From: Greg Kroah-Hartman Date: Mon, 1 Dec 2025 15:16:11 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.4.302~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7789cf477b21e3b9ca27609d3773f76fc2ff12a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: iio-accel-bmc150-fix-irq-assumption-regression.patch iio-accel-fix-adxl355-startup-race-condition.patch iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch iio-common-ssp_sensors-fix-an-error-handling-path-ssp_probe.patch iio-imu-st_lsm6dsx-fix-array-size-for-st_lsm6dsx_settings-fields.patch mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch revert-perf-x86-always-store-regs-ip-in-perf_callchain_kernel.patch --- diff --git a/queue-6.6/iio-accel-bmc150-fix-irq-assumption-regression.patch b/queue-6.6/iio-accel-bmc150-fix-irq-assumption-regression.patch new file mode 100644 index 0000000000..4b1a7cac0c --- /dev/null +++ b/queue-6.6/iio-accel-bmc150-fix-irq-assumption-regression.patch @@ -0,0 +1,78 @@ +From 3aa385a9c75c09b59dcab2ff76423439d23673ab Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 3 Nov 2025 10:36:18 +0100 +Subject: iio: accel: bmc150: Fix irq assumption regression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +commit 3aa385a9c75c09b59dcab2ff76423439d23673ab upstream. + +The code in bmc150-accel-core.c unconditionally calls +bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, +such as on the runtime PM resume path giving a kernel +splat like this if the device has no interrupts: + +Unable to handle kernel NULL pointer dereference at virtual + address 00000001 when read + +PC is at bmc150_accel_set_interrupt+0x98/0x194 +LR is at __pm_runtime_resume+0x5c/0x64 +(...) +Call trace: +bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 +bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc +__iio_update_buffers from enable_store+0x84/0xc8 +enable_store from kernfs_fop_write_iter+0x154/0x1b4 + +This bug seems to have been in the driver since the beginning, +but it only manifests recently, I do not know why. + +Store the IRQ number in the state struct, as this is a common +pattern in other drivers, then use this to determine if we have +IRQ support or not. + +Cc: stable@vger.kernel.org +Signed-off-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/bmc150-accel-core.c | 5 +++++ + drivers/iio/accel/bmc150-accel.h | 1 + + 2 files changed, 6 insertions(+) + +--- a/drivers/iio/accel/bmc150-accel-core.c ++++ b/drivers/iio/accel/bmc150-accel-core.c +@@ -569,6 +569,10 @@ static int bmc150_accel_set_interrupt(st + const struct bmc150_accel_interrupt_info *info = intr->info; + int ret; + ++ /* We do not always have an IRQ */ ++ if (data->irq <= 0) ++ return 0; ++ + if (state) { + if (atomic_inc_return(&intr->users) > 1) + return 0; +@@ -1743,6 +1747,7 @@ int bmc150_accel_core_probe(struct devic + } + + if (irq > 0) { ++ data->irq = irq; + ret = devm_request_threaded_irq(dev, irq, + bmc150_accel_irq_handler, + bmc150_accel_irq_thread_handler, +--- a/drivers/iio/accel/bmc150-accel.h ++++ b/drivers/iio/accel/bmc150-accel.h +@@ -57,6 +57,7 @@ enum bmc150_accel_trigger_id { + + struct bmc150_accel_data { + struct regmap *regmap; ++ int irq; + struct regulator_bulk_data regulators[2]; + struct bmc150_accel_interrupt interrupts[BMC150_ACCEL_INTERRUPTS]; + struct bmc150_accel_trigger triggers[BMC150_ACCEL_TRIGGERS]; diff --git a/queue-6.6/iio-accel-fix-adxl355-startup-race-condition.patch b/queue-6.6/iio-accel-fix-adxl355-startup-race-condition.patch new file mode 100644 index 0000000000..dae0f536cc --- /dev/null +++ b/queue-6.6/iio-accel-fix-adxl355-startup-race-condition.patch @@ -0,0 +1,95 @@ +From c92c1bc408e9e11ae3c7011b062fdd74c09283a3 Mon Sep 17 00:00:00 2001 +From: Valek Andrej +Date: Tue, 14 Oct 2025 09:13:44 +0200 +Subject: iio: accel: fix ADXL355 startup race condition + +From: Valek Andrej + +commit c92c1bc408e9e11ae3c7011b062fdd74c09283a3 upstream. + +There is an race-condition where device is not full working after SW reset. +Therefore it's necessary to wait some time after reset and verify shadow +registers values by reading and comparing the values before/after reset. +This mechanism is described in datasheet at least from revision D. + +Fixes: 12ed27863ea3 ("iio: accel: Add driver support for ADXL355") +Signed-off-by: Valek Andrej +Signed-off-by: Kessler Markus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/adxl355_core.c | 44 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 39 insertions(+), 5 deletions(-) + +--- a/drivers/iio/accel/adxl355_core.c ++++ b/drivers/iio/accel/adxl355_core.c +@@ -56,6 +56,8 @@ + #define ADXL355_POWER_CTL_DRDY_MSK BIT(2) + #define ADXL355_SELF_TEST_REG 0x2E + #define ADXL355_RESET_REG 0x2F ++#define ADXL355_BASE_ADDR_SHADOW_REG 0x50 ++#define ADXL355_SHADOW_REG_COUNT 5 + + #define ADXL355_DEVID_AD_VAL 0xAD + #define ADXL355_DEVID_MST_VAL 0x1D +@@ -294,7 +296,12 @@ static void adxl355_fill_3db_frequency_t + static int adxl355_setup(struct adxl355_data *data) + { + unsigned int regval; ++ int retries = 5; /* the number is chosen based on empirical reasons */ + int ret; ++ u8 *shadow_regs __free(kfree) = kzalloc(ADXL355_SHADOW_REG_COUNT, GFP_KERNEL); ++ ++ if (!shadow_regs) ++ return -ENOMEM; + + ret = regmap_read(data->regmap, ADXL355_DEVID_AD_REG, ®val); + if (ret) +@@ -321,14 +328,41 @@ static int adxl355_setup(struct adxl355_ + if (regval != ADXL355_PARTID_VAL) + dev_warn(data->dev, "Invalid DEV ID 0x%02x\n", regval); + +- /* +- * Perform a software reset to make sure the device is in a consistent +- * state after start-up. +- */ +- ret = regmap_write(data->regmap, ADXL355_RESET_REG, ADXL355_RESET_CODE); ++ /* Read shadow registers to be compared after reset */ ++ ret = regmap_bulk_read(data->regmap, ++ ADXL355_BASE_ADDR_SHADOW_REG, ++ shadow_regs, ADXL355_SHADOW_REG_COUNT); + if (ret) + return ret; + ++ do { ++ if (--retries == 0) { ++ dev_err(data->dev, "Shadow registers mismatch\n"); ++ return -EIO; ++ } ++ ++ /* ++ * Perform a software reset to make sure the device is in a consistent ++ * state after start-up. ++ */ ++ ret = regmap_write(data->regmap, ADXL355_RESET_REG, ++ ADXL355_RESET_CODE); ++ if (ret) ++ return ret; ++ ++ /* Wait at least 5ms after software reset */ ++ usleep_range(5000, 10000); ++ ++ /* Read shadow registers for comparison */ ++ ret = regmap_bulk_read(data->regmap, ++ ADXL355_BASE_ADDR_SHADOW_REG, ++ data->buffer.buf, ++ ADXL355_SHADOW_REG_COUNT); ++ if (ret) ++ return ret; ++ } while (memcmp(shadow_regs, data->buffer.buf, ++ ADXL355_SHADOW_REG_COUNT)); ++ + ret = regmap_update_bits(data->regmap, ADXL355_POWER_CTL_REG, + ADXL355_POWER_CTL_DRDY_MSK, + FIELD_PREP(ADXL355_POWER_CTL_DRDY_MSK, 1)); diff --git a/queue-6.6/iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch b/queue-6.6/iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch new file mode 100644 index 0000000000..62e18218e5 --- /dev/null +++ b/queue-6.6/iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch @@ -0,0 +1,40 @@ +From bd886cdcbf9e746f61c74035a3acd42e9108e115 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Fri, 10 Oct 2025 10:44:45 -0500 +Subject: iio: adc: ad7280a: fix ad7280_store_balance_timer() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +commit bd886cdcbf9e746f61c74035a3acd42e9108e115 upstream. + +Use correct argument to iio_str_to_fixpoint() to parse 3 decimal places. + +iio_str_to_fixpoint() has a bit of an unintuitive API where the +fract_mult parameter is the multiplier of the first decimal place as if +it was already an integer. So to get 3 decimal places, fract_mult must +be 100 rather than 1000. + +Fixes: 96ccdbc07a74 ("staging:iio:adc:ad7280a: Standardize extended ABI naming") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7280a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7280a.c ++++ b/drivers/iio/adc/ad7280a.c +@@ -540,7 +540,7 @@ static ssize_t ad7280_store_balance_time + int val, val2; + int ret; + +- ret = iio_str_to_fixpoint(buf, 1000, &val, &val2); ++ ret = iio_str_to_fixpoint(buf, 100, &val, &val2); + if (ret) + return ret; + diff --git a/queue-6.6/iio-common-ssp_sensors-fix-an-error-handling-path-ssp_probe.patch b/queue-6.6/iio-common-ssp_sensors-fix-an-error-handling-path-ssp_probe.patch new file mode 100644 index 0000000000..9c26efbdbf --- /dev/null +++ b/queue-6.6/iio-common-ssp_sensors-fix-an-error-handling-path-ssp_probe.patch @@ -0,0 +1,46 @@ +From 21553258b94861a73d7f2cf15469d69240e1170d Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 10 Oct 2025 20:58:48 +0200 +Subject: iio:common:ssp_sensors: Fix an error handling path ssp_probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +commit 21553258b94861a73d7f2cf15469d69240e1170d upstream. + +If an error occurs after a successful mfd_add_devices() call, it should be +undone by a corresponding mfd_remove_devices() call, as already done in the +remove function. + +Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver") +Signed-off-by: Christophe JAILLET +Reviewed-by: Nuno Sá +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/common/ssp_sensors/ssp_dev.c ++++ b/drivers/iio/common/ssp_sensors/ssp_dev.c +@@ -503,7 +503,7 @@ static int ssp_probe(struct spi_device * + ret = spi_setup(spi); + if (ret < 0) { + dev_err(&spi->dev, "Failed to setup spi\n"); +- return ret; ++ goto err_setup_spi; + } + + data->fw_dl_state = SSP_FW_DL_STATE_NONE; +@@ -568,6 +568,8 @@ err_read_reg: + err_setup_irq: + mutex_destroy(&data->pending_lock); + mutex_destroy(&data->comm_lock); ++err_setup_spi: ++ mfd_remove_devices(&spi->dev); + + dev_err(&spi->dev, "Probe failed!\n"); + diff --git a/queue-6.6/iio-imu-st_lsm6dsx-fix-array-size-for-st_lsm6dsx_settings-fields.patch b/queue-6.6/iio-imu-st_lsm6dsx-fix-array-size-for-st_lsm6dsx_settings-fields.patch new file mode 100644 index 0000000000..f733e367c0 --- /dev/null +++ b/queue-6.6/iio-imu-st_lsm6dsx-fix-array-size-for-st_lsm6dsx_settings-fields.patch @@ -0,0 +1,73 @@ +From 3af0c1fb1cdc351b64ff1a4bc06d491490c1f10a Mon Sep 17 00:00:00 2001 +From: Francesco Lavra +Date: Fri, 17 Oct 2025 19:32:08 +0200 +Subject: iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields + +From: Francesco Lavra + +commit 3af0c1fb1cdc351b64ff1a4bc06d491490c1f10a upstream. + +The `decimator` and `batch` fields of struct st_lsm6dsx_settings +are arrays indexed by sensor type, not by sensor hardware +identifier; moreover, the `batch` field is only used for the +accelerometer and gyroscope. +Change the array size for `decimator` from ST_LSM6DSX_MAX_ID to +ST_LSM6DSX_ID_MAX, and change the array size for `batch` from +ST_LSM6DSX_MAX_ID to 2; move the enum st_lsm6dsx_sensor_id +definition so that the ST_LSM6DSX_ID_MAX value is usable within +the struct st_lsm6dsx_settings definition. + +Fixes: 801a6e0af0c6c ("iio: imu: st_lsm6dsx: add support to LSM6DSO") +Signed-off-by: Francesco Lavra +Acked-by: Lorenzo Bianconi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +@@ -268,6 +268,15 @@ struct st_lsm6dsx_event_settings { + u8 wakeup_src_x_mask; + }; + ++enum st_lsm6dsx_sensor_id { ++ ST_LSM6DSX_ID_GYRO, ++ ST_LSM6DSX_ID_ACC, ++ ST_LSM6DSX_ID_EXT0, ++ ST_LSM6DSX_ID_EXT1, ++ ST_LSM6DSX_ID_EXT2, ++ ST_LSM6DSX_ID_MAX ++}; ++ + enum st_lsm6dsx_ext_sensor_id { + ST_LSM6DSX_ID_MAGN, + }; +@@ -353,23 +362,14 @@ struct st_lsm6dsx_settings { + struct st_lsm6dsx_odr_table_entry odr_table[2]; + struct st_lsm6dsx_samples_to_discard samples_to_discard[2]; + struct st_lsm6dsx_fs_table_entry fs_table[2]; +- struct st_lsm6dsx_reg decimator[ST_LSM6DSX_MAX_ID]; +- struct st_lsm6dsx_reg batch[ST_LSM6DSX_MAX_ID]; ++ struct st_lsm6dsx_reg decimator[ST_LSM6DSX_ID_MAX]; ++ struct st_lsm6dsx_reg batch[2]; + struct st_lsm6dsx_fifo_ops fifo_ops; + struct st_lsm6dsx_hw_ts_settings ts_settings; + struct st_lsm6dsx_shub_settings shub_settings; + struct st_lsm6dsx_event_settings event_settings; + }; + +-enum st_lsm6dsx_sensor_id { +- ST_LSM6DSX_ID_GYRO, +- ST_LSM6DSX_ID_ACC, +- ST_LSM6DSX_ID_EXT0, +- ST_LSM6DSX_ID_EXT1, +- ST_LSM6DSX_ID_EXT2, +- ST_LSM6DSX_ID_MAX, +-}; +- + enum st_lsm6dsx_fifo_mode { + ST_LSM6DSX_FIFO_BYPASS = 0x0, + ST_LSM6DSX_FIFO_CONT = 0x6, diff --git a/queue-6.6/mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch b/queue-6.6/mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch new file mode 100644 index 0000000000..44626aef9f --- /dev/null +++ b/queue-6.6/mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch @@ -0,0 +1,76 @@ +From 841ecc979b18d3227fad5e2d6a1e6f92688776b5 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Fri, 28 Nov 2025 16:53:46 +0000 +Subject: MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow + +From: Thomas Bogendoerfer + +commit 841ecc979b18d3227fad5e2d6a1e6f92688776b5 upstream. + +Owing to Config4.MMUSizeExt and VTLB/FTLB MMU features later MIPSr2+ +cores can have more than 64 TLB entries. Therefore allocate an array +for uniquification instead of placing too an small array on the stack. + +Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init") +Co-developed-by: Maciej W. Rozycki +Signed-off-by: Maciej W. Rozycki +Cc: stable@vger.kernel.org # v6.17+: 9f048fa48740: MIPS: mm: Prevent a TLB shutdown on initial uniquification +Cc: stable@vger.kernel.org # v6.17+ +Tested-by: Gregory CLEMENT +Tested-by: Klara Modin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -520,17 +521,26 @@ static int r4k_vpn_cmp(const void *a, co + * Initialise all TLB entries with unique values that do not clash with + * what we have been handed over and what we'll be using ourselves. + */ +-static void r4k_tlb_uniquify(void) ++static void __ref r4k_tlb_uniquify(void) + { +- unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE]; + int tlbsize = current_cpu_data.tlbsize; ++ bool use_slab = slab_is_available(); + int start = num_wired_entries(); ++ phys_addr_t tlb_vpn_size; ++ unsigned long *tlb_vpns; + unsigned long vpn_mask; + int cnt, ent, idx, i; + + vpn_mask = GENMASK(cpu_vmbits - 1, 13); + vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31; + ++ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns); ++ tlb_vpns = (use_slab ? ++ kmalloc(tlb_vpn_size, GFP_KERNEL) : ++ memblock_alloc_raw(tlb_vpn_size, sizeof(*tlb_vpns))); ++ if (WARN_ON(!tlb_vpns)) ++ return; /* Pray local_flush_tlb_all() is good enough. */ ++ + htw_stop(); + + for (i = start, cnt = 0; i < tlbsize; i++, cnt++) { +@@ -583,6 +593,10 @@ static void r4k_tlb_uniquify(void) + tlbw_use_hazard(); + htw_start(); + flush_micro_tlb(); ++ if (use_slab) ++ kfree(tlb_vpns); ++ else ++ memblock_free(tlb_vpns, tlb_vpn_size); + } + + /* diff --git a/queue-6.6/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch b/queue-6.6/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch new file mode 100644 index 0000000000..887151f867 --- /dev/null +++ b/queue-6.6/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch @@ -0,0 +1,174 @@ +From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Thu, 13 Nov 2025 05:21:10 +0000 +Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification + +From: Maciej W. Rozycki + +commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream. + +Depending on the particular CPU implementation a TLB shutdown may occur +if multiple matching entries are detected upon the execution of a TLBP +or the TLBWI/TLBWR instructions. Given that we don't know what entries +we have been handed we need to be very careful with the initial TLB +setup and avoid all these instructions. + +Therefore read all the TLB entries one by one with the TLBR instruction, +bypassing the content addressing logic, and truncate any large pages in +place so as to avoid a case in the second step where an incoming entry +for a large page at a lower address overlaps with a replacement entry +chosen at another index. Then preinitialize the TLB using addresses +outside our usual unique range and avoiding clashes with any entries +received, before making the usual call to local_flush_tlb_all(). + +This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB +entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual +address). + +Signed-off-by: Maciej W. Rozycki +Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init") +Cc: stable@vger.kernel.org +Reviewed-by: Jiaxun Yang +Tested-by: Jiaxun Yang # Boston I6400, M5150 sim +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 64 insertions(+), 38 deletions(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -506,55 +507,79 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + +-/* Initialise all TLB entries with unique values */ ++ ++/* Comparison function for EntryHi VPN fields. */ ++static int r4k_vpn_cmp(const void *a, const void *b) ++{ ++ long v = *(unsigned long *)a - *(unsigned long *)b; ++ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0; ++ return s ? (v != 0) | v >> s : v; ++} ++ ++/* ++ * Initialise all TLB entries with unique values that do not clash with ++ * what we have been handed over and what we'll be using ourselves. ++ */ + static void r4k_tlb_uniquify(void) + { +- int entry = num_wired_entries(); ++ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE]; ++ int tlbsize = current_cpu_data.tlbsize; ++ int start = num_wired_entries(); ++ unsigned long vpn_mask; ++ int cnt, ent, idx, i; ++ ++ vpn_mask = GENMASK(cpu_vmbits - 1, 13); ++ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31; + + htw_stop(); +- write_c0_entrylo0(0); +- write_c0_entrylo1(0); + +- while (entry < current_cpu_data.tlbsize) { +- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); +- unsigned long asid = 0; +- int idx; ++ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) { ++ unsigned long vpn; + +- /* Skip wired MMID to make ginvt_mmid work */ +- if (cpu_has_mmid) +- asid = MMID_KERNEL_WIRED + 1; ++ write_c0_index(i); ++ mtc0_tlbr_hazard(); ++ tlb_read(); ++ tlb_read_hazard(); ++ vpn = read_c0_entryhi(); ++ vpn &= vpn_mask & PAGE_MASK; ++ tlb_vpns[cnt] = vpn; + +- /* Check for match before using UNIQUE_ENTRYHI */ +- do { +- if (cpu_has_mmid) { +- write_c0_memorymapid(asid); +- write_c0_entryhi(UNIQUE_ENTRYHI(entry)); +- } else { +- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); +- } +- mtc0_tlbw_hazard(); +- tlb_probe(); +- tlb_probe_hazard(); +- idx = read_c0_index(); +- /* No match or match is on current entry */ +- if (idx < 0 || idx == entry) +- break; +- /* +- * If we hit a match, we need to try again with +- * a different ASID. +- */ +- asid++; +- } while (asid < asid_mask); +- +- if (idx >= 0 && idx != entry) +- panic("Unable to uniquify TLB entry %d", idx); +- +- write_c0_index(entry); ++ /* Prevent any large pages from overlapping regular ones. */ ++ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK); + mtc0_tlbw_hazard(); + tlb_write_indexed(); +- entry++; ++ tlbw_use_hazard(); + } + ++ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL); ++ ++ write_c0_pagemask(PM_DEFAULT_MASK); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ idx = 0; ++ ent = tlbsize; ++ for (i = start; i < tlbsize; i++) ++ while (1) { ++ unsigned long entryhi, vpn; ++ ++ entryhi = UNIQUE_ENTRYHI(ent); ++ vpn = entryhi & vpn_mask & PAGE_MASK; ++ ++ if (idx >= cnt || vpn < tlb_vpns[idx]) { ++ write_c0_entryhi(entryhi); ++ write_c0_index(i); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ ent++; ++ break; ++ } else if (vpn == tlb_vpns[idx]) { ++ ent++; ++ } else { ++ idx++; ++ } ++ } ++ + tlbw_use_hazard(); + htw_start(); + flush_micro_tlb(); +@@ -600,6 +625,7 @@ static void r4k_tlb_configure(void) + + /* From this point on the ARC firmware is dead. */ + r4k_tlb_uniquify(); ++ local_flush_tlb_all(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-6.6/revert-perf-x86-always-store-regs-ip-in-perf_callchain_kernel.patch b/queue-6.6/revert-perf-x86-always-store-regs-ip-in-perf_callchain_kernel.patch new file mode 100644 index 0000000000..7911a7ec88 --- /dev/null +++ b/queue-6.6/revert-perf-x86-always-store-regs-ip-in-perf_callchain_kernel.patch @@ -0,0 +1,68 @@ +From 6d08340d1e354787d6c65a8c3cdd4d41ffb8a5ed Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Tue, 4 Nov 2025 22:54:02 +0100 +Subject: Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" + +From: Jiri Olsa + +commit 6d08340d1e354787d6c65a8c3cdd4d41ffb8a5ed upstream. + +This reverts commit 83f44ae0f8afcc9da659799db8693f74847e66b3. + +Currently we store initial stacktrace entry twice for non-HW ot_regs, which +means callers that fail perf_hw_regs(regs) condition in perf_callchain_kernel. + +It's easy to reproduce this bpftrace: + + # bpftrace -e 'tracepoint:sched:sched_process_exec { print(kstack()); }' + Attaching 1 probe... + + bprm_execve+1767 + bprm_execve+1767 + do_execveat_common.isra.0+425 + __x64_sys_execve+56 + do_syscall_64+133 + entry_SYSCALL_64_after_hwframe+118 + +When perf_callchain_kernel calls unwind_start with first_frame, AFAICS +we do not skip regs->ip, but it's added as part of the unwind process. +Hence reverting the extra perf_callchain_store for non-hw regs leg. + +I was not able to bisect this, so I'm not really sure why this was needed +in v5.2 and why it's not working anymore, but I could see double entries +as far as v5.10. + +I did the test for both ORC and framepointer unwind with and without the +this fix and except for the initial entry the stacktraces are the same. + +Acked-by: Song Liu +Signed-off-by: Jiri Olsa +Link: https://lore.kernel.org/r/20251104215405.168643-2-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Acked-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -2769,13 +2769,13 @@ perf_callchain_kernel(struct perf_callch + return; + } + +- if (perf_callchain_store(entry, regs->ip)) +- return; +- +- if (perf_hw_regs(regs)) ++ if (perf_hw_regs(regs)) { ++ if (perf_callchain_store(entry, regs->ip)) ++ return; + unwind_start(&state, current, regs, NULL); +- else ++ } else { + unwind_start(&state, current, NULL, (void *)regs->sp); ++ } + + for (; !unwind_done(&state); unwind_next_frame(&state)) { + addr = unwind_get_return_address(&state); diff --git a/queue-6.6/series b/queue-6.6/series index c17fb07ce7..7de6028a01 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -31,3 +31,11 @@ spi-spi-mem-add-a-new-controller-capability.patch spi-nxp-fspi-support-per-spi-mem-operation-frequency.patch spi-nxp-fspi-propagate-fwnode-in-acpi-case-as-well.patch spi-bcm63xx-fix-premature-cs-deassertion-on-rx-only-.patch +revert-perf-x86-always-store-regs-ip-in-perf_callchain_kernel.patch +iio-imu-st_lsm6dsx-fix-array-size-for-st_lsm6dsx_settings-fields.patch +iio-common-ssp_sensors-fix-an-error-handling-path-ssp_probe.patch +iio-accel-bmc150-fix-irq-assumption-regression.patch +iio-accel-fix-adxl355-startup-race-condition.patch +iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch +mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch +mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch