From 182f523661c46947cb20549fad9d559169e1c4be Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 19 May 2025 14:33:32 +0200 Subject: [PATCH] 6.12-stable patches added patches: acpi-pptt-fix-processor-subtable-walk.patch btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch btrfs-fix-folio-leak-in-submit_one_async_extent.patch dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch drm-amd-display-avoid-flooding-unnecessary-info-messages.patch drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch gpio-pca953x-fix-irq-storm-on-system-wake-up.patch hid-bpf-abort-dispatch-if-device-destroyed.patch loongarch-fix-max_reg_offset-calculation.patch loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch loongarch-save-and-restore-csr.cntc-for-hibernation.patch loongarch-uprobes-remove-redundant-code-about-resume_era.patch loongarch-uprobes-remove-user_-en-dis-able_single_step.patch maintainers-update-alexey-makhalov-s-email-address.patch revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch --- ...cpi-pptt-fix-processor-subtable-walk.patch | 96 ++++++++++ ...t-option-commit-values-exceeding-300.patch | 49 +++++ ...nfinite-loop-after-disabling-discard.patch | 175 ++++++++++++++++++ ...olio-leak-in-submit_one_async_extent.patch | 80 ++++++++ ...matest-waiting-less-when-interrupted.patch | 51 +++++ ...d-flooding-unnecessary-info-messages.patch | 53 ++++++ ...eply-value-when-aux-write-incomplete.patch | 82 ++++++++ ...u-csa-unmap-use-uninterruptible-lock.patch | 59 ++++++ ...-fix-incorrect-mall-size-for-gfx1151.patch | 44 +++++ ...egister-after-written-for-vcn-v4.0.5.patch | 52 ++++++ ...953x-fix-irq-storm-on-system-wake-up.patch | 62 +++++++ ...f-abort-dispatch-if-device-destroyed.patch | 127 +++++++++++++ ...garch-fix-max_reg_offset-calculation.patch | 32 ++++ ...ch_cpu_idle-to-.cpuidle.text-section.patch | 53 ++++++ ..._resched-occurring-within-kernel-fpu.patch | 84 +++++++++ ...and-restore-csr.cntc-for-hibernation.patch | 71 +++++++ ...move-redundant-code-about-resume_era.patch | 57 ++++++ ...remove-user_-en-dis-able_single_step.patch | 61 ++++++ ...date-alexey-makhalov-s-email-address.patch | 52 ++++++ ...-the-layout-state-after-a-layoutretu.patch | 11 +- ...lor-when-switched-to-software-cursor.patch | 57 ++++++ ...ew-should-always-initialize-iterator.patch | 40 ++++ queue-6.12/series | 22 +++ ...xtents-is-uptodate-on-inode-eviction.patch | 40 ++++ 24 files changed, 1502 insertions(+), 8 deletions(-) create mode 100644 queue-6.12/acpi-pptt-fix-processor-subtable-walk.patch create mode 100644 queue-6.12/btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch create mode 100644 queue-6.12/btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch create mode 100644 queue-6.12/btrfs-fix-folio-leak-in-submit_one_async_extent.patch create mode 100644 queue-6.12/dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch create mode 100644 queue-6.12/drm-amd-display-avoid-flooding-unnecessary-info-messages.patch create mode 100644 queue-6.12/drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch create mode 100644 queue-6.12/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch create mode 100644 queue-6.12/drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch create mode 100644 queue-6.12/drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch create mode 100644 queue-6.12/gpio-pca953x-fix-irq-storm-on-system-wake-up.patch create mode 100644 queue-6.12/hid-bpf-abort-dispatch-if-device-destroyed.patch create mode 100644 queue-6.12/loongarch-fix-max_reg_offset-calculation.patch create mode 100644 queue-6.12/loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch create mode 100644 queue-6.12/loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch create mode 100644 queue-6.12/loongarch-save-and-restore-csr.cntc-for-hibernation.patch create mode 100644 queue-6.12/loongarch-uprobes-remove-redundant-code-about-resume_era.patch create mode 100644 queue-6.12/loongarch-uprobes-remove-user_-en-dis-able_single_step.patch create mode 100644 queue-6.12/maintainers-update-alexey-makhalov-s-email-address.patch create mode 100644 queue-6.12/revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch create mode 100644 queue-6.12/sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch create mode 100644 queue-6.12/udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch diff --git a/queue-6.12/acpi-pptt-fix-processor-subtable-walk.patch b/queue-6.12/acpi-pptt-fix-processor-subtable-walk.patch new file mode 100644 index 0000000000..e11f55af14 --- /dev/null +++ b/queue-6.12/acpi-pptt-fix-processor-subtable-walk.patch @@ -0,0 +1,96 @@ +From adfab6b39202481bb43286fff94def4953793fdb Mon Sep 17 00:00:00 2001 +From: Jeremy Linton +Date: Wed, 7 May 2025 21:30:25 -0500 +Subject: ACPI: PPTT: Fix processor subtable walk + +From: Jeremy Linton + +commit adfab6b39202481bb43286fff94def4953793fdb upstream. + +The original PPTT code had a bug where the processor subtable length +was not correctly validated when encountering a truncated +acpi_pptt_processor node. + +Commit 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of +sizeof() calls") attempted to fix this by validating the size is as +large as the acpi_pptt_processor node structure. This introduced a +regression where the last processor node in the PPTT table is ignored +if it doesn't contain any private resources. That results errors like: + + ACPI PPTT: PPTT table found, but unable to locate core XX (XX) + ACPI: SPE must be homogeneous + +Furthermore, it fails in a common case where the node length isn't +equal to the acpi_pptt_processor structure size, leaving the original +bug in a modified form. + +Correct the regression by adjusting the loop termination conditions as +suggested by the bug reporters. An additional check performed after +the subtable node type is detected, validates the acpi_pptt_processor +node is fully contained in the PPTT table. Repeating the check in +acpi_pptt_leaf_node() is largely redundant as the node is already +known to be fully contained in the table. + +The case where a final truncated node's parent property is accepted, +but the node itself is rejected should not be considered a bug. + +Fixes: 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls") +Reported-by: Maximilian Heyne +Closes: https://lore.kernel.org/linux-acpi/20250506-draco-taped-15f475cd@mheyne-amazon/ +Reported-by: Yicong Yang +Closes: https://lore.kernel.org/linux-acpi/20250507035124.28071-1-yangyicong@huawei.com/ +Signed-off-by: Jeremy Linton +Tested-by: Yicong Yang +Reviewed-by: Sudeep Holla +Tested-by: Maximilian Heyne +Cc: All applicable # 7ab4f0e37a0f4: ACPI PPTT: Fix coding mistakes ... +Link: https://patch.msgid.link/20250508023025.1301030-1-jeremy.linton@arm.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/pptt.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/pptt.c ++++ b/drivers/acpi/pptt.c +@@ -231,16 +231,18 @@ static int acpi_pptt_leaf_node(struct ac + sizeof(struct acpi_table_pptt)); + proc_sz = sizeof(struct acpi_pptt_processor); + +- while ((unsigned long)entry + proc_sz < table_end) { ++ /* ignore subtable types that are smaller than a processor node */ ++ while ((unsigned long)entry + proc_sz <= table_end) { + cpu_node = (struct acpi_pptt_processor *)entry; ++ + if (entry->type == ACPI_PPTT_TYPE_PROCESSOR && + cpu_node->parent == node_entry) + return 0; + if (entry->length == 0) + return 0; ++ + entry = ACPI_ADD_PTR(struct acpi_subtable_header, entry, + entry->length); +- + } + return 1; + } +@@ -273,15 +275,18 @@ static struct acpi_pptt_processor *acpi_ + proc_sz = sizeof(struct acpi_pptt_processor); + + /* find the processor structure associated with this cpuid */ +- while ((unsigned long)entry + proc_sz < table_end) { ++ while ((unsigned long)entry + proc_sz <= table_end) { + cpu_node = (struct acpi_pptt_processor *)entry; + + if (entry->length == 0) { + pr_warn("Invalid zero length subtable\n"); + break; + } ++ /* entry->length may not equal proc_sz, revalidate the processor structure length */ + if (entry->type == ACPI_PPTT_TYPE_PROCESSOR && + acpi_cpu_id == cpu_node->acpi_processor_id && ++ (unsigned long)entry + entry->length <= table_end && ++ entry->length == proc_sz + cpu_node->number_of_priv_resources * sizeof(u32) && + acpi_pptt_leaf_node(table_hdr, cpu_node)) { + return (struct acpi_pptt_processor *)entry; + } diff --git a/queue-6.12/btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch b/queue-6.12/btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch new file mode 100644 index 0000000000..14ce8f2e84 --- /dev/null +++ b/queue-6.12/btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch @@ -0,0 +1,49 @@ +From 4ce2affc6ef9f84b4aebbf18bd5c57397b6024eb Mon Sep 17 00:00:00 2001 +From: Kyoji Ogasawara +Date: Fri, 9 May 2025 19:26:31 +0900 +Subject: btrfs: add back warning for mount option commit values exceeding 300 + +From: Kyoji Ogasawara + +commit 4ce2affc6ef9f84b4aebbf18bd5c57397b6024eb upstream. + +The Btrfs documentation states that if the commit value is greater than +300 a warning should be issued. The warning was accidentally lost in the +new mount API update. + +Fixes: 6941823cc878 ("btrfs: remove old mount API code") +CC: stable@vger.kernel.org # 6.12+ +Reviewed-by: Qu Wenruo +Reviewed-by: Anand Jain +Signed-off-by: Kyoji Ogasawara +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/fs.h | 1 + + fs/btrfs/super.c | 4 ++++ + 2 files changed, 5 insertions(+) + +--- a/fs/btrfs/fs.h ++++ b/fs/btrfs/fs.h +@@ -285,6 +285,7 @@ enum { + #define BTRFS_FEATURE_INCOMPAT_SAFE_CLEAR 0ULL + + #define BTRFS_DEFAULT_COMMIT_INTERVAL (30) ++#define BTRFS_WARNING_COMMIT_INTERVAL (300) + #define BTRFS_DEFAULT_MAX_INLINE (2048) + + struct btrfs_dev_replace { +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -570,6 +570,10 @@ static int btrfs_parse_param(struct fs_c + break; + case Opt_commit_interval: + ctx->commit_interval = result.uint_32; ++ if (ctx->commit_interval > BTRFS_WARNING_COMMIT_INTERVAL) { ++ btrfs_warn(NULL, "excessive commit interval %u, use with care", ++ ctx->commit_interval); ++ } + if (ctx->commit_interval == 0) + ctx->commit_interval = BTRFS_DEFAULT_COMMIT_INTERVAL; + break; diff --git a/queue-6.12/btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch b/queue-6.12/btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch new file mode 100644 index 0000000000..3f23805969 --- /dev/null +++ b/queue-6.12/btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch @@ -0,0 +1,175 @@ +From 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 5 May 2025 16:03:16 +0100 +Subject: btrfs: fix discard worker infinite loop after disabling discard + +From: Filipe Manana + +commit 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 upstream. + +If the discard worker is running and there's currently only one block +group, that block group is a data block group, it's in the unused block +groups discard list and is being used (it got an extent allocated from it +after becoming unused), the worker can end up in an infinite loop if a +transaction abort happens or the async discard is disabled (during remount +or unmount for example). + +This happens like this: + +1) Task A, the discard worker, is at peek_discard_list() and + find_next_block_group() returns block group X; + +2) Block group X is in the unused block groups discard list (its discard + index is BTRFS_DISCARD_INDEX_UNUSED) since at some point in the past + it become an unused block group and was added to that list, but then + later it got an extent allocated from it, so its ->used counter is not + zero anymore; + +3) The current transaction is aborted by task B and we end up at + __btrfs_handle_fs_error() in the transaction abort path, where we call + btrfs_discard_stop(), which clears BTRFS_FS_DISCARD_RUNNING from + fs_info, and then at __btrfs_handle_fs_error() we set the fs to RO mode + (setting SB_RDONLY in the super block's s_flags field); + +4) Task A calls __add_to_discard_list() with the goal of moving the block + group from the unused block groups discard list into another discard + list, but at __add_to_discard_list() we end up doing nothing because + btrfs_run_discard_work() returns false, since the super block has + SB_RDONLY set in its flags and BTRFS_FS_DISCARD_RUNNING is not set + anymore in fs_info->flags. So block group X remains in the unused block + groups discard list; + +5) Task A then does a goto into the 'again' label, calls + find_next_block_group() again we gets block group X again. Then it + repeats the previous steps over and over since there are not other + block groups in the discard lists and block group X is never moved + out of the unused block groups discard list since + btrfs_run_discard_work() keeps returning false and therefore + __add_to_discard_list() doesn't move block group X out of that discard + list. + +When this happens we can get a soft lockup report like this: + + [71.957] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:3:97] + [71.957] Modules linked in: xfs af_packet rfkill (...) + [71.957] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa + [71.957] Tainted: [W]=WARN + [71.957] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + [71.957] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] + [71.957] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] + [71.957] Code: c1 01 48 83 (...) + [71.957] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 + [71.957] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 + [71.957] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad + [71.957] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 + [71.957] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 + [71.957] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 + [71.957] FS: 0000000000000000(0000) GS:ffff89707bc00000(0000) knlGS:0000000000000000 + [71.957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [71.957] CR2: 00005605bcc8d2f0 CR3: 000000010376a001 CR4: 0000000000770ef0 + [71.957] PKRU: 55555554 + [71.957] Call Trace: + [71.957] + [71.957] process_one_work+0x17e/0x330 + [71.957] worker_thread+0x2ce/0x3f0 + [71.957] ? __pfx_worker_thread+0x10/0x10 + [71.957] kthread+0xef/0x220 + [71.957] ? __pfx_kthread+0x10/0x10 + [71.957] ret_from_fork+0x34/0x50 + [71.957] ? __pfx_kthread+0x10/0x10 + [71.957] ret_from_fork_asm+0x1a/0x30 + [71.957] + [71.957] Kernel panic - not syncing: softlockup: hung tasks + [71.987] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W L 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa + [71.989] Tainted: [W]=WARN, [L]=SOFTLOCKUP + [71.989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + [71.991] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] + [71.992] Call Trace: + [71.993] + [71.994] dump_stack_lvl+0x5a/0x80 + [71.994] panic+0x10b/0x2da + [71.995] watchdog_timer_fn.cold+0x9a/0xa1 + [71.996] ? __pfx_watchdog_timer_fn+0x10/0x10 + [71.997] __hrtimer_run_queues+0x132/0x2a0 + [71.997] hrtimer_interrupt+0xff/0x230 + [71.998] __sysvec_apic_timer_interrupt+0x55/0x100 + [71.999] sysvec_apic_timer_interrupt+0x6c/0x90 + [72.000] + [72.000] + [72.001] asm_sysvec_apic_timer_interrupt+0x1a/0x20 + [72.002] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] + [72.002] Code: c1 01 48 83 (...) + [72.005] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 + [72.006] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 + [72.006] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad + [72.007] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 + [72.008] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 + [72.009] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 + [72.010] ? btrfs_discard_workfn+0x51/0x400 [btrfs 23b01089228eb964071fb7ca156eee8cd3bf996f] + [72.011] process_one_work+0x17e/0x330 + [72.012] worker_thread+0x2ce/0x3f0 + [72.013] ? __pfx_worker_thread+0x10/0x10 + [72.014] kthread+0xef/0x220 + [72.014] ? __pfx_kthread+0x10/0x10 + [72.015] ret_from_fork+0x34/0x50 + [72.015] ? __pfx_kthread+0x10/0x10 + [72.016] ret_from_fork_asm+0x1a/0x30 + [72.017] + [72.017] Kernel Offset: 0x15000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + [72.019] Rebooting in 90 seconds.. + +So fix this by making sure we move a block group out of the unused block +groups discard list when calling __add_to_discard_list(). + +Fixes: 2bee7eb8bb81 ("btrfs: discard one region at a time in async discard") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1242012 +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Boris Burkov +Reviewed-by: Daniel Vacek +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/discard.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/discard.c ++++ b/fs/btrfs/discard.c +@@ -94,8 +94,6 @@ static void __add_to_discard_list(struct + struct btrfs_block_group *block_group) + { + lockdep_assert_held(&discard_ctl->lock); +- if (!btrfs_run_discard_work(discard_ctl)) +- return; + + if (list_empty(&block_group->discard_list) || + block_group->discard_index == BTRFS_DISCARD_INDEX_UNUSED) { +@@ -118,6 +116,9 @@ static void add_to_discard_list(struct b + if (!btrfs_is_block_group_data_only(block_group)) + return; + ++ if (!btrfs_run_discard_work(discard_ctl)) ++ return; ++ + spin_lock(&discard_ctl->lock); + __add_to_discard_list(discard_ctl, block_group); + spin_unlock(&discard_ctl->lock); +@@ -250,6 +251,18 @@ again: + block_group->used != 0) { + if (btrfs_is_block_group_data_only(block_group)) { + __add_to_discard_list(discard_ctl, block_group); ++ /* ++ * The block group must have been moved to other ++ * discard list even if discard was disabled in ++ * the meantime or a transaction abort happened, ++ * otherwise we can end up in an infinite loop, ++ * always jumping into the 'again' label and ++ * keep getting this block group over and over ++ * in case there are no other block groups in ++ * the discard lists. ++ */ ++ ASSERT(block_group->discard_index != ++ BTRFS_DISCARD_INDEX_UNUSED); + } else { + list_del_init(&block_group->discard_list); + btrfs_put_block_group(block_group); diff --git a/queue-6.12/btrfs-fix-folio-leak-in-submit_one_async_extent.patch b/queue-6.12/btrfs-fix-folio-leak-in-submit_one_async_extent.patch new file mode 100644 index 0000000000..2d793df84b --- /dev/null +++ b/queue-6.12/btrfs-fix-folio-leak-in-submit_one_async_extent.patch @@ -0,0 +1,80 @@ +From a0fd1c6098633f9a95fc2f636383546c82b704c3 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Wed, 7 May 2025 12:42:24 -0700 +Subject: btrfs: fix folio leak in submit_one_async_extent() + +From: Boris Burkov + +commit a0fd1c6098633f9a95fc2f636383546c82b704c3 upstream. + +If btrfs_reserve_extent() fails while submitting an async_extent for a +compressed write, then we fail to call free_async_extent_pages() on the +async_extent and leak its folios. A likely cause for such a failure +would be btrfs_reserve_extent() failing to find a large enough +contiguous free extent for the compressed extent. + +I was able to reproduce this by: + +1. mount with compress-force=zstd:3 +2. fallocating most of a filesystem to a big file +3. fragmenting the remaining free space +4. trying to copy in a file which zstd would generate large compressed + extents for (vmlinux worked well for this) + +Step 4. hits the memory leak and can be repeated ad nauseam to +eventually exhaust the system memory. + +Fix this by detecting the case where we fallback to uncompressed +submission for a compressed async_extent and ensuring that we call +free_async_extent_pages(). + +Fixes: 131a821a243f ("btrfs: fallback if compressed IO fails for ENOSPC") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Filipe Manana +Co-developed-by: Josef Bacik +Signed-off-by: Boris Burkov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1187,6 +1187,7 @@ static void submit_one_async_extent(stru + struct extent_state *cached = NULL; + struct extent_map *em; + int ret = 0; ++ bool free_pages = false; + u64 start = async_extent->start; + u64 end = async_extent->start + async_extent->ram_size - 1; + +@@ -1207,7 +1208,10 @@ static void submit_one_async_extent(stru + } + + if (async_extent->compress_type == BTRFS_COMPRESS_NONE) { ++ ASSERT(!async_extent->folios); ++ ASSERT(async_extent->nr_folios == 0); + submit_uncompressed_range(inode, async_extent, locked_folio); ++ free_pages = true; + goto done; + } + +@@ -1223,6 +1227,7 @@ static void submit_one_async_extent(stru + * fall back to uncompressed. + */ + submit_uncompressed_range(inode, async_extent, locked_folio); ++ free_pages = true; + goto done; + } + +@@ -1264,6 +1269,8 @@ static void submit_one_async_extent(stru + done: + if (async_chunk->blkcg_css) + kthread_associate_blkcg(NULL); ++ if (free_pages) ++ free_async_extent_pages(async_extent); + kfree(async_extent); + return; + diff --git a/queue-6.12/dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch b/queue-6.12/dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch new file mode 100644 index 0000000000..737a9675fa --- /dev/null +++ b/queue-6.12/dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch @@ -0,0 +1,51 @@ +From df180e65305f8c1e020d54bfc2132349fd693de1 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 3 Apr 2025 11:24:19 -0500 +Subject: dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted" + +From: Nathan Lynch + +commit df180e65305f8c1e020d54bfc2132349fd693de1 upstream. + +Several issues with this change: + +* The analysis is flawed and it's unclear what problem is being + fixed. There is no difference between wait_event_freezable_timeout() + and wait_event_timeout() with respect to device interrupts. And of + course "the interrupt notifying the finish of an operation happens + during wait_event_freezable_timeout()" -- that's how it's supposed + to work. + +* The link at the "Closes:" tag appears to be an unrelated + use-after-free in idxd. + +* It introduces a regression: dmatest threads are meant to be + freezable and this change breaks that. + +See discussion here: +https://lore.kernel.org/dmaengine/878qpa13fe.fsf@AUSNATLYNCH.amd.com/ + +Fixes: e87ca16e9911 ("dmaengine: dmatest: Fix dmatest waiting less when interrupted") +Signed-off-by: Nathan Lynch +Link: https://lore.kernel.org/r/20250403-dmaengine-dmatest-revert-waiting-less-v1-1-8227c5a3d7c8@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/dmatest.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -841,9 +841,9 @@ static int dmatest_func(void *data) + } else { + dma_async_issue_pending(chan); + +- wait_event_timeout(thread->done_wait, +- done->done, +- msecs_to_jiffies(params->timeout)); ++ wait_event_freezable_timeout(thread->done_wait, ++ done->done, ++ msecs_to_jiffies(params->timeout)); + + status = dma_async_is_tx_complete(chan, cookie, NULL, + NULL); diff --git a/queue-6.12/drm-amd-display-avoid-flooding-unnecessary-info-messages.patch b/queue-6.12/drm-amd-display-avoid-flooding-unnecessary-info-messages.patch new file mode 100644 index 0000000000..0ef2bccfca --- /dev/null +++ b/queue-6.12/drm-amd-display-avoid-flooding-unnecessary-info-messages.patch @@ -0,0 +1,53 @@ +From d33724ffb743d3d2698bd969e29253ae0cff9739 Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Tue, 13 May 2025 11:20:24 +0800 +Subject: drm/amd/display: Avoid flooding unnecessary info messages + +From: Wayne Lin + +commit d33724ffb743d3d2698bd969e29253ae0cff9739 upstream. + +It's expected that we'll encounter temporary exceptions +during aux transactions. Adjust logging from drm_info to +drm_dbg_dp to prevent flooding with unnecessary log messages. + +Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") +Cc: Mario Limonciello +Cc: Alex Deucher +Signed-off-by: Wayne Lin +Acked-by: Alex Deucher +Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct + if (payload.write && result >= 0) { + if (result) { + /*one byte indicating partially written bytes*/ +- drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); ++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + result = payload.data[0]; + } else if (!payload.reply[0]) + /*I2C_ACK|AUX_ACK*/ +@@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct + break; + } + +- drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); ++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + } + + if (payload.reply[0]) +- drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", ++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + payload.reply[0]); + + return result; diff --git a/queue-6.12/drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch b/queue-6.12/drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch new file mode 100644 index 0000000000..df71bb1d62 --- /dev/null +++ b/queue-6.12/drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch @@ -0,0 +1,82 @@ +From d433981385c62c72080e26f1c00a961d18b233be Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Fri, 25 Apr 2025 14:44:02 +0800 +Subject: drm/amd/display: Correct the reply value when AUX write incomplete + +From: Wayne Lin + +commit d433981385c62c72080e26f1c00a961d18b233be upstream. + +[Why] +Now forcing aux->transfer to return 0 when incomplete AUX write is +inappropriate. It should return bytes have been transferred. + +[How] +aux->transfer is asked not to change original msg except reply field of +drm_dp_aux_msg structure. Copy the msg->buffer when it's write request, +and overwrite the first byte when sink reply 1 byte indicating partially +written byte number. Then we can return the correct value without +changing the original msg. + +Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Ray Wu +Signed-off-by: Wayne Lin +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 7ac37f0dcd2e0b729fa7b5513908dc8ab802b540) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 10 ++++++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -12546,7 +12546,8 @@ int amdgpu_dm_process_dmub_aux_transfer_ + /* The reply is stored in the top nibble of the command. */ + payload->reply[0] = (adev->dm.dmub_notify->aux_reply.command >> 4) & 0xF; + +- if (!payload->write && p_notify->aux_reply.length) ++ /*write req may receive a byte indicating partially written number as well*/ ++ if (p_notify->aux_reply.length) + memcpy(payload->data, p_notify->aux_reply.data, + p_notify->aux_reply.length); + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -62,6 +62,7 @@ static ssize_t dm_dp_aux_transfer(struct + enum aux_return_code_type operation_result; + struct amdgpu_device *adev; + struct ddc_service *ddc; ++ uint8_t copy[16]; + + if (WARN_ON(msg->size > 16)) + return -E2BIG; +@@ -77,6 +78,11 @@ static ssize_t dm_dp_aux_transfer(struct + (msg->request & DP_AUX_I2C_WRITE_STATUS_UPDATE) != 0; + payload.defer_delay = 0; + ++ if (payload.write) { ++ memcpy(copy, msg->buffer, msg->size); ++ payload.data = copy; ++ } ++ + result = dc_link_aux_transfer_raw(TO_DM_AUX(aux)->ddc_service, &payload, + &operation_result); + +@@ -100,9 +106,9 @@ static ssize_t dm_dp_aux_transfer(struct + */ + if (payload.write && result >= 0) { + if (result) { +- /*one byte indicating partially written bytes. Force 0 to retry*/ ++ /*one byte indicating partially written bytes*/ + drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); +- result = 0; ++ result = payload.data[0]; + } else if (!payload.reply[0]) + /*I2C_ACK|AUX_ACK*/ + result = msg->size; diff --git a/queue-6.12/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch b/queue-6.12/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch new file mode 100644 index 0000000000..f9f95ad2be --- /dev/null +++ b/queue-6.12/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch @@ -0,0 +1,59 @@ +From a0fa7873f2f869087b1e7793f7fac3713a1e3afe Mon Sep 17 00:00:00 2001 +From: Philip Yang +Date: Wed, 7 May 2025 11:04:32 -0400 +Subject: drm/amdgpu: csa unmap use uninterruptible lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +commit a0fa7873f2f869087b1e7793f7fac3713a1e3afe upstream. + +After process exit to unmap csa and free GPU vm, if signal is accepted +and then waiting to take vm lock is interrupted and return, it causes +memory leaking and below warning backtrace. + +Change to use uninterruptible wait lock fix the issue. + +WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 + amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] + Call Trace: + + drm_file_free.part.0+0x1da/0x230 [drm] + drm_close_helper.isra.0+0x65/0x70 [drm] + drm_release+0x6a/0x120 [drm] + amdgpu_drm_release+0x51/0x60 [amdgpu] + __fput+0x9f/0x280 + ____fput+0xe/0x20 + task_work_run+0x67/0xa0 + do_exit+0x217/0x3c0 + do_group_exit+0x3b/0xb0 + get_signal+0x14a/0x8d0 + arch_do_signal_or_restart+0xde/0x100 + exit_to_user_mode_loop+0xc1/0x1a0 + exit_to_user_mode_prepare+0xf4/0x100 + syscall_exit_to_user_mode+0x17/0x40 + do_syscall_64+0x69/0xc0 + +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c +@@ -109,7 +109,7 @@ int amdgpu_unmap_static_csa(struct amdgp + struct drm_exec exec; + int r; + +- drm_exec_init(&exec, DRM_EXEC_INTERRUPTIBLE_WAIT, 0); ++ drm_exec_init(&exec, 0, 0); + drm_exec_until_all_locked(&exec) { + r = amdgpu_vm_lock_pd(vm, &exec, 0); + if (likely(!r)) diff --git a/queue-6.12/drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch b/queue-6.12/drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch new file mode 100644 index 0000000000..253c21f5ca --- /dev/null +++ b/queue-6.12/drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch @@ -0,0 +1,44 @@ +From 2d73b0845ab3963856e857b810600e5594bc29f4 Mon Sep 17 00:00:00 2001 +From: Tim Huang +Date: Thu, 8 May 2025 13:37:35 +0800 +Subject: drm/amdgpu: fix incorrect MALL size for GFX1151 + +From: Tim Huang + +commit 2d73b0845ab3963856e857b810600e5594bc29f4 upstream. + +On GFX1151, the reported MALL cache size reflects only +half of its actual size; this adjustment corrects the discrepancy. + +Signed-off-by: Tim Huang +Acked-by: Alex Deucher +Reviewed-by: Yifan Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit 0a5c060b593ad152318f89e5564bfdfcff8a6ac0) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c +@@ -747,6 +747,18 @@ static int gmc_v11_0_sw_init(void *handl + adev->gmc.vram_type = vram_type; + adev->gmc.vram_vendor = vram_vendor; + ++ /* The mall_size is already calculated as mall_size_per_umc * num_umc. ++ * However, for gfx1151, which features a 2-to-1 UMC mapping, ++ * the result must be multiplied by 2 to determine the actual mall size. ++ */ ++ switch (amdgpu_ip_version(adev, GC_HWIP, 0)) { ++ case IP_VERSION(11, 5, 1): ++ adev->gmc.mall_size *= 2; ++ break; ++ default: ++ break; ++ } ++ + switch (amdgpu_ip_version(adev, GC_HWIP, 0)) { + case IP_VERSION(11, 0, 0): + case IP_VERSION(11, 0, 1): diff --git a/queue-6.12/drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch b/queue-6.12/drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch new file mode 100644 index 0000000000..5554114c0a --- /dev/null +++ b/queue-6.12/drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch @@ -0,0 +1,52 @@ +From ee7360fc27d6045510f8fe459b5649b2af27811a Mon Sep 17 00:00:00 2001 +From: "David (Ming Qiang) Wu" +Date: Mon, 12 May 2025 15:14:43 -0400 +Subject: drm/amdgpu: read back register after written for VCN v4.0.5 + +From: David (Ming Qiang) Wu + +commit ee7360fc27d6045510f8fe459b5649b2af27811a upstream. + +On VCN v4.0.5 there is a race condition where the WPTR is not +updated after starting from idle when doorbell is used. Adding +register read-back after written at function end is to ensure +all register writes are done before they can be used. + +Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12528 +Signed-off-by: David (Ming Qiang) Wu +Reviewed-by: Mario Limonciello +Tested-by: Mario Limonciello +Reviewed-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +(cherry picked from commit 07c9db090b86e5211188e1b351303fbc673378cf) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c +@@ -985,6 +985,10 @@ static int vcn_v4_0_5_start_dpg_mode(str + ring->doorbell_index << VCN_RB1_DB_CTRL__OFFSET__SHIFT | + VCN_RB1_DB_CTRL__EN_MASK); + ++ /* Keeping one read-back to ensure all register writes are done, otherwise ++ * it may introduce race conditions */ ++ RREG32_SOC15(VCN, inst_idx, regVCN_RB1_DB_CTRL); ++ + return 0; + } + +@@ -1169,6 +1173,10 @@ static int vcn_v4_0_5_start(struct amdgp + fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF); + } + ++ /* Keeping one read-back to ensure all register writes are done, otherwise ++ * it may introduce race conditions */ ++ RREG32_SOC15(VCN, i, regVCN_RB_ENABLE); ++ + return 0; + } + diff --git a/queue-6.12/gpio-pca953x-fix-irq-storm-on-system-wake-up.patch b/queue-6.12/gpio-pca953x-fix-irq-storm-on-system-wake-up.patch new file mode 100644 index 0000000000..2ec20b6ea9 --- /dev/null +++ b/queue-6.12/gpio-pca953x-fix-irq-storm-on-system-wake-up.patch @@ -0,0 +1,62 @@ +From 3e38f946062b4845961ab86b726651b4457b2af8 Mon Sep 17 00:00:00 2001 +From: Emanuele Ghidoli +Date: Mon, 12 May 2025 11:54:41 +0200 +Subject: gpio: pca953x: fix IRQ storm on system wake up + +From: Emanuele Ghidoli + +commit 3e38f946062b4845961ab86b726651b4457b2af8 upstream. + +If an input changes state during wake-up and is used as an interrupt +source, the IRQ handler reads the volatile input register to clear the +interrupt mask and deassert the IRQ line. However, the IRQ handler is +triggered before access to the register is granted, causing the read +operation to fail. + +As a result, the IRQ handler enters a loop, repeatedly printing the +"failed reading register" message, until `pca953x_resume()` is eventually +called, which restores the driver context and enables access to +registers. + +Fix by disabling the IRQ line before entering suspend mode, and +re-enabling it after the driver context is restored in `pca953x_resume()`. + +An IRQ can be disabled with disable_irq() and still wake the system as +long as the IRQ has wake enabled, so the wake-up functionality is +preserved. + +Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle") +Cc: stable@vger.kernel.org +Signed-off-by: Emanuele Ghidoli +Signed-off-by: Francesco Dolcini +Reviewed-by: Andy Shevchenko +Tested-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20250512095441.31645-1-francesco@dolcini.it +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-pca953x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -1203,6 +1203,8 @@ static int pca953x_restore_context(struc + + guard(mutex)(&chip->i2c_lock); + ++ if (chip->client->irq > 0) ++ enable_irq(chip->client->irq); + regcache_cache_only(chip->regmap, false); + regcache_mark_dirty(chip->regmap); + ret = pca953x_regcache_sync(chip); +@@ -1215,6 +1217,10 @@ static int pca953x_restore_context(struc + static void pca953x_save_context(struct pca953x_chip *chip) + { + guard(mutex)(&chip->i2c_lock); ++ ++ /* Disable IRQ to prevent early triggering while regmap "cache only" is on */ ++ if (chip->client->irq > 0) ++ disable_irq(chip->client->irq); + regcache_cache_only(chip->regmap, true); + } + diff --git a/queue-6.12/hid-bpf-abort-dispatch-if-device-destroyed.patch b/queue-6.12/hid-bpf-abort-dispatch-if-device-destroyed.patch new file mode 100644 index 0000000000..ad1bf3b1eb --- /dev/null +++ b/queue-6.12/hid-bpf-abort-dispatch-if-device-destroyed.patch @@ -0,0 +1,127 @@ +From 578e1b96fad7402ff7e9c7648c8f1ad0225147c8 Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Mon, 12 May 2025 23:24:19 +0800 +Subject: HID: bpf: abort dispatch if device destroyed + +From: Rong Zhang + +commit 578e1b96fad7402ff7e9c7648c8f1ad0225147c8 upstream. + +The current HID bpf implementation assumes no output report/request will +go through it after hid_bpf_destroy_device() has been called. This leads +to a bug that unplugging certain types of HID devices causes a cleaned- +up SRCU to be accessed. The bug was previously a hidden failure until a +recent x86 percpu change [1] made it access not-present pages. + +The bug will be triggered if the conditions below are met: + +A) a device under the driver has some LEDs on +B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver) + +If condition A is met, hidinput_led_worker() is always scheduled *after* +hid_bpf_destroy_device(). + +hid_destroy_device +` hid_bpf_destroy_device + ` cleanup_srcu_struct(&hdev->bpf.srcu) +` hid_remove_device + ` ... + ` led_classdev_unregister + ` led_trigger_set(led_cdev, NULL) + ` led_set_brightness(led_cdev, LED_OFF) + ` ... + ` input_inject_event + ` input_event_dispose + ` hidinput_input_event + ` schedule_work(&hid->led_work) [hidinput_led_worker] + +This is fine when condition B is not met, where hidinput_led_worker() +calls hid_ll_driver->request(). This is the case for most HID drivers, +which implement it or use the generic one from usbhid. The driver itself +or an underlying driver will then abort processing the request. + +Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads +to the bug. + +hidinput_led_worker +` hid_hw_output_report + ` dispatch_hid_bpf_output_report + ` srcu_read_lock(&hdev->bpf.srcu) + ` srcu_read_unlock(&hdev->bpf.srcu, idx) + +The bug has existed since the introduction [2] of +dispatch_hid_bpf_output_report(). However, the same bug also exists in +dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect +because of the lack of [1], but confirmed bpf.destroyed == 1) the bug +against the commit (i.e., the Fixes:) introducing the function. This is +because hidinput_led_worker() falls back to hid_hw_raw_request() when +hid_ll_driver->output_report() is uninplemented (e.g., logitech- +djreceiver). + +hidinput_led_worker +` hid_hw_output_report: -ENOSYS +` hid_hw_raw_request + ` dispatch_hid_bpf_raw_requests + ` srcu_read_lock(&hdev->bpf.srcu) + ` srcu_read_unlock(&hdev->bpf.srcu, idx) + +Fix the issue by returning early in the two mentioned functions if +hid_bpf has been marked as destroyed. Though +dispatch_hid_bpf_device_event() handles input events, and there is no +evidence that it may be called after the destruction, the same check, as +a safety net, is also added to it to maintain the consistency among all +dispatch functions. + +The impact of the bug on other architectures is unclear. Even if it acts +as a hidden failure, this is still dangerous because it corrupts +whatever is on the address calculated by SRCU. Thus, CC'ing the stable +list. + +[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets") +[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for +hid_hw_output_report") + +Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/ +Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Tested-by: Petr Tesarik +Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_dispatch.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/hid/bpf/hid_bpf_dispatch.c ++++ b/drivers/hid/bpf/hid_bpf_dispatch.c +@@ -38,6 +38,9 @@ dispatch_hid_bpf_device_event(struct hid + struct hid_bpf_ops *e; + int ret; + ++ if (unlikely(hdev->bpf.destroyed)) ++ return ERR_PTR(-ENODEV); ++ + if (type >= HID_REPORT_TYPES) + return ERR_PTR(-EINVAL); + +@@ -93,6 +96,9 @@ int dispatch_hid_bpf_raw_requests(struct + struct hid_bpf_ops *e; + int ret, idx; + ++ if (unlikely(hdev->bpf.destroyed)) ++ return -ENODEV; ++ + if (rtype >= HID_REPORT_TYPES) + return -EINVAL; + +@@ -130,6 +136,9 @@ int dispatch_hid_bpf_output_report(struc + struct hid_bpf_ops *e; + int ret, idx; + ++ if (unlikely(hdev->bpf.destroyed)) ++ return -ENODEV; ++ + idx = srcu_read_lock(&hdev->bpf.srcu); + list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list, + srcu_read_lock_held(&hdev->bpf.srcu)) { diff --git a/queue-6.12/loongarch-fix-max_reg_offset-calculation.patch b/queue-6.12/loongarch-fix-max_reg_offset-calculation.patch new file mode 100644 index 0000000000..8331123fe6 --- /dev/null +++ b/queue-6.12/loongarch-fix-max_reg_offset-calculation.patch @@ -0,0 +1,32 @@ +From 90436d234230e9a950ccd87831108b688b27a234 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 14 May 2025 22:17:43 +0800 +Subject: LoongArch: Fix MAX_REG_OFFSET calculation + +From: Huacai Chen + +commit 90436d234230e9a950ccd87831108b688b27a234 upstream. + +Fix MAX_REG_OFFSET calculation, make it point to the last register +in 'struct pt_regs' and not to the marker itself, which could allow +regs_get_register() to return an invalid offset. + +Cc: stable@vger.kernel.org +Fixes: 803b0fc5c3f2baa6e5 ("LoongArch: Add process management") +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/ptrace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/loongarch/include/asm/ptrace.h ++++ b/arch/loongarch/include/asm/ptrace.h +@@ -55,7 +55,7 @@ static inline void instruction_pointer_s + + /* Query offset/name of register from its name/offset */ + extern int regs_query_register_offset(const char *name); +-#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last)) ++#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last) - sizeof(unsigned long)) + + /** + * regs_get_register() - get register value from its offset diff --git a/queue-6.12/loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch b/queue-6.12/loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch new file mode 100644 index 0000000000..f141e609d1 --- /dev/null +++ b/queue-6.12/loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch @@ -0,0 +1,53 @@ +From 3e245b7b74c3a2ead5fa4bad27cc275284c75189 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 14 May 2025 22:17:52 +0800 +Subject: LoongArch: Move __arch_cpu_idle() to .cpuidle.text section + +From: Huacai Chen + +commit 3e245b7b74c3a2ead5fa4bad27cc275284c75189 upstream. + +Now arch_cpu_idle() is annotated with __cpuidle which means it is in +the .cpuidle.text section, but __arch_cpu_idle() isn't. Thus, fix the +missing .cpuidle.text section assignment for __arch_cpu_idle() in order +to correct backtracing with nmi_backtrace(). + +The principle is similar to the commit 97c8580e85cf81c ("MIPS: Annotate +cpu_wait implementations with __cpuidle") + +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/genex.S | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/kernel/genex.S ++++ b/arch/loongarch/kernel/genex.S +@@ -16,6 +16,7 @@ + #include + #include + ++ .section .cpuidle.text, "ax" + .align 5 + SYM_FUNC_START(__arch_cpu_idle) + /* start of idle interrupt region */ +@@ -31,14 +32,16 @@ SYM_FUNC_START(__arch_cpu_idle) + */ + idle 0 + /* end of idle interrupt region */ +-1: jr ra ++idle_exit: ++ jr ra + SYM_FUNC_END(__arch_cpu_idle) ++ .previous + + SYM_CODE_START(handle_vint) + UNWIND_HINT_UNDEFINED + BACKUP_T0T1 + SAVE_ALL +- la_abs t1, 1b ++ la_abs t1, idle_exit + LONG_L t0, sp, PT_ERA + /* 3 instructions idle interrupt region */ + ori t0, t0, 0b1100 diff --git a/queue-6.12/loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch b/queue-6.12/loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch new file mode 100644 index 0000000000..43cf3416ec --- /dev/null +++ b/queue-6.12/loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch @@ -0,0 +1,84 @@ +From 2468b0e3d5659dfde77f081f266e1111a981efb8 Mon Sep 17 00:00:00 2001 +From: Tianyang Zhang +Date: Wed, 14 May 2025 22:17:43 +0800 +Subject: LoongArch: Prevent cond_resched() occurring within kernel-fpu + +From: Tianyang Zhang + +commit 2468b0e3d5659dfde77f081f266e1111a981efb8 upstream. + +When CONFIG_PREEMPT_COUNT is not configured (i.e. CONFIG_PREEMPT_NONE/ +CONFIG_PREEMPT_VOLUNTARY), preempt_disable() / preempt_enable() merely +acts as a barrier(). However, in these cases cond_resched() can still +trigger a context switch and modify the CSR.EUEN, resulting in do_fpu() +exception being activated within the kernel-fpu critical sections, as +demonstrated in the following path: + +dcn32_calculate_wm_and_dlg() + DC_FP_START() + dcn32_calculate_wm_and_dlg_fpu() + dcn32_find_dummy_latency_index_for_fw_based_mclk_switch() + dcn32_internal_validate_bw() + dcn32_enable_phantom_stream() + dc_create_stream_for_sink() + kzalloc(GFP_KERNEL) + __kmem_cache_alloc_node() + __cond_resched() + DC_FP_END() + +This patch is similar to commit d02198550423a0b (x86/fpu: Improve crypto +performance by making kernel-mode FPU reliably usable in softirqs). It +uses local_bh_disable() instead of preempt_disable() for non-RT kernels +so it can avoid the cond_resched() issue, and also extend the kernel-fpu +application scenarios to the softirq context. + +Cc: stable@vger.kernel.org +Signed-off-by: Tianyang Zhang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/kfpu.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/kernel/kfpu.c ++++ b/arch/loongarch/kernel/kfpu.c +@@ -18,11 +18,28 @@ static unsigned int euen_mask = CSR_EUEN + static DEFINE_PER_CPU(bool, in_kernel_fpu); + static DEFINE_PER_CPU(unsigned int, euen_current); + ++static inline void fpregs_lock(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPT_RT)) ++ preempt_disable(); ++ else ++ local_bh_disable(); ++} ++ ++static inline void fpregs_unlock(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPT_RT)) ++ preempt_enable(); ++ else ++ local_bh_enable(); ++} ++ + void kernel_fpu_begin(void) + { + unsigned int *euen_curr; + +- preempt_disable(); ++ if (!irqs_disabled()) ++ fpregs_lock(); + + WARN_ON(this_cpu_read(in_kernel_fpu)); + +@@ -73,7 +90,8 @@ void kernel_fpu_end(void) + + this_cpu_write(in_kernel_fpu, false); + +- preempt_enable(); ++ if (!irqs_disabled()) ++ fpregs_unlock(); + } + EXPORT_SYMBOL_GPL(kernel_fpu_end); + diff --git a/queue-6.12/loongarch-save-and-restore-csr.cntc-for-hibernation.patch b/queue-6.12/loongarch-save-and-restore-csr.cntc-for-hibernation.patch new file mode 100644 index 0000000000..7f714d276a --- /dev/null +++ b/queue-6.12/loongarch-save-and-restore-csr.cntc-for-hibernation.patch @@ -0,0 +1,71 @@ +From ceb9155d058a11242aa0572875c44e9713b1a2be Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 14 May 2025 22:17:52 +0800 +Subject: LoongArch: Save and restore CSR.CNTC for hibernation + +From: Huacai Chen + +commit ceb9155d058a11242aa0572875c44e9713b1a2be upstream. + +Save and restore CSR.CNTC for hibernation which is similar to suspend. + +For host this is unnecessary because sched clock is ensured continuous, +but for kvm guest sched clock isn't enough because rdtime.d should also +be continuous. + +Host::rdtime.d = Host::CSR.CNTC + counter +Guest::rdtime.d = Host::CSR.CNTC + Host::CSR.GCNTC + Guest::CSR.CNTC + counter + +so, + +Guest::rdtime.d = Host::rdtime.d + Host::CSR.GCNTC + Guest::CSR.CNTC + +To ensure Guest::rdtime.d continuous, Host::rdtime.d should be at first +continuous, while Host::CSR.GCNTC / Guest::CSR.CNTC is maintained by KVM. + +Cc: stable@vger.kernel.org +Signed-off-by: Xianglai Li +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/time.c | 2 +- + arch/loongarch/power/hibernate.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/kernel/time.c ++++ b/arch/loongarch/kernel/time.c +@@ -111,7 +111,7 @@ static unsigned long __init get_loops_pe + return lpj; + } + +-static long init_offset __nosavedata; ++static long init_offset; + + void save_counter(void) + { +--- a/arch/loongarch/power/hibernate.c ++++ b/arch/loongarch/power/hibernate.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -14,6 +15,7 @@ struct pt_regs saved_regs; + + void save_processor_state(void) + { ++ save_counter(); + saved_crmd = csr_read32(LOONGARCH_CSR_CRMD); + saved_prmd = csr_read32(LOONGARCH_CSR_PRMD); + saved_euen = csr_read32(LOONGARCH_CSR_EUEN); +@@ -26,6 +28,7 @@ void save_processor_state(void) + + void restore_processor_state(void) + { ++ sync_counter(); + csr_write32(saved_crmd, LOONGARCH_CSR_CRMD); + csr_write32(saved_prmd, LOONGARCH_CSR_PRMD); + csr_write32(saved_euen, LOONGARCH_CSR_EUEN); diff --git a/queue-6.12/loongarch-uprobes-remove-redundant-code-about-resume_era.patch b/queue-6.12/loongarch-uprobes-remove-redundant-code-about-resume_era.patch new file mode 100644 index 0000000000..4e5d7530a0 --- /dev/null +++ b/queue-6.12/loongarch-uprobes-remove-redundant-code-about-resume_era.patch @@ -0,0 +1,57 @@ +From 12614f794274f63fbdfe76771b2b332077d63848 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Wed, 14 May 2025 22:18:10 +0800 +Subject: LoongArch: uprobes: Remove redundant code about resume_era + +From: Tiezhu Yang + +commit 12614f794274f63fbdfe76771b2b332077d63848 upstream. + +arch_uprobe_skip_sstep() returns true if instruction was emulated, that +is to say, there is no need to single step for the emulated instructions. +regs->csr_era will point to the destination address directly after the +exception, so the resume_era related code is redundant, just remove them. + +Cc: stable@vger.kernel.org +Fixes: 19bc6cb64092 ("LoongArch: Add uprobes support") +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/uprobes.h | 1 - + arch/loongarch/kernel/uprobes.c | 7 +------ + 2 files changed, 1 insertion(+), 7 deletions(-) + +--- a/arch/loongarch/include/asm/uprobes.h ++++ b/arch/loongarch/include/asm/uprobes.h +@@ -15,7 +15,6 @@ typedef u32 uprobe_opcode_t; + #define UPROBE_XOLBP_INSN __emit_break(BRK_UPROBE_XOLBP) + + struct arch_uprobe { +- unsigned long resume_era; + u32 insn[2]; + u32 ixol[2]; + bool simulate; +--- a/arch/loongarch/kernel/uprobes.c ++++ b/arch/loongarch/kernel/uprobes.c +@@ -52,11 +52,7 @@ int arch_uprobe_post_xol(struct arch_upr + + WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR); + current->thread.trap_nr = utask->autask.saved_trap_nr; +- +- if (auprobe->simulate) +- instruction_pointer_set(regs, auprobe->resume_era); +- else +- instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE); ++ instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE); + + return 0; + } +@@ -86,7 +82,6 @@ bool arch_uprobe_skip_sstep(struct arch_ + + insn.word = auprobe->insn[0]; + arch_simulate_insn(insn, regs); +- auprobe->resume_era = regs->csr_era; + + return true; + } diff --git a/queue-6.12/loongarch-uprobes-remove-user_-en-dis-able_single_step.patch b/queue-6.12/loongarch-uprobes-remove-user_-en-dis-able_single_step.patch new file mode 100644 index 0000000000..f9e958447e --- /dev/null +++ b/queue-6.12/loongarch-uprobes-remove-user_-en-dis-able_single_step.patch @@ -0,0 +1,61 @@ +From 0b326b2371f94e798137cc1a3c5c2eef2bc69061 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Wed, 14 May 2025 22:18:10 +0800 +Subject: LoongArch: uprobes: Remove user_{en,dis}able_single_step() + +From: Tiezhu Yang + +commit 0b326b2371f94e798137cc1a3c5c2eef2bc69061 upstream. + +When executing the "perf probe" and "perf stat" test cases about some +cryptographic algorithm, the output shows that "Trace/breakpoint trap". +This is because it uses the software singlestep breakpoint for uprobes +on LoongArch, and no need to use the hardware singlestep. So just remove +the related function call to user_{en,dis}able_single_step() for uprobes +on LoongArch. + +How to reproduce: + +Please make sure CONFIG_UPROBE_EVENTS is set and openssl supports sm2 +algorithm, then execute the following command. + +cd tools/perf && make +./perf probe -x /usr/lib64/libcrypto.so BN_mod_mul_montgomery +./perf stat -e probe_libcrypto:BN_mod_mul_montgomery openssl speed sm2 + +Cc: stable@vger.kernel.org +Fixes: 19bc6cb64092 ("LoongArch: Add uprobes support") +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/uprobes.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/loongarch/kernel/uprobes.c ++++ b/arch/loongarch/kernel/uprobes.c +@@ -42,7 +42,6 @@ int arch_uprobe_pre_xol(struct arch_upro + utask->autask.saved_trap_nr = current->thread.trap_nr; + current->thread.trap_nr = UPROBE_TRAP_NR; + instruction_pointer_set(regs, utask->xol_vaddr); +- user_enable_single_step(current); + + return 0; + } +@@ -59,8 +58,6 @@ int arch_uprobe_post_xol(struct arch_upr + else + instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE); + +- user_disable_single_step(current); +- + return 0; + } + +@@ -70,7 +67,6 @@ void arch_uprobe_abort_xol(struct arch_u + + current->thread.trap_nr = utask->autask.saved_trap_nr; + instruction_pointer_set(regs, utask->vaddr); +- user_disable_single_step(current); + } + + bool arch_uprobe_xol_was_trapped(struct task_struct *t) diff --git a/queue-6.12/maintainers-update-alexey-makhalov-s-email-address.patch b/queue-6.12/maintainers-update-alexey-makhalov-s-email-address.patch new file mode 100644 index 0000000000..aca5b52469 --- /dev/null +++ b/queue-6.12/maintainers-update-alexey-makhalov-s-email-address.patch @@ -0,0 +1,52 @@ +From 386cd3dcfd63491619b4034b818737fc0219e128 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Tue, 18 Mar 2025 00:40:31 +0000 +Subject: MAINTAINERS: Update Alexey Makhalov's email address + +From: Alexey Makhalov + +commit 386cd3dcfd63491619b4034b818737fc0219e128 upstream. + +Fix a typo in an email address. + +Closes: https://lore.kernel.org/all/20240925-rational-succinct-vulture-cca9fb@lemur/T/ +Reported-by: Konstantin Ryabitsev +Reported-by: Juergen Gross +Signed-off-by: Alexey Makhalov +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20250318004031.2703923-1-alexey.makhalov@broadcom.com +Signed-off-by: Greg Kroah-Hartman +--- + MAINTAINERS | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -17503,7 +17503,7 @@ F: include/uapi/linux/ppdev.h + PARAVIRT_OPS INTERFACE + M: Juergen Gross + R: Ajay Kaher +-R: Alexey Makhalov ++R: Alexey Makhalov + R: Broadcom internal kernel review list + L: virtualization@lists.linux.dev + L: x86@kernel.org +@@ -24729,7 +24729,7 @@ F: drivers/misc/vmw_balloon.c + + VMWARE HYPERVISOR INTERFACE + M: Ajay Kaher +-M: Alexey Makhalov ++M: Alexey Makhalov + R: Broadcom internal kernel review list + L: virtualization@lists.linux.dev + L: x86@kernel.org +@@ -24757,7 +24757,7 @@ F: drivers/scsi/vmw_pvscsi.h + VMWARE VIRTUAL PTP CLOCK DRIVER + M: Nick Shi + R: Ajay Kaher +-R: Alexey Makhalov ++R: Alexey Makhalov + R: Broadcom internal kernel review list + L: netdev@vger.kernel.org + S: Supported diff --git a/queue-6.12/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch b/queue-6.12/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch index 49c9edbc00..7660a05a6d 100644 --- a/queue-6.12/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch +++ b/queue-6.12/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch @@ -15,14 +15,12 @@ Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for retu Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin --- - fs/nfs/pnfs.c | 9 +++++++++ + fs/nfs/pnfs.c | 9 +++++++++ 1 file changed, 9 insertions(+) -diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c -index 5f582713bf05e..683e09be25adf 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c -@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo, +@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct return remaining; } @@ -37,7 +35,7 @@ index 5f582713bf05e..683e09be25adf 100644 static void pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo, struct list_head *free_me, -@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo, +@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq); pnfs_free_returned_lsegs(lo, &freeme, range, seq); pnfs_set_layout_stateid(lo, stateid, NULL, true); @@ -45,6 +43,3 @@ index 5f582713bf05e..683e09be25adf 100644 } else pnfs_mark_layout_stateid_invalid(lo, &freeme); out_unlock: --- -2.39.5 - diff --git a/queue-6.12/revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch b/queue-6.12/revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch new file mode 100644 index 0000000000..bccef08c21 --- /dev/null +++ b/queue-6.12/revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch @@ -0,0 +1,57 @@ +From fe14c0f096f58d2569e587e9f4b05d772272bbb4 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 22 Apr 2025 11:58:11 -0300 +Subject: Revert "drm/amd/display: Hardware cursor changes color when switched to software cursor" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Melissa Wen + +commit fe14c0f096f58d2569e587e9f4b05d772272bbb4 upstream. + +This reverts commit 272e6aab14bbf98d7a06b2b1cd6308a02d4a10a1. + +Applying degamma curve to the cursor by default breaks Linux userspace +expectation. + +On Linux, AMD display manager enables cursor degamma ROM just for +implict sRGB on HW versions where degamma is split into two blocks: +degamma ROM for pre-defined TFs and `gamma correction` for user/custom +curves, and degamma ROM settings doesn't apply to cursor plane. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1513 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2803 +Reported-by: Michel Dänzer +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4144 +Signed-off-by: Melissa Wen +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit f6a305d4748801a6c799ae9375b2ecff3aed094b) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c b/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c +index 1236e0f9a256..712aff7e17f7 100644 +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c +@@ -120,10 +120,11 @@ void dpp401_set_cursor_attributes( + enum dc_cursor_color_format color_format = cursor_attributes->color_format; + int cur_rom_en = 0; + +- // DCN4 should always do Cursor degamma for Cursor Color modes + if (color_format == CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA || + color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) { +- cur_rom_en = 1; ++ if (cursor_attributes->attribute_flags.bits.ENABLE_CURSOR_DEGAMMA) { ++ cur_rom_en = 1; ++ } + } + + REG_UPDATE_3(CURSOR0_CONTROL, +-- +2.49.0 + diff --git a/queue-6.12/sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch b/queue-6.12/sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch new file mode 100644 index 0000000000..89aa19d877 --- /dev/null +++ b/queue-6.12/sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch @@ -0,0 +1,40 @@ +From 428dc9fc0873989d73918d4a9cc22745b7bbc799 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 5 May 2025 11:30:39 -1000 +Subject: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator + +From: Tejun Heo + +commit 428dc9fc0873989d73918d4a9cc22745b7bbc799 upstream. + +BPF programs may call next() and destroy() on BPF iterators even after new() +returns an error value (e.g. bpf_for_each() macro ignores error returns from +new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized +state after an error return causing bpf_iter_scx_dsq_next() to dereference +garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that +next() and destroy() become noops. + +Signed-off-by: Tejun Heo +Fixes: 650ba21b131e ("sched_ext: Implement DSQ iterator") +Cc: stable@vger.kernel.org # v6.12+ +Acked-by: Andrea Righi +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -6731,6 +6731,12 @@ __bpf_kfunc int bpf_iter_scx_dsq_new(str + BUILD_BUG_ON(__alignof__(struct bpf_iter_scx_dsq_kern) != + __alignof__(struct bpf_iter_scx_dsq)); + ++ /* ++ * next() and destroy() will be called regardless of the return value. ++ * Always clear $kit->dsq. ++ */ ++ kit->dsq = NULL; ++ + if (flags & ~__SCX_DSQ_ITER_USER_FLAGS) + return -EINVAL; + diff --git a/queue-6.12/series b/queue-6.12/series index 51207cec46..864aff2144 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -73,3 +73,25 @@ mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch net-tls-fix-kernel-panic-when-alloc_page-failed.patch tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch +dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch +sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch +udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch +hid-bpf-abort-dispatch-if-device-destroyed.patch +loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch +loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch +loongarch-save-and-restore-csr.cntc-for-hibernation.patch +loongarch-fix-max_reg_offset-calculation.patch +loongarch-uprobes-remove-user_-en-dis-able_single_step.patch +loongarch-uprobes-remove-redundant-code-about-resume_era.patch +btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch +btrfs-fix-folio-leak-in-submit_one_async_extent.patch +btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch +revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch +drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch +drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch +drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch +drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch +drm-amd-display-avoid-flooding-unnecessary-info-messages.patch +maintainers-update-alexey-makhalov-s-email-address.patch +gpio-pca953x-fix-irq-storm-on-system-wake-up.patch +acpi-pptt-fix-processor-subtable-walk.patch diff --git a/queue-6.12/udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch b/queue-6.12/udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch new file mode 100644 index 0000000000..4d43f4134c --- /dev/null +++ b/queue-6.12/udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch @@ -0,0 +1,40 @@ +From 55dd5b4db3bf04cf077a8d1712f6295d4517c337 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 May 2025 11:49:41 +0200 +Subject: udf: Make sure i_lenExtents is uptodate on inode eviction + +From: Jan Kara + +commit 55dd5b4db3bf04cf077a8d1712f6295d4517c337 upstream. + +UDF maintains total length of all extents in i_lenExtents. Generally we +keep extent lengths (and thus i_lenExtents) block aligned because it +makes the file appending logic simpler. However the standard mandates +that the inode size must match the length of all extents and thus we +trim the last extent when closing the file. To catch possible bugs we +also verify that i_lenExtents matches i_size when evicting inode from +memory. Commit b405c1e58b73 ("udf: refactor udf_next_aext() to handle +error") however broke the code updating i_lenExtents and thus +udf_evict_inode() ended up spewing lots of errors about incorrectly +sized extents although the extents were actually sized properly. Fix the +updating of i_lenExtents to silence the errors. + +Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/truncate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -115,7 +115,7 @@ void udf_truncate_tail_extent(struct ino + } + /* This inode entry is in-memory only and thus we don't have to mark + * the inode dirty */ +- if (ret == 0) ++ if (ret >= 0) + iinfo->i_lenExtents = inode->i_size; + brelse(epos.bh); + } -- 2.47.3