From 24c26f52d3b2201d09b38d4d4b6ecf372d2ea992 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 7 Oct 2024 19:12:15 +0200 Subject: [PATCH] 6.11-stable patches added patches: aoe-fix-the-potential-use-after-free-problem-in-more-places.patch cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch clk-qcom-gcc-sc8180x-add-gpll9-support.patch clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch clk-rockchip-fix-error-for-unknown-clocks.patch clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch drm-amd-display-avoid-set-dispclk-to-0.patch dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch gfs2-fix-double-destroy_workqueue-error.patch gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch input-adp5589-keys-fix-adp5589_gpio_get_value.patch input-adp5589-keys-fix-null-pointer-dereference.patch kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch media-imx335-fix-reset-gpio-handling.patch media-ov5675-fix-power-on-off-delay-timings.patch media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch smb-client-use-actual-path-when-queryfs.patch smb3-fix-incorrect-mode-displayed-for-read-only-files.patch tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch --- ...se-after-free-problem-in-more-places.patch | 98 ++++ ...-dentry-leak-in-cachefiles_open_file.patch | 103 ++++ ...cal_l_val-override-for-lucid-evo-pll.patch | 43 ++ ...om-clk-rpmh-fix-overflow-in-bcm-vote.patch | 36 ++ ...lk_set_rate_parent-for-branch-clocks.patch | 48 ++ ...k-qcom-gcc-sc8180x-add-gpll9-support.patch | 66 +++ ...he-sdcc2-and-sdcc4-clocks-freq-table.patch | 44 ++ ...gister-qupv3-rcgs-for-dfs-on-sc8180x.patch | 545 ++++++++++++++++++ ...50-de-register-gcc_cpuss_ahb_clk_src.patch | 124 ++++ ...n-off-pcie-gdscs-during-gdsc_disable.patch | 57 ++ ...n-off-pcie-gdscs-during-gdsc_disable.patch | 48 ++ ...ockchip-fix-error-for-unknown-clocks.patch | 43 ++ ...date-clks_nr_fsys-after-bindings-fix.patch | 33 ++ ...ign-errno-for-unsupported-perf-event.patch | 68 +++ ...m-amd-display-avoid-set-dispclk-to-0.patch | 36 ++ ...com-add-gpll9-support-on-gcc-sc8180x.patch | 32 + ...2-fix-double-destroy_workqueue-error.patch | 51 ++ ...gmentation-after-pull-from-frag_list.patch | 72 +++ ...id-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch | 60 ++ ...8975-fix-reading-for-ak099xx-sensors.patch | 78 +++ ...-bmp280-fix-regmap-for-bmp280-device.patch | 130 +++++ ...aiting-time-for-bmp3xx-configuration.patch | 42 ++ ...5589-keys-fix-adp5589_gpio_get_value.patch | 49 ++ ...89-keys-fix-null-pointer-dereference.patch | 58 ++ ...-mm-fix-wrong-__nr_userfaultfd-value.patch | 60 ++ ...nt-blink-configuration-error-message.patch | 52 ++ ...media-imx335-fix-reset-gpio-handling.patch | 74 +++ ...v5675-fix-power-on-off-delay-timings.patch | 84 +++ ...ss-fix-ordering-of-pm_runtime_enable.patch | 62 ++ ...ve-use_count-guard-in-stop_streaming.patch | 89 +++ ...t-link-validate-for-sun4i_csi-subdev.patch | 45 ++ ...ec.h-cec_msg_set_reply_to-zero-flags.patch | 44 ++ ...n-venus_remove-due-to-race-condition.patch | 50 ++ ...-allocation-requirement-of-2-buffers.patch | 55 ++ ...-filemap_get_folios_contig-thp-panic.patch | 74 +++ ...ix-memfd_pin_folios-alloc-race-panic.patch | 51 ++ ...d_pin_folios-hugetlb-page-allocation.patch | 66 +++ ...emfd_pin_folios-free_huge_pages-leak.patch | 62 ++ ...emfd_pin_folios-resv_huge_pages-leak.patch | 124 ++++ ...b-simplify-refs-in-memfd_alloc_folio.patch | 77 +++ ...gmentation-after-pull-from-frag_list.patch | 84 +++ ...division-error-when-disabling-tc-cbs.patch | 42 ++ ...-error-handling-when-power-up-failed.patch | 45 ++ ...nel-stack-size-when-kasan-is-enabled.patch | 61 ++ ...fix-of-node-leak-in-probe-error-path.patch | 32 + queue-6.11/series | 49 ++ ...-client-use-actual-path-when-queryfs.patch | 140 +++++ ...t-mode-displayed-for-read-only-files.patch | 82 +++ ...if-symlink-s-pathname-does-not-exist.patch | 52 ++ ...-unnecessary-rcu-bh-critical-section.patch | 90 +++ 50 files changed, 3710 insertions(+) create mode 100644 queue-6.11/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch create mode 100644 queue-6.11/cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch create mode 100644 queue-6.11/clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch create mode 100644 queue-6.11/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch create mode 100644 queue-6.11/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch create mode 100644 queue-6.11/clk-qcom-gcc-sc8180x-add-gpll9-support.patch create mode 100644 queue-6.11/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch create mode 100644 queue-6.11/clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch create mode 100644 queue-6.11/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch create mode 100644 queue-6.11/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch create mode 100644 queue-6.11/clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch create mode 100644 queue-6.11/clk-rockchip-fix-error-for-unknown-clocks.patch create mode 100644 queue-6.11/clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch create mode 100644 queue-6.11/drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch create mode 100644 queue-6.11/drm-amd-display-avoid-set-dispclk-to-0.patch create mode 100644 queue-6.11/dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch create mode 100644 queue-6.11/gfs2-fix-double-destroy_workqueue-error.patch create mode 100644 queue-6.11/gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch create mode 100644 queue-6.11/hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch create mode 100644 queue-6.11/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch create mode 100644 queue-6.11/iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch create mode 100644 queue-6.11/iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch create mode 100644 queue-6.11/input-adp5589-keys-fix-adp5589_gpio_get_value.patch create mode 100644 queue-6.11/input-adp5589-keys-fix-null-pointer-dereference.patch create mode 100644 queue-6.11/kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch create mode 100644 queue-6.11/leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch create mode 100644 queue-6.11/media-imx335-fix-reset-gpio-handling.patch create mode 100644 queue-6.11/media-ov5675-fix-power-on-off-delay-timings.patch create mode 100644 queue-6.11/media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch create mode 100644 queue-6.11/media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch create mode 100644 queue-6.11/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch create mode 100644 queue-6.11/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch create mode 100644 queue-6.11/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch create mode 100644 queue-6.11/media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch create mode 100644 queue-6.11/mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch create mode 100644 queue-6.11/mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch create mode 100644 queue-6.11/mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch create mode 100644 queue-6.11/mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch create mode 100644 queue-6.11/mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch create mode 100644 queue-6.11/mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch create mode 100644 queue-6.11/net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch create mode 100644 queue-6.11/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch create mode 100644 queue-6.11/remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch create mode 100644 queue-6.11/riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch create mode 100644 queue-6.11/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch create mode 100644 queue-6.11/smb-client-use-actual-path-when-queryfs.patch create mode 100644 queue-6.11/smb3-fix-incorrect-mode-displayed-for-read-only-files.patch create mode 100644 queue-6.11/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch create mode 100644 queue-6.11/vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch diff --git a/queue-6.11/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch b/queue-6.11/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch new file mode 100644 index 00000000000..60cfe219168 --- /dev/null +++ b/queue-6.11/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch @@ -0,0 +1,98 @@ +From 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 Mon Sep 17 00:00:00 2001 +From: Chun-Yi Lee +Date: Wed, 2 Oct 2024 11:54:58 +0800 +Subject: aoe: fix the potential use-after-free problem in more places + +From: Chun-Yi Lee + +commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream. + +For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential +use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() +instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs +into use-after-free. + +Then Nicolai Stange found more places in aoe have potential use-after-free +problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() +and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push +packet to tx queue. So they should also use dev_hold() to increase the +refcnt of skb->dev. + +On the other hand, moving dev_put() to tx() causes that the refcnt of +skb->dev be reduced to a negative value, because corresponding +dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), +probe(), and aoecmd_cfg_rsp(). This patch fixed this issue. + +Cc: stable@vger.kernel.org +Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 +Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") +Reported-by: Nicolai Stange +Signed-off-by: Chun-Yi Lee +Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com +Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/aoe/aoecmd.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -361,6 +361,7 @@ ata_rw_frameinit(struct frame *f) + } + + ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit; ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + } + +@@ -401,6 +402,8 @@ aoecmd_ata_rw(struct aoedev *d) + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); + aoenet_xmit(&queue); ++ } else { ++ dev_put(f->t->ifp->nd); + } + return 1; + } +@@ -483,10 +486,13 @@ resend(struct aoedev *d, struct frame *f + memcpy(h->dst, t->addr, sizeof h->dst); + memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src); + ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + skb = skb_clone(skb, GFP_ATOMIC); +- if (skb == NULL) ++ if (skb == NULL) { ++ dev_put(t->ifp->nd); + return; ++ } + f->sent = ktime_get(); + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); +@@ -617,6 +623,8 @@ probe(struct aoetgt *t) + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); + aoenet_xmit(&queue); ++ } else { ++ dev_put(f->t->ifp->nd); + } + } + +@@ -1395,6 +1403,7 @@ aoecmd_ata_id(struct aoedev *d) + ah->cmdstat = ATA_CMD_ID_ATA; + ah->lba3 = 0xa0; + ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + + d->rttavg = RTTAVG_INIT; +@@ -1404,6 +1413,8 @@ aoecmd_ata_id(struct aoedev *d) + skb = skb_clone(skb, GFP_ATOMIC); + if (skb) + f->sent = ktime_get(); ++ else ++ dev_put(t->ifp->nd); + + return skb; + } diff --git a/queue-6.11/cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch b/queue-6.11/cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch new file mode 100644 index 00000000000..d7222a32437 --- /dev/null +++ b/queue-6.11/cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch @@ -0,0 +1,103 @@ +From da6ef2dffe6056aad3435e6cf7c6471c2a62187c Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 29 Aug 2024 16:34:09 +0800 +Subject: cachefiles: fix dentry leak in cachefiles_open_file() + +From: Baokun Li + +commit da6ef2dffe6056aad3435e6cf7c6471c2a62187c upstream. + +A dentry leak may be caused when a lookup cookie and a cull are concurrent: + + P1 | P2 +----------------------------------------------------------- +cachefiles_lookup_cookie + cachefiles_look_up_object + lookup_one_positive_unlocked + // get dentry + cachefiles_cull + inode->i_flags |= S_KERNEL_FILE; + cachefiles_open_file + cachefiles_mark_inode_in_use + __cachefiles_mark_inode_in_use + can_use = false + if (!(inode->i_flags & S_KERNEL_FILE)) + can_use = true + return false + return false + // Returns an error but doesn't put dentry + +After that the following WARNING will be triggered when the backend folder +is umounted: + +================================================================== +BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda] +WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70 +CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25 +RIP: 0010:umount_check+0x5d/0x70 +Call Trace: + + d_walk+0xda/0x2b0 + do_one_tree+0x20/0x40 + shrink_dcache_for_umount+0x2c/0x90 + generic_shutdown_super+0x20/0x160 + kill_block_super+0x1a/0x40 + ext4_kill_sb+0x22/0x40 + deactivate_locked_super+0x35/0x80 + cleanup_mnt+0x104/0x160 +================================================================== + +Whether cachefiles_open_file() returns true or false, the reference count +obtained by lookup_positive_unlocked() in cachefiles_look_up_object() +should be released. + +Therefore release that reference count in cachefiles_look_up_object() to +fix the above issue and simplify the code. + +Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Link: https://lore.kernel.org/r/20240829083409.3788142-1-libaokun@huaweicloud.com +Acked-by: David Howells +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/cachefiles/namei.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -595,14 +595,12 @@ static bool cachefiles_open_file(struct + * write and readdir but not lookup or open). + */ + touch_atime(&file->f_path); +- dput(dentry); + return true; + + check_failed: + fscache_cookie_lookup_negative(object->cookie); + cachefiles_unmark_inode_in_use(object, file); + fput(file); +- dput(dentry); + if (ret == -ESTALE) + return cachefiles_create_file(object); + return false; +@@ -611,7 +609,6 @@ error_fput: + fput(file); + error: + cachefiles_do_unmark_inode_in_use(object, d_inode(dentry)); +- dput(dentry); + return false; + } + +@@ -654,7 +651,9 @@ bool cachefiles_look_up_object(struct ca + goto new_file; + } + +- if (!cachefiles_open_file(object, dentry)) ++ ret = cachefiles_open_file(object, dentry); ++ dput(dentry); ++ if (!ret) + return false; + + _leave(" = t [%lu]", file_inode(object->file)->i_ino); diff --git a/queue-6.11/clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch b/queue-6.11/clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch new file mode 100644 index 00000000000..8604436d969 --- /dev/null +++ b/queue-6.11/clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch @@ -0,0 +1,43 @@ +From fff617979f97c773aaa9432c31cf62444b3bdbd4 Mon Sep 17 00:00:00 2001 +From: Ajit Pandey +Date: Tue, 11 Jun 2024 19:07:45 +0530 +Subject: clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL + +From: Ajit Pandey + +commit fff617979f97c773aaa9432c31cf62444b3bdbd4 upstream. + +In LUCID EVO PLL CAL_L_VAL and L_VAL bitfields are part of single +PLL_L_VAL register. Update for L_VAL bitfield values in PLL_L_VAL +register using regmap_write() API in __alpha_pll_trion_set_rate +callback will override LUCID EVO PLL initial configuration related +to PLL_CAL_L_VAL bit fields in PLL_L_VAL register. + +Observed random PLL lock failures during PLL enable due to such +override in PLL calibration value. Use regmap_update_bits() with +L_VAL bitfield mask instead of regmap_write() API to update only +PLL_L_VAL bitfields in __alpha_pll_trion_set_rate callback. + +Fixes: 260e36606a03 ("clk: qcom: clk-alpha-pll: add Lucid EVO PLL configuration interfaces") +Cc: stable@vger.kernel.org +Signed-off-by: Ajit Pandey +Reviewed-by: Dmitry Baryshkov +Acked-by: Vladimir Zapolskiy +Link: https://lore.kernel.org/r/20240611133752.2192401-2-quic_ajipan@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-alpha-pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/qcom/clk-alpha-pll.c ++++ b/drivers/clk/qcom/clk-alpha-pll.c +@@ -1713,7 +1713,7 @@ static int __alpha_pll_trion_set_rate(st + if (ret < 0) + return ret; + +- regmap_write(pll->clkr.regmap, PLL_L_VAL(pll), l); ++ regmap_update_bits(pll->clkr.regmap, PLL_L_VAL(pll), LUCID_EVO_PLL_L_VAL_MASK, l); + regmap_write(pll->clkr.regmap, PLL_ALPHA_VAL(pll), a); + + /* Latch the PLL input */ diff --git a/queue-6.11/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch b/queue-6.11/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch new file mode 100644 index 00000000000..ba2d3e5b0b8 --- /dev/null +++ b/queue-6.11/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch @@ -0,0 +1,36 @@ +From a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 Mon Sep 17 00:00:00 2001 +From: Mike Tipton +Date: Fri, 9 Aug 2024 10:51:29 +0530 +Subject: clk: qcom: clk-rpmh: Fix overflow in BCM vote + +From: Mike Tipton + +commit a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 upstream. + +Valid frequencies may result in BCM votes that exceed the max HW value. +Set vote ceiling to BCM_TCS_CMD_VOTE_MASK to ensure the votes aren't +truncated, which can result in lower frequencies than desired. + +Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Tipton +Reviewed-by: Taniya Das +Signed-off-by: Imran Shaik +Link: https://lore.kernel.org/r/20240809-clk-rpmh-bcm-vote-fix-v2-1-240c584b7ef9@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-rpmh.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/qcom/clk-rpmh.c ++++ b/drivers/clk/qcom/clk-rpmh.c +@@ -263,6 +263,8 @@ static int clk_rpmh_bcm_send_cmd(struct + cmd_state = 0; + } + ++ cmd_state = min(cmd_state, BCM_TCS_CMD_VOTE_MASK); ++ + if (c->last_sent_aggr_state != cmd_state) { + cmd.addr = c->res_addr; + cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state); diff --git a/queue-6.11/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch b/queue-6.11/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch new file mode 100644 index 00000000000..6f220448b6c --- /dev/null +++ b/queue-6.11/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch @@ -0,0 +1,48 @@ +From 0e93c6320ecde0583de09f3fe801ce8822886fec Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Sun, 4 Aug 2024 08:40:05 +0300 +Subject: clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks + +From: Dmitry Baryshkov + +commit 0e93c6320ecde0583de09f3fe801ce8822886fec upstream. + +Add CLK_SET_RATE_PARENT for several branch clocks. Such clocks don't +have a way to change the rate, so set the parent rate instead. + +Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-1-1149dd8399fe@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/dispcc-sm8250.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clk/qcom/dispcc-sm8250.c ++++ b/drivers/clk/qcom/dispcc-sm8250.c +@@ -849,6 +849,7 @@ static struct clk_branch disp_cc_mdss_dp + &disp_cc_mdss_dp_link1_div_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, +@@ -884,6 +885,7 @@ static struct clk_branch disp_cc_mdss_dp + &disp_cc_mdss_dp_link_div_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, +@@ -1009,6 +1011,7 @@ static struct clk_branch disp_cc_mdss_md + &disp_cc_mdss_mdp_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, diff --git a/queue-6.11/clk-qcom-gcc-sc8180x-add-gpll9-support.patch b/queue-6.11/clk-qcom-gcc-sc8180x-add-gpll9-support.patch new file mode 100644 index 00000000000..72d0dc6600f --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sc8180x-add-gpll9-support.patch @@ -0,0 +1,66 @@ +From 818a2f8d5e4ad2c1e39a4290158fe8e39a744c70 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:03 +0530 +Subject: clk: qcom: gcc-sc8180x: Add GPLL9 support + +From: Satya Priya Kakitapalli + +commit 818a2f8d5e4ad2c1e39a4290158fe8e39a744c70 upstream. + +Add the missing GPLL9 pll and fix the gcc_parents_7 data to use +the correct pll hw. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-3-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -142,6 +142,23 @@ static struct clk_alpha_pll gpll7 = { + }, + }; + ++static struct clk_alpha_pll gpll9 = { ++ .offset = 0x1c000, ++ .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_TRION], ++ .clkr = { ++ .enable_reg = 0x52000, ++ .enable_mask = BIT(9), ++ .hw.init = &(const struct clk_init_data) { ++ .name = "gpll9", ++ .parent_data = &(const struct clk_parent_data) { ++ .fw_name = "bi_tcxo", ++ }, ++ .num_parents = 1, ++ .ops = &clk_alpha_pll_fixed_trion_ops, ++ }, ++ }, ++}; ++ + static const struct parent_map gcc_parent_map_0[] = { + { P_BI_TCXO, 0 }, + { P_GPLL0_OUT_MAIN, 1 }, +@@ -241,7 +258,7 @@ static const struct parent_map gcc_paren + static const struct clk_parent_data gcc_parents_7[] = { + { .fw_name = "bi_tcxo", }, + { .hw = &gpll0.clkr.hw }, +- { .name = "gppl9" }, ++ { .hw = &gpll9.clkr.hw }, + { .hw = &gpll4.clkr.hw }, + { .hw = &gpll0_out_even.clkr.hw }, + }; +@@ -4489,6 +4506,7 @@ static struct clk_regmap *gcc_sc8180x_cl + [GPLL1] = &gpll1.clkr, + [GPLL4] = &gpll4.clkr, + [GPLL7] = &gpll7.clkr, ++ [GPLL9] = &gpll9.clkr, + }; + + static const struct qcom_reset_map gcc_sc8180x_resets[] = { diff --git a/queue-6.11/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch b/queue-6.11/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch new file mode 100644 index 00000000000..a402c4bd207 --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch @@ -0,0 +1,44 @@ +From b8acaf2de8081371761ab4cf1e7a8ee4e7acc139 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:04 +0530 +Subject: clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table + +From: Satya Priya Kakitapalli + +commit b8acaf2de8081371761ab4cf1e7a8ee4e7acc139 upstream. + +Update the frequency tables of gcc_sdcc2_apps_clk and gcc_sdcc4_apps_clk +as per the latest frequency plan. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-4-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -952,7 +952,7 @@ static const struct freq_tbl ftbl_gcc_sd + F(25000000, P_GPLL0_OUT_MAIN, 12, 1, 2), + F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), + F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), +- F(200000000, P_GPLL0_OUT_MAIN, 3, 0, 0), ++ F(202000000, P_GPLL9_OUT_MAIN, 4, 0, 0), + { } + }; + +@@ -975,9 +975,8 @@ static const struct freq_tbl ftbl_gcc_sd + F(400000, P_BI_TCXO, 12, 1, 4), + F(9600000, P_BI_TCXO, 2, 0, 0), + F(19200000, P_BI_TCXO, 1, 0, 0), +- F(37500000, P_GPLL0_OUT_MAIN, 16, 0, 0), + F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), +- F(75000000, P_GPLL0_OUT_MAIN, 8, 0, 0), ++ F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), + { } + }; + diff --git a/queue-6.11/clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch b/queue-6.11/clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch new file mode 100644 index 00000000000..dd076e91d9f --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch @@ -0,0 +1,545 @@ +From 1fc8c02e1d80463ce1b361d82b83fc43bb92d964 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:01 +0530 +Subject: clk: qcom: gcc-sc8180x: Register QUPv3 RCGs for DFS on sc8180x + +From: Satya Priya Kakitapalli + +commit 1fc8c02e1d80463ce1b361d82b83fc43bb92d964 upstream. + +QUPv3 clocks support DFS on sc8180x platform but currently the code +changes for it are missing from the driver, this results in not +populating all the DFS supported frequencies and returns incorrect +frequency when the clients request for them. Hence add the DFS +registration for QUPv3 RCGs. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-1-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 350 ++++++++++++++++++++++++----------------- + 1 file changed, 210 insertions(+), 140 deletions(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -609,19 +609,29 @@ static const struct freq_tbl ftbl_gcc_qu + { } + }; + ++static struct clk_init_data gcc_qupv3_wrap0_s0_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s0_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, ++}; ++ + static struct clk_rcg2 gcc_qupv3_wrap0_s0_clk_src = { + .cmd_rcgr = 0x17148, + .mnd_width = 16, + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s0_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s0_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s1_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s1_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s1_clk_src = { +@@ -630,13 +640,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s1_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s1_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s2_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s2_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s2_clk_src = { +@@ -645,13 +657,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s2_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s2_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s3_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s3_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s3_clk_src = { +@@ -660,13 +674,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s3_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s3_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s4_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s4_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s4_clk_src = { +@@ -675,13 +691,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s4_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s4_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s5_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s5_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s5_clk_src = { +@@ -690,13 +708,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s5_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s5_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s6_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s6_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s6_clk_src = { +@@ -705,13 +725,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s6_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s6_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap0_s7_clk_src_init = { ++ .name = "gcc_qupv3_wrap0_s7_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap0_s7_clk_src = { +@@ -720,13 +742,15 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap0_s7_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap0_s7_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s0_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s0_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s0_clk_src = { +@@ -735,13 +759,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s0_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s0_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s1_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s1_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s1_clk_src = { +@@ -750,13 +776,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s1_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s1_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s2_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s2_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s2_clk_src = { +@@ -765,13 +793,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s2_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s2_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s3_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s3_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s3_clk_src = { +@@ -780,13 +810,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s3_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s3_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s4_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s4_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s4_clk_src = { +@@ -795,13 +827,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s4_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s4_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap1_s5_clk_src_init = { ++ .name = "gcc_qupv3_wrap1_s5_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap1_s5_clk_src = { +@@ -810,13 +844,15 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap1_s5_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap1_s5_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap2_s0_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s0_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap2_s0_clk_src = { +@@ -825,13 +861,15 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s0_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s0_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap2_s1_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s1_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap2_s1_clk_src = { +@@ -840,28 +878,33 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s1_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s1_clk_src_init, + }; + ++static struct clk_init_data gcc_qupv3_wrap2_s2_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s2_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, ++}; ++ ++ + static struct clk_rcg2 gcc_qupv3_wrap2_s2_clk_src = { + .cmd_rcgr = 0x1e3a8, + .mnd_width = 16, + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s2_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s2_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap2_s3_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s3_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap2_s3_clk_src = { +@@ -870,13 +913,15 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s3_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s3_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap2_s4_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s4_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap2_s4_clk_src = { +@@ -885,13 +930,15 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s4_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s4_clk_src_init, ++}; ++ ++static struct clk_init_data gcc_qupv3_wrap2_s5_clk_src_init = { ++ .name = "gcc_qupv3_wrap2_s5_clk_src", ++ .parent_data = gcc_parents_0, ++ .num_parents = ARRAY_SIZE(gcc_parents_0), ++ .flags = CLK_SET_RATE_PARENT, ++ .ops = &clk_rcg2_ops, + }; + + static struct clk_rcg2 gcc_qupv3_wrap2_s5_clk_src = { +@@ -900,13 +947,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s + .hid_width = 5, + .parent_map = gcc_parent_map_0, + .freq_tbl = ftbl_gcc_qupv3_wrap0_s0_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_qupv3_wrap2_s5_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, ++ .clkr.hw.init = &gcc_qupv3_wrap2_s5_clk_src_init, + }; + + static const struct freq_tbl ftbl_gcc_sdcc2_apps_clk_src[] = { +@@ -4561,6 +4602,29 @@ static const struct qcom_reset_map gcc_s + [GCC_VIDEO_AXI1_CLK_BCR] = { .reg = 0xb028, .bit = 2, .udelay = 150 }, + }; + ++static const struct clk_rcg_dfs_data gcc_dfs_clocks[] = { ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s0_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s1_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s2_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s3_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s4_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s5_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s6_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap0_s7_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s0_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s1_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s2_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s3_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s4_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap1_s5_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s0_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s1_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s2_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s3_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s4_clk_src), ++ DEFINE_RCG_DFS(gcc_qupv3_wrap2_s5_clk_src), ++}; ++ + static struct gdsc *gcc_sc8180x_gdscs[] = { + [EMAC_GDSC] = &emac_gdsc, + [PCIE_0_GDSC] = &pcie_0_gdsc, +@@ -4602,6 +4666,7 @@ MODULE_DEVICE_TABLE(of, gcc_sc8180x_matc + static int gcc_sc8180x_probe(struct platform_device *pdev) + { + struct regmap *regmap; ++ int ret; + + regmap = qcom_cc_map(pdev, &gcc_sc8180x_desc); + if (IS_ERR(regmap)) +@@ -4623,6 +4688,11 @@ static int gcc_sc8180x_probe(struct plat + regmap_update_bits(regmap, 0x4d110, 0x3, 0x3); + regmap_update_bits(regmap, 0x71028, 0x3, 0x3); + ++ ret = qcom_cc_register_rcg_dfs(regmap, gcc_dfs_clocks, ++ ARRAY_SIZE(gcc_dfs_clocks)); ++ if (ret) ++ return ret; ++ + return qcom_cc_really_probe(&pdev->dev, &gcc_sc8180x_desc, regmap); + } + diff --git a/queue-6.11/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch b/queue-6.11/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch new file mode 100644 index 00000000000..1d0a5a33cdb --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch @@ -0,0 +1,124 @@ +From bab0c7a0bc586e736b7cd2aac8e6391709a70ef2 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:05 +0530 +Subject: clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src + +From: Satya Priya Kakitapalli + +commit bab0c7a0bc586e736b7cd2aac8e6391709a70ef2 upstream. + +The branch clocks of gcc_cpuss_ahb_clk_src are marked critical +and hence these clocks vote on XO blocking the suspend. +De-register these clocks and its source as there is no rate +setting happening on them. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-5-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 63 ----------------------------------------- + 1 file changed, 63 deletions(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -260,28 +260,6 @@ static const struct clk_parent_data gcc_ + { .hw = &gpll0_out_even.clkr.hw }, + }; + +-static const struct freq_tbl ftbl_gcc_cpuss_ahb_clk_src[] = { +- F(19200000, P_BI_TCXO, 1, 0, 0), +- F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), +- F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), +- { } +-}; +- +-static struct clk_rcg2 gcc_cpuss_ahb_clk_src = { +- .cmd_rcgr = 0x48014, +- .mnd_width = 0, +- .hid_width = 5, +- .parent_map = gcc_parent_map_0, +- .freq_tbl = ftbl_gcc_cpuss_ahb_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_cpuss_ahb_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, +-}; +- + static const struct freq_tbl ftbl_gcc_emac_ptp_clk_src[] = { + F(19200000, P_BI_TCXO, 1, 0, 0), + F(50000000, P_GPLL0_OUT_EVEN, 6, 0, 0), +@@ -1640,25 +1618,6 @@ static struct clk_branch gcc_cfg_noc_usb + }, + }; + +-/* For CPUSS functionality the AHB clock needs to be left enabled */ +-static struct clk_branch gcc_cpuss_ahb_clk = { +- .halt_reg = 0x48000, +- .halt_check = BRANCH_HALT_VOTED, +- .clkr = { +- .enable_reg = 0x52004, +- .enable_mask = BIT(21), +- .hw.init = &(struct clk_init_data){ +- .name = "gcc_cpuss_ahb_clk", +- .parent_hws = (const struct clk_hw *[]){ +- &gcc_cpuss_ahb_clk_src.clkr.hw +- }, +- .num_parents = 1, +- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT, +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_cpuss_rbcpr_clk = { + .halt_reg = 0x48008, + .halt_check = BRANCH_HALT, +@@ -3191,25 +3150,6 @@ static struct clk_branch gcc_sdcc4_apps_ + }, + }; + +-/* For CPUSS functionality the SYS NOC clock needs to be left enabled */ +-static struct clk_branch gcc_sys_noc_cpuss_ahb_clk = { +- .halt_reg = 0x4819c, +- .halt_check = BRANCH_HALT_VOTED, +- .clkr = { +- .enable_reg = 0x52004, +- .enable_mask = BIT(0), +- .hw.init = &(struct clk_init_data){ +- .name = "gcc_sys_noc_cpuss_ahb_clk", +- .parent_hws = (const struct clk_hw *[]){ +- &gcc_cpuss_ahb_clk_src.clkr.hw +- }, +- .num_parents = 1, +- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT, +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_tsif_ahb_clk = { + .halt_reg = 0x36004, + .halt_check = BRANCH_HALT, +@@ -4325,8 +4265,6 @@ static struct clk_regmap *gcc_sc8180x_cl + [GCC_CFG_NOC_USB3_MP_AXI_CLK] = &gcc_cfg_noc_usb3_mp_axi_clk.clkr, + [GCC_CFG_NOC_USB3_PRIM_AXI_CLK] = &gcc_cfg_noc_usb3_prim_axi_clk.clkr, + [GCC_CFG_NOC_USB3_SEC_AXI_CLK] = &gcc_cfg_noc_usb3_sec_axi_clk.clkr, +- [GCC_CPUSS_AHB_CLK] = &gcc_cpuss_ahb_clk.clkr, +- [GCC_CPUSS_AHB_CLK_SRC] = &gcc_cpuss_ahb_clk_src.clkr, + [GCC_CPUSS_RBCPR_CLK] = &gcc_cpuss_rbcpr_clk.clkr, + [GCC_DDRSS_GPU_AXI_CLK] = &gcc_ddrss_gpu_axi_clk.clkr, + [GCC_DISP_HF_AXI_CLK] = &gcc_disp_hf_axi_clk.clkr, +@@ -4463,7 +4401,6 @@ static struct clk_regmap *gcc_sc8180x_cl + [GCC_SDCC4_AHB_CLK] = &gcc_sdcc4_ahb_clk.clkr, + [GCC_SDCC4_APPS_CLK] = &gcc_sdcc4_apps_clk.clkr, + [GCC_SDCC4_APPS_CLK_SRC] = &gcc_sdcc4_apps_clk_src.clkr, +- [GCC_SYS_NOC_CPUSS_AHB_CLK] = &gcc_sys_noc_cpuss_ahb_clk.clkr, + [GCC_TSIF_AHB_CLK] = &gcc_tsif_ahb_clk.clkr, + [GCC_TSIF_INACTIVITY_TIMERS_CLK] = &gcc_tsif_inactivity_timers_clk.clkr, + [GCC_TSIF_REF_CLK] = &gcc_tsif_ref_clk.clkr, diff --git a/queue-6.11/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch b/queue-6.11/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch new file mode 100644 index 00000000000..9ec4a2cb066 --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch @@ -0,0 +1,57 @@ +From ade508b545c969c72cd68479f275a5dd640fd8b9 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Fri, 19 Jul 2024 19:12:38 +0530 +Subject: clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() + +From: Manivannan Sadhasivam + +commit ade508b545c969c72cd68479f275a5dd640fd8b9 upstream. + +With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of PCIe controllers from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Cc: stable@vger.kernel.org # 5.7 +Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240719134238.312191-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm8250.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm8250.c ++++ b/drivers/clk/qcom/gcc-sm8250.c +@@ -3226,7 +3226,7 @@ static struct gdsc pcie_0_gdsc = { + .pd = { + .name = "pcie_0_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc pcie_1_gdsc = { +@@ -3234,7 +3234,7 @@ static struct gdsc pcie_1_gdsc = { + .pd = { + .name = "pcie_1_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc pcie_2_gdsc = { +@@ -3242,7 +3242,7 @@ static struct gdsc pcie_2_gdsc = { + .pd = { + .name = "pcie_2_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc ufs_card_gdsc = { diff --git a/queue-6.11/clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch b/queue-6.11/clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch new file mode 100644 index 00000000000..2a1e77fefc5 --- /dev/null +++ b/queue-6.11/clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch @@ -0,0 +1,48 @@ +From 889e1332310656961855c0dcedbb4dbe78e39d22 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 22 Jul 2024 16:27:33 +0530 +Subject: clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() + +From: Manivannan Sadhasivam + +commit 889e1332310656961855c0dcedbb4dbe78e39d22 upstream. + +With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of PCIe controllers from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Cc: stable@vger.kernel.org # 5.17 +Fixes: db0c944ee92b ("clk: qcom: Add clock driver for SM8450") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240722105733.13040-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm8450.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm8450.c ++++ b/drivers/clk/qcom/gcc-sm8450.c +@@ -2974,7 +2974,7 @@ static struct gdsc pcie_0_gdsc = { + .pd = { + .name = "pcie_0_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc pcie_1_gdsc = { +@@ -2982,7 +2982,7 @@ static struct gdsc pcie_1_gdsc = { + .pd = { + .name = "pcie_1_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc ufs_phy_gdsc = { diff --git a/queue-6.11/clk-rockchip-fix-error-for-unknown-clocks.patch b/queue-6.11/clk-rockchip-fix-error-for-unknown-clocks.patch new file mode 100644 index 00000000000..8cce9bbf8cc --- /dev/null +++ b/queue-6.11/clk-rockchip-fix-error-for-unknown-clocks.patch @@ -0,0 +1,43 @@ +From 12fd64babaca4dc09d072f63eda76ba44119816a Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Mon, 25 Mar 2024 20:33:36 +0100 +Subject: clk: rockchip: fix error for unknown clocks + +From: Sebastian Reichel + +commit 12fd64babaca4dc09d072f63eda76ba44119816a upstream. + +There is a clk == NULL check after the switch to check for +unsupported clk types. Since clk is re-assigned in a loop, +this check is useless right now for anything but the first +round. Let's fix this up by assigning clk = NULL in the +loop before the switch statement. + +Fixes: a245fecbb806 ("clk: rockchip: add basic infrastructure for clock branches") +Cc: stable@vger.kernel.org +Signed-off-by: Sebastian Reichel +[added fixes + stable-cc] +Link: https://lore.kernel.org/r/20240325193609.237182-6-sebastian.reichel@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/clk/rockchip/clk.c ++++ b/drivers/clk/rockchip/clk.c +@@ -450,12 +450,13 @@ void rockchip_clk_register_branches(stru + struct rockchip_clk_branch *list, + unsigned int nr_clk) + { +- struct clk *clk = NULL; ++ struct clk *clk; + unsigned int idx; + unsigned long flags; + + for (idx = 0; idx < nr_clk; idx++, list++) { + flags = list->flags; ++ clk = NULL; + + /* catch simple muxes */ + switch (list->branch_type) { diff --git a/queue-6.11/clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch b/queue-6.11/clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch new file mode 100644 index 00000000000..b3bb0664344 --- /dev/null +++ b/queue-6.11/clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch @@ -0,0 +1,33 @@ +From 217a5f23c290c349ceaa37a6f2c014ad4c2d5759 Mon Sep 17 00:00:00 2001 +From: David Virag +Date: Tue, 6 Aug 2024 14:11:47 +0200 +Subject: clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix + +From: David Virag + +commit 217a5f23c290c349ceaa37a6f2c014ad4c2d5759 upstream. + +Update CLKS_NR_FSYS to the proper value after a fix in DT bindings. +This should always be the last clock in a CMU + 1. + +Fixes: cd268e309c29 ("dt-bindings: clock: Add bindings for Exynos7885 CMU_FSYS") +Cc: stable@vger.kernel.org +Signed-off-by: David Virag +Link: https://lore.kernel.org/r/20240806121157.479212-5-virag.david003@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos7885.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/samsung/clk-exynos7885.c ++++ b/drivers/clk/samsung/clk-exynos7885.c +@@ -20,7 +20,7 @@ + #define CLKS_NR_TOP (CLK_GOUT_FSYS_USB30DRD + 1) + #define CLKS_NR_CORE (CLK_GOUT_TREX_P_CORE_PCLK_P_CORE + 1) + #define CLKS_NR_PERI (CLK_GOUT_WDT1_PCLK + 1) +-#define CLKS_NR_FSYS (CLK_GOUT_MMC_SDIO_SDCLKIN + 1) ++#define CLKS_NR_FSYS (CLK_MOUT_FSYS_USB30DRD_USER + 1) + + /* ---- CMU_TOP ------------------------------------------------------------- */ + diff --git a/queue-6.11/drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch b/queue-6.11/drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch new file mode 100644 index 00000000000..9b116a26d63 --- /dev/null +++ b/queue-6.11/drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch @@ -0,0 +1,68 @@ +From c625154993d0d24a962b1830cd5ed92adda2cf86 Mon Sep 17 00:00:00 2001 +From: Pu Lehui +Date: Sat, 31 Aug 2024 07:15:20 +0000 +Subject: drivers/perf: riscv: Align errno for unsupported perf event + +From: Pu Lehui + +commit c625154993d0d24a962b1830cd5ed92adda2cf86 upstream. + +RISC-V perf driver does not yet support PERF_TYPE_BREAKPOINT. It would +be more appropriate to return -EOPNOTSUPP or -ENOENT for this type in +pmu_sbi_event_map. Considering that other implementations return -ENOENT +for unsupported perf types, let's synchronize this behavior. Due to this +reason, a riscv bpf testcases perf_skip fail. Meanwhile, align that +behavior to the rest of proper place. + +Signed-off-by: Pu Lehui +Reviewed-by: Atish Patra +Fixes: 9b3e150e310e ("RISC-V: Add a simple platform driver for RISC-V legacy perf") +Fixes: 16d3b1af0944 ("perf: RISC-V: Check standard event availability") +Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240831071520.1630360-1-pulehui@huaweicloud.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/riscv_pmu_legacy.c | 4 ++-- + drivers/perf/riscv_pmu_sbi.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/perf/riscv_pmu_legacy.c ++++ b/drivers/perf/riscv_pmu_legacy.c +@@ -22,13 +22,13 @@ static int pmu_legacy_ctr_get_idx(struct + struct perf_event_attr *attr = &event->attr; + + if (event->attr.type != PERF_TYPE_HARDWARE) +- return -EOPNOTSUPP; ++ return -ENOENT; + if (attr->config == PERF_COUNT_HW_CPU_CYCLES) + return RISCV_PMU_LEGACY_CYCLE; + else if (attr->config == PERF_COUNT_HW_INSTRUCTIONS) + return RISCV_PMU_LEGACY_INSTRET; + else +- return -EOPNOTSUPP; ++ return -ENOENT; + } + + /* For legacy config & counter index are same */ +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -309,7 +309,7 @@ static void pmu_sbi_check_event(struct s + ret.value, 0x1, SBI_PMU_STOP_FLAG_RESET, 0, 0, 0); + } else if (ret.error == SBI_ERR_NOT_SUPPORTED) { + /* This event cannot be monitored by any counter */ +- edata->event_idx = -EINVAL; ++ edata->event_idx = -ENOENT; + } + } + +@@ -543,7 +543,7 @@ static int pmu_sbi_event_map(struct perf + } + break; + default: +- ret = -EINVAL; ++ ret = -ENOENT; + break; + } + diff --git a/queue-6.11/drm-amd-display-avoid-set-dispclk-to-0.patch b/queue-6.11/drm-amd-display-avoid-set-dispclk-to-0.patch new file mode 100644 index 00000000000..0662eefccf2 --- /dev/null +++ b/queue-6.11/drm-amd-display-avoid-set-dispclk-to-0.patch @@ -0,0 +1,36 @@ +From c36df0f5f5e5acec5d78f23c4725cc500df28843 Mon Sep 17 00:00:00 2001 +From: Charlene Liu +Date: Wed, 11 Sep 2024 19:45:09 -0400 +Subject: drm/amd/display: avoid set dispclk to 0 + +From: Charlene Liu + +commit c36df0f5f5e5acec5d78f23c4725cc500df28843 upstream. + +[why] +set dispclk to 0 cause stability issue. + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Charlene Liu +Signed-off-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 1c6b16ebf5eb2bc5740be9e37b3a69f1dfe1dded) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c +@@ -766,6 +766,7 @@ static const struct dc_debug_options deb + .disable_dmub_reallow_idle = false, + .static_screen_wait_frames = 2, + .notify_dpia_hr_bw = true, ++ .min_disp_clk_khz = 50000, + }; + + static const struct dc_panel_config panel_config_defaults = { diff --git a/queue-6.11/dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch b/queue-6.11/dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch new file mode 100644 index 00000000000..9bdd8cfa888 --- /dev/null +++ b/queue-6.11/dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch @@ -0,0 +1,32 @@ +From 648b4bde0aca2980ebc0b90cdfbb80d222370c3d Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:02 +0530 +Subject: dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x + +From: Satya Priya Kakitapalli + +commit 648b4bde0aca2980ebc0b90cdfbb80d222370c3d upstream. + +Add the missing GPLL9 which is required for the gcc sdcc2 clock. + +Fixes: 0fadcdfdcf57 ("dt-bindings: clock: Add SC8180x GCC binding") +Cc: stable@vger.kernel.org +Acked-by: Krzysztof Kozlowski +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-2-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h ++++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h +@@ -248,6 +248,7 @@ + #define GCC_USB3_SEC_CLKREF_CLK 238 + #define GCC_UFS_MEM_CLKREF_EN 239 + #define GCC_UFS_CARD_CLKREF_EN 240 ++#define GPLL9 241 + + #define GCC_EMAC_BCR 0 + #define GCC_GPU_BCR 1 diff --git a/queue-6.11/gfs2-fix-double-destroy_workqueue-error.patch b/queue-6.11/gfs2-fix-double-destroy_workqueue-error.patch new file mode 100644 index 00000000000..787ff57ed7f --- /dev/null +++ b/queue-6.11/gfs2-fix-double-destroy_workqueue-error.patch @@ -0,0 +1,51 @@ +From 6cb9df81a2c462b89d2f9611009ab43ae8717841 Mon Sep 17 00:00:00 2001 +From: Julian Sun +Date: Tue, 20 Aug 2024 11:31:48 +0800 +Subject: gfs2: fix double destroy_workqueue error + +From: Julian Sun + +commit 6cb9df81a2c462b89d2f9611009ab43ae8717841 upstream. + +When gfs2_fill_super() fails, destroy_workqueue() is called within +gfs2_gl_hash_clear(), and the subsequent code path calls +destroy_workqueue() on the same work queue again. + +This issue can be fixed by setting the work queue pointer to NULL after +the first destroy_workqueue() call and checking for a NULL pointer +before attempting to destroy the work queue again. + +Reported-by: syzbot+d34c2a269ed512c531b0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d34c2a269ed512c531b0 +Fixes: 30e388d57367 ("gfs2: Switch to a per-filesystem glock workqueue") +Cc: stable@vger.kernel.org +Signed-off-by: Julian Sun +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/glock.c | 1 + + fs/gfs2/ops_fstype.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -2249,6 +2249,7 @@ void gfs2_gl_hash_clear(struct gfs2_sbd + gfs2_free_dead_glocks(sdp); + glock_hash_walk(dump_glock_func, sdp); + destroy_workqueue(sdp->sd_glock_wq); ++ sdp->sd_glock_wq = NULL; + } + + static const char *state2str(unsigned state) +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1307,7 +1307,8 @@ fail_debug: + fail_delete_wq: + destroy_workqueue(sdp->sd_delete_wq); + fail_glock_wq: +- destroy_workqueue(sdp->sd_glock_wq); ++ if (sdp->sd_glock_wq) ++ destroy_workqueue(sdp->sd_glock_wq); + fail_free: + free_sbd(sdp); + sb->s_fs_info = NULL; diff --git a/queue-6.11/gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch b/queue-6.11/gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch new file mode 100644 index 00000000000..41190cc6a5a --- /dev/null +++ b/queue-6.11/gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch @@ -0,0 +1,72 @@ +From a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 1 Oct 2024 13:17:46 -0400 +Subject: gso: fix udp gso fraglist segmentation after pull from frag_list + +From: Willem de Bruijn + +commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab upstream. + +Detect gso fraglist skbs with corrupted geometry (see below) and +pass these to skb_segment instead of skb_segment_list, as the first +can segment them correctly. + +Valid SKB_GSO_FRAGLIST skbs +- consist of two or more segments +- the head_skb holds the protocol headers plus first gso_size +- one or more frag_list skbs hold exactly one segment +- all but the last must be gso_size + +Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can +modify these skbs, breaking these invariants. + +In extreme cases they pull all data into skb linear. For UDP, this +causes a NULL ptr deref in __udpv4_gso_segment_list_csum at +udp_hdr(seg->next)->dest. + +Detect invalid geometry due to pull, by checking head_skb size. +Don't just drop, as this may blackhole a destination. Convert to be +able to pass to regular skb_segment. + +Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/ +Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.") +Signed-off-by: Willem de Bruijn +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp_offload.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -296,8 +296,26 @@ struct sk_buff *__udp_gso_segment(struct + return NULL; + } + +- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) +- return __udp_gso_segment_list(gso_skb, features, is_ipv6); ++ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) { ++ /* Detect modified geometry and pass those to skb_segment. */ ++ if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) ++ return __udp_gso_segment_list(gso_skb, features, is_ipv6); ++ ++ /* Setup csum, as fraglist skips this in udp4_gro_receive. */ ++ gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head; ++ gso_skb->csum_offset = offsetof(struct udphdr, check); ++ gso_skb->ip_summed = CHECKSUM_PARTIAL; ++ ++ uh = udp_hdr(gso_skb); ++ if (is_ipv6) ++ uh->check = ~udp_v6_check(gso_skb->len, ++ &ipv6_hdr(gso_skb)->saddr, ++ &ipv6_hdr(gso_skb)->daddr, 0); ++ else ++ uh->check = ~udp_v4_check(gso_skb->len, ++ ip_hdr(gso_skb)->saddr, ++ ip_hdr(gso_skb)->daddr, 0); ++ } + + skb_pull(gso_skb, sizeof(*uh)); + diff --git a/queue-6.11/hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch b/queue-6.11/hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch new file mode 100644 index 00000000000..b23d8fb570c --- /dev/null +++ b/queue-6.11/hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch @@ -0,0 +1,60 @@ +From acd5f76fd5292c91628e04da83e8b78c986cfa2b Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Fri, 27 Sep 2024 16:17:41 +0200 +Subject: HID: bpf: fix cfi stubs for hid_bpf_ops + +From: Benjamin Tissoires + +commit acd5f76fd5292c91628e04da83e8b78c986cfa2b upstream. + +With the introduction of commit e42ac1418055 ("bpf: Check unsupported ops +from the bpf_struct_ops's cfi_stubs"), a HID-BPF struct_ops containing +a .hid_hw_request() or a .hid_hw_output_report() was failing to load +as the cfi stubs were not defined. + +Fix that by defining those simple static functions and restore HID-BPF +functionality. + +This was detected with the HID selftests suddenly failing on Linus' tree. + +Cc: stable@vger.kernel.org # v6.11+ +Fixes: 9286675a2aed ("HID: bpf: add HID-BPF hooks for hid_hw_output_report") +Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests") +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_struct_ops.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/hid/bpf/hid_bpf_struct_ops.c b/drivers/hid/bpf/hid_bpf_struct_ops.c +index cd696c59ba0f..702c22fae136 100644 +--- a/drivers/hid/bpf/hid_bpf_struct_ops.c ++++ b/drivers/hid/bpf/hid_bpf_struct_ops.c +@@ -276,9 +276,23 @@ static int __hid_bpf_rdesc_fixup(struct hid_bpf_ctx *ctx) + return 0; + } + ++static int __hid_bpf_hw_request(struct hid_bpf_ctx *ctx, unsigned char reportnum, ++ enum hid_report_type rtype, enum hid_class_request reqtype, ++ u64 source) ++{ ++ return 0; ++} ++ ++static int __hid_bpf_hw_output_report(struct hid_bpf_ctx *ctx, u64 source) ++{ ++ return 0; ++} ++ + static struct hid_bpf_ops __bpf_hid_bpf_ops = { + .hid_device_event = __hid_bpf_device_event, + .hid_rdesc_fixup = __hid_bpf_rdesc_fixup, ++ .hid_hw_request = __hid_bpf_hw_request, ++ .hid_hw_output_report = __hid_bpf_hw_output_report, + }; + + static struct bpf_struct_ops bpf_hid_bpf_ops = { +-- +2.46.2 + diff --git a/queue-6.11/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch b/queue-6.11/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch new file mode 100644 index 00000000000..313b099cde4 --- /dev/null +++ b/queue-6.11/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch @@ -0,0 +1,78 @@ +From 129464e86c7445a858b790ac2d28d35f58256bbe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Barnab=C3=A1s=20Cz=C3=A9m=C3=A1n?= + +Date: Mon, 19 Aug 2024 00:29:40 +0200 +Subject: iio: magnetometer: ak8975: Fix reading for ak099xx sensors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +commit 129464e86c7445a858b790ac2d28d35f58256bbe upstream. + +Move ST2 reading with overflow handling after measurement data +reading. +ST2 register read have to be read after read measurment data, +because it means end of the reading and realease the lock on the data. +Remove ST2 read skip on interrupt based waiting because ST2 required to +be read out at and of the axis read. + +Fixes: 57e73a423b1e ("iio: ak8975: add ak09911 and ak09912 support") +Signed-off-by: Barnabás Czémán +Link: https://patch.msgid.link/20240819-ak09918-v4-2-f0734d14cfb9@mainlining.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/ak8975.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -692,22 +692,8 @@ static int ak8975_start_read_axis(struct + if (ret < 0) + return ret; + +- /* This will be executed only for non-interrupt based waiting case */ +- if (ret & data->def->ctrl_masks[ST1_DRDY]) { +- ret = i2c_smbus_read_byte_data(client, +- data->def->ctrl_regs[ST2]); +- if (ret < 0) { +- dev_err(&client->dev, "Error in reading ST2\n"); +- return ret; +- } +- if (ret & (data->def->ctrl_masks[ST2_DERR] | +- data->def->ctrl_masks[ST2_HOFL])) { +- dev_err(&client->dev, "ST2 status error 0x%x\n", ret); +- return -EINVAL; +- } +- } +- +- return 0; ++ /* Return with zero if the data is ready. */ ++ return !data->def->ctrl_regs[ST1_DRDY]; + } + + /* Retrieve raw flux value for one of the x, y, or z axis. */ +@@ -734,6 +720,20 @@ static int ak8975_read_axis(struct iio_d + if (ret < 0) + goto exit; + ++ /* Read out ST2 for release lock on measurment data. */ ++ ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]); ++ if (ret < 0) { ++ dev_err(&client->dev, "Error in reading ST2\n"); ++ goto exit; ++ } ++ ++ if (ret & (data->def->ctrl_masks[ST2_DERR] | ++ data->def->ctrl_masks[ST2_HOFL])) { ++ dev_err(&client->dev, "ST2 status error 0x%x\n", ret); ++ ret = -EINVAL; ++ goto exit; ++ } ++ + mutex_unlock(&data->lock); + + pm_runtime_mark_last_busy(&data->client->dev); diff --git a/queue-6.11/iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch b/queue-6.11/iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch new file mode 100644 index 00000000000..ce8be2c5e24 --- /dev/null +++ b/queue-6.11/iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch @@ -0,0 +1,130 @@ +From b9065b0250e1705935445ede0a18c1850afe7b75 Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 11 Jul 2024 23:15:49 +0200 +Subject: iio: pressure: bmp280: Fix regmap for BMP280 device + +From: Vasileios Amoiridis + +commit b9065b0250e1705935445ede0a18c1850afe7b75 upstream. + +Up to now, the BMP280 device is using the regmap of the BME280 which +has registers that exist only in the BME280 device. + +Fixes: 14e8015f8569 ("iio: pressure: bmp280: split driver in logical parts") +Signed-off-by: Vasileios Amoiridis +Link: https://patch.msgid.link/20240711211558.106327-2-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/bmp280-core.c | 2 - + drivers/iio/pressure/bmp280-regmap.c | 45 ++++++++++++++++++++++++++++++++--- + drivers/iio/pressure/bmp280.h | 1 + 3 files changed, 44 insertions(+), 4 deletions(-) + +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -882,7 +882,7 @@ const struct bmp280_chip_info bme280_chi + .id_reg = BMP280_REG_ID, + .chip_id = bme280_chip_ids, + .num_chip_id = ARRAY_SIZE(bme280_chip_ids), +- .regmap_config = &bmp280_regmap_config, ++ .regmap_config = &bme280_regmap_config, + .start_up_time = 2000, + .channels = bmp280_channels, + .num_channels = 3, +--- a/drivers/iio/pressure/bmp280-regmap.c ++++ b/drivers/iio/pressure/bmp280-regmap.c +@@ -41,7 +41,7 @@ const struct regmap_config bmp180_regmap + }; + EXPORT_SYMBOL_NS(bmp180_regmap_config, IIO_BMP280); + +-static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg) ++static bool bme280_is_writeable_reg(struct device *dev, unsigned int reg) + { + switch (reg) { + case BMP280_REG_CONFIG: +@@ -54,9 +54,37 @@ static bool bmp280_is_writeable_reg(stru + } + } + ++static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg) ++{ ++ switch (reg) { ++ case BMP280_REG_CONFIG: ++ case BMP280_REG_CTRL_MEAS: ++ case BMP280_REG_RESET: ++ return true; ++ default: ++ return false; ++ } ++} ++ + static bool bmp280_is_volatile_reg(struct device *dev, unsigned int reg) + { + switch (reg) { ++ case BMP280_REG_TEMP_XLSB: ++ case BMP280_REG_TEMP_LSB: ++ case BMP280_REG_TEMP_MSB: ++ case BMP280_REG_PRESS_XLSB: ++ case BMP280_REG_PRESS_LSB: ++ case BMP280_REG_PRESS_MSB: ++ case BMP280_REG_STATUS: ++ return true; ++ default: ++ return false; ++ } ++} ++ ++static bool bme280_is_volatile_reg(struct device *dev, unsigned int reg) ++{ ++ switch (reg) { + case BME280_REG_HUMIDITY_LSB: + case BME280_REG_HUMIDITY_MSB: + case BMP280_REG_TEMP_XLSB: +@@ -71,7 +99,6 @@ static bool bmp280_is_volatile_reg(struc + return false; + } + } +- + static bool bmp380_is_writeable_reg(struct device *dev, unsigned int reg) + { + switch (reg) { +@@ -167,7 +194,7 @@ const struct regmap_config bmp280_regmap + .reg_bits = 8, + .val_bits = 8, + +- .max_register = BME280_REG_HUMIDITY_LSB, ++ .max_register = BMP280_REG_TEMP_XLSB, + .cache_type = REGCACHE_RBTREE, + + .writeable_reg = bmp280_is_writeable_reg, +@@ -175,6 +202,18 @@ const struct regmap_config bmp280_regmap + }; + EXPORT_SYMBOL_NS(bmp280_regmap_config, IIO_BMP280); + ++const struct regmap_config bme280_regmap_config = { ++ .reg_bits = 8, ++ .val_bits = 8, ++ ++ .max_register = BME280_REG_HUMIDITY_LSB, ++ .cache_type = REGCACHE_RBTREE, ++ ++ .writeable_reg = bme280_is_writeable_reg, ++ .volatile_reg = bme280_is_volatile_reg, ++}; ++EXPORT_SYMBOL_NS(bme280_regmap_config, IIO_BMP280); ++ + const struct regmap_config bmp380_regmap_config = { + .reg_bits = 8, + .val_bits = 8, +--- a/drivers/iio/pressure/bmp280.h ++++ b/drivers/iio/pressure/bmp280.h +@@ -464,6 +464,7 @@ extern const struct bmp280_chip_info bmp + /* Regmap configurations */ + extern const struct regmap_config bmp180_regmap_config; + extern const struct regmap_config bmp280_regmap_config; ++extern const struct regmap_config bme280_regmap_config; + extern const struct regmap_config bmp380_regmap_config; + extern const struct regmap_config bmp580_regmap_config; + diff --git a/queue-6.11/iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch b/queue-6.11/iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch new file mode 100644 index 00000000000..9cceed9eb30 --- /dev/null +++ b/queue-6.11/iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch @@ -0,0 +1,42 @@ +From 262a6634bcc4f0c1c53d13aa89882909f281a6aa Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 11 Jul 2024 23:15:50 +0200 +Subject: iio: pressure: bmp280: Fix waiting time for BMP3xx configuration + +From: Vasileios Amoiridis + +commit 262a6634bcc4f0c1c53d13aa89882909f281a6aa upstream. + +According to the datasheet, both pressure and temperature can go up to +oversampling x32. With this option, the maximum measurement time is not +80ms (this is for press x32 and temp x2), but it is 130ms nominal +(calculated from table 3.9.2) and since most of the maximum values +are around +15%, it is configured to 150ms. + +Fixes: 8d329309184d ("iio: pressure: bmp280: Add support for BMP380 sensor family") +Signed-off-by: Vasileios Amoiridis +Link: https://patch.msgid.link/20240711211558.106327-3-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/bmp280-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -1272,10 +1272,11 @@ static int bmp380_chip_config(struct bmp + } + /* + * Waits for measurement before checking configuration error +- * flag. Selected longest measure time indicated in +- * section 3.9.1 in the datasheet. ++ * flag. Selected longest measurement time, calculated from ++ * formula in datasheet section 3.9.2 with an offset of ~+15% ++ * as it seen as well in table 3.9.1. + */ +- msleep(80); ++ msleep(150); + + /* Check config error flag */ + ret = regmap_read(data->regmap, BMP380_REG_ERROR, &tmp); diff --git a/queue-6.11/input-adp5589-keys-fix-adp5589_gpio_get_value.patch b/queue-6.11/input-adp5589-keys-fix-adp5589_gpio_get_value.patch new file mode 100644 index 00000000000..c5a60760719 --- /dev/null +++ b/queue-6.11/input-adp5589-keys-fix-adp5589_gpio_get_value.patch @@ -0,0 +1,49 @@ +From c684771630e64bc39bddffeb65dd8a6612a6b249 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Tue, 1 Oct 2024 07:47:23 -0700 +Subject: Input: adp5589-keys - fix adp5589_gpio_get_value() + +From: Nuno Sa + +commit c684771630e64bc39bddffeb65dd8a6612a6b249 upstream. + +The adp5589 seems to have the same behavior as similar devices as +explained in commit 910a9f5636f5 ("Input: adp5588-keys - get value from +data out when dir is out"). + +Basically, when the gpio is set as output we need to get the value from +ADP5589_GPO_DATA_OUT_A register instead of ADP5589_GPI_STATUS_A. + +Fixes: 9d2e173644bb ("Input: ADP5589 - new driver for I2C Keypad Decoder and I/O Expander") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-2-fca0149dfc47@analog.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/adp5589-keys.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/input/keyboard/adp5589-keys.c ++++ b/drivers/input/keyboard/adp5589-keys.c +@@ -391,10 +391,17 @@ static int adp5589_gpio_get_value(struct + struct adp5589_kpad *kpad = gpiochip_get_data(chip); + unsigned int bank = kpad->var->bank(kpad->gpiomap[off]); + unsigned int bit = kpad->var->bit(kpad->gpiomap[off]); ++ int val; + +- return !!(adp5589_read(kpad->client, +- kpad->var->reg(ADP5589_GPI_STATUS_A) + bank) & +- bit); ++ mutex_lock(&kpad->gpio_lock); ++ if (kpad->dir[bank] & bit) ++ val = kpad->dat_out[bank]; ++ else ++ val = adp5589_read(kpad->client, ++ kpad->var->reg(ADP5589_GPI_STATUS_A) + bank); ++ mutex_unlock(&kpad->gpio_lock); ++ ++ return !!(val & bit); + } + + static void adp5589_gpio_set_value(struct gpio_chip *chip, diff --git a/queue-6.11/input-adp5589-keys-fix-null-pointer-dereference.patch b/queue-6.11/input-adp5589-keys-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..08ea0aa747f --- /dev/null +++ b/queue-6.11/input-adp5589-keys-fix-null-pointer-dereference.patch @@ -0,0 +1,58 @@ +From fb5cc65f973661241e4a2b7390b429aa7b330c69 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Tue, 1 Oct 2024 07:46:44 -0700 +Subject: Input: adp5589-keys - fix NULL pointer dereference + +From: Nuno Sa + +commit fb5cc65f973661241e4a2b7390b429aa7b330c69 upstream. + +We register a devm action to call adp5589_clear_config() and then pass +the i2c client as argument so that we can call i2c_get_clientdata() in +order to get our device object. However, i2c_set_clientdata() is only +being set at the end of the probe function which means that we'll get a +NULL pointer dereference in case the probe function fails early. + +Fixes: 30df385e35a4 ("Input: adp5589-keys - use devm_add_action_or_reset() for register clear") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-1-fca0149dfc47@analog.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/adp5589-keys.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/input/keyboard/adp5589-keys.c ++++ b/drivers/input/keyboard/adp5589-keys.c +@@ -936,10 +936,9 @@ static int adp5589_keypad_add(struct adp + + static void adp5589_clear_config(void *data) + { +- struct i2c_client *client = data; +- struct adp5589_kpad *kpad = i2c_get_clientdata(client); ++ struct adp5589_kpad *kpad = data; + +- adp5589_write(client, kpad->var->reg(ADP5589_GENERAL_CFG), 0); ++ adp5589_write(kpad->client, kpad->var->reg(ADP5589_GENERAL_CFG), 0); + } + + static int adp5589_probe(struct i2c_client *client) +@@ -983,7 +982,7 @@ static int adp5589_probe(struct i2c_clie + } + + error = devm_add_action_or_reset(&client->dev, adp5589_clear_config, +- client); ++ kpad); + if (error) + return error; + +@@ -1010,8 +1009,6 @@ static int adp5589_probe(struct i2c_clie + if (error) + return error; + +- i2c_set_clientdata(client, kpad); +- + dev_info(&client->dev, "Rev.%d keypad, irq %d\n", revid, client->irq); + return 0; + } diff --git a/queue-6.11/kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch b/queue-6.11/kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch new file mode 100644 index 00000000000..d65c6693301 --- /dev/null +++ b/queue-6.11/kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch @@ -0,0 +1,60 @@ +From f30beffd977e98c33550bbeb6f278d157ff54844 Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Mon, 23 Sep 2024 10:38:36 +0500 +Subject: kselftests: mm: fix wrong __NR_userfaultfd value + +From: Muhammad Usama Anjum + +commit f30beffd977e98c33550bbeb6f278d157ff54844 upstream. + +grep -rnIF "#define __NR_userfaultfd" +tools/include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 +arch/x86/include/generated/uapi/asm/unistd_32.h:374:#define +__NR_userfaultfd 374 +arch/x86/include/generated/uapi/asm/unistd_64.h:327:#define +__NR_userfaultfd 323 +arch/x86/include/generated/uapi/asm/unistd_x32.h:282:#define +__NR_userfaultfd (__X32_SYSCALL_BIT + 323) +arch/arm/include/generated/uapi/asm/unistd-eabi.h:347:#define +__NR_userfaultfd (__NR_SYSCALL_BASE + 388) +arch/arm/include/generated/uapi/asm/unistd-oabi.h:359:#define +__NR_userfaultfd (__NR_SYSCALL_BASE + 388) +include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 + +The number is dependent on the architecture. The above data shows that: +x86 374 +x86_64 323 + +The value of __NR_userfaultfd was changed to 282 when asm-generic/unistd.h +was included. It makes the test to fail every time as the correct number +of this syscall on x86_64 is 323. Fix the header to asm/unistd.h. + +Link: https://lkml.kernel.org/r/20240923053836.3270393-1-usama.anjum@collabora.com +Fixes: a5c6bc590094 ("selftests/mm: remove local __NR_* definitions") +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Shuah Khan +Reviewed-by: David Hildenbrand +Cc: John Hubbard +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/pagemap_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/mm/pagemap_ioctl.c b/tools/testing/selftests/mm/pagemap_ioctl.c +index fc90af2a97b8..bcc73b4e805c 100644 +--- a/tools/testing/selftests/mm/pagemap_ioctl.c ++++ b/tools/testing/selftests/mm/pagemap_ioctl.c +@@ -15,7 +15,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +-- +2.46.2 + diff --git a/queue-6.11/leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch b/queue-6.11/leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch new file mode 100644 index 00000000000..0baec16a5ad --- /dev/null +++ b/queue-6.11/leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch @@ -0,0 +1,52 @@ +From 2aad93b6de0d874038d3d7958be05011284cd6b9 Mon Sep 17 00:00:00 2001 +From: Bastien Curutchet +Date: Mon, 26 Aug 2024 15:32:37 +0200 +Subject: leds: pca9532: Remove irrelevant blink configuration error message + +From: Bastien Curutchet + +commit 2aad93b6de0d874038d3d7958be05011284cd6b9 upstream. + +The update_hw_blink() function prints an error message when hardware is +not able to handle a blink configuration on its own. IMHO, this isn't a +'real' error since the software fallback is used afterwards. + +Remove the error messages to avoid flooding the logs with unnecessary +messages. + +Cc: stable@vger.kernel.org +Fixes: 48ca7f302cfc ("leds: pca9532: Use PWM1 for hardware blinking") +Signed-off-by: Bastien Curutchet +Link: https://lore.kernel.org/r/20240826133237.134604-1-bastien.curutchet@bootlin.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-pca9532.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c +index 338ddada3de9..1b47acf54720 100644 +--- a/drivers/leds/leds-pca9532.c ++++ b/drivers/leds/leds-pca9532.c +@@ -215,8 +215,7 @@ static int pca9532_update_hw_blink(struct pca9532_led *led, + if (other->state == PCA9532_PWM1) { + if (other->ldev.blink_delay_on != delay_on || + other->ldev.blink_delay_off != delay_off) { +- dev_err(&led->client->dev, +- "HW can handle only one blink configuration at a time\n"); ++ /* HW can handle only one blink configuration at a time */ + return -EINVAL; + } + } +@@ -224,7 +223,7 @@ static int pca9532_update_hw_blink(struct pca9532_led *led, + + psc = ((delay_on + delay_off) * PCA9532_PWM_PERIOD_DIV - 1) / 1000; + if (psc > U8_MAX) { +- dev_err(&led->client->dev, "Blink period too long to be handled by hardware\n"); ++ /* Blink period too long to be handled by hardware */ + return -EINVAL; + } + +-- +2.46.2 + diff --git a/queue-6.11/media-imx335-fix-reset-gpio-handling.patch b/queue-6.11/media-imx335-fix-reset-gpio-handling.patch new file mode 100644 index 00000000000..15fdee051a2 --- /dev/null +++ b/queue-6.11/media-imx335-fix-reset-gpio-handling.patch @@ -0,0 +1,74 @@ +From 99d30e2fdea4086be4e66e2deb10de854b547ab8 Mon Sep 17 00:00:00 2001 +From: Umang Jain +Date: Fri, 30 Aug 2024 11:41:52 +0530 +Subject: media: imx335: Fix reset-gpio handling + +From: Umang Jain + +commit 99d30e2fdea4086be4e66e2deb10de854b547ab8 upstream. + +Rectify the logical value of reset-gpio so that it is set to +0 (disabled) during power-on and to 1 (enabled) during power-off. + +Set the reset-gpio to GPIO_OUT_HIGH at initialization time to make +sure it starts off in reset. Also drop the "Set XCLR" comment which +is not-so-informative. + +The existing usage of imx335 had reset-gpios polarity inverted +(GPIO_ACTIVE_HIGH) in their device-tree sources. With this patch +included, those DTS will not be able to stream imx335 anymore. The +reset-gpio polarity will need to be rectified in the device-tree +sources as shown in [1] example, in order to get imx335 functional +again (as it remains in reset prior to this fix). + +Cc: stable@vger.kernel.org +Fixes: 45d19b5fb9ae ("media: i2c: Add imx335 camera sensor driver") +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/linux-media/20240729110437.199428-1-umang.jain@ideasonboard.com/ +Signed-off-by: Umang Jain +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx335.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/media/i2c/imx335.c ++++ b/drivers/media/i2c/imx335.c +@@ -997,7 +997,7 @@ static int imx335_parse_hw_config(struct + + /* Request optional reset pin */ + imx335->reset_gpio = devm_gpiod_get_optional(imx335->dev, "reset", +- GPIOD_OUT_LOW); ++ GPIOD_OUT_HIGH); + if (IS_ERR(imx335->reset_gpio)) { + dev_err(imx335->dev, "failed to get reset gpio %ld\n", + PTR_ERR(imx335->reset_gpio)); +@@ -1110,8 +1110,7 @@ static int imx335_power_on(struct device + + usleep_range(500, 550); /* Tlow */ + +- /* Set XCLR */ +- gpiod_set_value_cansleep(imx335->reset_gpio, 1); ++ gpiod_set_value_cansleep(imx335->reset_gpio, 0); + + ret = clk_prepare_enable(imx335->inclk); + if (ret) { +@@ -1124,7 +1123,7 @@ static int imx335_power_on(struct device + return 0; + + error_reset: +- gpiod_set_value_cansleep(imx335->reset_gpio, 0); ++ gpiod_set_value_cansleep(imx335->reset_gpio, 1); + regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies); + + return ret; +@@ -1141,7 +1140,7 @@ static int imx335_power_off(struct devic + struct v4l2_subdev *sd = dev_get_drvdata(dev); + struct imx335 *imx335 = to_imx335(sd); + +- gpiod_set_value_cansleep(imx335->reset_gpio, 0); ++ gpiod_set_value_cansleep(imx335->reset_gpio, 1); + clk_disable_unprepare(imx335->inclk); + regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies); + diff --git a/queue-6.11/media-ov5675-fix-power-on-off-delay-timings.patch b/queue-6.11/media-ov5675-fix-power-on-off-delay-timings.patch new file mode 100644 index 00000000000..fd290c5c32a --- /dev/null +++ b/queue-6.11/media-ov5675-fix-power-on-off-delay-timings.patch @@ -0,0 +1,84 @@ +From 719ec29fceda2f19c833d2784b1574638320400f Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Sat, 13 Jul 2024 23:33:29 +0100 +Subject: media: ov5675: Fix power on/off delay timings + +From: Bryan O'Donoghue + +commit 719ec29fceda2f19c833d2784b1574638320400f upstream. + +The ov5675 specification says that the gap between XSHUTDN deassert and the +first I2C transaction should be a minimum of 8192 XVCLK cycles. + +Right now we use a usleep_rage() that gives a sleep time of between about +430 and 860 microseconds. + +On the Lenovo X13s we have observed that in about 1/20 cases the current +timing is too tight and we start transacting before the ov5675's reset +cycle completes, leading to I2C bus transaction failures. + +The reset racing is sometimes triggered at initial chip probe but, more +usually on a subsequent power-off/power-on cycle e.g. + +[ 71.451662] ov5675 24-0010: failed to write reg 0x0103. error = -5 +[ 71.451686] ov5675 24-0010: failed to set plls + +The current quiescence period we have is too tight. Instead of expressing +the post reset delay in terms of the current XVCLK this patch converts the +power-on and power-off delays to the maximum theoretical delay @ 6 MHz with +an additional buffer. + +1.365 milliseconds on the power-on path is 1.5 milliseconds with grace. +85.3 microseconds on the power-off path is 90 microseconds with grace. + +Fixes: 49d9ad719e89 ("media: ov5675: add device-tree support and support runtime PM") +Cc: stable@vger.kernel.org +Signed-off-by: Bryan O'Donoghue +Tested-by: Johan Hovold +Reviewed-by: Quentin Schulz +Tested-by: Quentin Schulz # RK3399 Puma with +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5675.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/ov5675.c ++++ b/drivers/media/i2c/ov5675.c +@@ -972,12 +972,10 @@ static int ov5675_set_stream(struct v4l2 + + static int ov5675_power_off(struct device *dev) + { +- /* 512 xvclk cycles after the last SCCB transation or MIPI frame end */ +- u32 delay_us = DIV_ROUND_UP(512, OV5675_XVCLK_19_2 / 1000 / 1000); + struct v4l2_subdev *sd = dev_get_drvdata(dev); + struct ov5675 *ov5675 = to_ov5675(sd); + +- usleep_range(delay_us, delay_us * 2); ++ usleep_range(90, 100); + + clk_disable_unprepare(ov5675->xvclk); + gpiod_set_value_cansleep(ov5675->reset_gpio, 1); +@@ -988,7 +986,6 @@ static int ov5675_power_off(struct devic + + static int ov5675_power_on(struct device *dev) + { +- u32 delay_us = DIV_ROUND_UP(8192, OV5675_XVCLK_19_2 / 1000 / 1000); + struct v4l2_subdev *sd = dev_get_drvdata(dev); + struct ov5675 *ov5675 = to_ov5675(sd); + int ret; +@@ -1014,8 +1011,11 @@ static int ov5675_power_on(struct device + + gpiod_set_value_cansleep(ov5675->reset_gpio, 0); + +- /* 8192 xvclk cycles prior to the first SCCB transation */ +- usleep_range(delay_us, delay_us * 2); ++ /* Worst case quiesence gap is 1.365 milliseconds @ 6MHz XVCLK ++ * Add an additional threshold grace period to ensure reset ++ * completion before initiating our first I2C transaction. ++ */ ++ usleep_range(1500, 1600); + + return 0; + } diff --git a/queue-6.11/media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch b/queue-6.11/media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch new file mode 100644 index 00000000000..c0d11434377 --- /dev/null +++ b/queue-6.11/media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch @@ -0,0 +1,62 @@ +From a151766bd3688f6803e706c6433a7c8d3c6a6a94 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Mon, 29 Jul 2024 13:42:03 +0100 +Subject: media: qcom: camss: Fix ordering of pm_runtime_enable + +From: Bryan O'Donoghue + +commit a151766bd3688f6803e706c6433a7c8d3c6a6a94 upstream. + +pm_runtime_enable() should happen prior to vfe_get() since vfe_get() calls +pm_runtime_resume_and_get(). + +This is a basic race condition that doesn't show up for most users so is +not widely reported. If you blacklist qcom-camss in modules.d and then +subsequently modprobe the module post-boot it is possible to reliably show +this error up. + +The kernel log for this error looks like this: + +qcom-camss ac5a000.camss: Failed to power up pipeline: -13 + +Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support") +Reported-by: Johan Hovold +Closes: https://lore.kernel.org/lkml/ZoVNHOTI0PKMNt4_@hovoldconsulting.com/ +Tested-by: Johan Hovold +Cc: +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Konrad Dybcio +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -2283,6 +2283,8 @@ static int camss_probe(struct platform_d + + v4l2_async_nf_init(&camss->notifier, &camss->v4l2_dev); + ++ pm_runtime_enable(dev); ++ + num_subdevs = camss_of_parse_ports(camss); + if (num_subdevs < 0) { + ret = num_subdevs; +@@ -2323,8 +2325,6 @@ static int camss_probe(struct platform_d + } + } + +- pm_runtime_enable(dev); +- + return 0; + + err_register_subdevs: +@@ -2332,6 +2332,7 @@ err_register_subdevs: + err_v4l2_device_unregister: + v4l2_device_unregister(&camss->v4l2_dev); + v4l2_async_nf_cleanup(&camss->notifier); ++ pm_runtime_disable(dev); + err_genpd_cleanup: + camss_genpd_cleanup(camss); + diff --git a/queue-6.11/media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch b/queue-6.11/media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch new file mode 100644 index 00000000000..64a46c8929e --- /dev/null +++ b/queue-6.11/media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch @@ -0,0 +1,89 @@ +From 25f18cb1b673220b76a86ebef8e7fb79bd303b27 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Mon, 29 Jul 2024 13:42:02 +0100 +Subject: media: qcom: camss: Remove use_count guard in stop_streaming + +From: Bryan O'Donoghue + +commit 25f18cb1b673220b76a86ebef8e7fb79bd303b27 upstream. + +The use_count check was introduced so that multiple concurrent Raw Data +Interfaces RDIs could be driven by different virtual channels VCs on the +CSIPHY input driving the video pipeline. + +This is an invalid use of use_count though as use_count pertains to the +number of times a video entity has been opened by user-space not the number +of active streams. + +If use_count and stream-on count don't agree then stop_streaming() will +break as is currently the case and has become apparent when using CAMSS +with libcamera's released softisp 0.3. + +The use of use_count like this is a bit hacky and right now breaks regular +usage of CAMSS for a single stream case. Stopping qcam results in the splat +below, and then it cannot be started again and any attempts to do so fails +with -EBUSY. + +[ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] +... +[ 1265.510630] Call trace: +[ 1265.510636] __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] +[ 1265.510648] vb2_core_streamoff+0x24/0xcc [videobuf2_common] +[ 1265.510660] vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2] +[ 1265.510673] v4l_streamoff+0x24/0x30 [videodev] +[ 1265.510707] __video_do_ioctl+0x190/0x3f4 [videodev] +[ 1265.510732] video_usercopy+0x304/0x8c4 [videodev] +[ 1265.510757] video_ioctl2+0x18/0x34 [videodev] +[ 1265.510782] v4l2_ioctl+0x40/0x60 [videodev] +... +[ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state +[ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state +[ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st + +One CAMSS specific way to handle multiple VCs on the same RDI might be: + +- Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx. +- The video buffers are already associated with msm_vfeN_rdiX so + release video buffers when told to do so by stop_streaming. +- Only release the power-domains for the CSIPHY, CSID and VFE when + their internal refcounts drop. + +Either way refusing to release video buffers based on use_count is +erroneous and should be reverted. The silicon enabling code for selecting +VCs is perfectly fine. Its a "known missing feature" that concurrent VCs +won't work with CAMSS right now. + +Initial testing with this code didn't show an error but, SoftISP and "real" +usage with Google Hangouts breaks the upstream code pretty quickly, we need +to do a partial revert and take another pass at VCs. + +This commit partially reverts commit 89013969e232 ("media: camss: sm8250: +Pipeline starting and stopping for multiple virtual channels") + +Fixes: 89013969e232 ("media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels") +Reported-by: Johan Hovold +Closes: https://lore.kernel.org/lkml/ZoVNHOTI0PKMNt4_@hovoldconsulting.com/ +Tested-by: Johan Hovold +Cc: +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss-video.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/media/platform/qcom/camss/camss-video.c ++++ b/drivers/media/platform/qcom/camss/camss-video.c +@@ -297,12 +297,6 @@ static void video_stop_streaming(struct + + ret = v4l2_subdev_call(subdev, video, s_stream, 0); + +- if (entity->use_count > 1) { +- /* Don't stop if other instances of the pipeline are still running */ +- dev_dbg(video->camss->dev, "Video pipeline still used, don't stop streaming.\n"); +- return; +- } +- + if (ret) { + dev_err(video->camss->dev, "Video pipeline stop failed: %d\n", ret); + return; diff --git a/queue-6.11/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch b/queue-6.11/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch new file mode 100644 index 00000000000..2b8391defbd --- /dev/null +++ b/queue-6.11/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch @@ -0,0 +1,45 @@ +From 2dc5d5d401f5c6cecd97800ffef82e8d17d228f0 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Wed, 19 Jun 2024 02:46:16 +0300 +Subject: media: sun4i_csi: Implement link validate for sun4i_csi subdev + +From: Laurent Pinchart + +commit 2dc5d5d401f5c6cecd97800ffef82e8d17d228f0 upstream. + +The sun4i_csi driver doesn't implement link validation for the subdev it +registers, leaving the link between the subdev and its source +unvalidated. Fix it, using the v4l2_subdev_link_validate() helper. + +Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Acked-by: Chen-Yu Tsai +Reviewed-by: Tomi Valkeinen +Acked-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c ++++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c +@@ -39,6 +39,10 @@ static const struct media_entity_operati + .link_validate = v4l2_subdev_link_validate, + }; + ++static const struct media_entity_operations sun4i_csi_subdev_entity_ops = { ++ .link_validate = v4l2_subdev_link_validate, ++}; ++ + static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier, + struct v4l2_subdev *subdev, + struct v4l2_async_connection *asd) +@@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platfo + subdev->internal_ops = &sun4i_csi_subdev_internal_ops; + subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; + subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE; ++ subdev->entity.ops = &sun4i_csi_subdev_entity_ops; + subdev->owner = THIS_MODULE; + snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0"); + v4l2_set_subdevdata(subdev, csi); diff --git a/queue-6.11/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch b/queue-6.11/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch new file mode 100644 index 00000000000..53e4d7548f9 --- /dev/null +++ b/queue-6.11/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch @@ -0,0 +1,44 @@ +From 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 7 Aug 2024 09:22:10 +0200 +Subject: media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags + +From: Hans Verkuil + +commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream. + +The cec_msg_set_reply_to() helper function never zeroed the +struct cec_msg flags field, this can cause unexpected behavior +if flags was uninitialized to begin with. + +Signed-off-by: Hans Verkuil +Fixes: 0dbacebede1e ("[media] cec: move the CEC framework out of staging and to media") +Cc: +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/cec.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/uapi/linux/cec.h ++++ b/include/uapi/linux/cec.h +@@ -132,6 +132,8 @@ static inline void cec_msg_init(struct c + * Set the msg destination to the orig initiator and the msg initiator to the + * orig destination. Note that msg and orig may be the same pointer, in which + * case the change is done in place. ++ * ++ * It also zeroes the reply, timeout and flags fields. + */ + static inline void cec_msg_set_reply_to(struct cec_msg *msg, + struct cec_msg *orig) +@@ -139,7 +141,9 @@ static inline void cec_msg_set_reply_to( + /* The destination becomes the initiator and vice versa */ + msg->msg[0] = (cec_msg_destination(orig) << 4) | + cec_msg_initiator(orig); +- msg->reply = msg->timeout = 0; ++ msg->reply = 0; ++ msg->timeout = 0; ++ msg->flags = 0; + } + + /** diff --git a/queue-6.11/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch b/queue-6.11/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch new file mode 100644 index 00000000000..98d3fd2f85f --- /dev/null +++ b/queue-6.11/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch @@ -0,0 +1,50 @@ +From c5a85ed88e043474161bbfe54002c89c1cb50ee2 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Tue, 18 Jun 2024 14:55:59 +0530 +Subject: media: venus: fix use after free bug in venus_remove due to race condition + +From: Zheng Wang + +commit c5a85ed88e043474161bbfe54002c89c1cb50ee2 upstream. + +in venus_probe, core->work is bound with venus_sys_error_handler, which is +used to handle error. The code use core->sys_err_done to make sync work. +The core->work is started in venus_event_notify. + +If we call venus_remove, there might be an unfished work. The possible +sequence is as follows: + +CPU0 CPU1 + + |venus_sys_error_handler +venus_remove | +hfi_destroy | +venus_hfi_destroy | +kfree(hdev); | + |hfi_reinit + |venus_hfi_queues_reinit + |//use hdev + +Fix it by canceling the work in venus_remove. + +Cc: stable@vger.kernel.org +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Signed-off-by: Zheng Wang +Signed-off-by: Dikshita Agarwal +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -430,6 +430,7 @@ static void venus_remove(struct platform + struct device *dev = core->dev; + int ret; + ++ cancel_delayed_work_sync(&core->work); + ret = pm_runtime_get_sync(dev); + WARN_ON(ret < 0); + diff --git a/queue-6.11/media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch b/queue-6.11/media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch new file mode 100644 index 00000000000..f3091de355a --- /dev/null +++ b/queue-6.11/media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch @@ -0,0 +1,55 @@ +From e5700c9037727d5a69a677d6dba25010b485d65b Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Mon, 26 Aug 2024 02:24:49 +0300 +Subject: media: videobuf2: Drop minimum allocation requirement of 2 buffers + +From: Laurent Pinchart + +commit e5700c9037727d5a69a677d6dba25010b485d65b upstream. + +When introducing the ability for drivers to indicate the minimum number +of buffers they require an application to allocate, commit 6662edcd32cc +("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue +structure") also introduced a global minimum of 2 buffers. It turns out +this breaks the Renesas R-Car VSP test suite, where a test that +allocates a single buffer fails when two buffers are used. + +One may consider debatable whether test suite failures without failures +in production use cases should be considered as a regression, but +operation with a single buffer is a valid use case. While full frame +rate can't be maintained, memory-to-memory devices can still be used +with a decent efficiency, and requiring applications to allocate +multiple buffers for single-shot use cases with capture devices would +just waste memory. + +For those reasons, fix the regression by dropping the global minimum of +buffers. Individual drivers can still set their own minimum. + +Fixes: 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure") +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Reviewed-by: Hans Verkuil +Acked-by: Tomasz Figa +Link: https://lore.kernel.org/r/20240825232449.25905-1-laurent.pinchart+renesas@ideasonboard.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-core.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/media/common/videobuf2/videobuf2-core.c ++++ b/drivers/media/common/videobuf2/videobuf2-core.c +@@ -2602,13 +2602,6 @@ int vb2_core_queue_init(struct vb2_queue + return -EINVAL; + + /* +- * The minimum requirement is 2: one buffer is used +- * by the hardware while the other is being processed by userspace. +- */ +- if (q->min_reqbufs_allocation < 2) +- q->min_reqbufs_allocation = 2; +- +- /* + * If the driver needs 'min_queued_buffers' in the queue before + * calling start_streaming() then the minimum requirement is + * 'min_queued_buffers + 1' to keep at least one buffer available diff --git a/queue-6.11/mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch b/queue-6.11/mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch new file mode 100644 index 00000000000..f01f2a42804 --- /dev/null +++ b/queue-6.11/mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch @@ -0,0 +1,74 @@ +From c225c4f6056b46a8a5bf2ed35abf17a2d6887691 Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 3 Sep 2024 07:25:17 -0700 +Subject: mm/filemap: fix filemap_get_folios_contig THP panic + +From: Steve Sistare + +commit c225c4f6056b46a8a5bf2ed35abf17a2d6887691 upstream. + +Patch series "memfd-pin huge page fixes". + +Fix multiple bugs that occur when using memfd_pin_folios with hugetlb +pages and THP. The hugetlb bugs only bite when the page is not yet +faulted in when memfd_pin_folios is called. The THP bug bites when the +starting offset passed to memfd_pin_folios is not huge page aligned. See +the commit messages for details. + + +This patch (of 5): + +memfd_pin_folios on memory backed by THP panics if the requested start +offset is not huge page aligned: + +BUG: kernel NULL pointer dereference, address: 0000000000000036 +RIP: 0010:filemap_get_folios_contig+0xdf/0x290 +RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202 +RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002 + +The fault occurs here, because xas_load returns a folio with value 2: + + filemap_get_folios_contig() + for (folio = xas_load(&xas); folio && xas.xa_index <= end; + folio = xas_next(&xas)) { + ... + if (!folio_try_get(folio)) <-- BOOM + +"2" is an xarray sibling entry. We get it because memfd_pin_folios does +not round the indices passed to filemap_get_folios_contig to huge page +boundaries for THP, so we load from the middle of a huge page range see a +sibling. (It does round for hugetlbfs, at the is_file_hugepages test). + +To fix, if the folio is a sibling, then return the next index as the +starting point for the next call to filemap_get_folios_contig. + +Link: https://lkml.kernel.org/r/1725373521-451395-1-git-send-email-steven.sistare@oracle.com +Link: https://lkml.kernel.org/r/1725373521-451395-2-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: Vivek Kasireddy +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2181,6 +2181,10 @@ unsigned filemap_get_folios_contig(struc + if (xa_is_value(folio)) + goto update_start; + ++ /* If we landed in the middle of a THP, continue at its end. */ ++ if (xa_is_sibling(folio)) ++ goto update_start; ++ + if (!folio_try_get(folio)) + goto retry; + diff --git a/queue-6.11/mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch b/queue-6.11/mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch new file mode 100644 index 00000000000..aa18e0f53f2 --- /dev/null +++ b/queue-6.11/mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch @@ -0,0 +1,51 @@ +From ce645b9fdc78ec5d28067286e92871ddae6817d5 Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 3 Sep 2024 07:25:21 -0700 +Subject: mm/gup: fix memfd_pin_folios alloc race panic + +From: Steve Sistare + +commit ce645b9fdc78ec5d28067286e92871ddae6817d5 upstream. + +If memfd_pin_folios tries to create a hugetlb page, but someone else +already did, then folio gets the value -EEXIST here: + + folio = memfd_alloc_folio(memfd, start_idx); + if (IS_ERR(folio)) { + ret = PTR_ERR(folio); + if (ret != -EEXIST) + goto err; + +then on the next trip through the "while start_idx" loop we panic here: + + if (folio) { + folio_put(folio); + +To fix, set the folio to NULL on error. + +Link: https://lkml.kernel.org/r/1725373521-451395-6-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Acked-by: Vivek Kasireddy +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -3705,6 +3705,7 @@ long memfd_pin_folios(struct file *memfd + ret = PTR_ERR(folio); + if (ret != -EEXIST) + goto err; ++ folio = NULL; + } + } + } diff --git a/queue-6.11/mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch b/queue-6.11/mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch new file mode 100644 index 00000000000..85ed2ebdd56 --- /dev/null +++ b/queue-6.11/mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch @@ -0,0 +1,66 @@ +From 9289f020da47ef04b28865589eeee3d56d4bafea Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 3 Sep 2024 07:25:20 -0700 +Subject: mm/gup: fix memfd_pin_folios hugetlb page allocation + +From: Steve Sistare + +commit 9289f020da47ef04b28865589eeee3d56d4bafea upstream. + +When memfd_pin_folios -> memfd_alloc_folio creates a hugetlb page, the +index is wrong. The subsequent call to filemap_get_folios_contig thus +cannot find it, and fails, and memfd_pin_folios loops forever. To fix, +adjust the index for the huge_page_order. + +memfd_alloc_folio also forgets to unlock the folio, so the next touch of +the page calls hugetlb_fault which blocks forever trying to take the lock. +Unlock it. + +Link: https://lkml.kernel.org/r/1725373521-451395-5-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Acked-by: Vivek Kasireddy +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memfd.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/mm/memfd.c b/mm/memfd.c +index bfe0e7189a37..bcb131db829d 100644 +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -79,10 +79,13 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) + * alloc from. Also, the folio will be pinned for an indefinite + * amount of time, so it is not expected to be migrated away. + */ +- gfp_mask = htlb_alloc_mask(hstate_file(memfd)); +- gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE); ++ struct hstate *h = hstate_file(memfd); + +- folio = alloc_hugetlb_folio_reserve(hstate_file(memfd), ++ gfp_mask = htlb_alloc_mask(h); ++ gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE); ++ idx >>= huge_page_order(h); ++ ++ folio = alloc_hugetlb_folio_reserve(h, + numa_node_id(), + NULL, + gfp_mask); +@@ -95,6 +98,7 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) + free_huge_folio(folio); + return ERR_PTR(err); + } ++ folio_unlock(folio); + return folio; + } + return ERR_PTR(-ENOMEM); +-- +2.46.2 + diff --git a/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch b/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch new file mode 100644 index 00000000000..0c0959afb0b --- /dev/null +++ b/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch @@ -0,0 +1,62 @@ +From c56b6f3d801d7ec8965993342bdd9e2972b6cb8e Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 3 Sep 2024 07:25:18 -0700 +Subject: mm/hugetlb: fix memfd_pin_folios free_huge_pages leak + +From: Steve Sistare + +commit c56b6f3d801d7ec8965993342bdd9e2972b6cb8e upstream. + +memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages +if the pages were not already faulted in, because the folio refcount for +pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios +needs another folio_put to undo the folio_try_get below: + +memfd_alloc_folio() + alloc_hugetlb_folio_nodemask() + dequeue_hugetlb_folio_nodemask() + dequeue_hugetlb_folio_node_exact() + folio_ref_unfreeze(folio, 1); ; adds 1 refcount + folio_try_get() ; adds 1 refcount + hugetlb_add_to_page_cache() ; adds 512 refcount (on x86) + +With the fix, after memfd_pin_folios + unpin_folios, the refcount for the +(unfaulted) page is 512, which is correct, as the refcount for a faulted +unpinned page is 513. + +Link: https://lkml.kernel.org/r/1725373521-451395-3-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Acked-by: Vivek Kasireddy +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -3618,7 +3618,7 @@ long memfd_pin_folios(struct file *memfd + pgoff_t start_idx, end_idx, next_idx; + struct folio *folio = NULL; + struct folio_batch fbatch; +- struct hstate *h; ++ struct hstate *h = NULL; + long ret = -EINVAL; + + if (start < 0 || start > end || !max_folios) +@@ -3662,6 +3662,8 @@ long memfd_pin_folios(struct file *memfd + &fbatch); + if (folio) { + folio_put(folio); ++ if (h) ++ folio_put(folio); + folio = NULL; + } + diff --git a/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch b/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch new file mode 100644 index 00000000000..fc7bc6490ec --- /dev/null +++ b/queue-6.11/mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch @@ -0,0 +1,124 @@ +From 26a8ea80929c518bdec5e53a5776f95919b7c88e Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 3 Sep 2024 07:25:19 -0700 +Subject: mm/hugetlb: fix memfd_pin_folios resv_huge_pages leak + +From: Steve Sistare + +commit 26a8ea80929c518bdec5e53a5776f95919b7c88e upstream. + +memfd_pin_folios followed by unpin_folios leaves resv_huge_pages elevated +if the pages were not already faulted in. During a normal page fault, +resv_huge_pages is consumed here: + +hugetlb_fault() + alloc_hugetlb_folio() + dequeue_hugetlb_folio_vma() + dequeue_hugetlb_folio_nodemask() + dequeue_hugetlb_folio_node_exact() + free_huge_pages-- + resv_huge_pages-- + +During memfd_pin_folios, the page is created by calling +alloc_hugetlb_folio_nodemask instead of alloc_hugetlb_folio, and +resv_huge_pages is not modified: + +memfd_alloc_folio() + alloc_hugetlb_folio_nodemask() + dequeue_hugetlb_folio_nodemask() + dequeue_hugetlb_folio_node_exact() + free_huge_pages-- + +alloc_hugetlb_folio_nodemask has other callers that must not modify +resv_huge_pages. Therefore, to fix, define an alternate version of +alloc_hugetlb_folio_nodemask for this call site that adjusts +resv_huge_pages. + +Link: https://lkml.kernel.org/r/1725373521-451395-4-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Acked-by: Vivek Kasireddy +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 10 ++++++++++ + mm/hugetlb.c | 17 +++++++++++++++++ + mm/memfd.c | 9 ++++----- + 3 files changed, 31 insertions(+), 5 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -695,6 +695,9 @@ struct folio *alloc_hugetlb_folio(struct + struct folio *alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, + nodemask_t *nmask, gfp_t gfp_mask, + bool allow_alloc_fallback); ++struct folio *alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, ++ nodemask_t *nmask, gfp_t gfp_mask); ++ + int hugetlb_add_to_page_cache(struct folio *folio, struct address_space *mapping, + pgoff_t idx); + void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, +@@ -1060,6 +1063,13 @@ static inline struct folio *alloc_hugetl + { + return NULL; + } ++ ++static inline struct folio * ++alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, ++ nodemask_t *nmask, gfp_t gfp_mask) ++{ ++ return NULL; ++} + + static inline struct folio * + alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2564,6 +2564,23 @@ struct folio *alloc_buddy_hugetlb_folio_ + return folio; + } + ++struct folio *alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, ++ nodemask_t *nmask, gfp_t gfp_mask) ++{ ++ struct folio *folio; ++ ++ spin_lock_irq(&hugetlb_lock); ++ folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask, preferred_nid, ++ nmask); ++ if (folio) { ++ VM_BUG_ON(!h->resv_huge_pages); ++ h->resv_huge_pages--; ++ } ++ ++ spin_unlock_irq(&hugetlb_lock); ++ return folio; ++} ++ + /* folio migration callback function */ + struct folio *alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, + nodemask_t *nmask, gfp_t gfp_mask, bool allow_alloc_fallback) +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -82,11 +82,10 @@ struct folio *memfd_alloc_folio(struct f + gfp_mask = htlb_alloc_mask(hstate_file(memfd)); + gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE); + +- folio = alloc_hugetlb_folio_nodemask(hstate_file(memfd), +- numa_node_id(), +- NULL, +- gfp_mask, +- false); ++ folio = alloc_hugetlb_folio_reserve(hstate_file(memfd), ++ numa_node_id(), ++ NULL, ++ gfp_mask); + if (folio && folio_try_get(folio)) { + err = hugetlb_add_to_page_cache(folio, + memfd->f_mapping, diff --git a/queue-6.11/mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch b/queue-6.11/mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch new file mode 100644 index 00000000000..a305b50ee93 --- /dev/null +++ b/queue-6.11/mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch @@ -0,0 +1,77 @@ +From dc677b5f3765cfd0944c8873d1ea57f1a3439676 Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Wed, 4 Sep 2024 12:41:08 -0700 +Subject: mm/hugetlb: simplify refs in memfd_alloc_folio + +From: Steve Sistare + +commit dc677b5f3765cfd0944c8873d1ea57f1a3439676 upstream. + +The folio_try_get in memfd_alloc_folio is not necessary. Delete it, and +delete the matching folio_put in memfd_pin_folios. This also avoids +leaking a ref if the memfd_alloc_folio call to hugetlb_add_to_page_cache +fails. That error path is also broken in a second way -- when its +folio_put causes the ref to become 0, it will implicitly call +free_huge_folio, but then the path *explicitly* calls free_huge_folio. +Delete the latter. + +This is a continuation of the fix + "mm/hugetlb: fix memfd_pin_folios free_huge_pages leak" + +[steven.sistare@oracle.com: remove explicit call to free_huge_folio(), per Matthew] + Link: https://lkml.kernel.org/r/Zti-7nPVMcGgpcbi@casper.infradead.org + Link: https://lkml.kernel.org/r/1725481920-82506-1-git-send-email-steven.sistare@oracle.com +Link: https://lkml.kernel.org/r/1725478868-61732-1-git-send-email-steven.sistare@oracle.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Steve Sistare +Suggested-by: Vivek Kasireddy +Cc: David Hildenbrand +Cc: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Muchun Song +Cc: Peter Xu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 4 +--- + mm/memfd.c | 3 +-- + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -3618,7 +3618,7 @@ long memfd_pin_folios(struct file *memfd + pgoff_t start_idx, end_idx, next_idx; + struct folio *folio = NULL; + struct folio_batch fbatch; +- struct hstate *h = NULL; ++ struct hstate *h; + long ret = -EINVAL; + + if (start < 0 || start > end || !max_folios) +@@ -3662,8 +3662,6 @@ long memfd_pin_folios(struct file *memfd + &fbatch); + if (folio) { + folio_put(folio); +- if (h) +- folio_put(folio); + folio = NULL; + } + +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -89,13 +89,12 @@ struct folio *memfd_alloc_folio(struct f + numa_node_id(), + NULL, + gfp_mask); +- if (folio && folio_try_get(folio)) { ++ if (folio) { + err = hugetlb_add_to_page_cache(folio, + memfd->f_mapping, + idx); + if (err) { + folio_put(folio); +- free_huge_folio(folio); + return ERR_PTR(err); + } + folio_unlock(folio); diff --git a/queue-6.11/net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch b/queue-6.11/net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch new file mode 100644 index 00000000000..e3fc5ecf1b1 --- /dev/null +++ b/queue-6.11/net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch @@ -0,0 +1,84 @@ +From 17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 26 Sep 2024 10:53:14 +0200 +Subject: net: gso: fix tcp fraglist segmentation after pull from frag_list + +From: Felix Fietkau + +commit 17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8 upstream. + +Detect tcp gso fraglist skbs with corrupted geometry (see below) and +pass these to skb_segment instead of skb_segment_list, as the first +can segment them correctly. + +Valid SKB_GSO_FRAGLIST skbs +- consist of two or more segments +- the head_skb holds the protocol headers plus first gso_size +- one or more frag_list skbs hold exactly one segment +- all but the last must be gso_size + +Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can +modify these skbs, breaking these invariants. + +In extreme cases they pull all data into skb linear. For TCP, this +causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at +tcp_hdr(seg->next). + +Detect invalid geometry due to pull, by checking head_skb size. +Don't just drop, as this may blackhole a destination. Convert to be +able to pass to regular skb_segment. + +Approach and description based on a patch by Willem de Bruijn. + +Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/ +Link: https://lore.kernel.org/netdev/20240922150450.3873767-1-willemdebruijn.kernel@gmail.com/ +Fixes: bee88cd5bd83 ("net: add support for segmenting TCP fraglist GSO packets") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240926085315.51524-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_offload.c | 10 ++++++++-- + net/ipv6/tcpv6_offload.c | 10 ++++++++-- + 2 files changed, 16 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_offload.c ++++ b/net/ipv4/tcp_offload.c +@@ -101,8 +101,14 @@ static struct sk_buff *tcp4_gso_segment( + if (!pskb_may_pull(skb, sizeof(struct tcphdr))) + return ERR_PTR(-EINVAL); + +- if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) +- return __tcp4_gso_segment_list(skb, features); ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { ++ struct tcphdr *th = tcp_hdr(skb); ++ ++ if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) ++ return __tcp4_gso_segment_list(skb, features); ++ ++ skb->ip_summed = CHECKSUM_NONE; ++ } + + if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) { + const struct iphdr *iph = ip_hdr(skb); +--- a/net/ipv6/tcpv6_offload.c ++++ b/net/ipv6/tcpv6_offload.c +@@ -159,8 +159,14 @@ static struct sk_buff *tcp6_gso_segment( + if (!pskb_may_pull(skb, sizeof(*th))) + return ERR_PTR(-EINVAL); + +- if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) +- return __tcp6_gso_segment_list(skb, features); ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { ++ struct tcphdr *th = tcp_hdr(skb); ++ ++ if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) ++ return __tcp6_gso_segment_list(skb, features); ++ ++ skb->ip_summed = CHECKSUM_NONE; ++ } + + if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) { + const struct ipv6hdr *ipv6h = ipv6_hdr(skb); diff --git a/queue-6.11/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch b/queue-6.11/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch new file mode 100644 index 00000000000..258aa00cb88 --- /dev/null +++ b/queue-6.11/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch @@ -0,0 +1,42 @@ +From 675faf5a14c14a2be0b870db30a70764df81e2df Mon Sep 17 00:00:00 2001 +From: KhaiWenTan +Date: Wed, 18 Sep 2024 14:14:22 +0800 +Subject: net: stmmac: Fix zero-division error when disabling tc cbs + +From: KhaiWenTan + +commit 675faf5a14c14a2be0b870db30a70764df81e2df upstream. + +The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider +when offload is disabled") allows the "port_transmit_rate_kbps" to be +set to a value of 0, which is then passed to the "div_s64" function when +tc-cbs is disabled. This leads to a zero-division error. + +When tc-cbs is disabled, the idleslope, sendslope, and credit values the +credit values are not required to be configured. Therefore, adding a return +statement after setting the txQ mode to DCB when tc-cbs is disabled would +prevent a zero-division error. + +Fixes: b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") +Cc: +Co-developed-by: Choong Yong Liang +Signed-off-by: Choong Yong Liang +Signed-off-by: KhaiWenTan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240918061422.1589662-1-khai.wen.tan@linux.intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -396,6 +396,7 @@ static int tc_setup_cbs(struct stmmac_pr + return ret; + + priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_DCB; ++ return 0; + } + + /* Final adjustments for HW */ diff --git a/queue-6.11/remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch b/queue-6.11/remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch new file mode 100644 index 00000000000..57b87134b94 --- /dev/null +++ b/queue-6.11/remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch @@ -0,0 +1,45 @@ +From 9ab27eb5866ccbf57715cfdba4b03d57776092fb Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Mon, 19 Aug 2024 17:24:51 +0200 +Subject: remoteproc: k3-r5: Fix error handling when power-up failed + +From: Jan Kiszka + +commit 9ab27eb5866ccbf57715cfdba4b03d57776092fb upstream. + +By simply bailing out, the driver was violating its rule and internal +assumptions that either both or no rproc should be initialized. E.g., +this could cause the first core to be available but not the second one, +leading to crashes on its shutdown later on while trying to dereference +that second instance. + +Fixes: 61f6f68447ab ("remoteproc: k3-r5: Wait for core0 power-up before powering up core1") +Signed-off-by: Jan Kiszka +Acked-by: Beleswar Padhi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/9f481156-f220-4adf-b3d9-670871351e26@siemens.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/ti_k3_r5_remoteproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c ++++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c +@@ -1332,7 +1332,7 @@ init_rmem: + dev_err(dev, + "Timed out waiting for %s core to power up!\n", + rproc->name); +- return ret; ++ goto err_powerup; + } + } + +@@ -1348,6 +1348,7 @@ err_split: + } + } + ++err_powerup: + rproc_del(rproc); + err_add: + k3_r5_reserved_mem_exit(kproc); diff --git a/queue-6.11/riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch b/queue-6.11/riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch new file mode 100644 index 00000000000..2d89305754a --- /dev/null +++ b/queue-6.11/riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch @@ -0,0 +1,61 @@ +From cfb10de18538e383dbc4f3ce7f477ce49287ff3d Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Tue, 17 Sep 2024 17:03:28 +0200 +Subject: riscv: Fix kernel stack size when KASAN is enabled + +From: Alexandre Ghiti + +commit cfb10de18538e383dbc4f3ce7f477ce49287ff3d upstream. + +We use Kconfig to select the kernel stack size, doubling the default +size if KASAN is enabled. + +But that actually only works if KASAN is selected from the beginning, +meaning that if KASAN config is added later (for example using +menuconfig), CONFIG_THREAD_SIZE_ORDER won't be updated, keeping the +default size, which is not enough for KASAN as reported in [1]. + +So fix this by moving the logic to compute the right kernel stack into a +header. + +Fixes: a7555f6b62e7 ("riscv: stack: Add config of thread stack size") +Reported-by: syzbot+ba9eac24453387a9d502@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000eb301906222aadc2@google.com/ [1] +Cc: stable@vger.kernel.org +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20240917150328.59831-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 3 +-- + arch/riscv/include/asm/thread_info.h | 7 ++++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -763,8 +763,7 @@ config IRQ_STACKS + config THREAD_SIZE_ORDER + int "Kernel stack size (in power-of-two numbers of page size)" if VMAP_STACK && EXPERT + range 0 4 +- default 1 if 32BIT && !KASAN +- default 3 if 64BIT && KASAN ++ default 1 if 32BIT + default 2 + help + Specify the Pages of thread stack size (from 4KB to 64KB), which also +--- a/arch/riscv/include/asm/thread_info.h ++++ b/arch/riscv/include/asm/thread_info.h +@@ -13,7 +13,12 @@ + #include + + /* thread information allocation */ +-#define THREAD_SIZE_ORDER CONFIG_THREAD_SIZE_ORDER ++#ifdef CONFIG_KASAN ++#define KASAN_STACK_ORDER 1 ++#else ++#define KASAN_STACK_ORDER 0 ++#endif ++#define THREAD_SIZE_ORDER (CONFIG_THREAD_SIZE_ORDER + KASAN_STACK_ORDER) + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + + /* diff --git a/queue-6.11/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch b/queue-6.11/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..a4263398bba --- /dev/null +++ b/queue-6.11/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch @@ -0,0 +1,32 @@ +From 73580e2ee6adfb40276bd420da3bb1abae204e10 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 25 Aug 2024 20:31:03 +0200 +Subject: rtc: at91sam9: fix OF node leak in probe() error path + +From: Krzysztof Kozlowski + +commit 73580e2ee6adfb40276bd420da3bb1abae204e10 upstream. + +Driver is leaking an OF node reference obtained from +of_parse_phandle_with_fixed_args(). + +Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-at91sam9.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/rtc/rtc-at91sam9.c ++++ b/drivers/rtc/rtc-at91sam9.c +@@ -368,6 +368,7 @@ static int at91_rtc_probe(struct platfor + return ret; + + rtc->gpbr = syscon_node_to_regmap(args.np); ++ of_node_put(args.np); + rtc->gpbr_offset = args.args[0]; + if (IS_ERR(rtc->gpbr)) { + dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n"); diff --git a/queue-6.11/series b/queue-6.11/series index 9624cd7c3f9..f9767e6678a 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -439,3 +439,52 @@ i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to- sysctl-avoid-spurious-permanent-empty-tables.patch rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch +drivers-perf-riscv-align-errno-for-unsupported-perf-event.patch +riscv-fix-kernel-stack-size-when-kasan-is-enabled.patch +aoe-fix-the-potential-use-after-free-problem-in-more-places.patch +media-imx335-fix-reset-gpio-handling.patch +media-ov5675-fix-power-on-off-delay-timings.patch +clk-rockchip-fix-error-for-unknown-clocks.patch +leds-pca9532-remove-irrelevant-blink-configuration-error-message.patch +remoteproc-k3-r5-fix-error-handling-when-power-up-failed.patch +gfs2-fix-double-destroy_workqueue-error.patch +media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch +clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch +media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch +clk-qcom-gcc-sm8450-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch +media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch +dt-bindings-clock-qcom-add-gpll9-support-on-gcc-sc8180x.patch +clk-qcom-gcc-sc8180x-register-qupv3-rcgs-for-dfs-on-sc8180x.patch +clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch +clk-samsung-exynos7885-update-clks_nr_fsys-after-bindings-fix.patch +clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch +media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch +clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch +media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch +clk-qcom-gcc-sc8180x-add-gpll9-support.patch +media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch +clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch +clk-qcom-clk-alpha-pll-fix-cal_l_val-override-for-lucid-evo-pll.patch +drm-amd-display-avoid-set-dispclk-to-0.patch +smb-client-use-actual-path-when-queryfs.patch +smb3-fix-incorrect-mode-displayed-for-read-only-files.patch +iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch +iio-pressure-bmp280-fix-regmap-for-bmp280-device.patch +iio-pressure-bmp280-fix-waiting-time-for-bmp3xx-configuration.patch +vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch +net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch +gso-fix-udp-gso-fraglist-segmentation-after-pull-from-frag_list.patch +tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch +kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch +net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch +rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch +mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch +mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch +mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch +mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch +mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch +mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch +input-adp5589-keys-fix-null-pointer-dereference.patch +input-adp5589-keys-fix-adp5589_gpio_get_value.patch +hid-bpf-fix-cfi-stubs-for-hid_bpf_ops.patch +cachefiles-fix-dentry-leak-in-cachefiles_open_file.patch diff --git a/queue-6.11/smb-client-use-actual-path-when-queryfs.patch b/queue-6.11/smb-client-use-actual-path-when-queryfs.patch new file mode 100644 index 00000000000..eb57b2f731f --- /dev/null +++ b/queue-6.11/smb-client-use-actual-path-when-queryfs.patch @@ -0,0 +1,140 @@ +From a421e3fe0e6abe27395078f4f0cec5daf466caea Mon Sep 17 00:00:00 2001 +From: wangrong +Date: Thu, 20 Jun 2024 16:37:29 +0800 +Subject: smb: client: use actual path when queryfs + +From: wangrong + +commit a421e3fe0e6abe27395078f4f0cec5daf466caea upstream. + +Due to server permission control, the client does not have access to +the shared root directory, but can access subdirectories normally, so +users usually mount the shared subdirectories directly. In this case, +queryfs should use the actual path instead of the root directory to +avoid the call returning an error (EACCES). + +Signed-off-by: wangrong +Reviewed-by: Paulo Alcantara (Red Hat) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsfs.c | 13 ++++++++++++- + fs/smb/client/cifsglob.h | 2 +- + fs/smb/client/smb1ops.c | 2 +- + fs/smb/client/smb2ops.c | 19 ++++++++++++------- + 4 files changed, 26 insertions(+), 10 deletions(-) + +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -313,8 +313,17 @@ cifs_statfs(struct dentry *dentry, struc + struct TCP_Server_Info *server = tcon->ses->server; + unsigned int xid; + int rc = 0; ++ const char *full_path; ++ void *page; + + xid = get_xid(); ++ page = alloc_dentry_path(); ++ ++ full_path = build_path_from_dentry(dentry, page); ++ if (IS_ERR(full_path)) { ++ rc = PTR_ERR(full_path); ++ goto statfs_out; ++ } + + if (le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength) > 0) + buf->f_namelen = +@@ -330,8 +339,10 @@ cifs_statfs(struct dentry *dentry, struc + buf->f_ffree = 0; /* unlimited */ + + if (server->ops->queryfs) +- rc = server->ops->queryfs(xid, tcon, cifs_sb, buf); ++ rc = server->ops->queryfs(xid, tcon, full_path, cifs_sb, buf); + ++statfs_out: ++ free_dentry_path(page); + free_xid(xid); + return rc; + } +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -482,7 +482,7 @@ struct smb_version_operations { + __u16 net_fid, struct cifsInodeInfo *cifs_inode); + /* query remote filesystem */ + int (*queryfs)(const unsigned int, struct cifs_tcon *, +- struct cifs_sb_info *, struct kstatfs *); ++ const char *, struct cifs_sb_info *, struct kstatfs *); + /* send mandatory brlock to the server */ + int (*mand_lock)(const unsigned int, struct cifsFileInfo *, __u64, + __u64, __u32, int, int, bool); +--- a/fs/smb/client/smb1ops.c ++++ b/fs/smb/client/smb1ops.c +@@ -909,7 +909,7 @@ cifs_oplock_response(struct cifs_tcon *t + + static int + cifs_queryfs(const unsigned int xid, struct cifs_tcon *tcon, +- struct cifs_sb_info *cifs_sb, struct kstatfs *buf) ++ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf) + { + int rc = -EOPNOTSUPP; + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -2836,7 +2836,7 @@ out_free_path: + + static int + smb2_queryfs(const unsigned int xid, struct cifs_tcon *tcon, +- struct cifs_sb_info *cifs_sb, struct kstatfs *buf) ++ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf) + { + struct smb2_query_info_rsp *rsp; + struct smb2_fs_full_size_info *info = NULL; +@@ -2845,7 +2845,7 @@ smb2_queryfs(const unsigned int xid, str + int rc; + + +- rc = smb2_query_info_compound(xid, tcon, "", ++ rc = smb2_query_info_compound(xid, tcon, path, + FILE_READ_ATTRIBUTES, + FS_FULL_SIZE_INFORMATION, + SMB2_O_INFO_FILESYSTEM, +@@ -2873,28 +2873,33 @@ qfs_exit: + + static int + smb311_queryfs(const unsigned int xid, struct cifs_tcon *tcon, +- struct cifs_sb_info *cifs_sb, struct kstatfs *buf) ++ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf) + { + int rc; +- __le16 srch_path = 0; /* Null - open root of share */ ++ __le16 *utf16_path = NULL; + u8 oplock = SMB2_OPLOCK_LEVEL_NONE; + struct cifs_open_parms oparms; + struct cifs_fid fid; + + if (!tcon->posix_extensions) +- return smb2_queryfs(xid, tcon, cifs_sb, buf); ++ return smb2_queryfs(xid, tcon, path, cifs_sb, buf); + + oparms = (struct cifs_open_parms) { + .tcon = tcon, +- .path = "", ++ .path = path, + .desired_access = FILE_READ_ATTRIBUTES, + .disposition = FILE_OPEN, + .create_options = cifs_create_options(cifs_sb, 0), + .fid = &fid, + }; + +- rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL, ++ utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); ++ if (utf16_path == NULL) ++ return -ENOMEM; ++ ++ rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, + NULL, NULL); ++ kfree(utf16_path); + if (rc) + return rc; + diff --git a/queue-6.11/smb3-fix-incorrect-mode-displayed-for-read-only-files.patch b/queue-6.11/smb3-fix-incorrect-mode-displayed-for-read-only-files.patch new file mode 100644 index 00000000000..1b401e68a0e --- /dev/null +++ b/queue-6.11/smb3-fix-incorrect-mode-displayed-for-read-only-files.patch @@ -0,0 +1,82 @@ +From 2f3017e7cc7515e0110a3733d8dca84de2a1d23d Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sat, 21 Sep 2024 23:28:32 -0500 +Subject: smb3: fix incorrect mode displayed for read-only files + +From: Steve French + +commit 2f3017e7cc7515e0110a3733d8dca84de2a1d23d upstream. + +Commands like "chmod 0444" mark a file readonly via the attribute flag +(when mapping of mode bits into the ACL are not set, or POSIX extensions +are not negotiated), but they were not reported correctly for stat of +directories (they were reported ok for files and for "ls"). See example +below: + + root:~# ls /mnt2 -l + total 12 + drwxr-xr-x 2 root root 0 Sep 21 18:03 normaldir + -rwxr-xr-x 1 root root 0 Sep 21 23:24 normalfile + dr-xr-xr-x 2 root root 0 Sep 21 17:55 readonly-dir + -r-xr-xr-x 1 root root 209716224 Sep 21 18:15 readonly-file + root:~# stat -c %a /mnt2/readonly-dir + 755 + root:~# stat -c %a /mnt2/readonly-file + 555 + +This fixes the stat of directories when ATTR_READONLY is set +(in cases where the mode can not be obtained other ways). + + root:~# stat -c %a /mnt2/readonly-dir + 555 + +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/inode.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -800,10 +800,6 @@ static void cifs_open_info_to_fattr(stru + fattr->cf_mode = S_IFREG | cifs_sb->ctx->file_mode; + fattr->cf_dtype = DT_REG; + +- /* clear write bits if ATTR_READONLY is set */ +- if (fattr->cf_cifsattrs & ATTR_READONLY) +- fattr->cf_mode &= ~(S_IWUGO); +- + /* + * Don't accept zero nlink from non-unix servers unless + * delete is pending. Instead mark it as unknown. +@@ -816,6 +812,10 @@ static void cifs_open_info_to_fattr(stru + } + } + ++ /* clear write bits if ATTR_READONLY is set */ ++ if (fattr->cf_cifsattrs & ATTR_READONLY) ++ fattr->cf_mode &= ~(S_IWUGO); ++ + out_reparse: + if (S_ISLNK(fattr->cf_mode)) { + if (likely(data->symlink_target)) +@@ -1233,11 +1233,14 @@ handle_mnt_opt: + __func__, rc); + goto out; + } +- } +- +- /* fill in remaining high mode bits e.g. SUID, VTX */ +- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL) ++ } else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL) ++ /* fill in remaining high mode bits e.g. SUID, VTX */ + cifs_sfu_mode(fattr, full_path, cifs_sb, xid); ++ else if (!(tcon->posix_extensions)) ++ /* clear write bits if ATTR_READONLY is set */ ++ if (fattr->cf_cifsattrs & ATTR_READONLY) ++ fattr->cf_mode &= ~(S_IWUGO); ++ + + /* check for Minshall+French symlinks */ + if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MF_SYMLINKS) { diff --git a/queue-6.11/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch b/queue-6.11/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch new file mode 100644 index 00000000000..d6eb5a98629 --- /dev/null +++ b/queue-6.11/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch @@ -0,0 +1,52 @@ +From ada1986d07976d60bed5017aa38b7f7cf27883f7 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 25 Sep 2024 22:30:59 +0900 +Subject: tomoyo: fallback to realpath if symlink's pathname does not exist + +From: Tetsuo Handa + +commit ada1986d07976d60bed5017aa38b7f7cf27883f7 upstream. + +Alfred Agrell found that TOMOYO cannot handle execveat(AT_EMPTY_PATH) +inside chroot environment where /dev and /proc are not mounted, for +commit 51f39a1f0cea ("syscalls: implement execveat() system call") missed +that TOMOYO tries to canonicalize argv[0] when the filename fed to the +executed program as argv[0] is supplied using potentially nonexistent +pathname. + +Since "/dev/fd/" already lost symlink information used for obtaining +that , it is too late to reconstruct symlink's pathname. Although + part of "/dev/fd//" might not be canonicalized, +TOMOYO cannot use tomoyo_realpath_nofollow() when /dev or /proc is not +mounted. Therefore, fallback to tomoyo_realpath_from_path() when +tomoyo_realpath_nofollow() failed. + +Reported-by: Alfred Agrell +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082001 +Fixes: 51f39a1f0cea ("syscalls: implement execveat() system call") +Cc: stable@vger.kernel.org # v3.19+ +Signed-off-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +--- + security/tomoyo/domain.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/security/tomoyo/domain.c ++++ b/security/tomoyo/domain.c +@@ -723,10 +723,13 @@ int tomoyo_find_next_domain(struct linux + ee->r.obj = &ee->obj; + ee->obj.path1 = bprm->file->f_path; + /* Get symlink's pathname of program. */ +- retval = -ENOENT; + exename.name = tomoyo_realpath_nofollow(original_name); +- if (!exename.name) +- goto out; ++ if (!exename.name) { ++ /* Fallback to realpath if symlink's pathname does not exist. */ ++ exename.name = tomoyo_realpath_from_path(&bprm->file->f_path); ++ if (!exename.name) ++ goto out; ++ } + tomoyo_fill_path_info(&exename); + retry: + /* Check 'aggregator' directive. */ diff --git a/queue-6.11/vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch b/queue-6.11/vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch new file mode 100644 index 00000000000..76c074bcd48 --- /dev/null +++ b/queue-6.11/vrf-revert-vrf-remove-unnecessary-rcu-bh-critical-section.patch @@ -0,0 +1,90 @@ +From b04c4d9eb4f25b950b33218e33b04c94e7445e51 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Sun, 29 Sep 2024 02:18:20 -0400 +Subject: vrf: revert "vrf: Remove unnecessary RCU-bh critical section" + +From: Willem de Bruijn + +commit b04c4d9eb4f25b950b33218e33b04c94e7445e51 upstream. + +This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853. + +dev_queue_xmit_nit is expected to be called with BH disabled. +__dev_queue_xmit has the following: + + /* Disable soft irqs for various locks below. Also + * stops preemption for RCU. + */ + rcu_read_lock_bh(); + +VRF must follow this invariant. The referenced commit removed this +protection. Which triggered a lockdep warning: + + ================================ + WARNING: inconsistent lock state + 6.11.0 #1 Tainted: G W + -------------------------------- + inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. + btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes: + ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30 + {IN-SOFTIRQ-W} state was registered at: + lock_acquire+0x19a/0x4f0 + _raw_spin_lock+0x27/0x40 + packet_rcv+0xa33/0x1320 + __netif_receive_skb_core.constprop.0+0xcb0/0x3a90 + __netif_receive_skb_list_core+0x2c9/0x890 + netif_receive_skb_list_internal+0x610/0xcc0 + [...] + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(rlock-AF_PACKET); + + lock(rlock-AF_PACKET); + + *** DEADLOCK *** + + Call Trace: + + dump_stack_lvl+0x73/0xa0 + mark_lock+0x102e/0x16b0 + __lock_acquire+0x9ae/0x6170 + lock_acquire+0x19a/0x4f0 + _raw_spin_lock+0x27/0x40 + tpacket_rcv+0x863/0x3b30 + dev_queue_xmit_nit+0x709/0xa40 + vrf_finish_direct+0x26e/0x340 [vrf] + vrf_l3_out+0x5f4/0xe80 [vrf] + __ip_local_out+0x51e/0x7a0 + [...] + +Fixes: 504fc6f4f7f6 ("vrf: Remove unnecessary RCU-bh critical section") +Link: https://lore.kernel.org/netdev/20240925185216.1990381-1-greearb@candelatech.com/ +Reported-by: Ben Greear +Signed-off-by: Willem de Bruijn +Cc: stable@vger.kernel.org +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20240929061839.1175300-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vrf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -607,7 +607,9 @@ static void vrf_finish_direct(struct sk_ + eth_zero_addr(eth->h_dest); + eth->h_proto = skb->protocol; + ++ rcu_read_lock_bh(); + dev_queue_xmit_nit(skb, vrf_dev); ++ rcu_read_unlock_bh(); + + skb_pull(skb, ETH_HLEN); + } -- 2.47.3