From 4694920de4fb9f22beaebf52c4537bb7c56c5d42 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 17 Jun 2023 10:33:00 +0200 Subject: [PATCH] 6.3-stable patches added patches: alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch btrfs-do-not-assert-on-duplicated-global-roots.patch btrfs-fix-iomap_begin-length-for-nocow-writes.patch btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch dm-thin-metadata-check-fail_io-before-using-data_sm.patch drm-amd-display-edp-do-not-add-non-edid-timings.patch drm-amd-display-limit-dpia-link-rate-to-hbr3.patch drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch drm-amdgpu-add-missing-radeon-secondary-pci-id.patch drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch io_uring-net-save-msghdr-msg_control-for-retries.patch kexec-support-purgatories-with-.text.hot-sections.patch loongarch-fix-debugfs_create_dir-error-checking.patch loongarch-fix-perf-event-id-calculation.patch mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch mm-gup_test-fix-ioctl-fail-for-compat-task.patch mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch 
net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch nilfs2-reject-devices-with-insufficient-block-count.patch nios2-dts-fix-tse_mac-max-frame-size-property.patch nouveau-fix-client-work-fence-deletion-race.patch ocfs2-check-new-file-size-on-fallocate-call.patch ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch powerpc-purgatory-remove-pgo-flags.patch rdma-uverbs-restrict-usage-of-privileged-qkeys.patch revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch riscv-purgatory-remove-pgo-flags.patch s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch x86-purgatory-remove-pgo-flags.patch zswap-do-not-shrink-if-cgroup-may-not-zswap.patch --- ...ealtek-add-a-quirk-for-compaq-n14jp6.patch | 30 +++ ...evices-to-enable-native-dsd-playback.patch | 39 +++ ...roken-resume-due-to-uac3-power-state.patch | 47 ++++ ...d-pass-down-args-strict-from-callers.patch | 55 +++++ ...ot-assert-on-duplicated-global-roots.patch | 120 ++++++++++ ...-iomap_begin-length-for-nocow-writes.patch | 91 +++++++ ...nc-discard-when-switching-from-ro-rw.patch | 95 ++++++++ ...-fix-a-crash-in-metadata-repair-path.patch | 103 ++++++++ ...s-gfp_noio-to-__blkdev_issue_discard.patch | 39 +++ ...a-check-fail_io-before-using-data_sm.patch | 101 ++++++++ ...play-edp-do-not-add-non-edid-timings.patch | 45 ++++ ...display-limit-dpia-link-rate-to-hbr3.patch | 43 ++++ ...n-to-trigger-vbios-image-update-flow.patch | 43 ++++ ...r-compute-workload-type-on-some-skus.patch | 69 ++++++ ...issions-on-vbios-flashing-attributes.patch | 41 ++++ ...-add-missing-radeon-secondary-pci-id.patch | 35 +++ ...fx9-patch-functions-for-resubmission.patch | 134 +++++++++++ 
...ect-buffer-packages-for-resubmission.patch | 223 ++++++++++++++++++ ...-address-as-zero-if-no-gds-allocated.patch | 64 +++++ ...reempt-after-trailing-fence-signaled.patch | 53 +++++ ...set-instance-0-init-sched-score-to-1.patch | 37 +++ ...ion-should-use-list_del_init_careful.patch | 42 ++++ ...-save-msghdr-msg_control-for-retries.patch | 60 +++++ ...-purgatories-with-.text.hot-sections.patch | 102 ++++++++ ...ix-debugfs_create_dir-error-checking.patch | 33 +++ ...ngarch-fix-perf-event-id-calculation.patch | 48 ++++ ...-in-damon_nr_accesses_to_accesses_bp.patch | 44 ++++ ..._test-fix-ioctl-fail-for-compat-task.patch | 37 +++ ...on-where-start-addr-cuts-part-of-vma.patch | 92 ++++++++ ...ossible-memory-leak-in-__stmmac_open.patch | 66 ++++++ ...i_wwan-add-support-for-compal-rxm-g1.patch | 88 +++++++ ...nup-in-nilfs_btnode_abort_change_key.patch | 53 +++++ ...s-segment-allocation-in-resize-ioctl.patch | 62 +++++ ...evices-with-insufficient-block-count.patch | 104 ++++++++ ...-fix-tse_mac-max-frame-size-property.patch | 46 ++++ ...-fix-client-work-fence-deletion-race.patch | 60 +++++ ...heck-new-file-size-on-fallocate-call.patch | 57 +++++ ...when-unmounting-read-only-filesystem.patch | 100 ++++++++ .../powerpc-purgatory-remove-pgo-flags.patch | 59 +++++ ...s-restrict-usage-of-privileged-qkeys.patch | 43 ++++ ...-allocating-vram-in-large-bar-system.patch | 51 ++++ .../riscv-purgatory-remove-pgo-flags.patch | 59 +++++ ...y-freed-irq-by-repeated-ism_dev_exit.patch | 55 +++++ queue-6.3/series | 47 ++++ ...uble-lock-bug-in-reg_wdev_chan_valid.patch | 36 +++ ...fix-locking-in-regulatory-disconnect.patch | 36 +++ .../x86-purgatory-remove-pgo-flags.patch | 59 +++++ ...o-not-shrink-if-cgroup-may-not-zswap.patch | 70 ++++++ 48 files changed, 3116 insertions(+) create mode 100644 queue-6.3/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch create mode 100644 queue-6.3/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch create mode 100644 
queue-6.3/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch create mode 100644 queue-6.3/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch create mode 100644 queue-6.3/btrfs-do-not-assert-on-duplicated-global-roots.patch create mode 100644 queue-6.3/btrfs-fix-iomap_begin-length-for-nocow-writes.patch create mode 100644 queue-6.3/btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch create mode 100644 queue-6.3/btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch create mode 100644 queue-6.3/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch create mode 100644 queue-6.3/dm-thin-metadata-check-fail_io-before-using-data_sm.patch create mode 100644 queue-6.3/drm-amd-display-edp-do-not-add-non-edid-timings.patch create mode 100644 queue-6.3/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch create mode 100644 queue-6.3/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch create mode 100644 queue-6.3/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch create mode 100644 queue-6.3/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch create mode 100644 queue-6.3/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch create mode 100644 queue-6.3/drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch create mode 100644 queue-6.3/drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch create mode 100644 queue-6.3/drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch create mode 100644 queue-6.3/drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch create mode 100644 queue-6.3/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch create mode 100644 queue-6.3/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch create mode 100644 queue-6.3/io_uring-net-save-msghdr-msg_control-for-retries.patch create mode 100644 
queue-6.3/kexec-support-purgatories-with-.text.hot-sections.patch create mode 100644 queue-6.3/loongarch-fix-debugfs_create_dir-error-checking.patch create mode 100644 queue-6.3/loongarch-fix-perf-event-id-calculation.patch create mode 100644 queue-6.3/mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch create mode 100644 queue-6.3/mm-gup_test-fix-ioctl-fail-for-compat-task.patch create mode 100644 queue-6.3/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch create mode 100644 queue-6.3/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch create mode 100644 queue-6.3/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch create mode 100644 queue-6.3/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch create mode 100644 queue-6.3/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch create mode 100644 queue-6.3/nilfs2-reject-devices-with-insufficient-block-count.patch create mode 100644 queue-6.3/nios2-dts-fix-tse_mac-max-frame-size-property.patch create mode 100644 queue-6.3/nouveau-fix-client-work-fence-deletion-race.patch create mode 100644 queue-6.3/ocfs2-check-new-file-size-on-fallocate-call.patch create mode 100644 queue-6.3/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch create mode 100644 queue-6.3/powerpc-purgatory-remove-pgo-flags.patch create mode 100644 queue-6.3/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch create mode 100644 queue-6.3/revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch create mode 100644 queue-6.3/riscv-purgatory-remove-pgo-flags.patch create mode 100644 queue-6.3/s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch create mode 100644 queue-6.3/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch create mode 100644 queue-6.3/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch create mode 100644 
queue-6.3/x86-purgatory-remove-pgo-flags.patch create mode 100644 queue-6.3/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch
diff --git a/queue-6.3/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch b/queue-6.3/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
new file mode 100644
index 00000000000..17b21d906fb
--- /dev/null
+++ b/queue-6.3/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
@@ -0,0 +1,30 @@
+From a2a871483161014f1bcc4e9a04354b01aa77cedb Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck
+Date: Fri, 9 Jun 2023 17:10:58 -0300
+Subject: ALSA: hda/realtek: Add a quirk for Compaq N14JP6
+
+From: Edson Juliano Drosdeck
+
+commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream.
+
+Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound.
+
+Signed-off-by: Edson Juliano Drosdeck
+Cc:
+Link: https://lore.kernel.org/r/20230609201058.523499-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11738,6 +11738,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
+ SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26),
+ SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
++ SND_PCI_QUIRK(0x1c6c, 0x1239, "Compaq N14JP6-V2", ALC897_FIXUP_HP_HSMIC_VERB),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
diff --git a/queue-6.3/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch b/queue-6.3/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
new file mode 100644
index 00000000000..9224f03119f
--- /dev/null
+++ b/queue-6.3/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
@@ -0,0 +1,39 @@
+From 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b Mon Sep 17 00:00:00 2001
+From: Lukasz Tyl
+Date: Wed, 14 Jun 2023 14:25:24 +0200
+Subject: ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback
+
+From: Lukasz Tyl
+
+commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream.
+
+This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for
+HEM devices which supports native DSD. Prior to this change Linux kernel
+was not enabling native DSD playback for HEM devices, and as a result,
+DSD audio was being converted to PCM "on the fly". HEM devices,
+when connected to the system, would only play audio in PCM format,
+even if the source material was in DSD format. With the addition of new
+VENDOR_FLG in the quircks.c file, the devices are now correctly
+recognized, and raw DSD data is transmitted to the device,
+allowing for native DSD playback.
+
+Signed-off-by: Lukasz Tyl
+Cc:
+Link: https://lore.kernel.org/r/20230614122524.30271-1-ltyl@hem-e.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2191,6 +2191,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x2ab6, /* T+A devices */
+ QUIRK_FLAG_DSD_RAW),
++ VENDOR_FLG(0x3336, /* HEM devices */
++ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x3353, /* Khadas devices */
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x3842, /* EVGA */
diff --git a/queue-6.3/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch b/queue-6.3/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch
new file mode 100644
index 00000000000..bcc4d001c45
--- /dev/null
+++ b/queue-6.3/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch
@@ -0,0 +1,47 @@
+From 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 12 Jun 2023 15:28:18 +0200
+Subject: ALSA: usb-audio: Fix broken resume due to UAC3 power state
+
+From: Takashi Iwai
+
+commit 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 upstream.
+
+As reported in the bugzilla below, the PM resume of a UAC3 device may
+fail due to the incomplete power state change, stuck at D1. The
+reason is that the driver expects the full D0 power state change only
+at hw_params, while the normal PCM resume procedure doesn't call
+hw_params.
+
+For fixing the bug, we add the same power state update to D0 at the
+prepare callback, which is certainly called by the resume procedure.
+
+Note that, with this change, the power state change in the hw_params
+becomes almost redundant, since snd_usb_hw_params() doesn't touch the
+parameters (at least it tires so). But dropping it is still a bit
+risky (e.g. we have the media-driver binding), so I leave the D0 power
+state change in snd_usb_hw_params() as is for now.
+
+Fixes: a0a4959eb4e9 ("ALSA: usb-audio: Operate UAC3 Power Domains in PCM callbacks")
+Cc:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217539
+Link: https://lore.kernel.org/r/20230612132818.29486-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/pcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -650,6 +650,10 @@ static int snd_usb_pcm_prepare(struct sn
+ goto unlock;
+ }
+
++ ret = snd_usb_pcm_change_state(subs, UAC3_PD_STATE_D0);
++ if (ret < 0)
++ goto unlock;
++
+ again:
+ if (subs->sync_endpoint) {
+ ret = snd_usb_endpoint_prepare(chip, subs->sync_endpoint);
diff --git a/queue-6.3/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch b/queue-6.3/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch
new file mode 100644
index 00000000000..bd617ede6fa
--- /dev/null
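Review bot: The new `snd_usb_pcm_change_state(subs, UAC3_PD_STATE_D0)` call in snd_usb_pcm_prepare() has no comment, and nothing at the call site says why prepare repeats a transition that hw_params already performs. Someone reading both callbacks later is likely to drop one as redundant and bring the stuck-at-D1 resume failure back. I would add above the call `/* PCM resume reaches prepare but not hw_params, so bring the UAC3 power domain back to D0 here */`. The function starts and ends outside the hunk, so what the `unlock` label undoes on this new early exit could not be checked.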
+++ b/queue-6.3/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch
@@ -0,0 +1,55 @@
+From deccae40e4b30f98837e44225194d80c8baf2233 Mon Sep 17 00:00:00 2001
+From: Chris Mason
+Date: Fri, 9 Jun 2023 10:53:41 -0700
+Subject: btrfs: can_nocow_file_extent should pass down args->strict from callers
+
+From: Chris Mason
+
+commit deccae40e4b30f98837e44225194d80c8baf2233 upstream.
+
+Commit 619104ba453ad0 ("btrfs: move common NOCOW checks against a file
+extent into a helper") changed our call to btrfs_cross_ref_exist() to
+always pass false for the 'strict' parameter. We're passing this down
+through the stack so that we can do a full check for cross references
+during swapfile activation.
+
+With strict always false, this test fails:
+
+ btrfs subvol create swappy
+ chattr +C swappy
+ fallocate -l1G swappy/swapfile
+ chmod 600 swappy/swapfile
+ mkswap swappy/swapfile
+
+ btrfs subvol snap swappy swapsnap
+ btrfs subvol del -C swapsnap
+
+ btrfs fi sync /
+ sync;sync;sync
+
+ swapon swappy/swapfile
+
+The fix is to just use args->strict, and everyone except swapfile
+activation is passing false.
+
+Fixes: 619104ba453ad0 ("btrfs: move common NOCOW checks against a file extent into a helper")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana
+Signed-off-by: Chris Mason
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1869,7 +1869,7 @@ static int can_nocow_file_extent(struct
+
+ ret = btrfs_cross_ref_exist(root, btrfs_ino(inode),
+ key->offset - args->extent_offset,
+- args->disk_bytenr, false, path);
++ args->disk_bytenr, args->strict, path);
+ WARN_ON_ONCE(ret > 0 && is_freespace_inode);
+ if (ret != 0)
+ goto out;
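Review bot: `args->strict` is now read at the btrfs_cross_ref_exist() call where `false` used to be hard-coded, so every caller of can_nocow_file_extent() has to initialise that field. No caller is visible in this hunk; if one builds the args struct on the stack without zeroing it, the cross-reference check would be strict or not depending on stack contents. It is worth confirming that each caller zero-initialises the struct, and documenting the field where it is declared with something like `/* strict: full cross-reference check, set only for swapfile activation */`.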
diff --git a/queue-6.3/btrfs-do-not-assert-on-duplicated-global-roots.patch b/queue-6.3/btrfs-do-not-assert-on-duplicated-global-roots.patch
new file mode 100644
index 00000000000..436a90450d1
--- /dev/null
+++ b/queue-6.3/btrfs-do-not-assert-on-duplicated-global-roots.patch
@@ -0,0 +1,120 @@ +From 745806fb4554f334e6406fa82b328562aa48f08f Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Sun, 11 Jun 2023 08:09:13 +0800 +Subject: btrfs: do not ASSERT() on duplicated global roots + +From: Qu Wenruo + +commit 745806fb4554f334e6406fa82b328562aa48f08f upstream. + +[BUG] +Syzbot reports a reproducible ASSERT() when using rescue=usebackuproot +mount option on a corrupted fs. + +The full report can be found here: +https://syzkaller.appspot.com/bug?extid=c4614eae20a166c25bf0 + + BTRFS error (device loop0: state C): failed to load root csum + assertion failed: !tmp, in fs/btrfs/disk-io.c:1103 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/ctree.h:3664! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN + CPU: 1 PID: 3608 Comm: syz-executor356 Not tainted 6.0.0-rc7-syzkaller-00029-g3800a713b607 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 + RIP: 0010:assertfail+0x1a/0x1c fs/btrfs/ctree.h:3663 + RSP: 0018:ffffc90003aaf250 EFLAGS: 00010246 + RAX: 0000000000000032 RBX: 0000000000000000 RCX: f21c13f886638400 + RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 + RBP: ffff888021c640a0 R08: ffffffff816bd38d R09: ffffed10173667f1 + R10: ffffed10173667f1 R11: 1ffff110173667f0 R12: dffffc0000000000 + R13: ffff8880229c21f7 R14: ffff888021c64060 R15: ffff8880226c0000 + FS: 0000555556a73300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055a2637d7a00 CR3: 00000000709c4000 CR4: 00000000003506e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + btrfs_global_root_insert+0x1a7/0x1b0 fs/btrfs/disk-io.c:1103 + load_global_roots_objectid+0x482/0x8c0 fs/btrfs/disk-io.c:2467 + load_global_roots fs/btrfs/disk-io.c:2501 [inline] + btrfs_read_roots fs/btrfs/disk-io.c:2528 [inline] + init_tree_roots+0xccb/0x203c 
fs/btrfs/disk-io.c:2939 + open_ctree+0x1e53/0x33df fs/btrfs/disk-io.c:3574 + btrfs_fill_super+0x1c6/0x2d0 fs/btrfs/super.c:1456 + btrfs_mount_root+0x885/0x9a0 fs/btrfs/super.c:1824 + legacy_get_tree+0xea/0x180 fs/fs_context.c:610 + vfs_get_tree+0x88/0x270 fs/super.c:1530 + fc_mount fs/namespace.c:1043 [inline] + vfs_kern_mount+0xc9/0x160 fs/namespace.c:1073 + btrfs_mount+0x3d3/0xbb0 fs/btrfs/super.c:1884 + +[CAUSE] +Since the introduction of global roots, we handle +csum/extent/free-space-tree roots as global roots, even if no +extent-tree-v2 feature is enabled. + +So for regular csum/extent/fst roots, we load them into +fs_info::global_root_tree rb tree. + +And we should not expect any conflicts in that rb tree, thus we have an +ASSERT() inside btrfs_global_root_insert(). + +But rescue=usebackuproot can break the assumption, as we will try to +load those trees again and again as long as we have bad roots and have +backup roots slot remaining. + +So in that case we can have conflicting roots in the rb tree, and +triggering the ASSERT() crash. + +[FIX] +We can safely remove that ASSERT(), as the caller will properly put the +offending root. 
+ +To make further debugging easier, also add two explicit error messages: + +- Error message for conflicting global roots +- Error message when using backup roots slot + +Reported-by: syzbot+a694851c6ab28cbcfb9c@syzkaller.appspotmail.com +Fixes: abed4aaae4f7 ("btrfs: track the csum, extent, and free space trees in a rb tree") +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -996,13 +996,18 @@ int btrfs_global_root_insert(struct btrf + { + struct btrfs_fs_info *fs_info = root->fs_info; + struct rb_node *tmp; ++ int ret = 0; + + write_lock(&fs_info->global_root_lock); + tmp = rb_find_add(&root->rb_node, &fs_info->global_root_tree, global_root_cmp); + write_unlock(&fs_info->global_root_lock); +- ASSERT(!tmp); + +- return tmp ? -EEXIST : 0; ++ if (tmp) { ++ ret = -EEXIST; ++ btrfs_warn(fs_info, "global root %llu %llu already exists", ++ root->root_key.objectid, root->root_key.offset); ++ } ++ return ret; + } + + void btrfs_global_root_delete(struct btrfs_root *root) +@@ -2843,6 +2848,7 @@ static int __cold init_tree_roots(struct + /* We can't trust the free space cache either */ + btrfs_set_opt(fs_info->mount_opt, CLEAR_CACHE); + ++ btrfs_warn(fs_info, "try to load backup roots slot %d", i); + ret = read_backup_root(fs_info, i); + backup_index = ret; + if (ret < 0) diff --git a/queue-6.3/btrfs-fix-iomap_begin-length-for-nocow-writes.patch b/queue-6.3/btrfs-fix-iomap_begin-length-for-nocow-writes.patch new file mode 100644 index 00000000000..96e73b9990d --- /dev/null +++ b/queue-6.3/btrfs-fix-iomap_begin-length-for-nocow-writes.patch 
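Review bot: With `ASSERT(!tmp)` removed from btrfs_global_root_insert(), the `-EEXIST` return is the only thing telling a caller that its root was not linked into `global_root_tree`. The description says the caller puts the offending root, but no call site is visible in this hunk, and the path is reached from a corrupted image, so each caller should be confirmed to check the return value and drop its reference. A short comment above the `if (tmp)` block would record that contract, for example `/* Duplicate key: the root was not inserted, the caller must put it */`. On wording, `"try to load backup roots slot %d"` reads more clearly as `"trying to load backup root slot %d"`, and it is printed before read_backup_root() has reported whether the slot was usable.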
@@ -0,0 +1,91 @@ +From 7833b865953c8e62abc76a3261c04132b2fb69de Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 8 Jun 2023 11:10:25 +0200 +Subject: btrfs: fix iomap_begin length for nocow writes + +From: Christoph Hellwig + +commit 7833b865953c8e62abc76a3261c04132b2fb69de upstream. + +can_nocow_extent can reduce the len passed in, which needs to be +propagated to btrfs_dio_iomap_begin so that iomap does not submit +more data then is mapped. + +This problems exists since the btrfs_get_blocks_direct helper was added +in commit c5794e51784a ("btrfs: Factor out write portion of +btrfs_get_blocks_direct"), but the ordered_extent splitting added in +commit b73a6fd1b1ef ("btrfs: split partial dio bios before submit") +added a WARN_ON that made a syzkaller test fail. + +Reported-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com +Fixes: c5794e51784a ("btrfs: Factor out write portion of btrfs_get_blocks_direct") +CC: stable@vger.kernel.org # 6.1+ +Tested-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com +Reviewed-by: Filipe Manana +Signed-off-by: Christoph Hellwig +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7324,7 +7324,7 @@ static struct extent_map *create_io_em(s + static int btrfs_get_blocks_direct_write(struct extent_map **map, + struct inode *inode, + struct btrfs_dio_data *dio_data, +- u64 start, u64 len, ++ u64 start, u64 *lenp, + unsigned int iomap_flags) + { + const bool nowait = (iomap_flags & IOMAP_NOWAIT); +@@ -7335,6 +7335,7 @@ static int btrfs_get_blocks_direct_write + struct btrfs_block_group *bg; + bool can_nocow = false; + bool space_reserved = false; ++ u64 len = *lenp; + u64 prev_len; + int ret = 0; + +@@ -7405,15 +7406,19 @@ static int btrfs_get_blocks_direct_write + free_extent_map(em); + *map = NULL; + +- if (nowait) +- return -EAGAIN; ++ if (nowait) { 
++ ret = -EAGAIN; ++ goto out; ++ } + + /* + * If we could not allocate data space before locking the file + * range and we can't do a NOCOW write, then we have to fail. + */ +- if (!dio_data->data_space_reserved) +- return -ENOSPC; ++ if (!dio_data->data_space_reserved) { ++ ret = -ENOSPC; ++ goto out; ++ } + + /* + * We have to COW and we have already reserved data space before, +@@ -7454,6 +7459,7 @@ out: + btrfs_delalloc_release_extents(BTRFS_I(inode), len); + btrfs_delalloc_release_metadata(BTRFS_I(inode), len, true); + } ++ *lenp = len; + return ret; + } + +@@ -7630,7 +7636,7 @@ static int btrfs_dio_iomap_begin(struct + + if (write) { + ret = btrfs_get_blocks_direct_write(&em, inode, dio_data, +- start, len, flags); ++ start, &len, flags); + if (ret < 0) + goto unlock_err; + unlock_extents = true; diff --git a/queue-6.3/btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch b/queue-6.3/btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch new file mode 100644 index 00000000000..fba0b83ce08 --- /dev/null +++ b/queue-6.3/btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch 
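Review bot: `lenp` is now an in/out parameter of btrfs_get_blocks_direct_write(), but nothing in the new code says so. `*lenp = len;` sits after the `out:` cleanup, so it is also written when the function fails, including the `-EAGAIN` and `-ENOSPC` paths that this patch converts from direct returns into `goto out`. The caller in btrfs_dio_iomap_begin() jumps to `unlock_err` on `ret < 0`, and whether it still relies on its original `len` there is outside the hunk. I would add a comment above the function such as `/* @lenp: in: requested length; out: length actually mapped, may be smaller, also written back on error */` so the next caller does not assume the value is untouched on failure.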
@@ -0,0 +1,95 @@
+From 981a37bab5e5f16137266d3f00cf2bd018af36ef Mon Sep 17 00:00:00 2001
+From: Chris Mason
+Date: Mon, 5 Jun 2023 12:03:15 -0700
+Subject: btrfs: properly enable async discard when switching from RO->RW
+
+From: Chris Mason
+
+commit 981a37bab5e5f16137266d3f00cf2bd018af36ef upstream.
+
+The async discard uses the BTRFS_FS_DISCARD_RUNNING bit in the fs_info
+to force discards off when the filesystem has aborted or we're generally
+not able to run discards. This gets flipped on when we're mounted rw,
+and also when we go from ro->rw.
+
+Commit 63a7cb13071842 ("btrfs: auto enable discard=async when possible")
+enabled async discard by default, and this meant
+"mount -o ro /dev/xxx /yyy" had async discards turned on.
+
+Unfortunately, this meant our check in btrfs_remount_cleanup() would see
+that discards are already on:
+
+ /* If we toggled discard async */
+ if (!btrfs_raw_test_opt(old_opts, DISCARD_ASYNC) &&
+ btrfs_test_opt(fs_info, DISCARD_ASYNC))
+ btrfs_discard_resume(fs_info);
+
+So, we'd never call btrfs_discard_resume() when remounting the root
+filesystem from ro->rw.
+
+drgn shows this really nicely:
+
+import os
+import sys
+
+from drgn.helpers.linux.fs import path_lookup
+from drgn import NULL, Object, Type, cast
+
+def btrfs_sb(sb):
+ return cast("struct btrfs_fs_info *", sb.s_fs_info)
+
+if len(sys.argv) == 1:
+ path = "/"
+else:
+ path = sys.argv[1]
+
+fs_info = cast("struct btrfs_fs_info *", path_lookup(prog, path).mnt.mnt_sb.s_fs_info)
+
+BTRFS_FS_DISCARD_RUNNING = 1 << prog['BTRFS_FS_DISCARD_RUNNING']
+if fs_info.flags & BTRFS_FS_DISCARD_RUNNING:
+ print("discard running flag is on")
+else:
+ print("discard running flag is off")
+
+[root]# mount | grep nvme
+/dev/nvme0n1p3 on / type btrfs
+(rw,relatime,compress-force=zstd:3,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)
+
+[root]# ./discard_running.drgn
+discard running flag is off
+
+[root]# mount -o remount,discard=sync /
+[root]# mount -o remount,discard=async /
+[root]# ./discard_running.drgn
+discard running flag is on
+
+The fix is to call btrfs_discard_resume() when we're going from ro->rw.
+It already checks to make sure the async discard flag is on, so it'll do
+the right thing.
+
+Fixes: 63a7cb13071842 ("btrfs: auto enable discard=async when possible")
+CC: stable@vger.kernel.org # 6.3+
+Reviewed-by: Boris Burkov
+Signed-off-by: Chris Mason
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1840,6 +1840,12 @@ static int btrfs_remount(struct super_bl
+ btrfs_clear_sb_rdonly(sb);
+
+ set_bit(BTRFS_FS_OPEN, &fs_info->flags);
++
++ /*
++ * If we've gone from readonly -> read/write, we need to get
++ * our sync/async discard lists in the right state.
++ */
++ btrfs_discard_resume(fs_info);
+ }
+ out:
+ /*
diff --git a/queue-6.3/btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch b/queue-6.3/btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch
new file mode 100644
index 00000000000..75e212b2f25
--- /dev/null
+++ b/queue-6.3/btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch
@@ -0,0 +1,103 @@ +From 917ac77846b907dfdbd878688a9a61236ad6c51e Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 26 May 2023 20:30:20 +0800 +Subject: btrfs: subpage: fix a crash in metadata repair path + +From: Qu Wenruo + +commit 917ac77846b907dfdbd878688a9a61236ad6c51e upstream. + +[BUG] +Test case btrfs/027 would crash with subpage (64K page size, 4K +sectorsize) with the following dying messages: + + debug: map_length=16384 length=65536 type=metadata|raid6(0x104) + assertion failed: map_length >= length, in fs/btrfs/volumes.c:8093 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/messages.c:259! + Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + Call trace: + btrfs_assertfail+0x28/0x2c [btrfs] + btrfs_map_repair_block+0x150/0x2b8 [btrfs] + btrfs_repair_io_failure+0xd4/0x31c [btrfs] + btrfs_read_extent_buffer+0x150/0x16c [btrfs] + read_tree_block+0x38/0xbc [btrfs] + read_tree_root_path+0xfc/0x1bc [btrfs] + btrfs_get_root_ref.part.0+0xd4/0x3a8 [btrfs] + open_ctree+0xa30/0x172c [btrfs] + btrfs_mount_root+0x3c4/0x4a4 [btrfs] + legacy_get_tree+0x30/0x60 + vfs_get_tree+0x28/0xec + vfs_kern_mount.part.0+0x90/0xd4 + vfs_kern_mount+0x14/0x28 + btrfs_mount+0x114/0x418 [btrfs] + legacy_get_tree+0x30/0x60 + vfs_get_tree+0x28/0xec + path_mount+0x3e0/0xb64 + __arm64_sys_mount+0x200/0x2d8 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x60/0x11c + do_el0_svc+0x38/0x98 + el0_svc+0x40/0xa8 + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x190/0x194 + Code: aa0403e2 b0fff060 91010000 959c2024 (d4210000) + +[CAUSE] +In btrfs/027 we test RAID6 with missing devices, in this particular +case, we're repairing a metadata at the end of a data stripe. + +But at btrfs_repair_io_failure(), we always pass a full PAGE for repair, +and for subpage case this can cross stripe boundary and lead to the +above BUG_ON(). 
+ +This metadata repair code is always there, since the introduction of +subpage support, but this can trigger BUG_ON() after the bio split +ability at btrfs_map_bio(). + +[FIX] +Instead of passing the old PAGE_SIZE, we calculate the correct length +based on the eb size and page size for both regular and subpage cases. + +CC: stable@vger.kernel.org # 6.3+ +Reviewed-by: Christoph Hellwig +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 2b1b227505f3..88e6d1072a35 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -242,7 +242,6 @@ static int btrfs_repair_eb_io_failure(const struct extent_buffer *eb, + int mirror_num) + { + struct btrfs_fs_info *fs_info = eb->fs_info; +- u64 start = eb->start; + int i, num_pages = num_extent_pages(eb); + int ret = 0; + +@@ -251,12 +250,14 @@ static int btrfs_repair_eb_io_failure(const struct extent_buffer *eb, + + for (i = 0; i < num_pages; i++) { + struct page *p = eb->pages[i]; ++ u64 start = max_t(u64, eb->start, page_offset(p)); ++ u64 end = min_t(u64, eb->start + eb->len, page_offset(p) + PAGE_SIZE); ++ u32 len = end - start; + +- ret = btrfs_repair_io_failure(fs_info, 0, start, PAGE_SIZE, +- start, p, start - page_offset(p), mirror_num); ++ ret = btrfs_repair_io_failure(fs_info, 0, start, len, ++ start, p, offset_in_page(start), mirror_num); + if (ret) + break; +- start += PAGE_SIZE; + } + + return ret; +-- +2.41.0 + diff --git a/queue-6.3/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch b/queue-6.3/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch new file mode 100644 index 00000000000..887af10b59b --- /dev/null +++ b/queue-6.3/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch 
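Review bot: In the loop of btrfs_repair_eb_io_failure(), `u32 len = end - start;` narrows a u64 difference and nothing states or checks that `start < end`. The result stays within PAGE_SIZE only if every entry of `eb->pages[]` overlaps the range from `eb->start` to `eb->start + eb->len`. That is presumably guaranteed by how the extent buffer is built, but if it ever failed to hold, the subtraction would wrap and an oversized length would reach btrfs_repair_io_failure(). I would make the assumption explicit with `ASSERT(start < end);` before the call, or at least a comment such as `/* each page overlaps the eb, so 0 < len <= PAGE_SIZE */`.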
@@ -0,0 +1,39 @@
+From 722d90822321497e2837cfc9000202e256e6b32f Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Tue, 13 Jun 2023 20:05:34 -0400
+Subject: dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard
+
+From: Mike Snitzer
+
+commit 722d90822321497e2837cfc9000202e256e6b32f upstream.
+
+issue_discard() passes GFP_NOWAIT to __blkdev_issue_discard() despite
+its code assuming bio_alloc() always succeeds.
+
+Commit 3dba53a958a75 ("dm thin: use __blkdev_issue_discard for async
+discard support") clearly shows where things went bad:
+
+Before commit 3dba53a958a75, dm-thin.c's open-coded
+__blkdev_issue_discard_async() properly handled using GFP_NOWAIT.
+Unfortunately __blkdev_issue_discard() doesn't and it was missed
+during review.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-thin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -399,8 +399,7 @@ static int issue_discard(struct discard_
+ sector_t s = block_to_sectors(tc->pool, data_b);
+ sector_t len = block_to_sectors(tc->pool, data_e - data_b);
+
+- return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOWAIT,
+- &op->bio);
++ return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOIO, &op->bio);
+ }
+
+ static void end_discard(struct discard_op *op, int r)
diff --git a/queue-6.3/dm-thin-metadata-check-fail_io-before-using-data_sm.patch b/queue-6.3/dm-thin-metadata-check-fail_io-before-using-data_sm.patch
new file mode 100644
index 00000000000..72d5b62344f
--- /dev/null
+++ b/queue-6.3/dm-thin-metadata-check-fail_io-before-using-data_sm.patch
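Review bot: The switch to `GFP_NOIO` in `issue_discard()` makes the bio allocation blocking, but nothing at the call site records why the mask must not be a non-blocking one. A one-line comment above the call would keep a later cleanup from reverting it, e.g. `/* __blkdev_issue_discard() does not handle bio_alloc() failure, so the mask must allow blocking */`. Whether every caller of `issue_discard()` runs in a context that may sleep is not visible in this hunk and is worth confirming. The function begins outside the hunk.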
@@ -0,0 +1,101 @@
+From cb65b282c9640c27d3129e2e04b711ce1b352838 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng
+Date: Tue, 6 Jun 2023 20:20:24 +0800
+Subject: dm thin metadata: check fail_io before using data_sm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Lingfeng
+
+commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream.
+
+Must check pmd->fail_io before using pmd->data_sm since
+pmd->data_sm may be destroyed by other processes.
+
+ P1(kworker) P2(message)
+do_worker
+ process_prepared
+ process_prepared_discard_passdown_pt2
+ dm_pool_dec_data_range
+ pool_message
+ commit
+ dm_pool_commit_metadata
+ ↓
+ // commit failed
+ metadata_operation_failed
+ abort_transaction
+ dm_pool_abort_metadata
+ __open_or_format_metadata
+ ↓
+ dm_sm_disk_open
+ ↓
+ // open failed
+ // pmd->data_sm is NULL
+ dm_sm_dec_blocks
+ ↓
+ // try to access pmd->data_sm --> UAF
+
+As shown above, if dm_pool_commit_metadata() and
+dm_pool_abort_metadata() fail in pool_message process, kworker may
+trigger UAF.
+
+Fixes: be500ed721a6 ("dm space maps: improve performance with inc/dec on ranges of blocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Lingfeng
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-thin-metadata.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1756,13 +1756,15 @@ int dm_thin_remove_range(struct dm_thin_
+
+ int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
+ {
+- int r;
++ int r = -EINVAL;
+ uint32_t ref_count;
+
+ down_read(&pmd->root_lock);
+- r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
+- if (!r)
+- *result = (ref_count > 1);
++ if (!pmd->fail_io) {
++ r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
++ if (!r)
++ *result = (ref_count > 1);
++ }
+ up_read(&pmd->root_lock);
+
+ return r;
+@@ -1770,10 +1772,11 @@ int dm_pool_block_is_shared(struct dm_po
+
+ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+- int r = 0;
++ int r = -EINVAL;
+
+ pmd_write_lock(pmd);
+- r = dm_sm_inc_blocks(pmd->data_sm, b, e);
++ if (!pmd->fail_io)
++ r = dm_sm_inc_blocks(pmd->data_sm, b, e);
+ pmd_write_unlock(pmd);
+
+ return r;
+@@ -1781,10 +1784,11 @@ int dm_pool_inc_data_range(struct dm_poo
+
+ int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+- int r = 0;
++ int r = -EINVAL;
+
+ pmd_write_lock(pmd);
+- r = dm_sm_dec_blocks(pmd->data_sm, b, e);
++ if (!pmd->fail_io)
++ r = dm_sm_dec_blocks(pmd->data_sm, b, e);
+ pmd_write_unlock(pmd);
+
+ return r;
diff --git a/queue-6.3/drm-amd-display-edp-do-not-add-non-edid-timings.patch b/queue-6.3/drm-amd-display-edp-do-not-add-non-edid-timings.patch
new file mode 100644
index 00000000000..ec20a1c623f
--- /dev/null
+++ b/queue-6.3/drm-amd-display-edp-do-not-add-non-edid-timings.patch
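Review bot: `dm_pool_block_is_shared()` now returns `-EINVAL` without writing `*result` when `pmd->fail_io` is set, so a caller that ignores the return value would act on an unset flag; the callers are outside the hunk and should be checked. The same guard is added to `dm_pool_inc_data_range()` and `dm_pool_dec_data_range()`. It closes the use-after-free only if `fail_io` is set under the same lock before `pmd->data_sm` is torn down, which this hunk does not show. A comment on the guard would record that dependency, e.g. `/* data_sm may already be gone after a failed abort; fail_io must be tested under the lock */`.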
@@ -0,0 +1,45 @@
+From e749dd10e5f292061ad63d2b030194bf7d7d452c Mon Sep 17 00:00:00 2001
+From: Hersen Wu
+Date: Thu, 25 May 2023 08:37:40 -0400
+Subject: drm/amd/display: edp do not add non-edid timings
+
+From: Hersen Wu
+
+commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream.
+
+[Why] most edp support only timings from edid. applying
+non-edid timings, especially those timings out of edp
+bandwidth, may damage edp.
+
+[How] do not add non-edid timings for edp.
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org
+Acked-by: Stylon Wang
+Signed-off-by: Hersen Wu
+Reviewed-by: Roman Li
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7170,7 +7170,13 @@ static int amdgpu_dm_connector_get_modes
+ drm_add_modes_noedid(connector, 640, 480);
+ } else {
+ amdgpu_dm_connector_ddc_get_modes(connector, edid);
+- amdgpu_dm_connector_add_common_modes(encoder, connector);
++ /* most eDP supports only timings from its edid,
++ * usually only detailed timings are available
++ * from eDP edid. timings which are not from edid
++ * may damage eDP
++ */
++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP)
++ amdgpu_dm_connector_add_common_modes(encoder, connector);
+ amdgpu_dm_connector_add_freesync_modes(connector, edid);
+ }
+ amdgpu_dm_fbc_init(connector);
diff --git a/queue-6.3/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch b/queue-6.3/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch
new file mode 100644
index 00000000000..f8c490baaa1
--- /dev/null
+++ b/queue-6.3/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch
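Review bot: The new eDP test skips only `amdgpu_dm_connector_add_common_modes()`, while `amdgpu_dm_connector_add_freesync_modes(connector, edid)` on the following line still runs for eDP panels. If those freesync modes are derived rather than taken unchanged from the EDID (their construction is outside the hunk), the concern stated in the new comment applies to them as well. Either the guard should cover that call too, or the comment should say why it is exempt, e.g. `/* freesync modes are still added for eDP: <reason> */`. The function begins and ends outside the hunk.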
@@ -0,0 +1,43 @@
+From 7c5835bcb9176df94683396f1c0e5df6bf5094b3 Mon Sep 17 00:00:00 2001
+From: Peichen Huang
+Date: Wed, 31 May 2023 13:36:14 +0800
+Subject: drm/amd/display: limit DPIA link rate to HBR3
+
+From: Peichen Huang
+
+commit 7c5835bcb9176df94683396f1c0e5df6bf5094b3 upstream.
+
+[Why]
+DPIA doesn't support UHBR, driver should not enable UHBR
+for dp tunneling
+
+[How]
+limit DPIA link rate to HBR3
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org
+Acked-by: Stylon Wang
+Signed-off-by: Peichen Huang
+Reviewed-by: Mustapha Ghaddar
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/link/link_detection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/link/link_detection.c
++++ b/drivers/gpu/drm/amd/display/dc/link/link_detection.c
+@@ -980,6 +980,11 @@ static bool detect_link_and_local_sink(s
+ (link->dpcd_caps.dongle_type !=
+ DISPLAY_DONGLE_DP_HDMI_CONVERTER))
+ converter_disable_audio = true;
++
++ /* limited link rate to HBR3 for DPIA until we implement USB4 V2 */
++ if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA &&
++ link->reported_link_cap.link_rate > LINK_RATE_HIGH3)
++ link->reported_link_cap.link_rate = LINK_RATE_HIGH3;
+ break;
+ }
+
diff --git a/queue-6.3/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch b/queue-6.3/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch
new file mode 100644
index 00000000000..6412fa7d7b4
--- /dev/null
+++ b/queue-6.3/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch
@@ -0,0 +1,43 @@
+From 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 7 Jun 2023 01:41:22 -0500
+Subject: drm/amd: Make sure image is written to trigger VBIOS image update flow
+
+From: Mario Limonciello
+
+commit 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 upstream.
+
+The VBIOS image update flow requires userspace to:
+1) Write the image to `psp_vbflash`
+2) Read `psp_vbflash`
+3) Poll `psp_vbflash_status` to check for completion
+
+If userspace reads `psp_vbflash` before writing an image, it's
+possible that it causes problems that can put the dGPU into an invalid
+state.
+
+Explicitly check that an image has been written before letting a read
+succeed.
+
+Cc: stable@vger.kernel.org
+Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support")
+Reviewed-by: Alex Deucher
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -3538,6 +3538,9 @@ static ssize_t amdgpu_psp_vbflash_read(s
+ void *fw_pri_cpu_addr;
+ int ret;
+
++ if (adev->psp.vbflash_image_size == 0)
++ return -EINVAL;
++
+ dev_info(adev->dev, "VBIOS flash to PSP started");
+
+ ret = amdgpu_bo_create_kernel(adev, adev->psp.vbflash_image_size,
diff --git a/queue-6.3/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch b/queue-6.3/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch
new file mode 100644
index 00000000000..a850fe67c91
--- /dev/null
+++ b/queue-6.3/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch
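Review bot: The new `adev->psp.vbflash_image_size == 0` test in `amdgpu_psp_vbflash_read()` is made with no lock visible in the hunk. A read racing with the write handler could therefore pass the check while the image is still being staged, or see the size change before `amdgpu_bo_create_kernel()` uses it. If the two handlers are not serialised elsewhere (not visible here), the check and the flash should run under the same mutex as the write. A comment would also state what a zero size means, e.g. `/* no image has been written yet: refuse to start the flash */`. The function continues outside the hunk.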
@@ -0,0 +1,69 @@ +From 7ca302d488f80cf4529620acc1c545f9022d8bb8 Mon Sep 17 00:00:00 2001 +From: Kenneth Feng +Date: Thu, 8 Jun 2023 22:07:11 +0800 +Subject: drm/amd/pm: workaround for compute workload type on some skus + +From: Kenneth Feng + +commit 7ca302d488f80cf4529620acc1c545f9022d8bb8 upstream. + +On smu 13.0.0, the compute workload type cannot be set on all the skus +due to some other problems. This workaround is to make sure compute workload type +can also run on some specific skus. + +v2: keep the variable consistent + +Signed-off-by: Kenneth Feng +Acked-by: Lijo Lazar +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 33 +++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -1694,10 +1694,39 @@ static int smu_v13_0_0_set_power_profile + } + } + +- /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */ +- workload_type = smu_cmn_to_asic_specific_index(smu, ++ if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_COMPUTE && ++ (((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xC8)) || ++ ((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xCC)))) { ++ ret = smu_cmn_update_table(smu, ++ SMU_TABLE_ACTIVITY_MONITOR_COEFF, ++ WORKLOAD_PPLIB_COMPUTE_BIT, ++ (void *)(&activity_monitor_external), ++ false); ++ if (ret) { ++ dev_err(smu->adev->dev, "[%s] Failed to get activity monitor!", __func__); ++ return ret; ++ } ++ ++ ret = smu_cmn_update_table(smu, ++ SMU_TABLE_ACTIVITY_MONITOR_COEFF, ++ WORKLOAD_PPLIB_CUSTOM_BIT, ++ (void *)(&activity_monitor_external), ++ true); ++ if (ret) { ++ dev_err(smu->adev->dev, "[%s] Failed to set activity monitor!", __func__); ++ return ret; ++ } ++ ++ workload_type = smu_cmn_to_asic_specific_index(smu, ++ 
CMN2ASIC_MAPPING_WORKLOAD, ++ PP_SMC_POWER_PROFILE_CUSTOM); ++ } else { ++ /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */ ++ workload_type = smu_cmn_to_asic_specific_index(smu, + CMN2ASIC_MAPPING_WORKLOAD, + smu->power_profile_mode); ++ } ++ + if (workload_type < 0) + return -EINVAL; + diff --git a/queue-6.3/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch b/queue-6.3/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch new file mode 100644 index 00000000000..386fc7f1255 --- /dev/null +++ b/queue-6.3/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch 
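Review bot: The SKU test at the top of the added block repeats `device == 0x744C` in both arms and leaves the device and revision IDs as bare literals. The same condition can be written as `smu->adev->pdev->device == 0x744C && (smu->adev->pdev->revision == 0xC8 || smu->adev->pdev->revision == 0xCC)`, and a comment naming the affected SKUs would explain the numbers. The two new `dev_err()` format strings also lack a trailing `\n`. `activity_monitor_external` is used to read the COMPUTE table and write it back to the CUSTOM slot; its declaration and earlier use are outside the hunk, so whether overwriting it here is safe cannot be confirmed from the visible lines.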
@@ -0,0 +1,41 @@
+From 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 7 Jun 2023 01:45:20 -0500
+Subject: drm/amd: Tighten permissions on VBIOS flashing attributes
+
+From: Mario Limonciello
+
+commit 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 upstream.
+
+Non-root users shouldn't be able to try to trigger a VBIOS flash
+or query the flashing status. This should be reserved for users with the
+appropriate permissions.
+
+Cc: stable@vger.kernel.org
+Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support")
+Reviewed-by: Alex Deucher
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -3592,13 +3592,13 @@ static ssize_t amdgpu_psp_vbflash_status
+ }
+
+ static const struct bin_attribute psp_vbflash_bin_attr = {
+- .attr = {.name = "psp_vbflash", .mode = 0664},
++ .attr = {.name = "psp_vbflash", .mode = 0660},
+ .size = 0,
+ .write = amdgpu_psp_vbflash_write,
+ .read = amdgpu_psp_vbflash_read,
+ };
+
+-static DEVICE_ATTR(psp_vbflash_status, 0444, amdgpu_psp_vbflash_status, NULL);
++static DEVICE_ATTR(psp_vbflash_status, 0440, amdgpu_psp_vbflash_status, NULL);
+
+ int amdgpu_psp_sysfs_init(struct amdgpu_device *adev)
+ {
diff --git a/queue-6.3/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch b/queue-6.3/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
new file mode 100644
index 00000000000..e5cc36ed37e
--- /dev/null
+++ b/queue-6.3/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
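Review bot: Modes `0660` on `psp_vbflash` and `0440` on `psp_vbflash_status` remove access for "other" but still grant it to the file's group, while the commit message reserves flashing for privileged users. `0600` and `0400` would express that directly. The practical difference is small while the attributes stay owned by root:root, but it matters as soon as group ownership is changed by local policy. The mode bits are also the only gate visible in this hunk: the read, write and status handlers are outside it, so whether they make any capability check of their own cannot be confirmed here.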
@@ -0,0 +1,35 @@
+From e61f67749b351c19455ce3085af2ae9af80023bc Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Tue, 6 Jun 2023 11:14:04 -0400
+Subject: drm/amdgpu: add missing radeon secondary PCI ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher
+
+commit e61f67749b351c19455ce3085af2ae9af80023bc upstream.
+
+0x5b70 is a missing RV370 secondary id. Add it so
+we don't try and probe it with amdgpu.
+
+Cc: michel@daenzer.net
+Reviewed-by: Michel Dänzer
+Tested-by: Michel Dänzer
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1623,6 +1623,7 @@ static const u16 amdgpu_unsupported_pcii
+ 0x5874,
+ 0x5940,
+ 0x5941,
++ 0x5b70,
+ 0x5b72,
+ 0x5b73,
+ 0x5b74,
diff --git a/queue-6.3/drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch b/queue-6.3/drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch
new file mode 100644
index 00000000000..8ea10fbe684
--- /dev/null
+++ b/queue-6.3/drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch
@@ -0,0 +1,134 @@ +From 5b711e7f9c73e5ff44d6ac865711d9a05c2a0360 Mon Sep 17 00:00:00 2001 +From: Jiadong Zhu +Date: Thu, 25 May 2023 18:42:15 +0800 +Subject: drm/amdgpu: Implement gfx9 patch functions for resubmission + +From: Jiadong Zhu + +commit 5b711e7f9c73e5ff44d6ac865711d9a05c2a0360 upstream. + +Patch the packages including CONTEXT_CONTROL and WRITE_DATA for gfx9 +during the resubmission scenario. + +Signed-off-by: Jiadong Zhu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.3.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 80 ++++++++++++++++++++++++++++++++++ + 1 file changed, 80 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -5136,9 +5136,83 @@ static void gfx_v9_0_ring_emit_ib_gfx(st + #endif + lower_32_bits(ib->gpu_addr)); + amdgpu_ring_write(ring, upper_32_bits(ib->gpu_addr)); ++ amdgpu_ring_ib_on_emit_cntl(ring); + amdgpu_ring_write(ring, control); + } + ++static void gfx_v9_0_ring_patch_cntl(struct amdgpu_ring *ring, ++ unsigned offset) ++{ ++ u32 control = ring->ring[offset]; ++ ++ control |= INDIRECT_BUFFER_PRE_RESUME(1); ++ ring->ring[offset] = control; ++} ++ ++static void gfx_v9_0_ring_patch_ce_meta(struct amdgpu_ring *ring, ++ unsigned offset) ++{ ++ struct amdgpu_device *adev = ring->adev; ++ void *ce_payload_cpu_addr; ++ uint64_t payload_offset, payload_size; ++ ++ payload_size = sizeof(struct v9_ce_ib_state); ++ ++ if (ring->is_mes_queue) { ++ payload_offset = offsetof(struct amdgpu_mes_ctx_meta_data, ++ gfx[0].gfx_meta_data) + ++ offsetof(struct v9_gfx_meta_data, ce_payload); ++ ce_payload_cpu_addr = ++ amdgpu_mes_ctx_get_offs_cpu_addr(ring, payload_offset); ++ } else { ++ payload_offset = offsetof(struct v9_gfx_meta_data, ce_payload); ++ ce_payload_cpu_addr = adev->virt.csa_cpu_addr + payload_offset; ++ } ++ ++ if (offset + (payload_size >> 2) <= ring->buf_mask + 1) { ++ memcpy((void *)&ring->ring[offset], 
ce_payload_cpu_addr, payload_size); ++ } else { ++ memcpy((void *)&ring->ring[offset], ce_payload_cpu_addr, ++ (ring->buf_mask + 1 - offset) << 2); ++ payload_size -= (ring->buf_mask + 1 - offset) << 2; ++ memcpy((void *)&ring->ring[0], ++ ce_payload_cpu_addr + ((ring->buf_mask + 1 - offset) << 2), ++ payload_size); ++ } ++} ++ ++static void gfx_v9_0_ring_patch_de_meta(struct amdgpu_ring *ring, ++ unsigned offset) ++{ ++ struct amdgpu_device *adev = ring->adev; ++ void *de_payload_cpu_addr; ++ uint64_t payload_offset, payload_size; ++ ++ payload_size = sizeof(struct v9_de_ib_state); ++ ++ if (ring->is_mes_queue) { ++ payload_offset = offsetof(struct amdgpu_mes_ctx_meta_data, ++ gfx[0].gfx_meta_data) + ++ offsetof(struct v9_gfx_meta_data, de_payload); ++ de_payload_cpu_addr = ++ amdgpu_mes_ctx_get_offs_cpu_addr(ring, payload_offset); ++ } else { ++ payload_offset = offsetof(struct v9_gfx_meta_data, de_payload); ++ de_payload_cpu_addr = adev->virt.csa_cpu_addr + payload_offset; ++ } ++ ++ if (offset + (payload_size >> 2) <= ring->buf_mask + 1) { ++ memcpy((void *)&ring->ring[offset], de_payload_cpu_addr, payload_size); ++ } else { ++ memcpy((void *)&ring->ring[offset], de_payload_cpu_addr, ++ (ring->buf_mask + 1 - offset) << 2); ++ payload_size -= (ring->buf_mask + 1 - offset) << 2; ++ memcpy((void *)&ring->ring[0], ++ de_payload_cpu_addr + ((ring->buf_mask + 1 - offset) << 2), ++ payload_size); ++ } ++} ++ + static void gfx_v9_0_ring_emit_ib_compute(struct amdgpu_ring *ring, + struct amdgpu_job *job, + struct amdgpu_ib *ib, +@@ -5334,6 +5408,8 @@ static void gfx_v9_0_ring_emit_ce_meta(s + amdgpu_ring_write(ring, lower_32_bits(ce_payload_gpu_addr)); + amdgpu_ring_write(ring, upper_32_bits(ce_payload_gpu_addr)); + ++ amdgpu_ring_ib_on_emit_ce(ring); ++ + if (resume) + amdgpu_ring_write_multiple(ring, ce_payload_cpu_addr, + sizeof(ce_payload) >> 2); +@@ -5445,6 +5521,7 @@ static void gfx_v9_0_ring_emit_de_meta(s + amdgpu_ring_write(ring, 
lower_32_bits(de_payload_gpu_addr)); + amdgpu_ring_write(ring, upper_32_bits(de_payload_gpu_addr)); + ++ amdgpu_ring_ib_on_emit_de(ring); + if (resume) + amdgpu_ring_write_multiple(ring, de_payload_cpu_addr, + sizeof(de_payload) >> 2); +@@ -6857,6 +6934,9 @@ static const struct amdgpu_ring_funcs gf + .emit_reg_write_reg_wait = gfx_v9_0_ring_emit_reg_write_reg_wait, + .soft_recovery = gfx_v9_0_ring_soft_recovery, + .emit_mem_sync = gfx_v9_0_emit_mem_sync, ++ .patch_cntl = gfx_v9_0_ring_patch_cntl, ++ .patch_de = gfx_v9_0_ring_patch_de_meta, ++ .patch_ce = gfx_v9_0_ring_patch_ce_meta, + }; + + static const struct amdgpu_ring_funcs gfx_v9_0_ring_funcs_compute = { diff --git a/queue-6.3/drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch b/queue-6.3/drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch new file mode 100644 index 00000000000..ab6bc9ee60b --- /dev/null +++ b/queue-6.3/drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch 
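Review bot: `gfx_v9_0_ring_patch_ce_meta()` and `gfx_v9_0_ring_patch_de_meta()` are identical apart from the payload struct and member, including the wrap-around `memcpy` pair, so a later fix to the ring-wrap arithmetic in one can miss the other. A shared helper taking the payload pointer and size would keep that arithmetic in one place. None of the three new patch functions checks `offset` against `ring->buf_mask` before indexing `ring->ring[]`. They rely on the caller having validated it, which is worth stating in a comment because the callers are not part of this file's hunks.

```c
/* Copy @payload_size bytes into the ring at dword @offset, wrapping at the ring end.
 * The caller must have checked that @offset <= ring->buf_mask.
 */
static void gfx_v9_0_ring_patch_meta(struct amdgpu_ring *ring, unsigned offset,
				     void *payload, uint64_t payload_size)
{
	if (offset + (payload_size >> 2) <= ring->buf_mask + 1) {
		memcpy((void *)&ring->ring[offset], payload, payload_size);
	} else {
		/* bytes that still fit before the end of the ring */
		uint64_t first = (ring->buf_mask + 1 - offset) << 2;

		memcpy((void *)&ring->ring[offset], payload, first);
		memcpy((void *)&ring->ring[0], payload + first,
		       payload_size - first);
	}
}

static void gfx_v9_0_ring_patch_ce_meta(struct amdgpu_ring *ring,
					unsigned offset)
{
	/* … unchanged: ce_payload_cpu_addr lookup for MES and non-MES queues … */
	gfx_v9_0_ring_patch_meta(ring, offset, ce_payload_cpu_addr,
				 sizeof(struct v9_ce_ib_state));
}

static void gfx_v9_0_ring_patch_de_meta(struct amdgpu_ring *ring,
					unsigned offset)
{
	/* … unchanged: de_payload_cpu_addr lookup for MES and non-MES queues … */
	gfx_v9_0_ring_patch_meta(ring, offset, de_payload_cpu_addr,
				 sizeof(struct v9_de_ib_state));
}
```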
@@ -0,0 +1,223 @@ +From 87af86ae89963c227a3beb4d914f3dc7959a690e Mon Sep 17 00:00:00 2001 +From: Jiadong Zhu +Date: Thu, 25 May 2023 16:52:55 +0800 +Subject: drm/amdgpu: Modify indirect buffer packages for resubmission + +From: Jiadong Zhu + +commit 87af86ae89963c227a3beb4d914f3dc7959a690e upstream. + +When the preempted IB frame resubmitted to cp, we need to modify the frame +data including: +1. set PRE_RESUME 1 in CONTEXT_CONTROL. +2. use meta data(DE and CE) read from CSA in WRITE_DATA. + +Add functions to save the location the first time IBs emitted and callback +to patch the package when resubmission happens. + +Signed-off-by: Jiadong Zhu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.3.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 18 ++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 9 ++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c | 60 +++++++++++++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h | 15 ++++++ + 4 files changed, 102 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -581,3 +581,21 @@ void amdgpu_ring_ib_end(struct amdgpu_ri + if (ring->is_sw_ring) + amdgpu_sw_ring_ib_end(ring); + } ++ ++void amdgpu_ring_ib_on_emit_cntl(struct amdgpu_ring *ring) ++{ ++ if (ring->is_sw_ring) ++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_CONTROL); ++} ++ ++void amdgpu_ring_ib_on_emit_ce(struct amdgpu_ring *ring) ++{ ++ if (ring->is_sw_ring) ++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_CE); ++} ++ ++void amdgpu_ring_ib_on_emit_de(struct amdgpu_ring *ring) ++{ ++ if (ring->is_sw_ring) ++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_DE); ++} +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h +@@ -227,6 +227,9 @@ struct amdgpu_ring_funcs { + int (*preempt_ib)(struct amdgpu_ring *ring); + void 
(*emit_mem_sync)(struct amdgpu_ring *ring); + void (*emit_wave_limit)(struct amdgpu_ring *ring, bool enable); ++ void (*patch_cntl)(struct amdgpu_ring *ring, unsigned offset); ++ void (*patch_ce)(struct amdgpu_ring *ring, unsigned offset); ++ void (*patch_de)(struct amdgpu_ring *ring, unsigned offset); + }; + + struct amdgpu_ring { +@@ -316,10 +319,16 @@ struct amdgpu_ring { + #define amdgpu_ring_init_cond_exec(r) (r)->funcs->init_cond_exec((r)) + #define amdgpu_ring_patch_cond_exec(r,o) (r)->funcs->patch_cond_exec((r),(o)) + #define amdgpu_ring_preempt_ib(r) (r)->funcs->preempt_ib(r) ++#define amdgpu_ring_patch_cntl(r, o) ((r)->funcs->patch_cntl((r), (o))) ++#define amdgpu_ring_patch_ce(r, o) ((r)->funcs->patch_ce((r), (o))) ++#define amdgpu_ring_patch_de(r, o) ((r)->funcs->patch_de((r), (o))) + + int amdgpu_ring_alloc(struct amdgpu_ring *ring, unsigned ndw); + void amdgpu_ring_ib_begin(struct amdgpu_ring *ring); + void amdgpu_ring_ib_end(struct amdgpu_ring *ring); ++void amdgpu_ring_ib_on_emit_cntl(struct amdgpu_ring *ring); ++void amdgpu_ring_ib_on_emit_ce(struct amdgpu_ring *ring); ++void amdgpu_ring_ib_on_emit_de(struct amdgpu_ring *ring); + + void amdgpu_ring_insert_nop(struct amdgpu_ring *ring, uint32_t count); + void amdgpu_ring_generic_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c +@@ -105,6 +105,16 @@ static void amdgpu_mux_resubmit_chunks(s + amdgpu_fence_update_start_timestamp(e->ring, + chunk->sync_seq, + ktime_get()); ++ if (chunk->sync_seq == ++ le32_to_cpu(*(e->ring->fence_drv.cpu_addr + 2))) { ++ if (chunk->cntl_offset <= e->ring->buf_mask) ++ amdgpu_ring_patch_cntl(e->ring, ++ chunk->cntl_offset); ++ if (chunk->ce_offset <= e->ring->buf_mask) ++ amdgpu_ring_patch_ce(e->ring, chunk->ce_offset); ++ if (chunk->de_offset <= e->ring->buf_mask) ++ amdgpu_ring_patch_de(e->ring, chunk->de_offset); ++ } + 
amdgpu_ring_mux_copy_pkt_from_sw_ring(mux, e->ring, + chunk->start, + chunk->end); +@@ -407,6 +417,17 @@ void amdgpu_sw_ring_ib_end(struct amdgpu + amdgpu_ring_mux_end_ib(mux, ring); + } + ++void amdgpu_sw_ring_ib_mark_offset(struct amdgpu_ring *ring, enum amdgpu_ring_mux_offset_type type) ++{ ++ struct amdgpu_device *adev = ring->adev; ++ struct amdgpu_ring_mux *mux = &adev->gfx.muxer; ++ unsigned offset; ++ ++ offset = ring->wptr & ring->buf_mask; ++ ++ amdgpu_ring_mux_ib_mark_offset(mux, ring, offset, type); ++} ++ + void amdgpu_ring_mux_start_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring) + { + struct amdgpu_mux_entry *e; +@@ -429,6 +450,10 @@ void amdgpu_ring_mux_start_ib(struct amd + } + + chunk->start = ring->wptr; ++ /* the initialized value used to check if they are set by the ib submission*/ ++ chunk->cntl_offset = ring->buf_mask + 1; ++ chunk->de_offset = ring->buf_mask + 1; ++ chunk->ce_offset = ring->buf_mask + 1; + list_add_tail(&chunk->entry, &e->list); + } + +@@ -454,6 +479,41 @@ static void scan_and_remove_signaled_chu + } + } + ++void amdgpu_ring_mux_ib_mark_offset(struct amdgpu_ring_mux *mux, ++ struct amdgpu_ring *ring, u64 offset, ++ enum amdgpu_ring_mux_offset_type type) ++{ ++ struct amdgpu_mux_entry *e; ++ struct amdgpu_mux_chunk *chunk; ++ ++ e = amdgpu_ring_mux_sw_entry(mux, ring); ++ if (!e) { ++ DRM_ERROR("cannot find entry!\n"); ++ return; ++ } ++ ++ chunk = list_last_entry(&e->list, struct amdgpu_mux_chunk, entry); ++ if (!chunk) { ++ DRM_ERROR("cannot find chunk!\n"); ++ return; ++ } ++ ++ switch (type) { ++ case AMDGPU_MUX_OFFSET_TYPE_CONTROL: ++ chunk->cntl_offset = offset; ++ break; ++ case AMDGPU_MUX_OFFSET_TYPE_DE: ++ chunk->de_offset = offset; ++ break; ++ case AMDGPU_MUX_OFFSET_TYPE_CE: ++ chunk->ce_offset = offset; ++ break; ++ default: ++ DRM_ERROR("invalid type (%d)\n", type); ++ break; ++ } ++} ++ + void amdgpu_ring_mux_end_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring) + { + struct amdgpu_mux_entry 
*e; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h +@@ -50,6 +50,12 @@ struct amdgpu_mux_entry { + struct list_head list; + }; + ++enum amdgpu_ring_mux_offset_type { ++ AMDGPU_MUX_OFFSET_TYPE_CONTROL, ++ AMDGPU_MUX_OFFSET_TYPE_DE, ++ AMDGPU_MUX_OFFSET_TYPE_CE, ++}; ++ + struct amdgpu_ring_mux { + struct amdgpu_ring *real_ring; + +@@ -72,12 +78,18 @@ struct amdgpu_ring_mux { + * @sync_seq: the fence seqno related with the saved IB. + * @start:- start location on the software ring. + * @end:- end location on the software ring. ++ * @control_offset:- the PRE_RESUME bit position used for resubmission. ++ * @de_offset:- the anchor in write_data for de meta of resubmission. ++ * @ce_offset:- the anchor in write_data for ce meta of resubmission. + */ + struct amdgpu_mux_chunk { + struct list_head entry; + uint32_t sync_seq; + u64 start; + u64 end; ++ u64 cntl_offset; ++ u64 de_offset; ++ u64 ce_offset; + }; + + int amdgpu_ring_mux_init(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring, +@@ -89,6 +101,8 @@ u64 amdgpu_ring_mux_get_wptr(struct amdg + u64 amdgpu_ring_mux_get_rptr(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring); + void amdgpu_ring_mux_start_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring); + void amdgpu_ring_mux_end_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring); ++void amdgpu_ring_mux_ib_mark_offset(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring, ++ u64 offset, enum amdgpu_ring_mux_offset_type type); + bool amdgpu_mcbp_handle_trailing_fence_irq(struct amdgpu_ring_mux *mux); + + u64 amdgpu_sw_ring_get_rptr_gfx(struct amdgpu_ring *ring); +@@ -97,6 +111,7 @@ void amdgpu_sw_ring_set_wptr_gfx(struct + void amdgpu_sw_ring_insert_nop(struct amdgpu_ring *ring, uint32_t count); + void amdgpu_sw_ring_ib_begin(struct amdgpu_ring *ring); + void amdgpu_sw_ring_ib_end(struct amdgpu_ring *ring); ++void amdgpu_sw_ring_ib_mark_offset(struct amdgpu_ring *ring, enum 
amdgpu_ring_mux_offset_type type); + const char *amdgpu_sw_ring_name(int idx); + unsigned int amdgpu_sw_ring_priority(int idx); + diff --git a/queue-6.3/drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch b/queue-6.3/drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch new file mode 100644 index 00000000000..842e1a807dd --- /dev/null +++ b/queue-6.3/drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch 
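Review bot: In `amdgpu_ring_mux_ib_mark_offset()` the `if (!chunk)` test after `list_last_entry()` can never fire, because `list_last_entry()` returns a pointer computed from the list head rather than NULL when the list is empty. With an empty `e->list`, the following `chunk->cntl_offset = offset` (or the de/ce variants) would write into memory that is not a chunk. Testing `if (list_empty(&e->list))` before the `list_last_entry()` call gives the check the meaning its error message claims. Separately, the kernel-doc added to `struct amdgpu_mux_chunk` documents `@control_offset` while the field is named `cntl_offset`. The new `amdgpu_ring_patch_cntl`/`_ce`/`_de` macros also call through `funcs` with no NULL test, so every ring that can reach `amdgpu_mux_resubmit_chunks()` has to provide the callbacks; the ring types involved are not visible here.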
@@ -0,0 +1,64 @@ +From 94034b306ddde4a4a9c1a597ae7f61f04b710dc7 Mon Sep 17 00:00:00 2001 +From: Jiadong Zhu +Date: Wed, 24 May 2023 16:51:32 +0800 +Subject: drm/amdgpu: Program gds backup address as zero if no gds allocated + +From: Jiadong Zhu + +commit 94034b306ddde4a4a9c1a597ae7f61f04b710dc7 upstream. + +It is firmware requirement to set gds_backup_addrlo and gds_backup_addrhi +of DE meta both zero if no gds partition is allocated for the frame. + +Signed-off-by: Jiadong Zhu +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.3.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -755,7 +755,7 @@ static void gfx_v9_0_set_rlc_funcs(struc + static int gfx_v9_0_get_cu_info(struct amdgpu_device *adev, + struct amdgpu_cu_info *cu_info); + static uint64_t gfx_v9_0_get_gpu_clock_counter(struct amdgpu_device *adev); +-static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume); ++static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume, bool usegds); + static u64 gfx_v9_0_ring_get_rptr_compute(struct amdgpu_ring *ring); + static void gfx_v9_0_query_ras_error_count(struct amdgpu_device *adev, + void *ras_error_status); +@@ -5124,7 +5124,8 @@ static void gfx_v9_0_ring_emit_ib_gfx(st + gfx_v9_0_ring_emit_de_meta(ring, + (!amdgpu_sriov_vf(ring->adev) && + flags & AMDGPU_IB_PREEMPTED) ? 
+- true : false); ++ true : false, ++ job->gds_size > 0 && job->gds_base != 0); + } + + amdgpu_ring_write(ring, header); +@@ -5399,7 +5400,7 @@ static int gfx_v9_0_ring_preempt_ib(stru + return r; + } + +-static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume) ++static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume, bool usegds) + { + struct amdgpu_device *adev = ring->adev; + struct v9_de_ib_state de_payload = {0}; +@@ -5430,8 +5431,10 @@ static void gfx_v9_0_ring_emit_de_meta(s + PAGE_SIZE); + } + +- de_payload.gds_backup_addrlo = lower_32_bits(gds_addr); +- de_payload.gds_backup_addrhi = upper_32_bits(gds_addr); ++ if (usegds) { ++ de_payload.gds_backup_addrlo = lower_32_bits(gds_addr); ++ de_payload.gds_backup_addrhi = upper_32_bits(gds_addr); ++ } + + cnt = (sizeof(de_payload) >> 2) + 4 - 2; + amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, cnt)); diff --git a/queue-6.3/drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch b/queue-6.3/drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch new file mode 100644 index 00000000000..03baf97fbdb --- /dev/null +++ b/queue-6.3/drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch 
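Review bot: The new third argument `job->gds_size > 0 && job->gds_base != 0` in `gfx_v9_0_ring_emit_ib_gfx()` dereferences `job` unconditionally. If this branch can be reached with a NULL job (the enclosing condition is outside the hunk), that is a NULL pointer dereference, and `job && job->gds_size > 0 && job->gds_base != 0` would be the safe form. In `gfx_v9_0_ring_emit_de_meta()` the zero backup address for the `!usegds` case comes only from the `= {0}` initialiser of `de_payload`. A comment would record that this is deliberate, e.g. `/* firmware requires a zero GDS backup address when no GDS is allocated */`. Both functions begin or end outside the hunks shown.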
@@ -0,0 +1,53 @@ +From 1dbcf770cc2d15baf8a1e8174d6fd014a68b45ca Mon Sep 17 00:00:00 2001 +From: Jiadong Zhu +Date: Wed, 24 May 2023 11:42:19 +0800 +Subject: drm/amdgpu: Reset CP_VMID_PREEMPT after trailing fence signaled + +From: Jiadong Zhu + +commit 1dbcf770cc2d15baf8a1e8174d6fd014a68b45ca upstream. + +When MEC executes unmap_queue for mid command buffer preemption, it will +kick the write pointer of the gfx ring, set CP_VMID_PREEMPT to trigger the +preemption and wait for CP_VMID_PREEMPT becomes zero after the preemption +done. There is a race condition that PFP may excute the resetting command +before MEC set CP_VMID_PREEMPT. As a result, hang happens as +CP_VMID_PREEMPT is always 0xffff. + +To avoid this, we send resetting CP_VMID_PREEMPT command after the trailing +fence is siganled and update gfx write pointer explicitly. + +Signed-off-by: Jiadong Zhu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.3.x +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2535 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -5366,10 +5366,6 @@ static int gfx_v9_0_ring_preempt_ib(stru + amdgpu_ring_alloc(ring, 13); + gfx_v9_0_ring_emit_fence(ring, ring->trail_fence_gpu_addr, + ring->trail_seq, AMDGPU_FENCE_FLAG_EXEC | AMDGPU_FENCE_FLAG_INT); +- /*reset the CP_VMID_PREEMPT after trailing fence*/ +- amdgpu_ring_emit_wreg(ring, +- SOC15_REG_OFFSET(GC, 0, mmCP_VMID_PREEMPT), +- 0x0); + + /* assert IB preemption, emit the trailing fence */ + kiq->pmf->kiq_unmap_queues(kiq_ring, ring, PREEMPT_QUEUES_NO_UNMAP, +@@ -5392,6 +5388,10 @@ static int gfx_v9_0_ring_preempt_ib(stru + DRM_WARN("ring %d timeout to preempt ib\n", ring->idx); + } + ++ /*reset the CP_VMID_PREEMPT after trailing fence*/ ++ amdgpu_ring_emit_wreg(ring, ++ SOC15_REG_OFFSET(GC, 0, 
mmCP_VMID_PREEMPT), ++ 0x0); + amdgpu_ring_commit(ring); + + /* deassert preemption condition */ diff --git a/queue-6.3/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch b/queue-6.3/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch new file mode 100644 index 00000000000..cee4dd8bbe8 --- /dev/null +++ b/queue-6.3/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch @@ -0,0 +1,37 @@ +From 9db5ec1ceb5303398ec4f899d691073d531257c3 Mon Sep 17 00:00:00 2001 +From: Sonny Jiang +Date: Tue, 6 Jun 2023 17:18:52 -0400 +Subject: drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1 + +From: Sonny Jiang + +commit 9db5ec1ceb5303398ec4f899d691073d531257c3 upstream. + +Only vcn0 can process AV1 codecx. In order to use both vcn0 and +vcn1 in h264/265 transcode to AV1 cases, set vcn0 sched score to 1 +at initialization time. + +Signed-off-by: Sonny Jiang +Reviewed-by: Leo Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +@@ -129,7 +129,11 @@ static int vcn_v4_0_sw_init(void *handle + if (adev->vcn.harvest_config & (1 << i)) + continue; + +- atomic_set(&adev->vcn.inst[i].sched_score, 0); ++ /* Init instance 0 sched_score to 1, so it's scheduled after other instances */ ++ if (i == 0) ++ atomic_set(&adev->vcn.inst[i].sched_score, 1); ++ else ++ atomic_set(&adev->vcn.inst[i].sched_score, 0); + + /* VCN UNIFIED TRAP */ + r = amdgpu_irq_add_id(adev, amdgpu_ih_clientid_vcns[i], diff --git a/queue-6.3/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch b/queue-6.3/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch new file mode 100644 index 00000000000..1e9bd2f5ab2 --- /dev/null 
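Review bot: In gfx_v9_0_ring_preempt_ib the relocated `amdgpu_ring_emit_wreg(...)` for mmCP_VMID_PREEMPT sits after the closing brace of the timeout branch, so it is emitted on the `DRM_WARN("ring %d timeout to preempt ib\n", ...)` path as well as on the normal one. The commit message says the reset has to follow the signalled trailing fence, which the timeout path did not observe. If resetting anyway is intended as recovery, the comment should say so, e.g. `/* reset CP_VMID_PREEMPT only after the wait: PFP must not execute this before MEC sets it; also emitted after a timeout */`. The wait loop and the start of the function are outside the hunk, so this reading rests on the visible lines only.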
+++ b/queue-6.3/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
@@ -0,0 +1,42 @@
+From 2192bba03d80f829233bfa34506b428f71e531e7 Mon Sep 17 00:00:00 2001
+From: Benjamin Segall
+Date: Tue, 30 May 2023 11:32:28 -0700
+Subject: epoll: ep_autoremove_wake_function should use list_del_init_careful
+
+From: Benjamin Segall
+
+commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream.
+
+autoremove_wake_function uses list_del_init_careful, so should epoll's
+more aggressive variant. It only doesn't because it was copied from an
+older wait.c rather than the most recent.
+
+[bsegall@google.com: add comment]
+ Link: https://lkml.kernel.org/r/xm26bki0ulsr.fsf_-_@google.com
+Link: https://lkml.kernel.org/r/xm26pm6hvfer.fsf@google.com
+Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively")
+Signed-off-by: Ben Segall
+Cc: Al Viro
+Cc: Christian Brauner
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1760,7 +1760,11 @@ static int ep_autoremove_wake_function(s
+ {
+ int ret = default_wake_function(wq_entry, mode, sync, key);
+
+- list_del_init(&wq_entry->entry);
++ /*
++ * Pairs with list_empty_careful in ep_poll, and ensures future loop
++ * iterations see the cause of this wakeup.
++ */
++ list_del_init_careful(&wq_entry->entry);
+ return ret;
+ }
+
diff --git a/queue-6.3/io_uring-net-save-msghdr-msg_control-for-retries.patch b/queue-6.3/io_uring-net-save-msghdr-msg_control-for-retries.patch
new file mode 100644
index 00000000000..81d41580fb2
--- /dev/null
+++ b/queue-6.3/io_uring-net-save-msghdr-msg_control-for-retries.patch
@@ -0,0 +1,60 @@ +From cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 12 Jun 2023 13:51:36 -0600 +Subject: io_uring/net: save msghdr->msg_control for retries + +From: Jens Axboe + +commit cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 upstream. + +If the application sets ->msg_control and we have to later retry this +command, or if it got queued with IOSQE_ASYNC to begin with, then we +need to retain the original msg_control value. This is due to the net +stack overwriting this field with an in-kernel pointer, to copy it +in. Hitting that path for the second time will now fail the copy from +user, as it's attempting to copy from a non-user address. + +Cc: stable@vger.kernel.org # 5.10+ +Link: https://github.com/axboe/liburing/issues/880 +Reported-and-tested-by: Marek Majkowski +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -65,6 +65,7 @@ struct io_sr_msg { + u16 addr_len; + u16 buf_group; + void __user *addr; ++ void __user *msg_control; + /* used only for send zerocopy */ + struct io_kiocb *notif; + }; +@@ -195,11 +196,15 @@ static int io_sendmsg_copy_hdr(struct io + struct io_async_msghdr *iomsg) + { + struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); ++ int ret; + + iomsg->msg.msg_name = &iomsg->addr; + iomsg->free_iov = iomsg->fast_iov; +- return sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags, ++ ret = sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags, + &iomsg->free_iov); ++ /* save msg_control as sys_sendmsg() overwrites it */ ++ sr->msg_control = iomsg->msg.msg_control; ++ return ret; + } + + int io_send_prep_async(struct io_kiocb *req) +@@ -297,6 +302,7 @@ int io_sendmsg(struct io_kiocb *req, uns + + if (req_has_async_data(req)) { + kmsg = req->async_data; ++ kmsg->msg.msg_control = sr->msg_control; + } else { + ret = 
io_sendmsg_copy_hdr(req, &iomsg); + if (ret) diff --git a/queue-6.3/kexec-support-purgatories-with-.text.hot-sections.patch b/queue-6.3/kexec-support-purgatories-with-.text.hot-sections.patch new file mode 100644 index 00000000000..6aa4b2bb403 --- /dev/null +++ b/queue-6.3/kexec-support-purgatories-with-.text.hot-sections.patch 
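Review bot: In io_sendmsg_copy_hdr the new `sr->msg_control = iomsg->msg.msg_control;` runs even when sendmsg_copy_msghdr() returned an error, so a value from a failed header copy is stored in the request. Saving only on success, `if (!ret) sr->msg_control = iomsg->msg.msg_control;`, ties the field to a header that was actually copied in. The restore in io_sendmsg (`kmsg->msg.msg_control = sr->msg_control;`) presumably only runs after a successful prep, but that path is outside the hunk. The field is declared `void __user *`, so the user-typed union member `msg_control_user` of struct msghdr would be the matching source and avoids an address-space mismatch under sparse.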
@@ -0,0 +1,102 @@ +From 8652d44f466ad5772e7d1756e9457046189b0dfc Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:36 +0200 +Subject: kexec: support purgatories with .text.hot sections + +From: Ricardo Ribalda + +commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream. + +Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7. + +When upreving llvm I realised that kexec stopped working on my test +platform. + +The reason seems to be that due to PGO there are multiple .text sections +on the purgatory, and kexec does not supports that. + + +This patch (of 4): + +Clang16 links the purgatory text in two sections when PGO is in use: + + [ 1] .text PROGBITS 0000000000000000 00000040 + 00000000000011a1 0000000000000000 AX 0 0 16 + [ 2] .rela.text RELA 0000000000000000 00003498 + 0000000000000648 0000000000000018 I 24 1 8 + ... + [17] .text.hot. PROGBITS 0000000000000000 00003220 + 000000000000020b 0000000000000000 AX 0 0 1 + [18] .rela.text.hot. RELA 0000000000000000 00004428 + 0000000000000078 0000000000000018 I 24 17 8 + +And both of them have their range [sh_addr ... sh_addr+sh_size] on the +area pointed by `e_entry`. + +This causes that image->start is calculated twice, once for .text and +another time for .text.hot. The second calculation leaves image->start +in a random location. + +Because of this, the system crashes immediately after: + +kexec_core: Starting new kernel + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-0-b05c520b7296@chromium.org +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-1-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Ross Zwisler +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Philipp Rudo +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. 
Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Simon Horman +Cc: Thomas Gleixner +Cc: Tom Rix +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kexec_file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -901,10 +901,22 @@ static int kexec_purgatory_setup_sechdrs + } + + offset = ALIGN(offset, align); ++ ++ /* ++ * Check if the segment contains the entry point, if so, ++ * calculate the value of image->start based on it. ++ * If the compiler has produced more than one .text section ++ * (Eg: .text.hot), they are generally after the main .text ++ * section, and they shall not be used to calculate ++ * image->start. So do not re-calculate image->start if it ++ * is not set to the initial value, and warn the user so they ++ * have a chance to fix their purgatory's linker script. ++ */ + if (sechdrs[i].sh_flags & SHF_EXECINSTR && + pi->ehdr->e_entry >= sechdrs[i].sh_addr && + pi->ehdr->e_entry < (sechdrs[i].sh_addr +- + sechdrs[i].sh_size)) { ++ + sechdrs[i].sh_size) && ++ !WARN_ON(kbuf->image->start != pi->ehdr->e_entry)) { + kbuf->image->start -= sechdrs[i].sh_addr; + kbuf->image->start += kbuf->mem + offset; + } diff --git a/queue-6.3/loongarch-fix-debugfs_create_dir-error-checking.patch b/queue-6.3/loongarch-fix-debugfs_create_dir-error-checking.patch new file mode 100644 index 00000000000..27f3294e6ee --- /dev/null +++ b/queue-6.3/loongarch-fix-debugfs_create_dir-error-checking.patch 
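Review bot: The `!WARN_ON(kbuf->image->start != pi->ehdr->e_entry)` term in the section loop of kexec_purgatory_setup_sechdrs reports a purgatory layout problem as a bare backtrace with no message, and it fires once for every additional executable section that covers e_entry. Since this is a build-time property of the purgatory, a plain comparison plus a one-shot message would say more and would not escalate on systems running with panic_on_warn: test `kbuf->image->start == pi->ehdr->e_entry` in the `if` and emit `pr_warn_once("kexec: e_entry matched by more than one executable purgatory section\n")` on the skipped path. The guard also relies on image->start still being equal to e_entry before the first relocation; that assignment is outside the hunk and deserves a sentence in the block comment.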
@@ -0,0 +1,33 @@
+From 41efbb682de1231c3f6361039f46ad149e3ff5b9 Mon Sep 17 00:00:00 2001
+From: Immad Mir
+Date: Thu, 15 Jun 2023 14:35:56 +0800
+Subject: LoongArch: Fix debugfs_create_dir() error checking
+
+From: Immad Mir
+
+commit 41efbb682de1231c3f6361039f46ad149e3ff5b9 upstream.
+
+The debugfs_create_dir() returns ERR_PTR in case of an error and the
+correct way of checking it is using the IS_ERR_OR_NULL inline function
+rather than the simple null comparision. This patch fixes the issue.
+
+Cc: stable@vger.kernel.org
+Suggested-By: Ivan Orlov
+Signed-off-by: Immad Mir
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/unaligned.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/kernel/unaligned.c
++++ b/arch/loongarch/kernel/unaligned.c
+@@ -485,7 +485,7 @@ static int __init debugfs_unaligned(void
+ struct dentry *d;
+
+ d = debugfs_create_dir("loongarch", NULL);
+- if (!d)
++ if (IS_ERR_OR_NULL(d))
+ return -ENOMEM;
+
+ debugfs_create_u32("unaligned_instructions_user",
diff --git a/queue-6.3/loongarch-fix-perf-event-id-calculation.patch b/queue-6.3/loongarch-fix-perf-event-id-calculation.patch
new file mode 100644
index 00000000000..5d923bc3933
--- /dev/null
+++ b/queue-6.3/loongarch-fix-perf-event-id-calculation.patch
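Review bot: The new `if (IS_ERR_OR_NULL(d)) return -ENOMEM;` in debugfs_unaligned still reports every failure as -ENOMEM, so the error code that debugfs_create_dir() encoded in the returned pointer is discarded. `if (IS_ERR(d)) return PTR_ERR(d);` keeps the real cause; the commit message itself states that the function returns ERR_PTR on error, so the NULL half of the test looks unnecessary. The rest of the function is outside the hunk.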
@@ -0,0 +1,48 @@
+From 962369120d750cbc9c4dc492f32b4304669ff6aa Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 15 Jun 2023 14:35:52 +0800
+Subject: LoongArch: Fix perf event id calculation
+
+From: Huacai Chen
+
+commit 962369120d750cbc9c4dc492f32b4304669ff6aa upstream.
+
+LoongArch PMCFG has 10bit event id rather than 8 bit, so fix it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jun Yi
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/perf_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/loongarch/kernel/perf_event.c
++++ b/arch/loongarch/kernel/perf_event.c
+@@ -271,7 +271,7 @@ static void loongarch_pmu_enable_event(s
+ WARN_ON(idx < 0 || idx >= loongarch_pmu.num_counters);
+
+ /* Make sure interrupt enabled. */
+- cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base & 0xff) |
++ cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base) |
+ (evt->config_base & M_PERFCTL_CONFIG_MASK) | CSR_PERFCTRL_IE;
+
+ cpu = (event->cpu >= 0) ? event->cpu : smp_processor_id();
+@@ -594,7 +594,7 @@ static struct pmu pmu = {
+
+ static unsigned int loongarch_pmu_perf_event_encode(const struct loongarch_perf_event *pev)
+ {
+- return (pev->event_id & 0xff);
++ return M_PERFCTL_EVENT(pev->event_id);
+ }
+
+ static const struct loongarch_perf_event *loongarch_pmu_map_general_event(int idx)
+@@ -849,7 +849,7 @@ static void resume_local_counters(void)
+
+ static const struct loongarch_perf_event *loongarch_pmu_map_raw_event(u64 config)
+ {
+- raw_event.event_id = config & 0xff;
++ raw_event.event_id = M_PERFCTL_EVENT(config);
+
+ return &raw_event;
+ }
diff --git a/queue-6.3/mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch b/queue-6.3/mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch
new file mode 100644
index 00000000000..39491afa237
--- /dev/null
+++ b/queue-6.3/mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch
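Review bot: In loongarch_pmu_map_raw_event the caller-supplied `config` now goes straight through `M_PERFCTL_EVENT(config)`, and the macro's definition is not part of this patch; if it masks to the 10-bit event field, a raw config with higher bits set is silently mapped to a different event instead of being rejected. Either check the out-of-field bits before the assignment or state the truncation at the site, e.g. `/* bits above the PMCFG event field are dropped, not rejected */`. The same macro is applied in loongarch_pmu_perf_event_encode and again to `evt->event_base` in loongarch_pmu_enable_event, which is harmless only if the macro is idempotent, so that is worth confirming as well. loongarch_pmu_enable_event continues outside its hunk.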
@@ -0,0 +1,44 @@
+From 5ff6e2fff88ef9bf110c5e85a48e7b557bfc64c1 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Sat, 27 May 2023 11:21:01 +0800
+Subject: mm/damon/core: fix divide error in damon_nr_accesses_to_accesses_bp()
+
+From: Kefeng Wang
+
+commit 5ff6e2fff88ef9bf110c5e85a48e7b557bfc64c1 upstream.
+
+If 'aggr_interval' is smaller than 'sample_interval', max_nr_accesses in
+damon_nr_accesses_to_accesses_bp() becomes zero which leads to divide
+error, let's validate the values of them in damon_set_attrs() to fix it,
+which similar to others attrs check.
+
+Link: https://lkml.kernel.org/r/20230527032101.167788-1-wangkefeng.wang@huawei.com
+Fixes: 2f5bef5a590b ("mm/damon/core: update monitoring results for new monitoring attributes")
+Reported-by: syzbot+841a46899768ec7bec67@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=841a46899768ec7bec67
+Link: https://lore.kernel.org/damon/00000000000055fc4e05fc975bc2@google.com/
+Reviewed-by: SeongJae Park
+Signed-off-by: Kefeng Wang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/damon/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/damon/core.c b/mm/damon/core.c
+index d9ef62047bf5..91cff7f2997e 100644
+--- a/mm/damon/core.c
++++ b/mm/damon/core.c
+@@ -551,6 +551,8 @@ int damon_set_attrs(struct damon_ctx *ctx, struct damon_attrs *attrs)
+ return -EINVAL;
+ if (attrs->min_nr_regions > attrs->max_nr_regions)
+ return -EINVAL;
++ if (attrs->sample_interval > attrs->aggr_interval)
++ return -EINVAL;
+
+ damon_update_monitoring_results(ctx, attrs);
+ ctx->attrs = *attrs;
+--
+2.41.0
+
diff --git a/queue-6.3/mm-gup_test-fix-ioctl-fail-for-compat-task.patch b/queue-6.3/mm-gup_test-fix-ioctl-fail-for-compat-task.patch
new file mode 100644
index 00000000000..c0d1cd9922a
--- /dev/null
+++ b/queue-6.3/mm-gup_test-fix-ioctl-fail-for-compat-task.patch
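Review bot: The added `if (attrs->sample_interval > attrs->aggr_interval) return -EINVAL;` in damon_set_attrs rejects the case named in the commit message but still accepts `sample_interval == 0`. If damon_nr_accesses_to_accesses_bp() derives max_nr_accesses by dividing aggr_interval by sample_interval, as the description implies, a zero sample interval would be a second route to a divide error; that function is not shown here, so this needs checking against it. If it applies, either extend the test to `if (!attrs->sample_interval || attrs->sample_interval > attrs->aggr_interval)` or guard the divisor where it is computed, depending on whether a zero interval is a value callers are allowed to set. damon_set_attrs starts and ends outside the hunk.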
@@ -0,0 +1,37 @@
+From 4f572f0074b8be8a70bd150d96a749aa94c8d85f Mon Sep 17 00:00:00 2001
+From: Haibo Li
+Date: Fri, 26 May 2023 10:21:25 +0800
+Subject: mm/gup_test: fix ioctl fail for compat task
+
+From: Haibo Li
+
+commit 4f572f0074b8be8a70bd150d96a749aa94c8d85f upstream.
+
+When tools/testing/selftests/mm/gup_test.c is compiled as 32bit, then run
+on arm64 kernel, it reports "ioctl: Inappropriate ioctl for device".
+
+Fix it by filling compat_ioctl in gup_test_fops
+
+Link: https://lkml.kernel.org/r/20230526022125.175728-1-haibo.li@mediatek.com
+Signed-off-by: Haibo Li
+Acked-by: David Hildenbrand
+Cc: AngeloGioacchino Del Regno
+Cc: Matthias Brugger
+Cc: John Hubbard
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/gup_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/gup_test.c
++++ b/mm/gup_test.c
+@@ -381,6 +381,7 @@ static int gup_test_release(struct inode
+ static const struct file_operations gup_test_fops = {
+ .open = nonseekable_open,
+ .unlocked_ioctl = gup_test_ioctl,
++ .compat_ioctl = compat_ptr_ioctl,
+ .release = gup_test_release,
+ };
+
diff --git a/queue-6.3/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch b/queue-6.3/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
new file mode 100644
index 00000000000..bf2f65965be
--- /dev/null
+++ b/queue-6.3/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
@@ -0,0 +1,92 @@ +From 270aa010620697fb27b8f892cc4e194bc2b7d134 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 17 May 2023 15:09:15 -0400 +Subject: mm/uffd: fix vma operation where start addr cuts part of vma + +From: Peter Xu + +commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream. + +Patch series "mm/uffd: Fix vma merge/split", v2. + +This series contains two patches that fix vma merge/split for userfaultfd +on two separate issues. + +Patch 1 fixes a regression since 6.1+ due to something we overlooked when +converting to maple tree apis. The plan is we use patch 1 to replace the +commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to +vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring +uffd vma operations back aligned with the rest code again. + +Patch 2 fixes a long standing issue that vma can be left unmerged even if +we can for either uffd register or unregister. + +Many thanks to Lorenzo on either noticing this issue from the assert +movement patch, looking at this problem, and also provided a reproducer on +the unmerged vma issue [1]. + +[1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e + + +This patch (of 2): + +It seems vma merging with uffd paths is broken with either +register/unregister, where right now we can feed wrong parameters to +vma_merge() and it's found by recent patch which moved asserts upwards in +vma_merge() by Lorenzo Stoakes: + +https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ + +It's possible that "start" is contained within vma but not clamped to its +start. We need to convert this into either "cannot merge" case or "can +merge" case 4 which permits subdivision of prev by assigning vma to prev. +As we loop, each subsequent VMA will be clamped to the start. + +This patch will eliminate the report and make sure vma_merge() calls will +become legal again. 
+ +One thing to mention is that the "Fixes: 29417d292bd0" below is there only +to help explain where the warning can start to trigger, the real commit to +fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the +issue, but unfortunately we may want to keep it in Fixes too just to ease +kernel backporters for easier tracking. + +Link: https://lkml.kernel.org/r/20230517190916.3429499-1-peterx@redhat.com +Link: https://lkml.kernel.org/r/20230517190916.3429499-2-peterx@redhat.com +Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") +Signed-off-by: Peter Xu +Reported-by: Mark Rutland +Reviewed-by: Lorenzo Stoakes +Reviewed-by: Liam R. Howlett +Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ +Cc: Lorenzo Stoakes +Cc: Mike Rapoport (IBM) +Cc: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/userfaultfd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -1429,6 +1429,8 @@ static int userfaultfd_register(struct u + + vma_iter_set(&vmi, start); + prev = vma_prev(&vmi); ++ if (vma->vm_start < start) ++ prev = vma; + + ret = 0; + for_each_vma_range(vmi, vma, end) { +@@ -1595,6 +1597,9 @@ static int userfaultfd_unregister(struct + + vma_iter_set(&vmi, start); + prev = vma_prev(&vmi); ++ if (vma->vm_start < start) ++ prev = vma; ++ + ret = 0; + for_each_vma_range(vmi, vma, end) { + cond_resched(); diff --git a/queue-6.3/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch b/queue-6.3/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch new file mode 100644 index 00000000000..d00802128db --- /dev/null +++ b/queue-6.3/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch 
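Review bot: The two added lines `if (vma->vm_start < start) prev = vma;` appear in both userfaultfd_register and userfaultfd_unregister without a comment, and the reason for them exists only in the commit message. A line such as `/* start cuts into vma: pass vma as prev so vma_merge() can split it */` at each site would keep the invariant next to the code. `vma` is dereferenced here before the `for_each_vma_range` loop reassigns it, so both sites depend on a lookup and NULL check earlier in each function that are outside the hunks. Since the three-line sequence is identical in both functions, a small static helper would also remove the duplication.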
@@ -0,0 +1,66 @@ +From 30134b7c47bd28fdb4db4d12aef824e0579cfee4 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Wed, 14 Jun 2023 11:17:14 +0200 +Subject: net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open + +From: Christian Marangi + +commit 30134b7c47bd28fdb4db4d12aef824e0579cfee4 upstream. + +Fix a possible memory leak in __stmmac_open when stmmac_init_phy fails. +It's also needed to free everything allocated by stmmac_setup_dma_desc +and not just the dma_conf struct. + +Drop free_dma_desc_resources from __stmmac_open and correctly call +free_dma_desc_resources on each user of __stmmac_open on error. + +Reported-by: Jose Abreu +Fixes: ba39b344e924 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Reviewed-by: Jose Abreu +Link: https://lore.kernel.org/r/20230614091714.15912-1-ansuelsmth@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3867,7 +3867,6 @@ irq_error: + + stmmac_hw_teardown(dev); + init_error: +- free_dma_desc_resources(priv, &priv->dma_conf); + phylink_disconnect_phy(priv->phylink); + init_phy_error: + pm_runtime_put(priv->device); +@@ -3885,6 +3884,9 @@ static int stmmac_open(struct net_device + return PTR_ERR(dma_conf); + + ret = __stmmac_open(dev, dma_conf); ++ if (ret) ++ free_dma_desc_resources(priv, dma_conf); ++ + kfree(dma_conf); + return ret; + } +@@ -5609,12 +5611,15 @@ static int stmmac_change_mtu(struct net_ + stmmac_release(dev); + + ret = __stmmac_open(dev, dma_conf); +- kfree(dma_conf); + if (ret) { ++ free_dma_desc_resources(priv, dma_conf); ++ kfree(dma_conf); + netdev_err(priv->dev, "failed reopening the interface after MTU 
change\n"); + return ret; + } + ++ kfree(dma_conf); ++ + stmmac_set_rx_mode(dev); + } + diff --git a/queue-6.3/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch b/queue-6.3/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch new file mode 100644 index 00000000000..0e510666284 --- /dev/null +++ b/queue-6.3/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch 
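Review bot: After this change __stmmac_open no longer frees the DMA descriptor resources on its error paths, so every caller has to pair a failing call with `free_dma_desc_resources(priv, dma_conf)`, and nothing at the function states that contract. A short comment above __stmmac_open, e.g. `/* On error the caller still owns dma_conf and must call free_dma_desc_resources() on it */`, would make the rule visible to the next caller. Whether priv->dma_conf keeps copies of the descriptor pointers that the callers now free after a failed open cannot be told from these hunks and is worth checking against the full function. __stmmac_open, stmmac_open and stmmac_change_mtu all extend beyond the hunks shown.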
@@ -0,0 +1,88 @@ +From 863199199713908afaa47ba09332b87621c12496 Mon Sep 17 00:00:00 2001 +From: Wes Huang +Date: Thu, 8 Jun 2023 11:01:42 +0800 +Subject: net: usb: qmi_wwan: add support for Compal RXM-G1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wes Huang + +commit 863199199713908afaa47ba09332b87621c12496 upstream. + +Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip. +This patch adds support for two compositions: + +0x9091: DIAG + MODEM + QMI_RMNET + ADB +0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=9091 Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=90db Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Wes Huang +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20230608030141.3546-1-wes.huang@moxa.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1220,7 +1220,9 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x9091, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x90db, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */ 
diff --git a/queue-6.3/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch b/queue-6.3/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch new file mode 100644 index 00000000000..5db83e98d8b --- /dev/null +++ b/queue-6.3/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch 
@@ -0,0 +1,53 @@ +From 2f012f2baca140c488e43d27a374029c1e59098d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 13 May 2023 19:24:28 +0900 +Subject: nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() + +From: Ryusuke Konishi + +commit 2f012f2baca140c488e43d27a374029c1e59098d upstream. + +A syzbot fault injection test reported that nilfs_btnode_create_block, a +helper function that allocates a new node block for b-trees, causes a +kernel BUG for disk images where the file system block size is smaller +than the page size. + +This was due to unexpected flags on the newly allocated buffer head, and +it turned out to be because the buffer flags were not cleared by +nilfs_btnode_abort_change_key() after an error occurred during a b-tree +update operation and the buffer was later reused in that state. + +Fix this issue by using nilfs_btnode_delete() to abandon the unused +preallocated buffer in nilfs_btnode_abort_change_key(). + +Link: https://lkml.kernel.org/r/20230513102428.10223-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b0a35a5c1f7e846d3b09@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000d1d6c205ebc4d512@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -285,6 +285,14 @@ void nilfs_btnode_abort_change_key(struc + if (nbh == NULL) { /* blocksize == pagesize */ + xa_erase_irq(&btnc->i_pages, newkey); + unlock_page(ctxt->bh->b_page); +- } else +- brelse(nbh); ++ } else { ++ /* ++ * When canceling a buffer that a prepare operation has ++ * allocated to copy a node block to another location, use ++ * nilfs_btnode_delete() to initialize and release the buffer ++ * so that the buffer flags will not be in an inconsistent ++ * state when it is reallocated. 
++ */ ++ nilfs_btnode_delete(nbh); ++ } + } diff --git a/queue-6.3/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch b/queue-6.3/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch new file mode 100644 index 00000000000..b26aee731e3 --- /dev/null +++ b/queue-6.3/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch 
@@ -0,0 +1,62 @@
+From fee5eaecca86afa544355569b831c1f90f334b85 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Wed, 24 May 2023 18:43:48 +0900
+Subject: nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
+
+From: Ryusuke Konishi
+
+commit fee5eaecca86afa544355569b831c1f90f334b85 upstream.
+
+Syzbot reports that in its stress test for resize ioctl, the log writing
+function nilfs_segctor_do_construct hits a WARN_ON in
+nilfs_segctor_truncate_segments().
+
+It turned out that there is a problem with the current implementation of
+the resize ioctl, which changes the writable range on the device (the
+range of allocatable segments) at the end of the resize process.
+
+This order is necessary for file system expansion to avoid corrupting the
+superblock at trailing edge. However, in the case of a file system
+shrink, if log writes occur after truncating out-of-bounds trailing
+segments and before the resize is complete, segments may be allocated from
+the truncated space.
+
+The userspace resize tool was fine as it limits the range of allocatable
+segments before performing the resize, but it can run into this issue if
+the resize ioctl is called alone.
+
+Fix this issue by changing nilfs_sufile_resize() to update the range of
+allocatable segments immediately after successful truncation of segment
+space in case of file system shrink.
+
+Link: https://lkml.kernel.org/r/20230524094348.3784-1-konishi.ryusuke@gmail.com
+Fixes: 4e33f9eab07e ("nilfs2: implement resize ioctl")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+33494cd0df2ec2931851@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/0000000000005434c405fbbafdc5@google.com
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/sufile.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/nilfs2/sufile.c
++++ b/fs/nilfs2/sufile.c
+@@ -779,6 +779,15 @@ int nilfs_sufile_resize(struct inode *su
+ goto out_header;
+
+ sui->ncleansegs -= nsegs - newnsegs;
++
++ /*
++ * If the sufile is successfully truncated, immediately adjust
++ * the segment allocation space while locking the semaphore
++ * "mi_sem" so that nilfs_sufile_alloc() never allocates
++ * segments in the truncated space.
++ */
++ sui->allocmax = newnsegs - 1;
++ sui->allocmin = 0;
+ }
+
+ kaddr = kmap_atomic(header_bh->b_page);
diff --git a/queue-6.3/nilfs2-reject-devices-with-insufficient-block-count.patch b/queue-6.3/nilfs2-reject-devices-with-insufficient-block-count.patch
new file mode 100644
index 00000000000..8ec1f485adf
--- /dev/null
+++ b/queue-6.3/nilfs2-reject-devices-with-insufficient-block-count.patch
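Review bot: The added `sui->allocmax = newnsegs - 1;` in the shrink branch of nilfs_sufile_resize() wraps to the largest value of its type if newnsegs is ever 0, and nothing in this hunk shows a lower bound on newnsegs. The function starts and ends outside the hunk, so presumably an earlier check or the caller rejects such a size, but that should be confirmed and recorded in the new comment, for example with a line like `* newnsegs is at least 1 here (checked earlier), so the subtraction cannot wrap.` The assignment `sui->allocmin = 0;` also discards whatever lower bound was in effect before the resize, which the comment could state explicitly.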
@@ -0,0 +1,104 @@
+From 92c5d1b860e9581d64baca76779576c0ab0d943d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Fri, 26 May 2023 11:13:32 +0900
+Subject: nilfs2: reject devices with insufficient block count
+
+From: Ryusuke Konishi
+
+commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream.
+
+The current sanity check for nilfs2 geometry information lacks checks for
+the number of segments stored in superblocks, so even for device images
+that have been destructively truncated or have an unusually high number of
+segments, the mount operation may succeed.
+
+This causes out-of-bounds block I/O on file system block reads or log
+writes to the segments, the latter in particular causing
+"a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to
+hang.
+
+Fix this issue by checking the number of segments stored in the superblock
+and avoiding mounting devices that can cause out-of-bounds accesses. To
+eliminate the possibility of overflow when calculating the number of
+blocks required for the device from the number of segments, this also adds
+a helper function to calculate the upper bound on the number of segments
+and inserts a check using it.
+
+Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com
+ Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/the_nilfs.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -405,6 +405,18 @@ unsigned long nilfs_nrsvsegs(struct the_
+ 100));
+ }
+
++/**
++ * nilfs_max_segment_count - calculate the maximum number of segments
++ * @nilfs: nilfs object
++ */
++static u64 nilfs_max_segment_count(struct the_nilfs *nilfs)
++{
++ u64 max_count = U64_MAX;
++
++ do_div(max_count, nilfs->ns_blocks_per_segment);
++ return min_t(u64, max_count, ULONG_MAX);
++}
++
+ void nilfs_set_nsegments(struct the_nilfs *nilfs, unsigned long nsegs)
+ {
+ nilfs->ns_nsegments = nsegs;
+@@ -414,6 +426,8 @@ void nilfs_set_nsegments(struct the_nilf
+ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
+ struct nilfs_super_block *sbp)
+ {
++ u64 nsegments, nblocks;
++
+ if (le32_to_cpu(sbp->s_rev_level) < NILFS_MIN_SUPP_REV) {
+ nilfs_err(nilfs->ns_sb,
+ "unsupported revision (superblock rev.=%d.%d, current rev.=%d.%d). Please check the version of mkfs.nilfs(2).",
+@@ -457,7 +471,34 @@ static int nilfs_store_disk_layout(struc
+ return -EINVAL;
+ }
+
+- nilfs_set_nsegments(nilfs, le64_to_cpu(sbp->s_nsegments));
++ nsegments = le64_to_cpu(sbp->s_nsegments);
++ if (nsegments > nilfs_max_segment_count(nilfs)) {
++ nilfs_err(nilfs->ns_sb,
++ "segment count %llu exceeds upper limit (%llu segments)",
++ (unsigned long long)nsegments,
++ (unsigned long long)nilfs_max_segment_count(nilfs));
++ return -EINVAL;
++ }
++
++ nblocks = sb_bdev_nr_blocks(nilfs->ns_sb);
++ if (nblocks) {
++ u64 min_block_count = nsegments * nilfs->ns_blocks_per_segment;
++ /*
++ * To avoid failing to mount early device images without a
++ * second superblock, exclude that block count from the
++ * "min_block_count" calculation.
++ */
++
++ if (nblocks < min_block_count) {
++ nilfs_err(nilfs->ns_sb,
++ "total number of segment blocks %llu exceeds device size (%llu blocks)",
++ (unsigned long long)min_block_count,
++ (unsigned long long)nblocks);
++ return -EINVAL;
++ }
++ }
++
++ nilfs_set_nsegments(nilfs, nsegments);
+ nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed);
+ return 0;
+ }
diff --git a/queue-6.3/nios2-dts-fix-tse_mac-max-frame-size-property.patch b/queue-6.3/nios2-dts-fix-tse_mac-max-frame-size-property.patch
new file mode 100644
index 00000000000..53a13d28876
--- /dev/null
+++ b/queue-6.3/nios2-dts-fix-tse_mac-max-frame-size-property.patch
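Review bot: nilfs_max_segment_count() divides by `nilfs->ns_blocks_per_segment` through do_div() with no guard of its own, and its kernel-doc has no return description. The `return -EINVAL;` context just above the new check suggests nilfs_store_disk_layout() validates the geometry first, but what it checks lies outside the hunk, so the precondition should be written down by adding `* Return: upper bound on the segment count; ns_blocks_per_segment must be non-zero.` to the kernel-doc. The limit is also computed twice on the error path; a local such as `u64 max_segs = nilfs_max_segment_count(nilfs);` keeps the comparison and the logged value in step.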
@@ -0,0 +1,46 @@
+From 85041e12418fd0c08ff972b7729f7971afb361f8 Mon Sep 17 00:00:00 2001
+From: Janne Grunau
+Date: Sun, 12 Feb 2023 13:16:32 +0100
+Subject: nios2: dts: Fix tse_mac "max-frame-size" property
+
+From: Janne Grunau
+
+commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream.
+
+The given value of 1518 seems to refer to the layer 2 ethernet frame
+size without 802.1Q tag. Actual use of the "max-frame-size" including in
+the consumer of the "altr,tse-1.0" compatible is the MTU.
+
+Fixes: 95acd4c7b69c ("nios2: Device tree support")
+Fixes: 61c610ec61bb ("nios2: Add Max10 device tree")
+Cc:
+Signed-off-by: Janne Grunau
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/nios2/boot/dts/10m50_devboard.dts | 2 +-
+ arch/nios2/boot/dts/3c120_devboard.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/nios2/boot/dts/10m50_devboard.dts
++++ b/arch/nios2/boot/dts/10m50_devboard.dts
+@@ -97,7 +97,7 @@
+ rx-fifo-depth = <8192>;
+ tx-fifo-depth = <8192>;
+ address-bits = <48>;
+- max-frame-size = <1518>;
++ max-frame-size = <1500>;
+ local-mac-address = [00 00 00 00 00 00];
+ altr,has-supplementary-unicast;
+ altr,enable-sup-addr = <1>;
+--- a/arch/nios2/boot/dts/3c120_devboard.dts
++++ b/arch/nios2/boot/dts/3c120_devboard.dts
+@@ -106,7 +106,7 @@
+ interrupt-names = "rx_irq", "tx_irq";
+ rx-fifo-depth = <8192>;
+ tx-fifo-depth = <8192>;
+- max-frame-size = <1518>;
++ max-frame-size = <1500>;
+ local-mac-address = [ 00 00 00 00 00 00 ];
+ phy-mode = "rgmii-id";
+ phy-handle = <&phy0>;
diff --git a/queue-6.3/nouveau-fix-client-work-fence-deletion-race.patch b/queue-6.3/nouveau-fix-client-work-fence-deletion-race.patch
new file mode 100644
index 00000000000..3c1243fae0c
--- /dev/null
+++ b/queue-6.3/nouveau-fix-client-work-fence-deletion-race.patch
@@ -0,0 +1,60 @@
+From c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Thu, 15 Jun 2023 12:22:11 +1000
+Subject: nouveau: fix client work fence deletion race
+
+From: Dave Airlie
+
+commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream.
+
+This seems to have existed for ever but is now more apparant after
+commit 9bff18d13473 ("drm/ttm: use per BO cleanup workers")
+
+My analysis: two threads are running, one in the irq signalling the
+fence, in dma_fence_signal_timestamp_locked, it has done the
+DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn't yet reached the
+callbacks.
+
+The second thread in nouveau_cli_work_ready, where it sees the fence is
+signalled, so then puts the fence, cleanups the object and frees the
+work item, which contains the callback.
+
+Thread one goes again and tries to call the callback and causes the
+use-after-free.
+
+Proposed fix: lock the fence signalled check in nouveau_cli_work_ready,
+so either the callbacks are done or the memory is freed.
+
+Reviewed-by: Karol Herbst
+Fixes: 11e451e74050 ("drm/nouveau: remove fence wait code from deferred client work handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie
+Link: https://lore.kernel.org/dri-devel/20230615024008.1600281-1-airlied@gmail.com/
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -137,10 +137,16 @@ nouveau_name(struct drm_device *dev)
+ static inline bool
+ nouveau_cli_work_ready(struct dma_fence *fence)
+ {
+- if (!dma_fence_is_signaled(fence))
+- return false;
+- dma_fence_put(fence);
+- return true;
++ bool ret = true;
++
++ spin_lock_irq(fence->lock);
++ if (!dma_fence_is_signaled_locked(fence))
++ ret = false;
++ spin_unlock_irq(fence->lock);
++
++ if (ret == true)
++ dma_fence_put(fence);
++ return ret;
+ }
+
+ static void
diff --git a/queue-6.3/ocfs2-check-new-file-size-on-fallocate-call.patch b/queue-6.3/ocfs2-check-new-file-size-on-fallocate-call.patch
new file mode 100644
index 00000000000..1c4ab2781c9
--- /dev/null
+++ b/queue-6.3/ocfs2-check-new-file-size-on-fallocate-call.patch
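Review bot: The rewritten nouveau_cli_work_ready() takes `fence->lock` with no comment saying why, so a later cleanup could fold it back into the lockless `dma_fence_is_signaled()` and reintroduce the use-after-free the commit message describes. A comment above the lock, such as `/* Hold fence->lock so a signaller still running callbacks has finished before the caller frees the work item. */`, would record the intent. `spin_lock_irq()`/`spin_unlock_irq()` re-enable interrupts unconditionally, which is only correct if every caller runs with interrupts enabled; the callers are outside this hunk, so either confirm that or use the irqsave/irqrestore variants. `if (ret == true)` reads better as `if (ret)`.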
@@ -0,0 +1,57 @@
+From 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?=
+Date: Mon, 29 May 2023 16:26:45 +0100
+Subject: ocfs2: check new file size on fallocate call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques
+
+commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream.
+
+When changing a file size with fallocate() the new size isn't being
+checked. In particular, the FSIZE ulimit isn't being checked, which makes
+fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes
+this issue.
+
+Link: https://lkml.kernel.org/r/20230529152645.32680-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques
+Reviewed-by: Mark Fasheh
+Reviewed-by: Joseph Qi
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file
+ struct ocfs2_space_resv sr;
+ int change_size = 1;
+ int cmd = OCFS2_IOC_RESVSP64;
++ int ret = 0;
+
+ if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+ return -EOPNOTSUPP;
+ if (!ocfs2_writes_unwritten_extents(osb))
+ return -EOPNOTSUPP;
+
+- if (mode & FALLOC_FL_KEEP_SIZE)
++ if (mode & FALLOC_FL_KEEP_SIZE) {
+ change_size = 0;
++ } else {
++ ret = inode_newsize_ok(inode, offset + len);
++ if (ret)
++ return ret;
++ }
+
+ if (mode & FALLOC_FL_PUNCH_HOLE)
+ cmd = OCFS2_IOC_UNRESVSP64;
diff --git a/queue-6.3/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch b/queue-6.3/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
new file mode 100644
index 00000000000..4743b7340f6
--- /dev/null
+++ b/queue-6.3/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
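Review bot: `inode_newsize_ok(inode, offset + len)` adds two signed file offsets inside ocfs2_fallocate() with no range check visible in this hunk, so if the sum wrapped it would be the wrapped value that gets validated. The generic fallocate entry point presumably rejects negative and overflowing ranges before calling in, but that code is outside the hunk; once verified, a short comment on the new branch such as `/* offset and len were range-checked by the caller */` would make the reliance explicit. `int ret = 0;` does not need the initialiser, since the only read follows the assignment. The function body continues outside the hunk.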
@@ -0,0 +1,100 @@
+From 50d927880e0f90d5cb25e897e9d03e5edacc79a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?=
+Date: Mon, 22 May 2023 11:21:12 +0100
+Subject: ocfs2: fix use-after-free when unmounting read-only filesystem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques
+
+commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream.
+
+It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using
+fstest generic/452. After a read-only remount, quotas are suspended and
+ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting
+the filesystem, an UAF access to the oinfo will eventually cause a crash.
+
+BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0
+Read of size 8 at addr ffff8880389a8208 by task umount/669
+...
+Call Trace:
+
+ ...
+ timer_delete+0x54/0xc0
+ try_to_grab_pending+0x31/0x230
+ __cancel_work_timer+0x6c/0x270
+ ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2]
+ ocfs2_dismount_volume+0xdd/0x450 [ocfs2]
+ generic_shutdown_super+0xaa/0x280
+ kill_block_super+0x46/0x70
+ deactivate_locked_super+0x4d/0xb0
+ cleanup_mnt+0x135/0x1f0
+ ...
+
+
+Allocated by task 632:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x8b/0x90
+ ocfs2_local_read_info+0xe3/0x9a0 [ocfs2]
+ dquot_load_quota_sb+0x34b/0x680
+ dquot_load_quota_inode+0xfe/0x1a0
+ ocfs2_enable_quotas+0x190/0x2f0 [ocfs2]
+ ocfs2_fill_super+0x14ef/0x2120 [ocfs2]
+ mount_bdev+0x1be/0x200
+ legacy_get_tree+0x6c/0xb0
+ vfs_get_tree+0x3e/0x110
+ path_mount+0xa90/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 650:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0xf9/0x150
+ __kmem_cache_free+0x89/0x180
+ ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2]
+ dquot_disable+0x35f/0xa70
+ ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2]
+ ocfs2_remount+0x150/0x580 [ocfs2]
+ reconfigure_super+0x1a5/0x3a0
+ path_mount+0xc8a/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques
+Reviewed-by: Joseph Qi
+Tested-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -952,8 +952,10 @@ static void ocfs2_disable_quotas(struct
+ for (type = 0; type < OCFS2_MAXQUOTAS; type++) {
+ if (!sb_has_quota_loaded(sb, type))
+ continue;
+- oinfo = sb_dqinfo(sb, type)->dqi_priv;
+- cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++ if (!sb_has_quota_suspended(sb, type)) {
++ oinfo = sb_dqinfo(sb, type)->dqi_priv;
++ cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++ }
+ inode = igrab(sb->s_dquot.files[type]);
+ /* Turn off quotas. This will remove all dquot structures from
+ * memory and so they will be automatically synced to global
diff --git a/queue-6.3/powerpc-purgatory-remove-pgo-flags.patch b/queue-6.3/powerpc-purgatory-remove-pgo-flags.patch
new file mode 100644
index 00000000000..2e11140e7a3
--- /dev/null
+++ b/queue-6.3/powerpc-purgatory-remove-pgo-flags.patch
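Review bot: The new `sb_has_quota_suspended()` test in ocfs2_disable_quotas() carries no comment, and the reason for it exists only in the commit message: after a read-only remount the per-type info behind `dqi_priv` has already been freed. Add a comment above the condition such as `/* dqi_priv was freed when quotas were suspended; do not touch its sync work */`. Clearing `dqi_priv` where it is freed would turn any remaining stale access into an immediate fault instead of a silent use of freed memory; that code is outside this hunk, so this is a suggestion for the function that frees it. The loop body also continues past the end of the hunk.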
@@ -0,0 +1,59 @@
+From 20188baceb7a1463dc0bcb0c8678b69c2f447df6 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Fri, 19 May 2023 16:47:38 +0200
+Subject: powerpc/purgatory: remove PGO flags
+
+From: Ricardo Ribalda
+
+commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-3-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc: Christophe Leroy
+Cc:
+Cc: Albert Ou
+Cc: Baoquan He
+Cc: Borislav Petkov (AMD)
+Cc: Dave Hansen
+Cc: Dave Young
+Cc: Eric W. Biederman
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Nathan Chancellor
+Cc: Nick Desaulniers
+Cc: Palmer Dabbelt
+Cc: Palmer Dabbelt
+Cc: Paul Walmsley
+Cc: Philipp Rudo
+Cc: Ross Zwisler
+Cc: Simon Horman
+Cc: Steven Rostedt (Google)
+Cc: Thomas Gleixner
+Cc: Tom Rix
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/purgatory/Makefile
++++ b/arch/powerpc/purgatory/Makefile
+@@ -5,6 +5,11 @@ KCSAN_SANITIZE := n
+
+ targets += trampoline_$(BITS).o purgatory.ro
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined
+
+ $(obj)/purgatory.ro: $(obj)/trampoline_$(BITS).o FORCE
diff --git a/queue-6.3/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch b/queue-6.3/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
new file mode 100644
index 00000000000..5d4caca6add
--- /dev/null
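Review bot: The `filter-out` added to the purgatory Makefile strips only `-fprofile-sample-use=%` and `-fprofile-use=%`, so any other profile-related option that reaches KBUILD_CFLAGS would still be applied to the purgatory objects. If these two families are the only ones the supported configurations inject, the comment should say so, for example `# Only the profile-use flags are filtered; extend this list if other PGO options are added.` The same four lines are added to the riscv and x86 purgatory Makefiles later on this page, and keeping three copies of the flag list invites them to drift apart; a shared variable holding the list would avoid that.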
+++ b/queue-6.3/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
@@ -0,0 +1,43 @@
+From 0cadb4db79e1d9eea66711c4031e435c2191907e Mon Sep 17 00:00:00 2001
+From: Edward Srouji
+Date: Mon, 5 Jun 2023 13:33:24 +0300
+Subject: RDMA/uverbs: Restrict usage of privileged QKEYs
+
+From: Edward Srouji
+
+commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream.
+
+According to the IB specification rel-1.6, section 3.5.3:
+"QKEYs with the most significant bit set are considered controlled
+QKEYs, and a HCA does not allow a consumer to arbitrarily specify a
+controlled QKEY."
+
+Thus, block non-privileged users from setting such a QKEY.
+
+Cc: stable@vger.kernel.org
+Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation")
+Signed-off-by: Edward Srouji
+Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_cmd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1850,8 +1850,13 @@ static int modify_qp(struct uverbs_attr_
+ attr->path_mtu = cmd->base.path_mtu;
+ if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE)
+ attr->path_mig_state = cmd->base.path_mig_state;
+- if (cmd->base.attr_mask & IB_QP_QKEY)
++ if (cmd->base.attr_mask & IB_QP_QKEY) {
++ if (cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)) {
++ ret = -EPERM;
++ goto release_qp;
++ }
+ attr->qkey = cmd->base.qkey;
++ }
+ if (cmd->base.attr_mask & IB_QP_RQ_PSN)
+ attr->rq_psn = cmd->base.rq_psn;
+ if (cmd->base.attr_mask & IB_QP_SQ_PSN)
diff --git a/queue-6.3/revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch b/queue-6.3/revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch
new file mode 100644
index 00000000000..c27ac8c54c8
--- /dev/null
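Review bot: In modify_qp() the new condition `cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)` relies on `&` binding tighter than `&&`; it evaluates as intended, but a privilege check should not depend on the reader's memory of operator precedence, so write it as `if ((cmd->base.qkey & IB_QP_SET_QKEY) && !capable(CAP_NET_RAW)) {`. A one-line comment such as `/* controlled QKEYs (MSB set) require CAP_NET_RAW */` would tie the test to the rule quoted in the commit message. The check covers only this command path; whether other user-reachable code that sets a QKEY needs the same gate cannot be told from the hunk, and the `release_qp` label lies outside it.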
+++ b/queue-6.3/revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch
@@ -0,0 +1,51 @@
+From 34e5a54327dce5033582f3609eb54812a8c61b90 Mon Sep 17 00:00:00 2001
+From: Arunpravin Paneer Selvam
+Date: Fri, 9 Jun 2023 06:18:41 -0700
+Subject: Revert "drm/amdgpu: remove TOPDOWN flags when allocating VRAM in large bar system"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arunpravin Paneer Selvam
+
+commit 34e5a54327dce5033582f3609eb54812a8c61b90 upstream.
+
+This reverts commit c105518679b6e87232874ffc989ec403bee59664.
+
+This patch disables the TOPDOWN flag for APU and few dGPU cards
+which has the VRAM size equal to the BAR size.
+
+When we enable the TOPDOWN flag, we get the free blocks at
+the highest available memory region and we don't split the
+lower order blocks. This change is required to keep off
+the fragmentation related issues particularly in ASIC
+which has VRAM space <= 500MiB
+
+Hence, we are reverting this patch.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2270
+Signed-off-by: Arunpravin Paneer Selvam
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+index 3b225be89cb7..a70103ac0026 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -140,7 +140,7 @@ void amdgpu_bo_placement_from_domain(struct amdgpu_bo *abo, u32 domain)
+
+ if (flags & AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED)
+ places[c].lpfn = visible_pfn;
+- else if (adev->gmc.real_vram_size != adev->gmc.visible_vram_size)
++ else
+ places[c].flags |= TTM_PL_FLAG_TOPDOWN;
+
+ if (flags & AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS)
+--
+2.41.0
+
diff --git a/queue-6.3/riscv-purgatory-remove-pgo-flags.patch b/queue-6.3/riscv-purgatory-remove-pgo-flags.patch
new file mode 100644
index 00000000000..96ce1cf8095
--- /dev/null
+++ b/queue-6.3/riscv-purgatory-remove-pgo-flags.patch
@@ -0,0 +1,59 @@
+From 88ac3bbcf73853880a9b2a65c67e6854390741cc Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Fri, 19 May 2023 16:47:39 +0200
+Subject: riscv/purgatory: remove PGO flags
+
+From: Ricardo Ribalda
+
+commit 88ac3bbcf73853880a9b2a65c67e6854390741cc upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-4-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda
+Acked-by: Palmer Dabbelt
+Cc:
+Cc: Albert Ou
+Cc: Baoquan He
+Cc: Borislav Petkov (AMD)
+Cc: Christophe Leroy
+Cc: Dave Hansen
+Cc: Dave Young
+Cc: Eric W. Biederman
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Michael Ellerman
+Cc: Nathan Chancellor
+Cc: Nicholas Piggin
+Cc: Nick Desaulniers
+Cc: Palmer Dabbelt
+Cc: Paul Walmsley
+Cc: Philipp Rudo
+Cc: Ross Zwisler
+Cc: Simon Horman
+Cc: Steven Rostedt (Google)
+Cc: Thomas Gleixner
+Cc: Tom Rix
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/riscv/purgatory/Makefile
++++ b/arch/riscv/purgatory/Makefile
+@@ -35,6 +35,11 @@ CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+ CFLAGS_string.o := -D__DISABLE_EXPORTS
+ CFLAGS_ctype.o := -D__DISABLE_EXPORTS
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ # When linking purgatory.ro with -r unresolved symbols are not checked,
+ # also link a purgatory.chk binary without -r to check for unresolved symbols.
+ PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib
diff --git a/queue-6.3/s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch b/queue-6.3/s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch
new file mode 100644
index 00000000000..e8efc53a580
--- /dev/null
+++ b/queue-6.3/s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch
@@ -0,0 +1,55 @@
+From 78d0f94902afce8ec2c7a60f600cc0e3729d7412 Mon Sep 17 00:00:00 2001
+From: Julian Ruess
+Date: Tue, 13 Jun 2023 14:25:37 +0200
+Subject: s390/ism: Fix trying to free already-freed IRQ by repeated ism_dev_exit()
+
+From: Julian Ruess
+
+commit 78d0f94902afce8ec2c7a60f600cc0e3729d7412 upstream.
+
+This patch prevents the system from crashing when unloading the ISM module.
+
+How to reproduce: Attach an ISM device and execute 'rmmod ism'.
+
+Error-Log:
+- Trying to free already-free IRQ 0
+- WARNING: CPU: 1 PID: 966 at kernel/irq/manage.c:1890 free_irq+0x140/0x540
+
+After calling ism_dev_exit() for each ISM device in the exit routine,
+pci_unregister_driver() will execute ism_remove() for each ISM device.
+Because ism_remove() also calls ism_dev_exit(),
+free_irq(pci_irq_vector(pdev, 0), ism) is called twice for each ISM
+device. This results in a crash with the error
+'Trying to free already-free IRQ'.
+
+In the exit routine, it is enough to call pci_unregister_driver()
+because it ensures that ism_dev_exit() is called once per
+ISM device.
+
+Cc: # 6.3+
+Fixes: 89e7d2ba61b7 ("net/ism: Add new API for client registration")
+Reviewed-by: Niklas Schnelle
+Signed-off-by: Julian Ruess
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/ism_drv.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/s390/net/ism_drv.c
++++ b/drivers/s390/net/ism_drv.c
+@@ -774,14 +774,6 @@ static int __init ism_init(void)
+
+ static void __exit ism_exit(void)
+ {
+- struct ism_dev *ism;
+-
+- mutex_lock(&ism_dev_list.mutex);
+- list_for_each_entry(ism, &ism_dev_list.list, list) {
+- ism_dev_exit(ism);
+- }
+- mutex_unlock(&ism_dev_list.mutex);
+-
+ pci_unregister_driver(&ism_driver);
+ debug_unregister(ism_debug_info);
+ }
diff --git a/queue-6.3/series b/queue-6.3/series
index 65d5416e5cf..9f7710525b1 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -42,3 +42,50 @@ drm-amd-amdgpu-fix-missing-buffer-object-unlock-in-f.patch
 io_uring-unlock-sqd-lock-before-sq-thread-release-cp.patch
 nvme-add-maxio-1602-to-bogus-nid-list.patch
 irqchip-gic-correctly-validate-of-quirk-descriptors.patch
+wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
+wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
+epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
+ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
+ocfs2-check-new-file-size-on-fallocate-call.patch
+zswap-do-not-shrink-if-cgroup-may-not-zswap.patch
+mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch
+nios2-dts-fix-tse_mac-max-frame-size-property.patch
+mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
+nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch
+nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch
+nilfs2-reject-devices-with-insufficient-block-count.patch
+loongarch-fix-debugfs_create_dir-error-checking.patch
+loongarch-fix-perf-event-id-calculation.patch
+io_uring-net-save-msghdr-msg_control-for-retries.patch
+revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch
+kexec-support-purgatories-with-.text.hot-sections.patch
+x86-purgatory-remove-pgo-flags.patch
+riscv-purgatory-remove-pgo-flags.patch
+powerpc-purgatory-remove-pgo-flags.patch
+btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch
+btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch
+btrfs-do-not-assert-on-duplicated-global-roots.patch
+btrfs-fix-iomap_begin-length-for-nocow-writes.patch
+btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch
+alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch
+alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
+s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch
+dm-thin-metadata-check-fail_io-before-using-data_sm.patch
+dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch
+net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch
+nouveau-fix-client-work-fence-deletion-race.patch
+mm-gup_test-fix-ioctl-fail-for-compat-task.patch
+rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
+drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch
+net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch
+drm-amd-display-limit-dpia-link-rate-to-hbr3.patch
+drm-amd-display-edp-do-not-add-non-edid-timings.patch
+drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch
+drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch
+drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch
+drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
+drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch
+drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch
+drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch
+drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch
+alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
diff --git a/queue-6.3/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch b/queue-6.3/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
new file mode 100644
index 00000000000..53857cf106d
--- /dev/null
+++ b/queue-6.3/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
@@ -0,0 +1,36 @@
+From 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 9 Jun 2023 13:48:44 +0300
+Subject: wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
+
+From: Dan Carpenter
+
+commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream.
+
+The locking was changed recently so now the caller holds the wiphy_lock()
+lock. Taking the lock inside the reg_wdev_chan_valid() function will
+lead to a deadlock.
+
+Fixes: f7e60032c661 ("wifi: cfg80211: fix locking in regulatory disconnect")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/40c4114a-6cb4-4abf-b013-300b598aba65@moroto.mountain
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2404,11 +2404,8 @@ static bool reg_wdev_chan_valid(struct w
+ case NL80211_IFTYPE_P2P_GO:
+ case NL80211_IFTYPE_ADHOC:
+ case NL80211_IFTYPE_MESH_POINT:
+- wiphy_lock(wiphy);
+ ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef,
+ iftype);
+- wiphy_unlock(wiphy);
+-
+ if (!ret)
+ return ret;
+ break;
diff --git a/queue-6.3/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch b/queue-6.3/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
new file mode 100644
index 00000000000..795dc522005
--- /dev/null
+++ b/queue-6.3/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
@@ -0,0 +1,36 @@
+From f7e60032c6618dfd643c7210d5cba2789e2de2e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 6 Jun 2023 14:34:48 +0200
+Subject: wifi: cfg80211: fix locking in regulatory disconnect
+
+From: Johannes Berg
+
+commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream.
+
+This should use wiphy_lock() now instead of requiring the
+RTNL, since __cfg80211_leave() via cfg80211_leave() is now
+requiring that lock to be held.
+
+Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2440,11 +2440,11 @@ static void reg_leave_invalid_chans(stru
+ struct wireless_dev *wdev;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+
+- ASSERT_RTNL();
+-
++ wiphy_lock(wiphy);
+ list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
+ if (!reg_wdev_chan_valid(wiphy, wdev))
+ cfg80211_leave(rdev, wdev);
++ wiphy_unlock(wiphy);
+ }
+
+ static void reg_check_chans_work(struct work_struct *work)
diff --git a/queue-6.3/x86-purgatory-remove-pgo-flags.patch b/queue-6.3/x86-purgatory-remove-pgo-flags.patch
new file mode 100644
index 00000000000..43550770ede
--- /dev/null
+++ b/queue-6.3/x86-purgatory-remove-pgo-flags.patch
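Review bot: reg_leave_invalid_chans() now holds `wiphy_lock()` across the call to reg_wdev_chan_valid(), and the companion patch on this page shows that function was taking the same lock itself, so this change deadlocks unless the double-lock fix is applied together with it. The series file does queue both, but either patch on its own leaves the locking wrong, so the pairing should be kept intact in any backport. To make the new contract checkable, add `lockdep_assert_wiphy(wiphy);` at the top of reg_wdev_chan_valid(), whose body is outside this hunk. Dropping `ASSERT_RTNL()` also removes the only stated locking requirement here, so a short comment that RTNL is no longer needed would help the next reader.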
@@ -0,0 +1,59 @@
+From 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Fri, 19 May 2023 16:47:37 +0200
+Subject: x86/purgatory: remove PGO flags
+
+From: Ricardo Ribalda
+
+commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-2-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda
+Cc:
+Cc: Albert Ou
+Cc: Baoquan He
+Cc: Borislav Petkov (AMD)
+Cc: Christophe Leroy
+Cc: Dave Hansen
+Cc: Dave Young
+Cc: Eric W. Biederman
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Michael Ellerman
+Cc: Nathan Chancellor
+Cc: Nicholas Piggin
+Cc: Nick Desaulniers
+Cc: Palmer Dabbelt
+Cc: Palmer Dabbelt
+Cc: Paul Walmsley
+Cc: Philipp Rudo
+Cc: Ross Zwisler
+Cc: Simon Horman
+Cc: Steven Rostedt (Google)
+Cc: Thomas Gleixner
+Cc: Tom Rix
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -14,6 +14,11 @@ $(obj)/sha256.o: $(srctree)/lib/crypto/s
+
+ CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ # When linking purgatory.ro with -r unresolved symbols are not checked,
+ # also link a purgatory.chk binary without -r to check for unresolved symbols.
+ PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib
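Review bot: The added `KBUILD_CFLAGS := $(filter-out ...)` line is a deny-list of exactly two patterns, `-fprofile-sample-use=%` and `-fprofile-use=%`, so any other option that reaches KBUILD_CFLAGS and makes the compiler emit extra text sections would presumably bring back the kexec crash with no build-time signal. The comment above it should state the invariant rather than only the trigger, for example `# kexec requires purgatory to have a single .text section; strip any flag that splits it.`. A build-time check on the linked purgatory object's section list would catch a regression before it reaches a kexec at runtime, though that is beyond what this hunk shows.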
diff --git a/queue-6.3/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch b/queue-6.3/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch
new file mode 100644
index 00000000000..c87ff13f27a
--- /dev/null
+++ b/queue-6.3/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch
@@ -0,0 +1,70 @@
+From 0bdf0efa180a9cb1361cbded4e2260a49306ac89 Mon Sep 17 00:00:00 2001
+From: Nhat Pham
+Date: Tue, 30 May 2023 15:24:40 -0700
+Subject: zswap: do not shrink if cgroup may not zswap
+
+From: Nhat Pham
+
+commit 0bdf0efa180a9cb1361cbded4e2260a49306ac89 upstream.
+
+Before storing a page, zswap first checks if the number of stored pages
+exceeds the limit specified by memory.zswap.max, for each cgroup in the
+hierarchy. If this limit is reached or exceeded, then zswap shrinking is
+triggered and short-circuits the store attempt.
+
+However, since the zswap's LRU is not memcg-aware, this can create the
+following pathological behavior: the cgroup whose zswap limit is 0 will
+evict pages from other cgroups continually, without lowering its own zswap
+usage. This means the shrinking will continue until the need for swap
+ceases or the pool becomes empty.
+
+As a result of this, we observe a disproportionate amount of zswap
+writeback and a perpetually small zswap pool in our experiments, even
+though the pool limit is never hit.
+
+More generally, a cgroup might unnecessarily evict pages from other
+cgroups before we drive the memcg back below its limit.
+
+This patch fixes the issue by rejecting zswap store attempt without
+shrinking the pool when obj_cgroup_may_zswap() returns false.
+
+[akpm@linux-foundation.org: fix return of unintialized value]
+[akpm@linux-foundation.org: s/ENOSPC/ENOMEM/]
+Link: https://lkml.kernel.org/r/20230530222440.2777700-1-nphamcs@gmail.com
+Link: https://lkml.kernel.org/r/20230530232435.3097106-1-nphamcs@gmail.com
+Fixes: f4840ccfca25 ("zswap: memcg accounting")
+Signed-off-by: Nhat Pham
+Cc: Dan Streetman
+Cc: Domenico Cerasuolo
+Cc: Johannes Weiner
+Cc: Seth Jennings
+Cc: Vitaly Wool
+Cc: Yosry Ahmed
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/zswap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -1141,9 +1141,16 @@ static int zswap_frontswap_store(unsigne
+ goto reject;
+ }
+
++ /*
++ * XXX: zswap reclaim does not work with cgroups yet. Without a
++ * cgroup-aware entry LRU, we will push out entries system-wide based on
++ * local cgroup limits.
++ */
+ objcg = get_obj_cgroup_from_page(page);
+- if (objcg && !obj_cgroup_may_zswap(objcg)) {
+- goto shrink;
++ if (objcg && !obj_cgroup_may_zswap(objcg)) {
++ ret = -ENOMEM;
++ goto reject;
++ }
+
+ /* reclaim space if needed */
+ if (zswap_is_full()) {
-- 
2.47.2
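Review bot: The new early exit `ret = -ENOMEM; goto reject;` is taken only after get_obj_cgroup_from_page() has returned a non-NULL objcg, so the reject label has to drop that reference, and the label lies outside this hunk. The branch previously went through shrink, so it is worth confirming that the direct jump still reaches the put. If reject does not release it, the branch needs `obj_cgroup_put(objcg);` before the goto, otherwise each refused store would leak one reference on the cgroup. zswap_frontswap_store() begins and continues outside the hunk.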