From c329f0cfb7b14209e093e1904b392bbac8bc5054 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 29 Sep 2025 15:41:16 +0200
Subject: [PATCH] 6.6-stable patches
added patches:
arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
---
...m-select-arm_gic_v3-for-arch_brcmstb.patch | 29 +++++
...ed-to-lru-in-migrate_device_finalize.patch | 116 ++++++++++++++++++
...ore-folio-in-migrate_device_finalize.patch | 95 ++++++++++++++
...rning-after-backport-of-ce971233242b.patch | 60 +++++++++
queue-6.6/series | 4 +
5 files changed, 304 insertions(+)
create mode 100644 queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
create mode 100644 queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
create mode 100644 queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
create mode 100644 queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
diff --git a/queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch b/queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
new file mode 100644
index 0000000000..12dfcbed35
--- /dev/null
+++ b/queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
@@ -0,0 +1,29 @@
+From 2b28fe75c7dbe7ec322e706eed4622964409e21d Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Fri, 26 Jul 2024 16:34:14 -0700
+Subject: ARM: bcm: Select ARM_GIC_V3 for ARCH_BRCMSTB
+
+From: Florian Fainelli
+
+commit 2b28fe75c7dbe7ec322e706eed4622964409e21d upstream.
+
+A number of recent Broadcom STB SoCs utilize a GIC-600 interrupt
+controller thus requiring the use of the GICv3 driver.
+
+Link: https://lore.kernel.org/r/20240726233414.2305526-1-florian.fainelli@broadcom.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-bcm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-bcm/Kconfig
++++ b/arch/arm/mach-bcm/Kconfig
+@@ -186,6 +186,7 @@ config ARCH_BRCMSTB
+ select ARCH_HAS_RESET_CONTROLLER
+ select ARM_AMBA
+ select ARM_GIC
++ select ARM_GIC_V3
+ select ARM_ERRATA_798181 if SMP
+ select HAVE_ARM_ARCH_TIMER
+ select ZONE_DMA if ARM_LPAE
diff --git a/queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch b/queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
new file mode 100644
index 0000000000..9962a56466
--- /dev/null
+++ b/queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
@@ -0,0 +1,116 @@
+From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Mon, 10 Feb 2025 17:13:17 +0100
+Subject: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Hildenbrand
+
+commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf upstream.
+
+If migration succeeded, we called
+folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
+old to the new folio. This will set memcg_data of the old folio to 0.
+
+Similarly, if migration failed, memcg_data of the dst folio is left unset.
+
+If we call folio_putback_lru() on such folios (memcg_data == 0), we will
+add the folio to be freed to the LRU, making memcg code unhappy. Running
+the hmm selftests:
+
+ # ./hmm-tests
+ ...
+ # RUN hmm.hmm_device_private.migrate ...
+ [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
+ [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
+ [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
+ [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
+ [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
+ [ 102.087230][T14893] ------------[ cut here ]------------
+ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.090478][T14893] Modules linked in:
+ [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
+ [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+ [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.096104][T14893] Code: ...
+ [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
+ [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
+ [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
+ [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+ [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
+ [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
+ [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
+ [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
+ [ 102.113478][T14893] PKRU: 55555554
+ [ 102.114172][T14893] Call Trace:
+ [ 102.114805][T14893]
+ [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.116547][T14893] ? __warn.cold+0x110/0x210
+ [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.118667][T14893] ? report_bug+0x1b9/0x320
+ [ 102.119571][T14893] ? handle_bug+0x54/0x90
+ [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50
+ [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20
+ [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0
+ [ 102.123506][T14893] ? dump_page+0x4f/0x60
+ [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200
+ [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10
+ [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720
+ [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10
+ [ 102.129550][T14893] folio_putback_lru+0x16/0x80
+ [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530
+ [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
+ [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80
+
+Likely, nothing else goes wrong: putting the last folio reference will
+remove the folio from the LRU again. So besides memcg complaining, adding
+the folio to be freed to the LRU is just an unnecessary step.
+
+The new flow resembles what we have in migrate_folio_move(): add the dst
+to the lru, remove migration ptes, unlock and unref dst.
+
+Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com
+Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory")
+Signed-off-by: David Hildenbrand
+Cc: Jérôme Glisse
+Cc: John Hubbard
+Cc: Alistair Popple
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: David Hildenbrand
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate_device.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/mm/migrate_device.c
++++ b/mm/migrate_device.c
+@@ -839,20 +839,15 @@ void migrate_device_finalize(unsigned lo
+ dst = src;
+ }
+
++ if (!folio_is_zone_device(dst))
++ folio_add_lru(dst);
+ remove_migration_ptes(src, dst, false);
+ folio_unlock(src);
+-
+- if (folio_is_zone_device(src))
+- folio_put(src);
+- else
+- folio_putback_lru(src);
++ folio_put(src);
+
+ if (dst != src) {
+ folio_unlock(dst);
+- if (folio_is_zone_device(dst))
+- folio_put(dst);
+- else
+- folio_putback_lru(dst);
++ folio_put(dst);
+ }
+ }
+ }
diff --git a/queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch b/queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
new file mode 100644
index 0000000000..ccd32abefb
--- /dev/null
+++ b/queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
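Review bot: The new `folio_add_lru(dst)` call in migrate_device_finalize() (the don't-add-folio-to-be-freed patch) relies on an invariant that the code never states: on the failure path the context line `dst = src;` makes dst the original folio, so this one call is what returns a non-migrated source folio to the LRU, while a successfully migrated-away src is only unlocked and unref'd. A comment above the check would keep a later edit from reintroducing an LRU add for a folio that is about to be freed, for example `/* dst == src if migration failed; a migrated-away src has memcg_data == 0 and must only be unref'd, never put back on the LRU */`. The loop body starts outside the hunk, so the earlier paths that assign dst are not visible here.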
@@ -0,0 +1,95 @@
+From 58bf8c2bf47550bc94fea9cafd2bc7304d97102c Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Mon, 26 Aug 2024 14:58:12 +0800
+Subject: mm: migrate_device: use more folio in migrate_device_finalize()
+
+From: Kefeng Wang
+
+commit 58bf8c2bf47550bc94fea9cafd2bc7304d97102c upstream.
+
+Saves a couple of calls to compound_head() and remove last two callers of
+putback_lru_page().
+
+Link: https://lkml.kernel.org/r/20240826065814.1336616-5-wangkefeng.wang@huawei.com
+Signed-off-by: Kefeng Wang
+Reviewed-by: Vishal Moola (Oracle)
+Reviewed-by: Alistair Popple
+Cc: Baolin Wang
+Cc: David Hildenbrand
+Cc: Jonathan Corbet
+Cc: Matthew Wilcox (Oracle)
+Cc: Zi Yan
+Signed-off-by: Andrew Morton
+Signed-off-by: David Hildenbrand
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate_device.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+--- a/mm/migrate_device.c
++++ b/mm/migrate_device.c
+@@ -814,42 +814,45 @@ void migrate_device_finalize(unsigned lo
+ unsigned long i;
+
+ for (i = 0; i < npages; i++) {
+- struct folio *dst, *src;
++ struct folio *dst = NULL, *src = NULL;
+ struct page *newpage = migrate_pfn_to_page(dst_pfns[i]);
+ struct page *page = migrate_pfn_to_page(src_pfns[i]);
+
++ if (newpage)
++ dst = page_folio(newpage);
++
+ if (!page) {
+- if (newpage) {
+- unlock_page(newpage);
+- put_page(newpage);
++ if (dst) {
++ folio_unlock(dst);
++ folio_put(dst);
+ }
+ continue;
+ }
+
+- if (!(src_pfns[i] & MIGRATE_PFN_MIGRATE) || !newpage) {
+- if (newpage) {
+- unlock_page(newpage);
+- put_page(newpage);
++ src = page_folio(page);
++
++ if (!(src_pfns[i] & MIGRATE_PFN_MIGRATE) || !dst) {
++ if (dst) {
++ folio_unlock(dst);
++ folio_put(dst);
+ }
+- newpage = page;
++ dst = src;
+ }
+
+- src = page_folio(page);
+- dst = page_folio(newpage);
+ remove_migration_ptes(src, dst, false);
+ folio_unlock(src);
+
+- if (is_zone_device_page(page))
+- put_page(page);
++ if (folio_is_zone_device(src))
++ folio_put(src);
+ else
+- putback_lru_page(page);
++ folio_putback_lru(src);
+
+- if (newpage != page) {
+- unlock_page(newpage);
+- if (is_zone_device_page(newpage))
+- put_page(newpage);
++ if (dst != src) {
++ folio_unlock(dst);
++ if (folio_is_zone_device(dst))
++ folio_put(dst);
+ else
+- putback_lru_page(newpage);
++ folio_putback_lru(dst);
+ }
+ }
+ }
diff --git a/queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch b/queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
new file mode 100644
index 0000000000..cdbe32b9d8
--- /dev/null
+++ b/queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
@@ -0,0 +1,60 @@
+From nathan@kernel.org Mon Sep 29 15:28:48 2025
+From: Nathan Chancellor
+Date: Mon, 22 Sep 2025 14:15:50 -0700
+Subject: s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b
+To: Greg Kroah-Hartman , Sasha Levin
+Cc: stable@vger.kernel.org, linux-s390@vger.kernel.org, Nathan Chancellor
+Message-ID: <20250922-6-6-s390-cpum_cf-fix-uninit-err-v1-1-5183aa9af417@kernel.org>
+
+From: Nathan Chancellor
+
+Upstream commit ce971233242b ("s390/cpum_cf: Deny all sampling events by
+counter PMU"), backported to 6.6 as commit d660c8d8142e ("s390/cpum_cf:
+Deny all sampling events by counter PMU"), implicitly depends on the
+unconditional initialization of err to -ENOENT added by upstream
+commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()"). The latter change is missing from 6.6,
+resulting in an instance of -Wuninitialized, which is fairly obvious
+from looking at the actual diff.
+
+ arch/s390/kernel/perf_cpum_cf.c:858:10: warning: variable 'err' is uninitialized when used here [-Wuninitialized]
+ 858 | return err;
+ | ^~~
+
+Commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()") depends on commit c70ca298036c ("perf/core:
+Simplify the perf_event_alloc() error path"), which is a part of a much
+larger series unsuitable for stable.
+
+Extract the unconditional initialization of err to -ENOENT from
+commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()") and apply it to 6.6 as a standalone change to
+resolve the warning.
+
+Fixes: d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU")
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/perf_cpum_cf.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -852,7 +852,7 @@ static int cpumf_pmu_event_type(struct p
+ static int cpumf_pmu_event_init(struct perf_event *event)
+ {
+ unsigned int type = event->attr.type;
+- int err;
++ int err = -ENOENT;
+
+ if (is_sampling_event(event)) /* No sampling support */
+ return err;
+@@ -861,8 +861,6 @@ static int cpumf_pmu_event_init(struct p
+ else if (event->pmu->type == type)
+ /* Registered as unknown PMU */
+ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
+- else
+- return -ENOENT;
+
+ if (unlikely(err) && event->destroy)
+ event->destroy(event);
diff --git a/queue-6.6/series b/queue-6.6/series
index 69b462bc96..d4df43fa5c 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -68,3 +68,7 @@ kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
 mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch
 fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch
 fbcon-fix-oob-access-in-font-allocation.patch
+s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
+arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
+mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
+mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
--
2.47.3
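Review bot: Dropping `else return -ENOENT;` in cpumf_pmu_event_init() changes more than the warning fix needs: when neither type branch matches, err stays -ENOENT and control now falls through to `if (unlikely(err) && event->destroy) event->destroy(event);`, which the old early return skipped. The description says only the initialization of err is extracted, and it names the source commit as a double-free fix that depends on a perf core error-path rework absent from 6.6, so whether `event->destroy` can already be set on this path should be confirmed against the 6.6 callers. If that cannot be ruled out, keeping the early return next to `int err = -ENOENT;` resolves -Wuninitialized without touching the cleanup path. The first branch of the if/else chain and the end of the function are outside the hunks.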