Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Tue, 20 Feb 2024 01:25:47 +0000 (20:25 -0500)
committerSasha Levin <sashal@kernel.org>
Tue, 20 Feb 2024 01:25:47 +0000 (20:25 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462 [new file with mode: 0644]
queue-5.4/bus-moxtet-add-spi-device-table.patch-27471 [new file with mode: 0644]
queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468 [new file with mode: 0644]
queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655 [new file with mode: 0644]
queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943 [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462 b/queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462
new file mode 100644 (file)
index 0000000..205a4cb
--- /dev/null
@@ -0,0 +1,155 @@
+From 74b2661bbbf0bb2c8a96af1637c1d39b02754f0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:42:55 -0700
+Subject: arch, mm: remove stale mentions of DISCONIGMEM
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+[ Upstream commit d3c251ab95b69f3dc189c4657baeac1b4c050789 ]
+
+There are several places that mention DISCONIGMEM in comments or have
+stale code guarded by CONFIG_DISCONTIGMEM.
+
+Remove the dead code and update the comments.
+
+Link: https://lkml.kernel.org/r/20210608091316.3622-7-rppt@kernel.org
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: e1a9ae457369 ("mips: Fix max_mapnr being uninitialized on early stages")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/kernel/topology.c     | 5 ++---
+ arch/ia64/mm/numa.c             | 5 ++---
+ arch/mips/include/asm/mmzone.h  | 6 ------
+ arch/mips/mm/init.c             | 3 ---
+ arch/nds32/include/asm/memory.h | 6 ------
+ arch/xtensa/include/asm/page.h  | 4 ----
+ include/linux/gfp.h             | 4 ++--
+ 7 files changed, 6 insertions(+), 27 deletions(-)
+
+diff --git a/arch/ia64/kernel/topology.c b/arch/ia64/kernel/topology.c
+index 09fc385c2acd..3639e0a7cb3b 100644
+--- a/arch/ia64/kernel/topology.c
++++ b/arch/ia64/kernel/topology.c
+@@ -3,9 +3,8 @@
+  * License.  See the file "COPYING" in the main directory of this archive
+  * for more details.
+  *
+- * This file contains NUMA specific variables and functions which can
+- * be split away from DISCONTIGMEM and are used on NUMA machines with
+- * contiguous memory.
++ * This file contains NUMA specific variables and functions which are used on
++ * NUMA machines with contiguous memory.
+  *            2002/08/07 Erich Focht <efocht@ess.nec.de>
+  * Populate cpu entries in sysfs for non-numa systems as well
+  *    Intel Corporation - Ashok Raj
+diff --git a/arch/ia64/mm/numa.c b/arch/ia64/mm/numa.c
+index 5e1015eb6d0d..ad6837d00e7d 100644
+--- a/arch/ia64/mm/numa.c
++++ b/arch/ia64/mm/numa.c
+@@ -3,9 +3,8 @@
+  * License.  See the file "COPYING" in the main directory of this archive
+  * for more details.
+  *
+- * This file contains NUMA specific variables and functions which can
+- * be split away from DISCONTIGMEM and are used on NUMA machines with
+- * contiguous memory.
++ * This file contains NUMA specific variables and functions which are used on
++ * NUMA machines with contiguous memory.
+  * 
+  *                         2002/08/07 Erich Focht <efocht@ess.nec.de>
+  */
+diff --git a/arch/mips/include/asm/mmzone.h b/arch/mips/include/asm/mmzone.h
+index b826b8473e95..7649ab45e80c 100644
+--- a/arch/mips/include/asm/mmzone.h
++++ b/arch/mips/include/asm/mmzone.h
+@@ -20,10 +20,4 @@
+ #define nid_to_addrbase(nid) 0
+ #endif
+-#ifdef CONFIG_DISCONTIGMEM
+-
+-#define pfn_to_nid(pfn)               pa_to_nid((pfn) << PAGE_SHIFT)
+-
+-#endif /* CONFIG_DISCONTIGMEM */
+-
+ #endif /* _ASM_MMZONE_H_ */
+diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
+index a73899933505..dee6a790d42d 100644
+--- a/arch/mips/mm/init.c
++++ b/arch/mips/mm/init.c
+@@ -453,9 +453,6 @@ void __init mem_init(void)
+       BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT));
+ #ifdef CONFIG_HIGHMEM
+-#ifdef CONFIG_DISCONTIGMEM
+-#error "CONFIG_HIGHMEM and CONFIG_DISCONTIGMEM dont work together yet"
+-#endif
+       max_mapnr = highend_pfn ? highend_pfn : max_low_pfn;
+ #else
+       max_mapnr = max_low_pfn;
+diff --git a/arch/nds32/include/asm/memory.h b/arch/nds32/include/asm/memory.h
+index 940d32842793..62faafbc28e4 100644
+--- a/arch/nds32/include/asm/memory.h
++++ b/arch/nds32/include/asm/memory.h
+@@ -76,18 +76,12 @@
+  *  virt_to_page(k)   convert a _valid_ virtual address to struct page *
+  *  virt_addr_valid(k)        indicates whether a virtual address is valid
+  */
+-#ifndef CONFIG_DISCONTIGMEM
+-
+ #define ARCH_PFN_OFFSET               PHYS_PFN_OFFSET
+ #define pfn_valid(pfn)                ((pfn) >= PHYS_PFN_OFFSET && (pfn) < (PHYS_PFN_OFFSET + max_mapnr))
+ #define virt_to_page(kaddr)   (pfn_to_page(__pa(kaddr) >> PAGE_SHIFT))
+ #define virt_addr_valid(kaddr)        ((unsigned long)(kaddr) >= PAGE_OFFSET && (unsigned long)(kaddr) < (unsigned long)high_memory)
+-#else /* CONFIG_DISCONTIGMEM */
+-#error CONFIG_DISCONTIGMEM is not supported yet.
+-#endif /* !CONFIG_DISCONTIGMEM */
+-
+ #define page_to_phys(page)    (page_to_pfn(page) << PAGE_SHIFT)
+ #endif
+diff --git a/arch/xtensa/include/asm/page.h b/arch/xtensa/include/asm/page.h
+index 09c56cba442e..5a42d663612b 100644
+--- a/arch/xtensa/include/asm/page.h
++++ b/arch/xtensa/include/asm/page.h
+@@ -181,10 +181,6 @@ static inline unsigned long ___pa(unsigned long va)
+ #define pfn_valid(pfn) \
+       ((pfn) >= ARCH_PFN_OFFSET && ((pfn) - ARCH_PFN_OFFSET) < max_mapnr)
+-#ifdef CONFIG_DISCONTIGMEM
+-# error CONFIG_DISCONTIGMEM not supported
+-#endif
+-
+ #define virt_to_page(kaddr)   pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
+ #define page_to_virt(page)    __va(page_to_pfn(page) << PAGE_SHIFT)
+ #define virt_addr_valid(kaddr)        pfn_valid(__pa(kaddr) >> PAGE_SHIFT)
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index 61f2f6ff9467..c89f8456f18d 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -471,8 +471,8 @@ static inline int gfp_zonelist(gfp_t flags)
+  * There are two zonelists per node, one for all zones with memory and
+  * one containing just zones from the node the zonelist belongs to.
+  *
+- * For the normal case of non-DISCONTIGMEM systems the NODE_DATA() gets
+- * optimized to &contig_page_data at compile-time.
++ * For the case of non-NUMA systems the NODE_DATA() gets optimized to
++ * &contig_page_data at compile-time.
+  */
+ static inline struct zonelist *node_zonelist(int nid, gfp_t flags)
+ {
+-- 
+2.43.0
+
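Review bot: The removal of `pfn_to_nid()` under `#ifdef CONFIG_DISCONTIGMEM` in arch/mips/include/asm/mmzone.h, and of the `#error` guards in arch/mips/mm/init.c, arch/nds32/include/asm/memory.h and arch/xtensa/include/asm/page.h, is only safe if CONFIG_DISCONTIGMEM cannot be selected for those architectures in the 5.4 tree, and nothing on this page shows that. The upstream commit dates from 2021 and calls the code stale for the tree it was written against; on an older base the same lines may still be live. In that case dropping `pfn_to_nid()` would break the build, and dropping an `#error` would let an unsupported configuration compile silently. Since the patch is queued only as a Stable-dep-of for the max_mapnr fix, it is worth checking the 5.4 Kconfig files before it ships.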
diff --git a/queue-5.4/bus-moxtet-add-spi-device-table.patch-27471 b/queue-5.4/bus-moxtet-add-spi-device-table.patch-27471
new file mode 100644 (file)
index 0000000..25148f1
--- /dev/null
@@ -0,0 +1,52 @@
+From bdf9b92aeed22ea19d6be05d65681228926f8f13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 22:35:05 +0100
+Subject: bus: moxtet: Add spi device table
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sjoerd Simons <sjoerd@collabora.com>
+
+[ Upstream commit aaafe88d5500ba18b33be72458439367ef878788 ]
+
+The moxtet module fails to auto-load on. Add a SPI id table to
+allow it to do so.
+
+Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
+Cc:  <stable@vger.kernel.org>
+Reviewed-by: Marek BehĂșn <kabel@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/moxtet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c
+index 68413bf9cf87..d87f698d38a3 100644
+--- a/drivers/bus/moxtet.c
++++ b/drivers/bus/moxtet.c
+@@ -833,6 +833,12 @@ static int moxtet_remove(struct spi_device *spi)
+       return 0;
+ }
++static const struct spi_device_id moxtet_spi_ids[] = {
++      { "moxtet" },
++      { },
++};
++MODULE_DEVICE_TABLE(spi, moxtet_spi_ids);
++
+ static const struct of_device_id moxtet_dt_ids[] = {
+       { .compatible = "cznic,moxtet" },
+       {},
+@@ -844,6 +850,7 @@ static struct spi_driver moxtet_spi_driver = {
+               .name           = "moxtet",
+               .of_match_table = moxtet_dt_ids,
+       },
++      .id_table       = moxtet_spi_ids,
+       .probe          = moxtet_probe,
+       .remove         = moxtet_remove,
+ };
+-- 
+2.43.0
+
diff --git a/queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468 b/queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468
new file mode 100644 (file)
index 0000000..c6158fd
--- /dev/null
@@ -0,0 +1,54 @@
+From 826e81a49aa06cbc43fdea586f2df27f55de94a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 18:32:32 +0000
+Subject: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
+
+From: Oliver Upton <oliver.upton@linux.dev>
+
+[ Upstream commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f ]
+
+There is a potential UAF scenario in the case of an LPI translation
+cache hit racing with an operation that invalidates the cache, such
+as a DISCARD ITS command. The root of the problem is that
+vgic_its_check_cache() does not elevate the refcount on the vgic_irq
+before dropping the lock that serializes refcount changes.
+
+Have vgic_its_check_cache() raise the refcount on the returned vgic_irq
+and add the corresponding decrement after queueing the interrupt.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index e06bb8ed7688..0533881bd2ab 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -581,7 +581,11 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db,
+       unsigned long flags;
+       raw_spin_lock_irqsave(&dist->lpi_list_lock, flags);
++
+       irq = __vgic_its_check_cache(dist, db, devid, eventid);
++      if (irq)
++              vgic_get_irq_kref(irq);
++
+       raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags);
+       return irq;
+@@ -761,6 +765,7 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi)
+       raw_spin_lock_irqsave(&irq->irq_lock, flags);
+       irq->pending_latch = true;
+       vgic_queue_irq_unlock(kvm, irq, flags);
++      vgic_put_irq(kvm, irq);
+       return 0;
+ }
+-- 
+2.43.0
+
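Review bot: After this change vgic_its_check_cache() returns the vgic_irq with a reference held, but the new code records that contract nowhere, so the pairing with the `vgic_put_irq(kvm, irq);` added at the end of vgic_its_inject_cached_translation() is visible only by reading both hunks together. A short comment above vgic_its_check_cache(), such as `/* On a hit the irq is returned with its refcount raised; the caller must vgic_put_irq() it. */`, would keep a later caller from reintroducing the use-after-free or leaking the reference. Both function bodies begin outside the hunks, so other callers of vgic_its_check_cache() and any early return in the inject path of the 5.4 tree cannot be seen from here. They should be checked for a matching put.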
diff --git a/queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655 b/queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655
new file mode 100644 (file)
index 0000000..1741d77
--- /dev/null
@@ -0,0 +1,91 @@
+From d15379b67f2e35eb6ba210ec5a3bc499dd8ff462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Dec 2023 14:14:20 +0300
+Subject: mips: Fix max_mapnr being uninitialized on early stages
+
+From: Serge Semin <fancer.lancer@gmail.com>
+
+[ Upstream commit e1a9ae45736989c972a8d1c151bc390678ae6205 ]
+
+max_mapnr variable is utilized in the pfn_valid() method in order to
+determine the upper PFN space boundary. Having it uninitialized
+effectively makes any PFN passed to that method invalid. That in its turn
+causes the kernel mm-subsystem occasion malfunctions even after the
+max_mapnr variable is actually properly updated. For instance,
+pfn_valid() is called in the init_unavailable_range() method in the
+framework of the calls-chain on MIPS:
+setup_arch()
++-> paging_init()
+    +-> free_area_init()
+        +-> memmap_init()
+            +-> memmap_init_zone_range()
+                +-> init_unavailable_range()
+
+Since pfn_valid() always returns "false" value before max_mapnr is
+initialized in the mem_init() method, any flatmem page-holes will be left
+in the poisoned/uninitialized state including the IO-memory pages. Thus
+any further attempts to map/remap the IO-memory by using MMU may fail.
+In particular it happened in my case on attempt to map the SRAM region.
+The kernel bootup procedure just crashed on the unhandled unaligned access
+bug raised in the __update_cache() method:
+
+> Unhandled kernel unaligned access[#1]:
+> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-XXX-dirty #2056
+> ...
+> Call Trace:
+> [<8011ef9c>] __update_cache+0x88/0x1bc
+> [<80385944>] ioremap_page_range+0x110/0x2a4
+> [<80126948>] ioremap_prot+0x17c/0x1f4
+> [<80711b80>] __devm_ioremap+0x8c/0x120
+> [<80711e0c>] __devm_ioremap_resource+0xf4/0x218
+> [<808bf244>] sram_probe+0x4f4/0x930
+> [<80889d20>] platform_probe+0x68/0xec
+> ...
+
+Let's fix the problem by initializing the max_mapnr variable as soon as
+the required data is available. In particular it can be done right in the
+paging_init() method before free_area_init() is called since all the PFN
+zone boundaries have already been calculated by that time.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/init.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
+index dee6a790d42d..800cc5bc7a38 100644
+--- a/arch/mips/mm/init.c
++++ b/arch/mips/mm/init.c
+@@ -416,7 +416,12 @@ void __init paging_init(void)
+                      (highend_pfn - max_low_pfn) << (PAGE_SHIFT - 10));
+               max_zone_pfns[ZONE_HIGHMEM] = max_low_pfn;
+       }
++
++      max_mapnr = highend_pfn ? highend_pfn : max_low_pfn;
++#else
++      max_mapnr = max_low_pfn;
+ #endif
++      high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT);
+       free_area_init_nodes(max_zone_pfns);
+ }
+@@ -452,13 +457,6 @@ void __init mem_init(void)
+        */
+       BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT));
+-#ifdef CONFIG_HIGHMEM
+-      max_mapnr = highend_pfn ? highend_pfn : max_low_pfn;
+-#else
+-      max_mapnr = max_low_pfn;
+-#endif
+-      high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT);
+-
+       maar_init();
+       memblock_free_all();
+       setup_zero_pages();     /* Setup zeroed pages.  */
+-- 
+2.43.0
+
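Review bot: The assignments moved into paging_init() now have an ordering requirement, since they must run before `free_area_init_nodes(max_zone_pfns);`, and nothing in the code says so; the reason lives only in the commit message. A comment above the new block, for example `/* pfn_valid() relies on max_mapnr, so set it before the memmap is initialised. */`, would stop a later cleanup from moving them back to mem_init(). The message describes a call chain through free_area_init() and init_unavailable_range(), while this tree calls free_area_init_nodes(), so it would be good to confirm that the 5.4 path hits the same pfn_valid() dependency. paging_init() and mem_init() both start outside the hunks.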
diff --git a/queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943 b/queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943
new file mode 100644 (file)
index 0000000..39ef00e
--- /dev/null
@@ -0,0 +1,72 @@
+From 517cdda26555fd4432124e166a10139065de5a41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Nov 2023 10:22:16 -0800
+Subject: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+[ Upstream commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d ]
+
+This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.
+
+That commit introduced the following race and can cause system hung.
+
+ md_write_start:             raid5d:
+ // mddev->in_sync == 1
+ set "MD_SB_CHANGE_PENDING"
+                            // running before md_write_start wakeup it
+                             waiting "MD_SB_CHANGE_PENDING" cleared
+                             >>>>>>>>> hung
+ wakeup mddev->thread
+ ...
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>> hung, raid5d should clear this flag
+ but get hung by same flag.
+
+The issue reverted commit fixing is fixed by last patch in a new way.
+
+Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d")
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index f3d60c4b34b8..0bea103f63d5 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -36,7 +36,6 @@
+  */
+ #include <linux/blkdev.h>
+-#include <linux/delay.h>
+ #include <linux/kthread.h>
+ #include <linux/raid/pq.h>
+ #include <linux/async_tx.h>
+@@ -6335,18 +6334,7 @@ static void raid5d(struct md_thread *thread)
+                       spin_unlock_irq(&conf->device_lock);
+                       md_check_recovery(mddev);
+                       spin_lock_irq(&conf->device_lock);
+-
+-                      /*
+-                       * Waiting on MD_SB_CHANGE_PENDING below may deadlock
+-                       * seeing md_check_recovery() is needed to clear
+-                       * the flag when using mdmon.
+-                       */
+-                      continue;
+               }
+-
+-              wait_event_lock_irq(mddev->sb_wait,
+-                      !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
+-                      conf->device_lock);
+       }
+       pr_debug("%d stripes handled\n", handled);
+-- 
+2.43.0
+
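Review bot: The commit message says the problem the reverted change addressed is "fixed by last patch in a new way", but no such companion patch is among the files this queue commit adds, and the stable tag in the message reads `# v5.19+` while the patch is being queued for 5.4. Removing the `wait_event_lock_irq()` on MD_SB_CHANGE_PENDING from raid5d() without the replacement fix would presumably bring back whatever problem the original commit was written for. Before taking the revert alone, it is worth confirming that commit 5e2cf333b7bd is actually present in the 5.4 branch and that the follow-up fix is already in or queued for it.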
index fd80d498f6fe26b04a0b51d91c177d956450bf10..152e7ba73d4c0073c9dc3d38b8dc5c66ecae226c 100644 (file)
@@ -250,3 +250,8 @@ bus-moxtet-add-spi-device-table.patch
 arch-mm-remove-stale-mentions-of-disconigmem.patch
 mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch
 kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch
+revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943
+bus-moxtet-add-spi-device-table.patch-27471
+arch-mm-remove-stale-mentions-of-disconigmem.patch-24462
+mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655
+kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468
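Review bot: Four of the five entries added here have the same base name as entries already at the end of the series (the `bus-moxtet-…`, `arch-mm-…`, `mips-fix-…` and `kvm-arm64-…` lines shown as context), differing only by a numeric suffix after `.patch`. If the suffixed files carry the same patches, as their names and the file list suggest, the series would try to apply each change twice. That either fails outright or, where a hunk still applies with fuzz, could duplicate lines such as the `vgic_put_irq()` call. The suffixed names also no longer end in `.patch`, which looks like an artifact of the tooling that generated the commit. Only `revert-md-raid5-…` appears to be new, so the other four additions and their files should probably be dropped.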