From: Sasha Levin Date: Mon, 30 Sep 2024 23:03:11 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.6.54~132 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=824a8d6de01f75f3f34a29251b4040be4b216930;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/abi-testing-fix-admv8818-attr-description.patch b/queue-6.6/abi-testing-fix-admv8818-attr-description.patch new file mode 100644 index 00000000000..1fa7f4e7274 --- /dev/null +++ b/queue-6.6/abi-testing-fix-admv8818-attr-description.patch @@ -0,0 +1,37 @@ +From 570dec481de370b3a1aec178dc7de73572d87dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 11:18:50 +0300 +Subject: ABI: testing: fix admv8818 attr description + +From: Antoniu Miclaus + +[ Upstream commit 7d34b4ad8cd2867b130b5b8d7d76d0d6092bd019 ] + +Fix description of the filter_mode_available attribute by pointing to +the correct name of the attribute that can be written with valid values. + +Fixes: bf92d87d7c67 ("iio:filter:admv8818: Add sysfs ABI documentation") +Signed-off-by: Antoniu Miclaus +Link: https://patch.msgid.link/20240702081851.4663-1-antoniu.miclaus@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 +index 31dbb390573ff..c431f0a13cf50 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 ++++ b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 +@@ -3,7 +3,7 @@ KernelVersion: + Contact: linux-iio@vger.kernel.org + Description: + Reading this returns the valid values that can be written to the +- on_altvoltage0_mode attribute: ++ filter_mode attribute: + + - auto -> Adjust bandpass filter to track changes in input clock rate. + - manual -> disable/unregister the clock rate notifier / input clock tracking. +-- +2.43.0 + diff --git a/queue-6.6/acpi-cppc-fix-mask_val-usage.patch b/queue-6.6/acpi-cppc-fix-mask_val-usage.patch new file mode 100644 index 00000000000..c22640e9653 --- /dev/null +++ b/queue-6.6/acpi-cppc-fix-mask_val-usage.patch @@ -0,0 +1,147 @@ +From 584bd4b2b307029affb673783cf753fc2599dbfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 12:16:44 +0200 +Subject: ACPI: CPPC: Fix MASK_VAL() usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 60949b7b805424f21326b450ca4f1806c06d982e ] + +MASK_VAL() was added as a way to handle bit_offset and bit_width for +registers located in system memory address space. However, while suited +for reading, it does not work for writing and result in corrupted +registers when writing values with bit_offset > 0. Moreover, when a +register is collocated with another one at the same address but with a +different mask, the current code results in the other registers being +overwritten with 0s. The write procedure for SYSTEM_MEMORY registers +should actually read the value, mask it, update it and write it with the +updated value. Moreover, since registers can be located in the same +word, we must take care of locking the access before doing it. We should +potentially use a global lock since we don't know in if register +addresses aren't shared with another _CPC package but better not +encourage vendors to do so. Assume that registers can use the same word +inside a _CPC package and thus, use a per _CPC package lock. + +Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") +Signed-off-by: Clément Léger +Link: https://patch.msgid.link/20240826101648.95654-1-cleger@rivosinc.com +[ rjw: Dropped redundant semicolon ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/cppc_acpi.c | 43 ++++++++++++++++++++++++++++++++++++---- + include/acpi/cppc_acpi.h | 2 ++ + 2 files changed, 41 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c +index d6934ba7a3154..28217a995f795 100644 +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -167,8 +167,11 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time); + #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width) + + /* Shift and apply the mask for CPC reads/writes */ +-#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \ ++#define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) & \ + GENMASK(((reg)->bit_width) - 1, 0)) ++#define MASK_VAL_WRITE(reg, prev_val, val) \ ++ ((((val) & GENMASK(((reg)->bit_width) - 1, 0)) << (reg)->bit_offset) | \ ++ ((prev_val) & ~(GENMASK(((reg)->bit_width) - 1, 0) << (reg)->bit_offset))) \ + + static ssize_t show_feedback_ctrs(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) +@@ -852,6 +855,7 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr) + + /* Store CPU Logical ID */ + cpc_ptr->cpu_id = pr->id; ++ spin_lock_init(&cpc_ptr->rmw_lock); + + /* Parse PSD data for this CPU */ + ret = acpi_get_psd(cpc_ptr, handle); +@@ -1057,7 +1061,7 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) + } + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) +- *val = MASK_VAL(reg, *val); ++ *val = MASK_VAL_READ(reg, *val); + + return 0; + } +@@ -1066,9 +1070,11 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) + { + int ret_val = 0; + int size; ++ u64 prev_val; + void __iomem *vaddr = NULL; + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; ++ struct cpc_desc *cpc_desc; + + size = GET_BIT_WIDTH(reg); + +@@ -1101,8 +1107,34 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) + return acpi_os_write_memory((acpi_physical_address)reg->address, + val, size); + +- if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) +- val = MASK_VAL(reg, val); ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { ++ cpc_desc = per_cpu(cpc_desc_ptr, cpu); ++ if (!cpc_desc) { ++ pr_debug("No CPC descriptor for CPU:%d\n", cpu); ++ return -ENODEV; ++ } ++ ++ spin_lock(&cpc_desc->rmw_lock); ++ switch (size) { ++ case 8: ++ prev_val = readb_relaxed(vaddr); ++ break; ++ case 16: ++ prev_val = readw_relaxed(vaddr); ++ break; ++ case 32: ++ prev_val = readl_relaxed(vaddr); ++ break; ++ case 64: ++ prev_val = readq_relaxed(vaddr); ++ break; ++ default: ++ spin_unlock(&cpc_desc->rmw_lock); ++ return -EFAULT; ++ } ++ val = MASK_VAL_WRITE(reg, prev_val, val); ++ val |= prev_val; ++ } + + switch (size) { + case 8: +@@ -1129,6 +1161,9 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) + break; + } + ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ spin_unlock(&cpc_desc->rmw_lock); ++ + return ret_val; + } + +diff --git a/include/acpi/cppc_acpi.h b/include/acpi/cppc_acpi.h +index c0b69ffe7bdb4..ec425d2834f86 100644 +--- a/include/acpi/cppc_acpi.h ++++ b/include/acpi/cppc_acpi.h +@@ -64,6 +64,8 @@ struct cpc_desc { + int cpu_id; + int write_cmd_status; + int write_cmd_id; ++ /* Lock used for RMW operations in cpc_write() */ ++ spinlock_t rmw_lock; + struct cpc_register_resource cpc_regs[MAX_CPC_REG_ENT]; + struct acpi_psd_package domain_info; + struct kobject kobj; +-- +2.43.0 + diff --git a/queue-6.6/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch b/queue-6.6/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch new file mode 100644 index 00000000000..8893f22a686 --- /dev/null +++ b/queue-6.6/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch @@ -0,0 +1,49 @@ +From d0821ce5e66edcffbcb9c26d55e95113d8dde64e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 01:53:39 +0300 +Subject: ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() + +From: Aleksandr Mishin + +[ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ] + +In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which +is useless. + +Fix this issue by removing unneeded check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver") +Suggested-by: Andy Shevchenko +Signed-off-by: Aleksandr Mishin +Reviewed-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru +[ rjw: Subject edit ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pmic/tps68470_pmic.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/pmic/tps68470_pmic.c b/drivers/acpi/pmic/tps68470_pmic.c +index ebd03e4729555..0d1a82eeb4b0b 100644 +--- a/drivers/acpi/pmic/tps68470_pmic.c ++++ b/drivers/acpi/pmic/tps68470_pmic.c +@@ -376,10 +376,8 @@ static int tps68470_pmic_opregion_probe(struct platform_device *pdev) + struct tps68470_pmic_opregion *opregion; + acpi_status status; + +- if (!dev || !tps68470_regmap) { +- dev_warn(dev, "dev or regmap is NULL\n"); +- return -EINVAL; +- } ++ if (!tps68470_regmap) ++ return dev_err_probe(dev, -EINVAL, "regmap is missing\n"); + + if (!handle) { + dev_warn(dev, "acpi handle is NULL\n"); +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-cs35l41-fix-module-autoloading.patch b/queue-6.6/alsa-hda-cs35l41-fix-module-autoloading.patch new file mode 100644 index 00000000000..a7a1077d19e --- /dev/null +++ b/queue-6.6/alsa-hda-cs35l41-fix-module-autoloading.patch @@ -0,0 +1,36 @@ +From 9bbcd5ac59d1a4e90a74686e48a47ab94bcae5f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 09:13:12 +0000 +Subject: ALSA: hda: cs35l41: fix module autoloading + +From: Yuntao Liu + +[ Upstream commit 48f1434a4632c7da1a6a94e159512ebddbe13392 ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from spi_device_id table. + +Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems") +Signed-off-by: Yuntao Liu +Link: https://patch.msgid.link/20240815091312.757139-1-liuyuntao12@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cs35l41_hda_spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/cs35l41_hda_spi.c b/sound/pci/hda/cs35l41_hda_spi.c +index eb287aa5f7825..d95954ce55d81 100644 +--- a/sound/pci/hda/cs35l41_hda_spi.c ++++ b/sound/pci/hda/cs35l41_hda_spi.c +@@ -38,6 +38,7 @@ static const struct spi_device_id cs35l41_hda_spi_id[] = { + { "cs35l41-hda", 0 }, + {} + }; ++MODULE_DEVICE_TABLE(spi, cs35l41_hda_spi_id); + + static const struct acpi_device_id cs35l41_acpi_hda_match[] = { + { "CSC3551", 0 }, +-- +2.43.0 + diff --git a/queue-6.6/arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch b/queue-6.6/arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch new file mode 100644 index 00000000000..990550f9aa2 --- /dev/null +++ b/queue-6.6/arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch @@ -0,0 +1,222 @@ +From 755b13a9e8932655d2e71b14ecd1b20b1e9964e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 17:05:51 +0100 +Subject: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros + +From: Calvin Owens + +[ Upstream commit 89a906dfa8c3b21b3e5360f73c49234ac1eb885b ] + +Floating point instructions in userspace can crash some arm kernels +built with clang/LLD 17.0.6: + + BUG: unsupported FP instruction in kernel mode + FPEXC == 0xc0000780 + Internal error: Oops - undefined instruction: 0 [#1] ARM + CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1 + Hardware name: BCM2835 + PC is at vfp_support_entry+0xc8/0x2cc + LR is at do_undefinstr+0xa8/0x250 + pc : [] lr : [] psr: a0000013 + sp : dc8d1f68 ip : 60000013 fp : bedea19c + r10: ec532b17 r9 : 00000010 r8 : 0044766c + r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0 + r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none + Control: 00c5387d Table: 0251c008 DAC: 00000051 + Register r0 information: non-paged memory + Register r1 information: vmalloc memory + Register r2 information: non-slab/vmalloc memory + Register r3 information: non-slab/vmalloc memory + Register r4 information: 2-page vmalloc region + Register r5 information: slab kmalloc-cg-2k + Register r6 information: vmalloc memory + Register r7 information: non-slab/vmalloc memory + Register r8 information: non-paged memory + Register r9 information: zero-size pointer + Register r10 information: vmalloc memory + Register r11 information: non-paged memory + Register r12 information: non-paged memory + Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b) + Stack: (0xdc8d1f68 to 0xdc8d2000) + 1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0 + 1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010 + 1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188 + 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c + 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000 + Call trace: + [] (vfp_support_entry) from [] (do_undefinstr+0xa8/0x250) + [] (do_undefinstr) from [] (__und_usr+0x70/0x80) + Exception stack(0xdc8d1fb0 to 0xdc8d1ff8) + 1fa0: b6f68af8 00448fc0 00000000 bedea188 + 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c + 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff + Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Fatal exception in interrupt + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +This is a minimal userspace reproducer on a Raspberry Pi Zero W: + + #include + #include + + int main(void) + { + double v = 1.0; + printf("%fn", NAN + *(volatile double *)&v); + return 0; + } + +Another way to consistently trigger the oops is: + + calvin@raspberry-pi-zero-w ~$ python -c "import json" + +The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n, +because the pr_debug() calls act as barriers even when not activated. + +This is the output from the same kernel source built with the same +compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as +expected: + + VFP: bounce: trigger ec532b17 fpexc c0000780 + VFP: emulate: INST=0xee377b06 SCR=0x00000000 + VFP: bounce: trigger eef1fa10 fpexc c0000780 + VFP: emulate: INST=0xeeb40b40 SCR=0x00000000 + VFP: raising exceptions 30000000 + + calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer + nan + +Crudely grepping for vmsr/vmrs instructions in the otherwise nearly +idential text for vfp_support_entry() makes the problem obvious: + + vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc + vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0 + vmlinux.llvm.good [0xc0101d20] <+152>: vmsr fpexc, r7 + vmlinux.llvm.good [0xc0101d38] <+176>: vmrs r4, fpexc + vmlinux.llvm.good [0xc0101d6c] <+228>: vmrs r0, fpscr + vmlinux.llvm.good [0xc0101dc4] <+316>: vmsr fpexc, r0 + vmlinux.llvm.good [0xc0101dc8] <+320>: vmrs r0, fpsid + vmlinux.llvm.good [0xc0101dcc] <+324>: vmrs r6, fpscr + vmlinux.llvm.good [0xc0101e10] <+392>: vmrs r10, fpinst + vmlinux.llvm.good [0xc0101eb8] <+560>: vmrs r10, fpinst2 + + vmlinux.llvm.bad [0xc0101cb8] <+48>: vmrs r7, fpexc + vmlinux.llvm.bad [0xc0101cd8] <+80>: vmsr fpexc, r0 + vmlinux.llvm.bad [0xc0101d20] <+152>: vmsr fpexc, r7 + vmlinux.llvm.bad [0xc0101d30] <+168>: vmrs r0, fpscr + vmlinux.llvm.bad [0xc0101d50] <+200>: vmrs r6, fpscr <== BOOM! + vmlinux.llvm.bad [0xc0101d6c] <+228>: vmsr fpexc, r0 + vmlinux.llvm.bad [0xc0101d70] <+232>: vmrs r0, fpsid + vmlinux.llvm.bad [0xc0101da4] <+284>: vmrs r10, fpinst + vmlinux.llvm.bad [0xc0101df8] <+368>: vmrs r4, fpexc + vmlinux.llvm.bad [0xc0101e5c] <+468>: vmrs r10, fpinst2 + +I think LLVM's reordering is valid as the code is currently written: the +compiler doesn't know the instructions have side effects in hardware. + +Fix by using "asm volatile" in fmxr() and fmrx(), so they cannot be +reordered with respect to each other. The original compiler now produces +working kernels on my hardware with DYNAMIC_DEBUG=n. + +This is the relevant piece of the diff of the vfp_support_entry() text, +from the original oopsing kernel to a working kernel with this patch: + + vmrs r0, fpscr + tst r0, #4096 + bne 0xc0101d48 + tst r0, #458752 + beq 0xc0101ecc + orr r7, r7, #536870912 + ldr r0, [r4, #0x3c] + mov r9, #16 + -vmrs r6, fpscr + orr r9, r9, #251658240 + add r0, r0, #4 + str r0, [r4, #0x3c] + mvn r0, #159 + sub r0, r0, #-1207959552 + and r0, r7, r0 + vmsr fpexc, r0 + vmrs r0, fpsid + +vmrs r6, fpscr + and r0, r0, #983040 + cmp r0, #65536 + bne 0xc0101d88 + +Fixes: 4708fb041346 ("ARM: vfp: Reimplement VFP exception entry in C code") +Signed-off-by: Calvin Owens +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/vfp/vfpinstr.h | 48 ++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 22 deletions(-) + +diff --git a/arch/arm/vfp/vfpinstr.h b/arch/arm/vfp/vfpinstr.h +index 3c7938fd40aad..32090b0fb250b 100644 +--- a/arch/arm/vfp/vfpinstr.h ++++ b/arch/arm/vfp/vfpinstr.h +@@ -64,33 +64,37 @@ + + #ifdef CONFIG_AS_VFP_VMRS_FPINST + +-#define fmrx(_vfp_) ({ \ +- u32 __v; \ +- asm(".fpu vfpv2\n" \ +- "vmrs %0, " #_vfp_ \ +- : "=r" (__v) : : "cc"); \ +- __v; \ +- }) +- +-#define fmxr(_vfp_,_var_) \ +- asm(".fpu vfpv2\n" \ +- "vmsr " #_vfp_ ", %0" \ +- : : "r" (_var_) : "cc") ++#define fmrx(_vfp_) ({ \ ++ u32 __v; \ ++ asm volatile (".fpu vfpv2\n" \ ++ "vmrs %0, " #_vfp_ \ ++ : "=r" (__v) : : "cc"); \ ++ __v; \ ++}) ++ ++#define fmxr(_vfp_, _var_) ({ \ ++ asm volatile (".fpu vfpv2\n" \ ++ "vmsr " #_vfp_ ", %0" \ ++ : : "r" (_var_) : "cc"); \ ++}) + + #else + + #define vfpreg(_vfp_) #_vfp_ + +-#define fmrx(_vfp_) ({ \ +- u32 __v; \ +- asm("mrc p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmrx %0, " #_vfp_ \ +- : "=r" (__v) : : "cc"); \ +- __v; \ +- }) +- +-#define fmxr(_vfp_,_var_) \ +- asm("mcr p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmxr " #_vfp_ ", %0" \ +- : : "r" (_var_) : "cc") ++#define fmrx(_vfp_) ({ \ ++ u32 __v; \ ++ asm volatile ("mrc p10, 7, %0, " vfpreg(_vfp_) "," \ ++ "cr0, 0 @ fmrx %0, " #_vfp_ \ ++ : "=r" (__v) : : "cc"); \ ++ __v; \ ++}) ++ ++#define fmxr(_vfp_, _var_) ({ \ ++ asm volatile ("mcr p10, 7, %0, " vfpreg(_vfp_) "," \ ++ "cr0, 0 @ fmxr " #_vfp_ ", %0" \ ++ : : "r" (_var_) : "cc"); \ ++}) + + #endif + +-- +2.43.0 + diff --git a/queue-6.6/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch b/queue-6.6/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch new file mode 100644 index 00000000000..1cbf80bdef7 --- /dev/null +++ b/queue-6.6/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch @@ -0,0 +1,38 @@ +From 4161e91307c46e78fc4d047363c56f057b333e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 11:56:36 +0200 +Subject: ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property + +From: Krzysztof Kozlowski + +[ Upstream commit 0e49cfe364dea4345551516eb2fe53135a10432b ] + +There is no "fsl,phy" property in pin controller pincfg nodes: + + imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,pins' is a required property + imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,phy' does not match any of the regexes: 'pinctrl-[0-9]+' + +Fixes: f496e6750083 ("ARM: dts: Add ZII support for ZII i.MX7 RMU2 board") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts +index 521493342fe97..8f5566027c25a 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts ++++ b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts +@@ -350,7 +350,7 @@ MX7D_PAD_SD3_RESET_B__SD3_RESET_B 0x59 + + &iomuxc_lpsr { + pinctrl_enet1_phy_interrupt: enet1phyinterruptgrp { +- fsl,phy = < ++ fsl,pins = < + MX7D_PAD_LPSR_GPIO1_IO02__GPIO1_IO2 0x08 + >; + }; +-- +2.43.0 + diff --git a/queue-6.6/arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch b/queue-6.6/arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch new file mode 100644 index 00000000000..522e03d1ab9 --- /dev/null +++ b/queue-6.6/arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch @@ -0,0 +1,54 @@ +From e96a5621e5fad280f586786b5f2353ba71ed9368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 07:51:36 +0200 +Subject: ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks + +From: Alexander Dahl + +[ Upstream commit d355c895fa4ddd8bec15569eee540baeed7df8c5 ] + +The RTC and RTT peripherals use the timing domain slow clock (TD_SLCK), +sourced from the 32.768 kHz crystal oscillator or slow rc oscillator. + +The previously used Monitoring domain slow clock (MD_SLCK) is sourced +from an internal RC oscillator which is most probably not precise enough +for real time clock purposes. + +Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board") +Fixes: 5f6b33f46346 ("ARM: dts: sam9x60: add rtt") +Signed-off-by: Alexander Dahl +Link: https://lore.kernel.org/r/20240821055136.6858-1-ada@thorsis.com +[claudiu.beznea: removed () around the last commit description paragraph, + removed " in front of "timing domain slow clock", described that + TD_SLCK can also be sourced from slow rc oscillator] +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sam9x60.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/microchip/sam9x60.dtsi b/arch/arm/boot/dts/microchip/sam9x60.dtsi +index 73d570a172690..1705c96f4221e 100644 +--- a/arch/arm/boot/dts/microchip/sam9x60.dtsi ++++ b/arch/arm/boot/dts/microchip/sam9x60.dtsi +@@ -1312,7 +1312,7 @@ rtt: rtc@fffffe20 { + compatible = "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt"; + reg = <0xfffffe20 0x20>; + interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>; +- clocks = <&clk32k 0>; ++ clocks = <&clk32k 1>; + }; + + pit: timer@fffffe40 { +@@ -1338,7 +1338,7 @@ rtc: rtc@fffffea8 { + compatible = "microchip,sam9x60-rtc", "atmel,at91sam9x5-rtc"; + reg = <0xfffffea8 0x100>; + interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>; +- clocks = <&clk32k 0>; ++ clocks = <&clk32k 1>; + }; + + watchdog: watchdog@ffffff80 { +-- +2.43.0 + diff --git a/queue-6.6/arm-dts-microchip-sama7g5-fix-rtt-clock.patch b/queue-6.6/arm-dts-microchip-sama7g5-fix-rtt-clock.patch new file mode 100644 index 00000000000..2eff57ccda7 --- /dev/null +++ b/queue-6.6/arm-dts-microchip-sama7g5-fix-rtt-clock.patch @@ -0,0 +1,37 @@ +From 7a4a28719e48e8abfacb02dc38612a95a5e1f029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 19:53:20 +0300 +Subject: ARM: dts: microchip: sama7g5: Fix RTT clock + +From: Claudiu Beznea + +[ Upstream commit 867bf1923200e6ad82bad0289f43bf20b4ac7ff9 ] + +According to datasheet, Chapter 34. Clock Generator, section 34.2, +Embedded characteristics, source clock for RTT is the TD_SLCK, registered +with ID 1 by the slow clock controller driver. Fix RTT clock. + +Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek") +Link: https://lore.kernel.org/r/20240826165320.3068359-1-claudiu.beznea@tuxon.dev +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sama7g5.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/microchip/sama7g5.dtsi b/arch/arm/boot/dts/microchip/sama7g5.dtsi +index 269e0a3ca269c..7a95464bb78d8 100644 +--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi ++++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi +@@ -272,7 +272,7 @@ rtt: rtc@e001d020 { + compatible = "microchip,sama7g5-rtt", "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt"; + reg = <0xe001d020 0x30>; + interrupts = ; +- clocks = <&clk32k 0>; ++ clocks = <&clk32k 1>; + }; + + clk32k: clock-controller@e001d050 { +-- +2.43.0 + diff --git a/queue-6.6/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch b/queue-6.6/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch new file mode 100644 index 00000000000..d51d6721d23 --- /dev/null +++ b/queue-6.6/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch @@ -0,0 +1,37 @@ +From 7c8b5b3e43e715be61b8c19b0933d5dc262955c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 07:49:33 +0200 +Subject: ARM: versatile: fix OF node leak in CPUs prepare + +From: Krzysztof Kozlowski + +[ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ] + +Machine code is leaking OF node reference from of_find_matching_node() +in realview_smp_prepare_cpus(). + +Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Liviu Dudau +Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/mach-versatile/platsmp-realview.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-versatile/platsmp-realview.c b/arch/arm/mach-versatile/platsmp-realview.c +index 5d363385c8019..059d796b26bc8 100644 +--- a/arch/arm/mach-versatile/platsmp-realview.c ++++ b/arch/arm/mach-versatile/platsmp-realview.c +@@ -66,6 +66,7 @@ static void __init realview_smp_prepare_cpus(unsigned int max_cpus) + return; + } + map = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(map)) { + pr_err("PLATSMP: No syscon regmap\n"); + return; +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch b/queue-6.6/arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch new file mode 100644 index 00000000000..7c36e22ce03 --- /dev/null +++ b/queue-6.6/arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch @@ -0,0 +1,38 @@ +From 6ba7355fb69e2f7afba8552e429874b1b7234cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jul 2024 19:58:32 +0200 +Subject: arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB + +From: David Virag + +[ Upstream commit d281814b8f7a710a75258da883fb0dfe1329c031 ] + +All known jackpotlte variants have 4GB of RAM, let's use it all. +RAM was set to 3GB from a mistake in the vendor provided DTS file. + +Fixes: 06874015327b ("arm64: dts: exynos: Add initial device tree support for Exynos7885 SoC") +Signed-off-by: David Virag +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20240713180607.147942-3-virag.david003@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts +index 47a389d9ff7d7..9d74fa6bfed9f 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts +@@ -32,7 +32,7 @@ memory@80000000 { + device_type = "memory"; + reg = <0x0 0x80000000 0x3da00000>, + <0x0 0xc0000000 0x40000000>, +- <0x8 0x80000000 0x40000000>; ++ <0x8 0x80000000 0x80000000>; + }; + + gpio-keys { +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch b/queue-6.6/arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch new file mode 100644 index 00000000000..03ad76f51ff --- /dev/null +++ b/queue-6.6/arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch @@ -0,0 +1,84 @@ +From a26114b7143dd04d95d8f21306840335094ea4af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 09:22:43 +0200 +Subject: arm64: dts: mediatek: mt8186: Fix supported-hw mask for GPU OPPs + +From: AngeloGioacchino Del Regno + +[ Upstream commit 2317d018b835842df0501d8f9e9efa843068a101 ] + +The speedbin eFuse reads a value 'x' from 0 to 7 and, in order to +make that compatible with opp-supported-hw, it gets post processed +as BIT(x). + +Change all of the 0x30 supported-hw to 0x20 to avoid getting +duplicate OPPs for speedbin 4, and also change all of the 0x8 to +0xcf because speedbins different from 4 and 5 do support 900MHz, +950MHz, 1000MHz with the higher voltage of 850mV, 900mV, 950mV +respectively. + +Fixes: f38ea593ad0d ("arm64: dts: mediatek: mt8186: Wire up GPU voltage/frequency scaling") +Link: https://lore.kernel.org/r/20240725072243.173104-1-angelogioacchino.delregno@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8186.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8186.dtsi b/arch/arm64/boot/dts/mediatek/mt8186.dtsi +index 84ec6c1aa12b9..2c184f9e0fc39 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8186.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8186.dtsi +@@ -731,7 +731,7 @@ opp-850000000 { + opp-900000000-3 { + opp-hz = /bits/ 64 <900000000>; + opp-microvolt = <850000>; +- opp-supported-hw = <0x8>; ++ opp-supported-hw = <0xcf>; + }; + + opp-900000000-4 { +@@ -743,13 +743,13 @@ opp-900000000-4 { + opp-900000000-5 { + opp-hz = /bits/ 64 <900000000>; + opp-microvolt = <825000>; +- opp-supported-hw = <0x30>; ++ opp-supported-hw = <0x20>; + }; + + opp-950000000-3 { + opp-hz = /bits/ 64 <950000000>; + opp-microvolt = <900000>; +- opp-supported-hw = <0x8>; ++ opp-supported-hw = <0xcf>; + }; + + opp-950000000-4 { +@@ -761,13 +761,13 @@ opp-950000000-4 { + opp-950000000-5 { + opp-hz = /bits/ 64 <950000000>; + opp-microvolt = <850000>; +- opp-supported-hw = <0x30>; ++ opp-supported-hw = <0x20>; + }; + + opp-1000000000-3 { + opp-hz = /bits/ 64 <1000000000>; + opp-microvolt = <950000>; +- opp-supported-hw = <0x8>; ++ opp-supported-hw = <0xcf>; + }; + + opp-1000000000-4 { +@@ -779,7 +779,7 @@ opp-1000000000-4 { + opp-1000000000-5 { + opp-hz = /bits/ 64 <1000000000>; + opp-microvolt = <875000>; +- opp-supported-hw = <0x30>; ++ opp-supported-hw = <0x20>; + }; + }; + +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch b/queue-6.6/arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch new file mode 100644 index 00000000000..58b011d034b --- /dev/null +++ b/queue-6.6/arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch @@ -0,0 +1,60 @@ +From 93bf8f4a1ea34521aa2854bac3dd87f3b752c81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 15:09:50 +0800 +Subject: arm64: dts: mediatek: mt8195: Correct clock order for dp_intf* +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen-Yu Tsai + +[ Upstream commit 51bc68debab9e30b50c6352315950f3cfc309b32 ] + +The clocks for dp_intf* device nodes are given in the wrong order, +causing the binding validation to fail. + +Fixes: 6c2503b5856a ("arm64: dts: mt8195: Add dp-intf nodes") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20240802070951.1086616-1-wenst@chromium.org +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +index 20e6d90cc4118..d21ba00a5bd5d 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +@@ -2766,10 +2766,10 @@ dp_intf0: dp-intf@1c015000 { + compatible = "mediatek,mt8195-dp-intf"; + reg = <0 0x1c015000 0 0x1000>; + interrupts = ; +- clocks = <&vdosys0 CLK_VDO0_DP_INTF0>, +- <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>, ++ clocks = <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>, ++ <&vdosys0 CLK_VDO0_DP_INTF0>, + <&apmixedsys CLK_APMIXED_TVDPLL1>; +- clock-names = "engine", "pixel", "pll"; ++ clock-names = "pixel", "engine", "pll"; + status = "disabled"; + }; + +@@ -3036,10 +3036,10 @@ dp_intf1: dp-intf@1c113000 { + reg = <0 0x1c113000 0 0x1000>; + interrupts = ; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; +- clocks = <&vdosys1 CLK_VDO1_DP_INTF0_MM>, +- <&vdosys1 CLK_VDO1_DPINTF>, ++ clocks = <&vdosys1 CLK_VDO1_DPINTF>, ++ <&vdosys1 CLK_VDO1_DP_INTF0_MM>, + <&apmixedsys CLK_APMIXED_TVDPLL2>; +- clock-names = "engine", "pixel", "pll"; ++ clock-names = "pixel", "engine", "pll"; + status = "disabled"; + }; + +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch b/queue-6.6/arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch new file mode 100644 index 00000000000..5e66492b110 --- /dev/null +++ b/queue-6.6/arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch @@ -0,0 +1,41 @@ +From 960d580577cec04c1181c97567d19d106ea88eb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 13:24:34 +0100 +Subject: arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes + +From: Lad Prabhakar + +[ Upstream commit ab39547f739236e7f16b8b0a51fdca95cc9cadd3 ] + +The RZ/G2UL SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB +for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. + +Despite the RZ/G2UL SoC being single-core, it has two instances of GICR. + +Fixes: cf40c9689e510 ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC") +Signed-off-by: Lad Prabhakar +Link: https://lore.kernel.org/20240730122436.350013-3-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g043u.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi +index 4b72de43b71cc..71d51febabc1e 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi +@@ -145,8 +145,8 @@ gic: interrupt-controller@11900000 { + #interrupt-cells = <3>; + #address-cells = <0>; + interrupt-controller; +- reg = <0x0 0x11900000 0 0x40000>, +- <0x0 0x11940000 0 0x60000>; ++ reg = <0x0 0x11900000 0 0x20000>, ++ <0x0 0x11940000 0 0x40000>; + interrupts = ; + }; + }; +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch b/queue-6.6/arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch new file mode 100644 index 00000000000..ca524e140a8 --- /dev/null +++ b/queue-6.6/arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch @@ -0,0 +1,40 @@ +From 9afd8a2f2337dda46c6e38b7d3e7df2dfc2cd078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 13:24:36 +0100 +Subject: arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes + +From: Lad Prabhakar + +[ Upstream commit 833948fb2b63155847ab691a54800f801555429b ] + +The RZ/G2L(C) SoC is equipped with the GIC-600. The GICD is 64KiB + +64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per +CPU. + +Fixes: 68a45525297b2 ("arm64: dts: renesas: Add initial DTSI for RZ/G2{L,LC} SoC's") +Signed-off-by: Lad Prabhakar +Link: https://lore.kernel.org/20240730122436.350013-5-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi +index a877738c30484..edc942c846395 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi +@@ -997,8 +997,8 @@ gic: interrupt-controller@11900000 { + #interrupt-cells = <3>; + #address-cells = <0>; + interrupt-controller; +- reg = <0x0 0x11900000 0 0x40000>, +- <0x0 0x11940000 0 0x60000>; ++ reg = <0x0 0x11900000 0 0x20000>, ++ <0x0 0x11940000 0 0x40000>; + interrupts = ; + }; + +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch b/queue-6.6/arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch new file mode 100644 index 00000000000..6933c0682a3 --- /dev/null +++ b/queue-6.6/arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch @@ -0,0 +1,39 @@ +From 1930aafec465775ca366aff85d8d68d80f90062c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 13:24:35 +0100 +Subject: arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes + +From: Lad Prabhakar + +[ Upstream commit 45afa9eacb59b258d2e53c7f63430ea1e8344803 ] + +The RZ/V2L SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB +for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. + +Fixes: 7c2b8198f4f32 ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC") +Signed-off-by: Lad Prabhakar +Link: https://lore.kernel.org/20240730122436.350013-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi +index 3f01b096cfb71..d61f7894e55cd 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi +@@ -1004,8 +1004,8 @@ gic: interrupt-controller@11900000 { + #interrupt-cells = <3>; + #address-cells = <0>; + interrupt-controller; +- reg = <0x0 0x11900000 0 0x40000>, +- <0x0 0x11940000 0 0x60000>; ++ reg = <0x0 0x11900000 0 0x20000>, ++ <0x0 0x11940000 0 0x40000>; + interrupts = ; + }; + +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch b/queue-6.6/arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch new file mode 100644 index 00000000000..ec3c060f771 --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch @@ -0,0 +1,39 @@ +From 0687a7d35a8aa1a0121ffb685db1db4198f4514a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 21:18:16 +0000 +Subject: arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1 + +From: Jonas Karlman + +[ Upstream commit 735065e774dcfc62e38df01a535862138b6c92ed ] + +The vendor prefix for Hardkernel ODROID-M1 is incorrectly listed as +rockchip. Use the proper hardkernel vendor prefix for this board, while +at it also drop the redundant soc prefix. + +Fixes: fd3583267703 ("arm64: dts: rockchip: Add Hardkernel ODROID-M1 board") +Reviewed-by: Aurelien Jarno +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20240827211825.1419820-3-jonas@kwiboo.se +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts +index a337f547caf53..6a02db4f073f2 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts +@@ -13,7 +13,7 @@ + + / { + model = "Hardkernel ODROID-M1"; +- compatible = "rockchip,rk3568-odroid-m1", "rockchip,rk3568"; ++ compatible = "hardkernel,odroid-m1", "rockchip,rk3568"; + + aliases { + ethernet0 = &gmac0; +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch b/queue-6.6/arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch new file mode 100644 index 00000000000..29a81c4f31b --- /dev/null +++ b/queue-6.6/arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch @@ -0,0 +1,50 @@ +From d2c1447e0287955aa28e87784e4d24b034971fb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 13:12:32 -0500 +Subject: arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout + locations + +From: Andrew Davis + +[ Upstream commit 1a314099b7559690fe23cdf3300dfff6e830ecb1 ] + +The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at +0xa7000000. These are reversed in DT. While both C6x can access either +region, so this is not normally a problem, but if we start restricting +the memory each core can access (such as with firewalls) the cores +accessing the regions for the wrong core will not work. Fix this here. + +Fixes: fae14a1cb8dd ("arm64: dts: ti: Add k3-j721e-beagleboneai64") +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20240801181232.55027-2-afd@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts +index 2f954729f3533..7897323376a5b 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts ++++ b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts +@@ -123,7 +123,7 @@ main_r5fss1_core1_memory_region: r5f-memory@a5100000 { + no-map; + }; + +- c66_1_dma_memory_region: c66-dma-memory@a6000000 { ++ c66_0_dma_memory_region: c66-dma-memory@a6000000 { + compatible = "shared-dma-pool"; + reg = <0x00 0xa6000000 0x00 0x100000>; + no-map; +@@ -135,7 +135,7 @@ c66_0_memory_region: c66-memory@a6100000 { + no-map; + }; + +- c66_0_dma_memory_region: c66-dma-memory@a7000000 { ++ c66_1_dma_memory_region: c66-dma-memory@a7000000 { + compatible = "shared-dma-pool"; + reg = <0x00 0xa7000000 0x00 0x100000>; + no-map; +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch b/queue-6.6/arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch new file mode 100644 index 00000000000..e8c41cc8c6c --- /dev/null +++ b/queue-6.6/arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch @@ -0,0 +1,49 @@ +From c31d8e2e7c03b2d74a11efe3c706ddafef7cdb20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 13:12:31 -0500 +Subject: arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations + +From: Andrew Davis + +[ Upstream commit 9f3814a7c06b7c7296cf8c1622078ad71820454b ] + +The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at +0xa7000000. These are reversed in DT. While both C6x can access either +region, so this is not normally a problem, but if we start restricting +the memory each core can access (such as with firewalls) the cores +accessing the regions for the wrong core will not work. Fix this here. + +Fixes: f46d16cf5b43 ("arm64: dts: ti: k3-j721e-sk: Add DDR carveout memory nodes") +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20240801181232.55027-1-afd@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts +index 42fe8eee9ec8c..ccacb65683b5b 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts ++++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts +@@ -119,7 +119,7 @@ main_r5fss1_core1_memory_region: r5f-memory@a5100000 { + no-map; + }; + +- c66_1_dma_memory_region: c66-dma-memory@a6000000 { ++ c66_0_dma_memory_region: c66-dma-memory@a6000000 { + compatible = "shared-dma-pool"; + reg = <0x00 0xa6000000 0x00 0x100000>; + no-map; +@@ -131,7 +131,7 @@ c66_0_memory_region: c66-memory@a6100000 { + no-map; + }; + +- c66_0_dma_memory_region: c66-dma-memory@a7000000 { ++ c66_1_dma_memory_region: c66-dma-memory@a7000000 { + compatible = "shared-dma-pool"; + reg = <0x00 0xa7000000 0x00 0x100000>; + no-map; +-- +2.43.0 + diff --git a/queue-6.6/arm64-signal-fix-some-under-bracketed-uapi-macros.patch b/queue-6.6/arm64-signal-fix-some-under-bracketed-uapi-macros.patch new file mode 100644 index 00000000000..4ecb63a1b3d --- /dev/null +++ b/queue-6.6/arm64-signal-fix-some-under-bracketed-uapi-macros.patch @@ -0,0 +1,55 @@ +From 90df33350acb7a78cbadc3f967b357736b361a55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 16:20:05 +0100 +Subject: arm64: signal: Fix some under-bracketed UAPI macros + +From: Dave Martin + +[ Upstream commit fc2220c9b15828319b09384e68399b4afc6276d9 ] + +A few SME-related sigcontext UAPI macros leave an argument +unprotected from misparsing during macro expansion. + +Add parentheses around references to macro arguments where +appropriate. + +Signed-off-by: Dave Martin +Fixes: ee072cf70804 ("arm64/sme: Implement signal handling for ZT") +Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling") +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20240729152005.289844-1-Dave.Martin@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/uapi/asm/sigcontext.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/include/uapi/asm/sigcontext.h b/arch/arm64/include/uapi/asm/sigcontext.h +index f23c1dc3f002f..8f003db7a6967 100644 +--- a/arch/arm64/include/uapi/asm/sigcontext.h ++++ b/arch/arm64/include/uapi/asm/sigcontext.h +@@ -312,10 +312,10 @@ struct zt_context { + ((sizeof(struct za_context) + (__SVE_VQ_BYTES - 1)) \ + / __SVE_VQ_BYTES * __SVE_VQ_BYTES) + +-#define ZA_SIG_REGS_SIZE(vq) ((vq * __SVE_VQ_BYTES) * (vq * __SVE_VQ_BYTES)) ++#define ZA_SIG_REGS_SIZE(vq) (((vq) * __SVE_VQ_BYTES) * ((vq) * __SVE_VQ_BYTES)) + + #define ZA_SIG_ZAV_OFFSET(vq, n) (ZA_SIG_REGS_OFFSET + \ +- (SVE_SIG_ZREG_SIZE(vq) * n)) ++ (SVE_SIG_ZREG_SIZE(vq) * (n))) + + #define ZA_SIG_CONTEXT_SIZE(vq) \ + (ZA_SIG_REGS_OFFSET + ZA_SIG_REGS_SIZE(vq)) +@@ -326,7 +326,7 @@ struct zt_context { + + #define ZT_SIG_REGS_OFFSET sizeof(struct zt_context) + +-#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * n) ++#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * (n)) + + #define ZT_SIG_CONTEXT_SIZE(n) \ + (sizeof(struct zt_context) + ZT_SIG_REGS_SIZE(n)) +-- +2.43.0 + diff --git a/queue-6.6/asoc-loongson-fix-error-release.patch b/queue-6.6/asoc-loongson-fix-error-release.patch new file mode 100644 index 00000000000..76aa66de5fe --- /dev/null +++ b/queue-6.6/asoc-loongson-fix-error-release.patch @@ -0,0 +1,40 @@ +From 22dfa1ec4e0ed7bbad3f5ab375392f83b789b7c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 17:06:20 +0800 +Subject: ASoC: loongson: fix error release + +From: tangbin + +[ Upstream commit 97688a9c5b1fd2b826c682cdfa36d411a5c99828 ] + +In function loongson_card_parse_of(), when get device_node +'codec' failed, the function of_node_put(codec) should not +be invoked, thus fix error release. + +Fixes: d24028606e76 ("ASoC: loongson: Add Loongson ASoC Sound Card Support") +Signed-off-by: tangbin +Link: https://patch.msgid.link/20240903090620.6276-1-tangbin@cmss.chinamobile.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/loongson/loongson_card.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/loongson/loongson_card.c b/sound/soc/loongson/loongson_card.c +index 406ee8db1a3c5..8cc54aedd0024 100644 +--- a/sound/soc/loongson/loongson_card.c ++++ b/sound/soc/loongson/loongson_card.c +@@ -127,8 +127,8 @@ static int loongson_card_parse_of(struct loongson_card_data *data) + codec = of_get_child_by_name(dev->of_node, "codec"); + if (!codec) { + dev_err(dev, "audio-codec property missing or invalid\n"); +- ret = -EINVAL; +- goto err; ++ of_node_put(cpu); ++ return -EINVAL; + } + + for (i = 0; i < card->num_links; i++) { +-- +2.43.0 + diff --git a/queue-6.6/asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch b/queue-6.6/asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch new file mode 100644 index 00000000000..d24a3cf369c --- /dev/null +++ b/queue-6.6/asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch @@ -0,0 +1,41 @@ +From 78678776405303664f2396fada4e22df5b1901ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 19:54:36 +0800 +Subject: ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the + error + +From: Ma Ke + +[ Upstream commit 3ff810b9bebe5578a245cfa97c252ab602e703f1 ] + +Return devm_of_clk_add_hw_provider() in order to transfer the error, if it +fails due to resource allocation failure or device tree clock provider +registration failure. + +Fixes: bdd229ab26be ("ASoC: rt5682s: Add driver for ALC5682I-VS codec") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20240717115436.3449492-1-make24@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5682s.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/rt5682s.c b/sound/soc/codecs/rt5682s.c +index 68ac5ea50396d..92c647d439ec7 100644 +--- a/sound/soc/codecs/rt5682s.c ++++ b/sound/soc/codecs/rt5682s.c +@@ -2828,7 +2828,9 @@ static int rt5682s_register_dai_clks(struct snd_soc_component *component) + } + + if (dev->of_node) { +- devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw); ++ ret = devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw); ++ if (ret) ++ return ret; + } else { + ret = devm_clk_hw_register_clkdev(dev, dai_clk_hw, + init.name, dev_name(dev)); +-- +2.43.0 + diff --git a/queue-6.6/asoc-tas2781-i2c-drop-weird-gpio-code.patch b/queue-6.6/asoc-tas2781-i2c-drop-weird-gpio-code.patch new file mode 100644 index 00000000000..5235e853a29 --- /dev/null +++ b/queue-6.6/asoc-tas2781-i2c-drop-weird-gpio-code.patch @@ -0,0 +1,192 @@ +From 44413bcc4a8bf336b935a48ba9b26680689745a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 17:02:32 +0200 +Subject: ASoC: tas2781-i2c: Drop weird GPIO code + +From: Linus Walleij + +[ Upstream commit c2c0b67dca3cb3b3cea0dd60075a1c5ba77e2fcd ] + +The tas2781-i2c driver gets an IRQ from either ACPI or device tree, +then proceeds to check if the IRQ has a corresponding GPIO and in +case it does enforce the GPIO as input and set a label on it. + +This is abuse of the API: + +- First we cannot guarantee that the numberspaces of the GPIOs and + the IRQs are the same, i.e that an IRQ number corresponds to + a GPIO number like that. + +- Second, GPIO chips and IRQ chips should be treated as orthogonal + APIs, the irqchip needs to ascertain that the backing GPIO line + is set to input etc just using the irqchip. + +- Third it is using the legacy API which should not + be used in new code yet this was added just a year ago. + +Delete the offending code. + +If this creates problems the GPIO and irqchip maintainers can help +to fix the issues. + +It *should* not create any problems, because the irq isn't +used anywhere in the driver, it's just obtained and then +left unused. + +Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-1-bd0f2705d58b@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/tas2781.h | 7 +------ + sound/pci/hda/tas2781_hda_i2c.c | 2 +- + sound/soc/codecs/tas2781-comlib.c | 3 --- + sound/soc/codecs/tas2781-fmwlib.c | 1 - + sound/soc/codecs/tas2781-i2c.c | 24 +++--------------------- + 5 files changed, 5 insertions(+), 32 deletions(-) + +diff --git a/include/sound/tas2781.h b/include/sound/tas2781.h +index be6f70dd54f93..f97f386e5a55a 100644 +--- a/include/sound/tas2781.h ++++ b/include/sound/tas2781.h +@@ -78,11 +78,6 @@ struct tasdevice { + bool is_loaderr; + }; + +-struct tasdevice_irqinfo { +- int irq_gpio; +- int irq; +-}; +- + struct calidata { + unsigned char *data; + unsigned long total_sz; +@@ -90,7 +85,6 @@ struct calidata { + + struct tasdevice_priv { + struct tasdevice tasdevice[TASDEVICE_MAX_CHANNELS]; +- struct tasdevice_irqinfo irq_info; + struct tasdevice_rca rcabin; + struct calidata cali_data; + struct tasdevice_fw *fmw; +@@ -111,6 +105,7 @@ struct tasdevice_priv { + unsigned int chip_id; + unsigned int sysclk; + ++ int irq; + int cur_prog; + int cur_conf; + int fw_state; +diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c +index 0a587f55583ff..980e6104c2f3f 100644 +--- a/sound/pci/hda/tas2781_hda_i2c.c ++++ b/sound/pci/hda/tas2781_hda_i2c.c +@@ -710,7 +710,7 @@ static int tas2781_hda_i2c_probe(struct i2c_client *clt) + } else + return -ENODEV; + +- tas_hda->priv->irq_info.irq = clt->irq; ++ tas_hda->priv->irq = clt->irq; + ret = tas2781_read_acpi(tas_hda->priv, device_name); + if (ret) + return dev_err_probe(tas_hda->dev, ret, +diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c +index 3aa81514dad76..0444cf90c5119 100644 +--- a/sound/soc/codecs/tas2781-comlib.c ++++ b/sound/soc/codecs/tas2781-comlib.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -406,8 +405,6 @@ EXPORT_SYMBOL_GPL(tasdevice_dsp_remove); + + void tasdevice_remove(struct tasdevice_priv *tas_priv) + { +- if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) +- gpio_free(tas_priv->irq_info.irq_gpio); + mutex_destroy(&tas_priv->codec_lock); + } + EXPORT_SYMBOL_GPL(tasdevice_remove); +diff --git a/sound/soc/codecs/tas2781-fmwlib.c b/sound/soc/codecs/tas2781-fmwlib.c +index 3639dcd0bbb2b..629e2195a890b 100644 +--- a/sound/soc/codecs/tas2781-fmwlib.c ++++ b/sound/soc/codecs/tas2781-fmwlib.c +@@ -13,7 +13,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index 61a64d18a7d55..b25978f01cd2a 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -22,7 +22,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -617,7 +616,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + { + struct i2c_client *client = (struct i2c_client *)tas_priv->client; + unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS]; +- int rc, i, ndev = 0; ++ int i, ndev = 0; + + if (tas_priv->isacpi) { + ndev = device_property_read_u32_array(&client->dev, +@@ -632,7 +631,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + "ti,audio-slots", dev_addrs, ndev); + } + +- tas_priv->irq_info.irq_gpio = ++ tas_priv->irq = + acpi_dev_gpio_irq_get(ACPI_COMPANION(&client->dev), 0); + } else if (IS_ENABLED(CONFIG_OF)) { + struct device_node *np = tas_priv->dev->of_node; +@@ -644,7 +643,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + dev_addrs[ndev++] = addr; + } + +- tas_priv->irq_info.irq_gpio = of_irq_get(np, 0); ++ tas_priv->irq = of_irq_get(np, 0); + } else { + ndev = 1; + dev_addrs[0] = client->addr; +@@ -660,23 +659,6 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + __func__); + + strcpy(tas_priv->dev_name, tasdevice_id[tas_priv->chip_id].name); +- +- if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) { +- rc = gpio_request(tas_priv->irq_info.irq_gpio, +- "AUDEV-IRQ"); +- if (!rc) { +- gpio_direction_input( +- tas_priv->irq_info.irq_gpio); +- +- tas_priv->irq_info.irq = +- gpio_to_irq(tas_priv->irq_info.irq_gpio); +- } else +- dev_err(tas_priv->dev, "%s: GPIO %d request error\n", +- __func__, tas_priv->irq_info.irq_gpio); +- } else +- dev_err(tas_priv->dev, +- "Looking up irq-gpio property failed %d\n", +- tas_priv->irq_info.irq_gpio); + } + + static int tasdevice_i2c_probe(struct i2c_client *i2c) +-- +2.43.0 + diff --git a/queue-6.6/asoc-tas2781-i2c-get-the-right-gpio-line.patch b/queue-6.6/asoc-tas2781-i2c-get-the-right-gpio-line.patch new file mode 100644 index 00000000000..44ce0685c3c --- /dev/null +++ b/queue-6.6/asoc-tas2781-i2c-get-the-right-gpio-line.patch @@ -0,0 +1,42 @@ +From bca9b7eb9d34854b9ad214f297c7dd328a2088b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 17:02:33 +0200 +Subject: ASoC: tas2781-i2c: Get the right GPIO line + +From: Linus Walleij + +[ Upstream commit 1c4b509edad15192bfb64c81d3c305bbae8070db ] + +The code is obtaining a GPIO reset using the reset GPIO +name "reset-gpios", but the gpiolib is already adding the +suffix "-gpios" to anything passed to this function and +will be looking for "reset-gpios-gpios" which is most +certainly not what the author desired. + +Fix it up. + +Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-2-bd0f2705d58b@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index b25978f01cd2a..43775c1944452 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -653,7 +653,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + tas_priv->tasdevice[i].dev_addr = dev_addrs[i]; + + tas_priv->reset = devm_gpiod_get_optional(&client->dev, +- "reset-gpios", GPIOD_OUT_HIGH); ++ "reset", GPIOD_OUT_HIGH); + if (IS_ERR(tas_priv->reset)) + dev_err(tas_priv->dev, "%s Can't get reset GPIO\n", + __func__); +-- +2.43.0 + diff --git a/queue-6.6/asoc-tas2781-remove-unused-acpi_subysystem_id.patch b/queue-6.6/asoc-tas2781-remove-unused-acpi_subysystem_id.patch new file mode 100644 index 00000000000..257dc673315 --- /dev/null +++ b/queue-6.6/asoc-tas2781-remove-unused-acpi_subysystem_id.patch @@ -0,0 +1,83 @@ +From 740e483894195c40aa1cdbdcee6b5e558ecb912c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 06:59:34 +0100 +Subject: ASoC: tas2781: remove unused acpi_subysystem_id + +From: Gergo Koteles + +[ Upstream commit 4089d82e67a9967fc5bf2b4e5ef820d67fe73924 ] + +The acpi_subysystem_id is only written and freed, not read, so +unnecessary. + +Signed-off-by: Gergo Koteles +Link: https://lore.kernel.org/r/454639336be28d2b50343e9c8366a56b0975e31d.1707456753.git.soyer@irl.hu +Signed-off-by: Mark Brown +Stable-dep-of: c2c0b67dca3c ("ASoC: tas2781-i2c: Drop weird GPIO code") +Signed-off-by: Sasha Levin +--- + include/sound/tas2781.h | 1 - + sound/pci/hda/tas2781_hda_i2c.c | 12 ------------ + sound/soc/codecs/tas2781-comlib.c | 1 - + 3 files changed, 14 deletions(-) + +diff --git a/include/sound/tas2781.h b/include/sound/tas2781.h +index be58d870505a4..be6f70dd54f93 100644 +--- a/include/sound/tas2781.h ++++ b/include/sound/tas2781.h +@@ -101,7 +101,6 @@ struct tasdevice_priv { + struct tm tm; + + enum device_catlog_id catlog_id; +- const char *acpi_subsystem_id; + unsigned char cal_binaryname[TASDEVICE_MAX_CHANNELS][64]; + unsigned char crc8_lkp_tbl[CRC8_TABLE_SIZE]; + unsigned char coef_binaryname[64]; +diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c +index e5bb1fed26a0c..0a587f55583ff 100644 +--- a/sound/pci/hda/tas2781_hda_i2c.c ++++ b/sound/pci/hda/tas2781_hda_i2c.c +@@ -95,9 +95,7 @@ static int tas2781_get_i2c_res(struct acpi_resource *ares, void *data) + static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid) + { + struct acpi_device *adev; +- struct device *physdev; + LIST_HEAD(resources); +- const char *sub; + int ret; + + adev = acpi_dev_get_first_match_dev(hid, NULL, -1); +@@ -113,18 +111,8 @@ static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid) + + acpi_dev_free_resource_list(&resources); + strscpy(p->dev_name, hid, sizeof(p->dev_name)); +- physdev = get_device(acpi_get_first_physical_node(adev)); + acpi_dev_put(adev); + +- /* No side-effect to the playback even if subsystem_id is NULL*/ +- sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev)); +- if (IS_ERR(sub)) +- sub = NULL; +- +- p->acpi_subsystem_id = sub; +- +- put_device(physdev); +- + return 0; + + err: +diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c +index 5d0e5348b361a..3aa81514dad76 100644 +--- a/sound/soc/codecs/tas2781-comlib.c ++++ b/sound/soc/codecs/tas2781-comlib.c +@@ -408,7 +408,6 @@ void tasdevice_remove(struct tasdevice_priv *tas_priv) + { + if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) + gpio_free(tas_priv->irq_info.irq_gpio); +- kfree(tas_priv->acpi_subsystem_id); + mutex_destroy(&tas_priv->codec_lock); + } + EXPORT_SYMBOL_GPL(tasdevice_remove); +-- +2.43.0 + diff --git a/queue-6.6/asoc-tas2781-use-of_property_read_reg.patch b/queue-6.6/asoc-tas2781-use-of_property_read_reg.patch new file mode 100644 index 00000000000..445737b44a9 --- /dev/null +++ b/queue-6.6/asoc-tas2781-use-of_property_read_reg.patch @@ -0,0 +1,80 @@ +From 096736b823dc1461e34d611e2a762eb70d169c13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 15:54:01 -0600 +Subject: ASoC: tas2781: Use of_property_read_reg() + +From: Rob Herring (Arm) + +[ Upstream commit 31a45f9190b5b4f5cd8cdec8471babd5215eee04 ] + +Replace the open-coded parsing of "reg" with of_property_read_reg(). +The #ifdef is also easily replaced with IS_ENABLED(). + +Signed-off-by: Rob Herring (Arm) +Link: https://patch.msgid.link/20240702215402.839673-1-robh@kernel.org +Signed-off-by: Mark Brown +Stable-dep-of: c2c0b67dca3c ("ASoC: tas2781-i2c: Drop weird GPIO code") +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 34 +++++++++++----------------------- + 1 file changed, 11 insertions(+), 23 deletions(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index a9d179e307739..61a64d18a7d55 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -633,33 +634,20 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + + tas_priv->irq_info.irq_gpio = + acpi_dev_gpio_irq_get(ACPI_COMPANION(&client->dev), 0); +- } else { ++ } else if (IS_ENABLED(CONFIG_OF)) { + struct device_node *np = tas_priv->dev->of_node; +-#ifdef CONFIG_OF +- const __be32 *reg, *reg_end; +- int len, sw, aw; +- +- aw = of_n_addr_cells(np); +- sw = of_n_size_cells(np); +- if (sw == 0) { +- reg = (const __be32 *)of_get_property(np, +- "reg", &len); +- reg_end = reg + len/sizeof(*reg); +- ndev = 0; +- do { +- dev_addrs[ndev] = of_read_number(reg, aw); +- reg += aw; +- ndev++; +- } while (reg < reg_end); +- } else { +- ndev = 1; +- dev_addrs[0] = client->addr; ++ u64 addr; ++ ++ for (i = 0; i < TASDEVICE_MAX_CHANNELS; i++) { ++ if (of_property_read_reg(np, i, &addr, NULL)) ++ break; ++ dev_addrs[ndev++] = addr; + } +-#else ++ ++ tas_priv->irq_info.irq_gpio = of_irq_get(np, 0); ++ } else { + ndev = 1; + dev_addrs[0] = client->addr; +-#endif +- tas_priv->irq_info.irq_gpio = of_irq_get(np, 0); + } + tas_priv->ndev = ndev; + for (i = 0; i < ndev; i++) +-- +2.43.0 + diff --git a/queue-6.6/ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch b/queue-6.6/ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch new file mode 100644 index 00000000000..cf339d9b56f --- /dev/null +++ b/queue-6.6/ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch @@ -0,0 +1,100 @@ +From 45c1535f1cf521c4cc8f388abf4cb0c7348b479a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 17:42:38 +0200 +Subject: ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data + +From: Niklas Cassel + +[ Upstream commit e5dd410acb34c7341a0a93b429dcf3dabf9e3323 ] + +When ata_qc_complete() schedules a command for EH using +ata_qc_schedule_eh(), blk_abort_request() will be called, which leads to +req->q->mq_ops->timeout() / scsi_timeout() being called. + +scsi_timeout(), if the LLDD has no abort handler (libata has no abort +handler), will set host byte to DID_TIME_OUT, and then call +scsi_eh_scmd_add() to add the command to EH. + +Thus, when commands first enter libata's EH strategy_handler, all the +commands that have been added to EH will have DID_TIME_OUT set. + +libata has its own flag (AC_ERR_TIMEOUT), that it sets for commands that +have not received a completion at the time of entering EH. + +Thus, libata doesn't really care about DID_TIME_OUT at all, and currently +clears the host byte at the end of EH, in ata_scsi_qc_complete(), before +scsi_eh_finish_cmd() is called. + +However, this clearing in ata_scsi_qc_complete() is currently only done +for commands that are not ATA passthrough commands. + +Since the host byte is visible in the completion that we return to user +space for ATA passthrough commands, for ATA passthrough commands that got +completed via EH (commands with sense data), the user will incorrectly see: +ATA pass-through(16): transport error: Host_status=0x03 [DID_TIME_OUT] + +Fix this by moving the clearing of the host byte (which is currently only +done for commands that are not ATA passthrough commands) from +ata_scsi_qc_complete() to the start of EH (regardless if the command is +ATA passthrough or not). + +While at it, use the proper helper function to clear the host byte, rather +than open coding the clearing. + +This will make sure that we: +-Correctly clear DID_TIME_OUT for both ATA passthrough commands and + commands that are not ATA passthrough commands. +-Do not needlessly clear the host byte for commands that did not go via EH. + ata_scsi_qc_complete() is called both for commands that are completed + normally (without going via EH), and for commands that went via EH, + however, only commands that went via EH will have DID_TIME_OUT set. + +Fixes: 24aeebbf8ea9 ("scsi: ata: libata: Change ata_eh_request_sense() to not set CHECK_CONDITION") +Reported-by: Igor Pylypiv +Closes: https://lore.kernel.org/linux-ide/ZttIN8He8TOZ7Lct@google.com/ +Signed-off-by: Niklas Cassel +Tested-by: Igor Pylypiv +Reviewed-by: Hannes Reinecke +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 8 ++++++++ + drivers/ata/libata-scsi.c | 3 --- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 1168e29cae86e..cd87457375454 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -618,6 +618,14 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap, + list_for_each_entry_safe(scmd, tmp, eh_work_q, eh_entry) { + struct ata_queued_cmd *qc; + ++ /* ++ * If the scmd was added to EH, via ata_qc_schedule_eh() -> ++ * scsi_timeout() -> scsi_eh_scmd_add(), scsi_timeout() will ++ * have set DID_TIME_OUT (since libata does not have an abort ++ * handler). Thus, to clear DID_TIME_OUT, clear the host byte. ++ */ ++ set_host_byte(scmd, DID_OK); ++ + ata_qc_for_each_raw(ap, qc, i) { + if (qc->flags & ATA_QCFLAG_ACTIVE && + qc->scsicmd == scmd) +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index c91f8746289f4..7a71add807a3a 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -1725,9 +1725,6 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc) + set_status_byte(qc->scsicmd, SAM_STAT_CHECK_CONDITION); + } else if (is_error && !have_sense) { + ata_gen_ata_sense(qc); +- } else { +- /* Keep the SCSI ML and status byte, clear host byte. */ +- cmd->result &= 0x0000ffff; + } + + ata_qc_done(qc); +-- +2.43.0 + diff --git a/queue-6.6/bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch b/queue-6.6/bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch new file mode 100644 index 00000000000..5a355b94b5a --- /dev/null +++ b/queue-6.6/bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch @@ -0,0 +1,70 @@ +From 6dd3683a283185f5707dbfc9a17549c30ae2c3f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 11:20:58 +0200 +Subject: bareudp: Pull inner IP header in bareudp_udp_encap_recv(). + +From: Guillaume Nault + +[ Upstream commit 45fa29c85117170b0508790f878b13ec6593c888 ] + +Bareudp reads the inner IP header to get the ECN value. Therefore, it +needs to ensure that it's part of the skb's linear data. + +This is similar to the vxlan and geneve fixes for that same problem: + * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().") + * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in + geneve_rx()") + +Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") +Signed-off-by: Guillaume Nault +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/5205940067c40218a70fbb888080466b2fc288db.1726046181.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bareudp.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c +index 277493e41b072..d0759d8bf7305 100644 +--- a/drivers/net/bareudp.c ++++ b/drivers/net/bareudp.c +@@ -67,6 +67,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + __be16 proto; + void *oiph; + int err; ++ int nh; + + bareudp = rcu_dereference_sk_user_data(sk); + if (!bareudp) +@@ -144,10 +145,25 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + } + skb_dst_set(skb, &tun_dst->dst); + skb->dev = bareudp->dev; +- oiph = skb_network_header(skb); +- skb_reset_network_header(skb); + skb_reset_mac_header(skb); + ++ /* Save offset of outer header relative to skb->head, ++ * because we are going to reset the network header to the inner header ++ * and might change skb->head. ++ */ ++ nh = skb_network_header(skb) - skb->head; ++ ++ skb_reset_network_header(skb); ++ ++ if (!pskb_inet_may_pull(skb)) { ++ DEV_STATS_INC(bareudp->dev, rx_length_errors); ++ DEV_STATS_INC(bareudp->dev, rx_errors); ++ goto drop; ++ } ++ ++ /* Get the outer header. */ ++ oiph = skb->head + nh; ++ + if (!ipv6_mod_enabled() || family == AF_INET) + err = IP_ECN_decapsulate(oiph, skb); + else +-- +2.43.0 + diff --git a/queue-6.6/bareudp-pull-inner-ip-header-on-xmit.patch b/queue-6.6/bareudp-pull-inner-ip-header-on-xmit.patch new file mode 100644 index 00000000000..9a78a733d92 --- /dev/null +++ b/queue-6.6/bareudp-pull-inner-ip-header-on-xmit.patch @@ -0,0 +1,51 @@ +From d150049b97dbdbe6c6f73dfb80059cac0099f206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 11:21:05 +0200 +Subject: bareudp: Pull inner IP header on xmit. + +From: Guillaume Nault + +[ Upstream commit c471236b2359e6b27388475dd04fff0a5e2bf922 ] + +Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner +IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore +we need to ensure that the inner IP header is part of the skb's linear +data. + +Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") +Signed-off-by: Guillaume Nault +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/267328222f0a11519c6de04c640a4f87a38ea9ed.1726046181.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bareudp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c +index d0759d8bf7305..54767154de265 100644 +--- a/drivers/net/bareudp.c ++++ b/drivers/net/bareudp.c +@@ -319,6 +319,9 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be32 saddr; + int err; + ++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB))) ++ return -EINVAL; ++ + if (!sock) + return -ESHUTDOWN; + +@@ -382,6 +385,9 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be16 sport; + int err; + ++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB))) ++ return -EINVAL; ++ + if (!sock) + return -ESHUTDOWN; + +-- +2.43.0 + diff --git a/queue-6.6/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch b/queue-6.6/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch new file mode 100644 index 00000000000..0d789272b93 --- /dev/null +++ b/queue-6.6/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch @@ -0,0 +1,61 @@ +From ddcf915eb92a7f065e85798faf2fef39414e1bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:27 +0800 +Subject: block, bfq: choose the last bfqq from merge chain in + bfq_setup_cooperator() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ] + +Consider the following merge chain: + +Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \--------------\ \-------------\ \-------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + +IO from Process 1 will get bfqf2 from BIC1 first, then +bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then +handle this IO from bfqq3. However, the merge chain can be much deeper +and bfqq3 can be merged to other bfqq as well. + +Fix this problem by iterating to the last bfqq in +bfq_setup_cooperator(). + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 7d13420a16d6a..bdb7ceb680890 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2911,8 +2911,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + struct bfq_iocq_bfqq_data *bfqq_data = &bic->bfqq_data[a_idx]; + + /* if a merge has already been setup, then proceed with that first */ +- if (bfqq->new_bfqq) +- return bfqq->new_bfqq; ++ new_bfqq = bfqq->new_bfqq; ++ if (new_bfqq) { ++ while (new_bfqq->new_bfqq) ++ new_bfqq = new_bfqq->new_bfqq; ++ return new_bfqq; ++ } + + /* + * Check delayed stable merge for rotational or non-queueing +-- +2.43.0 + diff --git a/queue-6.6/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch b/queue-6.6/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch new file mode 100644 index 00000000000..48e3763a9de --- /dev/null +++ b/queue-6.6/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch @@ -0,0 +1,66 @@ +From 97042139a91afbd60cb493b89802438927f8292d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:28 +0800 +Subject: block, bfq: don't break merge chain in bfq_split_bfqq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ] + +Consider the following scenario: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \-------------\ \-------------\ \--------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 +ref 0 1 2 4 + +If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq() +decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference +of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will +break the merge chain. + +Expected result: caller will allocate a new bfqq for BIC1 + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + | | | + \-------------\ \--------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 +ref 0 0 1 3 + +Since the condition is only used for the last bfqq4 when the previous +bfqq2 and bfqq3 are already splited. Fix the problem by checking if +bfqq is the last one in the merge chain as well. + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index bdb7ceb680890..2c09c298d8940 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6725,7 +6725,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq) + { + bfq_log_bfqq(bfqq->bfqd, bfqq, "splitting queue"); + +- if (bfqq_process_refs(bfqq) == 1) { ++ if (bfqq_process_refs(bfqq) == 1 && !bfqq->new_bfqq) { + bfqq->pid = current->pid; + bfq_clear_bfqq_coop(bfqq); + bfq_clear_bfqq_split_coop(bfqq); +-- +2.43.0 + diff --git a/queue-6.6/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch b/queue-6.6/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch new file mode 100644 index 00000000000..6434f41e8d7 --- /dev/null +++ b/queue-6.6/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch @@ -0,0 +1,225 @@ +From 67dd804b88b3ed1a52829cb34a79da44b3ee9b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:26 +0800 +Subject: block, bfq: fix possible UAF for bfqq->bic with merge chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ] + +1) initial state, three tasks: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + | Λ | Λ | Λ + | | | | | | + V | V | V | + bfqq1 bfqq2 bfqq3 +process ref: 1 1 1 + +2) bfqq1 merged to bfqq2: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + | | | Λ + \--------------\| | | + V V | + bfqq1--------->bfqq2 bfqq3 +process ref: 0 2 1 + +3) bfqq2 merged to bfqq3: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + here -> Λ | | + \--------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3 +process ref: 0 1 3 + +In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then +get bfqq3 through merge chain, and finially handle IO by bfqq3. +Howerver, current code will think bfqq2 is owned by BIC1, like initial +state, and set bfqq2->bic to BIC1. + +bfq_insert_request +-> by Process 1 + bfqq = bfq_init_rq(rq) + bfqq = bfq_get_bfqq_handle_split + bfqq = bic_to_bfqq + -> get bfqq2 from BIC1 + bfqq->ref++ + rq->elv.priv[0] = bic + rq->elv.priv[1] = bfqq + if (bfqq_process_refs(bfqq) == 1) + bfqq->bic = bic + -> record BIC1 to bfqq2 + + __bfq_insert_request + new_bfqq = bfq_setup_cooperator + -> get bfqq3 from bfqq2->new_bfqq + bfqq_request_freed(bfqq) + new_bfqq->ref++ + rq->elv.priv[1] = new_bfqq + -> handle IO by bfqq3 + +Fix the problem by checking bfqq is from merge chain fist. And this +might fix a following problem reported by our syzkaller(unreproducible): + +================================================================== +BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] +BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] +BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 +Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 + +CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_requeue_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:364 [inline] + print_report+0x10d/0x610 mm/kasan/report.c:475 + kasan_report+0x8e/0xc0 mm/kasan/report.c:588 + bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] + bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] + bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 + bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 + bfq_init_rq block/bfq-iosched.c:6876 [inline] + bfq_insert_request block/bfq-iosched.c:6254 [inline] + bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 + blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 + blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + + +Allocated by task 20776: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:188 [inline] + slab_post_alloc_hook mm/slab.h:763 [inline] + slab_alloc_node mm/slub.c:3458 [inline] + kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 + ioc_create_icq block/blk-ioc.c:370 [inline] + ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436 + bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812 + blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403 + __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517 + blk_mq_get_new_requests block/blk-mq.c:2940 [inline] + blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042 + __submit_bio+0x331/0x6f0 block/blk-core.c:624 + __submit_bio_noacct_mq block/blk-core.c:703 [inline] + submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732 + submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826 + xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958 + xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619 + xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +Freed by task 946: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:164 [inline] + slab_free_hook mm/slub.c:1815 [inline] + slab_free_freelist_hook mm/slub.c:1841 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0x118/0x6f0 mm/slub.c:3808 + rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189 + rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462 + __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553 + +Last potentially related work creation: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 + __call_rcu_common kernel/rcu/tree.c:2712 [inline] + call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 + ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 + ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +Second to last potentially related work creation: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 + __call_rcu_common kernel/rcu/tree.c:2712 [inline] + call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 + ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 + ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +The buggy address belongs to the object at ffff888123839d68 + which belongs to the cache bfq_io_cq of size 1360 +The buggy address is located 336 bytes inside of + freed 1360-byte region [ffff888123839d68, ffff88812383a2b8) + +The buggy address belongs to the physical page: +page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838 +head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff) +page_type: 0xffffffff() +raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488 +raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 3cce6de464a7b..7d13420a16d6a 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6932,7 +6932,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq) + * addition, if the queue has also just been split, we have to + * resume its state. + */ +- if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) { ++ if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq && ++ bfqq_process_refs(bfqq) == 1) { + bfqq->bic = bic; + if (split) { + /* +-- +2.43.0 + diff --git a/queue-6.6/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch b/queue-6.6/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch new file mode 100644 index 00000000000..eaf8cee627d --- /dev/null +++ b/queue-6.6/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch @@ -0,0 +1,159 @@ +From 6d1e4e3f5c19a9231cb63ea3ba587e156aec4b5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:41:49 +0800 +Subject: block, bfq: fix procress reference leakage for bfqq in merge chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] + +Original state: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \--------------\ \-------------\ \-------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 1 2 4 + +After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge +chain in bfq_setup_cooperator()"), if P1 issues a new IO: + +Without the patch: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \------------------------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 0 2 4 + +bfqq3 will be used to handle IO from P1, this is not expected, IO +should be redirected to bfqq4; + +With the patch: + + ------------------------------------------- + | | + Process 1 Process 2 Process 3 | Process 4 + (BIC1) (BIC2) (BIC3) | (BIC4) + | | | | + \-------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 0 2 4 + +IO is redirected to bfqq4, however, procress reference of bfqq3 is still +2, while there is only P2 using it. + +Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge +chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify +code. + +Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 37 +++++++++++++++++-------------------- + 1 file changed, 17 insertions(+), 20 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 055ba1f98009d..7e0dcded5713a 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -3129,10 +3129,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq) + bfq_put_queue(bfqq); + } + +-static void +-bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, +- struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) ++static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd, ++ struct bfq_io_cq *bic, ++ struct bfq_queue *bfqq) + { ++ struct bfq_queue *new_bfqq = bfqq->new_bfqq; ++ + bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu", + (unsigned long)new_bfqq->pid); + /* Save weight raising and idle window of the merged queues */ +@@ -3226,6 +3228,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, + bfq_reassign_last_bfqq(bfqq, new_bfqq); + + bfq_release_process_ref(bfqd, bfqq); ++ ++ return new_bfqq; + } + + static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, +@@ -3261,14 +3265,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, + * fulfilled, i.e., bic can be redirected to new_bfqq + * and bfqq can be put. + */ +- bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq, +- new_bfqq); +- /* +- * If we get here, bio will be queued into new_queue, +- * so use new_bfqq to decide whether bio and rq can be +- * merged. +- */ +- bfqq = new_bfqq; ++ while (bfqq != new_bfqq) ++ bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq); + + /* + * Change also bqfd->bio_bfqq, as +@@ -5703,9 +5701,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq, + * state before killing it. + */ + bfqq->bic = bic; +- bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq); +- +- return new_bfqq; ++ return bfq_merge_bfqqs(bfqd, bic, bfqq); + } + + /* +@@ -6160,6 +6156,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) + bool waiting, idle_timer_disabled = false; + + if (new_bfqq) { ++ struct bfq_queue *old_bfqq = bfqq; + /* + * Release the request's reference to the old bfqq + * and make sure one is taken to the shared queue. +@@ -6176,18 +6173,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) + * new_bfqq. + */ + if (bic_to_bfqq(RQ_BIC(rq), true, +- bfq_actuator_index(bfqd, rq->bio)) == bfqq) +- bfq_merge_bfqqs(bfqd, RQ_BIC(rq), +- bfqq, new_bfqq); ++ bfq_actuator_index(bfqd, rq->bio)) == bfqq) { ++ while (bfqq != new_bfqq) ++ bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq); ++ } + +- bfq_clear_bfqq_just_created(bfqq); ++ bfq_clear_bfqq_just_created(old_bfqq); + /* + * rq is about to be enqueued into new_bfqq, + * release rq reference on bfqq + */ +- bfq_put_queue(bfqq); ++ bfq_put_queue(old_bfqq); + rq->elv.priv[1] = new_bfqq; +- bfqq = new_bfqq; + } + + bfq_update_io_thinktime(bfqd, bfqq); +-- +2.43.0 + diff --git a/queue-6.6/block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch b/queue-6.6/block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch new file mode 100644 index 00000000000..9c9074fd1a2 --- /dev/null +++ b/queue-6.6/block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch @@ -0,0 +1,95 @@ +From 2096dc8bb2365d3e5260dae98cfd86cdf2bde09f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:41:48 +0800 +Subject: block, bfq: fix uaf for accessing waker_bfqq after splitting + +From: Yu Kuai + +[ Upstream commit 1ba0403ac6447f2d63914fb760c44a3b19c44eaf ] + +After commit 42c306ed7233 ("block, bfq: don't break merge chain in +bfq_split_bfqq()"), if the current procress is the last holder of bfqq, +the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and +then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq +may in the merge chain of bfqq, hence just recored waker_bfqq is still +not safe. + +Fix the problem by adding a helper bfq_waker_bfqq() to check if +bfqq->waker_bfqq is in the merge chain, and current procress is the only +holder. + +Fixes: 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240909134154.954924-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 31 ++++++++++++++++++++++++++++--- + 1 file changed, 28 insertions(+), 3 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 2c09c298d8940..055ba1f98009d 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6823,6 +6823,31 @@ static void bfq_prepare_request(struct request *rq) + rq->elv.priv[0] = rq->elv.priv[1] = NULL; + } + ++static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq) ++{ ++ struct bfq_queue *new_bfqq = bfqq->new_bfqq; ++ struct bfq_queue *waker_bfqq = bfqq->waker_bfqq; ++ ++ if (!waker_bfqq) ++ return NULL; ++ ++ while (new_bfqq) { ++ if (new_bfqq == waker_bfqq) { ++ /* ++ * If waker_bfqq is in the merge chain, and current ++ * is the only procress. ++ */ ++ if (bfqq_process_refs(waker_bfqq) == 1) ++ return NULL; ++ break; ++ } ++ ++ new_bfqq = new_bfqq->new_bfqq; ++ } ++ ++ return waker_bfqq; ++} ++ + /* + * If needed, init rq, allocate bfq data structures associated with + * rq, and increment reference counters in the destination bfq_queue +@@ -6884,7 +6909,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq) + /* If the queue was seeky for too long, break it apart. */ + if (bfq_bfqq_coop(bfqq) && bfq_bfqq_split_coop(bfqq) && + !bic->bfqq_data[a_idx].stably_merged) { +- struct bfq_queue *old_bfqq = bfqq; ++ struct bfq_queue *waker_bfqq = bfq_waker_bfqq(bfqq); + + /* Update bic before losing reference to bfqq */ + if (bfq_bfqq_in_large_burst(bfqq)) +@@ -6904,7 +6929,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq) + bfqq_already_existing = true; + + if (!bfqq_already_existing) { +- bfqq->waker_bfqq = old_bfqq->waker_bfqq; ++ bfqq->waker_bfqq = waker_bfqq; + bfqq->tentative_waker_bfqq = NULL; + + /* +@@ -6914,7 +6939,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq) + * woken_list of the waker. See + * bfq_check_waker for details. + */ +- if (bfqq->waker_bfqq) ++ if (waker_bfqq) + hlist_add_head(&bfqq->woken_list_node, + &bfqq->waker_bfqq->woken_list); + } +-- +2.43.0 + diff --git a/queue-6.6/block-fix-potential-invalid-pointer-dereference-in-b.patch b/queue-6.6/block-fix-potential-invalid-pointer-dereference-in-b.patch new file mode 100644 index 00000000000..2a3c2c86276 --- /dev/null +++ b/queue-6.6/block-fix-potential-invalid-pointer-dereference-in-b.patch @@ -0,0 +1,54 @@ +From 083e45027c36462b75d29acde5accfe4515e94d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 18:59:54 +0530 +Subject: block: fix potential invalid pointer dereference in blk_add_partition + +From: Riyan Dhiman + +[ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] + +The blk_add_partition() function initially used a single if-condition +(IS_ERR(part)) to check for errors when adding a partition. This was +modified to handle the specific case of -ENXIO separately, allowing the +function to proceed without logging the error in this case. However, +this change unintentionally left a path where md_autodetect_dev() +could be called without confirming that part is a valid pointer. + +This commit separates the error handling logic by splitting the +initial if-condition, improving code readability and handling specific +error scenarios explicitly. The function now distinguishes the general +error case from -ENXIO without altering the existing behavior of +md_autodetect_dev() calls. + +Fixes: b72053072c0b (block: allow partitions on host aware zone devices) +Signed-off-by: Riyan Dhiman +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/partitions/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/block/partitions/core.c b/block/partitions/core.c +index 6b2ef9977617a..fc0ab5d8ab705 100644 +--- a/block/partitions/core.c ++++ b/block/partitions/core.c +@@ -574,9 +574,11 @@ static bool blk_add_partition(struct gendisk *disk, + + part = add_partition(disk, p, from, size, state->parts[p].flags, + &state->parts[p].info); +- if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { +- printk(KERN_ERR " %s: p%d could not be added: %pe\n", +- disk->disk_name, p, part); ++ if (IS_ERR(part)) { ++ if (PTR_ERR(part) != -ENXIO) { ++ printk(KERN_ERR " %s: p%d could not be added: %pe\n", ++ disk->disk_name, p, part); ++ } + return true; + } + +-- +2.43.0 + diff --git a/queue-6.6/block-print-symbolic-error-name-instead-of-error-cod.patch b/queue-6.6/block-print-symbolic-error-name-instead-of-error-cod.patch new file mode 100644 index 00000000000..59d6e84a044 --- /dev/null +++ b/queue-6.6/block-print-symbolic-error-name-instead-of-error-cod.patch @@ -0,0 +1,44 @@ +From 0f6dd9a2d268a8578879bc1584d325a6acdfda44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 00:15:18 +0100 +Subject: block: print symbolic error name instead of error code + +From: Christian Heusel + +[ Upstream commit 25c1772a0493463408489b1fae65cf77fe46cac1 ] + +Utilize the %pe print specifier to get the symbolic error name as a +string (i.e "-ENOMEM") in the log message instead of the error code to +increase its readablility. + +This change was suggested in +https://lore.kernel.org/all/92972476-0b1f-4d0a-9951-af3fc8bc6e65@suswa.mountain/ + +Signed-off-by: Christian Heusel +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20240111231521.1596838-1-christian@heusel.eu +Signed-off-by: Jens Axboe +Stable-dep-of: 26e197b7f924 ("block: fix potential invalid pointer dereference in blk_add_partition") +Signed-off-by: Sasha Levin +--- + block/partitions/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/partitions/core.c b/block/partitions/core.c +index 962e4b57d64ab..6b2ef9977617a 100644 +--- a/block/partitions/core.c ++++ b/block/partitions/core.c +@@ -575,8 +575,8 @@ static bool blk_add_partition(struct gendisk *disk, + part = add_partition(disk, p, from, size, state->parts[p].flags, + &state->parts[p].info); + if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { +- printk(KERN_ERR " %s: p%d could not be added: %ld\n", +- disk->disk_name, p, -PTR_ERR(part)); ++ printk(KERN_ERR " %s: p%d could not be added: %pe\n", ++ disk->disk_name, p, part); + return true; + } + +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch b/queue-6.6/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch new file mode 100644 index 00000000000..fd8f7d09bda --- /dev/null +++ b/queue-6.6/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch @@ -0,0 +1,45 @@ +From c8067d098a83433dd77692cb2de6009e93d812a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 16:51:52 -0400 +Subject: Bluetooth: btusb: Fix not handling ZPL/short-transfer + +From: Luiz Augusto von Dentz + +[ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ] + +Requesting transfers of the exact same size of wMaxPacketSize may result +in ZPL/short-transfer since the USB stack cannot handle it as we are +limiting the buffer size to be the same as wMaxPacketSize. + +Also, in terms of throughput this change has the same effect to +interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput +by increasing the frame size" had for the bulk endpoint, so users of the +advertisement bearer (e.g. BT Mesh) may benefit from this change. + +Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Kiran K +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index c495fceda20a2..0a58106207b0c 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1352,7 +1352,10 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) + if (!urb) + return -ENOMEM; + +- size = le16_to_cpu(data->intr_ep->wMaxPacketSize); ++ /* Use maximum HCI Event size so the USB stack handles ++ * ZPL/short-transfer automatically. ++ */ ++ size = HCI_MAX_EVENT_SIZE; + + buf = kmalloc(size, mem_flags); + if (!buf) { +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch b/queue-6.6/bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch new file mode 100644 index 00000000000..7fb80fc55bd --- /dev/null +++ b/queue-6.6/bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch @@ -0,0 +1,90 @@ +From 5e9211beb738d7efe25929e4d7a51e298eb16041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 17:29:27 -0400 +Subject: Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED + +From: Luiz Augusto von Dentz + +[ Upstream commit d47da6bd4cfa982fe903f33423b9e2ec541e9496 ] + +If HCI_CONN_MGMT_CONNECTED has been set then the event shall be +HCI_CONN_MGMT_DISCONNECTED. + +Fixes: b644ba336997 ("Bluetooth: Update device_connected and device_found events to latest API") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 4 ++-- + net/bluetooth/hci_conn.c | 6 ++---- + net/bluetooth/mgmt.c | 13 +++++++++---- + 3 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 29f1549ee1114..0f50c0cefcb7d 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -2224,8 +2224,8 @@ void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, + bool mgmt_connected); + void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, + u8 link_type, u8 addr_type, u8 status); +-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, +- u8 addr_type, u8 status); ++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn, ++ u8 status); + void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure); + void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr, + u8 status); +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index d8a01eb016ad0..ed95a87ef9ab6 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -107,8 +107,7 @@ void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + * where a timeout + cancel does indicate an actual failure. + */ + if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) +- mgmt_connect_failed(hdev, &conn->dst, conn->type, +- conn->dst_type, status); ++ mgmt_connect_failed(hdev, conn, status); + + /* The connection attempt was doing scan for new RPA, and is + * in scan phase. If params are not associated with any other +@@ -1233,8 +1232,7 @@ void hci_conn_failed(struct hci_conn *conn, u8 status) + hci_le_conn_failed(conn, status); + break; + case ACL_LINK: +- mgmt_connect_failed(hdev, &conn->dst, conn->type, +- conn->dst_type, status); ++ mgmt_connect_failed(hdev, conn, status); + break; + } + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 4ae9029b5785f..149aff29e5646 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -9724,13 +9724,18 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, + mgmt_pending_remove(cmd); + } + +-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, +- u8 addr_type, u8 status) ++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn, u8 status) + { + struct mgmt_ev_connect_failed ev; + +- bacpy(&ev.addr.bdaddr, bdaddr); +- ev.addr.type = link_to_bdaddr(link_type, addr_type); ++ if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { ++ mgmt_device_disconnected(hdev, &conn->dst, conn->type, ++ conn->dst_type, status, true); ++ return; ++ } ++ ++ bacpy(&ev.addr.bdaddr, &conn->dst); ++ ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type); + ev.status = mgmt_status(status); + + mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL); +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch b/queue-6.6/bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch new file mode 100644 index 00000000000..24e2fb21dd2 --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch @@ -0,0 +1,40 @@ +From 8f10262475fa599311bdf0373e8b3f0bf8ccd4f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 12:05:00 -0700 +Subject: Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL + +From: Luiz Augusto von Dentz + +[ Upstream commit cfbfeee61582e638770a1a10deef866c9adb38f5 ] + +This ignores errors from HCI_OP_REMOTE_NAME_REQ_CANCEL since it +shouldn't interfere with the stopping of discovery and in certain +conditions it seems to be failing. + +Link: https://github.com/bluez/bluez/issues/575 +Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index af7817a7c585b..75515a1d2923a 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -5391,7 +5391,10 @@ int hci_stop_discovery_sync(struct hci_dev *hdev) + if (!e) + return 0; + +- return hci_remote_name_cancel_sync(hdev, &e->data.bdaddr); ++ /* Ignore cancel errors since it should interfere with stopping ++ * of the discovery. ++ */ ++ hci_remote_name_cancel_sync(hdev, &e->data.bdaddr); + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch b/queue-6.6/bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch new file mode 100644 index 00000000000..23554cbd4e0 --- /dev/null +++ b/queue-6.6/bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch @@ -0,0 +1,66 @@ +From 6e09efdcf136bad2cf1655ea429f12f404679ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 14:06:02 +0000 +Subject: bonding: Fix unnecessary warnings and logs from + bond_xdp_get_xmit_slave() + +From: Jiwon Kim + +[ Upstream commit 0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c ] + +syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce +this[1], one bond device (bond1) has xdpdrv, which increases +bpf_master_redirect_enabled_key. Another bond device (bond0) which is +unsupported by XDP but its slave (veth3) has xdpgeneric that returns +XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect(). +To reduce unnecessary warnings and improve log management, we need to +delete the WARN_ON_ONCE() and add ratelimit to the netdev_err(). + +[1] Steps to reproduce: + # Needs tx_xdp with return XDP_TX; + ip l add veth0 type veth peer veth1 + ip l add veth3 type veth peer veth4 + ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP + ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default + ip l set veth0 master bond1 + ip l set bond1 up + # Increases bpf_master_redirect_enabled_key + ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx + ip l set veth3 master bond0 + ip l set bond0 up + ip l set veth4 up + # Triggers WARN_ON_ONCE() from the xdp_master_redirect() + ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx + +Reported-by: syzbot+c187823a52ed505b2257@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c187823a52ed505b2257 +Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver") +Signed-off-by: Jiwon Kim +Signed-off-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20240918140602.18644-1-jiwonaid0@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 53a7b53618d94..14b4780b73c72 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5534,9 +5534,9 @@ bond_xdp_get_xmit_slave(struct net_device *bond_dev, struct xdp_buff *xdp) + break; + + default: +- /* Should never happen. Mode guarded by bond_xdp_check() */ +- netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n", BOND_MODE(bond)); +- WARN_ON_ONCE(1); ++ if (net_ratelimit()) ++ netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n", ++ BOND_MODE(bond)); + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.6/bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch b/queue-6.6/bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch new file mode 100644 index 00000000000..6654bac25a2 --- /dev/null +++ b/queue-6.6/bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch @@ -0,0 +1,71 @@ +From e01be549181b7ad4283f1d75f02016faaa39159a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 01:01:23 -0700 +Subject: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos + +From: Eduard Zingerman + +[ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ] + +In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL +referencing a non-existing BTF type, function bpf_core_calc_relo_insn +would cause a null pointer deference. + +Fix this by adding a proper check upper in call stack, as malformed +relocation records could be passed from user space. + +Simplest reproducer is a program: + + r0 = 0 + exit + +With a single relocation record: + + .insn_off = 0, /* patch first instruction */ + .type_id = 100500, /* this type id does not exist */ + .access_str_off = 6, /* offset of string "0" */ + .kind = BPF_CORE_TYPE_ID_LOCAL, + +See the link for original reproducer or next commit for a test case. + +Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().") +Reported-by: Liu RuiTong +Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzipFSA@mail.gmail.com/ +Acked-by: Andrii Nakryiko +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index fbf9721ba21b6..e0e4d4f490e87 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -8421,6 +8421,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, + struct bpf_core_cand_list cands = {}; + struct bpf_core_relo_res targ_res; + struct bpf_core_spec *specs; ++ const struct btf_type *type; + int err; + + /* ~4k of temp memory necessary to convert LLVM spec like "0:1:0:5" +@@ -8430,6 +8431,13 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, + if (!specs) + return -ENOMEM; + ++ type = btf_type_by_id(ctx->btf, relo->type_id); ++ if (!type) { ++ bpf_log(ctx->log, "relo #%u: bad type id %u\n", ++ relo_idx, relo->type_id); ++ return -EINVAL; ++ } ++ + if (need_cands) { + struct bpf_cand_cache *cc; + int i; +-- +2.43.0 + diff --git a/queue-6.6/bpf-disable-some-attribute-ignored-warnings-in-gcc.patch b/queue-6.6/bpf-disable-some-attribute-ignored-warnings-in-gcc.patch new file mode 100644 index 00000000000..6a61193ec2c --- /dev/null +++ b/queue-6.6/bpf-disable-some-attribute-ignored-warnings-in-gcc.patch @@ -0,0 +1,93 @@ +From 769f04a675da33fdcebff9296b35e1b98ddd4861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 09:42:27 +0200 +Subject: bpf: Disable some `attribute ignored' warnings in GCC + +From: Jose E. Marchesi + +[ Upstream commit b0fbdf759da05a35b67fd27b8859738b79af25d6 ] + +This patch modifies selftests/bpf/Makefile to pass -Wno-attributes to +GCC. This is because of the following attributes which are ignored: + +- btf_decl_tag +- btf_type_tag + + There are many of these. At the moment none of these are + recognized/handled by gcc-bpf. + + We are aware that btf_decl_tag is necessary for some of the + selftest harness to communicate test failure/success. Support for + it is in progress in GCC upstream: + + https://gcc.gnu.org/pipermail/gcc-patches/2024-May/650482.html + + However, the GCC master branch is not yet open, so the series + above (currently under review upstream) wont be able to make it + there until 14.1 gets released, probably mid next week. + + As for btf_type_tag, more extensive work will be needed in GCC + upstream to support it in both BTF and DWARF. We have a WIP big + patch for that, but that is not needed to compile/build the + selftests. + +- used + + There are SEC macros defined in the selftests as: + + #define SEC(N) __attribute__((section(N),used)) + + The SEC macro is used for both functions and global variables. + According to the GCC documentation `used' attribute is really only + meaningful for functions, and it warns when the attribute is used + for other global objects, like for example ctl_array in + test_xdp_noinline.c. + + Ignoring this is benign. + +- align_value + + In progs/test_cls_redirect.c:127 there is: + + typedef uint8_t *net_ptr __attribute__((align_value(8))); + + GCC warns that it is ignoring this attribute, because it is not + implemented by GCC. + + I think ignoring this attribute in GCC is benign, because according + to the clang documentation [1] its purpose seems to be merely + declarative and doesn't seem to translate into extra checks at + run-time, only to perhaps better optimized code ("runtime behavior + is undefined if the pointed memory object is not aligned to the + specified alignment"). + + [1] https://clang.llvm.org/docs/AttributeReference.html#align-value + +Tested in bpf-next master. + +Signed-off-by: Jose E. Marchesi +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20240507074227.4523-3-jose.marchesi@oracle.com +Stable-dep-of: 3ece93a4087b ("selftests/bpf: Fix wrong binary in Makefile log output") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 397306f5cf911..e0f499794f162 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -412,7 +412,7 @@ endef + # Build BPF object using GCC + define GCC_BPF_BUILD_RULE + $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2) +- $(Q)$(BPF_GCC) $3 -O2 -c $1 -o $2 ++ $(Q)$(BPF_GCC) $3 -Wno-attributes -O2 -c $1 -o $2 + endef + + SKEL_BLACKLIST := btf__% test_pinning_invalid.c test_sk_assign.c +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch b/queue-6.6/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch new file mode 100644 index 00000000000..58812620af5 --- /dev/null +++ b/queue-6.6/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch @@ -0,0 +1,74 @@ +From 45490ec17585ebfc5fa2245d20f523d3adc3cc40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 21:17:46 +0200 +Subject: bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit + +From: Daniel Borkmann + +[ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ] + +The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit: + +The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long" +and therefore always considered fixed 64bit no matter if 64 or 32bit underlying +architecture. + +This contract breaks in case of the two mentioned helpers since their BPF_CALL +definition for the helpers was added with {unsigned,}long *res. Meaning, the +transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper) +breaks here. + +Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning +the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program +point of view, this means upper bits will be seen as uninitialised. + +Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation. + +Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h +for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger +compiler warnings (incompatible pointer types passing 'long *' to parameter of type +'__s64 *' (aka 'long long *')) for existing BPF programs. + +Leaving the signatures as-is would be fine as from BPF program point of view it is +still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying +architectures. + +Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue. + +Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers") +Reported-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/481fcec8-c12c-9abb-8ecb-76c71c009959@iogearbox.net +Link: https://lore.kernel.org/r/20240913191754.13290-1-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 9ab6be9653059..0dad29f3e3ba8 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -516,7 +516,7 @@ static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags, + } + + BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags, +- long *, res) ++ s64 *, res) + { + long long _res; + int err; +@@ -541,7 +541,7 @@ const struct bpf_func_proto bpf_strtol_proto = { + }; + + BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags, +- unsigned long *, res) ++ u64 *, res) + { + unsigned long long _res; + bool is_negative; +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-helper-writes-to-read-only-maps.patch b/queue-6.6/bpf-fix-helper-writes-to-read-only-maps.patch new file mode 100644 index 00000000000..8d5e09116c9 --- /dev/null +++ b/queue-6.6/bpf-fix-helper-writes-to-read-only-maps.patch @@ -0,0 +1,247 @@ +From 96ab91f9d9d2f539243e5ed86176fcd9ada438ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 21:17:48 +0200 +Subject: bpf: Fix helper writes to read-only maps + +From: Daniel Borkmann + +[ Upstream commit 32556ce93bc45c730829083cb60f95a2728ea48b ] + +Lonial found an issue that despite user- and BPF-side frozen BPF map +(like in case of .rodata), it was still possible to write into it from +a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} +as arguments. + +In check_func_arg() when the argument is as mentioned, the meta->raw_mode +is never set. Later, check_helper_mem_access(), under the case of +PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the +subsequent call to check_map_access_type() and given the BPF map is +read-only it succeeds. + +The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT +when results are written into them as opposed to read out of them. The +latter indicates that it's okay to pass a pointer to uninitialized memory +as the memory is written to anyway. + +However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM +just with additional alignment requirement. So it is better to just get +rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the +fixed size memory types. For this, add MEM_ALIGNED to additionally ensure +alignment given these helpers write directly into the args via * = val. +The .arg*_size has been initialized reflecting the actual sizeof(*). + +MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated +argument types, since in !MEM_FIXED_SIZE cases the verifier does not know +the buffer size a priori and therefore cannot blindly write * = val. + +Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") +Reported-by: Lonial Con +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Acked-by: Shung-Hsi Yu +Link: https://lore.kernel.org/r/20240913191754.13290-3-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 7 +++++-- + kernel/bpf/helpers.c | 6 ++++-- + kernel/bpf/syscall.c | 3 ++- + kernel/bpf/verifier.c | 41 +++++----------------------------------- + kernel/trace/bpf_trace.c | 6 ++++-- + net/core/filter.c | 6 ++++-- + 6 files changed, 24 insertions(+), 45 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index e4cd28c38b825..722102518dc95 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -675,6 +675,11 @@ enum bpf_type_flag { + /* DYNPTR points to xdp_buff */ + DYNPTR_TYPE_XDP = BIT(16 + BPF_BASE_TYPE_BITS), + ++ /* Memory must be aligned on some architectures, used in combination with ++ * MEM_FIXED_SIZE. ++ */ ++ MEM_ALIGNED = BIT(17 + BPF_BASE_TYPE_BITS), ++ + __BPF_TYPE_FLAG_MAX, + __BPF_TYPE_LAST_FLAG = __BPF_TYPE_FLAG_MAX - 1, + }; +@@ -711,8 +716,6 @@ enum bpf_arg_type { + ARG_ANYTHING, /* any (initialized) argument is ok */ + ARG_PTR_TO_SPIN_LOCK, /* pointer to bpf_spin_lock */ + ARG_PTR_TO_SOCK_COMMON, /* pointer to sock_common */ +- ARG_PTR_TO_INT, /* pointer to int */ +- ARG_PTR_TO_LONG, /* pointer to long */ + ARG_PTR_TO_SOCKET, /* pointer to bpf_sock (fullsock) */ + ARG_PTR_TO_BTF_ID, /* pointer to in-kernel struct */ + ARG_PTR_TO_RINGBUF_MEM, /* pointer to dynamically reserved ringbuf memory */ +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 0dad29f3e3ba8..10ad4bd5574af 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -537,7 +537,8 @@ const struct bpf_func_proto bpf_strtol_proto = { + .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type = ARG_CONST_SIZE, + .arg3_type = ARG_ANYTHING, +- .arg4_type = ARG_PTR_TO_LONG, ++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg4_size = sizeof(s64), + }; + + BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags, +@@ -565,7 +566,8 @@ const struct bpf_func_proto bpf_strtoul_proto = { + .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type = ARG_CONST_SIZE, + .arg3_type = ARG_ANYTHING, +- .arg4_type = ARG_PTR_TO_LONG, ++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg4_size = sizeof(u64), + }; + + BPF_CALL_3(bpf_strncmp, const char *, s1, u32, s1_sz, const char *, s2) +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 65df92f5b1922..d7df95bcc848a 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -5667,7 +5667,8 @@ static const struct bpf_func_proto bpf_kallsyms_lookup_name_proto = { + .arg1_type = ARG_PTR_TO_MEM, + .arg2_type = ARG_CONST_SIZE_OR_ZERO, + .arg3_type = ARG_ANYTHING, +- .arg4_type = ARG_PTR_TO_LONG, ++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg4_size = sizeof(u64), + }; + + static const struct bpf_func_proto * +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 9d5699942273e..f778a1b9e1cfd 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7997,16 +7997,6 @@ static bool arg_type_is_dynptr(enum bpf_arg_type type) + return base_type(type) == ARG_PTR_TO_DYNPTR; + } + +-static int int_ptr_type_to_size(enum bpf_arg_type type) +-{ +- if (type == ARG_PTR_TO_INT) +- return sizeof(u32); +- else if (type == ARG_PTR_TO_LONG) +- return sizeof(u64); +- +- return -EINVAL; +-} +- + static int resolve_map_arg_type(struct bpf_verifier_env *env, + const struct bpf_call_arg_meta *meta, + enum bpf_arg_type *arg_type) +@@ -8079,16 +8069,6 @@ static const struct bpf_reg_types mem_types = { + }, + }; + +-static const struct bpf_reg_types int_ptr_types = { +- .types = { +- PTR_TO_STACK, +- PTR_TO_PACKET, +- PTR_TO_PACKET_META, +- PTR_TO_MAP_KEY, +- PTR_TO_MAP_VALUE, +- }, +-}; +- + static const struct bpf_reg_types spin_lock_types = { + .types = { + PTR_TO_MAP_VALUE, +@@ -8143,8 +8123,6 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = { + [ARG_PTR_TO_SPIN_LOCK] = &spin_lock_types, + [ARG_PTR_TO_MEM] = &mem_types, + [ARG_PTR_TO_RINGBUF_MEM] = &ringbuf_mem_types, +- [ARG_PTR_TO_INT] = &int_ptr_types, +- [ARG_PTR_TO_LONG] = &int_ptr_types, + [ARG_PTR_TO_PERCPU_BTF_ID] = &percpu_btf_ptr_types, + [ARG_PTR_TO_FUNC] = &func_ptr_types, + [ARG_PTR_TO_STACK] = &stack_ptr_types, +@@ -8651,9 +8629,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + */ + meta->raw_mode = arg_type & MEM_UNINIT; + if (arg_type & MEM_FIXED_SIZE) { +- err = check_helper_mem_access(env, regno, +- fn->arg_size[arg], false, +- meta); ++ err = check_helper_mem_access(env, regno, fn->arg_size[arg], false, meta); ++ if (err) ++ return err; ++ if (arg_type & MEM_ALIGNED) ++ err = check_ptr_alignment(env, reg, 0, fn->arg_size[arg], true); + } + break; + case ARG_CONST_SIZE: +@@ -8678,17 +8658,6 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + if (err) + return err; + break; +- case ARG_PTR_TO_INT: +- case ARG_PTR_TO_LONG: +- { +- int size = int_ptr_type_to_size(arg_type); +- +- err = check_helper_mem_access(env, regno, size, false, meta); +- if (err) +- return err; +- err = check_ptr_alignment(env, reg, 0, size, true); +- break; +- } + case ARG_PTR_TO_CONST_STR: + { + struct bpf_map *map = reg->map_ptr; +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index cc29bf49f7159..37a19598d712e 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1220,7 +1220,8 @@ static const struct bpf_func_proto bpf_get_func_arg_proto = { + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, + .arg2_type = ARG_ANYTHING, +- .arg3_type = ARG_PTR_TO_LONG, ++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg3_size = sizeof(u64), + }; + + BPF_CALL_2(get_func_ret, void *, ctx, u64 *, value) +@@ -1236,7 +1237,8 @@ static const struct bpf_func_proto bpf_get_func_ret_proto = { + .func = get_func_ret, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, +- .arg2_type = ARG_PTR_TO_LONG, ++ .arg2_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg2_size = sizeof(u64), + }; + + BPF_CALL_1(get_func_arg_cnt, void *, ctx) +diff --git a/net/core/filter.c b/net/core/filter.c +index be313928d272c..ecde9111fc958 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6306,7 +6306,8 @@ static const struct bpf_func_proto bpf_skb_check_mtu_proto = { + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, + .arg2_type = ARG_ANYTHING, +- .arg3_type = ARG_PTR_TO_INT, ++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg3_size = sizeof(u32), + .arg4_type = ARG_ANYTHING, + .arg5_type = ARG_ANYTHING, + }; +@@ -6317,7 +6318,8 @@ static const struct bpf_func_proto bpf_xdp_check_mtu_proto = { + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, + .arg2_type = ARG_ANYTHING, +- .arg3_type = ARG_PTR_TO_INT, ++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, ++ .arg3_size = sizeof(u32), + .arg4_type = ARG_ANYTHING, + .arg5_type = ARG_ANYTHING, + }; +-- +2.43.0 + diff --git a/queue-6.6/bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch b/queue-6.6/bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch new file mode 100644 index 00000000000..09ecd44d357 --- /dev/null +++ b/queue-6.6/bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch @@ -0,0 +1,80 @@ +From a39447c47b2e9ef3bb343c83be7118307c0cdadb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 21:17:49 +0200 +Subject: bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types + +From: Daniel Borkmann + +[ Upstream commit 18752d73c1898fd001569195ba4b0b8c43255f4a ] + +When checking malformed helper function signatures, also take other argument +types into account aside from just ARG_PTR_TO_UNINIT_MEM. + +This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can +be passed there, too. + +The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier: +add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos +which had more than just one MEM_UNINIT-tagged type as arguments. + +The reason more than one is currently not supported is as we mark stack slots with +STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to +allow uninitialized stack memory to be passed to helpers when they just write into +the buffer. + +Probing for base type as well as MEM_UNINIT tagging ensures that other types do not +get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}). + +Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") +Reported-by: Shung-Hsi Yu +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Acked-by: Shung-Hsi Yu +Link: https://lore.kernel.org/r/20240913191754.13290-4-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f778a1b9e1cfd..834394faf2af3 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7987,6 +7987,12 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type) + type == ARG_CONST_SIZE_OR_ZERO; + } + ++static bool arg_type_is_raw_mem(enum bpf_arg_type type) ++{ ++ return base_type(type) == ARG_PTR_TO_MEM && ++ type & MEM_UNINIT; ++} ++ + static bool arg_type_is_release(enum bpf_arg_type type) + { + return type & OBJ_RELEASE; +@@ -9009,15 +9015,15 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn) + { + int count = 0; + +- if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) ++ if (arg_type_is_raw_mem(fn->arg1_type)) + count++; +- if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) ++ if (arg_type_is_raw_mem(fn->arg2_type)) + count++; +- if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) ++ if (arg_type_is_raw_mem(fn->arg3_type)) + count++; +- if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) ++ if (arg_type_is_raw_mem(fn->arg4_type)) + count++; +- if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) ++ if (arg_type_is_raw_mem(fn->arg5_type)) + count++; + + /* We only support one arg being in raw mode at the moment, +-- +2.43.0 + diff --git a/queue-6.6/bpf-temporarily-define-bpf_no_preseve_access_index-f.patch b/queue-6.6/bpf-temporarily-define-bpf_no_preseve_access_index-f.patch new file mode 100644 index 00000000000..4e94db4f861 --- /dev/null +++ b/queue-6.6/bpf-temporarily-define-bpf_no_preseve_access_index-f.patch @@ -0,0 +1,70 @@ +From a668f312e0722b178d4031fef62a3889a286377a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 11:50:11 +0200 +Subject: bpf: Temporarily define BPF_NO_PRESEVE_ACCESS_INDEX for GCC + +From: Jose E. Marchesi + +[ Upstream commit 675b4e24bc50f4600b6bf3527fdbaa1f73498334 ] + +The vmlinux.h file generated by bpftool makes use of compiler pragmas +in order to install the CO-RE preserve_access_index in all the struct +types derived from the BTF info: + + #ifndef __VMLINUX_H__ + #define __VMLINUX_H__ + + #ifndef BPF_NO_PRESERVE_ACCESS_INDEX + #pragma clang attribute push (__attribute__((preserve_access_index)), apply_t = record + #endif + + [... type definitions generated from kernel BTF ... ] + + #ifndef BPF_NO_PRESERVE_ACCESS_INDEX + #pragma clang attribute pop + #endif + +The `clang attribute push/pop' pragmas are specific to clang/llvm and +are not supported by GCC. + +At the moment the BTF dumping services in libbpf do not support +dicriminating between types dumped because they are directly referred +and types dumped because they are dependencies. A suitable API is +being worked now. See [1] and [2]. + +In the interim, this patch changes the selftests/bpf Makefile so it +passes -DBPF_NO_PRESERVE_ACCESS_INDEX to GCC when it builds the +selftests. This workaround is temporary, and may have an impact on +the results of the GCC-built tests. + +[1] https://lore.kernel.org/bpf/20240503111836.25275-1-jose.marchesi@oracle.com/T/#u +[2] https://lore.kernel.org/bpf/20240504205510.24785-1-jose.marchesi@oracle.com/T/#u + +Tested in bpf-next master. +No regressions. + +Signed-off-by: Jose E. Marchesi +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240507095011.15867-1-jose.marchesi@oracle.com +Stable-dep-of: 3ece93a4087b ("selftests/bpf: Fix wrong binary in Makefile log output") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index e0f499794f162..24b85060df779 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -412,7 +412,7 @@ endef + # Build BPF object using GCC + define GCC_BPF_BUILD_RULE + $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2) +- $(Q)$(BPF_GCC) $3 -Wno-attributes -O2 -c $1 -o $2 ++ $(Q)$(BPF_GCC) $3 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $1 -o $2 + endef + + SKEL_BLACKLIST := btf__% test_pinning_invalid.c test_sk_assign.c +-- +2.43.0 + diff --git a/queue-6.6/bpf-use-wno-error-in-certain-tests-when-building-wit.patch b/queue-6.6/bpf-use-wno-error-in-certain-tests-when-building-wit.patch new file mode 100644 index 00000000000..17e15f1d550 --- /dev/null +++ b/queue-6.6/bpf-use-wno-error-in-certain-tests-when-building-wit.patch @@ -0,0 +1,103 @@ +From bd5366d67aa5d67fda93b001e548d64da68927d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jan 2024 11:07:02 +0100 +Subject: bpf: Use -Wno-error in certain tests when building with GCC + +From: Jose E. Marchesi + +[ Upstream commit 646751d523587cfd7ebcf1733298ecd470879eda ] + +Certain BPF selftests contain code that, albeit being legal C, trigger +warnings in GCC that cannot be disabled. This is the case for example +for the tests + + progs/btf_dump_test_case_bitfields.c + progs/btf_dump_test_case_namespacing.c + progs/btf_dump_test_case_packing.c + progs/btf_dump_test_case_padding.c + progs/btf_dump_test_case_syntax.c + +which contain struct type declarations inside function parameter +lists. This is problematic, because: + +- The BPF selftests are built with -Werror. + +- The Clang and GCC compilers sometimes differ when it comes to handle + warnings. in the handling of warnings. One compiler may emit + warnings for code that the other compiles compiles silently, and one + compiler may offer the possibility to disable certain warnings, while + the other doesn't. + +In order to overcome this problem, this patch modifies the +tools/testing/selftests/bpf/Makefile in order to: + +1. Enable the possibility of specifing per-source-file extra CFLAGS. + This is done by defining a make variable like: + + -CFLAGS := + + And then modifying the proper Make rule in order to use these flags + when compiling . + +2. Use the mechanism above to add -Wno-error to CFLAGS for the + following selftests: + + progs/btf_dump_test_case_bitfields.c + progs/btf_dump_test_case_namespacing.c + progs/btf_dump_test_case_packing.c + progs/btf_dump_test_case_padding.c + progs/btf_dump_test_case_syntax.c + + Note the corresponding -CFLAGS variables for these files are + defined only if the selftests are being built with GCC. + +Note that, while compiler pragmas can generally be used to disable +particular warnings per file, this 1) is only possible for warning +that actually can be disabled in the command line, i.e. that have +-Wno-FOO options, and 2) doesn't apply to -Wno-error. + +Tested in bpf-next master branch. +No regressions. + +Signed-off-by: Jose E. Marchesi +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240127100702.21549-1-jose.marchesi@oracle.com +Stable-dep-of: 3ece93a4087b ("selftests/bpf: Fix wrong binary in Makefile log output") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 598cd118dfd65..397306f5cf911 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -56,6 +56,15 @@ TEST_INST_SUBDIRS := no_alu32 + ifneq ($(BPF_GCC),) + TEST_GEN_PROGS += test_progs-bpf_gcc + TEST_INST_SUBDIRS += bpf_gcc ++ ++# The following tests contain C code that, although technically legal, ++# triggers GCC warnings that cannot be disabled: declaration of ++# anonymous struct types in function parameter lists. ++progs/btf_dump_test_case_bitfields.c-CFLAGS := -Wno-error ++progs/btf_dump_test_case_namespacing.c-CFLAGS := -Wno-error ++progs/btf_dump_test_case_packing.c-CFLAGS := -Wno-error ++progs/btf_dump_test_case_padding.c-CFLAGS := -Wno-error ++progs/btf_dump_test_case_syntax.c-CFLAGS := -Wno-error + endif + + ifneq ($(CLANG_CPUV4),) +@@ -492,7 +501,8 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \ + $(wildcard $(BPFDIR)/*.bpf.h) \ + | $(TRUNNER_OUTPUT) $$(BPFOBJ) + $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \ +- $(TRUNNER_BPF_CFLAGS)) ++ $(TRUNNER_BPF_CFLAGS) \ ++ $$($$<-CFLAGS)) + + $(TRUNNER_BPF_SKELS): %.skel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT) + $$(call msg,GEN-SKEL,$(TRUNNER_BINARY),$$@) +-- +2.43.0 + diff --git a/queue-6.6/bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch b/queue-6.6/bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch new file mode 100644 index 00000000000..f55363aaaf1 --- /dev/null +++ b/queue-6.6/bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch @@ -0,0 +1,169 @@ +From 3bc63d2b8aff03dc462fa3c5a2c28ae8564c8675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 21:17:50 +0200 +Subject: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error + +From: Daniel Borkmann + +[ Upstream commit 4b3786a6c5397dc220b1483d8e2f4867743e966f ] + +For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input +arguments, zero the value for the case of an error as otherwise it could leak +memory. For tracing, it is not needed given CAP_PERFMON can already read all +kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped +in here. + +Also, the MTU helpers mtu_len pointer value is being written but also read. +Technically, the MEM_UNINIT should not be there in order to always force init. +Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now +implies two things actually: i) write into memory, ii) memory does not have +to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, +ii) memory must be initialized. This means that for bpf_*_check_mtu() we're +readding the issue we're trying to fix, that is, it would then be able to +write back into things like .rodata BPF maps. Follow-up work will rework the +MEM_UNINIT semantics such that the intent can be better expressed. For now +just clear the *mtu_len on error path which can be lifted later again. + +Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types") +Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers") +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/e5edd241-59e7-5e39-0ee5-a51e31b6840a@iogearbox.net +Link: https://lore.kernel.org/r/20240913191754.13290-5-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 2 ++ + kernel/bpf/syscall.c | 1 + + net/core/filter.c | 44 +++++++++++++++++++++++--------------------- + 3 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 10ad4bd5574af..3dba5bb294d8e 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -521,6 +521,7 @@ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags, + long long _res; + int err; + ++ *res = 0; + err = __bpf_strtoll(buf, buf_len, flags, &_res); + if (err < 0) + return err; +@@ -548,6 +549,7 @@ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags, + bool is_negative; + int err; + ++ *res = 0; + err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative); + if (err < 0) + return err; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index d7df95bcc848a..b1933d074f051 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -5647,6 +5647,7 @@ static const struct bpf_func_proto bpf_sys_close_proto = { + + BPF_CALL_4(bpf_kallsyms_lookup_name, const char *, name, int, name_sz, int, flags, u64 *, res) + { ++ *res = 0; + if (flags) + return -EINVAL; + +diff --git a/net/core/filter.c b/net/core/filter.c +index ecde9111fc958..8bfd46a070c16 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6222,20 +6222,25 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb, + int ret = BPF_MTU_CHK_RET_FRAG_NEEDED; + struct net_device *dev = skb->dev; + int skb_len, dev_len; +- int mtu; ++ int mtu = 0; + +- if (unlikely(flags & ~(BPF_MTU_CHK_SEGS))) +- return -EINVAL; ++ if (unlikely(flags & ~(BPF_MTU_CHK_SEGS))) { ++ ret = -EINVAL; ++ goto out; ++ } + +- if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len))) +- return -EINVAL; ++ if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len))) { ++ ret = -EINVAL; ++ goto out; ++ } + + dev = __dev_via_ifindex(dev, ifindex); +- if (unlikely(!dev)) +- return -ENODEV; ++ if (unlikely(!dev)) { ++ ret = -ENODEV; ++ goto out; ++ } + + mtu = READ_ONCE(dev->mtu); +- + dev_len = mtu + dev->hard_header_len; + + /* If set use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */ +@@ -6253,15 +6258,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb, + */ + if (skb_is_gso(skb)) { + ret = BPF_MTU_CHK_RET_SUCCESS; +- + if (flags & BPF_MTU_CHK_SEGS && + !skb_gso_validate_network_len(skb, mtu)) + ret = BPF_MTU_CHK_RET_SEGS_TOOBIG; + } + out: +- /* BPF verifier guarantees valid pointer */ + *mtu_len = mtu; +- + return ret; + } + +@@ -6271,19 +6273,21 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp, + struct net_device *dev = xdp->rxq->dev; + int xdp_len = xdp->data_end - xdp->data; + int ret = BPF_MTU_CHK_RET_SUCCESS; +- int mtu, dev_len; ++ int mtu = 0, dev_len; + + /* XDP variant doesn't support multi-buffer segment check (yet) */ +- if (unlikely(flags)) +- return -EINVAL; ++ if (unlikely(flags)) { ++ ret = -EINVAL; ++ goto out; ++ } + + dev = __dev_via_ifindex(dev, ifindex); +- if (unlikely(!dev)) +- return -ENODEV; ++ if (unlikely(!dev)) { ++ ret = -ENODEV; ++ goto out; ++ } + + mtu = READ_ONCE(dev->mtu); +- +- /* Add L2-header as dev MTU is L3 size */ + dev_len = mtu + dev->hard_header_len; + + /* Use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */ +@@ -6293,10 +6297,8 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp, + xdp_len += len_diff; /* minus result pass check */ + if (xdp_len > dev_len) + ret = BPF_MTU_CHK_RET_FRAG_NEEDED; +- +- /* BPF verifier guarantees valid pointer */ ++out: + *mtu_len = mtu; +- + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch b/queue-6.6/cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch new file mode 100644 index 00000000000..328abfbb030 --- /dev/null +++ b/queue-6.6/cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch @@ -0,0 +1,90 @@ +From 9e4b1383ba66eaf5105610a6857ecb9f71ad8ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 15:35:29 +0100 +Subject: cachefiles: Fix non-taking of sb_writers around set/removexattr + +From: David Howells + +[ Upstream commit 80887f31672970abae3aaa9cf62ac72a124e7c89 ] + +Unlike other vfs_xxxx() calls, vfs_setxattr() and vfs_removexattr() don't +take the sb_writers lock, so the caller should do it for them. + +Fix cachefiles to do this. + +Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") +Signed-off-by: David Howells +cc: Christian Brauner +cc: Gao Xiang +cc: netfs@lists.linux.dev +cc: linux-erofs@lists.ozlabs.org +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20240814203850.2240469-3-dhowells@redhat.com/ # v2 +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/cachefiles/xattr.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c +index 4dd8a993c60a8..7c6f260a3be56 100644 +--- a/fs/cachefiles/xattr.c ++++ b/fs/cachefiles/xattr.c +@@ -64,9 +64,15 @@ int cachefiles_set_object_xattr(struct cachefiles_object *object) + memcpy(buf->data, fscache_get_aux(object->cookie), len); + + ret = cachefiles_inject_write_error(); +- if (ret == 0) +- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache, +- buf, sizeof(struct cachefiles_xattr) + len, 0); ++ if (ret == 0) { ++ ret = mnt_want_write_file(file); ++ if (ret == 0) { ++ ret = vfs_setxattr(&nop_mnt_idmap, dentry, ++ cachefiles_xattr_cache, buf, ++ sizeof(struct cachefiles_xattr) + len, 0); ++ mnt_drop_write_file(file); ++ } ++ } + if (ret < 0) { + trace_cachefiles_vfs_error(object, file_inode(file), ret, + cachefiles_trace_setxattr_error); +@@ -151,8 +157,14 @@ int cachefiles_remove_object_xattr(struct cachefiles_cache *cache, + int ret; + + ret = cachefiles_inject_remove_error(); +- if (ret == 0) +- ret = vfs_removexattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache); ++ if (ret == 0) { ++ ret = mnt_want_write(cache->mnt); ++ if (ret == 0) { ++ ret = vfs_removexattr(&nop_mnt_idmap, dentry, ++ cachefiles_xattr_cache); ++ mnt_drop_write(cache->mnt); ++ } ++ } + if (ret < 0) { + trace_cachefiles_vfs_error(object, d_inode(dentry), ret, + cachefiles_trace_remxattr_error); +@@ -208,9 +220,15 @@ bool cachefiles_set_volume_xattr(struct cachefiles_volume *volume) + memcpy(buf->data, p, volume->vcookie->coherency_len); + + ret = cachefiles_inject_write_error(); +- if (ret == 0) +- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache, +- buf, len, 0); ++ if (ret == 0) { ++ ret = mnt_want_write(volume->cache->mnt); ++ if (ret == 0) { ++ ret = vfs_setxattr(&nop_mnt_idmap, dentry, ++ cachefiles_xattr_cache, ++ buf, len, 0); ++ mnt_drop_write(volume->cache->mnt); ++ } ++ } + if (ret < 0) { + trace_cachefiles_vfs_error(NULL, d_inode(dentry), ret, + cachefiles_trace_setxattr_error); +-- +2.43.0 + diff --git a/queue-6.6/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch b/queue-6.6/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch new file mode 100644 index 00000000000..0cf6f9a3317 --- /dev/null +++ b/queue-6.6/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch @@ -0,0 +1,99 @@ +From f41066b68bdf57a658ca1dcdf73b8e30701721e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 18:22:37 -0700 +Subject: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). + +From: Kuniyuki Iwashima + +[ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ] + +syzbot reported a warning in bcm_release(). [0] + +The blamed change fixed another warning that is triggered when +connect() is issued again for a socket whose connect()ed device has +been unregistered. + +However, if the socket is just close()d without the 2nd connect(), the +remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() +in bcm_release(). + +Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify(). + +[0] +name '4986' +WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 +Modules linked in: +CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 +Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07 +RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246 +RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a +R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640 +R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000 +FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + bcm_release+0x250/0x880 net/can/bcm.c:1578 + __sock_release net/socket.c:659 [inline] + sock_close+0xbc/0x240 net/socket.c:1421 + __fput+0x24a/0x8a0 fs/file_table.c:422 + task_work_run+0x24f/0x310 kernel/task_work.c:228 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0xa2f/0x27f0 kernel/exit.c:882 + do_group_exit+0x207/0x2c0 kernel/exit.c:1031 + __do_sys_exit_group kernel/exit.c:1042 [inline] + __se_sys_exit_group kernel/exit.c:1040 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040 + x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fcfb51ee969 +Code: Unable to access opcode bytes at 0x7fcfb51ee93f. +RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969 +RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 +RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000 +R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0 +R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160 + + +Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.") +Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e +Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/bcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 00208ee13e578..a1f5db0fd5d4f 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1429,8 +1429,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg, + /* remove device reference, if this is our bound device */ + if (bo->bound && bo->ifindex == dev->ifindex) { + #if IS_ENABLED(CONFIG_PROC_FS) +- if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) ++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) { + remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir); ++ bo->bcm_proc_read = NULL; ++ } + #endif + bo->bound = 0; + bo->ifindex = 0; +-- +2.43.0 + diff --git a/queue-6.6/can-j1939-use-correct-function-name-in-comment.patch b/queue-6.6/can-j1939-use-correct-function-name-in-comment.patch new file mode 100644 index 00000000000..2d91c400938 --- /dev/null +++ b/queue-6.6/can-j1939-use-correct-function-name-in-comment.patch @@ -0,0 +1,44 @@ +From 058c9bb93d92fdfe8f7dfad23d7fd59d46f32876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 20:48:23 +0800 +Subject: can: j1939: use correct function name in comment + +From: Zhang Changzhong + +[ Upstream commit dc2ddcd136fe9b6196a7dd01f75f824beb02d43f ] + +The function j1939_cancel_all_active_sessions() was renamed to +j1939_cancel_active_session() but name in comment wasn't updated. + +Signed-off-by: Zhang Changzhong +Acked-by: Oleksij Rempel +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://patch.msgid.link/1724935703-44621-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 4be73de5033cb..319f47df33300 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1179,10 +1179,10 @@ static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer) + break; + case -ENETDOWN: + /* In this case we should get a netdev_event(), all active +- * sessions will be cleared by +- * j1939_cancel_all_active_sessions(). So handle this as an +- * error, but let j1939_cancel_all_active_sessions() do the +- * cleanup including propagation of the error to user space. ++ * sessions will be cleared by j1939_cancel_active_session(). ++ * So handle this as an error, but let ++ * j1939_cancel_active_session() do the cleanup including ++ * propagation of the error to user space. + */ + break; + case -EOVERFLOW: +-- +2.43.0 + diff --git a/queue-6.6/can-m_can-enable-napi-before-enabling-interrupts.patch b/queue-6.6/can-m_can-enable-napi-before-enabling-interrupts.patch new file mode 100644 index 00000000000..a317caca8b3 --- /dev/null +++ b/queue-6.6/can-m_can-enable-napi-before-enabling-interrupts.patch @@ -0,0 +1,102 @@ +From 3f18f6c960ca8eda622ce1c4c62e298cf56f49c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 23:19:51 +0000 +Subject: can: m_can: enable NAPI before enabling interrupts + +From: Jake Hamby + +[ Upstream commit 801ad2f87b0c6d0c34a75a4efd6bfd3a2d9f9298 ] + +If an interrupt (RX-complete or error flag) is set when bringing up +the CAN device, e.g. due to CAN bus traffic before initializing the +device, when m_can_start() is called and interrupts are enabled, +m_can_isr() is called immediately, which disables all CAN interrupts +and calls napi_schedule(). + +Because napi_enable() isn't called until later in m_can_open(), the +call to napi_schedule() never schedules the m_can_poll() callback and +the device is left with interrupts disabled and can't receive any CAN +packets until rebooted. + +This can be verified by running "cansend" from another device before +setting the bitrate and calling "ip link set up can0" on the test +device. Adding debug lines to m_can_isr() shows it's called with flags +(IR_EP | IR_EW | IR_CRCE), which calls m_can_disable_all_interrupts() +and napi_schedule(), and then m_can_poll() is never called. + +Move the call to napi_enable() above the call to m_can_start() to +enable any initial interrupt flags to be handled by m_can_poll() so +that interrupts are reenabled. Add a call to napi_disable() in the +error handling section of m_can_open(), to handle the case where later +functions return errors. + +Also, in m_can_close(), move the call to napi_disable() below the call +to m_can_stop() to ensure all interrupts are handled when bringing +down the device. This race condition is much less likely to occur. + +Tested on a Microchip SAMA7G54 MPU. The fix should be applicable to +any SoC with a Bosch M_CAN controller. + +Signed-off-by: Jake Hamby +Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") +Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-1-6c1720ba45ce@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index fb77fd74de27f..66221fdf785f8 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1599,9 +1599,6 @@ static int m_can_close(struct net_device *dev) + + netif_stop_queue(dev); + +- if (!cdev->is_peripheral) +- napi_disable(&cdev->napi); +- + m_can_stop(dev); + m_can_clk_stop(cdev); + free_irq(dev->irq, dev); +@@ -1611,6 +1608,8 @@ static int m_can_close(struct net_device *dev) + destroy_workqueue(cdev->tx_wq); + cdev->tx_wq = NULL; + can_rx_offload_disable(&cdev->offload); ++ } else { ++ napi_disable(&cdev->napi); + } + + close_candev(dev); +@@ -1842,6 +1841,8 @@ static int m_can_open(struct net_device *dev) + + if (cdev->is_peripheral) + can_rx_offload_enable(&cdev->offload); ++ else ++ napi_enable(&cdev->napi); + + /* register interrupt handler */ + if (cdev->is_peripheral) { +@@ -1873,9 +1874,6 @@ static int m_can_open(struct net_device *dev) + if (err) + goto exit_start_fail; + +- if (!cdev->is_peripheral) +- napi_enable(&cdev->napi); +- + netif_start_queue(dev); + + return 0; +@@ -1889,6 +1887,8 @@ static int m_can_open(struct net_device *dev) + out_wq_fail: + if (cdev->is_peripheral) + can_rx_offload_disable(&cdev->offload); ++ else ++ napi_disable(&cdev->napi); + close_candev(dev); + exit_disable_clks: + m_can_clk_stop(cdev); +-- +2.43.0 + diff --git a/queue-6.6/can-m_can-m_can_close-stop-clocks-after-device-has-b.patch b/queue-6.6/can-m_can-m_can_close-stop-clocks-after-device-has-b.patch new file mode 100644 index 00000000000..f6519c67f5a --- /dev/null +++ b/queue-6.6/can-m_can-m_can_close-stop-clocks-after-device-has-b.patch @@ -0,0 +1,50 @@ +From bd3e370187017f258d10b978587d652ca5d89f30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 15:07:41 +0200 +Subject: can: m_can: m_can_close(): stop clocks after device has been shut + down + +From: Marc Kleine-Budde + +[ Upstream commit 2c09b50efcad985cf920ca88baa9aa52b1999dcc ] + +After calling m_can_stop() an interrupt may be pending or NAPI might +still be executed. This means the driver might still touch registers +of the IP core after the clocks have been disabled. This is not good +practice and might lead to aborts depending on the SoC integration. + +To avoid these potential problems, make m_can_close() symmetric to +m_can_open(), i.e. stop the clocks at the end, right before shutting +down the transceiver. + +Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") +Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-2-6c1720ba45ce@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 66221fdf785f8..97666a7595959 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1600,7 +1600,6 @@ static int m_can_close(struct net_device *dev) + netif_stop_queue(dev); + + m_can_stop(dev); +- m_can_clk_stop(cdev); + free_irq(dev->irq, dev); + + if (cdev->is_peripheral) { +@@ -1614,6 +1613,7 @@ static int m_can_close(struct net_device *dev) + + close_candev(dev); + ++ m_can_clk_stop(cdev); + phy_power_off(cdev->transceiver); + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch b/queue-6.6/clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch new file mode 100644 index 00000000000..3a6c9e673ee --- /dev/null +++ b/queue-6.6/clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch @@ -0,0 +1,58 @@ +From ea11e8f4772c2dadd4fd9de8756e12041f876b82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jul 2024 17:13:15 +0300 +Subject: clk: at91: sama7g5: Allocate only the needed amount of memory for + PLLs + +From: Claudiu Beznea + +[ Upstream commit 2d6e9ee7cb3e79b1713783c633b13af9aeffc90c ] + +The maximum number of PLL components on SAMA7G5 is 3 (one fractional +part and 2 dividers). Allocate the needed amount of memory for +sama7g5_plls 2d array. Previous code used to allocate 7 array entries for +each PLL. While at it, replace 3 with PLL_COMPID_MAX in the loop which +parses the sama7g5_plls 2d array. + +Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5") +Acked-by: Stephen Boyd +Link: https://lore.kernel.org/r/20240714141315.19480-1-claudiu.beznea@tuxon.dev +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/sama7g5.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/at91/sama7g5.c b/drivers/clk/at91/sama7g5.c +index 91b5c6f148196..4e9594714b142 100644 +--- a/drivers/clk/at91/sama7g5.c ++++ b/drivers/clk/at91/sama7g5.c +@@ -66,6 +66,7 @@ enum pll_component_id { + PLL_COMPID_FRAC, + PLL_COMPID_DIV0, + PLL_COMPID_DIV1, ++ PLL_COMPID_MAX, + }; + + /* +@@ -165,7 +166,7 @@ static struct sama7g5_pll { + u8 t; + u8 eid; + u8 safe_div; +-} sama7g5_plls[][PLL_ID_MAX] = { ++} sama7g5_plls[][PLL_COMPID_MAX] = { + [PLL_ID_CPU] = { + [PLL_COMPID_FRAC] = { + .n = "cpupll_fracck", +@@ -1038,7 +1039,7 @@ static void __init sama7g5_pmc_setup(struct device_node *np) + sama7g5_pmc->chws[PMC_MAIN] = hw; + + for (i = 0; i < PLL_ID_MAX; i++) { +- for (j = 0; j < 3; j++) { ++ for (j = 0; j < PLL_COMPID_MAX; j++) { + struct clk_hw *parent_hw; + + if (!sama7g5_plls[i][j].n) +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch b/queue-6.6/clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch new file mode 100644 index 00000000000..876c9d82dcc --- /dev/null +++ b/queue-6.6/clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch @@ -0,0 +1,65 @@ +From 8f216d12001e78d04587594aed6f14b093e5c994 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 15:42:03 +0800 +Subject: clk: imx: clk-audiomix: Correct parent clock for earc_phy and audpll + +From: Shengjiu Wang + +[ Upstream commit d40371a1c963db688b37826adaf5ffdafb0862a1 ] + +According to Reference Manual of i.MX8MP +The parent clock of "earc_phy" is "sai_pll_out_div2", +The parent clock of "audpll" is "osc_24m". + +Add CLK_GATE_PARENT() macro for usage of specifying parent clock. + +Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control") +Signed-off-by: Shengjiu Wang +Reviewed-by: Peng Fan +Link: https://lore.kernel.org/r/1718350923-21392-6-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp-audiomix.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp-audiomix.c b/drivers/clk/imx/clk-imx8mp-audiomix.c +index 55ed211a5e0b1..ab2a028b3027d 100644 +--- a/drivers/clk/imx/clk-imx8mp-audiomix.c ++++ b/drivers/clk/imx/clk-imx8mp-audiomix.c +@@ -146,6 +146,15 @@ static const struct clk_parent_data clk_imx8mp_audiomix_pll_bypass_sels[] = { + PDM_SEL, 2, 0 \ + } + ++#define CLK_GATE_PARENT(gname, cname, pname) \ ++ { \ ++ gname"_cg", \ ++ IMX8MP_CLK_AUDIOMIX_##cname, \ ++ { .fw_name = pname, .name = pname }, NULL, 1, \ ++ CLKEN0 + 4 * !!(IMX8MP_CLK_AUDIOMIX_##cname / 32), \ ++ 1, IMX8MP_CLK_AUDIOMIX_##cname % 32 \ ++ } ++ + struct clk_imx8mp_audiomix_sel { + const char *name; + int clkid; +@@ -163,14 +172,14 @@ static struct clk_imx8mp_audiomix_sel sels[] = { + CLK_GATE("earc", EARC_IPG), + CLK_GATE("ocrama", OCRAMA_IPG), + CLK_GATE("aud2htx", AUD2HTX_IPG), +- CLK_GATE("earc_phy", EARC_PHY), ++ CLK_GATE_PARENT("earc_phy", EARC_PHY, "sai_pll_out_div2"), + CLK_GATE("sdma2", SDMA2_ROOT), + CLK_GATE("sdma3", SDMA3_ROOT), + CLK_GATE("spba2", SPBA2_ROOT), + CLK_GATE("dsp", DSP_ROOT), + CLK_GATE("dspdbg", DSPDBG_ROOT), + CLK_GATE("edma", EDMA_ROOT), +- CLK_GATE("audpll", AUDPLL_ROOT), ++ CLK_GATE_PARENT("audpll", AUDPLL_ROOT, "osc_24m"), + CLK_GATE("mu2", MU2_ROOT), + CLK_GATE("mu3", MU3_ROOT), + CLK_PDM, +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-composite-7ulp-check-the-pcc-present-bit.patch b/queue-6.6/clk-imx-composite-7ulp-check-the-pcc-present-bit.patch new file mode 100644 index 00000000000..8b12d81957c --- /dev/null +++ b/queue-6.6/clk-imx-composite-7ulp-check-the-pcc-present-bit.patch @@ -0,0 +1,52 @@ +From 8e31b73597a5cc7069ea9a570969a61e74dbed38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:35 +0800 +Subject: clk: imx: composite-7ulp: Check the PCC present bit + +From: Ye Li + +[ Upstream commit 4717ccadb51e2630790dddd222830702de17f090 ] + +When some module is disabled by fuse, its PCC PR bit is default 0 and +PCC is not operational. Any write to this PCC will cause SError. + +Fixes: b40ba8065347 ("clk: imx: Update the compsite driver to support imx8ulp") +Reviewed-by: Peng Fan +Signed-off-by: Ye Li +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-4-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-composite-7ulp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/clk/imx/clk-composite-7ulp.c b/drivers/clk/imx/clk-composite-7ulp.c +index e208ddc511339..db7f40b07d1ab 100644 +--- a/drivers/clk/imx/clk-composite-7ulp.c ++++ b/drivers/clk/imx/clk-composite-7ulp.c +@@ -14,6 +14,7 @@ + #include "../clk-fractional-divider.h" + #include "clk.h" + ++#define PCG_PR_MASK BIT(31) + #define PCG_PCS_SHIFT 24 + #define PCG_PCS_MASK 0x7 + #define PCG_CGC_SHIFT 30 +@@ -78,6 +79,12 @@ static struct clk_hw *imx_ulp_clk_hw_composite(const char *name, + struct clk_hw *hw; + u32 val; + ++ val = readl(reg); ++ if (!(val & PCG_PR_MASK)) { ++ pr_info("PCC PR is 0 for clk:%s, bypass\n", name); ++ return 0; ++ } ++ + if (mux_present) { + mux = kzalloc(sizeof(*mux), GFP_KERNEL); + if (!mux) +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch b/queue-6.6/clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch new file mode 100644 index 00000000000..8c915a893fc --- /dev/null +++ b/queue-6.6/clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch @@ -0,0 +1,113 @@ +From f27f297ea64300007f4e225d104ee4fc28796deb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:33 +0800 +Subject: clk: imx: composite-8m: Enable gate clk with mcore_booted + +From: Peng Fan + +[ Upstream commit 8f32e9dd0916eb3fd4bcf550ed1d04542a65cb9e ] + +Bootloader might disable some CCM ROOT Slices. So if mcore_booted set with +display CCM ROOT disabled by Bootloader, kernel display BLK CTRL driver +imx8m_blk_ctrl_driver_init may hang the system because the BUS clk is +disabled. + +Add back gate ops, but with disable doing nothing, then the CCM ROOT +will be enabled when used. + +Fixes: bb7e897b002a ("clk: imx8m: check mcore_booted before register clk") +Reviewed-by: Ye Li +Reviewed-by: Jacky Bai +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-2-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-composite-8m.c | 53 +++++++++++++++++++++++------- + 1 file changed, 42 insertions(+), 11 deletions(-) + +diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c +index eb5392f7a2574..ac5e9d60acb83 100644 +--- a/drivers/clk/imx/clk-composite-8m.c ++++ b/drivers/clk/imx/clk-composite-8m.c +@@ -204,6 +204,34 @@ static const struct clk_ops imx8m_clk_composite_mux_ops = { + .determine_rate = imx8m_clk_composite_mux_determine_rate, + }; + ++static int imx8m_clk_composite_gate_enable(struct clk_hw *hw) ++{ ++ struct clk_gate *gate = to_clk_gate(hw); ++ unsigned long flags; ++ u32 val; ++ ++ spin_lock_irqsave(gate->lock, flags); ++ ++ val = readl(gate->reg); ++ val |= BIT(gate->bit_idx); ++ writel(val, gate->reg); ++ ++ spin_unlock_irqrestore(gate->lock, flags); ++ ++ return 0; ++} ++ ++static void imx8m_clk_composite_gate_disable(struct clk_hw *hw) ++{ ++ /* composite clk requires the disable hook */ ++} ++ ++static const struct clk_ops imx8m_clk_composite_gate_ops = { ++ .enable = imx8m_clk_composite_gate_enable, ++ .disable = imx8m_clk_composite_gate_disable, ++ .is_enabled = clk_gate_is_enabled, ++}; ++ + struct clk_hw *__imx8m_clk_hw_composite(const char *name, + const char * const *parent_names, + int num_parents, void __iomem *reg, +@@ -217,6 +245,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + struct clk_mux *mux = NULL; + const struct clk_ops *divider_ops; + const struct clk_ops *mux_ops; ++ const struct clk_ops *gate_ops; + + mux = kzalloc(sizeof(*mux), GFP_KERNEL); + if (!mux) +@@ -257,20 +286,22 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + div->flags = CLK_DIVIDER_ROUND_CLOSEST; + + /* skip registering the gate ops if M4 is enabled */ +- if (!mcore_booted) { +- gate = kzalloc(sizeof(*gate), GFP_KERNEL); +- if (!gate) +- goto free_div; +- +- gate_hw = &gate->hw; +- gate->reg = reg; +- gate->bit_idx = PCG_CGC_SHIFT; +- gate->lock = &imx_ccm_lock; +- } ++ gate = kzalloc(sizeof(*gate), GFP_KERNEL); ++ if (!gate) ++ goto free_div; ++ ++ gate_hw = &gate->hw; ++ gate->reg = reg; ++ gate->bit_idx = PCG_CGC_SHIFT; ++ gate->lock = &imx_ccm_lock; ++ if (!mcore_booted) ++ gate_ops = &clk_gate_ops; ++ else ++ gate_ops = &imx8m_clk_composite_gate_ops; + + hw = clk_hw_register_composite(NULL, name, parent_names, num_parents, + mux_hw, mux_ops, div_hw, +- divider_ops, gate_hw, &clk_gate_ops, flags); ++ divider_ops, gate_hw, gate_ops, flags); + if (IS_ERR(hw)) + goto free_gate; + +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-composite-8m-less-function-calls-in-__imx8m_.patch b/queue-6.6/clk-imx-composite-8m-less-function-calls-in-__imx8m_.patch new file mode 100644 index 00000000000..eab8865f40f --- /dev/null +++ b/queue-6.6/clk-imx-composite-8m-less-function-calls-in-__imx8m_.patch @@ -0,0 +1,81 @@ +From baacdc08e55877eb14ea768d41850b19e51f323a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 16:48:24 +0100 +Subject: clk: imx: composite-8m: Less function calls in + __imx8m_clk_hw_composite() after error detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit fed6bf52c86df27ad4f39a72cdad8c27da9a50ba ] + +The function “kfree” was called in up to three cases +by the function “__imx8m_clk_hw_composite” during error handling +even if the passed variables contained a null pointer. + +Adjust jump targets according to the Linux coding style convention. + +Signed-off-by: Markus Elfring +Reviewed-by: Peng Fan +Link: https://lore.kernel.org/r/147ca1e6-69f3-4586-b5b3-b69f9574a862@web.de +Signed-off-by: Abel Vesa +Stable-dep-of: 8f32e9dd0916 ("clk: imx: composite-8m: Enable gate clk with mcore_booted") +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-composite-8m.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c +index 27a08c50ac1d8..eb5392f7a2574 100644 +--- a/drivers/clk/imx/clk-composite-8m.c ++++ b/drivers/clk/imx/clk-composite-8m.c +@@ -220,7 +220,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + + mux = kzalloc(sizeof(*mux), GFP_KERNEL); + if (!mux) +- goto fail; ++ return ERR_CAST(hw); + + mux_hw = &mux->hw; + mux->reg = reg; +@@ -230,7 +230,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + + div = kzalloc(sizeof(*div), GFP_KERNEL); + if (!div) +- goto fail; ++ goto free_mux; + + div_hw = &div->hw; + div->reg = reg; +@@ -260,7 +260,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + if (!mcore_booted) { + gate = kzalloc(sizeof(*gate), GFP_KERNEL); + if (!gate) +- goto fail; ++ goto free_div; + + gate_hw = &gate->hw; + gate->reg = reg; +@@ -272,13 +272,15 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name, + mux_hw, mux_ops, div_hw, + divider_ops, gate_hw, &clk_gate_ops, flags); + if (IS_ERR(hw)) +- goto fail; ++ goto free_gate; + + return hw; + +-fail: ++free_gate: + kfree(gate); ++free_div: + kfree(div); ++free_mux: + kfree(mux); + return ERR_CAST(hw); + } +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch b/queue-6.6/clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch new file mode 100644 index 00000000000..ed3db10586e --- /dev/null +++ b/queue-6.6/clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch @@ -0,0 +1,72 @@ +From dca2e7fae1062f604286f1544247dc0599ba71b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:34 +0800 +Subject: clk: imx: composite-93: keep root clock on when mcore enabled + +From: Jacky Bai + +[ Upstream commit d342df11726bfac9c3a9d2037afa508ac0e9e44e ] + +Previously we assumed that the root clock slice is enabled +by default when kernel boot up. But the bootloader may disable +the clocks before jump into kernel. The gate ops should be registered +rather than NULL to make sure the disabled clock can be enabled +when kernel boot up. Refine the code to skip disable the clock +if mcore booted. + +Fixes: a740d7350ff7 ("clk: imx: imx93: add mcore_booted module paratemter") +Signed-off-by: Jacky Bai +Reviewed-by: Peng Fan +Tested-by: Chancel Liu +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-3-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-composite-93.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/imx/clk-composite-93.c b/drivers/clk/imx/clk-composite-93.c +index 81164bdcd6cc9..6c6c5a30f3282 100644 +--- a/drivers/clk/imx/clk-composite-93.c ++++ b/drivers/clk/imx/clk-composite-93.c +@@ -76,6 +76,13 @@ static int imx93_clk_composite_gate_enable(struct clk_hw *hw) + + static void imx93_clk_composite_gate_disable(struct clk_hw *hw) + { ++ /* ++ * Skip disable the root clock gate if mcore enabled. ++ * The root clock may be used by the mcore. ++ */ ++ if (mcore_booted) ++ return; ++ + imx93_clk_composite_gate_endisable(hw, 0); + } + +@@ -222,7 +229,7 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p + hw = clk_hw_register_composite(NULL, name, parent_names, num_parents, + mux_hw, &clk_mux_ro_ops, div_hw, + &clk_divider_ro_ops, NULL, NULL, flags); +- } else if (!mcore_booted) { ++ } else { + gate = kzalloc(sizeof(*gate), GFP_KERNEL); + if (!gate) + goto fail; +@@ -238,12 +245,6 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p + &imx93_clk_composite_divider_ops, gate_hw, + &imx93_clk_composite_gate_ops, + flags | CLK_SET_RATE_NO_REPARENT); +- } else { +- hw = clk_hw_register_composite(NULL, name, parent_names, num_parents, +- mux_hw, &imx93_clk_composite_mux_ops, div_hw, +- &imx93_clk_composite_divider_ops, NULL, +- &imx93_clk_composite_gate_ops, +- flags | CLK_SET_RATE_NO_REPARENT); + } + + if (IS_ERR(hw)) +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch b/queue-6.6/clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch new file mode 100644 index 00000000000..2a56a9f373b --- /dev/null +++ b/queue-6.6/clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch @@ -0,0 +1,43 @@ +From 44689e403701cdf9e9cb61e2c19f8b29a55df4b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:36 +0800 +Subject: clk: imx: fracn-gppll: fix fractional part of PLL getting lost + +From: Pengfei Li + +[ Upstream commit 7622f888fca125ae46f695edf918798ebc0506c5 ] + +Fractional part of PLL gets lost after re-enabling the PLL. the +MFN can NOT be automatically loaded when doing frac PLL enable/disable, +So when re-enable PLL, configure mfn explicitly. + +Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll") +Signed-off-by: Pengfei Li +Reviewed-by: Jacky Bai +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-5-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-fracn-gppll.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/imx/clk-fracn-gppll.c b/drivers/clk/imx/clk-fracn-gppll.c +index 44462ab50e513..1becba2b62d0b 100644 +--- a/drivers/clk/imx/clk-fracn-gppll.c ++++ b/drivers/clk/imx/clk-fracn-gppll.c +@@ -291,6 +291,10 @@ static int clk_fracn_gppll_prepare(struct clk_hw *hw) + if (val & POWERUP_MASK) + return 0; + ++ if (pll->flags & CLK_FRACN_GPPLL_FRACN) ++ writel_relaxed(readl_relaxed(pll->base + PLL_NUMERATOR), ++ pll->base + PLL_NUMERATOR); ++ + val |= CLKMUX_BYPASS; + writel_relaxed(val, pll->base + PLL_CTRL); + +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch b/queue-6.6/clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch new file mode 100644 index 00000000000..7a9c83c61eb --- /dev/null +++ b/queue-6.6/clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch @@ -0,0 +1,52 @@ +From e101712084e220afa3f967e7af44f907c33e8231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 17:14:33 +0200 +Subject: clk: imx: imx6ul: fix default parent for enet*_ref_sel + +From: Sebastien Laveze + +[ Upstream commit e52fd71333b4ed78fd5bb43094bdc46476614d25 ] + +The clk_set_parent for "enet1_ref_sel" and "enet2_ref_sel" are +incorrect, therefore the original requirements to have "enet_clk_ref" as +output sourced by iMX ENET PLL as a default config is not met. + +Only "enet[1,2]_ref_125m" "enet[1,2]_ref_pad" are possible parents for +"enet1_ref_sel" and "enet2_ref_sel". + +This was observed as a regression using a custom device tree which was +expecting this default config. + +This can be fixed at the device tree level but having a default config +matching the original behavior (before refclock mux) will avoid breaking +existing configs. + +Fixes: 4e197ee880c2 ("clk: imx6ul: add ethernet refclock mux support") +Link: https://lore.kernel.org/lkml/20230306020226.GC143566@dragon/T/ +Signed-off-by: Sebastien Laveze +Reviewed-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20240528151434.227602-1-slaveze@smartandconnective.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx6ul.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx6ul.c b/drivers/clk/imx/clk-imx6ul.c +index f9394e94f69d7..05c7a82b751f3 100644 +--- a/drivers/clk/imx/clk-imx6ul.c ++++ b/drivers/clk/imx/clk-imx6ul.c +@@ -542,8 +542,8 @@ static void __init imx6ul_clocks_init(struct device_node *ccm_node) + + clk_set_parent(hws[IMX6UL_CLK_ENFC_SEL]->clk, hws[IMX6UL_CLK_PLL2_PFD2]->clk); + +- clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET_REF]->clk); +- clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF]->clk); ++ clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET1_REF_125M]->clk); ++ clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF_125M]->clk); + + imx_register_uart_clocks(); + } +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch b/queue-6.6/clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch new file mode 100644 index 00000000000..4a6132f8816 --- /dev/null +++ b/queue-6.6/clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch @@ -0,0 +1,61 @@ +From 7fd8164c31877f54f8b37193bbf91250fa327de8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:38 +0800 +Subject: clk: imx: imx8mp: fix clock tree update of TF-A managed clocks + +From: Zhipeng Wang + +[ Upstream commit 3d29036853b9cb07ac49e8261fca82a940be5c41 ] + +On the i.MX8M*, the TF-A exposes a SiP (Silicon Provider) service +for DDR frequency scaling. The imx8m-ddrc-devfreq driver calls the +SiP and then does clk_set_parent on the DDR muxes to synchronize +the clock tree. + +since commit 936c383673b9 ("clk: imx: fix composite peripheral flags"), +these TF-A managed muxes have SET_PARENT_GATE set, which results +in imx8m-ddrc-devfreq's clk_set_parent after SiP failing with -EBUSY: + +clk_set_parent(dram_apb_src, sys1_pll_40m);(busfreq-imx8mq.c) + +commit 926bf91248dd +("clk: imx8m: fix clock tree update of TF-A managed clocks") adds this +method and enables 8mm, 8mn and 8mq. i.MX8MP also needs it. + +This is safe to do, because updating the Linux clock tree to reflect +reality will always be glitch-free. + +Another reason to this patch is that powersave image BT music +requires dram to be 400MTS, so clk_set_parent(dram_alt_src, +sys1_pll_800m); is required. Without this patch, it will not succeed. + +Fixes: 936c383673b9 ("clk: imx: fix composite peripheral flags") +Signed-off-by: Zhipeng Wang +Reviewed-by: Ahmad Fatoum +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-7-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index 670aa2bab3017..e561ff7b135fb 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -551,8 +551,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + + hws[IMX8MP_CLK_IPG_ROOT] = imx_clk_hw_divider2("ipg_root", "ahb_root", ccm_base + 0x9080, 0, 1); + +- hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000); +- hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080); ++ hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_fw_managed_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000); ++ hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_fw_managed_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080); + hws[IMX8MP_CLK_VPU_G1] = imx8m_clk_hw_composite("vpu_g1", imx8mp_vpu_g1_sels, ccm_base + 0xa100); + hws[IMX8MP_CLK_VPU_G2] = imx8m_clk_hw_composite("vpu_g2", imx8mp_vpu_g2_sels, ccm_base + 0xa180); + hws[IMX8MP_CLK_CAN1] = imx8m_clk_hw_composite("can1", imx8mp_can1_sels, ccm_base + 0xa200); +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch b/queue-6.6/clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch new file mode 100644 index 00000000000..acb2737ccd4 --- /dev/null +++ b/queue-6.6/clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch @@ -0,0 +1,57 @@ +From 34feec71aec55e0e60691150d2497556be3fcade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:46 +0800 +Subject: clk: imx: imx8qxp: Parent should be initialized earlier than the + clock + +From: Peng Fan + +[ Upstream commit 766c386c16c9899461b83573a06380d364c6e261 ] + +The initialization order of SCU clocks affects the sequence of SCU clock +resume. If there are no other effects, the earlier the initialization, +the earlier the resume. During SCU clock resume, the clock rate is +restored. As SCFW guidelines, configure the parent clock rate before +configuring the child rate. + +Fixes: babfaa9556d7 ("clk: imx: scu: add more scu clocks") +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-15-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8qxp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c +index bc75e37d818d5..6d458995f3887 100644 +--- a/drivers/clk/imx/clk-imx8qxp.c ++++ b/drivers/clk/imx/clk-imx8qxp.c +@@ -165,8 +165,8 @@ static int imx8qxp_clk_probe(struct platform_device *pdev) + imx_clk_scu("pwm_clk", IMX_SC_R_LCD_0_PWM_0, IMX_SC_PM_CLK_PER); + imx_clk_scu("elcdif_pll", IMX_SC_R_ELCDIF_PLL, IMX_SC_PM_CLK_PLL); + imx_clk_scu2("lcd_clk", lcd_sels, ARRAY_SIZE(lcd_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_PER); +- imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0); + imx_clk_scu("lcd_pxl_bypass_div_clk", IMX_SC_R_LCD_0, IMX_SC_PM_CLK_BYPASS); ++ imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0); + + /* Audio SS */ + imx_clk_scu("audio_pll0_clk", IMX_SC_R_AUDIO_PLL_0, IMX_SC_PM_CLK_PLL); +@@ -206,11 +206,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev) + imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1); + imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS); + +- imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0); +- imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1); + imx_clk_scu("dc1_pll0_clk", IMX_SC_R_DC_1_PLL_0, IMX_SC_PM_CLK_PLL); + imx_clk_scu("dc1_pll1_clk", IMX_SC_R_DC_1_PLL_1, IMX_SC_PM_CLK_PLL); + imx_clk_scu("dc1_bypass0_clk", IMX_SC_R_DC_1_VIDEO0, IMX_SC_PM_CLK_BYPASS); ++ imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0); ++ imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1); + imx_clk_scu("dc1_bypass1_clk", IMX_SC_R_DC_1_VIDEO1, IMX_SC_PM_CLK_BYPASS); + + /* MIPI-LVDS SS */ +-- +2.43.0 + diff --git a/queue-6.6/clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch b/queue-6.6/clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch new file mode 100644 index 00000000000..ba151478993 --- /dev/null +++ b/queue-6.6/clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch @@ -0,0 +1,46 @@ +From 7dde5314b12e80972853fb40f029a54998568da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:45 +0800 +Subject: clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk + +From: Peng Fan + +[ Upstream commit e61352d5ecdc0da2e7253121c15d9a3e040f78a1 ] + +The initialization order of SCU clocks affects the sequence of SCU clock +resume. If there are no other effects, the earlier the initialization, +the earlier the resume. During SCU clock resume, the clock rate is +restored. As SCFW guidelines, configure the parent clock rate before +configuring the child rate. + +Fixes: 91e916771de0 ("clk: imx: scu: remove legacy scu clock binding support") +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-14-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8qxp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c +index 245761e018973..bc75e37d818d5 100644 +--- a/drivers/clk/imx/clk-imx8qxp.c ++++ b/drivers/clk/imx/clk-imx8qxp.c +@@ -199,11 +199,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev) + imx_clk_scu("usb3_lpm_div", IMX_SC_R_USB_2, IMX_SC_PM_CLK_MISC); + + /* Display controller SS */ +- imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0); +- imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1); + imx_clk_scu("dc0_pll0_clk", IMX_SC_R_DC_0_PLL_0, IMX_SC_PM_CLK_PLL); + imx_clk_scu("dc0_pll1_clk", IMX_SC_R_DC_0_PLL_1, IMX_SC_PM_CLK_PLL); + imx_clk_scu("dc0_bypass0_clk", IMX_SC_R_DC_0_VIDEO0, IMX_SC_PM_CLK_BYPASS); ++ imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0); ++ imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1); + imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS); + + imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0); +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch b/queue-6.6/clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch new file mode 100644 index 00000000000..534c2cd33c7 --- /dev/null +++ b/queue-6.6/clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch @@ -0,0 +1,124 @@ +From 63c45cdc763cf75d905d0b8d587266f68493343b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Aug 2024 08:40:06 +0300 +Subject: clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL + +From: Dmitry Baryshkov + +[ Upstream commit 362be5cbaec2a663eb86b7105313368b4a71fc1e ] + +According to msm-5.10 the lucid 5lpe PLLs have require slightly +different configuration that trion / lucid PLLs, it doesn't set +PLL_UPDATE_BYPASS bit. Add corresponding function and use it for the +display clock controller on Qualcomm SM8350 platform. + +Fixes: 205737fe3345 ("clk: qcom: add support for SM8350 DISPCC") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-2-1149dd8399fe@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-alpha-pll.c | 52 ++++++++++++++++++++++++++++++++ + drivers/clk/qcom/clk-alpha-pll.h | 2 ++ + drivers/clk/qcom/dispcc-sm8250.c | 9 ++++-- + 3 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/clk-alpha-pll.c b/drivers/clk/qcom/clk-alpha-pll.c +index 1701cce74df79..7464cf64803fd 100644 +--- a/drivers/clk/qcom/clk-alpha-pll.c ++++ b/drivers/clk/qcom/clk-alpha-pll.c +@@ -1757,6 +1757,58 @@ const struct clk_ops clk_alpha_pll_agera_ops = { + }; + EXPORT_SYMBOL_GPL(clk_alpha_pll_agera_ops); + ++/** ++ * clk_lucid_5lpe_pll_configure - configure the lucid 5lpe pll ++ * ++ * @pll: clk alpha pll ++ * @regmap: register map ++ * @config: configuration to apply for pll ++ */ ++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, ++ const struct alpha_pll_config *config) ++{ ++ /* ++ * If the bootloader left the PLL enabled it's likely that there are ++ * RCGs that will lock up if we disable the PLL below. ++ */ ++ if (trion_pll_is_enabled(pll, regmap)) { ++ pr_debug("Lucid 5LPE PLL is already enabled, skipping configuration\n"); ++ return; ++ } ++ ++ clk_alpha_pll_write_config(regmap, PLL_L_VAL(pll), config->l); ++ regmap_write(regmap, PLL_CAL_L_VAL(pll), TRION_PLL_CAL_VAL); ++ clk_alpha_pll_write_config(regmap, PLL_ALPHA_VAL(pll), config->alpha); ++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL(pll), ++ config->config_ctl_val); ++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U(pll), ++ config->config_ctl_hi_val); ++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U1(pll), ++ config->config_ctl_hi1_val); ++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL(pll), ++ config->user_ctl_val); ++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U(pll), ++ config->user_ctl_hi_val); ++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U1(pll), ++ config->user_ctl_hi1_val); ++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL(pll), ++ config->test_ctl_val); ++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U(pll), ++ config->test_ctl_hi_val); ++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U1(pll), ++ config->test_ctl_hi1_val); ++ ++ /* Disable PLL output */ ++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_OUTCTRL, 0); ++ ++ /* Set operation mode to OFF */ ++ regmap_write(regmap, PLL_OPMODE(pll), PLL_STANDBY); ++ ++ /* Place the PLL in STANDBY mode */ ++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_RESET_N, PLL_RESET_N); ++} ++EXPORT_SYMBOL_GPL(clk_lucid_5lpe_pll_configure); ++ + static int alpha_pll_lucid_5lpe_enable(struct clk_hw *hw) + { + struct clk_alpha_pll *pll = to_clk_alpha_pll(hw); +diff --git a/drivers/clk/qcom/clk-alpha-pll.h b/drivers/clk/qcom/clk-alpha-pll.h +index 903fbab9b58e9..3fd0ef41c72c8 100644 +--- a/drivers/clk/qcom/clk-alpha-pll.h ++++ b/drivers/clk/qcom/clk-alpha-pll.h +@@ -198,6 +198,8 @@ void clk_agera_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, + + void clk_zonda_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, + const struct alpha_pll_config *config); ++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, ++ const struct alpha_pll_config *config); + void clk_lucid_evo_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, + const struct alpha_pll_config *config); + void clk_rivian_evo_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, +diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c +index e17bb8b543b51..9a9e0852c91f2 100644 +--- a/drivers/clk/qcom/dispcc-sm8250.c ++++ b/drivers/clk/qcom/dispcc-sm8250.c +@@ -1359,8 +1359,13 @@ static int disp_cc_sm8250_probe(struct platform_device *pdev) + disp_cc_sm8250_clocks[DISP_CC_MDSS_EDP_GTC_CLK_SRC] = NULL; + } + +- clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config); +- clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config); ++ if (of_device_is_compatible(pdev->dev.of_node, "qcom,sm8350-dispcc")) { ++ clk_lucid_5lpe_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config); ++ clk_lucid_5lpe_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config); ++ } else { ++ clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config); ++ clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config); ++ } + + /* Enable clock gating for MDP clocks */ + regmap_update_bits(regmap, 0x8000, 0x10, 0x10); +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch b/queue-6.6/clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch new file mode 100644 index 00000000000..997516c3d65 --- /dev/null +++ b/queue-6.6/clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch @@ -0,0 +1,52 @@ +From d499ceb30c8d445a35cfd4d3f13754ef44aef8a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 13:04:28 +0300 +Subject: clk: qcom: dispcc-sm8550: fix several supposed typos + +From: Dmitry Baryshkov + +[ Upstream commit 7b6a4b907297b28727933493b9e0c95494504634 ] + +Fix seveal odd-looking places in SM8550's dispcc driver: + +- duplicate entries in disp_cc_parent_map_4 and disp_cc_parent_map_5 +- using &disp_cc_mdss_dptx0_link_div_clk_src as a source for + disp_cc_mdss_dptx1_usb_router_link_intf_clk + +The SM8650 driver has been used as a reference. + +Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-1-5c4a3128c40b@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8550.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c +index b9edeb2a221dc..e868c5c426096 100644 +--- a/drivers/clk/qcom/dispcc-sm8550.c ++++ b/drivers/clk/qcom/dispcc-sm8550.c +@@ -196,7 +196,7 @@ static const struct clk_parent_data disp_cc_parent_data_3[] = { + static const struct parent_map disp_cc_parent_map_4[] = { + { P_BI_TCXO, 0 }, + { P_DP0_PHY_PLL_LINK_CLK, 1 }, +- { P_DP1_PHY_PLL_VCO_DIV_CLK, 2 }, ++ { P_DP0_PHY_PLL_VCO_DIV_CLK, 2 }, + { P_DP3_PHY_PLL_VCO_DIV_CLK, 3 }, + { P_DP1_PHY_PLL_VCO_DIV_CLK, 4 }, + { P_DP2_PHY_PLL_VCO_DIV_CLK, 6 }, +@@ -213,7 +213,7 @@ static const struct clk_parent_data disp_cc_parent_data_4[] = { + + static const struct parent_map disp_cc_parent_map_5[] = { + { P_BI_TCXO, 0 }, +- { P_DSI0_PHY_PLL_OUT_BYTECLK, 4 }, ++ { P_DSI0_PHY_PLL_OUT_BYTECLK, 2 }, + { P_DSI1_PHY_PLL_OUT_BYTECLK, 4 }, + }; + +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch b/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch new file mode 100644 index 00000000000..22501aa8e04 --- /dev/null +++ b/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch @@ -0,0 +1,38 @@ +From 44a88272cf2d807f42e1ca46895b95aeddefbd19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 13:04:29 +0300 +Subject: clk: qcom: dispcc-sm8550: use rcg2_ops for mdss_dptx1_aux_clk_src + +From: Dmitry Baryshkov + +[ Upstream commit cb4c00698f2f27d99a69adcce659370ca286cf2a ] + +clk_dp_ops should only be used for DisplayPort pixel clocks. Use +clk_rcg2_ops for disp_cc_mdss_dptx1_aux_clk_src. + +Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-2-5c4a3128c40b@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8550.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c +index e868c5c426096..72558ef25e9e8 100644 +--- a/drivers/clk/qcom/dispcc-sm8550.c ++++ b/drivers/clk/qcom/dispcc-sm8550.c +@@ -400,7 +400,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = { + .parent_data = disp_cc_parent_data_0, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_0), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_dp_ops, ++ .ops = &clk_rcg2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch b/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch new file mode 100644 index 00000000000..1bc3b8bb414 --- /dev/null +++ b/queue-6.6/clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch @@ -0,0 +1,47 @@ +From a25f9ac7112cb7f3b6a517780f9d939c05e18daa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 13:04:32 +0300 +Subject: clk: qcom: dispcc-sm8550: use rcg2_shared_ops for ESC RCGs + +From: Dmitry Baryshkov + +[ Upstream commit c8bee3ff6c9220092b646ff929f9c832c1adab6d ] + +Follow the recommendations and park disp_cc_mdss_esc[01]_clk_src to the +XO instead of disabling the clocks by using the clk_rcg2_shared_ops. + +Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-5-5c4a3128c40b@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8550.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c +index 9b63d62057ed5..95b4c0548f50d 100644 +--- a/drivers/clk/qcom/dispcc-sm8550.c ++++ b/drivers/clk/qcom/dispcc-sm8550.c +@@ -562,7 +562,7 @@ static struct clk_rcg2 disp_cc_mdss_esc0_clk_src = { + .parent_data = disp_cc_parent_data_5, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_5), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_rcg2_shared_ops, + }, + }; + +@@ -577,7 +577,7 @@ static struct clk_rcg2 disp_cc_mdss_esc1_clk_src = { + .parent_data = disp_cc_parent_data_5, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_5), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_rcg2_shared_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch b/queue-6.6/clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch new file mode 100644 index 00000000000..29f0370f870 --- /dev/null +++ b/queue-6.6/clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch @@ -0,0 +1,46 @@ +From dd89f585820edf38ab79310e88a99411471647ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 13:04:31 +0300 +Subject: clk: qcom: dispcc-sm8650: Update the GDSC flags + +From: Dmitry Baryshkov + +[ Upstream commit 7de10ddbdb9d03651cff5fbdc8cf01837c698526 ] + +Add missing POLL_CFG_GDSCR to the MDSS GDSC flags. + +Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-4-5c4a3128c40b@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8550.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c +index 72558ef25e9e8..9b63d62057ed5 100644 +--- a/drivers/clk/qcom/dispcc-sm8550.c ++++ b/drivers/clk/qcom/dispcc-sm8550.c +@@ -1611,7 +1611,7 @@ static struct gdsc mdss_gdsc = { + .name = "mdss_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = HW_CTRL | RETAIN_FF_ENABLE, ++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE, + }; + + static struct gdsc mdss_int2_gdsc = { +@@ -1620,7 +1620,7 @@ static struct gdsc mdss_int2_gdsc = { + .name = "mdss_int2_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = HW_CTRL | RETAIN_FF_ENABLE, ++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE, + }; + + static struct clk_regmap *disp_cc_sm8550_clocks[] = { +-- +2.43.0 + diff --git a/queue-6.6/clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch b/queue-6.6/clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch new file mode 100644 index 00000000000..46d20ea869d --- /dev/null +++ b/queue-6.6/clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch @@ -0,0 +1,40 @@ +From 5271b634f446a1b5bf30d8f9f08fe6db72f57cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 11:18:15 +0530 +Subject: clk: qcom: ipq5332: Register gcc_qdss_tsctr_clk_src + +From: Varadarajan Narayanan + +[ Upstream commit 0e1ac23dfa3f635e486fdeb08206b981cb0a2a6b ] + +gcc_qdss_tsctr_clk_src (enabled in the boot loaders and dependent +on gpll4_main) was not registered as one of the ipq5332 clocks. +Hence clk_disable_unused() disabled 'gpll4_main' assuming there +were no consumers for 'gpll4_main' resulting in system freeze or +reboots. + +Reviewed-by: Dmitry Baryshkov +Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC") +Signed-off-by: Varadarajan Narayanan +Link: https://lore.kernel.org/r/20240730054817.1915652-4-quic_varada@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq5332.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-ipq5332.c b/drivers/clk/qcom/gcc-ipq5332.c +index f98591148a976..6a4877d888294 100644 +--- a/drivers/clk/qcom/gcc-ipq5332.c ++++ b/drivers/clk/qcom/gcc-ipq5332.c +@@ -3388,6 +3388,7 @@ static struct clk_regmap *gcc_ipq5332_clocks[] = { + [GCC_QDSS_DAP_DIV_CLK_SRC] = &gcc_qdss_dap_div_clk_src.clkr, + [GCC_QDSS_ETR_USB_CLK] = &gcc_qdss_etr_usb_clk.clkr, + [GCC_QDSS_EUD_AT_CLK] = &gcc_qdss_eud_at_clk.clkr, ++ [GCC_QDSS_TSCTR_CLK_SRC] = &gcc_qdss_tsctr_clk_src.clkr, + [GCC_QPIC_AHB_CLK] = &gcc_qpic_ahb_clk.clkr, + [GCC_QPIC_CLK] = &gcc_qpic_clk.clkr, + [GCC_QPIC_IO_MACRO_CLK] = &gcc_qpic_io_macro_clk.clkr, +-- +2.43.0 + diff --git a/queue-6.6/clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch b/queue-6.6/clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch new file mode 100644 index 00000000000..53db465ce96 --- /dev/null +++ b/queue-6.6/clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch @@ -0,0 +1,38 @@ +From 4cf01a4575fe47b3f2cf7b075b8818ade8bc8db5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 08:28:20 +0300 +Subject: clk: rockchip: rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p + +From: Alexander Shiyan + +[ Upstream commit 0d02e8d284a45bfa8997ebe8764437b8eb6b108b ] + +The 32kHz input clock is named "xin32k" in the driver, +so the name "32k" appears to be a typo in this case. Lets fix this. + +Signed-off-by: Alexander Shiyan +Reviewed-by: Dragan Simic +Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588") +Link: https://lore.kernel.org/r/20240829052820.3604-1-eagle.alexander923@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3588.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c +index 6994165e03957..d8ffcaefa480b 100644 +--- a/drivers/clk/rockchip/clk-rk3588.c ++++ b/drivers/clk/rockchip/clk-rk3588.c +@@ -526,7 +526,7 @@ PNAME(pmu_200m_100m_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src" }; + PNAME(pmu_300m_24m_p) = { "clk_300m_src", "xin24m" }; + PNAME(pmu_400m_24m_p) = { "clk_400m_src", "xin24m" }; + PNAME(pmu_100m_50m_24m_src_p) = { "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" }; +-PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "32k", "clk_pmu1_100m_src" }; ++PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "xin32k", "clk_pmu1_100m_src" }; + PNAME(hclk_pmu1_root_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" }; + PNAME(hclk_pmu_cm0_root_p) = { "clk_pmu1_400m_src", "clk_pmu1_200m_src", "clk_pmu1_100m_src", "xin24m" }; + PNAME(mclk_pdm0_p) = { "clk_pmu1_300m_src", "clk_pmu1_200m_src" }; +-- +2.43.0 + diff --git a/queue-6.6/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch b/queue-6.6/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch new file mode 100644 index 00000000000..1b17dd21926 --- /dev/null +++ b/queue-6.6/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch @@ -0,0 +1,42 @@ +From 16af7f1d8c2685b823d03ffc159a8808baae4b33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:53 +0000 +Subject: clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 + +From: Jonas Karlman + +[ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ] + +Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically +parented by the hdmiphy clk and it is expected that the DCLK_VOP and +hdmiphy clk rate are kept in sync. + +Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used +on RK3328, to make full use of all possible supported display modes. + +Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP") +Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3228.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c +index a24a35553e134..7343d2d7676bc 100644 +--- a/drivers/clk/rockchip/clk-rk3228.c ++++ b/drivers/clk/rockchip/clk-rk3228.c +@@ -409,7 +409,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = { + RK2928_CLKSEL_CON(29), 0, 3, DFLAGS), + DIV(0, "sclk_vop_pre", "sclk_vop_src", 0, + RK2928_CLKSEL_CON(27), 8, 8, DFLAGS), +- MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, 0, ++ MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT, + RK2928_CLKSEL_CON(27), 1, 1, MFLAGS), + + FACTOR(0, "xin12m", "xin24m", 0, 1, 2), +-- +2.43.0 + diff --git a/queue-6.6/clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch b/queue-6.6/clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch new file mode 100644 index 00000000000..767d7c496bb --- /dev/null +++ b/queue-6.6/clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch @@ -0,0 +1,40 @@ +From 236de702dfbbe986a09eb93289d7a8c89b77d458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 09:38:53 +0000 +Subject: clk: starfive: Use pm_runtime_resume_and_get to fix + pm_runtime_get_sync() usage + +From: Yuntao Liu + +[ Upstream commit 55c312c1b2be6d43e39c280ad6ab4b711e545b89 ] + +We need to call pm_runtime_put_noidle() when pm_runtime_get_sync() +fails, so use pm_runtime_resume_and_get() instead. this function +will handle this. + +Fixes: dae5448a327ed ("clk: starfive: Add StarFive JH7110 Video-Output clock driver") +Signed-off-by: Yuntao Liu +Link: https://lore.kernel.org/r/20240815093853.757487-1-liuyuntao12@huawei.com +Reviewed-by: Xingyu Wu +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/starfive/clk-starfive-jh7110-vout.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/starfive/clk-starfive-jh7110-vout.c b/drivers/clk/starfive/clk-starfive-jh7110-vout.c +index 10cc1ec439251..36340ca42cc7e 100644 +--- a/drivers/clk/starfive/clk-starfive-jh7110-vout.c ++++ b/drivers/clk/starfive/clk-starfive-jh7110-vout.c +@@ -145,7 +145,7 @@ static int jh7110_voutcrg_probe(struct platform_device *pdev) + + /* enable power domain and clocks */ + pm_runtime_enable(priv->dev); +- ret = pm_runtime_get_sync(priv->dev); ++ ret = pm_runtime_resume_and_get(priv->dev); + if (ret < 0) + return dev_err_probe(priv->dev, ret, "failed to turn on power\n"); + +-- +2.43.0 + diff --git a/queue-6.6/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch b/queue-6.6/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch new file mode 100644 index 00000000000..c53ecfd5a3e --- /dev/null +++ b/queue-6.6/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch @@ -0,0 +1,39 @@ +From 82a1070f8f4d228e3f98e26c58be362bfbbb8f55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 10:35:29 -0500 +Subject: clk: ti: dra7-atl: Fix leak of of_nodes + +From: David Lechner + +[ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ] + +This fix leaking the of_node references in of_dra7_atl_clk_probe(). + +The docs for of_parse_phandle_with_args() say that the caller must call +of_node_put() on the returned node. This adds the missing of_node_put() +to fix the leak. + +Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)") +Signed-off-by: David Lechner +Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clk-dra7-atl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c +index d964e3affd42c..0eab7f3e2eab9 100644 +--- a/drivers/clk/ti/clk-dra7-atl.c ++++ b/drivers/clk/ti/clk-dra7-atl.c +@@ -240,6 +240,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + } + + clk = of_clk_get_from_provider(&clkspec); ++ of_node_put(clkspec.np); + if (IS_ERR(clk)) { + pr_err("%s: failed to get atl clock %d from provider\n", + __func__, i); +-- +2.43.0 + diff --git a/queue-6.6/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch b/queue-6.6/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch new file mode 100644 index 00000000000..d0b5ddf752b --- /dev/null +++ b/queue-6.6/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch @@ -0,0 +1,51 @@ +From c0850c1d954b2b93759a7dfa2b8c8ed9e2b3c251 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jul 2024 15:27:13 +0530 +Subject: clocksource/drivers/qcom: Add missing iounmap() on errors in + msm_dt_timer_init() + +From: Ankit Agrawal + +[ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ] + +Add the missing iounmap() when clock frequency fails to get read by the +of_property_read_u32() call, or if the call to msm_timer_init() fails. + +Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer") +Signed-off-by: Ankit Agrawal +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-qcom.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c +index b4afe3a675835..eac4c95c6127f 100644 +--- a/drivers/clocksource/timer-qcom.c ++++ b/drivers/clocksource/timer-qcom.c +@@ -233,6 +233,7 @@ static int __init msm_dt_timer_init(struct device_node *np) + } + + if (of_property_read_u32(np, "clock-frequency", &freq)) { ++ iounmap(cpu0_base); + pr_err("Unknown frequency\n"); + return -EINVAL; + } +@@ -243,7 +244,11 @@ static int __init msm_dt_timer_init(struct device_node *np) + freq /= 4; + writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL); + +- return msm_timer_init(freq, 32, irq, !!percpu_offset); ++ ret = msm_timer_init(freq, 32, irq, !!percpu_offset); ++ if (ret) ++ iounmap(cpu0_base); ++ ++ return ret; + } + TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init); + TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init); +-- +2.43.0 + diff --git a/queue-6.6/coresight-tmc-sg-do-not-leak-sg_table.patch b/queue-6.6/coresight-tmc-sg-do-not-leak-sg_table.patch new file mode 100644 index 00000000000..1f2b16ad8e7 --- /dev/null +++ b/queue-6.6/coresight-tmc-sg-do-not-leak-sg_table.patch @@ -0,0 +1,73 @@ +From 78cd6655bb19362638d2daec649972fd743062c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 14:28:46 +0100 +Subject: coresight: tmc: sg: Do not leak sg_table + +From: Suzuki K Poulose + +[ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ] + +Running perf with cs_etm on Juno triggers the following kmemleak warning ! + +:~# cat /sys/kernel/debug/kmemleak + unreferenced object 0xffffff8806b6d720 (size 96): + comm "perf", pid 562, jiffies 4297810960 + hex dump (first 32 bytes): + 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8............... + 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................ + backtrace (crc 1dbf6e00): + [] kmemleak_alloc+0xbc/0xd8 + [] kmalloc_trace_noprof+0x220/0x2e8 + [] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc] + [] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc] + [] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc] + [] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc] + [] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc] + [] etm_setup_aux+0x204/0x3b0 [coresight] + [] rb_alloc_aux+0x20c/0x318 + [] perf_mmap+0x2e4/0x7a0 + [] mmap_region+0x3b0/0xa08 + [] do_mmap+0x3a0/0x500 + [] vm_mmap_pgoff+0x100/0x1d0 + [] ksys_mmap_pgoff+0xb8/0x110 + [] __arm64_sys_mmap+0x38/0x58 + [] invoke_syscall.constprop.0+0x58/0x100 + +This due to the fact that we do not free the "sg_table" itself while +freeing up the SG table and data pages. Fix this by freeing the sg_table +in tmc_free_sg_table(). + +Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") +Cc: Mike Leach +Cc: James Clark +Signed-off-by: Suzuki K Poulose +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c +index 8311e1028ddb0..f3312fbcdc0f8 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -255,6 +255,7 @@ void tmc_free_sg_table(struct tmc_sg_table *sg_table) + { + tmc_free_table_pages(sg_table); + tmc_free_data_pages(sg_table); ++ kfree(sg_table); + } + EXPORT_SYMBOL_GPL(tmc_free_sg_table); + +@@ -336,7 +337,6 @@ struct tmc_sg_table *tmc_alloc_sg_table(struct device *dev, + rc = tmc_alloc_table_pages(sg_table); + if (rc) { + tmc_free_sg_table(sg_table); +- kfree(sg_table); + return ERR_PTR(rc); + } + +-- +2.43.0 + diff --git a/queue-6.6/cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch b/queue-6.6/cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch new file mode 100644 index 00000000000..d3628310214 --- /dev/null +++ b/queue-6.6/cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch @@ -0,0 +1,89 @@ +From d44f8456fdfe12d48a805bb360b1c600543d6496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 08:19:15 -0500 +Subject: cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails + appropriately + +From: Nishanth Menon + +[ Upstream commit abc00ffda43bd4ba85896713464c7510c39f8165 ] + +Commit b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx +and omap36xx") introduced special handling for OMAP3 class devices +where syscon node may not be present. However, this also creates a bug +where the syscon node is present, however the offset used to read +is beyond the syscon defined range. + +Fix this by providing a quirk option that is populated when such +special handling is required. This allows proper failure for all other +platforms when the syscon node and efuse offsets are mismatched. + +Fixes: b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx and omap36xx") +Signed-off-by: Nishanth Menon +Tested-by: Dhruva Gole +Reviewed-by: Kevin Hilman +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/ti-cpufreq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/ti-cpufreq.c b/drivers/cpufreq/ti-cpufreq.c +index d88ee87b1cd6f..cb5d1c8fefeb4 100644 +--- a/drivers/cpufreq/ti-cpufreq.c ++++ b/drivers/cpufreq/ti-cpufreq.c +@@ -61,6 +61,9 @@ struct ti_cpufreq_soc_data { + unsigned long efuse_shift; + unsigned long rev_offset; + bool multi_regulator; ++/* Backward compatibility hack: Might have missing syscon */ ++#define TI_QUIRK_SYSCON_MAY_BE_MISSING 0x1 ++ u8 quirks; + }; + + struct ti_cpufreq_data { +@@ -182,6 +185,7 @@ static struct ti_cpufreq_soc_data omap34xx_soc_data = { + .efuse_mask = BIT(3), + .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE, + .multi_regulator = false, ++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING, + }; + + /* +@@ -209,6 +213,7 @@ static struct ti_cpufreq_soc_data omap36xx_soc_data = { + .efuse_mask = BIT(9), + .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE, + .multi_regulator = true, ++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING, + }; + + /* +@@ -223,6 +228,7 @@ static struct ti_cpufreq_soc_data am3517_soc_data = { + .efuse_mask = 0, + .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE, + .multi_regulator = false, ++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING, + }; + + static struct ti_cpufreq_soc_data am625_soc_data = { +@@ -250,7 +256,7 @@ static int ti_cpufreq_get_efuse(struct ti_cpufreq_data *opp_data, + + ret = regmap_read(opp_data->syscon, opp_data->soc_data->efuse_offset, + &efuse); +- if (ret == -EIO) { ++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) { + /* not a syscon register! */ + void __iomem *regs = ioremap(OMAP3_SYSCON_BASE + + opp_data->soc_data->efuse_offset, 4); +@@ -291,7 +297,7 @@ static int ti_cpufreq_get_rev(struct ti_cpufreq_data *opp_data, + + ret = regmap_read(opp_data->syscon, opp_data->soc_data->rev_offset, + &revision); +- if (ret == -EIO) { ++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) { + /* not a syscon register! */ + void __iomem *regs = ioremap(OMAP3_SYSCON_BASE + + opp_data->soc_data->rev_offset, 4); +-- +2.43.0 + diff --git a/queue-6.6/crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch b/queue-6.6/crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch new file mode 100644 index 00000000000..7b7db43186b --- /dev/null +++ b/queue-6.6/crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch @@ -0,0 +1,40 @@ +From 7e1b02b5820e86f7f5bbfd60bdb0fe85372e3641 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 17:57:13 +0800 +Subject: crypto: caam - Pad SG length when allocating hash edesc + +From: Herbert Xu + +[ Upstream commit 5124bc96162667766f6120b19f57a640c2eccb2a ] + +Because hardware will read in multiples of 4 SG entries, ensure +the allocated length is always padded. This was already done +by some callers of ahash_edesc_alloc, but ahash_digest was conspicuously +missing. + +In any case, doing it in the allocation function ensures that the +memory is always there. + +Reported-by: Guangwu Zhang +Fixes: a5e5c13398f3 ("crypto: caam - fix S/G table passing page boundary") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caamhash.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c +index 290c8500c247f..65785dc5b73b2 100644 +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -708,6 +708,7 @@ static struct ahash_edesc *ahash_edesc_alloc(struct ahash_request *req, + GFP_KERNEL : GFP_ATOMIC; + struct ahash_edesc *edesc; + ++ sg_num = pad_sg_nents(sg_num); + edesc = kzalloc(struct_size(edesc, sec4_sg, sg_num), flags); + if (!edesc) + return NULL; +-- +2.43.0 + diff --git a/queue-6.6/crypto-hisilicon-hpre-mask-cluster-timeout-error.patch b/queue-6.6/crypto-hisilicon-hpre-mask-cluster-timeout-error.patch new file mode 100644 index 00000000000..68b8e1fd593 --- /dev/null +++ b/queue-6.6/crypto-hisilicon-hpre-mask-cluster-timeout-error.patch @@ -0,0 +1,115 @@ +From b37415d23675eb46668736fe217ecaf33b7dd622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2024 19:48:30 +0800 +Subject: crypto: hisilicon/hpre - mask cluster timeout error + +From: Weili Qian + +[ Upstream commit 145013f723947c83b1a5f76a0cf6e7237d59e973 ] + +The timeout threshold of the hpre cluster is 16ms. When the CPU +and device share virtual address, page fault processing time may +exceed the threshold. + +In the current test, there is a high probability that the +cluster times out. However, the cluster is waiting for the +completion of memory access, which is not an error, the device +does not need to be reset. If an error occurs in the cluster, +qm also reports the error. Therefore, the cluster timeout +error of hpre can be masked. + +Fixes: d90fab0deb8e ("crypto: hisilicon/qm - get error type from hardware registers") +Signed-off-by: Weili Qian +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/hpre/hpre_main.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c +index b97ce0ee71406..e0cc429130c26 100644 +--- a/drivers/crypto/hisilicon/hpre/hpre_main.c ++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c +@@ -13,9 +13,7 @@ + #include + #include "hpre.h" + +-#define HPRE_QM_ABNML_INT_MASK 0x100004 + #define HPRE_CTRL_CNT_CLR_CE_BIT BIT(0) +-#define HPRE_COMM_CNT_CLR_CE 0x0 + #define HPRE_CTRL_CNT_CLR_CE 0x301000 + #define HPRE_FSM_MAX_CNT 0x301008 + #define HPRE_VFG_AXQOS 0x30100c +@@ -42,7 +40,6 @@ + #define HPRE_HAC_INT_SET 0x301500 + #define HPRE_RNG_TIMEOUT_NUM 0x301A34 + #define HPRE_CORE_INT_ENABLE 0 +-#define HPRE_CORE_INT_DISABLE GENMASK(21, 0) + #define HPRE_RDCHN_INI_ST 0x301a00 + #define HPRE_CLSTR_BASE 0x302000 + #define HPRE_CORE_EN_OFFSET 0x04 +@@ -66,7 +63,6 @@ + #define HPRE_CLSTR_ADDR_INTRVL 0x1000 + #define HPRE_CLUSTER_INQURY 0x100 + #define HPRE_CLSTR_ADDR_INQRY_RSLT 0x104 +-#define HPRE_TIMEOUT_ABNML_BIT 6 + #define HPRE_PASID_EN_BIT 9 + #define HPRE_REG_RD_INTVRL_US 10 + #define HPRE_REG_RD_TMOUT_US 1000 +@@ -202,9 +198,9 @@ static const struct hisi_qm_cap_info hpre_basic_info[] = { + {HPRE_QM_RESET_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0xC37, 0x6C37}, + {HPRE_QM_OOO_SHUTDOWN_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0x4, 0x6C37}, + {HPRE_QM_CE_MASK_CAP, 0x312C, 0, GENMASK(31, 0), 0x0, 0x8, 0x8}, +- {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFFFE}, +- {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFFFE}, +- {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFFFE}, ++ {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFC3E}, ++ {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFC3E}, ++ {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFC3E}, + {HPRE_CE_MASK_CAP, 0x3138, 0, GENMASK(31, 0), 0x0, 0x1, 0x1}, + {HPRE_CLUSTER_NUM_CAP, 0x313c, 20, GENMASK(3, 0), 0x0, 0x4, 0x1}, + {HPRE_CORE_TYPE_NUM_CAP, 0x313c, 16, GENMASK(3, 0), 0x0, 0x2, 0x2}, +@@ -653,11 +649,6 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm) + writel(HPRE_QM_USR_CFG_MASK, qm->io_base + QM_AWUSER_M_CFG_ENABLE); + writel_relaxed(HPRE_QM_AXI_CFG_MASK, qm->io_base + QM_AXI_M_CFG); + +- /* HPRE need more time, we close this interrupt */ +- val = readl_relaxed(qm->io_base + HPRE_QM_ABNML_INT_MASK); +- val |= BIT(HPRE_TIMEOUT_ABNML_BIT); +- writel_relaxed(val, qm->io_base + HPRE_QM_ABNML_INT_MASK); +- + if (qm->ver >= QM_HW_V3) + writel(HPRE_RSA_ENB | HPRE_ECC_ENB, + qm->io_base + HPRE_TYPES_ENB); +@@ -666,9 +657,7 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm) + + writel(HPRE_QM_VFG_AX_MASK, qm->io_base + HPRE_VFG_AXCACHE); + writel(0x0, qm->io_base + HPRE_BD_ENDIAN); +- writel(0x0, qm->io_base + HPRE_INT_MASK); + writel(0x0, qm->io_base + HPRE_POISON_BYPASS); +- writel(0x0, qm->io_base + HPRE_COMM_CNT_CLR_CE); + writel(0x0, qm->io_base + HPRE_ECC_BYPASS); + + writel(HPRE_BD_USR_MASK, qm->io_base + HPRE_BD_ARUSR_CFG); +@@ -758,7 +747,7 @@ static void hpre_hw_error_disable(struct hisi_qm *qm) + + static void hpre_hw_error_enable(struct hisi_qm *qm) + { +- u32 ce, nfe; ++ u32 ce, nfe, err_en; + + ce = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_CE_MASK_CAP, qm->cap_ver); + nfe = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_NFE_MASK_CAP, qm->cap_ver); +@@ -775,7 +764,8 @@ static void hpre_hw_error_enable(struct hisi_qm *qm) + hpre_master_ooo_ctrl(qm, true); + + /* enable hpre hw error interrupts */ +- writel(HPRE_CORE_INT_ENABLE, qm->io_base + HPRE_INT_MASK); ++ err_en = ce | nfe | HPRE_HAC_RAS_FE_ENABLE; ++ writel(~err_en, qm->io_base + HPRE_INT_MASK); + } + + static inline struct hisi_qm *hpre_file_to_qm(struct hpre_debugfs_file *file) +-- +2.43.0 + diff --git a/queue-6.6/crypto-hisilicon-qm-inject-error-before-stopping-que.patch b/queue-6.6/crypto-hisilicon-qm-inject-error-before-stopping-que.patch new file mode 100644 index 00000000000..558369957f3 --- /dev/null +++ b/queue-6.6/crypto-hisilicon-qm-inject-error-before-stopping-que.patch @@ -0,0 +1,108 @@ +From aa06036b15269f973f327f231635599de8e08bb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2024 19:48:31 +0800 +Subject: crypto: hisilicon/qm - inject error before stopping queue + +From: Weili Qian + +[ Upstream commit b04f06fc0243600665b3b50253869533b7938468 ] + +The master ooo cannot be completely closed when the +accelerator core reports memory error. Therefore, the driver +needs to inject the qm error to close the master ooo. Currently, +the qm error is injected after stopping queue, memory may be +released immediately after stopping queue, causing the device to +access the released memory. Therefore, error is injected to close master +ooo before stopping queue to ensure that the device does not access +the released memory. + +Fixes: 6c6dd5802c2d ("crypto: hisilicon/qm - add controller reset interface") +Signed-off-by: Weili Qian +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/qm.c | 47 ++++++++++++++++++----------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c +index 2a6ea3815cfb7..1b00edbbfe26a 100644 +--- a/drivers/crypto/hisilicon/qm.c ++++ b/drivers/crypto/hisilicon/qm.c +@@ -4106,6 +4106,28 @@ static int qm_set_vf_mse(struct hisi_qm *qm, bool set) + return -ETIMEDOUT; + } + ++static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm) ++{ ++ u32 nfe_enb = 0; ++ ++ /* Kunpeng930 hardware automatically close master ooo when NFE occurs */ ++ if (qm->ver >= QM_HW_V3) ++ return; ++ ++ if (!qm->err_status.is_dev_ecc_mbit && ++ qm->err_status.is_qm_ecc_mbit && ++ qm->err_ini->close_axi_master_ooo) { ++ qm->err_ini->close_axi_master_ooo(qm); ++ } else if (qm->err_status.is_dev_ecc_mbit && ++ !qm->err_status.is_qm_ecc_mbit && ++ !qm->err_ini->close_axi_master_ooo) { ++ nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE); ++ writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE, ++ qm->io_base + QM_RAS_NFE_ENABLE); ++ writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET); ++ } ++} ++ + static int qm_vf_reset_prepare(struct hisi_qm *qm, + enum qm_stop_reason stop_reason) + { +@@ -4170,6 +4192,8 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm) + return ret; + } + ++ qm_dev_ecc_mbit_handle(qm); ++ + /* PF obtains the information of VF by querying the register. */ + qm_cmd_uninit(qm); + +@@ -4216,28 +4240,6 @@ static int qm_master_ooo_check(struct hisi_qm *qm) + return ret; + } + +-static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm) +-{ +- u32 nfe_enb = 0; +- +- /* Kunpeng930 hardware automatically close master ooo when NFE occurs */ +- if (qm->ver >= QM_HW_V3) +- return; +- +- if (!qm->err_status.is_dev_ecc_mbit && +- qm->err_status.is_qm_ecc_mbit && +- qm->err_ini->close_axi_master_ooo) { +- qm->err_ini->close_axi_master_ooo(qm); +- } else if (qm->err_status.is_dev_ecc_mbit && +- !qm->err_status.is_qm_ecc_mbit && +- !qm->err_ini->close_axi_master_ooo) { +- nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE); +- writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE, +- qm->io_base + QM_RAS_NFE_ENABLE); +- writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET); +- } +-} +- + static int qm_soft_reset_prepare(struct hisi_qm *qm) + { + struct pci_dev *pdev = qm->pdev; +@@ -4262,7 +4264,6 @@ static int qm_soft_reset_prepare(struct hisi_qm *qm) + return ret; + } + +- qm_dev_ecc_mbit_handle(qm); + ret = qm_master_ooo_check(qm); + if (ret) + return ret; +-- +2.43.0 + diff --git a/queue-6.6/crypto-hisilicon-qm-reset-device-before-enabling-it.patch b/queue-6.6/crypto-hisilicon-qm-reset-device-before-enabling-it.patch new file mode 100644 index 00000000000..b1efcbb9eec --- /dev/null +++ b/queue-6.6/crypto-hisilicon-qm-reset-device-before-enabling-it.patch @@ -0,0 +1,434 @@ +From 44cb6fe62da9a6398d35a72c35ffb3427984933d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2024 19:48:29 +0800 +Subject: crypto: hisilicon/qm - reset device before enabling it + +From: Weili Qian + +[ Upstream commit 5d2d1ee0874c26b8010ddf7f57e2f246e848af38 ] + +Before the device is enabled again, the device may still +store the previously processed data. If an error occurs in +the previous task, the device may fail to be enabled again. +Therefore, before enabling device, reset the device to restore +the initial state. + +Signed-off-by: Weili Qian +Signed-off-by: Herbert Xu +Stable-dep-of: b04f06fc0243 ("crypto: hisilicon/qm - inject error before stopping queue") +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/hpre/hpre_main.c | 32 +++--- + drivers/crypto/hisilicon/qm.c | 114 +++++++++++++++------- + drivers/crypto/hisilicon/sec2/sec_main.c | 16 ++- + drivers/crypto/hisilicon/zip/zip_main.c | 23 +++-- + 4 files changed, 121 insertions(+), 64 deletions(-) + +diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c +index e0cc429130c26..3463f5ee83c0d 100644 +--- a/drivers/crypto/hisilicon/hpre/hpre_main.c ++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c +@@ -353,6 +353,8 @@ static struct dfx_diff_registers hpre_diff_regs[] = { + }, + }; + ++static const struct hisi_qm_err_ini hpre_err_ini; ++ + bool hpre_check_alg_support(struct hisi_qm *qm, u32 alg) + { + u32 cap_val; +@@ -1151,6 +1153,7 @@ static int hpre_qm_init(struct hisi_qm *qm, struct pci_dev *pdev) + qm->qp_num = pf_q_num; + qm->debug.curr_qm_qp_num = pf_q_num; + qm->qm_list = &hpre_devices; ++ qm->err_ini = &hpre_err_ini; + if (pf_q_num_flag) + set_bit(QM_MODULE_PARAM, &qm->misc_ctl); + } +@@ -1340,8 +1343,6 @@ static int hpre_pf_probe_init(struct hpre *hpre) + + hpre_open_sva_prefetch(qm); + +- qm->err_ini = &hpre_err_ini; +- qm->err_ini->err_info_init(qm); + hisi_qm_dev_err_init(qm); + ret = hpre_show_last_regs_init(qm); + if (ret) +@@ -1370,6 +1371,18 @@ static int hpre_probe_init(struct hpre *hpre) + return 0; + } + ++static void hpre_probe_uninit(struct hisi_qm *qm) ++{ ++ if (qm->fun_type == QM_HW_VF) ++ return; ++ ++ hpre_cnt_regs_clear(qm); ++ qm->debug.curr_qm_qp_num = 0; ++ hpre_show_last_regs_uninit(qm); ++ hpre_close_sva_prefetch(qm); ++ hisi_qm_dev_err_uninit(qm); ++} ++ + static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct hisi_qm *qm; +@@ -1395,7 +1408,7 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + ret = hisi_qm_start(qm); + if (ret) +- goto err_with_err_init; ++ goto err_with_probe_init; + + ret = hpre_debugfs_init(qm); + if (ret) +@@ -1432,9 +1445,8 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id) + hpre_debugfs_exit(qm); + hisi_qm_stop(qm, QM_NORMAL); + +-err_with_err_init: +- hpre_show_last_regs_uninit(qm); +- hisi_qm_dev_err_uninit(qm); ++err_with_probe_init: ++ hpre_probe_uninit(qm); + + err_with_qm_init: + hisi_qm_uninit(qm); +@@ -1455,13 +1467,7 @@ static void hpre_remove(struct pci_dev *pdev) + hpre_debugfs_exit(qm); + hisi_qm_stop(qm, QM_NORMAL); + +- if (qm->fun_type == QM_HW_PF) { +- hpre_cnt_regs_clear(qm); +- qm->debug.curr_qm_qp_num = 0; +- hpre_show_last_regs_uninit(qm); +- hisi_qm_dev_err_uninit(qm); +- } +- ++ hpre_probe_uninit(qm); + hisi_qm_uninit(qm); + } + +diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c +index 562df5c77c636..2a6ea3815cfb7 100644 +--- a/drivers/crypto/hisilicon/qm.c ++++ b/drivers/crypto/hisilicon/qm.c +@@ -455,6 +455,7 @@ static struct qm_typical_qos_table shaper_cbs_s[] = { + }; + + static void qm_irqs_unregister(struct hisi_qm *qm); ++static int qm_reset_device(struct hisi_qm *qm); + + static bool qm_avail_state(struct hisi_qm *qm, enum qm_state new) + { +@@ -4199,6 +4200,22 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm) + return 0; + } + ++static int qm_master_ooo_check(struct hisi_qm *qm) ++{ ++ u32 val; ++ int ret; ++ ++ /* Check the ooo register of the device before resetting the device. */ ++ writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN, qm->io_base + ACC_MASTER_GLOBAL_CTRL); ++ ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN, ++ val, (val == ACC_MASTER_TRANS_RETURN_RW), ++ POLL_PERIOD, POLL_TIMEOUT); ++ if (ret) ++ pci_warn(qm->pdev, "Bus lock! Please reset system.\n"); ++ ++ return ret; ++} ++ + static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm) + { + u32 nfe_enb = 0; +@@ -4221,11 +4238,10 @@ static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm) + } + } + +-static int qm_soft_reset(struct hisi_qm *qm) ++static int qm_soft_reset_prepare(struct hisi_qm *qm) + { + struct pci_dev *pdev = qm->pdev; + int ret; +- u32 val; + + /* Ensure all doorbells and mailboxes received by QM */ + ret = qm_check_req_recv(qm); +@@ -4247,29 +4263,23 @@ static int qm_soft_reset(struct hisi_qm *qm) + } + + qm_dev_ecc_mbit_handle(qm); +- +- /* OOO register set and check */ +- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN, +- qm->io_base + ACC_MASTER_GLOBAL_CTRL); +- +- /* If bus lock, reset chip */ +- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN, +- val, +- (val == ACC_MASTER_TRANS_RETURN_RW), +- POLL_PERIOD, POLL_TIMEOUT); +- if (ret) { +- pci_emerg(pdev, "Bus lock! Please reset system.\n"); ++ ret = qm_master_ooo_check(qm); ++ if (ret) + return ret; +- } + + if (qm->err_ini->close_sva_prefetch) + qm->err_ini->close_sva_prefetch(qm); + + ret = qm_set_pf_mse(qm, false); +- if (ret) { ++ if (ret) + pci_err(pdev, "Fails to disable pf MSE bit.\n"); +- return ret; +- } ++ ++ return ret; ++} ++ ++static int qm_reset_device(struct hisi_qm *qm) ++{ ++ struct pci_dev *pdev = qm->pdev; + + /* The reset related sub-control registers are not in PCI BAR */ + if (ACPI_HANDLE(&pdev->dev)) { +@@ -4288,12 +4298,23 @@ static int qm_soft_reset(struct hisi_qm *qm) + pci_err(pdev, "Reset step %llu failed!\n", value); + return -EIO; + } +- } else { +- pci_err(pdev, "No reset method!\n"); +- return -EINVAL; ++ ++ return 0; + } + +- return 0; ++ pci_err(pdev, "No reset method!\n"); ++ return -EINVAL; ++} ++ ++static int qm_soft_reset(struct hisi_qm *qm) ++{ ++ int ret; ++ ++ ret = qm_soft_reset_prepare(qm); ++ if (ret) ++ return ret; ++ ++ return qm_reset_device(qm); + } + + static int qm_vf_reset_done(struct hisi_qm *qm) +@@ -5261,6 +5282,35 @@ static int qm_get_pci_res(struct hisi_qm *qm) + return ret; + } + ++static int qm_clear_device(struct hisi_qm *qm) ++{ ++ acpi_handle handle = ACPI_HANDLE(&qm->pdev->dev); ++ int ret; ++ ++ if (qm->fun_type == QM_HW_VF) ++ return 0; ++ ++ /* Device does not support reset, return */ ++ if (!qm->err_ini->err_info_init) ++ return 0; ++ qm->err_ini->err_info_init(qm); ++ ++ if (!handle) ++ return 0; ++ ++ /* No reset method, return */ ++ if (!acpi_has_method(handle, qm->err_info.acpi_rst)) ++ return 0; ++ ++ ret = qm_master_ooo_check(qm); ++ if (ret) { ++ writel(0x0, qm->io_base + ACC_MASTER_GLOBAL_CTRL); ++ return ret; ++ } ++ ++ return qm_reset_device(qm); ++} ++ + static int hisi_qm_pci_init(struct hisi_qm *qm) + { + struct pci_dev *pdev = qm->pdev; +@@ -5290,8 +5340,14 @@ static int hisi_qm_pci_init(struct hisi_qm *qm) + goto err_get_pci_res; + } + ++ ret = qm_clear_device(qm); ++ if (ret) ++ goto err_free_vectors; ++ + return 0; + ++err_free_vectors: ++ pci_free_irq_vectors(pdev); + err_get_pci_res: + qm_put_pci_res(qm); + err_disable_pcidev: +@@ -5557,7 +5613,6 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm) + { + struct pci_dev *pdev = qm->pdev; + int ret; +- u32 val; + + ret = qm->ops->set_msi(qm, false); + if (ret) { +@@ -5565,18 +5620,9 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm) + return ret; + } + +- /* shutdown OOO register */ +- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN, +- qm->io_base + ACC_MASTER_GLOBAL_CTRL); +- +- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN, +- val, +- (val == ACC_MASTER_TRANS_RETURN_RW), +- POLL_PERIOD, POLL_TIMEOUT); +- if (ret) { +- pci_emerg(pdev, "Bus lock! Please reset system.\n"); ++ ret = qm_master_ooo_check(qm); ++ if (ret) + return ret; +- } + + ret = qm_set_pf_mse(qm, false); + if (ret) +diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c +index bf02a6b2eed41..cf7b6a37e7df7 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_main.c ++++ b/drivers/crypto/hisilicon/sec2/sec_main.c +@@ -1061,9 +1061,6 @@ static int sec_pf_probe_init(struct sec_dev *sec) + struct hisi_qm *qm = &sec->qm; + int ret; + +- qm->err_ini = &sec_err_ini; +- qm->err_ini->err_info_init(qm); +- + ret = sec_set_user_domain_and_cache(qm); + if (ret) + return ret; +@@ -1118,6 +1115,7 @@ static int sec_qm_init(struct hisi_qm *qm, struct pci_dev *pdev) + qm->qp_num = pf_q_num; + qm->debug.curr_qm_qp_num = pf_q_num; + qm->qm_list = &sec_devices; ++ qm->err_ini = &sec_err_ini; + if (pf_q_num_flag) + set_bit(QM_MODULE_PARAM, &qm->misc_ctl); + } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) { +@@ -1182,6 +1180,12 @@ static int sec_probe_init(struct sec_dev *sec) + + static void sec_probe_uninit(struct hisi_qm *qm) + { ++ if (qm->fun_type == QM_HW_VF) ++ return; ++ ++ sec_debug_regs_clear(qm); ++ sec_show_last_regs_uninit(qm); ++ sec_close_sva_prefetch(qm); + hisi_qm_dev_err_uninit(qm); + } + +@@ -1274,7 +1278,6 @@ static int sec_probe(struct pci_dev *pdev, const struct pci_device_id *id) + sec_debugfs_exit(qm); + hisi_qm_stop(qm, QM_NORMAL); + err_probe_uninit: +- sec_show_last_regs_uninit(qm); + sec_probe_uninit(qm); + err_qm_uninit: + sec_qm_uninit(qm); +@@ -1296,11 +1299,6 @@ static void sec_remove(struct pci_dev *pdev) + sec_debugfs_exit(qm); + + (void)hisi_qm_stop(qm, QM_NORMAL); +- +- if (qm->fun_type == QM_HW_PF) +- sec_debug_regs_clear(qm); +- sec_show_last_regs_uninit(qm); +- + sec_probe_uninit(qm); + + sec_qm_uninit(qm); +diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c +index cd7ecb2180bf1..9d47b3675da7d 100644 +--- a/drivers/crypto/hisilicon/zip/zip_main.c ++++ b/drivers/crypto/hisilicon/zip/zip_main.c +@@ -1150,8 +1150,6 @@ static int hisi_zip_pf_probe_init(struct hisi_zip *hisi_zip) + + hisi_zip->ctrl = ctrl; + ctrl->hisi_zip = hisi_zip; +- qm->err_ini = &hisi_zip_err_ini; +- qm->err_ini->err_info_init(qm); + + ret = hisi_zip_set_user_domain_and_cache(qm); + if (ret) +@@ -1212,6 +1210,7 @@ static int hisi_zip_qm_init(struct hisi_qm *qm, struct pci_dev *pdev) + qm->qp_num = pf_q_num; + qm->debug.curr_qm_qp_num = pf_q_num; + qm->qm_list = &zip_devices; ++ qm->err_ini = &hisi_zip_err_ini; + if (pf_q_num_flag) + set_bit(QM_MODULE_PARAM, &qm->misc_ctl); + } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) { +@@ -1278,6 +1277,16 @@ static int hisi_zip_probe_init(struct hisi_zip *hisi_zip) + return 0; + } + ++static void hisi_zip_probe_uninit(struct hisi_qm *qm) ++{ ++ if (qm->fun_type == QM_HW_VF) ++ return; ++ ++ hisi_zip_show_last_regs_uninit(qm); ++ hisi_zip_close_sva_prefetch(qm); ++ hisi_qm_dev_err_uninit(qm); ++} ++ + static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct hisi_zip *hisi_zip; +@@ -1304,7 +1313,7 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + ret = hisi_qm_start(qm); + if (ret) +- goto err_dev_err_uninit; ++ goto err_probe_uninit; + + ret = hisi_zip_debugfs_init(qm); + if (ret) +@@ -1341,9 +1350,8 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id) + hisi_zip_debugfs_exit(qm); + hisi_qm_stop(qm, QM_NORMAL); + +-err_dev_err_uninit: +- hisi_zip_show_last_regs_uninit(qm); +- hisi_qm_dev_err_uninit(qm); ++err_probe_uninit: ++ hisi_zip_probe_uninit(qm); + + err_qm_uninit: + hisi_zip_qm_uninit(qm); +@@ -1364,8 +1372,7 @@ static void hisi_zip_remove(struct pci_dev *pdev) + + hisi_zip_debugfs_exit(qm); + hisi_qm_stop(qm, QM_NORMAL); +- hisi_zip_show_last_regs_uninit(qm); +- hisi_qm_dev_err_uninit(qm); ++ hisi_zip_probe_uninit(qm); + hisi_zip_qm_uninit(qm); + } + +-- +2.43.0 + diff --git a/queue-6.6/crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch b/queue-6.6/crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch new file mode 100644 index 00000000000..b8c6ab73566 --- /dev/null +++ b/queue-6.6/crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch @@ -0,0 +1,37 @@ +From cbee431c68ade48e3e8518e016c706770f929df7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 07:36:37 -0400 +Subject: crypto: powerpc/p10-aes-gcm - Disable CRYPTO_AES_GCM_P10 + +From: Danny Tsen + +[ Upstream commit 44ac4625ea002deecd0c227336c95b724206c698 ] + +Data mismatch found when testing ipsec tunnel with AES/GCM crypto. +Disabling CRYPTO_AES_GCM_P10 in Kconfig for this feature. + +Fixes: fd0e9b3e2ee6 ("crypto: p10-aes-gcm - An accelerated AES/GCM stitched implementation") +Fixes: cdcecfd9991f ("crypto: p10-aes-gcm - Glue code for AES/GCM stitched implementation") +Fixes: 45a4672b9a6e2 ("crypto: p10-aes-gcm - Update Kconfig and Makefile") +Signed-off-by: Danny Tsen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/powerpc/crypto/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig +index 6fc2248ca5616..fccf742c55c2c 100644 +--- a/arch/powerpc/crypto/Kconfig ++++ b/arch/powerpc/crypto/Kconfig +@@ -96,6 +96,7 @@ config CRYPTO_AES_PPC_SPE + + config CRYPTO_AES_GCM_P10 + tristate "Stitched AES/GCM acceleration support on P10 or later CPU (PPC)" ++ depends on BROKEN + depends on PPC64 && CPU_LITTLE_ENDIAN && VSX + select CRYPTO_LIB_AES + select CRYPTO_ALGAPI +-- +2.43.0 + diff --git a/queue-6.6/crypto-xor-fix-template-benchmarking.patch b/queue-6.6/crypto-xor-fix-template-benchmarking.patch new file mode 100644 index 00000000000..2c692946333 --- /dev/null +++ b/queue-6.6/crypto-xor-fix-template-benchmarking.patch @@ -0,0 +1,105 @@ +From 5b0a9eb5bf8f2dd6d0dc295f173e03497ea2402a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 14:24:52 +0200 +Subject: crypto: xor - fix template benchmarking + +From: Helge Deller + +[ Upstream commit ab9a244c396aae4aaa34b2399b82fc15ec2df8c1 ] + +Commit c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking") +switched from using jiffies to ktime-based performance benchmarking. + +This works nicely on machines which have a fine-grained ktime() +clocksource as e.g. x86 machines with TSC. +But other machines, e.g. my 4-way HP PARISC server, don't have such +fine-grained clocksources, which is why it seems that 800 xor loops +take zero seconds, which then shows up in the logs as: + + xor: measuring software checksum speed + 8regs : -1018167296 MB/sec + 8regs_prefetch : -1018167296 MB/sec + 32regs : -1018167296 MB/sec + 32regs_prefetch : -1018167296 MB/sec + +Fix this with some small modifications to the existing code to improve +the algorithm to always produce correct results without introducing +major delays for architectures with a fine-grained ktime() +clocksource: +a) Delay start of the timing until ktime() just advanced. On machines +with a fast ktime() this should be just one additional ktime() call. +b) Count the number of loops. Run at minimum 800 loops and finish +earliest when the ktime() counter has progressed. + +With that the throughput can now be calculated more accurately under all +conditions. + +Fixes: c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking") +Signed-off-by: Helge Deller +Tested-by: John David Anglin + +v2: +- clean up coding style (noticed & suggested by Herbert Xu) +- rephrased & fixed typo in commit message + +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/xor.c | 31 ++++++++++++++----------------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/crypto/xor.c b/crypto/xor.c +index 8e72e5d5db0de..56aa3169e8717 100644 +--- a/crypto/xor.c ++++ b/crypto/xor.c +@@ -83,33 +83,30 @@ static void __init + do_xor_speed(struct xor_block_template *tmpl, void *b1, void *b2) + { + int speed; +- int i, j; +- ktime_t min, start, diff; ++ unsigned long reps; ++ ktime_t min, start, t0; + + tmpl->next = template_list; + template_list = tmpl; + + preempt_disable(); + +- min = (ktime_t)S64_MAX; +- for (i = 0; i < 3; i++) { +- start = ktime_get(); +- for (j = 0; j < REPS; j++) { +- mb(); /* prevent loop optimization */ +- tmpl->do_2(BENCH_SIZE, b1, b2); +- mb(); +- } +- diff = ktime_sub(ktime_get(), start); +- if (diff < min) +- min = diff; +- } ++ reps = 0; ++ t0 = ktime_get(); ++ /* delay start until time has advanced */ ++ while ((start = ktime_get()) == t0) ++ cpu_relax(); ++ do { ++ mb(); /* prevent loop optimization */ ++ tmpl->do_2(BENCH_SIZE, b1, b2); ++ mb(); ++ } while (reps++ < REPS || (t0 = ktime_get()) == start); ++ min = ktime_sub(t0, start); + + preempt_enable(); + + // bytes/ns == GB/s, multiply by 1000 to get MB/s [not MiB/s] +- if (!min) +- min = 1; +- speed = (1000 * REPS * BENCH_SIZE) / (unsigned int)ktime_to_ns(min); ++ speed = (1000 * reps * BENCH_SIZE) / (unsigned int)ktime_to_ns(min); + tmpl->speed = speed; + + pr_info(" %-16s: %5d MB/sec\n", tmpl->name, speed); +-- +2.43.0 + diff --git a/queue-6.6/cxl-pci-fix-to-record-only-non-zero-ranges.patch b/queue-6.6/cxl-pci-fix-to-record-only-non-zero-ranges.patch new file mode 100644 index 00000000000..c7433254a4f --- /dev/null +++ b/queue-6.6/cxl-pci-fix-to-record-only-non-zero-ranges.patch @@ -0,0 +1,66 @@ +From 2771abf266defa7c5a1232ecb2df8635aac5059f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 16:42:28 +0800 +Subject: cxl/pci: Fix to record only non-zero ranges + +From: Yanfei Xu + +[ Upstream commit 55e268694e8b07026c88191f9b6949b6887d9ce3 ] + +The function cxl_dvsec_rr_decode() retrieves and records DVSEC ranges +into info->dvsec_range[], regardless of whether it is non-zero range, +and the variable info->ranges indicates the number of non-zero ranges. +However, in cxl_hdm_decode_init(), the validation for +info->dvsec_range[] occurs in a for loop that iterates based on +info->ranges. It may result in zero range to be validated but non-zero +range not be validated, in turn, the number of allowed ranges is to be +0. Address it by only record non-zero ranges. + +This fix is not urgent as it requires a configuration that zeroes out +the first dvsec range while populating the second. This has not been +observed, but it is theoretically possible. If this gets picked up for +-stable, no harm done, but there is no urgency to backport. + +Fixes: 560f78559006 ("cxl/pci: Retrieve CXL DVSEC memory info") +Reviewed-by: Jonathan Cameron +Signed-off-by: Yanfei Xu +Reviewed-by: Alison Schofield +Link: https://patch.msgid.link/20240828084231.1378789-2-yanfei.xu@intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/pci.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c +index c963cd9e88d16..6edfd05466737 100644 +--- a/drivers/cxl/core/pci.c ++++ b/drivers/cxl/core/pci.c +@@ -388,10 +388,6 @@ int cxl_dvsec_rr_decode(struct device *dev, int d, + + size |= temp & CXL_DVSEC_MEM_SIZE_LOW_MASK; + if (!size) { +- info->dvsec_range[i] = (struct range) { +- .start = 0, +- .end = CXL_RESOURCE_NONE, +- }; + continue; + } + +@@ -409,12 +405,10 @@ int cxl_dvsec_rr_decode(struct device *dev, int d, + + base |= temp & CXL_DVSEC_MEM_BASE_LOW_MASK; + +- info->dvsec_range[i] = (struct range) { ++ info->dvsec_range[ranges++] = (struct range) { + .start = base, + .end = base + size - 1 + }; +- +- ranges++; + } + + info->ranges = ranges; +-- +2.43.0 + diff --git a/queue-6.6/driver-core-fix-a-potential-null-ptr-deref-in-module.patch b/queue-6.6/driver-core-fix-a-potential-null-ptr-deref-in-module.patch new file mode 100644 index 00000000000..4965a19a588 --- /dev/null +++ b/queue-6.6/driver-core-fix-a-potential-null-ptr-deref-in-module.patch @@ -0,0 +1,128 @@ +From 0f955e702862b19a6fa7813d52dc9ad1710b6e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 16:06:58 +0800 +Subject: driver core: Fix a potential null-ptr-deref in module_add_driver() + +From: Jinjie Ruan + +[ Upstream commit 18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8 ] + +Inject fault while probing of-fpga-region, if kasprintf() fails in +module_add_driver(), the second sysfs_remove_link() in exit path will cause +null-ptr-deref as below because kernfs_name_hash() will call strlen() with +NULL driver_name. + +Fix it by releasing resources based on the exit path sequence. + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + Mem abort info: + ESR = 0x0000000096000005 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x05: level 1 translation fault + Data abort info: + ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + [dfffffc000000000] address between user and kernel address ranges + Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP + Dumping ftrace buffer: + (ftrace buffer empty) + Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region] + CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295 + Hardware name: linux,dummy-virt (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : strlen+0x24/0xb0 + lr : kernfs_name_hash+0x1c/0xc4 + sp : ffffffc081f97380 + x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0 + x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000 + x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 + x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840 + x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42 + x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d + x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000 + x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001 + x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000 + Call trace: + strlen+0x24/0xb0 + kernfs_name_hash+0x1c/0xc4 + kernfs_find_ns+0x118/0x2e8 + kernfs_remove_by_name_ns+0x80/0x100 + sysfs_remove_link+0x74/0xa8 + module_add_driver+0x278/0x394 + bus_add_driver+0x1f0/0x43c + driver_register+0xf4/0x3c0 + __platform_driver_register+0x60/0x88 + of_fpga_region_init+0x20/0x1000 [of_fpga_region] + do_one_initcall+0x110/0x788 + do_init_module+0x1dc/0x5c8 + load_module+0x3c38/0x4cac + init_module_from_file+0xd4/0x128 + idempotent_init_module+0x2cc/0x528 + __arm64_sys_finit_module+0xac/0x100 + invoke_syscall+0x6c/0x258 + el0_svc_common.constprop.0+0x160/0x22c + do_el0_svc+0x44/0x5c + el0_svc+0x48/0xb8 + el0t_64_sync_handler+0x13c/0x158 + el0t_64_sync+0x190/0x194 + Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Oops: Fatal exception + +Fixes: 85d2b0aa1703 ("module: don't ignore sysfs_create_link() failures") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20240812080658.2791982-1-ruanjinjie@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/module.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/module.c b/drivers/base/module.c +index b0b79b9c189d4..0d5c5da367f72 100644 +--- a/drivers/base/module.c ++++ b/drivers/base/module.c +@@ -66,27 +66,31 @@ int module_add_driver(struct module *mod, struct device_driver *drv) + driver_name = make_driver_name(drv); + if (!driver_name) { + ret = -ENOMEM; +- goto out; ++ goto out_remove_kobj; + } + + module_create_drivers_dir(mk); + if (!mk->drivers_dir) { + ret = -EINVAL; +- goto out; ++ goto out_free_driver_name; + } + + ret = sysfs_create_link(mk->drivers_dir, &drv->p->kobj, driver_name); + if (ret) +- goto out; ++ goto out_remove_drivers_dir; + + kfree(driver_name); + + return 0; +-out: +- sysfs_remove_link(&drv->p->kobj, "module"); ++ ++out_remove_drivers_dir: + sysfs_remove_link(mk->drivers_dir, driver_name); ++ ++out_free_driver_name: + kfree(driver_name); + ++out_remove_kobj: ++ sysfs_remove_link(&drv->p->kobj, "module"); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/driver-core-fix-error-handling-in-driver-api-device_.patch b/queue-6.6/driver-core-fix-error-handling-in-driver-api-device_.patch new file mode 100644 index 00000000000..5e7c90a1439 --- /dev/null +++ b/queue-6.6/driver-core-fix-error-handling-in-driver-api-device_.patch @@ -0,0 +1,79 @@ +From f0473da043f5d5963b50c3d2e19cf89d5040121e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:48:10 +0800 +Subject: driver core: Fix error handling in driver API device_rename() + +From: Zijun Hu + +[ Upstream commit 6d8249ac29bc23260dfa9747eb398ce76012d73c ] + +For class-device, device_rename() failure maybe cause unexpected link name +within its class folder as explained below: + +/sys/class/.../old_name -> /sys/devices/.../old_name +device_rename(..., new_name) and failed +/sys/class/.../new_name -> /sys/devices/.../old_name + +Fixed by undoing renaming link if renaming kobject failed. + +Fixes: f349cf34731c ("driver core: Implement ns directory support for device classes.") +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20240722-device_rename_fix-v2-1-77de1a6c6495@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/core.c b/drivers/base/core.c +index cb323700e952f..60a0a4630a5bb 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -4485,9 +4485,11 @@ EXPORT_SYMBOL_GPL(device_destroy); + */ + int device_rename(struct device *dev, const char *new_name) + { ++ struct subsys_private *sp = NULL; + struct kobject *kobj = &dev->kobj; + char *old_device_name = NULL; + int error; ++ bool is_link_renamed = false; + + dev = get_device(dev); + if (!dev) +@@ -4502,7 +4504,7 @@ int device_rename(struct device *dev, const char *new_name) + } + + if (dev->class) { +- struct subsys_private *sp = class_to_subsys(dev->class); ++ sp = class_to_subsys(dev->class); + + if (!sp) { + error = -EINVAL; +@@ -4511,16 +4513,19 @@ int device_rename(struct device *dev, const char *new_name) + + error = sysfs_rename_link_ns(&sp->subsys.kobj, kobj, old_device_name, + new_name, kobject_namespace(kobj)); +- subsys_put(sp); + if (error) + goto out; ++ ++ is_link_renamed = true; + } + + error = kobject_rename(kobj, new_name); +- if (error) +- goto out; +- + out: ++ if (error && is_link_renamed) ++ sysfs_rename_link_ns(&sp->subsys.kobj, kobj, new_name, ++ old_device_name, kobject_namespace(kobj)); ++ subsys_put(sp); ++ + put_device(dev); + + kfree(old_device_name); +-- +2.43.0 + diff --git a/queue-6.6/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch b/queue-6.6/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch new file mode 100644 index 00000000000..aedd7ec9388 --- /dev/null +++ b/queue-6.6/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch @@ -0,0 +1,36 @@ +From 825a0e6c4cb90c1d351bf3b9016737e7b3f8a2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 17:09:27 +0800 +Subject: drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() + +From: Yuesong Li + +[ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ] + +cocci reported a double assignment problem. Upon reviewing previous +commits, it appears this may actually be an incorrect assignment. + +Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages") +Signed-off-by: Yuesong Li +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c +index 5302bebbe38c9..1456abd5b9dde 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c +@@ -1173,7 +1173,7 @@ static int gsc_bind(struct device *dev, struct device *master, void *data) + struct exynos_drm_ipp *ipp = &ctx->ipp; + + ctx->drm_dev = drm_dev; +- ctx->drm_dev = drm_dev; ++ ipp->drm_dev = drm_dev; + exynos_drm_register_dma(drm_dev, dev, &ctx->dma_priv); + + exynos_drm_ipp_register(dev, ipp, &ipp_funcs, +-- +2.43.0 + diff --git a/queue-6.6/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch b/queue-6.6/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch new file mode 100644 index 00000000000..461185cf4b8 --- /dev/null +++ b/queue-6.6/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch @@ -0,0 +1,43 @@ +From f6b27d155405cdd0eb31e811dff9c7a1ed88aa44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 01:50:23 +0800 +Subject: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write + error + +From: Junlin Li + +[ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ] + +Ensure index in rtl2830_pid_filter does not exceed 31 to prevent +out-of-bounds access. + +dev->filters is a 32-bit value, so set_bit and clear_bit functions should +only operate on indices from 0 to 31. If index is 32, it will attempt to +access a non-existent 33rd bit, leading to out-of-bounds access. +Change the boundary check from index > 32 to index >= 32 to resolve this +issue. + +Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter") +Signed-off-by: Junlin Li +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/rtl2830.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c +index 35c969fd2cb5e..4e59734ec53e2 100644 +--- a/drivers/media/dvb-frontends/rtl2830.c ++++ b/drivers/media/dvb-frontends/rtl2830.c +@@ -609,7 +609,7 @@ static int rtl2830_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, int on + index, pid, onoff); + + /* skip invalid PIDs (0x2000) */ +- if (pid > 0x1fff || index > 32) ++ if (pid > 0x1fff || index >= 32) + return 0; + + if (onoff) +-- +2.43.0 + diff --git a/queue-6.6/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch b/queue-6.6/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch new file mode 100644 index 00000000000..85f3d9535ae --- /dev/null +++ b/queue-6.6/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch @@ -0,0 +1,44 @@ +From f8888637e9ca1f1f7fbbb68d982753d89503e744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:24:13 +0800 +Subject: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write + error + +From: Junlin Li + +[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ] + +Ensure index in rtl2832_pid_filter does not exceed 31 to prevent +out-of-bounds access. + +dev->filters is a 32-bit value, so set_bit and clear_bit functions should +only operate on indices from 0 to 31. If index is 32, it will attempt to +access a non-existent 33rd bit, leading to out-of-bounds access. +Change the boundary check from index > 32 to index >= 32 to resolve this +issue. + +Signed-off-by: Junlin Li +Signed-off-by: Hans Verkuil +Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter") +[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/rtl2832.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c +index 601cf45c39358..e6a7877a98541 100644 +--- a/drivers/media/dvb-frontends/rtl2832.c ++++ b/drivers/media/dvb-frontends/rtl2832.c +@@ -983,7 +983,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, + index, pid, onoff, dev->slave_ts); + + /* skip invalid PIDs (0x2000) */ +- if (pid > 0x1fff || index > 32) ++ if (pid > 0x1fff || index >= 32) + return 0; + + if (onoff) +-- +2.43.0 + diff --git a/queue-6.6/drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch b/queue-6.6/drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch new file mode 100644 index 00000000000..d0a84c373af --- /dev/null +++ b/queue-6.6/drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch @@ -0,0 +1,44 @@ +From 78ee4c59d34f8af86f2758e2c3d3810509dfe535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 11:33:31 +0800 +Subject: drivers/perf: Fix ali_drw_pmu driver interrupt status clearing + +From: Jing Zhang + +[ Upstream commit a3dd920977dccc453c550260c4b7605b280b79c3 ] + +The alibaba_uncore_pmu driver forgot to clear all interrupt status +in the interrupt processing function. After the PMU counter overflow +interrupt occurred, an interrupt storm occurred, causing the system +to hang. + +Therefore, clear the correct interrupt status in the interrupt handling +function to fix it. + +Fixes: cf7b61073e45 ("drivers/perf: add DDR Sub-System Driveway PMU driver for Yitian 710 SoC") +Signed-off-by: Jing Zhang +Reviewed-by: Shuai Xue +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/1724297611-20686-1-git-send-email-renyu.zj@linux.alibaba.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/alibaba_uncore_drw_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/alibaba_uncore_drw_pmu.c b/drivers/perf/alibaba_uncore_drw_pmu.c +index 19d459a36be55..818ce4424d34d 100644 +--- a/drivers/perf/alibaba_uncore_drw_pmu.c ++++ b/drivers/perf/alibaba_uncore_drw_pmu.c +@@ -408,7 +408,7 @@ static irqreturn_t ali_drw_pmu_isr(int irq_num, void *data) + } + + /* clear common counter intr status */ +- clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, 1); ++ clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, status); + writel(clr_status, + drw_pmu->cfg_base + ALI_DRW_PMU_OV_INTR_CLR); + } +-- +2.43.0 + diff --git a/queue-6.6/drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch b/queue-6.6/drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch new file mode 100644 index 00000000000..54e6a820926 --- /dev/null +++ b/queue-6.6/drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch @@ -0,0 +1,41 @@ +From 45fa282a02e80b5e1ff59a457018f8062c4bd5bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 17:03:31 +0800 +Subject: drivers/perf: hisi_pcie: Fix TLP headers bandwidth counting + +From: Yicong Yang + +[ Upstream commit 17bf68aeb3642221e3e770399b5a52f370747ac1 ] + +We make the initial value of event ctrl register as HISI_PCIE_INIT_SET +and modify according to the user options. This will make TLP headers +bandwidth only counting never take effect since HISI_PCIE_INIT_SET +configures to count the TLP payloads bandwidth. Fix this by making +the initial value of event ctrl register as 0. + +Fixes: 17d573984d4d ("drivers/perf: hisi: Add TLP filter support") +Signed-off-by: Yicong Yang +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240829090332.28756-3-yangyicong@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_pcie_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c +index 570ae69c38ec0..4a902da5c1d49 100644 +--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c ++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c +@@ -221,7 +221,7 @@ static void hisi_pcie_pmu_config_filter(struct perf_event *event) + struct hisi_pcie_pmu *pcie_pmu = to_pcie_pmu(event->pmu); + struct hw_perf_event *hwc = &event->hw; + u64 port, trig_len, thr_len, len_mode; +- u64 reg = HISI_PCIE_INIT_SET; ++ u64 reg = 0; + + /* Config HISI_PCIE_EVENT_CTRL according to event. */ + reg |= FIELD_PREP(HISI_PCIE_EVENT_M, hisi_pcie_get_real_event(event)); +-- +2.43.0 + diff --git a/queue-6.6/drivers-perf-hisi_pcie-record-hardware-counts-correc.patch b/queue-6.6/drivers-perf-hisi_pcie-record-hardware-counts-correc.patch new file mode 100644 index 00000000000..ba30cd3c57c --- /dev/null +++ b/queue-6.6/drivers-perf-hisi_pcie-record-hardware-counts-correc.patch @@ -0,0 +1,66 @@ +From 637be902d54033134d3493f5041aef245235bb93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 17:03:30 +0800 +Subject: drivers/perf: hisi_pcie: Record hardware counts correctly + +From: Yicong Yang + +[ Upstream commit daecd3373a16a039ad241086e30a1ec46fc9d61f ] + +Currently we set the period and record it as the initial value of the +counter without checking it's set to the hardware successfully or not. +However the counter maybe unwritable if the target event is unsupported +by the device. In such case we will pass user a wrong count: + +[start counts when setting the period] +hwc->prev_count = 0x8000000000000000 +device.counter_value = 0 // the counter is not set as the period +[when user reads the counter] +event->count = device.counter_value - hwc->prev_count + = 0x8000000000000000 // wrong. should be 0. + +Fix this by record the hardware counter counts correctly when setting +the period. + +Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") +Signed-off-by: Yicong Yang +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240829090332.28756-2-yangyicong@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c +index 430ca15373fe2..570ae69c38ec0 100644 +--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c ++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c +@@ -458,10 +458,24 @@ static void hisi_pcie_pmu_set_period(struct perf_event *event) + struct hisi_pcie_pmu *pcie_pmu = to_pcie_pmu(event->pmu); + struct hw_perf_event *hwc = &event->hw; + int idx = hwc->idx; ++ u64 orig_cnt, cnt; ++ ++ orig_cnt = hisi_pcie_pmu_read_counter(event); + + local64_set(&hwc->prev_count, HISI_PCIE_INIT_VAL); + hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_CNT, idx, HISI_PCIE_INIT_VAL); + hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_EXT_CNT, idx, HISI_PCIE_INIT_VAL); ++ ++ /* ++ * The counter maybe unwritable if the target event is unsupported. ++ * Check this by comparing the counts after setting the period. If ++ * the counts stay unchanged after setting the period then update ++ * the hwc->prev_count correctly. Otherwise the final counts user ++ * get maybe totally wrong. ++ */ ++ cnt = hisi_pcie_pmu_read_counter(event); ++ if (orig_cnt == cnt) ++ local64_set(&hwc->prev_count, cnt); + } + + static void hisi_pcie_pmu_enable_counter(struct hisi_pcie_pmu *pcie_pmu, struct hw_perf_event *hwc) +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-amdgpu-properly-tune-the-size-of-struct.patch b/queue-6.6/drm-amd-amdgpu-properly-tune-the-size-of-struct.patch new file mode 100644 index 00000000000..19b6d3b3b7b --- /dev/null +++ b/queue-6.6/drm-amd-amdgpu-properly-tune-the-size-of-struct.patch @@ -0,0 +1,55 @@ +From e7c8ea253d7297d8cbea3f5681b23ff3b19917f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 12:10:40 +0800 +Subject: drm/amd/amdgpu: Properly tune the size of struct + +From: WangYuli + +[ Upstream commit 0cee47cde41e22712c034ae961076067d4ac13a0 ] + +The struct assertion is failed because sparse cannot parse +`#pragma pack(push, 1)` and `#pragma pack(pop)` correctly. +GCC's output is still 1-byte-aligned. No harm to memory layout. + +The error can be filtered out by sparse-diff, but sometimes +multiple lines queezed into one, making the sparse-diff thinks +its a new error. I'm trying to aviod this by fixing errors. + +Link: https://lore.kernel.org/all/20230620045919.492128-1-suhui@nfschina.com/ +Link: https://lore.kernel.org/all/93d10611-9fbb-4242-87b8-5860b2606042@suswa.mountain/ +Fixes: 1721bc1b2afa ("drm/amdgpu: Update VF2PF interface") +Cc: Dan Carpenter +Cc: wenlunpeng +Reported-by: Su Hui +Signed-off-by: WangYuli +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h +index 104a5ad8397da..198687545407e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h +@@ -209,7 +209,7 @@ struct amd_sriov_msg_pf2vf_info { + uint32_t pcie_atomic_ops_support_flags; + /* reserved */ + uint32_t reserved[256 - AMD_SRIOV_MSG_PF2VF_INFO_FILLED_SIZE]; +-}; ++} __packed; + + struct amd_sriov_msg_vf2pf_info_header { + /* the total structure size in byte */ +@@ -267,7 +267,7 @@ struct amd_sriov_msg_vf2pf_info { + + /* reserved */ + uint32_t reserved[256 - AMD_SRIOV_MSG_VF2PF_INFO_FILLED_SIZE]; +-}; ++} __packed; + + /* mailbox message send from guest to host */ + enum amd_sriov_mailbox_request_message { +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-add-null-check-for-set_output_gamma-.patch b/queue-6.6/drm-amd-display-add-null-check-for-set_output_gamma-.patch new file mode 100644 index 00000000000..bcfab2f2267 --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-check-for-set_output_gamma-.patch @@ -0,0 +1,103 @@ +From fbdecfbfa4166516d3df0fbb6de2323a7d64e42b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 17:18:17 +0530 +Subject: drm/amd/display: Add null check for set_output_gamma in + dcn30_set_output_transfer_func + +From: Srinivasan Shanmugam + +[ Upstream commit 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2 ] + +This commit adds a null check for the set_output_gamma function pointer +in the dcn30_set_output_transfer_func function. Previously, +set_output_gamma was being checked for nullity at line 386, but then it +was being dereferenced without any nullity check at line 401. This +could potentially lead to a null pointer dereference error if +set_output_gamma is indeed null. + +To fix this, we now ensure that set_output_gamma is not null before +dereferencing it. We do this by adding a nullity check for +set_output_gamma before the call to set_output_gamma at line 401. If +set_output_gamma is null, we log an error message and do not call the +function. + +This fix prevents a potential null pointer dereference error. + +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() +error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386) + +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c + 373 bool dcn30_set_output_transfer_func(struct dc *dc, + 374 struct pipe_ctx *pipe_ctx, + 375 const struct dc_stream_state *stream) + 376 { + 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; + 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; + 379 const struct pwl_params *params = NULL; + 380 bool ret = false; + 381 + 382 /* program OGAM or 3DLUT only for the top pipe*/ + 383 if (pipe_ctx->top_pipe == NULL) { + 384 /*program rmu shaper and 3dlut in MPC*/ + 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); + 386 if (ret == false && mpc->funcs->set_output_gamma) { + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL + + 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL) + 388 params = &stream->out_transfer_func.pwl; + 389 else if (pipe_ctx->stream->out_transfer_func.type == + 390 TF_TYPE_DISTRIBUTED_POINTS && + 391 cm3_helper_translate_curve_to_hw_format( + 392 &stream->out_transfer_func, + 393 &mpc->blender_params, false)) + 394 params = &mpc->blender_params; + 395 /* there are no ROM LUTs in OUTGAM */ + 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) + 397 BREAK_TO_DEBUGGER(); + 398 } + 399 } + 400 +--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash + + 402 return ret; + 403 } + +Fixes: d99f13878d6f ("drm/amd/display: Add DCN3 HWSEQ") +Reported-by: Dan Carpenter +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Hersen Wu +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +index ba47a1c8eec10..d59af329d0009 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -214,7 +214,11 @@ bool dcn30_set_output_transfer_func(struct dc *dc, + } + } + +- mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ++ if (mpc->funcs->set_output_gamma) ++ mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ++ else ++ DC_LOG_ERROR("%s: set_output_gamma function pointer is NULL.\n", __func__); ++ + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch b/queue-6.6/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch new file mode 100644 index 00000000000..b06aa6848d1 --- /dev/null +++ b/queue-6.6/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch @@ -0,0 +1,79 @@ +From 7adea46391bb51af9f2c83db6d07bafc9459de7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 13:23:56 -0400 +Subject: drm/amdgpu: properly handle vbios fake edid sizing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ] + +The comment in the vbios structure says: +// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 + +This fake edid struct has not been used in a long time, so I'm +not sure if there were actually any boards out there with a non-128 byte +EDID, but align the code with the comment. + +Reviewed-by: Thomas Weißschuh +Reported-by: Thomas Weißschuh +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdgpu/atombios_encoders.c | 29 ++++++++++--------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +index d95b2dc780634..157e898dc3820 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +@@ -2065,26 +2065,29 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder) + fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record; + if (fake_edid_record->ucFakeEDIDLength) { + struct edid *edid; +- int edid_size = +- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength); +- edid = kmalloc(edid_size, GFP_KERNEL); ++ int edid_size; ++ ++ if (fake_edid_record->ucFakeEDIDLength == 128) ++ edid_size = fake_edid_record->ucFakeEDIDLength; ++ else ++ edid_size = fake_edid_record->ucFakeEDIDLength * 128; ++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0], ++ edid_size, GFP_KERNEL); + if (edid) { +- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0], +- fake_edid_record->ucFakeEDIDLength); +- + if (drm_edid_is_valid(edid)) { + adev->mode_info.bios_hardcoded_edid = edid; + adev->mode_info.bios_hardcoded_edid_size = edid_size; +- } else ++ } else { + kfree(edid); ++ } + } ++ record += struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ edid_size); ++ } else { ++ /* empty fake edid record must be 3 bytes long */ ++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + } +- record += fake_edid_record->ucFakeEDIDLength ? +- struct_size(fake_edid_record, +- ucFakeEDIDString, +- fake_edid_record->ucFakeEDIDLength) : +- /* empty fake edid record must be 3 bytes long */ +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +-- +2.43.0 + diff --git a/queue-6.6/drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch b/queue-6.6/drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch new file mode 100644 index 00000000000..48a054f4f70 --- /dev/null +++ b/queue-6.6/drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch @@ -0,0 +1,97 @@ +From 3abc6f7c47be9f202e01bf8637cefd132319c382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 17:16:37 +0800 +Subject: drm/bridge: lontium-lt8912b: Validate mode in + drm_bridge_funcs::mode_valid() + +From: Liu Ying + +[ Upstream commit fe828fbd87786238b30f44cafd698d975d956c97 ] + +If the bridge is attached with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set, +this driver won't initialize a connector and hence display mode won't be +validated in drm_connector_helper_funcs::mode_valid(). So, move the mode +validation from drm_connector_helper_funcs::mode_valid() to +drm_bridge_funcs::mode_valid(), because the mode validation is always done +for the bridge. + +Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge") +Signed-off-by: Liu Ying +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240813091637.1054586-1-victor.liu@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 ++++++++++++------------ + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt8912b.c b/drivers/gpu/drm/bridge/lontium-lt8912b.c +index 0efcbc73f2a43..5e43a40a5d522 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c ++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c +@@ -411,22 +411,6 @@ static const struct drm_connector_funcs lt8912_connector_funcs = { + .atomic_destroy_state = drm_atomic_helper_connector_destroy_state, + }; + +-static enum drm_mode_status +-lt8912_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) +-{ +- if (mode->clock > 150000) +- return MODE_CLOCK_HIGH; +- +- if (mode->hdisplay > 1920) +- return MODE_BAD_HVALUE; +- +- if (mode->vdisplay > 1080) +- return MODE_BAD_VVALUE; +- +- return MODE_OK; +-} +- + static int lt8912_connector_get_modes(struct drm_connector *connector) + { + const struct drm_edid *drm_edid; +@@ -452,7 +436,6 @@ static int lt8912_connector_get_modes(struct drm_connector *connector) + + static const struct drm_connector_helper_funcs lt8912_connector_helper_funcs = { + .get_modes = lt8912_connector_get_modes, +- .mode_valid = lt8912_connector_mode_valid, + }; + + static void lt8912_bridge_mode_set(struct drm_bridge *bridge, +@@ -594,6 +577,23 @@ static void lt8912_bridge_detach(struct drm_bridge *bridge) + drm_bridge_hpd_disable(lt->hdmi_port); + } + ++static enum drm_mode_status ++lt8912_bridge_mode_valid(struct drm_bridge *bridge, ++ const struct drm_display_info *info, ++ const struct drm_display_mode *mode) ++{ ++ if (mode->clock > 150000) ++ return MODE_CLOCK_HIGH; ++ ++ if (mode->hdisplay > 1920) ++ return MODE_BAD_HVALUE; ++ ++ if (mode->vdisplay > 1080) ++ return MODE_BAD_VVALUE; ++ ++ return MODE_OK; ++} ++ + static enum drm_connector_status + lt8912_bridge_detect(struct drm_bridge *bridge) + { +@@ -624,6 +624,7 @@ static struct edid *lt8912_bridge_get_edid(struct drm_bridge *bridge, + static const struct drm_bridge_funcs lt8912_bridge_funcs = { + .attach = lt8912_bridge_attach, + .detach = lt8912_bridge_detach, ++ .mode_valid = lt8912_bridge_mode_valid, + .mode_set = lt8912_bridge_mode_set, + .enable = lt8912_bridge_enable, + .detect = lt8912_bridge_detect, +-- +2.43.0 + diff --git a/queue-6.6/drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch b/queue-6.6/drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch new file mode 100644 index 00000000000..4259ea878f4 --- /dev/null +++ b/queue-6.6/drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch @@ -0,0 +1,143 @@ +From dfbf41caf8f4e1bc472a0c518b18181e295b6a35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 22:55:19 +0800 +Subject: drm/mediatek: Fix missing configuration flags in + mtk_crtc_ddp_config() + +From: Jason-JH.Lin + +[ Upstream commit fe30bae552ce27b9fefe0b12db1544e73d07325f ] + +In mtk_crtc_ddp_config(), mtk_crtc will use some configuration flags to +generate instructions to cmdq_handle, such as: + state->pending_config + mtk_crtc->pending_planes + plane_state->pending.config + mtk_crtc->pending_async_planes + plane_state->pending.async_config + +These configuration flags may be set to false when a GCE IRQ comes calling +ddp_cmdq_cb(). This may result in missing prepare instructions, +especially if mtk_crtc_update_config() with the flase need_vblank (no need +to wait for vblank) cases. + +Therefore, the mtk_crtc->config_updating flag is set at the beginning of +mtk_crtc_update_config() to ensure that these configuration flags won't be +changed when the mtk_crtc_ddp_config() is preparing instructions. +But somehow the ddp_cmdq_cb() didn't use the mtk_crtc->config_updating +flag to prevent those pending config flags from being cleared. + +To avoid missing the configuration when generating the config instruction, +the config_updating flag should be added into ddp_cmdq_cb() and be +protected with spin_lock. + +Fixes: 7f82d9c43879 ("drm/mediatek: Clear pending flag when cmdq packet is done") +Signed-off-by: Jason-JH.Lin +Reviewed-by: CK Hu +Reviewed-by: Fei Shao +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-1-4761005211ec@mediatek.com/ +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-2-4761005211ec@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 27 +++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 29e021ec6901c..5a1c8b26f1bb1 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -67,6 +67,8 @@ struct mtk_drm_crtc { + /* lock for display hardware access */ + struct mutex hw_lock; + bool config_updating; ++ /* lock for config_updating to cmd buffer */ ++ spinlock_t config_lock; + }; + + struct mtk_crtc_state { +@@ -104,11 +106,16 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) + + static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) + { ++ unsigned long flags; ++ + drm_crtc_handle_vblank(&mtk_crtc->base); ++ ++ spin_lock_irqsave(&mtk_crtc->config_lock, flags); + if (!mtk_crtc->config_updating && mtk_crtc->pending_needs_vblank) { + mtk_drm_crtc_finish_page_flip(mtk_crtc); + mtk_crtc->pending_needs_vblank = false; + } ++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); + } + + #if IS_REACHABLE(CONFIG_MTK_CMDQ) +@@ -291,12 +298,19 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg) + struct mtk_drm_crtc *mtk_crtc = container_of(cmdq_cl, struct mtk_drm_crtc, cmdq_client); + struct mtk_crtc_state *state; + unsigned int i; ++ unsigned long flags; + + if (data->sta < 0) + return; + + state = to_mtk_crtc_state(mtk_crtc->base.state); + ++ spin_lock_irqsave(&mtk_crtc->config_lock, flags); ++ if (mtk_crtc->config_updating) { ++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); ++ goto ddp_cmdq_cb_out; ++ } ++ + state->pending_config = false; + + if (mtk_crtc->pending_planes) { +@@ -323,6 +337,10 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg) + mtk_crtc->pending_async_planes = false; + } + ++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); ++ ++ddp_cmdq_cb_out: ++ + mtk_crtc->cmdq_vblank_cnt = 0; + wake_up(&mtk_crtc->cb_blocking_queue); + } +@@ -555,9 +573,14 @@ static void mtk_drm_crtc_update_config(struct mtk_drm_crtc *mtk_crtc, + struct mtk_drm_private *priv = crtc->dev->dev_private; + unsigned int pending_planes = 0, pending_async_planes = 0; + int i; ++ unsigned long flags; + + mutex_lock(&mtk_crtc->hw_lock); ++ ++ spin_lock_irqsave(&mtk_crtc->config_lock, flags); + mtk_crtc->config_updating = true; ++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); ++ + if (needs_vblank) + mtk_crtc->pending_needs_vblank = true; + +@@ -611,7 +634,10 @@ static void mtk_drm_crtc_update_config(struct mtk_drm_crtc *mtk_crtc, + mbox_client_txdone(mtk_crtc->cmdq_client.chan, 0); + } + #endif ++ spin_lock_irqsave(&mtk_crtc->config_lock, flags); + mtk_crtc->config_updating = false; ++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); ++ + mutex_unlock(&mtk_crtc->hw_lock); + } + +@@ -1014,6 +1040,7 @@ int mtk_drm_crtc_create(struct drm_device *drm_dev, + drm_mode_crtc_set_gamma_size(&mtk_crtc->base, gamma_lut_size); + drm_crtc_enable_color_mgmt(&mtk_crtc->base, 0, has_ctm, gamma_lut_size); + mutex_init(&mtk_crtc->hw_lock); ++ spin_lock_init(&mtk_crtc->config_lock); + + #if IS_REACHABLE(CONFIG_MTK_CMDQ) + i = priv->mbox_index++; +-- +2.43.0 + diff --git a/queue-6.6/drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch b/queue-6.6/drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch new file mode 100644 index 00000000000..7f6fcd2e620 --- /dev/null +++ b/queue-6.6/drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch @@ -0,0 +1,49 @@ +From 57c12412e36647f00531aa0b8f0dde2a284b0317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 18:14:47 +0800 +Subject: drm/mediatek: Use spin_lock_irqsave() for CRTC event lock + +From: Fei Shao + +[ Upstream commit be03b30b7aa99aca876fbc7c1c1b73b2d0339321 ] + +Use the state-aware spin_lock_irqsave() and spin_unlock_irqrestore() +to avoid unconditionally re-enabling the local interrupts. + +Fixes: 411f5c1eacfe ("drm/mediatek: handle events when enabling/disabling crtc") +Signed-off-by: Fei Shao +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240828101511.3269822-1-fshao@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 5a1c8b26f1bb1..659112da47b69 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -450,6 +450,7 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + { + struct drm_device *drm = mtk_crtc->base.dev; + struct drm_crtc *crtc = &mtk_crtc->base; ++ unsigned long flags; + int i; + + for (i = 0; i < mtk_crtc->ddp_comp_nr; i++) { +@@ -481,10 +482,10 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + pm_runtime_put(drm->dev); + + if (crtc->state->event && !crtc->state->active) { +- spin_lock_irq(&crtc->dev->event_lock); ++ spin_lock_irqsave(&crtc->dev->event_lock, flags); + drm_crtc_send_vblank_event(crtc, crtc->state->event); + crtc->state->event = NULL; +- spin_unlock_irq(&crtc->dev->event_lock); ++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch b/queue-6.6/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch new file mode 100644 index 00000000000..644c635a753 --- /dev/null +++ b/queue-6.6/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch @@ -0,0 +1,52 @@ +From 14318f92be35c26beebd1751b8d1776406ac9b15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:00 +0000 +Subject: drm/msm/a5xx: disable preemption in submits by default + +From: Vladimir Lypak + +[ Upstream commit db9dec2db76146d65e1cfbb6afb2e2bd5dab67f8 ] + +Fine grain preemption (switching from/to points within submits) +requires extra handling in command stream of those submits, especially +when rendering with tiling (using GMEM). However this handling is +missing at this point in mesa (and always was). For this reason we get +random GPU faults and hangs if more than one priority level is used +because local preemption is enabled prior to executing command stream +from submit. +With that said it was ahead of time to enable local preemption by +default considering the fact that even on downstream kernel it is only +enabled if requested via UAPI. + +Fixes: a7a4c19c36de ("drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register") +Signed-off-by: Vladimir Lypak +Patchwork: https://patchwork.freedesktop.org/patch/612041/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index e5916c1067967..14d3a3e78a9db 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -150,9 +150,13 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) + OUT_PKT7(ring, CP_SET_PROTECTED_MODE, 1); + OUT_RING(ring, 1); + +- /* Enable local preemption for finegrain preemption */ ++ /* ++ * Disable local preemption by default because it requires ++ * user-space to be aware of it and provide additional handling ++ * to restore rendering state or do various flushes on switch. ++ */ + OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1); +- OUT_RING(ring, 0x1); ++ OUT_RING(ring, 0x0); + + /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */ + OUT_PKT7(ring, CP_YIELD_ENABLE, 1); +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch b/queue-6.6/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch new file mode 100644 index 00000000000..7a78b01c6b9 --- /dev/null +++ b/queue-6.6/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch @@ -0,0 +1,124 @@ +From e020f39dd164a0fff0327a09d9753bcf05849715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:02 +0000 +Subject: drm/msm/a5xx: fix races in preemption evaluation stage + +From: Vladimir Lypak + +[ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ] + +On A5XX GPUs when preemption is used it's invietable to enter a soft +lock-up state in which GPU is stuck at empty ring-buffer doing nothing. +This appears as full UI lockup and not detected as GPU hang (because +it's not). This happens due to not triggering preemption when it was +needed. Sometimes this state can be recovered by some new submit but +generally it won't happen because applications are waiting for old +submits to retire. + +One of the reasons why this happens is a race between a5xx_submit and +a5xx_preempt_trigger called from IRQ during submit retire. Former thread +updates ring->cur of previously empty and not current ring right after +latter checks it for emptiness. Then both threads can just exit because +for first one preempt_state wasn't NONE yet and for second one all rings +appeared to be empty. + +To prevent such situations from happening we need to establish guarantee +for preempt_trigger to make decision after each submit or retire. To +implement this we serialize preemption initiation using spinlock. If +switch is already in progress we need to re-trigger preemption when it +finishes. + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Vladimir Lypak +Patchwork: https://patchwork.freedesktop.org/patch/612045/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 24 +++++++++++++++++++++-- + 2 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +index c7187bcc5e908..b4d06ca3e499d 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +@@ -36,6 +36,7 @@ struct a5xx_gpu { + uint64_t preempt_iova[MSM_GPU_MAX_RINGS]; + + atomic_t preempt_state; ++ spinlock_t preempt_start_lock; + struct timer_list preempt_timer; + + struct drm_gem_object *shadow_bo; +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index 67a8ef4adf6b6..c65b34a4a8cc2 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -97,12 +97,19 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + if (gpu->nr_rings == 1) + return; + ++ /* ++ * Serialize preemption start to ensure that we always make ++ * decision on latest state. Otherwise we can get stuck in ++ * lower priority or empty ring. ++ */ ++ spin_lock_irqsave(&a5xx_gpu->preempt_start_lock, flags); ++ + /* + * Try to start preemption by moving from NONE to START. If + * unsuccessful, a preemption is already in flight + */ + if (!try_preempt_state(a5xx_gpu, PREEMPT_NONE, PREEMPT_START)) +- return; ++ goto out; + + /* Get the next ring to preempt to */ + ring = get_next_ring(gpu); +@@ -127,9 +134,11 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + set_preempt_state(a5xx_gpu, PREEMPT_ABORT); + update_wptr(gpu, a5xx_gpu->cur_ring); + set_preempt_state(a5xx_gpu, PREEMPT_NONE); +- return; ++ goto out; + } + ++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags); ++ + /* Make sure the wptr doesn't update while we're in motion */ + spin_lock_irqsave(&ring->preempt_lock, flags); + a5xx_gpu->preempt[ring->id]->wptr = get_wptr(ring); +@@ -152,6 +161,10 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + + /* And actually start the preemption */ + gpu_write(gpu, REG_A5XX_CP_CONTEXT_SWITCH_CNTL, 1); ++ return; ++ ++out: ++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags); + } + + void a5xx_preempt_irq(struct msm_gpu *gpu) +@@ -188,6 +201,12 @@ void a5xx_preempt_irq(struct msm_gpu *gpu) + update_wptr(gpu, a5xx_gpu->cur_ring); + + set_preempt_state(a5xx_gpu, PREEMPT_NONE); ++ ++ /* ++ * Try to trigger preemption again in case there was a submit or ++ * retire during ring switch ++ */ ++ a5xx_preempt_trigger(gpu); + } + + void a5xx_preempt_hw_init(struct msm_gpu *gpu) +@@ -300,5 +319,6 @@ void a5xx_preempt_init(struct msm_gpu *gpu) + } + } + ++ spin_lock_init(&a5xx_gpu->preempt_start_lock); + timer_setup(&a5xx_gpu->preempt_timer, a5xx_preempt_timer, 0); + } +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch b/queue-6.6/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch new file mode 100644 index 00000000000..8f497db40cd --- /dev/null +++ b/queue-6.6/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch @@ -0,0 +1,41 @@ +From 348b88d159d342d49257db0f0f3cc6c5d904fece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:01 +0000 +Subject: drm/msm/a5xx: properly clear preemption records on resume + +From: Vladimir Lypak + +[ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ] + +Two fields of preempt_record which are used by CP aren't reset on +resume: "data" and "info". This is the reason behind faults which happen +when we try to switch to the ring that was active last before suspend. +In addition those faults can't be recovered from because we use suspend +and resume to do so (keeping values of those fields again). + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Vladimir Lypak +Reviewed-by: Konrad Dybcio +Patchwork: https://patchwork.freedesktop.org/patch/612043/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index f58dd564d122b..67a8ef4adf6b6 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -204,6 +204,8 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu) + return; + + for (i = 0; i < gpu->nr_rings; i++) { ++ a5xx_gpu->preempt[i]->data = 0; ++ a5xx_gpu->preempt[i]->info = 0; + a5xx_gpu->preempt[i]->wptr = 0; + a5xx_gpu->preempt[i]->rptr = 0; + a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova; +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch b/queue-6.6/drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch new file mode 100644 index 00000000000..42df20d3ec7 --- /dev/null +++ b/queue-6.6/drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch @@ -0,0 +1,99 @@ +From 8a299cd260221045f10217782878894c80c3afab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:03 +0000 +Subject: drm/msm/a5xx: workaround early ring-buffer emptiness check + +From: Vladimir Lypak + +[ Upstream commit a30f9f65b5ac82d4390548c32ed9c7f05de7ddf5 ] + +There is another cause for soft lock-up of GPU in empty ring-buffer: +race between GPU executing last commands and CPU checking ring for +emptiness. On GPU side IRQ for retire is triggered by CACHE_FLUSH_TS +event and RPTR shadow (which is used to check ring emptiness) is updated +a bit later from CP_CONTEXT_SWITCH_YIELD. Thus if GPU is executing its +last commands slow enough or we check that ring too fast we will miss a +chance to trigger switch to lower priority ring because current ring isn't +empty just yet. This can escalate to lock-up situation described in +previous patch. +To work-around this issue we keep track of last submit sequence number +for each ring and compare it with one written to memptrs from GPU during +execution of CACHE_FLUSH_TS event. + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Vladimir Lypak +Patchwork: https://patchwork.freedesktop.org/patch/612047/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 ++++ + drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 4 ++++ + 3 files changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index 14d3a3e78a9db..8c2758a18a19c 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -65,6 +65,8 @@ void a5xx_flush(struct msm_gpu *gpu, struct msm_ringbuffer *ring, + + static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit) + { ++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu); ++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu); + struct msm_ringbuffer *ring = submit->ring; + struct drm_gem_object *obj; + uint32_t *ptr, dwords; +@@ -109,6 +111,7 @@ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit + } + } + ++ a5xx_gpu->last_seqno[ring->id] = submit->seqno; + a5xx_flush(gpu, ring, true); + a5xx_preempt_trigger(gpu); + +@@ -210,6 +213,7 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) + /* Write the fence to the scratch register */ + OUT_PKT4(ring, REG_A5XX_CP_SCRATCH_REG(2), 1); + OUT_RING(ring, submit->seqno); ++ a5xx_gpu->last_seqno[ring->id] = submit->seqno; + + /* + * Execute a CACHE_FLUSH_TS event. This will ensure that the +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +index b4d06ca3e499d..9c0d701fe4b85 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +@@ -34,6 +34,7 @@ struct a5xx_gpu { + struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS]; + struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS]; + uint64_t preempt_iova[MSM_GPU_MAX_RINGS]; ++ uint32_t last_seqno[MSM_GPU_MAX_RINGS]; + + atomic_t preempt_state; + spinlock_t preempt_start_lock; +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index c65b34a4a8cc2..0469fea550108 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -55,6 +55,8 @@ static inline void update_wptr(struct msm_gpu *gpu, struct msm_ringbuffer *ring) + /* Return the highest priority ringbuffer with something in it */ + static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu) + { ++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu); ++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu); + unsigned long flags; + int i; + +@@ -64,6 +66,8 @@ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu) + + spin_lock_irqsave(&ring->preempt_lock, flags); + empty = (get_wptr(ring) == gpu->funcs->get_rptr(gpu, ring)); ++ if (!empty && ring == a5xx_gpu->cur_ring) ++ empty = ring->memptrs->fence == a5xx_gpu->last_seqno[i]; + spin_unlock_irqrestore(&ring->preempt_lock, flags); + + if (!empty) +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch b/queue-6.6/drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch new file mode 100644 index 00000000000..86a9c6f2b96 --- /dev/null +++ b/queue-6.6/drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch @@ -0,0 +1,56 @@ +From 6fa3d3c1aa1ccb1157360356d840f1d69d28ddc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Aug 2024 08:40:07 +0300 +Subject: drm/msm/dsi: correct programming sequence for SM8350 / SM8450 + +From: Dmitry Baryshkov + +[ Upstream commit 1328cb7c34bf6d056df9ff694ee5194537548258 ] + +According to the display-drivers, 5nm DSI PLL (v4.2, v4.3) have +different boundaries for pll_clock_inverters programming. Follow the +vendor code and use correct values. + +Fixes: 2f9ae4e395ed ("drm/msm/dsi: add support for DSI-PHY on SM8350 and SM8450") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/606947/ +Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-3-1149dd8399fe@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c +index 89a6344bc8653..f72ce6a3c456d 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c +@@ -135,7 +135,7 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config + config->pll_clock_inverters = 0x00; + else + config->pll_clock_inverters = 0x40; +- } else { ++ } else if (pll->phy->cfg->quirks & DSI_PHY_7NM_QUIRK_V4_1) { + if (pll_freq <= 1000000000ULL) + config->pll_clock_inverters = 0xa0; + else if (pll_freq <= 2500000000ULL) +@@ -144,6 +144,16 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config + config->pll_clock_inverters = 0x00; + else + config->pll_clock_inverters = 0x40; ++ } else { ++ /* 4.2, 4.3 */ ++ if (pll_freq <= 1000000000ULL) ++ config->pll_clock_inverters = 0xa0; ++ else if (pll_freq <= 2500000000ULL) ++ config->pll_clock_inverters = 0x20; ++ else if (pll_freq <= 3500000000ULL) ++ config->pll_clock_inverters = 0x00; ++ else ++ config->pll_clock_inverters = 0x40; + } + + config->decimal_div_start = dec; +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch b/queue-6.6/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch new file mode 100644 index 00000000000..ac08777ed85 --- /dev/null +++ b/queue-6.6/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch @@ -0,0 +1,44 @@ +From fdc30cb0b841936dbd90296a95dddbadbc1783ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 12:13:12 +0300 +Subject: drm/msm: Fix incorrect file name output in adreno_request_fw() + +From: Aleksandr Mishin + +[ Upstream commit e19366911340c2313a1abbb09c54eaf9bdea4f58 ] + +In adreno_request_fw() when debugging information is printed to the log +after firmware load, an incorrect filename is printed. 'newname' is used +instead of 'fwname', so prefix "qcom/" is being added to filename. +Looks like "copy-paste" mistake. + +Fix this mistake by replacing 'newname' with 'fwname'. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2c41ef1b6f7d ("drm/msm/adreno: deal with linux-firmware fw paths") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/602382/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +index 96deaf85c0cd2..4127e2762dcd1 100644 +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +@@ -468,7 +468,7 @@ adreno_request_fw(struct adreno_gpu *adreno_gpu, const char *fwname) + ret = request_firmware_direct(&fw, fwname, drm->dev); + if (!ret) { + DRM_DEV_INFO(drm->dev, "loaded %s from legacy location\n", +- newname); ++ fwname); + adreno_gpu->fwloc = FW_LOCATION_LEGACY; + goto out; + } else if (adreno_gpu->fwloc != FW_LOCATION_UNKNOWN) { +-- +2.43.0 + diff --git a/queue-6.6/drm-msm-fix-s-null-argument-error.patch b/queue-6.6/drm-msm-fix-s-null-argument-error.patch new file mode 100644 index 00000000000..5bb41dc20ef --- /dev/null +++ b/queue-6.6/drm-msm-fix-s-null-argument-error.patch @@ -0,0 +1,48 @@ +From 9c07c6fee025ef40162a112cfebdfeb68b6ddc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 09:53:37 -0700 +Subject: drm/msm: fix %s null argument error + +From: Sherry Yang + +[ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ] + +The following build error was triggered because of NULL string argument: + +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump': +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] +BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n", +BUILDSTDERR: | ^~ +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] + +This happens from the commit a61ddb4393ad ("drm: enable (most) W=1 +warnings by default across the subsystem"). Using "(null)" instead +to fix it. + +Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status") +Signed-off-by: Sherry Yang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/611071/ +Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c +index 56a3063545ec4..12d07e93a4c47 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c +@@ -356,7 +356,7 @@ void mdp5_smp_dump(struct mdp5_smp *smp, struct drm_printer *p) + + drm_printf(p, "%s:%d\t%d\t%s\n", + pipe2name(pipe), j, inuse, +- plane ? plane->name : NULL); ++ plane ? plane->name : "(null)"); + + total += inuse; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch b/queue-6.6/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch new file mode 100644 index 00000000000..8551044b51c --- /dev/null +++ b/queue-6.6/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch @@ -0,0 +1,225 @@ +From 3e4d75754a9c437cd06984e765997847e6b556ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:19:04 -0700 +Subject: drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets + +From: Nikita Zhandarovich + +[ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ] + +Several cs track offsets (such as 'track->db_s_read_offset') +either are initialized with or plainly take big enough values that, +once shifted 8 bits left, may be hit with integer overflow if the +resulting values end up going over u32 limit. + +Same goes for a few instances of 'surf.layer_size * mslice' +multiplications that are added to 'offset' variable - they may +potentially overflow as well and need to be validated properly. + +While some debug prints in this code section take possible overflow +issues into account, simply casting to (unsigned long) may be +erroneous in its own way, as depending on CPU architecture one is +liable to get different results. + +Fix said problems by: + - casting 'offset' to fixed u64 data type instead of + ambiguous unsigned long. + - casting one of the operands in vulnerable to integer + overflow cases to u64. + - adjust format specifiers in debug prints to properly + represent 'offset' values. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++-------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c +index 0de79f3a7e3ff..820c2c3641d38 100644 +--- a/drivers/gpu/drm/radeon/evergreen_cs.c ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c +@@ -395,7 +395,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1; +@@ -433,14 +433,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + return r; + } + +- offset = track->cb_color_bo_offset[id] << 8; ++ offset = (u64)track->cb_color_bo_offset[id] << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n", + __func__, __LINE__, id, offset, surf.base_align); + return -EINVAL; + } + +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->cb_color_bo[id])) { + /* old ddx are broken they allocate bo with w*h*bpp but + * program slice with ALIGN(h, 8), catch this and patch +@@ -448,14 +448,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + */ + if (!surf.mode) { + uint32_t *ib = p->ib.ptr; +- unsigned long tmp, nby, bsize, size, min = 0; ++ u64 tmp, nby, bsize, size, min = 0; + + /* find the height the ddx wants */ + if (surf.nby > 8) { + min = surf.nby - 8; + } + bsize = radeon_bo_size(track->cb_color_bo[id]); +- tmp = track->cb_color_bo_offset[id] << 8; ++ tmp = (u64)track->cb_color_bo_offset[id] << 8; + for (nby = surf.nby; nby > min; nby--) { + size = nby * surf.nbx * surf.bpe * surf.nsamples; + if ((tmp + size * mslice) <= bsize) { +@@ -467,7 +467,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + slice = ((nby * surf.nbx) / 64) - 1; + if (!evergreen_surface_check(p, &surf, "cb")) { + /* check if this one works */ +- tmp += surf.layer_size * mslice; ++ tmp += (u64)surf.layer_size * mslice; + if (tmp <= bsize) { + ib[track->cb_color_slice_idx[id]] = slice; + goto old_ddx_ok; +@@ -476,9 +476,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + } + } + dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, " +- "offset %d, max layer %d, bo size %ld, slice %d)\n", ++ "offset %llu, max layer %d, bo size %ld, slice %d)\n", + __func__, __LINE__, id, surf.layer_size, +- track->cb_color_bo_offset[id] << 8, mslice, ++ (u64)track->cb_color_bo_offset[id] << 8, mslice, + radeon_bo_size(track->cb_color_bo[id]), slice); + dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n", + __func__, __LINE__, surf.nbx, surf.nby, +@@ -562,7 +562,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1; +@@ -608,18 +608,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + return r; + } + +- offset = track->db_s_read_offset << 8; ++ offset = (u64)track->db_s_read_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_s_read_bo)) { + dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_s_read_offset << 8, mslice, ++ (u64)track->db_s_read_offset << 8, mslice, + radeon_bo_size(track->db_s_read_bo)); + dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n", + __func__, __LINE__, track->db_depth_size, +@@ -627,18 +627,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + return -EINVAL; + } + +- offset = track->db_s_write_offset << 8; ++ offset = (u64)track->db_s_write_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_s_write_bo)) { + dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_s_write_offset << 8, mslice, ++ (u64)track->db_s_write_offset << 8, mslice, + radeon_bo_size(track->db_s_write_bo)); + return -EINVAL; + } +@@ -659,7 +659,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p) + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1; +@@ -706,34 +706,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p) + return r; + } + +- offset = track->db_z_read_offset << 8; ++ offset = (u64)track->db_z_read_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_z_read_bo)) { + dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_z_read_offset << 8, mslice, ++ (u64)track->db_z_read_offset << 8, mslice, + radeon_bo_size(track->db_z_read_bo)); + return -EINVAL; + } + +- offset = track->db_z_write_offset << 8; ++ offset = (u64)track->db_z_write_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_z_write_bo)) { + dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_z_write_offset << 8, mslice, ++ (u64)track->db_z_write_offset << 8, mslice, + radeon_bo_size(track->db_z_write_bo)); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch b/queue-6.6/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch new file mode 100644 index 00000000000..c064ca79d98 --- /dev/null +++ b/queue-6.6/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch @@ -0,0 +1,79 @@ +From 08b479d515d54bd7fb62aa6d3bd08538db2b6be2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 13:31:58 -0400 +Subject: drm/radeon: properly handle vbios fake edid sizing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ] + +The comment in the vbios structure says: +// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 + +This fake edid struct has not been used in a long time, so I'm +not sure if there were actually any boards out there with a non-128 byte +EDID, but align the code with the comment. + +Reviewed-by: Thomas Weißschuh +Reported-by: Thomas Weißschuh +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html +Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 29 +++++++++++++----------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 061396e7fa0f9..53c7273eb6a5c 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -1716,26 +1716,29 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct + fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record; + if (fake_edid_record->ucFakeEDIDLength) { + struct edid *edid; +- int edid_size = +- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength); +- edid = kmalloc(edid_size, GFP_KERNEL); ++ int edid_size; ++ ++ if (fake_edid_record->ucFakeEDIDLength == 128) ++ edid_size = fake_edid_record->ucFakeEDIDLength; ++ else ++ edid_size = fake_edid_record->ucFakeEDIDLength * 128; ++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0], ++ edid_size, GFP_KERNEL); + if (edid) { +- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0], +- fake_edid_record->ucFakeEDIDLength); +- + if (drm_edid_is_valid(edid)) { + rdev->mode_info.bios_hardcoded_edid = edid; + rdev->mode_info.bios_hardcoded_edid_size = edid_size; +- } else ++ } else { + kfree(edid); ++ } + } ++ record += struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ edid_size); ++ } else { ++ /* empty fake edid record must be 3 bytes long */ ++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + } +- record += fake_edid_record->ucFakeEDIDLength ? +- struct_size(fake_edid_record, +- ucFakeEDIDString, +- fake_edid_record->ucFakeEDIDLength) : +- /* empty fake edid record must be 3 bytes long */ +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +-- +2.43.0 + diff --git a/queue-6.6/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch b/queue-6.6/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch new file mode 100644 index 00000000000..ebab6ec1e4f --- /dev/null +++ b/queue-6.6/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch @@ -0,0 +1,45 @@ +From 3573863a3583e0cfa0ac27f789cf860310286afc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:55 +0000 +Subject: drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode + +From: Jonas Karlman + +[ Upstream commit a5d024541ec466f428e6c514577d511a40779c7b ] + +EDID cannot be read on RK3328 until after read_hpd has been called and +correct io voltage has been configured based on connection status. + +When a forced mode is used, e.g. video=1920x1080@60e, the connector +detect ops, that in turn normally calls the read_hpd, never gets called. + +This result in reading EDID to fail in connector get_modes ops. + +Call dw_hdmi_rk3328_read_hpd at end of dw_hdmi_rk3328_setup_hpd to +correct io voltage and allow reading EDID after setup_hpd. + +Fixes: 1c53ba8f22a1 ("drm/rockchip: dw_hdmi: add dw-hdmi support for the rk3328") +Signed-off-by: Jonas Karlman +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-5-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +index 341550199111f..89bc86d620146 100644 +--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +@@ -435,6 +435,8 @@ static void dw_hdmi_rk3328_setup_hpd(struct dw_hdmi *dw_hdmi, void *data) + HIWORD_UPDATE(RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK, + RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK | + RK3328_HDMI_HPD_IOE)); ++ ++ dw_hdmi_rk3328_read_hpd(dw_hdmi, data); + } + + static const struct dw_hdmi_phy_ops rk3228_hdmi_phy_ops = { +-- +2.43.0 + diff --git a/queue-6.6/drm-rockchip-vop-allow-4096px-width-scaling.patch b/queue-6.6/drm-rockchip-vop-allow-4096px-width-scaling.patch new file mode 100644 index 00000000000..6d02fcd0d04 --- /dev/null +++ b/queue-6.6/drm-rockchip-vop-allow-4096px-width-scaling.patch @@ -0,0 +1,43 @@ +From bb7e9e0b24ec75c75ca51c052e7adf91151cbd2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:54 +0000 +Subject: drm/rockchip: vop: Allow 4096px width scaling + +From: Alex Bee + +[ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ] + +There is no reason to limit VOP scaling to 3840px width, the limit of +RK3288, when there are newer VOP versions that support 4096px width. + +Change to enforce a maximum of 4096px width plane scaling, the maximum +supported output width of the VOP versions supported by this driver. + +Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale") +Signed-off-by: Alex Bee +Signed-off-by: Jonas Karlman +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index 4b338cb89d32d..c6fbfc0baeccd 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -381,8 +381,8 @@ static void scl_vop_cal_scl_fac(struct vop *vop, const struct vop_win_data *win, + if (info->is_yuv) + is_yuv = true; + +- if (dst_w > 3840) { +- DRM_DEV_ERROR(vop->dev, "Maximum dst width (3840) exceeded\n"); ++ if (dst_w > 4096) { ++ DRM_DEV_ERROR(vop->dev, "Maximum dst width (4096) exceeded\n"); + return; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch b/queue-6.6/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch new file mode 100644 index 00000000000..66ffeeba69b --- /dev/null +++ b/queue-6.6/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch @@ -0,0 +1,45 @@ +From 2184148e507f9f62c5fcf3cf61e84ddc058264ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jan 2024 17:54:32 +0100 +Subject: drm/stm: Fix an error handling path in stm_drm_platform_probe() + +From: Christophe JAILLET + +[ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ] + +If drm_dev_register() fails, a call to drv_load() must be undone, as +already done in the remove function. + +Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver") +Signed-off-by: Christophe JAILLET +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/stm/drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c +index e8523abef27a5..4d2db079ad4ff 100644 +--- a/drivers/gpu/drm/stm/drv.c ++++ b/drivers/gpu/drm/stm/drv.c +@@ -203,12 +203,14 @@ static int stm_drm_platform_probe(struct platform_device *pdev) + + ret = drm_dev_register(ddev, 0); + if (ret) +- goto err_put; ++ goto err_unload; + + drm_fbdev_dma_setup(ddev, 16); + + return 0; + ++err_unload: ++ drv_unload(ddev); + err_put: + drm_dev_put(ddev); + +-- +2.43.0 + diff --git a/queue-6.6/drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch b/queue-6.6/drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch new file mode 100644 index 00000000000..036f3d8f7c5 --- /dev/null +++ b/queue-6.6/drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch @@ -0,0 +1,38 @@ +From 2ad87c74e83418aa19375936e189250be90cd9ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 10:28:54 +0300 +Subject: drm/stm: ltdc: check memory returned by devm_kzalloc() + +From: Claudiu Beznea + +[ Upstream commit fd39730c58890cd7f0a594231e19bb357f28877c ] + +devm_kzalloc() can fail and return NULL pointer. Check its return status. +Identified with Coccinelle (kmerr.cocci script). + +Fixes: 484e72d3146b ("drm/stm: ltdc: add support of ycbcr pixel formats") +Signed-off-by: Claudiu Beznea +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/20230531072854.142629-1-claudiu.beznea@microchip.com +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/stm/ltdc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c +index 5576fdae49623..5aec1e58c968c 100644 +--- a/drivers/gpu/drm/stm/ltdc.c ++++ b/drivers/gpu/drm/stm/ltdc.c +@@ -1580,6 +1580,8 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev, + ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) + + ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) * + sizeof(*formats), GFP_KERNEL); ++ if (!formats) ++ return NULL; + + for (i = 0; i < ldev->caps.pix_fmt_nb; i++) { + drm_fmt = ldev->caps.pix_fmt_drm[i]; +-- +2.43.0 + diff --git a/queue-6.6/drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch b/queue-6.6/drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch new file mode 100644 index 00000000000..94b0a8a2b48 --- /dev/null +++ b/queue-6.6/drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch @@ -0,0 +1,61 @@ +From 5586863eb8217e970a4ed7f080a3c44d8b96dd94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 23:40:45 +0200 +Subject: drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Wahren + +[ Upstream commit f1a54e860b1bc8d824925b5a77f510913880e8d6 ] + +The commit 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is +powered in detect") introduced the necessary power management handling +to avoid register access while controller is powered down. +Unfortunately it just print a warning if pm_runtime_resume_and_get() +fails and proceed anyway. + +This could happen during suspend to idle. So we must assume it is unsafe +to access the HDMI register. So bail out properly. + +Fixes: 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is powered in detect") +Signed-off-by: Stefan Wahren +Reviewed-by: Maíra Canal +Acked-by: Maxime Ripard +Signed-off-by: Maíra Canal +Link: https://patchwork.freedesktop.org/patch/msgid/20240821214052.6800-3-wahrenst@gmx.net +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 643754fa6a8ad..c6e986f71a26f 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -458,6 +458,7 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector, + { + struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector); + enum drm_connector_status status = connector_status_disconnected; ++ int ret; + + /* + * NOTE: This function should really take vc4_hdmi->mutex, but +@@ -470,7 +471,12 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector, + * the lock for now. + */ + +- WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev)); ++ ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev); ++ if (ret) { ++ drm_err_once(connector->dev, "Failed to retain HDMI power domain: %d\n", ++ ret); ++ return connector_status_unknown; ++ } + + if (vc4_hdmi->hpd_gpio) { + if (gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio)) +-- +2.43.0 + diff --git a/queue-6.6/dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch b/queue-6.6/dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch new file mode 100644 index 00000000000..6dceace92f3 --- /dev/null +++ b/queue-6.6/dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch @@ -0,0 +1,41 @@ +From f869b72196beb3e17ad1abba0c74a8a71ce15fd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 07:30:16 +0200 +Subject: dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116 + compatible + +From: Krzysztof Kozlowski + +[ Upstream commit c7668ac67bc21aebdd8e2d7f839bfffba31b7713 ] + +All compatibles in this binding without prefixes were deprecated, so +adding a new deprecated one after some time is not allowed, because it +defies the core logic of deprecating things. + +Drop the AK09916 vendorless compatible. + +Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Conor Dooley +Link: https://patch.msgid.link/20240806053016.6401-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml +index 9790f75fc669e..fe5145d3b73cf 100644 +--- a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml ++++ b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml +@@ -23,7 +23,6 @@ properties: + - ak8963 + - ak09911 + - ak09912 +- - ak09916 + deprecated: true + + reg: +-- +2.43.0 + diff --git a/queue-6.6/edac-synopsys-fix-ecc-status-and-irq-control-race-co.patch b/queue-6.6/edac-synopsys-fix-ecc-status-and-irq-control-race-co.patch new file mode 100644 index 00000000000..b875006328c --- /dev/null +++ b/queue-6.6/edac-synopsys-fix-ecc-status-and-irq-control-race-co.patch @@ -0,0 +1,174 @@ +From 241ecec3ae598eee29c955f7e89b5aec976738fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 21:12:46 +0300 +Subject: EDAC/synopsys: Fix ECC status and IRQ control race condition + +From: Serge Semin + +[ Upstream commit 591c946675d88dcc0ae9ff54be9d5caaee8ce1e3 ] + +The race condition around the ECCCLR register access happens in the IRQ +disable method called in the device remove() procedure and in the ECC IRQ +handler: + + 1. Enable IRQ: + a. ECCCLR = EN_CE | EN_UE + 2. Disable IRQ: + a. ECCCLR = 0 + 3. IRQ handler: + a. ECCCLR = CLR_CE | CLR_CE_CNT | CLR_CE | CLR_CE_CNT + b. ECCCLR = 0 + c. ECCCLR = EN_CE | EN_UE + +So if the IRQ disabling procedure is called concurrently with the IRQ +handler method the IRQ might be actually left enabled due to the +statement 3c. + +The root cause of the problem is that ECCCLR register (which since +v3.10a has been called as ECCCTL) has intermixed ECC status data clear +flags and the IRQ enable/disable flags. Thus the IRQ disabling (clear EN +flags) and handling (write 1 to clear ECC status data) procedures must +be serialised around the ECCCTL register modification to prevent the +race. + +So fix the problem described above by adding the spin-lock around the +ECCCLR modifications and preventing the IRQ-handler from modifying the +IRQs enable flags (there is no point in disabling the IRQ and then +re-enabling it again within a single IRQ handler call, see the +statements 3a/3b and 3c above). + +Fixes: f7824ded4149 ("EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR") +Signed-off-by: Serge Semin +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20240222181324.28242-2-fancer.lancer@gmail.com +Stable-dep-of: 35e6dbfe1846 ("EDAC/synopsys: Fix error injection on Zynq UltraScale+") +Signed-off-by: Sasha Levin +--- + drivers/edac/synopsys_edac.c | 50 ++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 13 deletions(-) + +diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c +index c4fc64cbecd0e..1ab2f737e4f16 100644 +--- a/drivers/edac/synopsys_edac.c ++++ b/drivers/edac/synopsys_edac.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -299,6 +300,7 @@ struct synps_ecc_status { + /** + * struct synps_edac_priv - DDR memory controller private instance data. + * @baseaddr: Base address of the DDR controller. ++ * @reglock: Concurrent CSRs access lock. + * @message: Buffer for framing the event specific info. + * @stat: ECC status information. + * @p_data: Platform data. +@@ -313,6 +315,7 @@ struct synps_ecc_status { + */ + struct synps_edac_priv { + void __iomem *baseaddr; ++ spinlock_t reglock; + char message[SYNPS_EDAC_MSG_SIZE]; + struct synps_ecc_status stat; + const struct synps_platform_data *p_data; +@@ -408,7 +411,8 @@ static int zynq_get_error_info(struct synps_edac_priv *priv) + static int zynqmp_get_error_info(struct synps_edac_priv *priv) + { + struct synps_ecc_status *p; +- u32 regval, clearval = 0; ++ u32 regval, clearval; ++ unsigned long flags; + void __iomem *base; + + base = priv->baseaddr; +@@ -452,10 +456,14 @@ static int zynqmp_get_error_info(struct synps_edac_priv *priv) + p->ueinfo.blknr = (regval & ECC_CEADDR1_BLKNR_MASK); + p->ueinfo.data = readl(base + ECC_UESYND0_OFST); + out: +- clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT; +- clearval |= ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT; ++ spin_lock_irqsave(&priv->reglock, flags); ++ ++ clearval = readl(base + ECC_CLR_OFST) | ++ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT | ++ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT; + writel(clearval, base + ECC_CLR_OFST); +- writel(0x0, base + ECC_CLR_OFST); ++ ++ spin_unlock_irqrestore(&priv->reglock, flags); + + return 0; + } +@@ -515,24 +523,41 @@ static void handle_error(struct mem_ctl_info *mci, struct synps_ecc_status *p) + + static void enable_intr(struct synps_edac_priv *priv) + { ++ unsigned long flags; ++ + /* Enable UE/CE Interrupts */ +- if (priv->p_data->quirks & DDR_ECC_INTR_SELF_CLEAR) +- writel(DDR_UE_MASK | DDR_CE_MASK, +- priv->baseaddr + ECC_CLR_OFST); +- else ++ if (!(priv->p_data->quirks & DDR_ECC_INTR_SELF_CLEAR)) { + writel(DDR_QOSUE_MASK | DDR_QOSCE_MASK, + priv->baseaddr + DDR_QOS_IRQ_EN_OFST); + ++ return; ++ } ++ ++ spin_lock_irqsave(&priv->reglock, flags); ++ ++ writel(DDR_UE_MASK | DDR_CE_MASK, ++ priv->baseaddr + ECC_CLR_OFST); ++ ++ spin_unlock_irqrestore(&priv->reglock, flags); + } + + static void disable_intr(struct synps_edac_priv *priv) + { ++ unsigned long flags; ++ + /* Disable UE/CE Interrupts */ +- if (priv->p_data->quirks & DDR_ECC_INTR_SELF_CLEAR) +- writel(0x0, priv->baseaddr + ECC_CLR_OFST); +- else ++ if (!(priv->p_data->quirks & DDR_ECC_INTR_SELF_CLEAR)) { + writel(DDR_QOSUE_MASK | DDR_QOSCE_MASK, + priv->baseaddr + DDR_QOS_IRQ_DB_OFST); ++ ++ return; ++ } ++ ++ spin_lock_irqsave(&priv->reglock, flags); ++ ++ writel(0, priv->baseaddr + ECC_CLR_OFST); ++ ++ spin_unlock_irqrestore(&priv->reglock, flags); + } + + /** +@@ -576,8 +601,6 @@ static irqreturn_t intr_handler(int irq, void *dev_id) + /* v3.0 of the controller does not have this register */ + if (!(priv->p_data->quirks & DDR_ECC_INTR_SELF_CLEAR)) + writel(regval, priv->baseaddr + DDR_QOS_IRQ_STAT_OFST); +- else +- enable_intr(priv); + + return IRQ_HANDLED; + } +@@ -1359,6 +1382,7 @@ static int mc_probe(struct platform_device *pdev) + priv = mci->pvt_info; + priv->baseaddr = baseaddr; + priv->p_data = p_data; ++ spin_lock_init(&priv->reglock); + + mc_init(mci, pdev); + +-- +2.43.0 + diff --git a/queue-6.6/edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch b/queue-6.6/edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch new file mode 100644 index 00000000000..913dd5c6aa1 --- /dev/null +++ b/queue-6.6/edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch @@ -0,0 +1,113 @@ +From 0d18b9c84e33126cc3baf3a4b605b330049643f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:36:56 +0530 +Subject: EDAC/synopsys: Fix error injection on Zynq UltraScale+ + +From: Shubhrajyoti Datta + +[ Upstream commit 35e6dbfe1846caeafabb49b7575adb36b0aa2269 ] + +The Zynq UltraScale+ MPSoC DDR has a disjoint memory from 2GB to 32GB. +The DDR host interface has a contiguous memory so while injecting +errors, the driver should remove the hole else the injection fails as +the address translation is incorrect. + +Introduce a get_mem_info() function pointer and set it for Zynq +UltraScale+ platform to return host address. + +Fixes: 1a81361f75d8 ("EDAC, synopsys: Add Error Injection support for ZynqMP DDR controller") +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20240711100656.31376-1-shubhrajyoti.datta@amd.com +Signed-off-by: Sasha Levin +--- + drivers/edac/synopsys_edac.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c +index 1ab2f737e4f16..6ddc90d7ba7c2 100644 +--- a/drivers/edac/synopsys_edac.c ++++ b/drivers/edac/synopsys_edac.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -337,6 +338,7 @@ struct synps_edac_priv { + * @get_mtype: Get mtype. + * @get_dtype: Get dtype. + * @get_ecc_state: Get ECC state. ++ * @get_mem_info: Get EDAC memory info + * @quirks: To differentiate IPs. + */ + struct synps_platform_data { +@@ -344,6 +346,9 @@ struct synps_platform_data { + enum mem_type (*get_mtype)(const void __iomem *base); + enum dev_type (*get_dtype)(const void __iomem *base); + bool (*get_ecc_state)(void __iomem *base); ++#ifdef CONFIG_EDAC_DEBUG ++ u64 (*get_mem_info)(struct synps_edac_priv *priv); ++#endif + int quirks; + }; + +@@ -402,6 +407,25 @@ static int zynq_get_error_info(struct synps_edac_priv *priv) + return 0; + } + ++#ifdef CONFIG_EDAC_DEBUG ++/** ++ * zynqmp_get_mem_info - Get the current memory info. ++ * @priv: DDR memory controller private instance data. ++ * ++ * Return: host interface address. ++ */ ++static u64 zynqmp_get_mem_info(struct synps_edac_priv *priv) ++{ ++ u64 hif_addr = 0, linear_addr; ++ ++ linear_addr = priv->poison_addr; ++ if (linear_addr >= SZ_32G) ++ linear_addr = linear_addr - SZ_32G + SZ_2G; ++ hif_addr = linear_addr >> 3; ++ return hif_addr; ++} ++#endif ++ + /** + * zynqmp_get_error_info - Get the current ECC error info. + * @priv: DDR memory controller private instance data. +@@ -922,6 +946,9 @@ static const struct synps_platform_data zynqmp_edac_def = { + .get_mtype = zynqmp_get_mtype, + .get_dtype = zynqmp_get_dtype, + .get_ecc_state = zynqmp_get_ecc_state, ++#ifdef CONFIG_EDAC_DEBUG ++ .get_mem_info = zynqmp_get_mem_info, ++#endif + .quirks = (DDR_ECC_INTR_SUPPORT + #ifdef CONFIG_EDAC_DEBUG + | DDR_ECC_DATA_POISON_SUPPORT +@@ -975,10 +1002,16 @@ MODULE_DEVICE_TABLE(of, synps_edac_match); + static void ddr_poison_setup(struct synps_edac_priv *priv) + { + int col = 0, row = 0, bank = 0, bankgrp = 0, rank = 0, regval; ++ const struct synps_platform_data *p_data; + int index; + ulong hif_addr = 0; + +- hif_addr = priv->poison_addr >> 3; ++ p_data = priv->p_data; ++ ++ if (p_data->get_mem_info) ++ hif_addr = p_data->get_mem_info(priv); ++ else ++ hif_addr = priv->poison_addr >> 3; + + for (index = 0; index < DDR_MAX_ROW_SHIFT; index++) { + if (priv->row_shift[index]) +-- +2.43.0 + diff --git a/queue-6.6/ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch b/queue-6.6/ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch new file mode 100644 index 00000000000..bb8321ba44c --- /dev/null +++ b/queue-6.6/ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch @@ -0,0 +1,42 @@ +From c6585d483e104139e90be828e13e0dcc3d20e7ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:39:15 +0300 +Subject: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() + +From: Dan Carpenter + +[ Upstream commit c7f06284a6427475e3df742215535ec3f6cd9662 ] + +The psc->div[] array has psc->num_div elements. These values come from +when we call clk_hw_register_div(). It's adc_divisors and +ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= +instead of > to prevent an out of bounds read. + +Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK") +Signed-off-by: Dan Carpenter +Acked-by: Alexander Sverdlin +Reviewed-by: Nikita Shubin +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/1caf01ad4c0a8069535813c26c7f0b8ea011155e.camel@linaro.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ep93xx/clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c +index 85a496ddc6197..e9f72a529b508 100644 +--- a/arch/arm/mach-ep93xx/clock.c ++++ b/arch/arm/mach-ep93xx/clock.c +@@ -359,7 +359,7 @@ static unsigned long ep93xx_div_recalc_rate(struct clk_hw *hw, + u32 val = __raw_readl(psc->reg); + u8 index = (val & psc->mask) >> psc->shift; + +- if (index > psc->num_div) ++ if (index >= psc->num_div) + return 0; + + return DIV_ROUND_UP_ULL(parent_rate, psc->div[index]); +-- +2.43.0 + diff --git a/queue-6.6/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch b/queue-6.6/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch new file mode 100644 index 00000000000..5a39c82220d --- /dev/null +++ b/queue-6.6/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch @@ -0,0 +1,77 @@ +From cadb8bb270deea5d234697c77591f046d483f524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 11:19:11 +0800 +Subject: erofs: fix incorrect symlink detection in fast symlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gao Xiang + +[ Upstream commit 9ed50b8231e37b1ae863f5dec8153b98d9f389b4 ] + +Fast symlink can be used if the on-disk symlink data is stored +in the same block as the on-disk inode, so we don’t need to trigger +another I/O for symlink data. However, currently fs correction could be +reported _incorrectly_ if inode xattrs are too large. + +In fact, these should be valid images although they cannot be handled as +fast symlinks. + +Many thanks to Colin for reporting this! + +Reported-by: Colin Walters +Reported-by: https://honggfuzz.dev/ +Link: https://lore.kernel.org/r/bb2dd430-7de0-47da-ae5b-82ab2dd4d945@app.fastmail.com +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +[ Note that it's a runtime misbehavior instead of a security issue. ] +Signed-off-by: Gao Xiang +Link: https://lore.kernel.org/r/20240909031911.1174718-1-hsiangkao@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 20 ++++++-------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index edc8ec7581b8f..9e40bee3682f7 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -205,12 +205,14 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr, + unsigned int m_pofs) + { + struct erofs_inode *vi = EROFS_I(inode); +- unsigned int bsz = i_blocksize(inode); ++ loff_t off; + char *lnk; + +- /* if it cannot be handled with fast symlink scheme */ +- if (vi->datalayout != EROFS_INODE_FLAT_INLINE || +- inode->i_size >= bsz || inode->i_size < 0) { ++ m_pofs += vi->xattr_isize; ++ /* check if it cannot be handled with fast symlink scheme */ ++ if (vi->datalayout != EROFS_INODE_FLAT_INLINE || inode->i_size < 0 || ++ check_add_overflow(m_pofs, inode->i_size, &off) || ++ off > i_blocksize(inode)) { + inode->i_op = &erofs_symlink_iops; + return 0; + } +@@ -219,16 +221,6 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr, + if (!lnk) + return -ENOMEM; + +- m_pofs += vi->xattr_isize; +- /* inline symlink data shouldn't cross block boundary */ +- if (m_pofs + inode->i_size > bsz) { +- kfree(lnk); +- erofs_err(inode->i_sb, +- "inline data cross block boundary @ nid %llu", +- vi->nid); +- DBG_BUGON(1); +- return -EFSCORRUPTED; +- } + memcpy(lnk, kaddr + m_pofs, inode->i_size); + lnk[inode->i_size] = '\0'; + +-- +2.43.0 + diff --git a/queue-6.6/ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch b/queue-6.6/ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch new file mode 100644 index 00000000000..2af5b63de30 --- /dev/null +++ b/queue-6.6/ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch @@ -0,0 +1,51 @@ +From 87523b72c11ef5c4e519cb127f22d6991ded628b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 21:22:28 +0800 +Subject: ext4: avoid buffer_head leak in ext4_mark_inode_used() + +From: Kemeng Shi + +[ Upstream commit 5e5b2a56c57def1b41efd49596621504d7bcc61c ] + +Release inode_bitmap_bh from ext4_read_inode_bitmap() in +ext4_mark_inode_used() to avoid buffer_head leak. +By the way, remove unneeded goto for invalid ino when inode_bitmap_bh +is NULL. + +Fixes: 8016e29f4362 ("ext4: fast commit recovery path") +Signed-off-by: Kemeng Shi +Link: https://patch.msgid.link/20240820132234.2759926-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ialloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index b65058d972f95..b4699a415c210 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -755,10 +755,10 @@ int ext4_mark_inode_used(struct super_block *sb, int ino) + struct ext4_group_desc *gdp; + ext4_group_t group; + int bit; +- int err = -EFSCORRUPTED; ++ int err; + + if (ino < EXT4_FIRST_INO(sb) || ino > max_ino) +- goto out; ++ return -EFSCORRUPTED; + + group = (ino - 1) / EXT4_INODES_PER_GROUP(sb); + bit = (ino - 1) % EXT4_INODES_PER_GROUP(sb); +@@ -860,6 +860,7 @@ int ext4_mark_inode_used(struct super_block *sb, int ino) + err = ext4_handle_dirty_metadata(NULL, NULL, group_desc_bh); + sync_dirty_buffer(group_desc_bh); + out: ++ brelse(inode_bitmap_bh); + return err; + } + +-- +2.43.0 + diff --git a/queue-6.6/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch b/queue-6.6/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch new file mode 100644 index 00000000000..b438f495b69 --- /dev/null +++ b/queue-6.6/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch @@ -0,0 +1,41 @@ +From 9c1f41854eb5a3ae59069660e91079b2a0438875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 21:22:30 +0800 +Subject: ext4: avoid negative min_clusters in find_group_orlov() + +From: Kemeng Shi + +[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ] + +min_clusters is signed integer and will be converted to unsigned +integer when compared with unsigned number stats.free_clusters. +If min_clusters is negative, it will be converted to a huge unsigned +value in which case all groups may not meet the actual desired free +clusters. +Set negative min_clusters to 0 to avoid unexpected behavior. + +Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3") +Signed-off-by: Kemeng Shi +Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ialloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index d7d89133ed368..1a1e2214c581f 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -514,6 +514,8 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent, + if (min_inodes < 1) + min_inodes = 1; + min_clusters = avefreec - EXT4_CLUSTERS_PER_GROUP(sb)*flex_size / 4; ++ if (min_clusters < 0) ++ min_clusters = 0; + + /* + * Start looking in the flex group where we last allocated an +-- +2.43.0 + diff --git a/queue-6.6/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch b/queue-6.6/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch new file mode 100644 index 00000000000..ae71fe3bb3d --- /dev/null +++ b/queue-6.6/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch @@ -0,0 +1,146 @@ +From 48e851842cb0f39b9507ed340d58eec7bf7d6253 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:24 -0300 +Subject: ext4: avoid OOB when system.data xattr changes underneath the + filesystem + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ] + +When looking up for an entry in an inlined directory, if e_value_offs is +changed underneath the filesystem by some change in the block device, it +will lead to an out-of-bounds access that KASAN detects as an UAF. + +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. +loop0: detected capacity change from 2048 to 2047 +================================================================== +BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 +Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 + +CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 + ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 + __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 + ext4_lookup_entry fs/ext4/namei.c:1727 [inline] + ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 + lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 + filename_create+0x297/0x540 fs/namei.c:3980 + do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 + __do_sys_symlinkat fs/namei.c:4610 [inline] + __se_sys_symlinkat fs/namei.c:4607 [inline] + __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f3e73ced469 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a +RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 +RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 +RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 +R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c +R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 + + +Calling ext4_xattr_ibody_find right after reading the inode with +ext4_get_inode_loc will lead to a check of the validity of the xattrs, +avoiding this problem. + +Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79 +Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data") +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 7adc6634d5234..cb65052ee3dec 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1665,25 +1665,36 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + struct ext4_dir_entry_2 **res_dir, + int *has_inline_data) + { ++ struct ext4_xattr_ibody_find is = { ++ .s = { .not_found = -ENODATA, }, ++ }; ++ struct ext4_xattr_info i = { ++ .name_index = EXT4_XATTR_INDEX_SYSTEM, ++ .name = EXT4_XATTR_SYSTEM_DATA, ++ }; + int ret; +- struct ext4_iloc iloc; + void *inline_start; + int inline_size; + +- ret = ext4_get_inode_loc(dir, &iloc); ++ ret = ext4_get_inode_loc(dir, &is.iloc); + if (ret) + return ERR_PTR(ret); + + down_read(&EXT4_I(dir)->xattr_sem); ++ ++ ret = ext4_xattr_ibody_find(dir, &i, &is); ++ if (ret) ++ goto out; ++ + if (!ext4_has_inline_data(dir)) { + *has_inline_data = 0; + goto out; + } + +- inline_start = (void *)ext4_raw_inode(&iloc)->i_block + ++ inline_start = (void *)ext4_raw_inode(&is.iloc)->i_block + + EXT4_INLINE_DOTDOT_SIZE; + inline_size = EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE; +- ret = ext4_search_dir(iloc.bh, inline_start, inline_size, ++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, + dir, fname, 0, res_dir); + if (ret == 1) + goto out_find; +@@ -1693,23 +1704,23 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE) + goto out; + +- inline_start = ext4_get_inline_xattr_pos(dir, &iloc); ++ inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); + inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; + +- ret = ext4_search_dir(iloc.bh, inline_start, inline_size, ++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, + dir, fname, 0, res_dir); + if (ret == 1) + goto out_find; + + out: +- brelse(iloc.bh); ++ brelse(is.iloc.bh); + if (ret < 0) +- iloc.bh = ERR_PTR(ret); ++ is.iloc.bh = ERR_PTR(ret); + else +- iloc.bh = NULL; ++ is.iloc.bh = NULL; + out_find: + up_read(&EXT4_I(dir)->xattr_sem); +- return iloc.bh; ++ return is.iloc.bh; + } + + int ext4_delete_inline_entry(handle_t *handle, +-- +2.43.0 + diff --git a/queue-6.6/ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch b/queue-6.6/ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch new file mode 100644 index 00000000000..a0360466c83 --- /dev/null +++ b/queue-6.6/ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch @@ -0,0 +1,49 @@ +From f312c6cd0bcc852eb02134cf0d3bd564c25e790c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 21:22:29 +0800 +Subject: ext4: avoid potential buffer_head leak in __ext4_new_inode() + +From: Kemeng Shi + +[ Upstream commit 227d31b9214d1b9513383cf6c7180628d4b3b61f ] + +If a group is marked EXT4_GROUP_INFO_IBITMAP_CORRUPT after it's inode +bitmap buffer_head was successfully verified, then __ext4_new_inode() +will get a valid inode_bitmap_bh of a corrupted group from +ext4_read_inode_bitmap() in which case inode_bitmap_bh misses a release. +Hnadle "IS_ERR(inode_bitmap_bh)" and group corruption separately like +how ext4_free_inode() does to avoid buffer_head leak. + +Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") +Signed-off-by: Kemeng Shi +Link: https://patch.msgid.link/20240820132234.2759926-3-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ialloc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index b4699a415c210..d7d89133ed368 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1054,12 +1054,13 @@ struct inode *__ext4_new_inode(struct mnt_idmap *idmap, + brelse(inode_bitmap_bh); + inode_bitmap_bh = ext4_read_inode_bitmap(sb, group); + /* Skip groups with suspicious inode tables */ +- if (((!(sbi->s_mount_state & EXT4_FC_REPLAY)) +- && EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) || +- IS_ERR(inode_bitmap_bh)) { ++ if (IS_ERR(inode_bitmap_bh)) { + inode_bitmap_bh = NULL; + goto next_group; + } ++ if (!(sbi->s_mount_state & EXT4_FC_REPLAY) && ++ EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ++ goto next_group; + + repeat_in_this_group: + ret2 = find_inode_bit(sb, group, inode_bitmap_bh, &ino); +-- +2.43.0 + diff --git a/queue-6.6/ext4-check-stripe-size-compatibility-on-remount-as-w.patch b/queue-6.6/ext4-check-stripe-size-compatibility-on-remount-as-w.patch new file mode 100644 index 00000000000..0aa43d25c24 --- /dev/null +++ b/queue-6.6/ext4-check-stripe-size-compatibility-on-remount-as-w.patch @@ -0,0 +1,87 @@ +From b759b5117c678928f8d7a6feebba4c1b74807819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 12:50:57 +0530 +Subject: ext4: check stripe size compatibility on remount as well + +From: Ojaswin Mujoo + +[ Upstream commit ee85e0938aa8f9846d21e4d302c3cf6a2a75110d ] + +We disable stripe size in __ext4_fill_super if it is not a multiple of +the cluster ratio however this check is missed when trying to remount. +This can leave us with cases where stripe < cluster_ratio after +remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some +unforeseen bugs like divide by 0. + +Fix that by adding the check in remount path as well. + +Reported-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com +Tested-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com +Reviewed-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Fixes: c3defd99d58c ("ext4: treat stripe in block unit") +Signed-off-by: Ojaswin Mujoo +Link: https://patch.msgid.link/3a493bb503c3598e25dcfbed2936bb2dff3fece7.1725002410.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 5baacb3058abd..46c4f75049791 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5205,6 +5205,18 @@ static int ext4_block_group_meta_init(struct super_block *sb, int silent) + return 0; + } + ++/* ++ * It's hard to get stripe aligned blocks if stripe is not aligned with ++ * cluster, just disable stripe and alert user to simplify code and avoid ++ * stripe aligned allocation which will rarely succeed. ++ */ ++static bool ext4_is_stripe_incompatible(struct super_block *sb, unsigned long stripe) ++{ ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ return (stripe > 0 && sbi->s_cluster_ratio > 1 && ++ stripe % sbi->s_cluster_ratio != 0); ++} ++ + static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + { + struct ext4_super_block *es = NULL; +@@ -5312,13 +5324,7 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + goto failed_mount3; + + sbi->s_stripe = ext4_get_stripe_size(sbi); +- /* +- * It's hard to get stripe aligned blocks if stripe is not aligned with +- * cluster, just disable stripe and alert user to simpfy code and avoid +- * stripe aligned allocation which will rarely successes. +- */ +- if (sbi->s_stripe > 0 && sbi->s_cluster_ratio > 1 && +- sbi->s_stripe % sbi->s_cluster_ratio != 0) { ++ if (ext4_is_stripe_incompatible(sb, sbi->s_stripe)) { + ext4_msg(sb, KERN_WARNING, + "stripe (%lu) is not aligned with cluster size (%u), " + "stripe is disabled", +@@ -6482,6 +6488,15 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + + } + ++ if ((ctx->spec & EXT4_SPEC_s_stripe) && ++ ext4_is_stripe_incompatible(sb, ctx->s_stripe)) { ++ ext4_msg(sb, KERN_WARNING, ++ "stripe (%lu) is not aligned with cluster size (%u), " ++ "stripe is disabled", ++ ctx->s_stripe, sbi->s_cluster_ratio); ++ ctx->s_stripe = 0; ++ } ++ + /* + * Changing the DIOREAD_NOLOCK or DELALLOC mount options may cause + * two calls to ext4_should_dioread_nolock() to return inconsistent +-- +2.43.0 + diff --git a/queue-6.6/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch b/queue-6.6/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch new file mode 100644 index 00000000000..83db5f36dce --- /dev/null +++ b/queue-6.6/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch @@ -0,0 +1,69 @@ +From a6579af1ac6a4acdaa214543843eabfb907beb37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Aug 2024 16:55:10 +0800 +Subject: ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard + +From: yangerkun + +[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ] + +Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in +ext4_group_info") speed up fstrim by skipping trim trimmed group. We +also has the chance to clear trimmed once there exists some block free +for this group(mount without discard), and the next trim for this group +will work well too. + +For mount with discard, we will issue dicard when we free blocks, so +leave trimmed flag keep alive to skip useless trim trigger from +userspace seems reasonable. But for some case like ext4 build on +dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4 +maybe unaligned for dm thinpool, and thinpool will just finish this +discard(see process_discard_bio when begein equals to end) without +actually process discard. For this case, trim from userspace can really +help us to free some thinpool block. + +So convert to clear trimmed flag for all case no matter mounted with +discard or not. + +Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info") +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 870397f3de559..87ba7f58216f7 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3886,11 +3886,8 @@ static void ext4_free_data_in_buddy(struct super_block *sb, + /* + * Clear the trimmed flag for the group so that the next + * ext4_trim_fs can trim it. +- * If the volume is mounted with -o discard, online discard +- * is supported and the free blocks will be trimmed online. + */ +- if (!test_opt(sb, DISCARD)) +- EXT4_MB_GRP_CLEAR_TRIMMED(db); ++ EXT4_MB_GRP_CLEAR_TRIMMED(db); + + if (!db->bb_free_root.rb_node) { + /* No more items in the per group rb tree +@@ -6586,8 +6583,9 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + " group:%u block:%d count:%lu failed" + " with %d", block_group, bit, count, + err); +- } else +- EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info); ++ } ++ ++ EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info); + + ext4_lock_group(sb, block_group); + mb_clear_bits(bitmap_bh->b_data, bit, count_clusters); +-- +2.43.0 + diff --git a/queue-6.6/ext4-return-error-on-ext4_find_inline_entry.patch b/queue-6.6/ext4-return-error-on-ext4_find_inline_entry.patch new file mode 100644 index 00000000000..81fa265d949 --- /dev/null +++ b/queue-6.6/ext4-return-error-on-ext4_find_inline_entry.patch @@ -0,0 +1,54 @@ +From 4b832ba446886de1d27aab69e7595dae2d1f319c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:22 -0300 +Subject: ext4: return error on ext4_find_inline_entry + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ] + +In case of errors when reading an inode from disk or traversing inline +directory entries, return an error-encoded ERR_PTR instead of returning +NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns +such encoded errors. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem") +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index a604aa1d23aed..7adc6634d5234 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1670,8 +1670,9 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + void *inline_start; + int inline_size; + +- if (ext4_get_inode_loc(dir, &iloc)) +- return NULL; ++ ret = ext4_get_inode_loc(dir, &iloc); ++ if (ret) ++ return ERR_PTR(ret); + + down_read(&EXT4_I(dir)->xattr_sem); + if (!ext4_has_inline_data(dir)) { +@@ -1702,7 +1703,10 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + + out: + brelse(iloc.bh); +- iloc.bh = NULL; ++ if (ret < 0) ++ iloc.bh = ERR_PTR(ret); ++ else ++ iloc.bh = NULL; + out_find: + up_read(&EXT4_I(dir)->xattr_sem); + return iloc.bh; +-- +2.43.0 + diff --git a/queue-6.6/f2fs-atomic-fix-to-avoid-racing-w-gc.patch b/queue-6.6/f2fs-atomic-fix-to-avoid-racing-w-gc.patch new file mode 100644 index 00000000000..736609bbff5 --- /dev/null +++ b/queue-6.6/f2fs-atomic-fix-to-avoid-racing-w-gc.patch @@ -0,0 +1,161 @@ +From b556abeccd9a642770606e2113758bef4da49a57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 11:13:48 +0800 +Subject: f2fs: atomic: fix to avoid racing w/ GC + +From: Chao Yu + +[ Upstream commit 1a0bd289a5db1df8df8fab949633a0b8d3f235ee ] + +Case #1: +SQLite App GC Thread Kworker Shrinker +- f2fs_ioc_start_atomic_write + +- f2fs_ioc_commit_atomic_write + - f2fs_commit_atomic_write + - filemap_write_and_wait_range + : write atomic_file's data to cow_inode + echo 3 > drop_caches + to drop atomic_file's + cache. + - f2fs_gc + - gc_data_segment + - move_data_page + - set_page_dirty + + - writepages + - f2fs_do_write_data_page + : overwrite atomic_file's data + to cow_inode + - f2fs_down_write(&fi->i_gc_rwsem[WRITE]) + - __f2fs_commit_atomic_write + - f2fs_up_write(&fi->i_gc_rwsem[WRITE]) + +Case #2: +SQLite App GC Thread Kworker +- f2fs_ioc_start_atomic_write + + - __writeback_single_inode + - do_writepages + - f2fs_write_cache_pages + - f2fs_write_single_data_page + - f2fs_do_write_data_page + : write atomic_file's data to cow_inode + - f2fs_gc + - gc_data_segment + - move_data_page + - set_page_dirty + + - writepages + - f2fs_do_write_data_page + : overwrite atomic_file's data to cow_inode +- f2fs_ioc_commit_atomic_write + +In above cases racing in between atomic_write and GC, previous +data in atomic_file may be overwrited to cow_file, result in +data corruption. + +This patch introduces PAGE_PRIVATE_ATOMIC_WRITE bit flag in page.private, +and use it to indicate that there is last dirty data in atomic file, +and the data should be writebacked into cow_file, if the flag is not +tagged in page, we should never write data across files. + +Fixes: 3db1de0e582c ("f2fs: change the current atomic write way") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 10 +++++++++- + fs/f2fs/f2fs.h | 8 +++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 84fc87018180f..d54644d386842 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2623,10 +2623,13 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio) + struct dnode_of_data dn; + struct node_info ni; + bool ipu_force = false; ++ bool atomic_commit; + int err = 0; + + /* Use COW inode to make dnode_of_data for atomic write */ +- if (f2fs_is_atomic_file(inode)) ++ atomic_commit = f2fs_is_atomic_file(inode) && ++ page_private_atomic(fio->page); ++ if (atomic_commit) + set_new_dnode(&dn, F2FS_I(inode)->cow_inode, NULL, NULL, 0); + else + set_new_dnode(&dn, inode, NULL, NULL, 0); +@@ -2730,6 +2733,8 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio) + f2fs_outplace_write_data(&dn, fio); + trace_f2fs_do_write_data_page(page, OPU); + set_inode_flag(inode, FI_APPEND_WRITE); ++ if (atomic_commit) ++ clear_page_private_atomic(page); + out_writepage: + f2fs_put_dnode(&dn); + out: +@@ -3700,6 +3705,9 @@ static int f2fs_write_end(struct file *file, + + set_page_dirty(page); + ++ if (f2fs_is_atomic_file(inode)) ++ set_page_private_atomic(page); ++ + if (pos + copied > i_size_read(inode) && + !f2fs_verity_in_progress(inode)) { + f2fs_i_size_write(inode, pos + copied); +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 6371b295fba68..15780e467a64b 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1411,7 +1411,8 @@ static inline void f2fs_clear_bit(unsigned int nr, char *addr); + * bit 1 PAGE_PRIVATE_ONGOING_MIGRATION + * bit 2 PAGE_PRIVATE_INLINE_INODE + * bit 3 PAGE_PRIVATE_REF_RESOURCE +- * bit 4- f2fs private data ++ * bit 4 PAGE_PRIVATE_ATOMIC_WRITE ++ * bit 5- f2fs private data + * + * Layout B: lowest bit should be 0 + * page.private is a wrapped pointer. +@@ -1421,6 +1422,7 @@ enum { + PAGE_PRIVATE_ONGOING_MIGRATION, /* data page which is on-going migrating */ + PAGE_PRIVATE_INLINE_INODE, /* inode page contains inline data */ + PAGE_PRIVATE_REF_RESOURCE, /* dirty page has referenced resources */ ++ PAGE_PRIVATE_ATOMIC_WRITE, /* data page from atomic write path */ + PAGE_PRIVATE_MAX + }; + +@@ -2386,14 +2388,17 @@ static inline void clear_page_private_##name(struct page *page) \ + PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER); + PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE); + PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION); ++PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE); + + PAGE_PRIVATE_SET_FUNC(reference, REF_RESOURCE); + PAGE_PRIVATE_SET_FUNC(inline, INLINE_INODE); + PAGE_PRIVATE_SET_FUNC(gcing, ONGOING_MIGRATION); ++PAGE_PRIVATE_SET_FUNC(atomic, ATOMIC_WRITE); + + PAGE_PRIVATE_CLEAR_FUNC(reference, REF_RESOURCE); + PAGE_PRIVATE_CLEAR_FUNC(inline, INLINE_INODE); + PAGE_PRIVATE_CLEAR_FUNC(gcing, ONGOING_MIGRATION); ++PAGE_PRIVATE_CLEAR_FUNC(atomic, ATOMIC_WRITE); + + static inline unsigned long get_page_private_data(struct page *page) + { +@@ -2425,6 +2430,7 @@ static inline void clear_page_private_all(struct page *page) + clear_page_private_reference(page); + clear_page_private_gcing(page); + clear_page_private_inline(page); ++ clear_page_private_atomic(page); + + f2fs_bug_on(F2FS_P_SB(page), page_private(page)); + } +-- +2.43.0 + diff --git a/queue-6.6/f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch b/queue-6.6/f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch new file mode 100644 index 00000000000..cb33278be5d --- /dev/null +++ b/queue-6.6/f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch @@ -0,0 +1,38 @@ +From fc694d807b88f167c076684e61a2cab821a3d0fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 18:24:35 +0800 +Subject: f2fs: atomic: fix to truncate pagecache before on-disk metadata + truncation + +From: Chao Yu + +[ Upstream commit ebd3309aec6271c4616573b0cb83ea25e623070a ] + +We should always truncate pagecache while truncating on-disk data. + +Fixes: a46bebd502fe ("f2fs: synchronize atomic write aborts") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index e04f4dcb76d1f..2f08bf7f29621 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2161,6 +2161,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate) + F2FS_I(fi->cow_inode)->atomic_inode = inode; + } else { + /* Reuse the already created COW inode */ ++ f2fs_bug_on(sbi, get_dirty_pages(fi->cow_inode)); ++ ++ invalidate_mapping_pages(fi->cow_inode->i_mapping, 0, -1); ++ + ret = f2fs_do_truncate_blocks(fi->cow_inode, 0, true); + if (ret) { + f2fs_up_write(&fi->i_gc_rwsem[WRITE]); +-- +2.43.0 + diff --git a/queue-6.6/f2fs-clean-up-w-dotdot_name.patch b/queue-6.6/f2fs-clean-up-w-dotdot_name.patch new file mode 100644 index 00000000000..db06c4835f7 --- /dev/null +++ b/queue-6.6/f2fs-clean-up-w-dotdot_name.patch @@ -0,0 +1,50 @@ +From 41db15c24697c07e42114747601e752b0f9209b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 14:25:54 +0800 +Subject: f2fs: clean up w/ dotdot_name + +From: Chao Yu + +[ Upstream commit ff6584ac2c4b4ee8e1fca20bffaaa387d8fe2974 ] + +Just cleanup, no logic changes. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: 884ee6dc85b9 ("f2fs: get rid of online repaire on corrupted directory") +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 7bca22e5dec4f..7dbd541e7bd60 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -459,7 +459,6 @@ static int __recover_dot_dentries(struct inode *dir, nid_t pino) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(dir); + struct qstr dot = QSTR_INIT(".", 1); +- struct qstr dotdot = QSTR_INIT("..", 2); + struct f2fs_dir_entry *de; + struct page *page; + int err = 0; +@@ -497,13 +496,13 @@ static int __recover_dot_dentries(struct inode *dir, nid_t pino) + goto out; + } + +- de = f2fs_find_entry(dir, &dotdot, &page); ++ de = f2fs_find_entry(dir, &dotdot_name, &page); + if (de) + f2fs_put_page(page, 0); + else if (IS_ERR(page)) + err = PTR_ERR(page); + else +- err = f2fs_do_add_link(dir, &dotdot, NULL, pino, S_IFDIR); ++ err = f2fs_do_add_link(dir, &dotdot_name, NULL, pino, S_IFDIR); + out: + if (!err) + clear_inode_flag(dir, FI_INLINE_DOTS); +-- +2.43.0 + diff --git a/queue-6.6/f2fs-compress-do-sanity-check-on-cluster-when-config.patch b/queue-6.6/f2fs-compress-do-sanity-check-on-cluster-when-config.patch new file mode 100644 index 00000000000..d8d9a098a17 --- /dev/null +++ b/queue-6.6/f2fs-compress-do-sanity-check-on-cluster-when-config.patch @@ -0,0 +1,167 @@ +From 9d7ce875b29b810806660678dfb8d395e1a70dcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 22:04:16 +0800 +Subject: f2fs: compress: do sanity check on cluster when CONFIG_F2FS_CHECK_FS + is on + +From: Chao Yu + +[ Upstream commit 2aaea533bf063ed3b442df5fe5f6abfc538054c9 ] + +This patch covers sanity check logic on cluster w/ CONFIG_F2FS_CHECK_FS, +otherwise, there will be performance regression while querying cluster +mapping info. + +Callers of f2fs_is_compressed_cluster() only care about whether cluster +is compressed or not, rather than # of valid blocks in compressed cluster, +so, let's adjust f2fs_is_compressed_cluster()'s logic according to +caller's requirement. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: f785cec298c9 ("f2fs: compress: don't redirty sparse cluster during {,de}compress") +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 61 ++++++++++++++++++++++++++-------------------- + fs/f2fs/data.c | 4 +-- + 2 files changed, 35 insertions(+), 30 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index c07fe6b840a09..995f6544cc300 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -887,14 +887,15 @@ static bool cluster_has_invalid_data(struct compress_ctx *cc) + + bool f2fs_sanity_check_cluster(struct dnode_of_data *dn) + { ++#ifdef CONFIG_F2FS_CHECK_FS + struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode); + unsigned int cluster_size = F2FS_I(dn->inode)->i_cluster_size; +- bool compressed = dn->data_blkaddr == COMPRESS_ADDR; + int cluster_end = 0; ++ unsigned int count; + int i; + char *reason = ""; + +- if (!compressed) ++ if (dn->data_blkaddr != COMPRESS_ADDR) + return false; + + /* [..., COMPR_ADDR, ...] */ +@@ -903,7 +904,7 @@ bool f2fs_sanity_check_cluster(struct dnode_of_data *dn) + goto out; + } + +- for (i = 1; i < cluster_size; i++) { ++ for (i = 1, count = 1; i < cluster_size; i++, count++) { + block_t blkaddr = data_blkaddr(dn->inode, dn->node_page, + dn->ofs_in_node + i); + +@@ -923,19 +924,42 @@ bool f2fs_sanity_check_cluster(struct dnode_of_data *dn) + goto out; + } + } ++ ++ f2fs_bug_on(F2FS_I_SB(dn->inode), count != cluster_size && ++ !is_inode_flag_set(dn->inode, FI_COMPRESS_RELEASED)); ++ + return false; + out: + f2fs_warn(sbi, "access invalid cluster, ino:%lu, nid:%u, ofs_in_node:%u, reason:%s", + dn->inode->i_ino, dn->nid, dn->ofs_in_node, reason); + set_sbi_flag(sbi, SBI_NEED_FSCK); + return true; ++#else ++ return false; ++#endif ++} ++ ++static int __f2fs_get_cluster_blocks(struct inode *inode, ++ struct dnode_of_data *dn) ++{ ++ unsigned int cluster_size = F2FS_I(inode)->i_cluster_size; ++ int count, i; ++ ++ for (i = 1, count = 1; i < cluster_size; i++) { ++ block_t blkaddr = data_blkaddr(dn->inode, dn->node_page, ++ dn->ofs_in_node + i); ++ ++ if (__is_valid_data_blkaddr(blkaddr)) ++ count++; ++ } ++ ++ return count; + } + + static int __f2fs_cluster_blocks(struct inode *inode, +- unsigned int cluster_idx, bool compr) ++ unsigned int cluster_idx, bool compr_blks) + { + struct dnode_of_data dn; +- unsigned int cluster_size = F2FS_I(inode)->i_cluster_size; + unsigned int start_idx = cluster_idx << + F2FS_I(inode)->i_log_cluster_size; + int ret; +@@ -950,31 +974,14 @@ static int __f2fs_cluster_blocks(struct inode *inode, + + if (f2fs_sanity_check_cluster(&dn)) { + ret = -EFSCORRUPTED; +- f2fs_handle_error(F2FS_I_SB(inode), ERROR_CORRUPTED_CLUSTER); + goto fail; + } + + if (dn.data_blkaddr == COMPRESS_ADDR) { +- int i; +- +- ret = 1; +- for (i = 1; i < cluster_size; i++) { +- block_t blkaddr; +- +- blkaddr = data_blkaddr(dn.inode, +- dn.node_page, dn.ofs_in_node + i); +- if (compr) { +- if (__is_valid_data_blkaddr(blkaddr)) +- ret++; +- } else { +- if (blkaddr != NULL_ADDR) +- ret++; +- } +- } +- +- f2fs_bug_on(F2FS_I_SB(inode), +- !compr && ret != cluster_size && +- !is_inode_flag_set(inode, FI_COMPRESS_RELEASED)); ++ if (compr_blks) ++ ret = __f2fs_get_cluster_blocks(inode, &dn); ++ else ++ ret = 1; + } + fail: + f2fs_put_dnode(&dn); +@@ -987,7 +994,7 @@ static int f2fs_compressed_blocks(struct compress_ctx *cc) + return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx, true); + } + +-/* return # of valid blocks in compressed cluster */ ++/* return whether cluster is compressed one or not */ + int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index) + { + return __f2fs_cluster_blocks(inode, +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index d54644d386842..1c59a3b2b2c34 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -1614,9 +1614,7 @@ int f2fs_map_blocks(struct inode *inode, struct f2fs_map_blocks *map, int flag) + map->m_flags |= F2FS_MAP_NEW; + } else if (is_hole) { + if (f2fs_compressed_file(inode) && +- f2fs_sanity_check_cluster(&dn) && +- (flag != F2FS_GET_BLOCK_FIEMAP || +- IS_ENABLED(CONFIG_F2FS_CHECK_FS))) { ++ f2fs_sanity_check_cluster(&dn)) { + err = -EFSCORRUPTED; + f2fs_handle_error(sbi, + ERROR_CORRUPTED_CLUSTER); +-- +2.43.0 + diff --git a/queue-6.6/f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch b/queue-6.6/f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch new file mode 100644 index 00000000000..7844de99bd0 --- /dev/null +++ b/queue-6.6/f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch @@ -0,0 +1,242 @@ +From e75ff570134e3700b357c56dd7f8b6984bba8d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 17:34:30 +0900 +Subject: f2fs: compress: don't redirty sparse cluster during {,de}compress + +From: Yeongjin Gil + +[ Upstream commit f785cec298c95d00058560c0715233294a04b8f3 ] + +In f2fs_do_write_data_page, when the data block is NULL_ADDR, it skips +writepage considering that it has been already truncated. +This results in an infinite loop as the PAGECACHE_TAG_TOWRITE tag is not +cleared during the writeback process for a compressed file including +NULL_ADDR in compress_mode=user. + +This is the reproduction process: + +1. dd if=/dev/zero bs=4096 count=1024 seek=1024 of=testfile +2. f2fs_io compress testfile +3. dd if=/dev/zero bs=4096 count=1 conv=notrunc of=testfile +4. f2fs_io decompress testfile + +To prevent the problem, let's check whether the cluster is fully +allocated before redirty its pages. + +Fixes: 5fdb322ff2c2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE") +Reviewed-by: Sungjong Seo +Reviewed-by: Sunmin Jeong +Tested-by: Jaewook Kim +Signed-off-by: Yeongjin Gil +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 36 ++++++++++++++++++++++++++++-------- + fs/f2fs/f2fs.h | 12 ++++++++++++ + fs/f2fs/file.c | 39 +++++++++++++++++++++------------------ + 3 files changed, 61 insertions(+), 26 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index 995f6544cc300..f7ef69f44f3d8 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -945,7 +945,7 @@ static int __f2fs_get_cluster_blocks(struct inode *inode, + unsigned int cluster_size = F2FS_I(inode)->i_cluster_size; + int count, i; + +- for (i = 1, count = 1; i < cluster_size; i++) { ++ for (i = 0, count = 0; i < cluster_size; i++) { + block_t blkaddr = data_blkaddr(dn->inode, dn->node_page, + dn->ofs_in_node + i); + +@@ -956,8 +956,8 @@ static int __f2fs_get_cluster_blocks(struct inode *inode, + return count; + } + +-static int __f2fs_cluster_blocks(struct inode *inode, +- unsigned int cluster_idx, bool compr_blks) ++static int __f2fs_cluster_blocks(struct inode *inode, unsigned int cluster_idx, ++ enum cluster_check_type type) + { + struct dnode_of_data dn; + unsigned int start_idx = cluster_idx << +@@ -978,10 +978,12 @@ static int __f2fs_cluster_blocks(struct inode *inode, + } + + if (dn.data_blkaddr == COMPRESS_ADDR) { +- if (compr_blks) +- ret = __f2fs_get_cluster_blocks(inode, &dn); +- else ++ if (type == CLUSTER_COMPR_BLKS) ++ ret = 1 + __f2fs_get_cluster_blocks(inode, &dn); ++ else if (type == CLUSTER_IS_COMPR) + ret = 1; ++ } else if (type == CLUSTER_RAW_BLKS) { ++ ret = __f2fs_get_cluster_blocks(inode, &dn); + } + fail: + f2fs_put_dnode(&dn); +@@ -991,7 +993,16 @@ static int __f2fs_cluster_blocks(struct inode *inode, + /* return # of compressed blocks in compressed cluster */ + static int f2fs_compressed_blocks(struct compress_ctx *cc) + { +- return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx, true); ++ return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx, ++ CLUSTER_COMPR_BLKS); ++} ++ ++/* return # of raw blocks in non-compressed cluster */ ++static int f2fs_decompressed_blocks(struct inode *inode, ++ unsigned int cluster_idx) ++{ ++ return __f2fs_cluster_blocks(inode, cluster_idx, ++ CLUSTER_RAW_BLKS); + } + + /* return whether cluster is compressed one or not */ +@@ -999,7 +1010,16 @@ int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index) + { + return __f2fs_cluster_blocks(inode, + index >> F2FS_I(inode)->i_log_cluster_size, +- false); ++ CLUSTER_IS_COMPR); ++} ++ ++/* return whether cluster contains non raw blocks or not */ ++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index) ++{ ++ unsigned int cluster_idx = index >> F2FS_I(inode)->i_log_cluster_size; ++ ++ return f2fs_decompressed_blocks(inode, cluster_idx) != ++ F2FS_I(inode)->i_cluster_size; + } + + static bool cluster_may_compress(struct compress_ctx *cc) +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 6c9b1759f4e74..98a098cfcc3ca 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -4284,6 +4284,11 @@ static inline bool f2fs_meta_inode_gc_required(struct inode *inode) + * compress.c + */ + #ifdef CONFIG_F2FS_FS_COMPRESSION ++enum cluster_check_type { ++ CLUSTER_IS_COMPR, /* check only if compressed cluster */ ++ CLUSTER_COMPR_BLKS, /* return # of compressed blocks in a cluster */ ++ CLUSTER_RAW_BLKS /* return # of raw blocks in a cluster */ ++}; + bool f2fs_is_compressed_page(struct page *page); + struct page *f2fs_compress_control_page(struct page *page); + int f2fs_prepare_compress_overwrite(struct inode *inode, +@@ -4310,6 +4315,7 @@ int f2fs_write_multi_pages(struct compress_ctx *cc, + struct writeback_control *wbc, + enum iostat_type io_type); + int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index); ++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index); + void f2fs_update_read_extent_tree_range_compressed(struct inode *inode, + pgoff_t fofs, block_t blkaddr, + unsigned int llen, unsigned int c_len); +@@ -4396,6 +4402,12 @@ static inline bool f2fs_load_compressed_page(struct f2fs_sb_info *sbi, + static inline void f2fs_invalidate_compress_pages(struct f2fs_sb_info *sbi, + nid_t ino) { } + #define inc_compr_inode_stat(inode) do { } while (0) ++static inline int f2fs_is_compressed_cluster( ++ struct inode *inode, ++ pgoff_t index) { return 0; } ++static inline bool f2fs_is_sparse_cluster( ++ struct inode *inode, ++ pgoff_t index) { return true; } + static inline void f2fs_update_read_extent_tree_range_compressed( + struct inode *inode, + pgoff_t fofs, block_t blkaddr, +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 0c279ba451205..f2969d8603421 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -4182,9 +4182,8 @@ static int f2fs_ioc_decompress_file(struct file *filp) + struct inode *inode = file_inode(filp); + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_inode_info *fi = F2FS_I(inode); +- pgoff_t page_idx = 0, last_idx; +- int cluster_size = fi->i_cluster_size; +- int count, ret; ++ pgoff_t page_idx = 0, last_idx, cluster_idx; ++ int ret; + + if (!f2fs_sb_has_compression(sbi) || + F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER) +@@ -4217,10 +4216,15 @@ static int f2fs_ioc_decompress_file(struct file *filp) + goto out; + + last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ last_idx >>= fi->i_log_cluster_size; ++ ++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) { ++ page_idx = cluster_idx << fi->i_log_cluster_size; ++ ++ if (!f2fs_is_compressed_cluster(inode, page_idx)) ++ continue; + +- count = last_idx - page_idx; +- while (count && count >= cluster_size) { +- ret = redirty_blocks(inode, page_idx, cluster_size); ++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size); + if (ret < 0) + break; + +@@ -4230,9 +4234,6 @@ static int f2fs_ioc_decompress_file(struct file *filp) + break; + } + +- count -= cluster_size; +- page_idx += cluster_size; +- + cond_resched(); + if (fatal_signal_pending(current)) { + ret = -EINTR; +@@ -4258,9 +4259,9 @@ static int f2fs_ioc_compress_file(struct file *filp) + { + struct inode *inode = file_inode(filp); + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +- pgoff_t page_idx = 0, last_idx; +- int cluster_size = F2FS_I(inode)->i_cluster_size; +- int count, ret; ++ struct f2fs_inode_info *fi = F2FS_I(inode); ++ pgoff_t page_idx = 0, last_idx, cluster_idx; ++ int ret; + + if (!f2fs_sb_has_compression(sbi) || + F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER) +@@ -4292,10 +4293,15 @@ static int f2fs_ioc_compress_file(struct file *filp) + set_inode_flag(inode, FI_ENABLE_COMPRESS); + + last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ last_idx >>= fi->i_log_cluster_size; + +- count = last_idx - page_idx; +- while (count && count >= cluster_size) { +- ret = redirty_blocks(inode, page_idx, cluster_size); ++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) { ++ page_idx = cluster_idx << fi->i_log_cluster_size; ++ ++ if (f2fs_is_sparse_cluster(inode, page_idx)) ++ continue; ++ ++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size); + if (ret < 0) + break; + +@@ -4305,9 +4311,6 @@ static int f2fs_ioc_compress_file(struct file *filp) + break; + } + +- count -= cluster_size; +- page_idx += cluster_size; +- + cond_resched(); + if (fatal_signal_pending(current)) { + ret = -EINTR; +-- +2.43.0 + diff --git a/queue-6.6/f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch b/queue-6.6/f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch new file mode 100644 index 00000000000..65b48d34df0 --- /dev/null +++ b/queue-6.6/f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch @@ -0,0 +1,63 @@ +From a909e84b4cc14be393f92e4988525608995542c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 16:32:44 +0900 +Subject: f2fs: Create COW inode from parent dentry for atomic write + +From: Yeongjin Gil + +[ Upstream commit 8c1b787938fd86bab27a1492fa887408c75fec2b ] + +The i_pino in f2fs_inode_info has the previous parent's i_ino when inode +was renamed, which may cause f2fs_ioc_start_atomic_write to fail. +If file_wrong_pino is true and i_nlink is 1, then to find a valid pino, +we should refer to the dentry from inode. + +To resolve this issue, let's get parent inode using parent dentry +directly. + +Fixes: 3db1de0e582c ("f2fs: change the current atomic write way") +Reviewed-by: Sungjong Seo +Reviewed-by: Sunmin Jeong +Signed-off-by: Yeongjin Gil +Reviewed-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 8c4c5c6c1ac64..a0d2e180f0ed7 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2097,7 +2097,6 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate) + struct mnt_idmap *idmap = file_mnt_idmap(filp); + struct f2fs_inode_info *fi = F2FS_I(inode); + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +- struct inode *pinode; + loff_t isize; + int ret; + +@@ -2146,15 +2145,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate) + /* Check if the inode already has a COW inode */ + if (fi->cow_inode == NULL) { + /* Create a COW inode for atomic write */ +- pinode = f2fs_iget(inode->i_sb, fi->i_pino); +- if (IS_ERR(pinode)) { +- f2fs_up_write(&fi->i_gc_rwsem[WRITE]); +- ret = PTR_ERR(pinode); +- goto out; +- } ++ struct dentry *dentry = file_dentry(filp); ++ struct inode *dir = d_inode(dentry->d_parent); + +- ret = f2fs_get_tmpfile(idmap, pinode, &fi->cow_inode); +- iput(pinode); ++ ret = f2fs_get_tmpfile(idmap, dir, &fi->cow_inode); + if (ret) { + f2fs_up_write(&fi->i_gc_rwsem[WRITE]); + goto out; +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch b/queue-6.6/f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch new file mode 100644 index 00000000000..ef45663ad1b --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch @@ -0,0 +1,66 @@ +From 9d80ca4dfa8ec99fe0707e8f3d1c4e0f49fabe6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:15:21 +0800 +Subject: f2fs: fix to avoid racing in between read and OPU dio write + +From: Chao Yu + +[ Upstream commit 0cac51185e65dc2a20686184e02f3cafc99eb202 ] + +If lfs mode is on, buffered read may race w/ OPU dio write as below, +it may cause buffered read hits unwritten data unexpectly, and for +dio read, the race condition exists as well. + +Thread A Thread B +- f2fs_file_write_iter + - f2fs_dio_write_iter + - __iomap_dio_rw + - f2fs_iomap_begin + - f2fs_map_blocks + - __allocate_data_block + - allocated blkaddr #x + - iomap_dio_submit_bio + - f2fs_file_read_iter + - filemap_read + - f2fs_read_data_folio + - f2fs_mpage_readpages + - f2fs_map_blocks + : get blkaddr #x + - f2fs_submit_read_bio + IRQ + - f2fs_read_end_io + : read IO on blkaddr #x complete +IRQ +- iomap_dio_bio_end_io + : direct write IO on blkaddr #x complete + +In LFS mode, if there is inflight dio, let's wait for its completion, +this policy won't cover all race cases, however it is a tradeoff which +avoids abusing lock around IO paths. + +Fixes: f847c699cff3 ("f2fs: allow out-place-update for direct IO in LFS mode") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 81e342bd993c2..8c4c5c6c1ac64 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -4541,6 +4541,10 @@ static ssize_t f2fs_file_read_iter(struct kiocb *iocb, struct iov_iter *to) + f2fs_trace_rw_file_path(iocb->ki_filp, iocb->ki_pos, + iov_iter_count(to), READ); + ++ /* In LFS mode, if there is inflight dio, wait for its completion */ ++ if (f2fs_lfs_mode(F2FS_I_SB(inode))) ++ inode_dio_wait(inode); ++ + if (f2fs_should_use_dio(inode, iocb, to)) { + ret = f2fs_dio_read_iter(iocb, to); + } else { +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch b/queue-6.6/f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch new file mode 100644 index 00000000000..6291bac74fd --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch @@ -0,0 +1,136 @@ +From e7b40fe494ee5c78684431f3bb094e73b5769d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:08:55 +0800 +Subject: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() + +From: Chao Yu + +[ Upstream commit c7f114d864ac91515bb07ac271e9824a20f5ed95 ] + +syzbot reports a f2fs bug as below: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + print_report+0xe8/0x550 mm/kasan/report.c:491 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] + __refcount_add include/linux/refcount.h:184 [inline] + __refcount_inc include/linux/refcount.h:241 [inline] + refcount_inc include/linux/refcount.h:258 [inline] + get_task_struct include/linux/sched/task.h:118 [inline] + kthread_stop+0xca/0x630 kernel/kthread.c:704 + f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 + f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 + f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline] + __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The root cause is below race condition, it may cause use-after-free +issue in sbi->gc_th pointer. + +- remount + - f2fs_remount + - f2fs_stop_gc_thread + - kfree(gc_th) + - f2fs_ioc_shutdown + - f2fs_do_shutdown + - f2fs_stop_gc_thread + - kthread_stop(gc_th->f2fs_gc_task) + : sbi->gc_thread = NULL; + +We will call f2fs_do_shutdown() in two paths: +- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore +for fixing. +- for f2fs_shutdown() path, it's safe since caller has already grabbed +sb->s_umount semaphore. + +Reported-by: syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000005c7ccb061e032b9b@google.com +Fixes: 7950e9ac638e ("f2fs: stop gc/discard thread after fs shutdown") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/file.c | 11 +++++++++-- + fs/f2fs/super.c | 2 +- + 3 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 2059a24a330b2..6c9b1759f4e74 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3508,7 +3508,7 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + int f2fs_truncate_hole(struct inode *inode, pgoff_t pg_start, pgoff_t pg_end); + void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count); + int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, +- bool readonly); ++ bool readonly, bool need_lock); + int f2fs_precache_extents(struct inode *inode); + int f2fs_fileattr_get(struct dentry *dentry, struct fileattr *fa); + int f2fs_fileattr_set(struct mnt_idmap *idmap, +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 085008b208020..0c279ba451205 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2257,7 +2257,7 @@ static int f2fs_ioc_abort_atomic_write(struct file *filp) + } + + int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, +- bool readonly) ++ bool readonly, bool need_lock) + { + struct super_block *sb = sbi->sb; + int ret = 0; +@@ -2299,12 +2299,19 @@ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, + if (readonly) + goto out; + ++ /* grab sb->s_umount to avoid racing w/ remount() */ ++ if (need_lock) ++ down_read(&sbi->sb->s_umount); ++ + f2fs_stop_gc_thread(sbi); + f2fs_stop_discard_thread(sbi); + + f2fs_drop_discard_cmd(sbi); + clear_opt(sbi, DISCARD); + ++ if (need_lock) ++ up_read(&sbi->sb->s_umount); ++ + f2fs_update_time(sbi, REQ_TIME); + out: + +@@ -2341,7 +2348,7 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) + } + } + +- ret = f2fs_do_shutdown(sbi, in, readonly); ++ ret = f2fs_do_shutdown(sbi, in, readonly, true); + + if (need_drop) + mnt_drop_write_file(filp); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index d12603c3b5f50..2bec5176df65d 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2545,7 +2545,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data) + + static void f2fs_shutdown(struct super_block *sb) + { +- f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false); ++ f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false, false); + } + + #ifdef CONFIG_QUOTA +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch b/queue-6.6/f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch new file mode 100644 index 00000000000..bb0148f9b21 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch @@ -0,0 +1,95 @@ +From 8e42ec8baf11b5a4b149d81c169e4afcb029467a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 11:07:13 +0800 +Subject: f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error() + +From: Chao Yu + +[ Upstream commit 930c6ab93492c4b15436524e704950b364b2930c ] + +syzbot reports a f2fs bug as below: + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177 +CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0 +Workqueue: events destroy_super_work +RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177 +Call Trace: + percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42 + destroy_super_work+0xec/0x130 fs/super.c:282 + process_one_work kernel/workqueue.c:3231 [inline] + process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 + worker_thread+0x86d/0xd40 kernel/workqueue.c:3390 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +As Christian Brauner pointed out [1]: the root cause is f2fs sets +SB_RDONLY flag in internal function, rather than setting the flag +covered w/ sb->s_umount semaphore via remount procedure, then below +race condition causes this bug: + +- freeze_super() + - sb_wait_write(sb, SB_FREEZE_WRITE) + - sb_wait_write(sb, SB_FREEZE_PAGEFAULT) + - sb_wait_write(sb, SB_FREEZE_FS) + - f2fs_handle_critical_error + - sb->s_flags |= SB_RDONLY +- thaw_super + - thaw_super_locked + - sb_rdonly() is true, so it skips + sb_freeze_unlock(sb, SB_FREEZE_FS) + - deactivate_locked_super + +Since f2fs has almost the same logic as ext4 [2] when handling critical +error in filesystem if it mounts w/ errors=remount-ro option: +- set CP_ERROR_FLAG flag which indicates filesystem is stopped +- record errors to superblock +- set SB_RDONLY falg +Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the +flag and stop any further updates on filesystem. So, it is safe to not +set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3]. + +[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner +[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3 +[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz + +Fixes: b62e71be2110 ("f2fs: support errors=remount-ro|continue|panic mountoption") +Reported-by: syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com/ +Cc: Jan Kara +Cc: Christian Brauner +Signed-off-by: Chao Yu +Reviewed-by: Christian Brauner +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 2bec5176df65d..37fa7e32835a3 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4137,12 +4137,14 @@ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason, + } + + f2fs_warn(sbi, "Remounting filesystem read-only"); ++ + /* +- * Make sure updated value of ->s_mount_flags will be visible before +- * ->s_flags update ++ * We have already set CP_ERROR_FLAG flag to stop all updates ++ * to filesystem, so it doesn't need to set SB_RDONLY flag here ++ * because the flag should be set covered w/ sb->s_umount semaphore ++ * via remount procedure, otherwise, it will confuse code like ++ * freeze_super() which will lead to deadlocks and other problems. + */ +- smp_wmb(); +- sb->s_flags |= SB_RDONLY; + } + + static void f2fs_record_error_work(struct work_struct *work) +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch b/queue-6.6/f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch new file mode 100644 index 00000000000..f24eb5577dc --- /dev/null +++ b/queue-6.6/f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch @@ -0,0 +1,57 @@ +From 48843feae86beb72b5e65b3638bab599e0db54ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 22:12:42 +0800 +Subject: f2fs: fix to wait page writeback before setting gcing flag + +From: Chao Yu + +[ Upstream commit a4d7f2b3238fd5f76b9e6434a0bd5d2e29049cff ] + +Soft IRQ Thread +- f2fs_write_end_io + - f2fs_defragment_range + - set_page_private_gcing + - type = WB_DATA_TYPE(page, false); + : assign type w/ F2FS_WB_CP_DATA + due to page_private_gcing() is true + - dec_page_count() w/ wrong type + - end_page_writeback() + +Value of F2FS_WB_CP_DATA reference count may become negative under above +race condition, the root cause is we missed to wait page writeback before +setting gcing page private flag, let's fix it. + +Fixes: 2d1fe8a86bf5 ("f2fs: fix to tag gcing flag on page during file defragment") +Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index a0d2e180f0ed7..e04f4dcb76d1f 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2743,6 +2743,8 @@ static int f2fs_defragment_range(struct f2fs_sb_info *sbi, + goto clear_out; + } + ++ f2fs_wait_on_page_writeback(page, DATA, true, true); ++ + set_page_dirty(page); + set_page_private_gcing(page); + f2fs_put_page(page, 1); +@@ -4137,6 +4139,8 @@ static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len) + /* It will never fail, when page has pinned above */ + f2fs_bug_on(F2FS_I_SB(inode), !page); + ++ f2fs_wait_on_page_writeback(page, DATA, true, true); ++ + set_page_dirty(page); + set_page_private_gcing(page); + f2fs_put_page(page, 1); +-- +2.43.0 + diff --git a/queue-6.6/f2fs-get-rid-of-online-repaire-on-corrupted-director.patch b/queue-6.6/f2fs-get-rid-of-online-repaire-on-corrupted-director.patch new file mode 100644 index 00000000000..7790e0a29bf --- /dev/null +++ b/queue-6.6/f2fs-get-rid-of-online-repaire-on-corrupted-director.patch @@ -0,0 +1,214 @@ +From 23ab8e22783eaa14c157edbcfef1e2b2d4a75d84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 14:27:24 +0800 +Subject: f2fs: get rid of online repaire on corrupted directory + +From: Chao Yu + +[ Upstream commit 884ee6dc85b959bc152f15bca80c30f06069e6c4 ] + +syzbot reports a f2fs bug as below: + +kernel BUG at fs/f2fs/inode.c:896! +RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 +Call Trace: + evict+0x532/0x950 fs/inode.c:704 + dispose_list fs/inode.c:747 [inline] + evict_inodes+0x5f9/0x690 fs/inode.c:797 + generic_shutdown_super+0x9d/0x2d0 fs/super.c:627 + kill_block_super+0x44/0x90 fs/super.c:1696 + kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898 + deactivate_locked_super+0xc4/0x130 fs/super.c:473 + cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 + task_work_run+0x24f/0x310 kernel/task_work.c:228 + ptrace_notify+0x2d2/0x380 kernel/signal.c:2402 + ptrace_report_syscall include/linux/ptrace.h:415 [inline] + ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] + syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173 + syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] + syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218 + do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 + +Online repaire on corrupted directory in f2fs_lookup() can generate +dirty data/meta while racing w/ readonly remount, it may leave dirty +inode after filesystem becomes readonly, however, checkpoint() will +skips flushing dirty inode in a state of readonly mode, result in +above panic. + +Let's get rid of online repaire in f2fs_lookup(), and leave the work +to fsck.f2fs. + +Fixes: 510022a85839 ("f2fs: add F2FS_INLINE_DOTS to recover missing dot dentries") +Reported-by: syzbot+ebea2790904673d7c618@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000a7b20f061ff2d56a@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 11 ------- + fs/f2fs/namei.c | 68 ----------------------------------------- + include/linux/f2fs_fs.h | 2 +- + 3 files changed, 1 insertion(+), 80 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 028577fffb58a..fcc2f9e6dc85d 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -780,7 +780,6 @@ enum { + FI_NEED_IPU, /* used for ipu per file */ + FI_ATOMIC_FILE, /* indicate atomic file */ + FI_DATA_EXIST, /* indicate data exists */ +- FI_INLINE_DOTS, /* indicate inline dot dentries */ + FI_SKIP_WRITES, /* should skip data page writeback */ + FI_OPU_WRITE, /* used for opu per file */ + FI_DIRTY_FILE, /* indicate regular/symlink has dirty pages */ +@@ -3037,7 +3036,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, + return; + fallthrough; + case FI_DATA_EXIST: +- case FI_INLINE_DOTS: + case FI_PIN_FILE: + case FI_COMPRESS_RELEASED: + f2fs_mark_inode_dirty_sync(inode, true); +@@ -3161,8 +3159,6 @@ static inline void get_inline_info(struct inode *inode, struct f2fs_inode *ri) + set_bit(FI_INLINE_DENTRY, fi->flags); + if (ri->i_inline & F2FS_DATA_EXIST) + set_bit(FI_DATA_EXIST, fi->flags); +- if (ri->i_inline & F2FS_INLINE_DOTS) +- set_bit(FI_INLINE_DOTS, fi->flags); + if (ri->i_inline & F2FS_EXTRA_ATTR) + set_bit(FI_EXTRA_ATTR, fi->flags); + if (ri->i_inline & F2FS_PIN_FILE) +@@ -3183,8 +3179,6 @@ static inline void set_raw_inline(struct inode *inode, struct f2fs_inode *ri) + ri->i_inline |= F2FS_INLINE_DENTRY; + if (is_inode_flag_set(inode, FI_DATA_EXIST)) + ri->i_inline |= F2FS_DATA_EXIST; +- if (is_inode_flag_set(inode, FI_INLINE_DOTS)) +- ri->i_inline |= F2FS_INLINE_DOTS; + if (is_inode_flag_set(inode, FI_EXTRA_ATTR)) + ri->i_inline |= F2FS_EXTRA_ATTR; + if (is_inode_flag_set(inode, FI_PIN_FILE)) +@@ -3271,11 +3265,6 @@ static inline int f2fs_exist_data(struct inode *inode) + return is_inode_flag_set(inode, FI_DATA_EXIST); + } + +-static inline int f2fs_has_inline_dots(struct inode *inode) +-{ +- return is_inode_flag_set(inode, FI_INLINE_DOTS); +-} +- + static inline int f2fs_is_mmap_file(struct inode *inode) + { + return is_inode_flag_set(inode, FI_MMAP_FILE); +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 7dbd541e7bd60..2e08e1fdf485c 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -455,62 +455,6 @@ struct dentry *f2fs_get_parent(struct dentry *child) + return d_obtain_alias(f2fs_iget(child->d_sb, ino)); + } + +-static int __recover_dot_dentries(struct inode *dir, nid_t pino) +-{ +- struct f2fs_sb_info *sbi = F2FS_I_SB(dir); +- struct qstr dot = QSTR_INIT(".", 1); +- struct f2fs_dir_entry *de; +- struct page *page; +- int err = 0; +- +- if (f2fs_readonly(sbi->sb)) { +- f2fs_info(sbi, "skip recovering inline_dots inode (ino:%lu, pino:%u) in readonly mountpoint", +- dir->i_ino, pino); +- return 0; +- } +- +- if (!S_ISDIR(dir->i_mode)) { +- f2fs_err(sbi, "inconsistent inode status, skip recovering inline_dots inode (ino:%lu, i_mode:%u, pino:%u)", +- dir->i_ino, dir->i_mode, pino); +- set_sbi_flag(sbi, SBI_NEED_FSCK); +- return -ENOTDIR; +- } +- +- err = f2fs_dquot_initialize(dir); +- if (err) +- return err; +- +- f2fs_balance_fs(sbi, true); +- +- f2fs_lock_op(sbi); +- +- de = f2fs_find_entry(dir, &dot, &page); +- if (de) { +- f2fs_put_page(page, 0); +- } else if (IS_ERR(page)) { +- err = PTR_ERR(page); +- goto out; +- } else { +- err = f2fs_do_add_link(dir, &dot, NULL, dir->i_ino, S_IFDIR); +- if (err) +- goto out; +- } +- +- de = f2fs_find_entry(dir, &dotdot_name, &page); +- if (de) +- f2fs_put_page(page, 0); +- else if (IS_ERR(page)) +- err = PTR_ERR(page); +- else +- err = f2fs_do_add_link(dir, &dotdot_name, NULL, pino, S_IFDIR); +-out: +- if (!err) +- clear_inode_flag(dir, FI_INLINE_DOTS); +- +- f2fs_unlock_op(sbi); +- return err; +-} +- + static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, + unsigned int flags) + { +@@ -520,7 +464,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, + struct dentry *new; + nid_t ino = -1; + int err = 0; +- unsigned int root_ino = F2FS_ROOT_INO(F2FS_I_SB(dir)); + struct f2fs_filename fname; + + trace_f2fs_lookup_start(dir, dentry, flags); +@@ -557,17 +500,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, + goto out; + } + +- if ((dir->i_ino == root_ino) && f2fs_has_inline_dots(dir)) { +- err = __recover_dot_dentries(dir, root_ino); +- if (err) +- goto out_iput; +- } +- +- if (f2fs_has_inline_dots(inode)) { +- err = __recover_dot_dentries(inode, dir->i_ino); +- if (err) +- goto out_iput; +- } + if (IS_ENCRYPTED(dir) && + (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) && + !fscrypt_has_permitted_context(dir, inode)) { +diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h +index 1352a24d72ef4..b9affa64b7fa2 100644 +--- a/include/linux/f2fs_fs.h ++++ b/include/linux/f2fs_fs.h +@@ -262,7 +262,7 @@ struct f2fs_extent { + #define F2FS_INLINE_DATA 0x02 /* file inline data flag */ + #define F2FS_INLINE_DENTRY 0x04 /* file inline dentry flag */ + #define F2FS_DATA_EXIST 0x08 /* file inline data exist flag */ +-#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries */ ++#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries (obsolete) */ + #define F2FS_EXTRA_ATTR 0x20 /* file having extra attribute */ + #define F2FS_PIN_FILE 0x40 /* file should not be gced */ + #define F2FS_COMPRESS_RELEASED 0x80 /* file released compressed blocks */ +-- +2.43.0 + diff --git a/queue-6.6/f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch b/queue-6.6/f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch new file mode 100644 index 00000000000..1bf2a23363d --- /dev/null +++ b/queue-6.6/f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch @@ -0,0 +1,88 @@ +From b54097a75aad7ee112067e6fe412636f0b2664f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 08:33:06 -0700 +Subject: f2fs: prevent atomic file from being dirtied before commit + +From: Daeho Jeong + +[ Upstream commit fccaa81de87e80b1809906f7e438e5766fbdc172 ] + +Keep atomic file clean while updating and make it dirtied during commit +in order to avoid unnecessary and excessive inode updates in the previous +fix. + +Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag") +Signed-off-by: Daeho Jeong +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/inode.c | 5 +++++ + fs/f2fs/segment.c | 8 ++++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 98a098cfcc3ca..028577fffb58a 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -798,6 +798,7 @@ enum { + FI_ALIGNED_WRITE, /* enable aligned write */ + FI_COW_FILE, /* indicate COW file */ + FI_ATOMIC_COMMITTED, /* indicate atomic commit completed except disk sync */ ++ FI_ATOMIC_DIRTIED, /* indicate atomic file is dirtied */ + FI_ATOMIC_REPLACE, /* indicate atomic replace */ + FI_OPENED_FILE, /* indicate file has been opened */ + FI_MAX, /* max flag, never be used */ +@@ -3039,7 +3040,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, + case FI_INLINE_DOTS: + case FI_PIN_FILE: + case FI_COMPRESS_RELEASED: +- case FI_ATOMIC_COMMITTED: + f2fs_mark_inode_dirty_sync(inode, true); + } + } +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 709b2f79872f2..a3e0c92735433 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -35,6 +35,11 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync) + if (f2fs_inode_dirtied(inode, sync)) + return; + ++ if (f2fs_is_atomic_file(inode)) { ++ set_inode_flag(inode, FI_ATOMIC_DIRTIED); ++ return; ++ } ++ + mark_inode_dirty_sync(inode); + } + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index e3e2c0b2f4959..c0ba379a6d8f3 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -199,6 +199,10 @@ void f2fs_abort_atomic_write(struct inode *inode, bool clean) + clear_inode_flag(inode, FI_ATOMIC_COMMITTED); + clear_inode_flag(inode, FI_ATOMIC_REPLACE); + clear_inode_flag(inode, FI_ATOMIC_FILE); ++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) { ++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED); ++ f2fs_mark_inode_dirty_sync(inode, true); ++ } + stat_dec_atomic_inode(inode); + + F2FS_I(inode)->atomic_write_task = NULL; +@@ -368,6 +372,10 @@ static int __f2fs_commit_atomic_write(struct inode *inode) + } else { + sbi->committed_atomic_block += fi->atomic_write_cnt; + set_inode_flag(inode, FI_ATOMIC_COMMITTED); ++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) { ++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED); ++ f2fs_mark_inode_dirty_sync(inode, true); ++ } + } + + __complete_revoke_list(inode, &revoke_list, ret ? true : false); +-- +2.43.0 + diff --git a/queue-6.6/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch b/queue-6.6/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch new file mode 100644 index 00000000000..9b29a1dea9f --- /dev/null +++ b/queue-6.6/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch @@ -0,0 +1,131 @@ +From e137d63ced9d3cf2d08bff90ee0d6499e2e6cf58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 09:47:27 +0800 +Subject: f2fs: reduce expensive checkpoint trigger frequency + +From: Chao Yu + +[ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ] + +We may trigger high frequent checkpoint for below case: +1. mkdir /mnt/dir1; set dir1 encrypted +2. touch /mnt/file1; fsync /mnt/file1 +3. mkdir /mnt/dir2; set dir2 encrypted +4. touch /mnt/file2; fsync /mnt/file2 +... + +Although, newly created dir and file are not related, due to +commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will +trigger checkpoint whenever fsync() comes after a new encrypted dir +created. + +In order to avoid such performance regression issue, let's record an +entry including directory's ino in global cache whenever we update +directory's xattr data, and then triggerring checkpoint() only if +xattr metadata of target file's parent was updated. + +This patch updates to cover below no encryption case as well: +1) parent is checkpointed +2) set_xattr(dir) w/ new xnid +3) create(file) +4) fsync(file) + +Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories") +Reported-by: wangzijie +Reported-by: Zhiguo Niu +Tested-by: Zhiguo Niu +Reported-by: Yunlei He +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 ++ + fs/f2fs/file.c | 3 +++ + fs/f2fs/xattr.c | 14 ++++++++++++-- + include/trace/events/f2fs.h | 3 ++- + 4 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 15780e467a64b..f7a8259b9180f 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -282,6 +282,7 @@ enum { + APPEND_INO, /* for append ino list */ + UPDATE_INO, /* for update ino list */ + TRANS_DIR_INO, /* for transactions dir ino list */ ++ XATTR_DIR_INO, /* for xattr updated dir ino list */ + FLUSH_INO, /* for multiple device flushing */ + MAX_INO_ENTRY, /* max. list */ + }; +@@ -1149,6 +1150,7 @@ enum cp_reason_type { + CP_FASTBOOT_MODE, + CP_SPEC_LOG_NUM, + CP_RECOVER_DIR, ++ CP_XATTR_DIR, + }; + + enum iostat_type { +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 523896200908a..81e342bd993c2 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -213,6 +213,9 @@ static inline enum cp_reason_type need_do_checkpoint(struct inode *inode) + f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino, + TRANS_DIR_INO)) + cp_reason = CP_RECOVER_DIR; ++ else if (f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino, ++ XATTR_DIR_INO)) ++ cp_reason = CP_XATTR_DIR; + + return cp_reason; + } +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index e47cc917d1184..54ab9caaae4de 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -629,6 +629,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, + const char *name, const void *value, size_t size, + struct page *ipage, int flags) + { ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_xattr_entry *here, *last; + void *base_addr, *last_base_addr; + int found, newsize; +@@ -772,9 +773,18 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (index == F2FS_XATTR_INDEX_ENCRYPTION && + !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT)) + f2fs_set_encrypted_inode(inode); +- if (S_ISDIR(inode->i_mode)) +- set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); + ++ if (!S_ISDIR(inode->i_mode)) ++ goto same; ++ /* ++ * In restrict mode, fsync() always try to trigger checkpoint for all ++ * metadata consistency, in other mode, it triggers checkpoint when ++ * parent's xattr metadata was updated. ++ */ ++ if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) ++ set_sbi_flag(sbi, SBI_NEED_CP); ++ else ++ f2fs_add_ino_entry(sbi, inode->i_ino, XATTR_DIR_INO); + same: + if (is_inode_flag_set(inode, FI_ACL_MODE)) { + inode->i_mode = F2FS_I(inode)->i_acl_mode; +diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h +index 793f82cc1515a..b6ffae01a8cd8 100644 +--- a/include/trace/events/f2fs.h ++++ b/include/trace/events/f2fs.h +@@ -139,7 +139,8 @@ TRACE_DEFINE_ENUM(EX_BLOCK_AGE); + { CP_NODE_NEED_CP, "node needs cp" }, \ + { CP_FASTBOOT_MODE, "fastboot mode" }, \ + { CP_SPEC_LOG_NUM, "log type is 2" }, \ +- { CP_RECOVER_DIR, "dir needs recovery" }) ++ { CP_RECOVER_DIR, "dir needs recovery" }, \ ++ { CP_XATTR_DIR, "dir's xattr updated" }) + + #define show_shutdown_mode(type) \ + __print_symbolic(type, \ +-- +2.43.0 + diff --git a/queue-6.6/f2fs-support-.shutdown-in-f2fs_sops.patch b/queue-6.6/f2fs-support-.shutdown-in-f2fs_sops.patch new file mode 100644 index 00000000000..b6843f8e135 --- /dev/null +++ b/queue-6.6/f2fs-support-.shutdown-in-f2fs_sops.patch @@ -0,0 +1,162 @@ +From 358365d0e177ed42cae0ee5d69049dbb550e2009 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 22:38:38 +0800 +Subject: f2fs: support .shutdown in f2fs_sops + +From: Chao Yu + +[ Upstream commit ee745e4736fbf33079d0d0808e1343c2280fd59a ] + +Support .shutdown callback in f2fs_sops, then, it can be called to +shut down the file system when underlying block device is marked dead. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: c7f114d864ac ("f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()") +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 ++ + fs/f2fs/file.c | 70 ++++++++++++++++++++++++++++++------------------- + fs/f2fs/super.c | 6 +++++ + 3 files changed, 51 insertions(+), 27 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f7a8259b9180f..2059a24a330b2 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3507,6 +3507,8 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct iattr *attr); + int f2fs_truncate_hole(struct inode *inode, pgoff_t pg_start, pgoff_t pg_end); + void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count); ++int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, ++ bool readonly); + int f2fs_precache_extents(struct inode *inode); + int f2fs_fileattr_get(struct dentry *dentry, struct fileattr *fa); + int f2fs_fileattr_set(struct mnt_idmap *idmap, +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 2f08bf7f29621..085008b208020 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2256,34 +2256,13 @@ static int f2fs_ioc_abort_atomic_write(struct file *filp) + return ret; + } + +-static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) ++int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, ++ bool readonly) + { +- struct inode *inode = file_inode(filp); +- struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct super_block *sb = sbi->sb; +- __u32 in; + int ret = 0; + +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (get_user(in, (__u32 __user *)arg)) +- return -EFAULT; +- +- if (in != F2FS_GOING_DOWN_FULLSYNC) { +- ret = mnt_want_write_file(filp); +- if (ret) { +- if (ret == -EROFS) { +- ret = 0; +- f2fs_stop_checkpoint(sbi, false, +- STOP_CP_REASON_SHUTDOWN); +- trace_f2fs_shutdown(sbi, in, ret); +- } +- return ret; +- } +- } +- +- switch (in) { ++ switch (flag) { + case F2FS_GOING_DOWN_FULLSYNC: + ret = freeze_bdev(sb->s_bdev); + if (ret) +@@ -2317,6 +2296,9 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) + goto out; + } + ++ if (readonly) ++ goto out; ++ + f2fs_stop_gc_thread(sbi); + f2fs_stop_discard_thread(sbi); + +@@ -2325,10 +2307,44 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) + + f2fs_update_time(sbi, REQ_TIME); + out: +- if (in != F2FS_GOING_DOWN_FULLSYNC) +- mnt_drop_write_file(filp); + +- trace_f2fs_shutdown(sbi, in, ret); ++ trace_f2fs_shutdown(sbi, flag, ret); ++ ++ return ret; ++} ++ ++static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) ++{ ++ struct inode *inode = file_inode(filp); ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ __u32 in; ++ int ret; ++ bool need_drop = false, readonly = false; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (get_user(in, (__u32 __user *)arg)) ++ return -EFAULT; ++ ++ if (in != F2FS_GOING_DOWN_FULLSYNC) { ++ ret = mnt_want_write_file(filp); ++ if (ret) { ++ if (ret != -EROFS) ++ return ret; ++ ++ /* fallback to nosync shutdown for readonly fs */ ++ in = F2FS_GOING_DOWN_NOSYNC; ++ readonly = true; ++ } else { ++ need_drop = true; ++ } ++ } ++ ++ ret = f2fs_do_shutdown(sbi, in, readonly); ++ ++ if (need_drop) ++ mnt_drop_write_file(filp); + + return ret; + } +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index e022d8233c0a5..d12603c3b5f50 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2543,6 +2543,11 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data) + return err; + } + ++static void f2fs_shutdown(struct super_block *sb) ++{ ++ f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false); ++} ++ + #ifdef CONFIG_QUOTA + static bool f2fs_need_recovery(struct f2fs_sb_info *sbi) + { +@@ -3142,6 +3147,7 @@ static const struct super_operations f2fs_sops = { + .unfreeze_fs = f2fs_unfreeze, + .statfs = f2fs_statfs, + .remount_fs = f2fs_remount, ++ .shutdown = f2fs_shutdown, + }; + + #ifdef CONFIG_FS_ENCRYPTION +-- +2.43.0 + diff --git a/queue-6.6/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch b/queue-6.6/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch new file mode 100644 index 00000000000..03bbc3e14e3 --- /dev/null +++ b/queue-6.6/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch @@ -0,0 +1,36 @@ +From 021047cf2b3ce5585ab30c7716e2d26698705df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 22:34:39 +0200 +Subject: fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() + +From: Christophe JAILLET + +[ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ] + +If an error occurs after request_mem_region(), a corresponding +release_mem_region() should be called, as already done in the remove +function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/hpfb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/hpfb.c b/drivers/video/fbdev/hpfb.c +index 406c1383cbda9..1461a909e17ed 100644 +--- a/drivers/video/fbdev/hpfb.c ++++ b/drivers/video/fbdev/hpfb.c +@@ -343,6 +343,7 @@ static int hpfb_dio_probe(struct dio_dev *d, const struct dio_device_id *ent) + if (hpfb_init_one(paddr, vaddr)) { + if (d->scode >= DIOII_SCBASE) + iounmap((void *)vaddr); ++ release_mem_region(d->resource.start, resource_size(&d->resource)); + return -ENOMEM; + } + return 0; +-- +2.43.0 + diff --git a/queue-6.6/firewire-core-correct-range-of-block-for-case-of-swi.patch b/queue-6.6/firewire-core-correct-range-of-block-for-case-of-swi.patch new file mode 100644 index 00000000000..fa8242a1ffa --- /dev/null +++ b/queue-6.6/firewire-core-correct-range-of-block-for-case-of-swi.patch @@ -0,0 +1,47 @@ +From d2af9bfdc528ce9bf46b13f424147fd4cb38dcde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Aug 2024 16:04:03 +0900 +Subject: firewire: core: correct range of block for case of switch statement + +From: Takashi Sakamoto + +[ Upstream commit ebb9d3ca8f7efc1b6a2f1750d1058eda444883d0 ] + +A commit d8527cab6c31 ("firewire: cdev: implement new event to notify +response subaction with time stamp") adds an additional case, +FW_CDEV_EVENT_RESPONSE2, into switch statement in complete_transaction(). +However, the range of block is beyond to the case label and reaches +neibour default label. + +This commit corrects the range of block. Fortunately, it has few impacts +in practice since the local variable in the scope under the label is not +used in codes under default label. + +Fixes: d8527cab6c31 ("firewire: cdev: implement new event to notify response subaction with time stamp") +Link: https://lore.kernel.org/r/20240810070403.36801-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/core-cdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c +index 6274b86eb9437..73cc2f2dcbf92 100644 +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -598,11 +598,11 @@ static void complete_transaction(struct fw_card *card, int rcode, u32 request_ts + queue_event(client, &e->event, rsp, sizeof(*rsp) + rsp->length, NULL, 0); + + break; ++ } + default: + WARN_ON(1); + break; + } +- } + + /* Drop the idr's reference */ + client_put(client); +-- +2.43.0 + diff --git a/queue-6.6/firmware-arm_scmi-fix-double-free-in-optee-transport.patch b/queue-6.6/firmware-arm_scmi-fix-double-free-in-optee-transport.patch new file mode 100644 index 00000000000..4e29a929551 --- /dev/null +++ b/queue-6.6/firmware-arm_scmi-fix-double-free-in-optee-transport.patch @@ -0,0 +1,45 @@ +From 88d28a5a8aa0199591e75b5edca49dc70f0cf5c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 18:33:32 +0100 +Subject: firmware: arm_scmi: Fix double free in OPTEE transport + +From: Cristian Marussi + +[ Upstream commit e98dba934b2fc587eafb83f47ad64d9053b18ae0 ] + +Channels can be shared between protocols, avoid freeing the same channel +descriptors twice when unloading the stack. + +Fixes: 5f90f189a052 ("firmware: arm_scmi: Add optee transport") +Signed-off-by: Cristian Marussi +Tested-by: Peng Fan #i.MX95 19x19 EVK +Reviewed-by: Peng Fan +Tested-by: Florian Fainelli +Message-Id: <20240812173340.3912830-2-cristian.marussi@arm.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/optee.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/firmware/arm_scmi/optee.c b/drivers/firmware/arm_scmi/optee.c +index e123de6e8c67a..aa02392265d32 100644 +--- a/drivers/firmware/arm_scmi/optee.c ++++ b/drivers/firmware/arm_scmi/optee.c +@@ -467,6 +467,13 @@ static int scmi_optee_chan_free(int id, void *p, void *data) + struct scmi_chan_info *cinfo = p; + struct scmi_optee_channel *channel = cinfo->transport_info; + ++ /* ++ * Different protocols might share the same chan info, so a previous ++ * call might have already freed the structure. ++ */ ++ if (!channel) ++ return 0; ++ + mutex_lock(&scmi_optee_private->mu); + list_del(&channel->link); + mutex_unlock(&scmi_optee_private->mu); +-- +2.43.0 + diff --git a/queue-6.6/hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch b/queue-6.6/hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch new file mode 100644 index 00000000000..7a102c26620 --- /dev/null +++ b/queue-6.6/hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch @@ -0,0 +1,66 @@ +From 65c35657972851a2d313252360f42faefc81d255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 13:32:08 -0700 +Subject: HID: wacom: Do not warn about dropped packets for first packet + +From: Jason Gerecke + +[ Upstream commit 84aecf2d251a3359bc78b7c8e58f54b9fc966e89 ] + +The driver currently assumes that the first sequence number it will see +is going to be 0. This is not a realiable assumption and can break if, +for example, the tablet has already been running for some time prior to +the kernel driver connecting to the device. This commit initializes the +expected sequence number to -1 and will only print the "Dropped" warning +the it has been updated to a non-negative value. + +Signed-off-by: Jason Gerecke +Tested-by: Joshua Dickens +Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages") +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 6 +++++- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index c3c576641a38e..18b5cd0234d21 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2368,6 +2368,9 @@ static void wacom_wac_pen_usage_mapping(struct hid_device *hdev, + wacom_map_usage(input, usage, field, EV_KEY, BTN_STYLUS3, 0); + features->quirks &= ~WACOM_QUIRK_PEN_BUTTON3; + break; ++ case WACOM_HID_WD_SEQUENCENUMBER: ++ wacom_wac->hid_data.sequence_number = -1; ++ break; + } + } + +@@ -2492,7 +2495,8 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field + wacom_wac->hid_data.barrelswitch3 = value; + return; + case WACOM_HID_WD_SEQUENCENUMBER: +- if (wacom_wac->hid_data.sequence_number != value) { ++ if (wacom_wac->hid_data.sequence_number != value && ++ wacom_wac->hid_data.sequence_number >= 0) { + int sequence_size = field->logical_maximum - field->logical_minimum + 1; + int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size; + hid_warn(hdev, "Dropped %d packets", drop_count); +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index 57e185f18d53d..61073fe81ead2 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -324,7 +324,7 @@ struct hid_data { + int bat_connected; + int ps_connected; + bool pad_input_event_flag; +- unsigned short sequence_number; ++ int sequence_number; + ktime_t time_delayed; + }; + +-- +2.43.0 + diff --git a/queue-6.6/hid-wacom-support-sequence-numbers-smaller-than-16-b.patch b/queue-6.6/hid-wacom-support-sequence-numbers-smaller-than-16-b.patch new file mode 100644 index 00000000000..5414e48ce31 --- /dev/null +++ b/queue-6.6/hid-wacom-support-sequence-numbers-smaller-than-16-b.patch @@ -0,0 +1,50 @@ +From 8705e1e803720512cac575202404233f46c98d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 13:32:07 -0700 +Subject: HID: wacom: Support sequence numbers smaller than 16-bit + +From: Jason Gerecke + +[ Upstream commit 359673ea3a203611b4f6d0f28922a4b9d2cfbcc8 ] + +The current dropped packet reporting assumes that all sequence numbers +are 16 bits in length. This results in misleading "Dropped" messages if +the hardware uses fewer bits. For example, if a tablet uses only 8 bits +to store its sequence number, once it rolls over from 255 -> 0, the +driver will still be expecting a packet "256". This patch adjusts the +logic to reset the next expected packet to logical_minimum whenever +it overflows beyond logical_maximum. + +Signed-off-by: Jason Gerecke +Tested-by: Joshua Dickens +Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages") +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 5db26a8af7728..c3c576641a38e 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2492,9 +2492,14 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field + wacom_wac->hid_data.barrelswitch3 = value; + return; + case WACOM_HID_WD_SEQUENCENUMBER: +- if (wacom_wac->hid_data.sequence_number != value) +- hid_warn(hdev, "Dropped %hu packets", (unsigned short)(value - wacom_wac->hid_data.sequence_number)); ++ if (wacom_wac->hid_data.sequence_number != value) { ++ int sequence_size = field->logical_maximum - field->logical_minimum + 1; ++ int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size; ++ hid_warn(hdev, "Dropped %d packets", drop_count); ++ } + wacom_wac->hid_data.sequence_number = value + 1; ++ if (wacom_wac->hid_data.sequence_number > field->logical_maximum) ++ wacom_wac->hid_data.sequence_number = field->logical_minimum; + return; + } + +-- +2.43.0 + diff --git a/queue-6.6/hwmon-max16065-fix-alarm-attributes.patch b/queue-6.6/hwmon-max16065-fix-alarm-attributes.patch new file mode 100644 index 00000000000..3aa24eb4ef7 --- /dev/null +++ b/queue-6.6/hwmon-max16065-fix-alarm-attributes.patch @@ -0,0 +1,70 @@ +From 4383ff55f11cbc63ab6ed3378c3cf2e667c0ba60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jul 2024 06:41:17 -0700 +Subject: hwmon: (max16065) Fix alarm attributes + +From: Guenter Roeck + +[ Upstream commit 119abf7d1815f098f7f91ae7abc84324a19943d7 ] + +Chips reporting overcurrent alarms report it in the second alarm register. +That means the second alarm register has to be read, even if the chip only +supports 8 or fewer ADC channels. + +MAX16067 and MAX16068 report undervoltage and overvoltage alarms in +separate registers. Fold register contents together to report both with +the existing alarm attribute. This requires actually storing the chip type +in struct max16065_data. Rename the variable 'chip' to match the variable +name used in the probe function. + +Reviewed-by: Tzung-Bi Shih +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max16065.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c +index 5b2a174c6bad3..0ccb5eb596fc4 100644 +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -79,7 +79,7 @@ static const bool max16065_have_current[] = { + }; + + struct max16065_data { +- enum chips type; ++ enum chips chip; + struct i2c_client *client; + const struct attribute_group *groups[4]; + struct mutex update_lock; +@@ -162,10 +162,17 @@ static struct max16065_data *max16065_update_device(struct device *dev) + MAX16065_CURR_SENSE); + } + +- for (i = 0; i < DIV_ROUND_UP(data->num_adc, 8); i++) ++ for (i = 0; i < 2; i++) + data->fault[i] + = i2c_smbus_read_byte_data(client, MAX16065_FAULT(i)); + ++ /* ++ * MAX16067 and MAX16068 have separate undervoltage and ++ * overvoltage alarm bits. Squash them together. ++ */ ++ if (data->chip == max16067 || data->chip == max16068) ++ data->fault[0] |= data->fault[1]; ++ + data->last_updated = jiffies; + data->valid = true; + } +@@ -514,6 +521,7 @@ static int max16065_probe(struct i2c_client *client) + if (unlikely(!data)) + return -ENOMEM; + ++ data->chip = chip; + data->client = client; + mutex_init(&data->update_lock); + +-- +2.43.0 + diff --git a/queue-6.6/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch b/queue-6.6/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch new file mode 100644 index 00000000000..ca689117520 --- /dev/null +++ b/queue-6.6/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch @@ -0,0 +1,46 @@ +From f7557fc157ad1fdac0aa3e6a8c4b408efd014807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 09:52:01 -0700 +Subject: hwmon: (max16065) Fix overflows seen when writing limits + +From: Guenter Roeck + +[ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ] + +Writing large limits resulted in overflows as reported by module tests. + +in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647] +in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647] +in0_min: Suspected overflow: [max=5538, read 0, written 2147483647] + +Fix the problem by clamping prior to multiplications and the use of +DIV_ROUND_CLOSEST, and by using consistent variable types. + +Reviewed-by: Tzung-Bi Shih +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max16065.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c +index aa38c45adc09e..e392529de098e 100644 +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -114,9 +114,10 @@ static inline int LIMIT_TO_MV(int limit, int range) + return limit * range / 256; + } + +-static inline int MV_TO_LIMIT(int mv, int range) ++static inline int MV_TO_LIMIT(unsigned long mv, int range) + { +- return clamp_val(DIV_ROUND_CLOSEST(mv * 256, range), 0, 255); ++ mv = clamp_val(mv, 0, ULONG_MAX / 256); ++ return DIV_ROUND_CLOSEST(clamp_val(mv * 256, 0, range * 255), range); + } + + static inline int ADC_TO_CURR(int adc, int gain) +-- +2.43.0 + diff --git a/queue-6.6/hwmon-max16065-remove-use-of-i2c_match_id.patch b/queue-6.6/hwmon-max16065-remove-use-of-i2c_match_id.patch new file mode 100644 index 00000000000..5fded67d00b --- /dev/null +++ b/queue-6.6/hwmon-max16065-remove-use-of-i2c_match_id.patch @@ -0,0 +1,70 @@ +From b5f8de267bd3f9a8ac7fe259dc8a537901c63b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 15:36:21 -0500 +Subject: hwmon: (max16065) Remove use of i2c_match_id() + +From: Andrew Davis + +[ Upstream commit 5a71654b398e3471f0169c266a3587cf09e1200c ] + +The function i2c_match_id() is used to fetch the matching ID from +the i2c_device_id table. This is often used to then retrieve the +matching driver_data. This can be done in one step with the helper +i2c_get_match_data(). + +This helper has a couple other benefits: + * It doesn't need the i2c_device_id passed in so we do not need + to have that forward declared, allowing us to remove those or + move the i2c_device_id table down to its more natural spot + with the other module info. + * It also checks for device match data, which allows for OF and + ACPI based probing. That means we do not have to manually check + those first and can remove those checks. + +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20240403203633.914389-20-afd@ti.com +Signed-off-by: Guenter Roeck +Stable-dep-of: 119abf7d1815 ("hwmon: (max16065) Fix alarm attributes") +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max16065.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c +index e392529de098e..5b2a174c6bad3 100644 +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -494,8 +494,6 @@ static const struct attribute_group max16065_max_group = { + .is_visible = max16065_secondary_is_visible, + }; + +-static const struct i2c_device_id max16065_id[]; +- + static int max16065_probe(struct i2c_client *client) + { + struct i2c_adapter *adapter = client->adapter; +@@ -506,7 +504,7 @@ static int max16065_probe(struct i2c_client *client) + bool have_secondary; /* true if chip has secondary limits */ + bool secondary_is_max = false; /* secondary limits reflect max */ + int groups = 0; +- const struct i2c_device_id *id = i2c_match_id(max16065_id, client); ++ enum chips chip = (uintptr_t)i2c_get_match_data(client); + + if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA + | I2C_FUNC_SMBUS_READ_WORD_DATA)) +@@ -519,9 +517,9 @@ static int max16065_probe(struct i2c_client *client) + data->client = client; + mutex_init(&data->update_lock); + +- data->num_adc = max16065_num_adc[id->driver_data]; +- data->have_current = max16065_have_current[id->driver_data]; +- have_secondary = max16065_have_secondary[id->driver_data]; ++ data->num_adc = max16065_num_adc[chip]; ++ data->have_current = max16065_have_current[chip]; ++ have_secondary = max16065_have_secondary[chip]; + + if (have_secondary) { + val = i2c_smbus_read_byte_data(client, MAX16065_SW_ENABLE); +-- +2.43.0 + diff --git a/queue-6.6/hwmon-ntc_thermistor-fix-module-autoloading.patch b/queue-6.6/hwmon-ntc_thermistor-fix-module-autoloading.patch new file mode 100644 index 00000000000..13e863cec22 --- /dev/null +++ b/queue-6.6/hwmon-ntc_thermistor-fix-module-autoloading.patch @@ -0,0 +1,36 @@ +From c3d1d237a0867cde108b76a3a879e8970e6dd770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 08:30:21 +0000 +Subject: hwmon: (ntc_thermistor) fix module autoloading + +From: Yuntao Liu + +[ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from of_device_id table. + +Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver") +Signed-off-by: Yuntao Liu +Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com> +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ntc_thermistor.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ntc_thermistor.c b/drivers/hwmon/ntc_thermistor.c +index ef75b63f5894e..b5352900463fb 100644 +--- a/drivers/hwmon/ntc_thermistor.c ++++ b/drivers/hwmon/ntc_thermistor.c +@@ -62,6 +62,7 @@ static const struct platform_device_id ntc_thermistor_id[] = { + [NTC_SSG1404001221] = { "ssg1404_001221", TYPE_NCPXXWB473 }, + [NTC_LAST] = { }, + }; ++MODULE_DEVICE_TABLE(platform, ntc_thermistor_id); + + /* + * A compensation table should be sorted by the values of .ohm +-- +2.43.0 + diff --git a/queue-6.6/ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch b/queue-6.6/ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch new file mode 100644 index 00000000000..299ba0dda20 --- /dev/null +++ b/queue-6.6/ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch @@ -0,0 +1,102 @@ +From 36f96244a3e7063c1b9c6ea363f3cb6f012915a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 13:36:33 +0300 +Subject: IB/core: Fix ib_cache_setup_one error flow cleanup + +From: Patrisious Haddad + +[ Upstream commit 1403c8b14765eab805377dd3b75e96ace8747aed ] + +When ib_cache_update return an error, we exit ib_cache_setup_one +instantly with no proper cleanup, even though before this we had +already successfully done gid_table_setup_one, that results in +the kernel WARN below. + +Do proper cleanup using gid_table_cleanup_one before returning +the err in order to fix the issue. + +WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0 +Modules linked in: +CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:gid_table_release_one+0x181/0x1a0 +Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41 +RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527 +RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001 +RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631 +R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001 +R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001 +FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? show_regs+0x94/0xa0 + ? __warn+0x9e/0x1c0 + ? gid_table_release_one+0x181/0x1a0 + ? report_bug+0x1f9/0x340 + ? gid_table_release_one+0x181/0x1a0 + ? handle_bug+0xa2/0x110 + ? exc_invalid_op+0x31/0xa0 + ? asm_exc_invalid_op+0x16/0x20 + ? __warn_printk+0xc7/0x180 + ? __warn_printk+0xd4/0x180 + ? gid_table_release_one+0x181/0x1a0 + ib_device_release+0x71/0xe0 + ? __pfx_ib_device_release+0x10/0x10 + device_release+0x44/0xd0 + kobject_put+0x135/0x3d0 + put_device+0x20/0x30 + rxe_net_add+0x7d/0xa0 + rxe_newlink+0xd7/0x190 + nldev_newlink+0x1b0/0x2a0 + ? __pfx_nldev_newlink+0x10/0x10 + rdma_nl_rcv_msg+0x1ad/0x2e0 + rdma_nl_rcv_skb.constprop.0+0x176/0x210 + netlink_unicast+0x2de/0x400 + netlink_sendmsg+0x306/0x660 + __sock_sendmsg+0x110/0x120 + ____sys_sendmsg+0x30e/0x390 + ___sys_sendmsg+0x9b/0xf0 + ? kstrtouint+0x6e/0xa0 + ? kstrtouint_from_user+0x7c/0xb0 + ? get_pid_task+0xb0/0xd0 + ? proc_fail_nth_write+0x5b/0x140 + ? __fget_light+0x9a/0x200 + ? preempt_count_add+0x47/0xa0 + __sys_sendmsg+0x61/0xd0 + do_syscall_64+0x50/0x110 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache") +Signed-off-by: Patrisious Haddad +Reviewed-by: Maher Sanalla +Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.1725273354.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cache.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c +index b7251ed7a8dfb..0b88203720b05 100644 +--- a/drivers/infiniband/core/cache.c ++++ b/drivers/infiniband/core/cache.c +@@ -1640,8 +1640,10 @@ int ib_cache_setup_one(struct ib_device *device) + + rdma_for_each_port (device, p) { + err = ib_cache_update(device, p, true, true, true); +- if (err) ++ if (err) { ++ gid_table_cleanup_one(device); + return err; ++ } + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/iio-adc-ad7606-fix-oversampling-gpio-array.patch b/queue-6.6/iio-adc-ad7606-fix-oversampling-gpio-array.patch new file mode 100644 index 00000000000..5ee0202a6af --- /dev/null +++ b/queue-6.6/iio-adc-ad7606-fix-oversampling-gpio-array.patch @@ -0,0 +1,72 @@ +From 6c5b28e90cf641751287e9752cfa902e78fbd9aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 17:34:10 +0000 +Subject: iio: adc: ad7606: fix oversampling gpio array + +From: Guillaume Stols + +[ Upstream commit 8dc4594b54dbaaba40dc8884ad3d42083de39434 ] + +gpiod_set_array_value was misused here: the implementation relied on the +assumption that an unsigned long was required for each gpio, while the +function expects a bit array stored in "as much unsigned long as needed +for storing one bit per GPIO", i.e it is using a bit field. + +This leaded to incorrect parameter passed to gpiod_set_array_value, that +would set 1 value instead of 3. +It also prevents to select the software mode correctly for the AD7606B. + +Fixes: d2a415c86c6b ("iio: adc: ad7606: Add support for AD7606B ADC") +Fixes: 41f71e5e7daf ("staging: iio: adc: ad7606: Use find_closest() macro") +Signed-off-by: Guillaume Stols +Reviewed-by: Nuno Sa +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 4 ++-- + drivers/iio/adc/ad7606_spi.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index 1c08c0921ee71..8c66b1e364014 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -215,9 +215,9 @@ static int ad7606_write_os_hw(struct iio_dev *indio_dev, int val) + struct ad7606_state *st = iio_priv(indio_dev); + DECLARE_BITMAP(values, 3); + +- values[0] = val; ++ values[0] = val & GENMASK(2, 0); + +- gpiod_set_array_value(ARRAY_SIZE(values), st->gpio_os->desc, ++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc, + st->gpio_os->info, values); + + /* AD7616 requires a reset to update value */ +diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c +index 263a778bcf253..287a0591533b6 100644 +--- a/drivers/iio/adc/ad7606_spi.c ++++ b/drivers/iio/adc/ad7606_spi.c +@@ -249,8 +249,9 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev) + static int ad7606B_sw_mode_config(struct iio_dev *indio_dev) + { + struct ad7606_state *st = iio_priv(indio_dev); +- unsigned long os[3] = {1}; ++ DECLARE_BITMAP(os, 3); + ++ bitmap_fill(os, 3); + /* + * Software mode is enabled when all three oversampling + * pins are set to high. If oversampling gpios are defined +@@ -258,7 +259,7 @@ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev) + * otherwise, they must be hardwired to VDD + */ + if (st->gpio_os) { +- gpiod_set_array_value(ARRAY_SIZE(os), ++ gpiod_set_array_value(st->gpio_os->ndescs, + st->gpio_os->desc, st->gpio_os->info, os); + } + /* OS of 128 and 256 are available only in software mode */ +-- +2.43.0 + diff --git a/queue-6.6/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch b/queue-6.6/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch new file mode 100644 index 00000000000..e5d8e5420a4 --- /dev/null +++ b/queue-6.6/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch @@ -0,0 +1,48 @@ +From 44e54eb8c67c8dc49a21012ecc994253ebc17b43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 17:34:11 +0000 +Subject: iio: adc: ad7606: fix standby gpio state to match the documentation + +From: Guillaume Stols + +[ Upstream commit 059fe4f8bbdf5cad212e1aeeb3e8968c80b9ff3b ] + +The binding's documentation specifies that "As the line is active low, it +should be marked GPIO_ACTIVE_LOW". However, in the driver, it was handled +the opposite way. This commit sets the driver's behaviour in sync with the +documentation + +Fixes: 722407a4e8c0 ("staging:iio:ad7606: Use GPIO descriptor API") +Signed-off-by: Guillaume Stols +Reviewed-by: Nuno Sa +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index 8c66b1e364014..4d755ffc3f414 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -422,7 +422,7 @@ static int ad7606_request_gpios(struct ad7606_state *st) + return PTR_ERR(st->gpio_range); + + st->gpio_standby = devm_gpiod_get_optional(dev, "standby", +- GPIOD_OUT_HIGH); ++ GPIOD_OUT_LOW); + if (IS_ERR(st->gpio_standby)) + return PTR_ERR(st->gpio_standby); + +@@ -665,7 +665,7 @@ static int ad7606_suspend(struct device *dev) + + if (st->gpio_standby) { + gpiod_set_value(st->gpio_range, 1); +- gpiod_set_value(st->gpio_standby, 0); ++ gpiod_set_value(st->gpio_standby, 1); + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch b/queue-6.6/iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch new file mode 100644 index 00000000000..b008ad45ad6 --- /dev/null +++ b/queue-6.6/iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch @@ -0,0 +1,77 @@ +From 6c61d8a8fdf9fc8ec9f328529192880b71ab4b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 01:38:12 +0200 +Subject: iio: chemical: bme680: Fix read/write ops to device by adding mutexes + +From: Vasileios Amoiridis + +[ Upstream commit 77641e5a477d428335cd094b88ac54e09ccb70f4 ] + +Add mutexes in the {read/write}_raw() functions of the device to guard the +read/write of data from/to the device. This is necessary because for any +operation other than temperature, multiple reads need to take place from +the device. Even though regmap has a locking by itself, it won't protect us +from multiple applications trying to read at the same time temperature and +pressure since the pressure reading includes an internal temperature +reading and there is nothing to ensure that this temperature+pressure +reading will happen sequentially without any other operation interfering +in the meantime. + +Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") +Signed-off-by: Vasileios Amoiridis +Link: https://patch.msgid.link/20240609233826.330516-2-vassilisamir@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/chemical/bme680_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c +index 500f56834b01f..a6bf689833dad 100644 +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -10,6 +10,7 @@ + */ + #include + #include ++#include + #include + #include + #include +@@ -52,6 +53,7 @@ struct bme680_calib { + struct bme680_data { + struct regmap *regmap; + struct bme680_calib bme680; ++ struct mutex lock; /* Protect multiple serial R/W ops to device. */ + u8 oversampling_temp; + u8 oversampling_press; + u8 oversampling_humid; +@@ -827,6 +829,8 @@ static int bme680_read_raw(struct iio_dev *indio_dev, + { + struct bme680_data *data = iio_priv(indio_dev); + ++ guard(mutex)(&data->lock); ++ + switch (mask) { + case IIO_CHAN_INFO_PROCESSED: + switch (chan->type) { +@@ -871,6 +875,8 @@ static int bme680_write_raw(struct iio_dev *indio_dev, + { + struct bme680_data *data = iio_priv(indio_dev); + ++ guard(mutex)(&data->lock); ++ + if (val2 != 0) + return -EINVAL; + +@@ -967,6 +973,7 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap, + name = bme680_match_acpi_device(dev); + + data = iio_priv(indio_dev); ++ mutex_init(&data->lock); + dev_set_drvdata(dev, indio_dev); + data->regmap = regmap; + indio_dev->name = name; +-- +2.43.0 + diff --git a/queue-6.6/iio-magnetometer-ak8975-convert-enum-pointer-for-dat.patch b/queue-6.6/iio-magnetometer-ak8975-convert-enum-pointer-for-dat.patch new file mode 100644 index 00000000000..c1c5b807320 --- /dev/null +++ b/queue-6.6/iio-magnetometer-ak8975-convert-enum-pointer-for-dat.patch @@ -0,0 +1,143 @@ +From 430eb29fb8fe68e00b5b03b87050c03b963965af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 08:55:56 +0100 +Subject: iio: magnetometer: ak8975: Convert enum->pointer for data in the + match tables + +From: Biju Das + +[ Upstream commit 4f9ea93afde190a0f906ee624fc9a45cf784551b ] + +Convert enum->pointer for data in the match tables to simplify the probe() +by replacing device_get_match_data() and i2c_client_get_device_id by +i2c_get_match_data() as we have similar I2C, ACPI and DT matching table. + +Signed-off-by: Biju Das +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230818075600.24277-2-biju.das.jz@bp.renesas.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: da6e3160df23 ("iio: magnetometer: ak8975: drop incorrect AK09116 compatible") +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/ak8975.c | 75 +++++++++++++------------------ + 1 file changed, 30 insertions(+), 45 deletions(-) + +diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c +index eb706d0bf70bc..104798549de11 100644 +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -813,13 +813,13 @@ static const struct iio_info ak8975_info = { + }; + + static const struct acpi_device_id ak_acpi_match[] = { +- {"AK8975", AK8975}, +- {"AK8963", AK8963}, +- {"INVN6500", AK8963}, +- {"AK009911", AK09911}, +- {"AK09911", AK09911}, +- {"AKM9911", AK09911}, +- {"AK09912", AK09912}, ++ {"AK8975", (kernel_ulong_t)&ak_def_array[AK8975] }, ++ {"AK8963", (kernel_ulong_t)&ak_def_array[AK8963] }, ++ {"INVN6500", (kernel_ulong_t)&ak_def_array[AK8963] }, ++ {"AK009911", (kernel_ulong_t)&ak_def_array[AK09911] }, ++ {"AK09911", (kernel_ulong_t)&ak_def_array[AK09911] }, ++ {"AKM9911", (kernel_ulong_t)&ak_def_array[AK09911] }, ++ {"AK09912", (kernel_ulong_t)&ak_def_array[AK09912] }, + { } + }; + MODULE_DEVICE_TABLE(acpi, ak_acpi_match); +@@ -883,10 +883,7 @@ static int ak8975_probe(struct i2c_client *client) + struct iio_dev *indio_dev; + struct gpio_desc *eoc_gpiod; + struct gpio_desc *reset_gpiod; +- const void *match; +- unsigned int i; + int err; +- enum asahi_compass_chipset chipset; + const char *name = NULL; + + /* +@@ -928,27 +925,15 @@ static int ak8975_probe(struct i2c_client *client) + return err; + + /* id will be NULL when enumerated via ACPI */ +- match = device_get_match_data(&client->dev); +- if (match) { +- chipset = (uintptr_t)match; +- name = dev_name(&client->dev); +- } else if (id) { +- chipset = (enum asahi_compass_chipset)(id->driver_data); +- name = id->name; +- } else +- return -ENOSYS; +- +- for (i = 0; i < ARRAY_SIZE(ak_def_array); i++) +- if (ak_def_array[i].type == chipset) +- break; +- +- if (i == ARRAY_SIZE(ak_def_array)) { +- dev_err(&client->dev, "AKM device type unsupported: %d\n", +- chipset); ++ data->def = i2c_get_match_data(client); ++ if (!data->def) + return -ENODEV; +- } + +- data->def = &ak_def_array[i]; ++ /* If enumerated via firmware node, fix the ABI */ ++ if (dev_fwnode(&client->dev)) ++ name = dev_name(&client->dev); ++ else ++ name = id->name; + + /* Fetch the regulators */ + data->vdd = devm_regulator_get(&client->dev, "vdd"); +@@ -1077,28 +1062,28 @@ static DEFINE_RUNTIME_DEV_PM_OPS(ak8975_dev_pm_ops, ak8975_runtime_suspend, + ak8975_runtime_resume, NULL); + + static const struct i2c_device_id ak8975_id[] = { +- {"ak8975", AK8975}, +- {"ak8963", AK8963}, +- {"AK8963", AK8963}, +- {"ak09911", AK09911}, +- {"ak09912", AK09912}, +- {"ak09916", AK09916}, ++ {"ak8975", (kernel_ulong_t)&ak_def_array[AK8975] }, ++ {"ak8963", (kernel_ulong_t)&ak_def_array[AK8963] }, ++ {"AK8963", (kernel_ulong_t)&ak_def_array[AK8963] }, ++ {"ak09911", (kernel_ulong_t)&ak_def_array[AK09911] }, ++ {"ak09912", (kernel_ulong_t)&ak_def_array[AK09912] }, ++ {"ak09916", (kernel_ulong_t)&ak_def_array[AK09916] }, + {} + }; + + MODULE_DEVICE_TABLE(i2c, ak8975_id); + + static const struct of_device_id ak8975_of_match[] = { +- { .compatible = "asahi-kasei,ak8975", }, +- { .compatible = "ak8975", }, +- { .compatible = "asahi-kasei,ak8963", }, +- { .compatible = "ak8963", }, +- { .compatible = "asahi-kasei,ak09911", }, +- { .compatible = "ak09911", }, +- { .compatible = "asahi-kasei,ak09912", }, +- { .compatible = "ak09912", }, +- { .compatible = "asahi-kasei,ak09916", }, +- { .compatible = "ak09916", }, ++ { .compatible = "asahi-kasei,ak8975", .data = &ak_def_array[AK8975] }, ++ { .compatible = "ak8975", .data = &ak_def_array[AK8975] }, ++ { .compatible = "asahi-kasei,ak8963", .data = &ak_def_array[AK8963] }, ++ { .compatible = "ak8963", .data = &ak_def_array[AK8963] }, ++ { .compatible = "asahi-kasei,ak09911", .data = &ak_def_array[AK09911] }, ++ { .compatible = "ak09911", .data = &ak_def_array[AK09911] }, ++ { .compatible = "asahi-kasei,ak09912", .data = &ak_def_array[AK09912] }, ++ { .compatible = "ak09912", .data = &ak_def_array[AK09912] }, ++ { .compatible = "asahi-kasei,ak09916", .data = &ak_def_array[AK09916] }, ++ { .compatible = "ak09916", .data = &ak_def_array[AK09916] }, + {} + }; + MODULE_DEVICE_TABLE(of, ak8975_of_match); +-- +2.43.0 + diff --git a/queue-6.6/iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch b/queue-6.6/iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch new file mode 100644 index 00000000000..5e38c04b752 --- /dev/null +++ b/queue-6.6/iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch @@ -0,0 +1,39 @@ +From 49daecca1d533226a140e4a65b7aa159e99645aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 07:30:15 +0200 +Subject: iio: magnetometer: ak8975: drop incorrect AK09116 compatible + +From: Krzysztof Kozlowski + +[ Upstream commit da6e3160df230692bbd48a6d52318035f19595e2 ] + +All compatibles in this binding without prefixes were deprecated, so +adding a new deprecated one after some time is not allowed, because it +defies the core logic of deprecating things. + +Drop the AK09916 vendorless compatible. + +Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support") +Signed-off-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20240806053016.6401-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/ak8975.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c +index 104798549de11..a79a1d5b46394 100644 +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -1083,7 +1083,6 @@ static const struct of_device_id ak8975_of_match[] = { + { .compatible = "asahi-kasei,ak09912", .data = &ak_def_array[AK09912] }, + { .compatible = "ak09912", .data = &ak_def_array[AK09912] }, + { .compatible = "asahi-kasei,ak09916", .data = &ak_def_array[AK09916] }, +- { .compatible = "ak09916", .data = &ak_def_array[AK09916] }, + {} + }; + MODULE_DEVICE_TABLE(of, ak8975_of_match); +-- +2.43.0 + diff --git a/queue-6.6/input-ilitek_ts_i2c-add-report-id-message-validation.patch b/queue-6.6/input-ilitek_ts_i2c-add-report-id-message-validation.patch new file mode 100644 index 00000000000..fee41ccbfad --- /dev/null +++ b/queue-6.6/input-ilitek_ts_i2c-add-report-id-message-validation.patch @@ -0,0 +1,50 @@ +From 2b963fb3ca0253c77a5bd07ccde1ee95672044b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 10:55:11 +0200 +Subject: Input: ilitek_ts_i2c - add report id message validation + +From: Emanuele Ghidoli + +[ Upstream commit 208989744a6f01bed86968473312d4e650e600b3 ] + +Ensure that the touchscreen response has correct "report id" byte +before processing the touch data and discard other messages. + +Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series") +Signed-off-by: Emanuele Ghidoli +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20240805085511.43955-3-francesco@dolcini.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ilitek_ts_i2c.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c +index f70af5a173b34..e719f5da68bf5 100644 +--- a/drivers/input/touchscreen/ilitek_ts_i2c.c ++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c +@@ -37,6 +37,8 @@ + #define ILITEK_TP_CMD_GET_MCU_VER 0x61 + #define ILITEK_TP_CMD_GET_IC_MODE 0xC0 + ++#define ILITEK_TP_I2C_REPORT_ID 0x48 ++ + #define REPORT_COUNT_ADDRESS 61 + #define ILITEK_SUPPORT_MAX_POINT 40 + +@@ -163,6 +165,11 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts) + return error; + } + ++ if (buf[0] != ILITEK_TP_I2C_REPORT_ID) { ++ dev_err(dev, "get touch info failed. Wrong id: 0x%02X\n", buf[0]); ++ return -EINVAL; ++ } ++ + report_max_point = buf[REPORT_COUNT_ADDRESS]; + if (report_max_point > ts->max_tp) { + dev_err(dev, "FW report max point:%d > panel info. max:%d\n", +-- +2.43.0 + diff --git a/queue-6.6/input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch b/queue-6.6/input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch new file mode 100644 index 00000000000..b710d489162 --- /dev/null +++ b/queue-6.6/input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch @@ -0,0 +1,71 @@ +From b6e7680963cab97dcb29678e3e3afe5944390bb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 10:55:10 +0200 +Subject: Input: ilitek_ts_i2c - avoid wrong input subsystem sync + +From: Emanuele Ghidoli + +[ Upstream commit 7d0b18cd5dc7429917812963611d961fd93cb44d ] + +For different reasons i2c transaction may fail or report id in the +message may be wrong. Avoid closing the frame in this case as it will +result in all contacts being dropped, indicating that nothing is +touching the screen anymore, while usually it is not the case. + +Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series") +Signed-off-by: Emanuele Ghidoli +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20240805085511.43955-2-francesco@dolcini.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ilitek_ts_i2c.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c +index 2f872e95fbbad..f70af5a173b34 100644 +--- a/drivers/input/touchscreen/ilitek_ts_i2c.c ++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c +@@ -160,15 +160,14 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts) + error = ilitek_i2c_write_and_read(ts, NULL, 0, 0, buf, 64); + if (error) { + dev_err(dev, "get touch info failed, err:%d\n", error); +- goto err_sync_frame; ++ return error; + } + + report_max_point = buf[REPORT_COUNT_ADDRESS]; + if (report_max_point > ts->max_tp) { + dev_err(dev, "FW report max point:%d > panel info. max:%d\n", + report_max_point, ts->max_tp); +- error = -EINVAL; +- goto err_sync_frame; ++ return -EINVAL; + } + + count = DIV_ROUND_UP(report_max_point, packet_max_point); +@@ -178,7 +177,7 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts) + if (error) { + dev_err(dev, "get touch info. failed, cnt:%d, err:%d\n", + count, error); +- goto err_sync_frame; ++ return error; + } + } + +@@ -203,10 +202,10 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts) + ilitek_touch_down(ts, id, x, y); + } + +-err_sync_frame: + input_mt_sync_frame(input); + input_sync(input); +- return error; ++ ++ return 0; + } + + /* APIs of cmds for ILITEK Touch IC */ +-- +2.43.0 + diff --git a/queue-6.6/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch b/queue-6.6/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch new file mode 100644 index 00000000000..81c3a09f0e4 --- /dev/null +++ b/queue-6.6/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch @@ -0,0 +1,49 @@ +From f8f4de2e51acd6cfbfd1b21d4115f6565e816d35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:30:13 +0800 +Subject: Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit dcd18a3fb1228409dfc24373c5c6868a655810b0 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: 9ee0a0558819 ("Input: PS/2 gpio bit banging driver for serio bus") +Signed-off-by: Jinjie Ruan +Acked-by: Danilo Krummrich +Link: https://lore.kernel.org/r/20240912033013.2610949-1-ruanjinjie@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/ps2-gpio.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c +index bc1dc484389b4..ea67968fb112c 100644 +--- a/drivers/input/serio/ps2-gpio.c ++++ b/drivers/input/serio/ps2-gpio.c +@@ -429,16 +429,14 @@ static int ps2_gpio_probe(struct platform_device *pdev) + } + + error = devm_request_irq(dev, drvdata->irq, ps2_gpio_irq, +- IRQF_NO_THREAD, DRIVER_NAME, drvdata); ++ IRQF_NO_THREAD | IRQF_NO_AUTOEN, DRIVER_NAME, ++ drvdata); + if (error) { + dev_err(dev, "failed to request irq %d: %d\n", + drvdata->irq, error); + goto err_free_serio; + } + +- /* Keep irq disabled until serio->open is called. */ +- disable_irq(drvdata->irq); +- + serio->id.type = SERIO_8042; + serio->open = ps2_gpio_open; + serio->close = ps2_gpio_close; +-- +2.43.0 + diff --git a/queue-6.6/interconnect-icc-clk-add-missed-num_nodes-initializa.patch b/queue-6.6/interconnect-icc-clk-add-missed-num_nodes-initializa.patch new file mode 100644 index 00000000000..6ca10dfaad4 --- /dev/null +++ b/queue-6.6/interconnect-icc-clk-add-missed-num_nodes-initializa.patch @@ -0,0 +1,48 @@ +From bb00027522ac49e70c2088d2cca832e732697215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 14:48:23 -0700 +Subject: interconnect: icc-clk: Add missed num_nodes initialization + +From: Kees Cook + +[ Upstream commit c801ed86840ec38b2a9bcafeee3d7c9e14c743f3 ] + +With the new __counted_by annotation, the "num_nodes" struct member must +be set before accessing the "nodes" array. This initialization was done +in other places where a new struct icc_onecell_data is allocated, but this +case in icc_clk_register() was missed. Set "num_nodes" after allocation. + +Fixes: dd4904f3b924 ("interconnect: qcom: Annotate struct icc_onecell_data with __counted_by") +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20240716214819.work.328-kees@kernel.org +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/icc-clk.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/interconnect/icc-clk.c b/drivers/interconnect/icc-clk.c +index d787f2ea36d97..a91df709cfb2f 100644 +--- a/drivers/interconnect/icc-clk.c ++++ b/drivers/interconnect/icc-clk.c +@@ -87,6 +87,7 @@ struct icc_provider *icc_clk_register(struct device *dev, + onecell = devm_kzalloc(dev, struct_size(onecell, nodes, 2 * num_clocks), GFP_KERNEL); + if (!onecell) + return ERR_PTR(-ENOMEM); ++ onecell->num_nodes = 2 * num_clocks; + + qp = devm_kzalloc(dev, struct_size(qp, clocks, num_clocks), GFP_KERNEL); + if (!qp) +@@ -133,8 +134,6 @@ struct icc_provider *icc_clk_register(struct device *dev, + onecell->nodes[j++] = node; + } + +- onecell->num_nodes = j; +- + ret = icc_provider_register(provider); + if (ret) + goto err; +-- +2.43.0 + diff --git a/queue-6.6/io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch b/queue-6.6/io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch new file mode 100644 index 00000000000..15d1df68c6e --- /dev/null +++ b/queue-6.6/io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch @@ -0,0 +1,76 @@ +From cd5b89c162c067c25fc9e0d5aec7afcaaf22c822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 19:11:56 +0200 +Subject: io_uring/io-wq: do not allow pinning outside of cpuset + +From: Felix Moessbauer + +[ Upstream commit 0997aa5497c714edbb349ca366d28bd550ba3408 ] + +The io worker threads are userland threads that just never exit to the +userland. By that, they are also assigned to a cgroup (the group of the +creating task). + +When changing the affinity of the io_wq thread via syscall, we must only +allow cpumasks within the limits defined by the cpuset controller of the +cgroup (if enabled). + +Fixes: da64d6db3bd3 ("io_uring: One wqe per wq") +Signed-off-by: Felix Moessbauer +Link: https://lore.kernel.org/r/20240910171157.166423-2-felix.moessbauer@siemens.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io-wq.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c +index 98c9cfb983062..2df8d98738498 100644 +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1324,17 +1325,29 @@ static int io_wq_cpu_offline(unsigned int cpu, struct hlist_node *node) + + int io_wq_cpu_affinity(struct io_uring_task *tctx, cpumask_var_t mask) + { ++ cpumask_var_t allowed_mask; ++ int ret = 0; ++ + if (!tctx || !tctx->io_wq) + return -EINVAL; + ++ if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL)) ++ return -ENOMEM; ++ + rcu_read_lock(); +- if (mask) +- cpumask_copy(tctx->io_wq->cpu_mask, mask); +- else +- cpumask_copy(tctx->io_wq->cpu_mask, cpu_possible_mask); ++ cpuset_cpus_allowed(tctx->io_wq->task, allowed_mask); ++ if (mask) { ++ if (cpumask_subset(mask, allowed_mask)) ++ cpumask_copy(tctx->io_wq->cpu_mask, mask); ++ else ++ ret = -EINVAL; ++ } else { ++ cpumask_copy(tctx->io_wq->cpu_mask, allowed_mask); ++ } + rcu_read_unlock(); + +- return 0; ++ free_cpumask_var(allowed_mask); ++ return ret; + } + + /* +-- +2.43.0 + diff --git a/queue-6.6/io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch b/queue-6.6/io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch new file mode 100644 index 00000000000..13f50d1f3bd --- /dev/null +++ b/queue-6.6/io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch @@ -0,0 +1,41 @@ +From 793ebf225edb8acd169843fba223dd86c314fabe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 19:11:57 +0200 +Subject: io_uring/io-wq: inherit cpuset of cgroup in io worker + +From: Felix Moessbauer + +[ Upstream commit 84eacf177faa605853c58e5b1c0d9544b88c16fd ] + +The io worker threads are userland threads that just never exit to the +userland. By that, they are also assigned to a cgroup (the group of the +creating task). + +When creating a new io worker, this worker should inherit the cpuset +of the cgroup. + +Fixes: da64d6db3bd3 ("io_uring: One wqe per wq") +Signed-off-by: Felix Moessbauer +Link: https://lore.kernel.org/r/20240910171157.166423-3-felix.moessbauer@siemens.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io-wq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c +index 2df8d98738498..a1e31723c9ed6 100644 +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -1170,7 +1170,7 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data) + + if (!alloc_cpumask_var(&wq->cpu_mask, GFP_KERNEL)) + goto err; +- cpumask_copy(wq->cpu_mask, cpu_possible_mask); ++ cpuset_cpus_allowed(data->task, wq->cpu_mask); + wq->acct[IO_WQ_ACCT_BOUND].max_workers = bounded; + wq->acct[IO_WQ_ACCT_UNBOUND].max_workers = + task_rlimit(current, RLIMIT_NPROC); +-- +2.43.0 + diff --git a/queue-6.6/iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch b/queue-6.6/iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch new file mode 100644 index 00000000000..21b9f94812e --- /dev/null +++ b/queue-6.6/iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch @@ -0,0 +1,38 @@ +From ecdfd9fe38e7f91864090ff49975826ef405b9d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 21:06:23 -0300 +Subject: iommu/amd: Do not set the D bit on AMD v2 table entries + +From: Jason Gunthorpe + +[ Upstream commit 2910a7fa1be090fc7637cef0b2e70bcd15bf5469 ] + +The manual says that bit 6 is IGN for all Page-Table Base Address +pointers, don't set it. + +Fixes: aaac38f61487 ("iommu/amd: Initial support for AMD IOMMU v2 page table") +Reviewed-by: Vasant Hegde +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/14-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/io_pgtable_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/io_pgtable_v2.c b/drivers/iommu/amd/io_pgtable_v2.c +index e9ef2e0a62f67..cbf0c46015125 100644 +--- a/drivers/iommu/amd/io_pgtable_v2.c ++++ b/drivers/iommu/amd/io_pgtable_v2.c +@@ -50,7 +50,7 @@ static inline u64 set_pgtable_attr(u64 *page) + u64 prot; + + prot = IOMMU_PAGE_PRESENT | IOMMU_PAGE_RW | IOMMU_PAGE_USER; +- prot |= IOMMU_PAGE_ACCESS | IOMMU_PAGE_DIRTY; ++ prot |= IOMMU_PAGE_ACCESS; + + return (iommu_virt_to_phys(page) | prot); + } +-- +2.43.0 + diff --git a/queue-6.6/iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch b/queue-6.6/iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch new file mode 100644 index 00000000000..82907587697 --- /dev/null +++ b/queue-6.6/iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch @@ -0,0 +1,62 @@ +From f408a31244863dd1328975afe37e7b7f14609328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Sep 2024 21:48:12 +0300 +Subject: iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660 + +From: Dmitry Baryshkov + +[ Upstream commit 19eb465c969f3d6ed1b98506d3e470e863b41e16 ] + +The Qualcomm SDM630 / SDM660 platform requires the same kind of +workaround as MSM8998: some IOMMUs have context banks reserved by +firmware / TZ, touching those banks resets the board. + +Apply the num_context_bank workaround to those two SMMU devices in order +to allow them to be used by Linux. + +Fixes: b812834b5329 ("iommu: arm-smmu-qcom: Add sdm630/msm8998 compatibles for qcom quirks") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20240907-sdm660-wifi-v1-1-e316055142f8@linaro.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index db2092d5af5eb..d491589360197 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -282,8 +282,15 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + * MSM8998 LPASS SMMU reports 13 context banks, but accessing + * the last context bank crashes the system. + */ +- if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13) ++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && ++ smmu->num_context_banks == 13) { + smmu->num_context_banks = 12; ++ } else if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2")) { ++ if (smmu->num_context_banks == 21) /* SDM630 / SDM660 A2NOC SMMU */ ++ smmu->num_context_banks = 7; ++ else if (smmu->num_context_banks == 14) /* SDM630 / SDM660 LPASS SMMU */ ++ smmu->num_context_banks = 13; ++ } + + /* + * Some platforms support more than the Arm SMMU architected maximum of +@@ -346,6 +353,11 @@ static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu) + /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */ + smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K; + ++ /* TZ protects several last context banks, hide them from Linux */ ++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2") && ++ smmu->num_context_banks == 5) ++ smmu->num_context_banks = 2; ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch b/queue-6.6/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch new file mode 100644 index 00000000000..5a307a91ee4 --- /dev/null +++ b/queue-6.6/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch @@ -0,0 +1,75 @@ +From 005941d9e3e13531f57f24804b776994b5acd544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 15:27:19 +0200 +Subject: iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux + +From: Marc Gonzalez + +[ Upstream commit 3a8990b8a778219327c5f8ecf10b5d81377b925a ] + +On qcom msm8998, writing to the last context bank of lpass_q6_smmu +(base address 0x05100000) produces a system freeze & reboot. + +The hardware/hypervisor reports 13 context banks for the LPASS SMMU +on msm8998, but only the first 12 are accessible... +Override the number of context banks + +[ 2.546101] arm-smmu 5100000.iommu: probing hardware configuration... +[ 2.552439] arm-smmu 5100000.iommu: SMMUv2 with: +[ 2.558945] arm-smmu 5100000.iommu: stage 1 translation +[ 2.563627] arm-smmu 5100000.iommu: address translation ops +[ 2.568923] arm-smmu 5100000.iommu: non-coherent table walk +[ 2.574566] arm-smmu 5100000.iommu: (IDR0.CTTW overridden by FW configuration) +[ 2.580220] arm-smmu 5100000.iommu: stream matching with 12 register groups +[ 2.587263] arm-smmu 5100000.iommu: 13 context banks (0 stage-2 only) +[ 2.614447] arm-smmu 5100000.iommu: Supported page sizes: 0x63315000 +[ 2.621358] arm-smmu 5100000.iommu: Stage-1: 36-bit VA -> 36-bit IPA +[ 2.627772] arm-smmu 5100000.iommu: preserved 0 boot mappings + +Specifically, the crashes occur here: + + qsmmu->bypass_cbndx = smmu->num_context_banks - 1; + arm_smmu_cb_write(smmu, qsmmu->bypass_cbndx, ARM_SMMU_CB_SCTLR, 0); + +and here: + + arm_smmu_write_context_bank(smmu, i); + arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_FSR, ARM_SMMU_CB_FSR_FAULT); + +It is likely that FW reserves the last context bank for its own use, +thus a simple work-around is: DON'T USE IT in Linux. + +If we decrease the number of context banks, last one will be "hidden". + +Signed-off-by: Marc Gonzalez +Reviewed-by: Caleb Connolly +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20240820-smmu-v3-1-2f71483b00ec@freebox.fr +Signed-off-by: Will Deacon +Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660") +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index 6e6cb19c81f59..b899a7b7fa935 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -278,6 +278,13 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + u32 smr; + int i; + ++ /* ++ * MSM8998 LPASS SMMU reports 13 context banks, but accessing ++ * the last context bank crashes the system. ++ */ ++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13) ++ smmu->num_context_banks = 12; ++ + /* + * Some platforms support more than the Arm SMMU architected maximum of + * 128 stream matching groups. For unknown reasons, the additional +-- +2.43.0 + diff --git a/queue-6.6/iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch b/queue-6.6/iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch new file mode 100644 index 00000000000..6e0a2ee4b93 --- /dev/null +++ b/queue-6.6/iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch @@ -0,0 +1,70 @@ +From eaa20b74cc5f28116311e288ef70f979c339903e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 01:12:01 +0200 +Subject: iommu/arm-smmu-qcom: Work around SDM845 Adreno SMMU w/ 16K pages + +From: Konrad Dybcio + +[ Upstream commit 2d42d3ba443706c9164fa0bef4e5fd1c36bc1bd9 ] + +SDM845's Adreno SMMU is unique in that it actually advertizes support +for 16K (and 32M) pages, which doesn't hold for newer SoCs. + +This however, seems either broken in the hardware implementation, the +hypervisor middleware that abstracts the SMMU, or there's a bug in the +Linux kernel somewhere down the line that nobody managed to track down. + +Booting SDM845 with 16K page sizes and drm/msm results in: + +*** gpu fault: ttbr0=0000000000000000 iova=000100000000c000 dir=READ +type=TRANSLATION source=CP (0,0,0,0) + +right after loading the firmware. The GPU then starts spitting out +illegal intstruction errors, as it's quite obvious that it got a +bogus pointer. + +Moreover, it seems like this issue also concerns other implementations +of SMMUv2 on Qualcomm SoCs, such as the one on SC7180. + +Hide 16K support on such instances to work around this. + +Reported-by: Sumit Semwal +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240824-topic-845_gpu_smmu-v2-1-a302b8acc052@quicinc.com +Signed-off-by: Will Deacon +Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660") +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index b899a7b7fa935..db2092d5af5eb 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -341,6 +341,14 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + return 0; + } + ++static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu) ++{ ++ /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */ ++ smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K; ++ ++ return 0; ++} ++ + static void qcom_smmu_write_s2cr(struct arm_smmu_device *smmu, int idx) + { + struct arm_smmu_s2cr *s2cr = smmu->s2crs + idx; +@@ -431,6 +439,7 @@ static const struct arm_smmu_impl sdm845_smmu_500_impl = { + + static const struct arm_smmu_impl qcom_adreno_smmu_v2_impl = { + .init_context = qcom_adreno_smmu_init_context, ++ .cfg_probe = qcom_adreno_smmuv2_cfg_probe, + .def_domain_type = qcom_smmu_def_domain_type, + .alloc_context_bank = qcom_adreno_smmu_alloc_context_bank, + .write_sctlr = qcom_adreno_smmu_write_sctlr, +-- +2.43.0 + diff --git a/queue-6.6/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch b/queue-6.6/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch new file mode 100644 index 00000000000..fd0b8cba730 --- /dev/null +++ b/queue-6.6/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch @@ -0,0 +1,39 @@ +From cfadeed968f3f4e22cd249e9a1143599a035cc8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 11:02:11 +0200 +Subject: ipmi: docs: don't advertise deprecated sysfs entries + +From: Wolfram Sang + +[ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ] + +"i2c-adapter" class entries are deprecated since 2009. Switch to the +proper location. + +Reported-by: Heiner Kallweit +Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") +Signed-off-by: Wolfram Sang +Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + Documentation/driver-api/ipmi.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/driver-api/ipmi.rst b/Documentation/driver-api/ipmi.rst +index e224e47b6b094..dfa021eacd63c 100644 +--- a/Documentation/driver-api/ipmi.rst ++++ b/Documentation/driver-api/ipmi.rst +@@ -540,7 +540,7 @@ at module load time (for a module) with:: + alerts_broken + + The addresses are normal I2C addresses. The adapter is the string +-name of the adapter, as shown in /sys/class/i2c-adapter/i2c-/name. ++name of the adapter, as shown in /sys/bus/i2c/devices/i2c-/name. + It is *NOT* i2c- itself. Also, the comparison is done ignoring + spaces, so if the name is "This is an I2C chip" you can say + adapter_name=ThisisanI2cchip. This is because it's hard to pass in +-- +2.43.0 + diff --git a/queue-6.6/ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch b/queue-6.6/ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch new file mode 100644 index 00000000000..cc64eabce4e --- /dev/null +++ b/queue-6.6/ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch @@ -0,0 +1,110 @@ +From 749e3b7a61751f537816531917cedec755678cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 08:31:47 +0000 +Subject: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() + +From: Eric Dumazet + +[ Upstream commit 04ccecfa959d3b9ae7348780d8e379c6486176ac ] + +Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, +as spotted by syzbot: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 + RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline] + RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914 +Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06 +RSP: 0018:ffffc900047374e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0 +RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c +R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18 +R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930 +FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856 + addrconf_notify+0x3cb/0x1020 + notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 + call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] + call_netdevice_notifiers net/core/dev.c:2046 [inline] + unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352 + unregister_netdevice_many net/core/dev.c:11414 [inline] + unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289 + unregister_netdevice include/linux/netdevice.h:3129 [inline] + __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685 + tun_detach drivers/net/tun.c:701 [inline] + tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510 + __fput+0x24a/0x8a0 fs/file_table.c:422 + task_work_run+0x24f/0x310 kernel/task_work.c:228 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0xa2f/0x27f0 kernel/exit.c:882 + do_group_exit+0x207/0x2c0 kernel/exit.c:1031 + __do_sys_exit_group kernel/exit.c:1042 [inline] + __se_sys_exit_group kernel/exit.c:1040 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040 + x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f1acc77def9 +Code: Unable to access opcode bytes at 0x7f1acc77decf. +RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043 +RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0 + +Modules linked in: +---[ end trace 0000000000000000 ]--- + RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline] + RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914 +Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06 +RSP: 0018:ffffc900047374e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0 +RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c +R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18 +R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930 +FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: e332bc67cf5e ("ipv6: Don't call with rt6_uncached_list_flush_dev") +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Reviewed-by: David Ahern +Acked-by: Martin KaFai Lau +Link: https://patch.msgid.link/20240913083147.3095442-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 0299886dbeb91..a9104c4c1c02d 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -175,7 +175,7 @@ static void rt6_uncached_list_flush_dev(struct net_device *dev) + struct net_device *rt_dev = rt->dst.dev; + bool handled = false; + +- if (rt_idev->dev == dev) { ++ if (rt_idev && rt_idev->dev == dev) { + rt->rt6i_idev = in6_dev_get(blackhole_netdev); + in6_dev_put(rt_idev); + handled = true; +-- +2.43.0 + diff --git a/queue-6.6/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch b/queue-6.6/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch new file mode 100644 index 00000000000..3fb9aed2c18 --- /dev/null +++ b/queue-6.6/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch @@ -0,0 +1,68 @@ +From 8e71e5f5851a6206b8b5f38f31dfc885c28a23df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 13:05:46 +0900 +Subject: jfs: fix out-of-bounds in dbNextAG() and diAlloc() + +From: Jeongjun Park + +[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ] + +In dbNextAG() , there is no check for the case where bmp->db_numag is +greater or same than MAXAG due to a polluted image, which causes an +out-of-bounds. Therefore, a bounds check should be added in dbMount(). + +And in dbNextAG(), a check for the case where agpref is greater than +bmp->db_numag should be added, so an out-of-bounds exception should be +prevented. + +Additionally, a check for the case where agno is greater or same than +MAXAG should be added in diAlloc() to prevent out-of-bounds. + +Reported-by: Jeongjun Park +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 4 ++-- + fs/jfs/jfs_imap.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 5713994328cbc..0625d1c0d0649 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) + } + + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); +- if (!bmp->db_numag) { ++ if (!bmp->db_numag || bmp->db_numag >= MAXAG) { + err = -EINVAL; + goto err_release_metapage; + } +@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap) + * average free space. + */ + for (i = 0 ; i < bmp->db_numag; i++, agpref++) { +- if (agpref == bmp->db_numag) ++ if (agpref >= bmp->db_numag) + agpref = 0; + + if (atomic_read(&bmp->db_active[agpref])) +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 82d88dcf0ea6b..b30e4cf2f5794 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip) + /* get the ag number of this iag */ + agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb)); + dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag; +- if (agno < 0 || agno > dn_numag) ++ if (agno < 0 || agno > dn_numag || agno >= MAXAG) + return -EIO; + + if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) { +-- +2.43.0 + diff --git a/queue-6.6/kselftest-arm64-actually-test-sme-vector-length-chan.patch b/queue-6.6/kselftest-arm64-actually-test-sme-vector-length-chan.patch new file mode 100644 index 00000000000..0f5480005f7 --- /dev/null +++ b/queue-6.6/kselftest-arm64-actually-test-sme-vector-length-chan.patch @@ -0,0 +1,72 @@ +From 6ba893505d3961d955ecde747b72f9249e02caaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 18:20:09 +0100 +Subject: kselftest/arm64: Actually test SME vector length changes via + sigreturn + +From: Mark Brown + +[ Upstream commit 6f0315330af7a57c1c00587fdfb69c7778bf1c50 ] + +The test case for SME vector length changes via sigreturn use a bit too +much cut'n'paste and only actually changed the SVE vector length in the +test itself. Andre's recent factoring out of the initialisation code caused +this to be exposed and the test to start failing. Fix the test to actually +cover the thing it's supposed to test. + +Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests") +Signed-off-by: Mark Brown +Reviewed-by: Andre Przywara +Tested-by: Andre Przywara +Link: https://lore.kernel.org/r/20240829-arm64-sme-signal-vl-change-test-v1-1-42d7534cb818@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + .../testcases/fake_sigreturn_sme_change_vl.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c +index cb8c051b5c8f2..dfd6a2badf9fb 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c ++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c +@@ -35,30 +35,30 @@ static int fake_sigreturn_ssve_change_vl(struct tdescr *td, + { + size_t resv_sz, offset; + struct _aarch64_ctx *head = GET_SF_RESV_HEAD(sf); +- struct sve_context *sve; ++ struct za_context *za; + + /* Get a signal context with a SME ZA frame in it */ + if (!get_current_context(td, &sf.uc, sizeof(sf.uc))) + return 1; + + resv_sz = GET_SF_RESV_SIZE(sf); +- head = get_header(head, SVE_MAGIC, resv_sz, &offset); ++ head = get_header(head, ZA_MAGIC, resv_sz, &offset); + if (!head) { +- fprintf(stderr, "No SVE context\n"); ++ fprintf(stderr, "No ZA context\n"); + return 1; + } + +- if (head->size != sizeof(struct sve_context)) { ++ if (head->size != sizeof(struct za_context)) { + fprintf(stderr, "Register data present, aborting\n"); + return 1; + } + +- sve = (struct sve_context *)head; ++ za = (struct za_context *)head; + + /* No changes are supported; init left us at minimum VL so go to max */ + fprintf(stderr, "Attempting to change VL from %d to %d\n", +- sve->vl, vls[0]); +- sve->vl = vls[0]; ++ za->vl, vls[0]); ++ za->vl = vls[0]; + + fake_sigreturn(&sf, sizeof(sf), 0); + +-- +2.43.0 + diff --git a/queue-6.6/kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch b/queue-6.6/kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch new file mode 100644 index 00000000000..3decabb483a --- /dev/null +++ b/queue-6.6/kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch @@ -0,0 +1,570 @@ +From 8fcf0f52775f518ff467b675b217f5ef4c49556e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 17:44:01 +0100 +Subject: kselftest/arm64: signal: fix/refactor SVE vector length enumeration + +From: Andre Przywara + +[ Upstream commit 5225b6562b9a7dc808d5a1e465aaf5e2ebb220cd ] + +Currently a number of SVE/SME related tests have almost identical +functions to enumerate all supported vector lengths. However over time +the copy&pasted code has diverged, allowing some bugs to creep in: +- fake_sigreturn_sme_change_vl reports a failure, not a SKIP if only + one vector length is supported (but the SVE version is fine) +- fake_sigreturn_sme_change_vl tries to set the SVE vector length, not + the SME one (but the other SME tests are fine) +- za_no_regs keeps iterating forever if only one vector length is + supported (but za_regs is correct) + +Since those bugs seem to be mostly copy&paste ones, let's consolidate +the enumeration loop into one shared function, and just call that from +each test. That should fix the above bugs, and prevent similar issues +from happening again. + +Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests") +Signed-off-by: Andre Przywara +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20240821164401.3598545-1-andre.przywara@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/signal/Makefile | 2 +- + .../selftests/arm64/signal/sve_helpers.c | 56 +++++++++++++++++++ + .../selftests/arm64/signal/sve_helpers.h | 21 +++++++ + .../testcases/fake_sigreturn_sme_change_vl.c | 32 +++-------- + .../testcases/fake_sigreturn_sve_change_vl.c | 30 ++-------- + .../arm64/signal/testcases/ssve_regs.c | 36 +++--------- + .../arm64/signal/testcases/ssve_za_regs.c | 36 +++--------- + .../arm64/signal/testcases/sve_regs.c | 32 +++-------- + .../arm64/signal/testcases/za_no_regs.c | 32 +++-------- + .../arm64/signal/testcases/za_regs.c | 36 +++--------- + 10 files changed, 132 insertions(+), 181 deletions(-) + create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.c + create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.h + +diff --git a/tools/testing/selftests/arm64/signal/Makefile b/tools/testing/selftests/arm64/signal/Makefile +index 8f5febaf1a9a2..edb3613513b8a 100644 +--- a/tools/testing/selftests/arm64/signal/Makefile ++++ b/tools/testing/selftests/arm64/signal/Makefile +@@ -23,7 +23,7 @@ $(TEST_GEN_PROGS): $(PROGS) + # Common test-unit targets to build common-layout test-cases executables + # Needs secondary expansion to properly include the testcase c-file in pre-reqs + COMMON_SOURCES := test_signals.c test_signals_utils.c testcases/testcases.c \ +- signals.S ++ signals.S sve_helpers.c + COMMON_HEADERS := test_signals.h test_signals_utils.h testcases/testcases.h + + .SECONDEXPANSION: +diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.c b/tools/testing/selftests/arm64/signal/sve_helpers.c +new file mode 100644 +index 0000000000000..0acc121af3062 +--- /dev/null ++++ b/tools/testing/selftests/arm64/signal/sve_helpers.c +@@ -0,0 +1,56 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Copyright (C) 2024 ARM Limited ++ * ++ * Common helper functions for SVE and SME functionality. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++unsigned int vls[SVE_VQ_MAX]; ++unsigned int nvls; ++ ++int sve_fill_vls(bool use_sme, int min_vls) ++{ ++ int vq, vl; ++ int pr_set_vl = use_sme ? PR_SME_SET_VL : PR_SVE_SET_VL; ++ int len_mask = use_sme ? PR_SME_VL_LEN_MASK : PR_SVE_VL_LEN_MASK; ++ ++ /* ++ * Enumerate up to SVE_VQ_MAX vector lengths ++ */ ++ for (vq = SVE_VQ_MAX; vq > 0; --vq) { ++ vl = prctl(pr_set_vl, vq * 16); ++ if (vl == -1) ++ return KSFT_FAIL; ++ ++ vl &= len_mask; ++ ++ /* ++ * Unlike SVE, SME does not require the minimum vector length ++ * to be implemented, or the VLs to be consecutive, so any call ++ * to the prctl might return the single implemented VL, which ++ * might be larger than 16. So to avoid this loop never ++ * terminating, bail out here when we find a higher VL than ++ * we asked for. ++ * See the ARM ARM, DDI 0487K.a, B1.4.2: I_QQRNR and I_NWYBP. ++ */ ++ if (vq < sve_vq_from_vl(vl)) ++ break; ++ ++ /* Skip missing VLs */ ++ vq = sve_vq_from_vl(vl); ++ ++ vls[nvls++] = vl; ++ } ++ ++ if (nvls < min_vls) { ++ fprintf(stderr, "Only %d VL supported\n", nvls); ++ return KSFT_SKIP; ++ } ++ ++ return KSFT_PASS; ++} +diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.h b/tools/testing/selftests/arm64/signal/sve_helpers.h +new file mode 100644 +index 0000000000000..50948ce471cc6 +--- /dev/null ++++ b/tools/testing/selftests/arm64/signal/sve_helpers.h +@@ -0,0 +1,21 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Copyright (C) 2024 ARM Limited ++ * ++ * Common helper functions for SVE and SME functionality. ++ */ ++ ++#ifndef __SVE_HELPERS_H__ ++#define __SVE_HELPERS_H__ ++ ++#include ++ ++#define VLS_USE_SVE false ++#define VLS_USE_SME true ++ ++extern unsigned int vls[]; ++extern unsigned int nvls; ++ ++int sve_fill_vls(bool use_sme, int min_vls); ++ ++#endif +diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c +index ebd5815b54bba..cb8c051b5c8f2 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c ++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c +@@ -6,44 +6,28 @@ + * handler, this is not supported and is expected to segfault. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + struct fake_sigframe sf; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sme_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SME, 2); + +- /* +- * Enumerate up to SVE_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SVE_SET_VL, vq * 16); +- if (vl == -1) +- return false; ++ if (!res) ++ return true; + +- vl &= PR_SME_VL_LEN_MASK; ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); +- +- vls[nvls++] = vl; +- } +- +- /* We need at least two VLs */ +- if (nvls < 2) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } +- +- return true; ++ return false; + } + + static int fake_sigreturn_ssve_change_vl(struct tdescr *td, +diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c +index e2a452190511f..e1ccf8f85a70c 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c ++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c +@@ -12,40 +12,22 @@ + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + struct fake_sigframe sf; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sve_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SVE, 2); + +- /* +- * Enumerate up to SVE_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SVE_SET_VL, vq * 16); +- if (vl == -1) +- return false; ++ if (!res) ++ return true; + +- vl &= PR_SVE_VL_LEN_MASK; +- +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); +- +- vls[nvls++] = vl; +- } +- +- /* We need at least two VLs */ +- if (nvls < 2) { +- fprintf(stderr, "Only %d VL supported\n", nvls); ++ if (res == KSFT_SKIP) + td->result = KSFT_SKIP; +- return false; +- } + +- return true; ++ return false; + } + + static int fake_sigreturn_sve_change_vl(struct tdescr *td, +diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c +index 3d37daafcff51..6dbe48cf8b09e 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c ++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c +@@ -6,51 +6,31 @@ + * set up as expected. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + static union { + ucontext_t uc; + char buf[1024 * 64]; + } context; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sme_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SME, 1); + +- /* +- * Enumerate up to SVE_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SME_SET_VL, vq * 16); +- if (vl == -1) +- return false; +- +- vl &= PR_SME_VL_LEN_MASK; +- +- /* Did we find the lowest supported VL? */ +- if (vq < sve_vq_from_vl(vl)) +- break; ++ if (!res) ++ return true; + +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); +- +- vls[nvls++] = vl; +- } +- +- /* We need at least one VL */ +- if (nvls < 1) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- return true; ++ return false; + } + + static void setup_ssve_regs(void) +diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c +index 9dc5f128bbc0d..5557e116e9736 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c ++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c +@@ -6,51 +6,31 @@ + * signal frames is set up as expected when enabled simultaneously. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + static union { + ucontext_t uc; + char buf[1024 * 128]; + } context; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sme_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SME, 1); + +- /* +- * Enumerate up to SVE_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SME_SET_VL, vq * 16); +- if (vl == -1) +- return false; +- +- vl &= PR_SME_VL_LEN_MASK; +- +- /* Did we find the lowest supported VL? */ +- if (vq < sve_vq_from_vl(vl)) +- break; ++ if (!res) ++ return true; + +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); +- +- vls[nvls++] = vl; +- } +- +- /* We need at least one VL */ +- if (nvls < 1) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- return true; ++ return false; + } + + static void setup_regs(void) +diff --git a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c +index 8b16eabbb7697..8143eb1c58c18 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c ++++ b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c +@@ -6,47 +6,31 @@ + * expected. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + static union { + ucontext_t uc; + char buf[1024 * 64]; + } context; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sve_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SVE, 1); + +- /* +- * Enumerate up to SVE_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SVE_SET_VL, vq * 16); +- if (vl == -1) +- return false; +- +- vl &= PR_SVE_VL_LEN_MASK; +- +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); ++ if (!res) ++ return true; + +- vls[nvls++] = vl; +- } +- +- /* We need at least one VL */ +- if (nvls < 1) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- return true; ++ return false; + } + + static void setup_sve_regs(void) +diff --git a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c +index 4d6f94b6178f3..ce26e9c2fa5e3 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c ++++ b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c +@@ -6,47 +6,31 @@ + * expected. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + static union { + ucontext_t uc; + char buf[1024 * 128]; + } context; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sme_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SME, 1); + +- /* +- * Enumerate up to SME_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SME_SET_VL, vq * 16); +- if (vl == -1) +- return false; +- +- vl &= PR_SME_VL_LEN_MASK; +- +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); ++ if (!res) ++ return true; + +- vls[nvls++] = vl; +- } +- +- /* We need at least one VL */ +- if (nvls < 1) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- return true; ++ return false; + } + + static int do_one_sme_vl(struct tdescr *td, siginfo_t *si, ucontext_t *uc, +diff --git a/tools/testing/selftests/arm64/signal/testcases/za_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_regs.c +index 174ad66566964..b9e13f27f1f9a 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/za_regs.c ++++ b/tools/testing/selftests/arm64/signal/testcases/za_regs.c +@@ -6,51 +6,31 @@ + * expected. + */ + ++#include + #include + #include + #include + + #include "test_signals_utils.h" ++#include "sve_helpers.h" + #include "testcases.h" + + static union { + ucontext_t uc; + char buf[1024 * 128]; + } context; +-static unsigned int vls[SVE_VQ_MAX]; +-unsigned int nvls = 0; + + static bool sme_get_vls(struct tdescr *td) + { +- int vq, vl; ++ int res = sve_fill_vls(VLS_USE_SME, 1); + +- /* +- * Enumerate up to SME_VQ_MAX vector lengths +- */ +- for (vq = SVE_VQ_MAX; vq > 0; --vq) { +- vl = prctl(PR_SME_SET_VL, vq * 16); +- if (vl == -1) +- return false; +- +- vl &= PR_SME_VL_LEN_MASK; +- +- /* Did we find the lowest supported VL? */ +- if (vq < sve_vq_from_vl(vl)) +- break; ++ if (!res) ++ return true; + +- /* Skip missing VLs */ +- vq = sve_vq_from_vl(vl); +- +- vls[nvls++] = vl; +- } +- +- /* We need at least one VL */ +- if (nvls < 1) { +- fprintf(stderr, "Only %d VL supported\n", nvls); +- return false; +- } ++ if (res == KSFT_SKIP) ++ td->result = KSFT_SKIP; + +- return true; ++ return false; + } + + static void setup_za_regs(void) +-- +2.43.0 + diff --git a/queue-6.6/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch b/queue-6.6/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch new file mode 100644 index 00000000000..e7e01ec6688 --- /dev/null +++ b/queue-6.6/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch @@ -0,0 +1,91 @@ +From 6f581135fc5edf64ad2df2e0b8e5b7e44756cddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 19:23:08 +0800 +Subject: kthread: fix task state in kthread worker if being frozen +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Yu + +[ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ] + +When analyzing a kernel waring message, Peter pointed out that there is a +race condition when the kworker is being frozen and falls into +try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a +might_sleep() warning in try_to_freeze(). Although the root cause is not +related to freeze()[1], it is still worthy to fix this issue ahead. + +One possible race scenario: + + CPU 0 CPU 1 + ----- ----- + + // kthread_worker_fn + set_current_state(TASK_INTERRUPTIBLE); + suspend_freeze_processes() + freeze_processes + static_branch_inc(&freezer_active); + freeze_kernel_threads + pm_nosig_freezing = true; + if (work) { //false + __set_current_state(TASK_RUNNING); + + } else if (!freezing(current)) //false, been frozen + + freezing(): + if (static_branch_unlikely(&freezer_active)) + if (pm_nosig_freezing) + return true; + schedule() + } + + // state is still TASK_INTERRUPTIBLE + try_to_freeze() + might_sleep() <--- warning + +Fix this by explicitly set the TASK_RUNNING before entering +try_to_freeze(). + +Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1] +Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com +Fixes: b56c0d8937e6 ("kthread: implement kthread_worker") +Signed-off-by: Chen Yu +Suggested-by: Peter Zijlstra +Suggested-by: Andrew Morton +Cc: Andreas Gruenbacher +Cc: David Gow +Cc: Mateusz Guzik +Cc: Mickaël Salaün +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kthread.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 290cbc845225e..ac03bc55e17ca 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -844,8 +844,16 @@ int kthread_worker_fn(void *worker_ptr) + * event only cares about the address. + */ + trace_sched_kthread_work_execute_end(work, func); +- } else if (!freezing(current)) ++ } else if (!freezing(current)) { + schedule(); ++ } else { ++ /* ++ * Handle the case where the current remains ++ * TASK_INTERRUPTIBLE. try_to_freeze() expects ++ * the current to be TASK_RUNNING. ++ */ ++ __set_current_state(TASK_RUNNING); ++ } + + try_to_freeze(); + cond_resched(); +-- +2.43.0 + diff --git a/queue-6.6/leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch b/queue-6.6/leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch new file mode 100644 index 00000000000..17aa05c20a8 --- /dev/null +++ b/queue-6.6/leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch @@ -0,0 +1,104 @@ +From 31dabdd19d52eafaece373266783ed071c911091 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jul 2024 17:19:03 +0200 +Subject: leds: bd2606mvv: Fix device child node usage in bd2606mvv_probe() + +From: Javier Carrasco + +[ Upstream commit ffbf1fcb421429916a861cfc25dfe0c6387dda75 ] + +The current implementation accesses the `child` fwnode handle outside of +fwnode_for_each_available_child_node() without incrementing its +refcount. Add the missing call to `fwnode_handle_get(child)`. + +The cleanup process where `child` is accessed is not right either +because a single call to `fwnode_handle_put()` is carried out in case of +an error, ignoring unasigned nodes at the point when the error happens. +Keep `child` inside of the first loop, and use the helper pointer that +receives references via `fwnode_handle_get()` to handle the child nodes +within the second loop. + +Moreover, the iterated nodes are direct children of the device node, +and the `device_for_each_child_node()` macro accounts for child node +availability. By restricting `child` to live within that loop, the +scoped version of it can be used to simplify the error handling. + +`fwnode_for_each_available_child_node()` is meant to access the child +nodes of an fwnode, and therefore not direct child nodes of the device +node. + +Use `device_for_each_child_node_scoped()` to indicate device's direct +child nodes. + +Fixes: 8325642d2757 ("leds: bd2606mvv: Driver for the Rohm 6 Channel i2c LED driver") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-bd2606mvv.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/drivers/leds/leds-bd2606mvv.c b/drivers/leds/leds-bd2606mvv.c +index 3fda712d2f809..c1181a35d0f76 100644 +--- a/drivers/leds/leds-bd2606mvv.c ++++ b/drivers/leds/leds-bd2606mvv.c +@@ -69,16 +69,14 @@ static const struct regmap_config bd2606mvv_regmap = { + + static int bd2606mvv_probe(struct i2c_client *client) + { +- struct fwnode_handle *np, *child; + struct device *dev = &client->dev; + struct bd2606mvv_priv *priv; + struct fwnode_handle *led_fwnodes[BD2606_MAX_LEDS] = { 0 }; + int active_pairs[BD2606_MAX_LEDS / 2] = { 0 }; + int err, reg; +- int i; ++ int i, j; + +- np = dev_fwnode(dev); +- if (!np) ++ if (!dev_fwnode(dev)) + return -ENODEV; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); +@@ -94,20 +92,18 @@ static int bd2606mvv_probe(struct i2c_client *client) + + i2c_set_clientdata(client, priv); + +- fwnode_for_each_available_child_node(np, child) { ++ device_for_each_child_node_scoped(dev, child) { + struct bd2606mvv_led *led; + + err = fwnode_property_read_u32(child, "reg", ®); +- if (err) { +- fwnode_handle_put(child); ++ if (err) + return err; +- } +- if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg]) { +- fwnode_handle_put(child); ++ ++ if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg]) + return -EINVAL; +- } ++ + led = &priv->leds[reg]; +- led_fwnodes[reg] = child; ++ led_fwnodes[reg] = fwnode_handle_get(child); + active_pairs[reg / 2]++; + led->priv = priv; + led->led_no = reg; +@@ -130,7 +126,8 @@ static int bd2606mvv_probe(struct i2c_client *client) + &priv->leds[i].ldev, + &init_data); + if (err < 0) { +- fwnode_handle_put(child); ++ for (j = i; j < BD2606_MAX_LEDS; j++) ++ fwnode_handle_put(led_fwnodes[j]); + return dev_err_probe(dev, err, + "couldn't register LED %s\n", + priv->leds[i].ldev.name); +-- +2.43.0 + diff --git a/queue-6.6/leds-leds-pca995x-add-support-for-nxp-pca9956b.patch b/queue-6.6/leds-leds-pca995x-add-support-for-nxp-pca9956b.patch new file mode 100644 index 00000000000..758e6580ebe --- /dev/null +++ b/queue-6.6/leds-leds-pca995x-add-support-for-nxp-pca9956b.patch @@ -0,0 +1,160 @@ +From 41e5101305d2bc4c3e634b5d1c121ee0d7adff2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 14:49:51 +0200 +Subject: leds: leds-pca995x: Add support for NXP PCA9956B + +From: Pieterjan Camerlynck + +[ Upstream commit 68d6520d2e76998cdea58f6dd8782de5ab5b28af ] + +Add support for PCA9956B chip, which belongs to the same family. + +This chip features 24 instead of 16 outputs, so add a chipdef struct to +deal with the different register layouts. + +Reviewed-by: Marek Vasut +Signed-off-by: Pieterjan Camerlynck +Link: https://lore.kernel.org/r/20240711-pca995x-v4-2-702a67148065@gmail.com +Signed-off-by: Lee Jones +Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()") +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pca995x.c | 59 ++++++++++++++++++++++++------------- + 1 file changed, 39 insertions(+), 20 deletions(-) + +diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c +index 78215dff14997..686b77772ccec 100644 +--- a/drivers/leds/leds-pca995x.c ++++ b/drivers/leds/leds-pca995x.c +@@ -19,10 +19,6 @@ + #define PCA995X_MODE1 0x00 + #define PCA995X_MODE2 0x01 + #define PCA995X_LEDOUT0 0x02 +-#define PCA9955B_PWM0 0x08 +-#define PCA9952_PWM0 0x0A +-#define PCA9952_IREFALL 0x43 +-#define PCA9955B_IREFALL 0x45 + + /* Auto-increment disabled. Normal mode */ + #define PCA995X_MODE1_CFG 0x00 +@@ -34,17 +30,38 @@ + #define PCA995X_LDRX_MASK 0x3 + #define PCA995X_LDRX_BITS 2 + +-#define PCA995X_MAX_OUTPUTS 16 ++#define PCA995X_MAX_OUTPUTS 24 + #define PCA995X_OUTPUTS_PER_REG 4 + + #define PCA995X_IREFALL_FULL_CFG 0xFF + #define PCA995X_IREFALL_HALF_CFG (PCA995X_IREFALL_FULL_CFG / 2) + +-#define PCA995X_TYPE_NON_B 0 +-#define PCA995X_TYPE_B 1 +- + #define ldev_to_led(c) container_of(c, struct pca995x_led, ldev) + ++struct pca995x_chipdef { ++ unsigned int num_leds; ++ u8 pwm_base; ++ u8 irefall; ++}; ++ ++static const struct pca995x_chipdef pca9952_chipdef = { ++ .num_leds = 16, ++ .pwm_base = 0x0a, ++ .irefall = 0x43, ++}; ++ ++static const struct pca995x_chipdef pca9955b_chipdef = { ++ .num_leds = 16, ++ .pwm_base = 0x08, ++ .irefall = 0x45, ++}; ++ ++static const struct pca995x_chipdef pca9956b_chipdef = { ++ .num_leds = 24, ++ .pwm_base = 0x0a, ++ .irefall = 0x40, ++}; ++ + struct pca995x_led { + unsigned int led_no; + struct led_classdev ldev; +@@ -54,7 +71,7 @@ struct pca995x_led { + struct pca995x_chip { + struct regmap *regmap; + struct pca995x_led leds[PCA995X_MAX_OUTPUTS]; +- int btype; ++ const struct pca995x_chipdef *chipdef; + }; + + static int pca995x_brightness_set(struct led_classdev *led_cdev, +@@ -62,10 +79,11 @@ static int pca995x_brightness_set(struct led_classdev *led_cdev, + { + struct pca995x_led *led = ldev_to_led(led_cdev); + struct pca995x_chip *chip = led->chip; ++ const struct pca995x_chipdef *chipdef = chip->chipdef; + u8 ledout_addr, pwmout_addr; + int shift, ret; + +- pwmout_addr = (chip->btype ? PCA9955B_PWM0 : PCA9952_PWM0) + led->led_no; ++ pwmout_addr = chipdef->pwm_base + led->led_no; + ledout_addr = PCA995X_LEDOUT0 + (led->led_no / PCA995X_OUTPUTS_PER_REG); + shift = PCA995X_LDRX_BITS * (led->led_no % PCA995X_OUTPUTS_PER_REG); + +@@ -104,11 +122,12 @@ static int pca995x_probe(struct i2c_client *client) + struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 }; + struct fwnode_handle *np, *child; + struct device *dev = &client->dev; ++ const struct pca995x_chipdef *chipdef; + struct pca995x_chip *chip; + struct pca995x_led *led; +- int i, btype, reg, ret; ++ int i, reg, ret; + +- btype = (unsigned long)device_get_match_data(&client->dev); ++ chipdef = device_get_match_data(&client->dev); + + np = dev_fwnode(dev); + if (!np) +@@ -118,7 +137,7 @@ static int pca995x_probe(struct i2c_client *client) + if (!chip) + return -ENOMEM; + +- chip->btype = btype; ++ chip->chipdef = chipdef; + chip->regmap = devm_regmap_init_i2c(client, &pca995x_regmap); + if (IS_ERR(chip->regmap)) + return PTR_ERR(chip->regmap); +@@ -170,21 +189,21 @@ static int pca995x_probe(struct i2c_client *client) + return ret; + + /* IREF Output current value for all LEDn outputs */ +- return regmap_write(chip->regmap, +- btype ? PCA9955B_IREFALL : PCA9952_IREFALL, +- PCA995X_IREFALL_HALF_CFG); ++ return regmap_write(chip->regmap, chipdef->irefall, PCA995X_IREFALL_HALF_CFG); + } + + static const struct i2c_device_id pca995x_id[] = { +- { "pca9952", .driver_data = (kernel_ulong_t)PCA995X_TYPE_NON_B }, +- { "pca9955b", .driver_data = (kernel_ulong_t)PCA995X_TYPE_B }, ++ { "pca9952", .driver_data = (kernel_ulong_t)&pca9952_chipdef }, ++ { "pca9955b", .driver_data = (kernel_ulong_t)&pca9955b_chipdef }, ++ { "pca9956b", .driver_data = (kernel_ulong_t)&pca9956b_chipdef }, + {} + }; + MODULE_DEVICE_TABLE(i2c, pca995x_id); + + static const struct of_device_id pca995x_of_match[] = { +- { .compatible = "nxp,pca9952", .data = (void *)PCA995X_TYPE_NON_B }, +- { .compatible = "nxp,pca9955b", .data = (void *)PCA995X_TYPE_B }, ++ { .compatible = "nxp,pca9952", .data = &pca9952_chipdef }, ++ { .compatible = "nxp,pca9955b", . data = &pca9955b_chipdef }, ++ { .compatible = "nxp,pca9956b", .data = &pca9956b_chipdef }, + {}, + }; + MODULE_DEVICE_TABLE(of, pca995x_of_match); +-- +2.43.0 + diff --git a/queue-6.6/leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch b/queue-6.6/leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch new file mode 100644 index 00000000000..944ddde84fe --- /dev/null +++ b/queue-6.6/leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch @@ -0,0 +1,81 @@ +From 7229c3504388cc1e57571e2087dcec32cc09badf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 15:37:03 +0200 +Subject: leds: pca995x: Fix device child node usage in pca995x_probe() + +From: Javier Carrasco + +[ Upstream commit 82c5ada1f9d05902a4ccb926c7ce34e2fe699283 ] + +The current implementation accesses the `child` fwnode handle outside of +device_for_each_child_node() without incrementing its refcount. + +Add the missing call to `fwnode_handle_get(child)`. + +The cleanup process where `child` is accessed is not right either +because a single call to `fwnode_handle_put()` is carried out in case of +an error, ignoring unasigned nodes at the point when the error happens. + +Keep `child` inside of the first loop, and use the helper pointer that +receives references via `fwnode_handle_get()` to handle the child nodes +within the second loop. Keeping `child` inside the first node has also +the advantage that the scoped version of the loop can be used. + +Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20240807-leds-pca995x-fix-fwnode-usage-v1-1-8057c84dc583@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pca995x.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c +index 83bc9669544c3..11c7bb69573e8 100644 +--- a/drivers/leds/leds-pca995x.c ++++ b/drivers/leds/leds-pca995x.c +@@ -120,12 +120,11 @@ static const struct regmap_config pca995x_regmap = { + static int pca995x_probe(struct i2c_client *client) + { + struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 }; +- struct fwnode_handle *child; + struct device *dev = &client->dev; + const struct pca995x_chipdef *chipdef; + struct pca995x_chip *chip; + struct pca995x_led *led; +- int i, reg, ret; ++ int i, j, reg, ret; + + chipdef = device_get_match_data(&client->dev); + +@@ -143,7 +142,7 @@ static int pca995x_probe(struct i2c_client *client) + + i2c_set_clientdata(client, chip); + +- device_for_each_child_node(dev, child) { ++ device_for_each_child_node_scoped(dev, child) { + ret = fwnode_property_read_u32(child, "reg", ®); + if (ret) + return ret; +@@ -152,7 +151,7 @@ static int pca995x_probe(struct i2c_client *client) + return -EINVAL; + + led = &chip->leds[reg]; +- led_fwnodes[reg] = child; ++ led_fwnodes[reg] = fwnode_handle_get(child); + led->chip = chip; + led->led_no = reg; + led->ldev.brightness_set_blocking = pca995x_brightness_set; +@@ -171,7 +170,8 @@ static int pca995x_probe(struct i2c_client *client) + &chip->leds[i].ldev, + &init_data); + if (ret < 0) { +- fwnode_handle_put(child); ++ for (j = i; j < PCA995X_MAX_OUTPUTS; j++) ++ fwnode_handle_put(led_fwnodes[j]); + return dev_err_probe(dev, ret, + "Could not register LED %s\n", + chip->leds[i].ldev.name); +-- +2.43.0 + diff --git a/queue-6.6/leds-pca995x-use-device_for_each_child_node-to-acces.patch b/queue-6.6/leds-pca995x-use-device_for_each_child_node-to-acces.patch new file mode 100644 index 00000000000..75a8c05f044 --- /dev/null +++ b/queue-6.6/leds-pca995x-use-device_for_each_child_node-to-acces.patch @@ -0,0 +1,78 @@ +From e8b1fa75217622e6afcd7be473347f73dfcfc39f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 16:49:45 +0200 +Subject: leds: pca995x: Use device_for_each_child_node() to access device + child nodes + +From: Javier Carrasco + +[ Upstream commit 6eefd65ba6ae29ab801f6461e59c10f93dd496f8 ] + +The iterated nodes are direct children of the device node, and the +`device_for_each_child_node()` macro accounts for child node +availability. + +`fwnode_for_each_available_child_node()` is meant to access the child +nodes of an fwnode, and therefore not direct child nodes of the device +node. + +Use `device_for_each_child_node()` to indicate device's direct child +nodes. + +Signed-off-by: Javier Carrasco +Reviewed-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240805-device_for_each_child_node-available-v3-2-48243a4aa5c0@gmail.com +Signed-off-by: Lee Jones +Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()") +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pca995x.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c +index 686b77772ccec..83bc9669544c3 100644 +--- a/drivers/leds/leds-pca995x.c ++++ b/drivers/leds/leds-pca995x.c +@@ -120,7 +120,7 @@ static const struct regmap_config pca995x_regmap = { + static int pca995x_probe(struct i2c_client *client) + { + struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 }; +- struct fwnode_handle *np, *child; ++ struct fwnode_handle *child; + struct device *dev = &client->dev; + const struct pca995x_chipdef *chipdef; + struct pca995x_chip *chip; +@@ -129,8 +129,7 @@ static int pca995x_probe(struct i2c_client *client) + + chipdef = device_get_match_data(&client->dev); + +- np = dev_fwnode(dev); +- if (!np) ++ if (!dev_fwnode(dev)) + return -ENODEV; + + chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL); +@@ -144,17 +143,13 @@ static int pca995x_probe(struct i2c_client *client) + + i2c_set_clientdata(client, chip); + +- fwnode_for_each_available_child_node(np, child) { ++ device_for_each_child_node(dev, child) { + ret = fwnode_property_read_u32(child, "reg", ®); +- if (ret) { +- fwnode_handle_put(child); ++ if (ret) + return ret; +- } + +- if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg]) { +- fwnode_handle_put(child); ++ if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg]) + return -EINVAL; +- } + + led = &chip->leds[reg]; + led_fwnodes[reg] = child; +-- +2.43.0 + diff --git a/queue-6.6/lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch b/queue-6.6/lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch new file mode 100644 index 00000000000..57d1bda4c50 --- /dev/null +++ b/queue-6.6/lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch @@ -0,0 +1,65 @@ +From af56b40e9b65a8e41b5b79a7306c3b8b5d7243c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 10:17:09 +0800 +Subject: lib/sbitmap: define swap_lock as raw_spinlock_t + +From: Ming Lei + +[ Upstream commit 65f666c6203600053478ce8e34a1db269a8701c9 ] + +When called from sbitmap_queue_get(), sbitmap_deferred_clear() may be run +with preempt disabled. In RT kernel, spin_lock() can sleep, then warning +of "BUG: sleeping function called from invalid context" can be triggered. + +Fix it by replacing it with raw_spin_lock. + +Cc: Yang Yang +Fixes: 72d04bdcf3f7 ("sbitmap: fix io hung due to race on sbitmap_word::cleared") +Signed-off-by: Ming Lei +Reviewed-by: Yang Yang +Link: https://lore.kernel.org/r/20240919021709.511329-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/sbitmap.h | 2 +- + lib/sbitmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/sbitmap.h b/include/linux/sbitmap.h +index c09cdcc99471e..189140bf11fc4 100644 +--- a/include/linux/sbitmap.h ++++ b/include/linux/sbitmap.h +@@ -40,7 +40,7 @@ struct sbitmap_word { + /** + * @swap_lock: serializes simultaneous updates of ->word and ->cleared + */ +- spinlock_t swap_lock; ++ raw_spinlock_t swap_lock; + } ____cacheline_aligned_in_smp; + + /** +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index 9307bf17a8175..1d5e157486922 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -65,7 +65,7 @@ static inline bool sbitmap_deferred_clear(struct sbitmap_word *map, + { + unsigned long mask, word_mask; + +- guard(spinlock_irqsave)(&map->swap_lock); ++ guard(raw_spinlock_irqsave)(&map->swap_lock); + + if (!map->cleared) { + if (depth == 0) +@@ -136,7 +136,7 @@ int sbitmap_init_node(struct sbitmap *sb, unsigned int depth, int shift, + } + + for (i = 0; i < sb->map_nr; i++) +- spin_lock_init(&sb->map[i].swap_lock); ++ raw_spin_lock_init(&sb->map[i].swap_lock); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/libbpf-convert-st_ops-data-to-shadow-type.patch b/queue-6.6/libbpf-convert-st_ops-data-to-shadow-type.patch new file mode 100644 index 00000000000..1cd470f4d55 --- /dev/null +++ b/queue-6.6/libbpf-convert-st_ops-data-to-shadow-type.patch @@ -0,0 +1,117 @@ +From baf8312a8fc1a0eaec7c8d7bdee15c6c69d0756d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 22:45:20 -0800 +Subject: libbpf: Convert st_ops->data to shadow type. + +From: Kui-Feng Lee + +[ Upstream commit 69e4a9d2b3f5adf5af4feeab0a9f505da971265a ] + +Convert st_ops->data to the shadow type of the struct_ops map. The shadow +type of a struct_ops type is a variant of the original struct type +providing a way to access/change the values in the maps of the struct_ops +type. + +bpf_map__initial_value() will return st_ops->data for struct_ops types. The +skeleton is going to use it as the pointer to the shadow type of the +original struct type. + +One of the main differences between the original struct type and the shadow +type is that all function pointers of the shadow type are converted to +pointers of struct bpf_program. Users can replace these bpf_program +pointers with other BPF programs. The st_ops->progs[] will be updated +before updating the value of a map to reflect the changes made by users. + +Signed-off-by: Kui-Feng Lee +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240229064523.2091270-3-thinker.li@gmail.com +Stable-dep-of: 04a94133f1b3 ("libbpf: Don't take direct pointers into BTF data from st_ops") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index a2b765e419c16..c91917868b557 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -994,6 +994,19 @@ static bool bpf_map__is_struct_ops(const struct bpf_map *map) + return map->def.type == BPF_MAP_TYPE_STRUCT_OPS; + } + ++static bool is_valid_st_ops_program(struct bpf_object *obj, ++ const struct bpf_program *prog) ++{ ++ int i; ++ ++ for (i = 0; i < obj->nr_programs; i++) { ++ if (&obj->programs[i] == prog) ++ return prog->type == BPF_PROG_TYPE_STRUCT_OPS; ++ } ++ ++ return false; ++} ++ + /* Init the map's fields that depend on kern_btf */ + static int bpf_map__init_kern_struct_ops(struct bpf_map *map) + { +@@ -1082,9 +1095,16 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map) + if (btf_is_ptr(mtype)) { + struct bpf_program *prog; + +- prog = st_ops->progs[i]; ++ /* Update the value from the shadow type */ ++ prog = *(void **)mdata; ++ st_ops->progs[i] = prog; + if (!prog) + continue; ++ if (!is_valid_st_ops_program(obj, prog)) { ++ pr_warn("struct_ops init_kern %s: member %s is not a struct_ops program\n", ++ map->name, mname); ++ return -ENOTSUP; ++ } + + kern_mtype = skip_mods_and_typedefs(kern_btf, + kern_mtype->type, +@@ -9165,7 +9185,9 @@ static struct bpf_map *find_struct_ops_map_by_offset(struct bpf_object *obj, + return NULL; + } + +-/* Collect the reloc from ELF and populate the st_ops->progs[] */ ++/* Collect the reloc from ELF, populate the st_ops->progs[], and update ++ * st_ops->data for shadow type. ++ */ + static int bpf_object__collect_st_ops_relos(struct bpf_object *obj, + Elf64_Shdr *shdr, Elf_Data *data) + { +@@ -9279,6 +9301,14 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj, + } + + st_ops->progs[member_idx] = prog; ++ ++ /* st_ops->data will be exposed to users, being returned by ++ * bpf_map__initial_value() as a pointer to the shadow ++ * type. All function pointers in the original struct type ++ * should be converted to a pointer to struct bpf_program ++ * in the shadow type. ++ */ ++ *((struct bpf_program **)(st_ops->data + moff)) = prog; + } + + return 0; +@@ -9730,6 +9760,12 @@ int bpf_map__set_initial_value(struct bpf_map *map, + + void *bpf_map__initial_value(struct bpf_map *map, size_t *psize) + { ++ if (bpf_map__is_struct_ops(map)) { ++ if (psize) ++ *psize = map->def.value_size; ++ return map->st_ops->data; ++ } ++ + if (!map->mmaped) + return NULL; + *psize = map->def.value_size; +-- +2.43.0 + diff --git a/queue-6.6/libbpf-don-t-take-direct-pointers-into-btf-data-from.patch b/queue-6.6/libbpf-don-t-take-direct-pointers-into-btf-data-from.patch new file mode 100644 index 00000000000..9abf327c452 --- /dev/null +++ b/queue-6.6/libbpf-don-t-take-direct-pointers-into-btf-data-from.patch @@ -0,0 +1,125 @@ +From 235ace355a9655ba562dffe8271fdd211f09b991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 12:14:58 -0500 +Subject: libbpf: Don't take direct pointers into BTF data from st_ops + +From: David Vernet + +[ Upstream commit 04a94133f1b3cccb19e056c26f056c50b4e5b3b1 ] + +In struct bpf_struct_ops, we have take a pointer to a BTF type name, and +a struct btf_type. This was presumably done for convenience, but can +actually result in subtle and confusing bugs given that BTF data can be +invalidated before a program is loaded. For example, in sched_ext, we +may sometimes resize a data section after a skeleton has been opened, +but before the struct_ops scheduler map has been loaded. This may cause +the BTF data to be realloc'd, which can then cause a UAF when loading +the program because the struct_ops map has pointers directly into the +BTF data. + +We're already storing the BTF type_id in struct bpf_struct_ops. Because +type_id is stable, we can therefore just update the places where we were +looking at those pointers to instead do the lookups we need from the +type_id. + +Fixes: 590a00888250 ("bpf: libbpf: Add STRUCT_OPS support") +Signed-off-by: David Vernet +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240724171459.281234-1-void@manifault.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index aeed9bc44247b..bf1c4c69fd92d 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -457,8 +457,6 @@ struct bpf_program { + }; + + struct bpf_struct_ops { +- const char *tname; +- const struct btf_type *type; + struct bpf_program **progs; + __u32 *kern_func_off; + /* e.g. struct tcp_congestion_ops in bpf_prog's btf format */ +@@ -1027,11 +1025,14 @@ static int bpf_object_adjust_struct_ops_autoload(struct bpf_object *obj) + continue; + + for (j = 0; j < obj->nr_maps; ++j) { ++ const struct btf_type *type; ++ + map = &obj->maps[j]; + if (!bpf_map__is_struct_ops(map)) + continue; + +- vlen = btf_vlen(map->st_ops->type); ++ type = btf__type_by_id(obj->btf, map->st_ops->type_id); ++ vlen = btf_vlen(type); + for (k = 0; k < vlen; ++k) { + slot_prog = map->st_ops->progs[k]; + if (prog != slot_prog) +@@ -1065,8 +1066,8 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map) + int err; + + st_ops = map->st_ops; +- type = st_ops->type; +- tname = st_ops->tname; ++ type = btf__type_by_id(btf, st_ops->type_id); ++ tname = btf__name_by_offset(btf, type->name_off); + err = find_struct_ops_kern_types(obj, tname, &mod_btf, + &kern_type, &kern_type_id, + &kern_vtype, &kern_vtype_id, +@@ -1298,8 +1299,6 @@ static int init_struct_ops_maps(struct bpf_object *obj, const char *sec_name, + memcpy(st_ops->data, + data->d_buf + vsi->offset, + type->size); +- st_ops->tname = tname; +- st_ops->type = type; + st_ops->type_id = type_id; + + pr_debug("struct_ops init: struct %s(type_id=%u) %s found at offset %u\n", +@@ -7995,11 +7994,13 @@ static int bpf_object__resolve_externs(struct bpf_object *obj, + + static void bpf_map_prepare_vdata(const struct bpf_map *map) + { ++ const struct btf_type *type; + struct bpf_struct_ops *st_ops; + __u32 i; + + st_ops = map->st_ops; +- for (i = 0; i < btf_vlen(st_ops->type); i++) { ++ type = btf__type_by_id(map->obj->btf, st_ops->type_id); ++ for (i = 0; i < btf_vlen(type); i++) { + struct bpf_program *prog = st_ops->progs[i]; + void *kern_data; + int prog_fd; +@@ -9234,6 +9235,7 @@ static struct bpf_map *find_struct_ops_map_by_offset(struct bpf_object *obj, + static int bpf_object__collect_st_ops_relos(struct bpf_object *obj, + Elf64_Shdr *shdr, Elf_Data *data) + { ++ const struct btf_type *type; + const struct btf_member *member; + struct bpf_struct_ops *st_ops; + struct bpf_program *prog; +@@ -9293,13 +9295,14 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj, + } + insn_idx = sym->st_value / BPF_INSN_SZ; + +- member = find_member_by_offset(st_ops->type, moff * 8); ++ type = btf__type_by_id(btf, st_ops->type_id); ++ member = find_member_by_offset(type, moff * 8); + if (!member) { + pr_warn("struct_ops reloc %s: cannot find member at moff %u\n", + map->name, moff); + return -EINVAL; + } +- member_idx = member - btf_members(st_ops->type); ++ member_idx = member - btf_members(type); + name = btf__name_by_offset(btf, member->name_off); + + if (!resolve_func_ptr(btf, member->type, NULL)) { +-- +2.43.0 + diff --git a/queue-6.6/libbpf-find-correct-module-btfs-for-struct_ops-maps-.patch b/queue-6.6/libbpf-find-correct-module-btfs-for-struct_ops-maps-.patch new file mode 100644 index 00000000000..ce05742cc9f --- /dev/null +++ b/queue-6.6/libbpf-find-correct-module-btfs-for-struct_ops-maps-.patch @@ -0,0 +1,216 @@ +From 3964fbc9879994d2c5a6b862fbebc59abf820ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 14:50:03 -0800 +Subject: libbpf: Find correct module BTFs for struct_ops maps and progs. + +From: Kui-Feng Lee + +[ Upstream commit 9e926acda0c2e21bca431a1818665ddcd6939755 ] + +Locate the module BTFs for struct_ops maps and progs and pass them to the +kernel. This ensures that the kernel correctly resolves type IDs from the +appropriate module BTFs. + +For the map of a struct_ops object, the FD of the module BTF is set to +bpf_map to keep a reference to the module BTF. The FD is passed to the +kernel as value_type_btf_obj_fd when the struct_ops object is loaded. + +For a bpf_struct_ops prog, attach_btf_obj_fd of bpf_prog is the FD of a +module BTF in the kernel. + +Signed-off-by: Kui-Feng Lee +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20240119225005.668602-13-thinker.li@gmail.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: 04a94133f1b3 ("libbpf: Don't take direct pointers into BTF data from st_ops") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf.c | 4 +++- + tools/lib/bpf/bpf.h | 4 +++- + tools/lib/bpf/libbpf.c | 41 ++++++++++++++++++++++++++--------- + tools/lib/bpf/libbpf_probes.c | 1 + + 4 files changed, 38 insertions(+), 12 deletions(-) + +diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c +index b0f1913763a33..ee18aea4a7b58 100644 +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -169,7 +169,8 @@ int bpf_map_create(enum bpf_map_type map_type, + __u32 max_entries, + const struct bpf_map_create_opts *opts) + { +- const size_t attr_sz = offsetofend(union bpf_attr, map_extra); ++ const size_t attr_sz = offsetofend(union bpf_attr, ++ value_type_btf_obj_fd); + union bpf_attr attr; + int fd; + +@@ -191,6 +192,7 @@ int bpf_map_create(enum bpf_map_type map_type, + attr.btf_key_type_id = OPTS_GET(opts, btf_key_type_id, 0); + attr.btf_value_type_id = OPTS_GET(opts, btf_value_type_id, 0); + attr.btf_vmlinux_value_type_id = OPTS_GET(opts, btf_vmlinux_value_type_id, 0); ++ attr.value_type_btf_obj_fd = OPTS_GET(opts, value_type_btf_obj_fd, -1); + + attr.inner_map_fd = OPTS_GET(opts, inner_map_fd, 0); + attr.map_flags = OPTS_GET(opts, map_flags, 0); +diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h +index 107fef7488682..db0ff8ade19a4 100644 +--- a/tools/lib/bpf/bpf.h ++++ b/tools/lib/bpf/bpf.h +@@ -51,8 +51,10 @@ struct bpf_map_create_opts { + + __u32 numa_node; + __u32 map_ifindex; ++ __s32 value_type_btf_obj_fd; ++ size_t:0; + }; +-#define bpf_map_create_opts__last_field map_ifindex ++#define bpf_map_create_opts__last_field value_type_btf_obj_fd + + LIBBPF_API int bpf_map_create(enum bpf_map_type map_type, + const char *map_name, +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 54f3380010f55..a2b765e419c16 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -518,6 +518,7 @@ struct bpf_map { + struct bpf_map_def def; + __u32 numa_node; + __u32 btf_var_idx; ++ int mod_btf_fd; + __u32 btf_key_type_id; + __u32 btf_value_type_id; + __u32 btf_vmlinux_value_type_id; +@@ -918,22 +919,29 @@ find_member_by_name(const struct btf *btf, const struct btf_type *t, + return NULL; + } + ++static int find_ksym_btf_id(struct bpf_object *obj, const char *ksym_name, ++ __u16 kind, struct btf **res_btf, ++ struct module_btf **res_mod_btf); ++ + #define STRUCT_OPS_VALUE_PREFIX "bpf_struct_ops_" + static int find_btf_by_prefix_kind(const struct btf *btf, const char *prefix, + const char *name, __u32 kind); + + static int +-find_struct_ops_kern_types(const struct btf *btf, const char *tname, ++find_struct_ops_kern_types(struct bpf_object *obj, const char *tname, ++ struct module_btf **mod_btf, + const struct btf_type **type, __u32 *type_id, + const struct btf_type **vtype, __u32 *vtype_id, + const struct btf_member **data_member) + { + const struct btf_type *kern_type, *kern_vtype; + const struct btf_member *kern_data_member; ++ struct btf *btf; + __s32 kern_vtype_id, kern_type_id; + __u32 i; + +- kern_type_id = btf__find_by_name_kind(btf, tname, BTF_KIND_STRUCT); ++ kern_type_id = find_ksym_btf_id(obj, tname, BTF_KIND_STRUCT, ++ &btf, mod_btf); + if (kern_type_id < 0) { + pr_warn("struct_ops init_kern: struct %s is not found in kernel BTF\n", + tname); +@@ -987,14 +995,16 @@ static bool bpf_map__is_struct_ops(const struct bpf_map *map) + } + + /* Init the map's fields that depend on kern_btf */ +-static int bpf_map__init_kern_struct_ops(struct bpf_map *map, +- const struct btf *btf, +- const struct btf *kern_btf) ++static int bpf_map__init_kern_struct_ops(struct bpf_map *map) + { + const struct btf_member *member, *kern_member, *kern_data_member; + const struct btf_type *type, *kern_type, *kern_vtype; + __u32 i, kern_type_id, kern_vtype_id, kern_data_off; ++ struct bpf_object *obj = map->obj; ++ const struct btf *btf = obj->btf; + struct bpf_struct_ops *st_ops; ++ const struct btf *kern_btf; ++ struct module_btf *mod_btf; + void *data, *kern_data; + const char *tname; + int err; +@@ -1002,16 +1012,19 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map, + st_ops = map->st_ops; + type = st_ops->type; + tname = st_ops->tname; +- err = find_struct_ops_kern_types(kern_btf, tname, ++ err = find_struct_ops_kern_types(obj, tname, &mod_btf, + &kern_type, &kern_type_id, + &kern_vtype, &kern_vtype_id, + &kern_data_member); + if (err) + return err; + ++ kern_btf = mod_btf ? mod_btf->btf : obj->btf_vmlinux; ++ + pr_debug("struct_ops init_kern %s: type_id:%u kern_type_id:%u kern_vtype_id:%u\n", + map->name, st_ops->type_id, kern_type_id, kern_vtype_id); + ++ map->mod_btf_fd = mod_btf ? mod_btf->fd : -1; + map->def.value_size = kern_vtype->size; + map->btf_vmlinux_value_type_id = kern_vtype_id; + +@@ -1087,6 +1100,8 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map, + return -ENOTSUP; + } + ++ if (mod_btf) ++ prog->attach_btf_obj_fd = mod_btf->fd; + prog->attach_btf_id = kern_type_id; + prog->expected_attach_type = kern_member_idx; + +@@ -1129,8 +1144,7 @@ static int bpf_object__init_kern_struct_ops_maps(struct bpf_object *obj) + if (!bpf_map__is_struct_ops(map)) + continue; + +- err = bpf_map__init_kern_struct_ops(map, obj->btf, +- obj->btf_vmlinux); ++ err = bpf_map__init_kern_struct_ops(map); + if (err) + return err; + } +@@ -5133,8 +5147,13 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b + create_attr.numa_node = map->numa_node; + create_attr.map_extra = map->map_extra; + +- if (bpf_map__is_struct_ops(map)) ++ if (bpf_map__is_struct_ops(map)) { + create_attr.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id; ++ if (map->mod_btf_fd >= 0) { ++ create_attr.value_type_btf_obj_fd = map->mod_btf_fd; ++ create_attr.map_flags |= BPF_F_VTYPE_BTF_OBJ_FD; ++ } ++ } + + if (obj->btf && btf__fd(obj->btf) >= 0) { + create_attr.btf_fd = btf__fd(obj->btf); +@@ -9444,7 +9463,9 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac + *btf_obj_fd = 0; + *btf_type_id = 1; + } else { +- err = find_kernel_btf_id(prog->obj, attach_name, attach_type, btf_obj_fd, btf_type_id); ++ err = find_kernel_btf_id(prog->obj, attach_name, ++ attach_type, btf_obj_fd, ++ btf_type_id); + } + if (err) { + pr_warn("prog '%s': failed to find kernel BTF type ID of '%s': %d\n", +diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c +index 9c4db90b92b6b..98373d126d9d7 100644 +--- a/tools/lib/bpf/libbpf_probes.c ++++ b/tools/lib/bpf/libbpf_probes.c +@@ -326,6 +326,7 @@ static int probe_map_create(enum bpf_map_type map_type) + case BPF_MAP_TYPE_STRUCT_OPS: + /* we'll get -ENOTSUPP for invalid BTF type ID for struct_ops */ + opts.btf_vmlinux_value_type_id = 1; ++ opts.value_type_btf_obj_fd = -1; + exp_err = -524; /* -ENOTSUPP */ + break; + case BPF_MAP_TYPE_BLOOM_FILTER: +-- +2.43.0 + diff --git a/queue-6.6/libbpf-sync-progs-autoload-with-maps-autocreate-for-.patch b/queue-6.6/libbpf-sync-progs-autoload-with-maps-autocreate-for-.patch new file mode 100644 index 00000000000..25b1a18c132 --- /dev/null +++ b/queue-6.6/libbpf-sync-progs-autoload-with-maps-autocreate-for-.patch @@ -0,0 +1,117 @@ +From acc4fc0e88c09cc23a7ffadabf270585883658dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 12:45:22 +0200 +Subject: libbpf: Sync progs autoload with maps autocreate for struct_ops maps + +From: Eduard Zingerman + +[ Upstream commit fe9d049c3da06373a1a35914b7f695509e4cb1fe ] + +Automatically select which struct_ops programs to load depending on +which struct_ops maps are selected for automatic creation. +E.g. for the BPF code below: + + SEC("struct_ops/test_1") int BPF_PROG(foo) { ... } + SEC("struct_ops/test_2") int BPF_PROG(bar) { ... } + + SEC(".struct_ops.link") + struct test_ops___v1 A = { + .foo = (void *)foo + }; + + SEC(".struct_ops.link") + struct test_ops___v2 B = { + .foo = (void *)foo, + .bar = (void *)bar, + }; + +And the following libbpf API calls: + + bpf_map__set_autocreate(skel->maps.A, true); + bpf_map__set_autocreate(skel->maps.B, false); + +The autoload would be enabled for program 'foo' and disabled for +program 'bar'. + +During load, for each struct_ops program P, referenced from some +struct_ops map M: +- set P.autoload = true if M.autocreate is true for some M; +- set P.autoload = false if M.autocreate is false for all M; +- don't change P.autoload, if P is not referenced from any map. + +Do this after bpf_object__init_kern_struct_ops_maps() +to make sure that shadow vars assignment is done. + +Signed-off-by: Eduard Zingerman +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240306104529.6453-9-eddyz87@gmail.com +Stable-dep-of: 04a94133f1b3 ("libbpf: Don't take direct pointers into BTF data from st_ops") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 43 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index c91917868b557..aeed9bc44247b 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1007,6 +1007,48 @@ static bool is_valid_st_ops_program(struct bpf_object *obj, + return false; + } + ++/* For each struct_ops program P, referenced from some struct_ops map M, ++ * enable P.autoload if there are Ms for which M.autocreate is true, ++ * disable P.autoload if for all Ms M.autocreate is false. ++ * Don't change P.autoload for programs that are not referenced from any maps. ++ */ ++static int bpf_object_adjust_struct_ops_autoload(struct bpf_object *obj) ++{ ++ struct bpf_program *prog, *slot_prog; ++ struct bpf_map *map; ++ int i, j, k, vlen; ++ ++ for (i = 0; i < obj->nr_programs; ++i) { ++ int should_load = false; ++ int use_cnt = 0; ++ ++ prog = &obj->programs[i]; ++ if (prog->type != BPF_PROG_TYPE_STRUCT_OPS) ++ continue; ++ ++ for (j = 0; j < obj->nr_maps; ++j) { ++ map = &obj->maps[j]; ++ if (!bpf_map__is_struct_ops(map)) ++ continue; ++ ++ vlen = btf_vlen(map->st_ops->type); ++ for (k = 0; k < vlen; ++k) { ++ slot_prog = map->st_ops->progs[k]; ++ if (prog != slot_prog) ++ continue; ++ ++ use_cnt++; ++ if (map->autocreate) ++ should_load = true; ++ } ++ } ++ if (use_cnt) ++ prog->autoload = should_load; ++ } ++ ++ return 0; ++} ++ + /* Init the map's fields that depend on kern_btf */ + static int bpf_map__init_kern_struct_ops(struct bpf_map *map) + { +@@ -8003,6 +8045,7 @@ static int bpf_object_load(struct bpf_object *obj, int extra_log_level, const ch + err = err ? : bpf_object__sanitize_and_load_btf(obj); + err = err ? : bpf_object__sanitize_maps(obj); + err = err ? : bpf_object__init_kern_struct_ops_maps(obj); ++ err = err ? : bpf_object_adjust_struct_ops_autoload(obj); + err = err ? : bpf_object__relocate(obj, obj->btf_custom_path ? : target_btf_path); + err = err ? : bpf_object__create_maps(obj); + err = err ? : bpf_object__load_progs(obj, extra_log_level); +-- +2.43.0 + diff --git a/queue-6.6/libbpf-use-stable-map-placeholder-fds.patch b/queue-6.6/libbpf-use-stable-map-placeholder-fds.patch new file mode 100644 index 00000000000..79c2eb3faf6 --- /dev/null +++ b/queue-6.6/libbpf-use-stable-map-placeholder-fds.patch @@ -0,0 +1,285 @@ +From 35dc8c8739effa064664c56473eba2c1761f59d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 17:38:42 -0800 +Subject: libbpf: use stable map placeholder FDs + +From: Andrii Nakryiko + +[ Upstream commit dac645b950ea4fc0896fe46a645365cb8d9ab92b ] + +Move map creation to later during BPF object loading by pre-creating +stable placeholder FDs (utilizing memfd_create()). Use dup2() +syscall to then atomically make those placeholder FDs point to real +kernel BPF map objects. + +This change allows to delay BPF map creation to after all the BPF +program relocations. That, in turn, allows to delay BTF finalization and +loading into kernel to after all the relocations as well. We'll take +advantage of the latter in subsequent patches to allow libbpf to adjust +BTF in a way that helps with BPF global function usage. + +Clean up a few places where we close map->fd, which now shouldn't +happen, because map->fd should be a valid FD regardless of whether map +was created or not. Surprisingly and nicely it simplifies a bunch of +error handling code. If this change doesn't backfire, I'm tempted to +pre-create such stable FDs for other entities (progs, maybe even BTF). +We previously did some manipulations to make gen_loader work with fake +map FDs, with stable map FDs this hack is not necessary for maps (we +still have it for BTF, but I left it as is for now). + +Acked-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20240104013847.3875810-5-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 04a94133f1b3 ("libbpf: Don't take direct pointers into BTF data from st_ops") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 101 ++++++++++++++++++++------------ + tools/lib/bpf/libbpf_internal.h | 14 +++++ + 2 files changed, 77 insertions(+), 38 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index ceed16a10285a..54f3380010f55 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1491,6 +1491,16 @@ static Elf64_Sym *find_elf_var_sym(const struct bpf_object *obj, const char *nam + return ERR_PTR(-ENOENT); + } + ++static int create_placeholder_fd(void) ++{ ++ int fd; ++ ++ fd = ensure_good_fd(memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC)); ++ if (fd < 0) ++ return -errno; ++ return fd; ++} ++ + static struct bpf_map *bpf_object__add_map(struct bpf_object *obj) + { + struct bpf_map *map; +@@ -1503,7 +1513,21 @@ static struct bpf_map *bpf_object__add_map(struct bpf_object *obj) + + map = &obj->maps[obj->nr_maps++]; + map->obj = obj; +- map->fd = -1; ++ /* Preallocate map FD without actually creating BPF map just yet. ++ * These map FD "placeholders" will be reused later without changing ++ * FD value when map is actually created in the kernel. ++ * ++ * This is useful to be able to perform BPF program relocations ++ * without having to create BPF maps before that step. This allows us ++ * to finalize and load BTF very late in BPF object's loading phase, ++ * right before BPF maps have to be created and BPF programs have to ++ * be loaded. By having these map FD placeholders we can perform all ++ * the sanitizations, relocations, and any other adjustments before we ++ * start creating actual BPF kernel objects (BTF, maps, progs). ++ */ ++ map->fd = create_placeholder_fd(); ++ if (map->fd < 0) ++ return ERR_PTR(map->fd); + map->inner_map_fd = -1; + map->autocreate = true; + +@@ -2595,7 +2619,9 @@ static int bpf_object__init_user_btf_map(struct bpf_object *obj, + map->inner_map = calloc(1, sizeof(*map->inner_map)); + if (!map->inner_map) + return -ENOMEM; +- map->inner_map->fd = -1; ++ map->inner_map->fd = create_placeholder_fd(); ++ if (map->inner_map->fd < 0) ++ return map->inner_map->fd; + map->inner_map->sec_idx = sec_idx; + map->inner_map->name = malloc(strlen(map_name) + sizeof(".inner") + 1); + if (!map->inner_map->name) +@@ -4446,14 +4472,12 @@ int bpf_map__reuse_fd(struct bpf_map *map, int fd) + goto err_free_new_name; + } + +- err = zclose(map->fd); +- if (err) { +- err = -errno; +- goto err_close_new_fd; +- } ++ err = reuse_fd(map->fd, new_fd); ++ if (err) ++ goto err_free_new_name; ++ + free(map->name); + +- map->fd = new_fd; + map->name = new_name; + map->def.type = info.type; + map->def.key_size = info.key_size; +@@ -4467,8 +4491,6 @@ int bpf_map__reuse_fd(struct bpf_map *map, int fd) + + return 0; + +-err_close_new_fd: +- close(new_fd); + err_free_new_name: + free(new_name); + return libbpf_err(err); +@@ -5102,7 +5124,7 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b + LIBBPF_OPTS(bpf_map_create_opts, create_attr); + struct bpf_map_def *def = &map->def; + const char *map_name = NULL; +- int err = 0; ++ int err = 0, map_fd; + + if (kernel_supports(obj, FEAT_PROG_NAME)) + map_name = map->name; +@@ -5164,17 +5186,19 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b + bpf_gen__map_create(obj->gen_loader, def->type, map_name, + def->key_size, def->value_size, def->max_entries, + &create_attr, is_inner ? -1 : map - obj->maps); +- /* Pretend to have valid FD to pass various fd >= 0 checks. +- * This fd == 0 will not be used with any syscall and will be reset to -1 eventually. ++ /* We keep pretenting we have valid FD to pass various fd >= 0 ++ * checks by just keeping original placeholder FDs in place. ++ * See bpf_object__add_map() comment. ++ * This placeholder fd will not be used with any syscall and ++ * will be reset to -1 eventually. + */ +- map->fd = 0; ++ map_fd = map->fd; + } else { +- map->fd = bpf_map_create(def->type, map_name, +- def->key_size, def->value_size, +- def->max_entries, &create_attr); ++ map_fd = bpf_map_create(def->type, map_name, ++ def->key_size, def->value_size, ++ def->max_entries, &create_attr); + } +- if (map->fd < 0 && (create_attr.btf_key_type_id || +- create_attr.btf_value_type_id)) { ++ if (map_fd < 0 && (create_attr.btf_key_type_id || create_attr.btf_value_type_id)) { + char *cp, errmsg[STRERR_BUFSIZE]; + + err = -errno; +@@ -5186,13 +5210,11 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b + create_attr.btf_value_type_id = 0; + map->btf_key_type_id = 0; + map->btf_value_type_id = 0; +- map->fd = bpf_map_create(def->type, map_name, +- def->key_size, def->value_size, +- def->max_entries, &create_attr); ++ map_fd = bpf_map_create(def->type, map_name, ++ def->key_size, def->value_size, ++ def->max_entries, &create_attr); + } + +- err = map->fd < 0 ? -errno : 0; +- + if (bpf_map_type__is_map_in_map(def->type) && map->inner_map) { + if (obj->gen_loader) + map->inner_map->fd = -1; +@@ -5200,7 +5222,19 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b + zfree(&map->inner_map); + } + +- return err; ++ if (map_fd < 0) ++ return map_fd; ++ ++ /* obj->gen_loader case, prevent reuse_fd() from closing map_fd */ ++ if (map->fd == map_fd) ++ return 0; ++ ++ /* Keep placeholder FD value but now point it to the BPF map object. ++ * This way everything that relied on this map's FD (e.g., relocated ++ * ldimm64 instructions) will stay valid and won't need adjustments. ++ * map->fd stays valid but now point to what map_fd points to. ++ */ ++ return reuse_fd(map->fd, map_fd); + } + + static int init_map_in_map_slots(struct bpf_object *obj, struct bpf_map *map) +@@ -5284,10 +5318,8 @@ static int bpf_object_init_prog_arrays(struct bpf_object *obj) + continue; + + err = init_prog_array_slots(obj, map); +- if (err < 0) { +- zclose(map->fd); ++ if (err < 0) + return err; +- } + } + return 0; + } +@@ -5378,25 +5410,20 @@ bpf_object__create_maps(struct bpf_object *obj) + + if (bpf_map__is_internal(map)) { + err = bpf_object__populate_internal_map(obj, map); +- if (err < 0) { +- zclose(map->fd); ++ if (err < 0) + goto err_out; +- } + } + + if (map->init_slots_sz && map->def.type != BPF_MAP_TYPE_PROG_ARRAY) { + err = init_map_in_map_slots(obj, map); +- if (err < 0) { +- zclose(map->fd); ++ if (err < 0) + goto err_out; +- } + } + } + + if (map->pin_path && !map->pinned) { + err = bpf_map__pin(map, NULL); + if (err) { +- zclose(map->fd); + if (!retried && err == -EEXIST) { + retried = true; + goto retry; +@@ -7937,8 +7964,8 @@ static int bpf_object_load(struct bpf_object *obj, int extra_log_level, const ch + err = err ? : bpf_object__sanitize_and_load_btf(obj); + err = err ? : bpf_object__sanitize_maps(obj); + err = err ? : bpf_object__init_kern_struct_ops_maps(obj); +- err = err ? : bpf_object__create_maps(obj); + err = err ? : bpf_object__relocate(obj, obj->btf_custom_path ? : target_btf_path); ++ err = err ? : bpf_object__create_maps(obj); + err = err ? : bpf_object__load_progs(obj, extra_log_level); + err = err ? : bpf_object_init_prog_arrays(obj); + err = err ? : bpf_object_prepare_struct_ops(obj); +@@ -7947,8 +7974,6 @@ static int bpf_object_load(struct bpf_object *obj, int extra_log_level, const ch + /* reset FDs */ + if (obj->btf) + btf__set_fd(obj->btf, -1); +- for (i = 0; i < obj->nr_maps; i++) +- obj->maps[i].fd = -1; + if (!err) + err = bpf_gen__finish(obj->gen_loader, obj->nr_programs, obj->nr_maps); + } +diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h +index 57dec645d6878..ead99497cb157 100644 +--- a/tools/lib/bpf/libbpf_internal.h ++++ b/tools/lib/bpf/libbpf_internal.h +@@ -569,6 +569,20 @@ static inline int ensure_good_fd(int fd) + return fd; + } + ++/* Point *fixed_fd* to the same file that *tmp_fd* points to. ++ * Regardless of success, *tmp_fd* is closed. ++ * Whatever *fixed_fd* pointed to is closed silently. ++ */ ++static inline int reuse_fd(int fixed_fd, int tmp_fd) ++{ ++ int err; ++ ++ err = dup2(tmp_fd, fixed_fd); ++ err = err < 0 ? -errno : 0; ++ close(tmp_fd); /* clean up temporary FD */ ++ return err; ++} ++ + /* The following two functions are exposed to bpftool */ + int bpf_core_add_cands(struct bpf_core_cand *local_cand, + size_t local_essent_len, +-- +2.43.0 + diff --git a/queue-6.6/m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch b/queue-6.6/m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch new file mode 100644 index 00000000000..7f70abc2020 --- /dev/null +++ b/queue-6.6/m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch @@ -0,0 +1,54 @@ +From 82dcd67a46decce137ddd4dbcf5892c747f25030 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Aug 2024 10:12:29 +1000 +Subject: m68k: Fix kernel_clone_args.flags in m68k_clone() + +From: Finn Thain + +[ Upstream commit 09b3d870faa7bc3e96c0978ab3cf4e96e4b15571 ] + +Stan Johnson recently reported a failure from the 'dump' command: + + DUMP: Date of this level 0 dump: Fri Aug 9 23:37:15 2024 + DUMP: Dumping /dev/sda (an unlisted file system) to /dev/null + DUMP: Label: none + DUMP: Writing 10 Kilobyte records + DUMP: mapping (Pass I) [regular files] + DUMP: mapping (Pass II) [directories] + DUMP: estimated 3595695 blocks. + DUMP: Context save fork fails in parent 671 + +The dump program uses the clone syscall with the CLONE_IO flag, that is, +flags == 0x80000000. When that value is promoted from long int to u64 by +m68k_clone(), it undergoes sign-extension. The new value includes +CLONE_INTO_CGROUP so the validation in cgroup_css_set_fork() fails and +the syscall returns -EBADF. Avoid sign-extension by casting to u32. + +Reported-by: Stan Johnson +Closes: https://lists.debian.org/debian-68k/2024/08/msg00000.html +Fixes: 6aabc1facdb2 ("m68k: Implement copy_thread_tls()") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/3463f1e5d4e95468dc9f3368f2b78ffa7b72199b.1723335149.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/process.c b/arch/m68k/kernel/process.c +index e06ce147c0b7f..fb87219fc3b46 100644 +--- a/arch/m68k/kernel/process.c ++++ b/arch/m68k/kernel/process.c +@@ -116,7 +116,7 @@ asmlinkage int m68k_clone(struct pt_regs *regs) + { + /* regs will be equal to current_pt_regs() */ + struct kernel_clone_args args = { +- .flags = regs->d1 & ~CSIGNAL, ++ .flags = (u32)(regs->d1) & ~CSIGNAL, + .pidfd = (int __user *)regs->d3, + .child_tid = (int __user *)regs->d4, + .parent_tid = (int __user *)regs->d3, +-- +2.43.0 + diff --git a/queue-6.6/media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch b/queue-6.6/media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch new file mode 100644 index 00000000000..eea7cceee9e --- /dev/null +++ b/queue-6.6/media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch @@ -0,0 +1,49 @@ +From f76d6d9d6495ea54c239e80454488ceefaaf049b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:33:55 +0800 +Subject: media: mediatek: vcodec: Fix H264 multi stateless decoder smatch + warning + +From: Yunfei Dong + +[ Upstream commit 9be85491619f1953b8a29590ca630be571941ffa ] + +Fix a smatch static checker warning on vdec_h264_req_multi_if.c. +Which leads to a kernel crash when fb is NULL. + +Fixes: 397edc703a10 ("media: mediatek: vcodec: add h264 decoder driver for mt8186") +Signed-off-by: Yunfei Dong +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../vcodec/decoder/vdec/vdec_h264_req_multi_if.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c +index 0e741e0dc8bac..bb0ad93c6b789 100644 +--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c ++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c +@@ -724,11 +724,16 @@ static int vdec_h264_slice_single_decode(void *h_vdec, struct mtk_vcodec_mem *bs + return vpu_dec_reset(vpu); + + fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx); ++ if (!fb) { ++ mtk_vdec_err(inst->ctx, "fb buffer is NULL"); ++ return -ENOMEM; ++ } ++ + src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer); + dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); + +- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0; +- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0; ++ y_fb_dma = fb->base_y.dma_addr; ++ c_fb_dma = fb->base_c.dma_addr; + mtk_vdec_debug(inst->ctx, "[h264-dec] [%d] y_dma=%llx c_dma=%llx", + inst->ctx->decoded_frame_cnt, y_fb_dma, c_fb_dma); + +-- +2.43.0 + diff --git a/queue-6.6/media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch b/queue-6.6/media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch new file mode 100644 index 00000000000..f3a10a1a168 --- /dev/null +++ b/queue-6.6/media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch @@ -0,0 +1,48 @@ +From f57683f0f852e527cdd189946ce26510d941b459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:33:57 +0800 +Subject: media: mediatek: vcodec: Fix H264 stateless decoder smatch warning + +From: Yunfei Dong + +[ Upstream commit 7878d3a385efab560dce793b595447867fb163f2 ] + +Fix a smatch static checker warning on vdec_h264_req_if.c. +Which leads to a kernel crash when fb is NULL. + +Fixes: 06fa5f757dc5 ("media: mtk-vcodec: vdec: support stateless H.264 decoding") +Signed-off-by: Yunfei Dong +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c +index 5600f1df653d2..b55fbd6a8a669 100644 +--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c ++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c +@@ -347,11 +347,16 @@ static int vdec_h264_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs, + return vpu_dec_reset(vpu); + + fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx); ++ if (!fb) { ++ mtk_vdec_err(inst->ctx, "fb buffer is NULL"); ++ return -ENOMEM; ++ } ++ + src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer); + dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); + +- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0; +- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0; ++ y_fb_dma = fb->base_y.dma_addr; ++ c_fb_dma = fb->base_c.dma_addr; + + mtk_vdec_debug(inst->ctx, "+ [%d] FB y_dma=%llx c_dma=%llx va=%p", + inst->num_nalu, y_fb_dma, c_fb_dma, fb); +-- +2.43.0 + diff --git a/queue-6.6/media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch b/queue-6.6/media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch new file mode 100644 index 00000000000..239c7cea045 --- /dev/null +++ b/queue-6.6/media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch @@ -0,0 +1,51 @@ +From ec1f2958cbe0a996cb3207dff79ddeb3f7b9c669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:33:56 +0800 +Subject: media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning + +From: Yunfei Dong + +[ Upstream commit b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44 ] + +Fix a smatch static checker warning on vdec_vp8_req_if.c. +Which leads to a kernel crash when fb is NULL. + +Fixes: 7a7ae26fd458 ("media: mediatek: vcodec: support stateless VP8 decoding") +Signed-off-by: Yunfei Dong +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c +index f64b21c071696..86b93055f1633 100644 +--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c ++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c +@@ -335,14 +335,18 @@ static int vdec_vp8_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs, + src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer); + + fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx); +- dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); ++ if (!fb) { ++ mtk_vdec_err(inst->ctx, "fb buffer is NULL"); ++ return -ENOMEM; ++ } + +- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0; ++ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); ++ y_fb_dma = fb->base_y.dma_addr; + if (inst->ctx->q_data[MTK_Q_DATA_DST].fmt->num_planes == 1) + c_fb_dma = y_fb_dma + + inst->ctx->picinfo.buf_w * inst->ctx->picinfo.buf_h; + else +- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0; ++ c_fb_dma = fb->base_c.dma_addr; + + inst->vsi->dec.bs_dma = (u64)bs->dma_addr; + inst->vsi->dec.bs_sz = bs->size; +-- +2.43.0 + diff --git a/queue-6.6/media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch b/queue-6.6/media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch new file mode 100644 index 00000000000..7abb76f3e5c --- /dev/null +++ b/queue-6.6/media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch @@ -0,0 +1,39 @@ +From af83d2d2183f51da225a3b7dfa74df879eed37ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 17:49:32 +0100 +Subject: media: platform: rzg2l-cru: rzg2l-csi2: Add missing + MODULE_DEVICE_TABLE + +From: Biju Das + +[ Upstream commit 07668fb0f867388bfdac0b60dbf51a4ad789f8e7 ] + +The rzg2l-csi2 driver can be compiled as a module, but lacks +MODULE_DEVICE_TABLE() and will therefore not be loaded automatically. +Fix this. + +Fixes: 51e8415e39a9 ("media: platform: Add Renesas RZ/G2L MIPI CSI-2 receiver driver") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240731164935.308994-1-biju.das.jz@bp.renesas.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c +index ad2bd71037abd..246eec259c5d7 100644 +--- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c ++++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c +@@ -854,6 +854,7 @@ static const struct of_device_id rzg2l_csi2_of_table[] = { + { .compatible = "renesas,rzg2l-csi2", }, + { /* sentinel */ } + }; ++MODULE_DEVICE_TABLE(of, rzg2l_csi2_of_table); + + static struct platform_driver rzg2l_csi2_pdrv = { + .remove_new = rzg2l_csi2_remove, +-- +2.43.0 + diff --git a/queue-6.6/minmax-avoid-overly-complex-min-max-macro-arguments-.patch b/queue-6.6/minmax-avoid-overly-complex-min-max-macro-arguments-.patch new file mode 100644 index 00000000000..b816b443038 --- /dev/null +++ b/queue-6.6/minmax-avoid-overly-complex-min-max-macro-arguments-.patch @@ -0,0 +1,77 @@ +From f7187380dbedf64ed64939d77f9159784317de9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 15:09:07 -0700 +Subject: minmax: avoid overly complex min()/max() macro arguments in xen + +From: Linus Torvalds + +[ Upstream commit e8432ac802a028eaee6b1e86383d7cd8e9fb8431 ] + +We have some very fancy min/max macros that have tons of sanity checking +to warn about mixed signedness etc. + +This is all things that a sane compiler should warn about, but there are +no sane compiler interfaces for this, and '-Wsign-compare' is broken [1] +and not useful. + +So then we compensate (some would say over-compensate) by doing the +checks manually with some truly horrid macro games. + +And no, we can't just use __builtin_types_compatible_p(), because the +whole question of "does it make sense to compare these two values" is a +lot more complicated than that. + +For example, it makes a ton of sense to compare unsigned values with +simple constants like "5", even if that is indeed a signed type. So we +have these very strange macros to try to make sensible type checking +decisions on the arguments to 'min()' and 'max()'. + +But that can cause enormous code expansion if the min()/max() macros are +used with complicated expressions, and particularly if you nest these +things so that you get the first big expansion then expanded again. + +The xen setup.c file ended up ballooning to over 50MB of preprocessed +noise that takes 15s to compile (obviously depending on the build host), +largely due to one single line. + +So let's split that one single line to just be simpler. I think it ends +up being more legible to humans too at the same time. Now that single +file compiles in under a second. + +Reported-and-reviewed-by: Lorenzo Stoakes +Link: https://lore.kernel.org/all/c83c17bb-be75-4c67-979d-54eee38774c6@lucifer.local/ +Link: https://staticthinking.wordpress.com/2023/07/25/wsign-compare-is-garbage/ [1] +Cc: David Laight +Signed-off-by: Linus Torvalds +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index d44d6d8b33195..d2073df5c5624 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -691,6 +691,7 @@ char * __init xen_memory_setup(void) + struct xen_memory_map memmap; + unsigned long max_pages; + unsigned long extra_pages = 0; ++ unsigned long maxmem_pages; + int i; + int op; + +@@ -762,8 +763,8 @@ char * __init xen_memory_setup(void) + * Make sure we have no memory above max_pages, as this area + * isn't handled by the p2m management. + */ +- extra_pages = min3(EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)), +- extra_pages, max_pages - max_pfn); ++ maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)); ++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn); + i = 0; + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; +-- +2.43.0 + diff --git a/queue-6.6/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch b/queue-6.6/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch new file mode 100644 index 00000000000..41b70db84fa --- /dev/null +++ b/queue-6.6/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch @@ -0,0 +1,61 @@ +From e3cd756d5b7866f87b27b355d87d79761a1a80ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 10:58:13 +0200 +Subject: mount: handle OOM on mnt_warn_timestamp_expiry + +From: Olaf Hering + +[ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ] + +If no page could be allocated, an error pointer was used as format +string in pr_warn. + +Rearrange the code to return early in case of OOM. Also add a check +for the return value of d_path. + +Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry") +Signed-off-by: Olaf Hering +Link: https://lore.kernel.org/r/20240730085856.32385-1-olaf@aepfle.de +[brauner: rewrite commit and commit message] +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index e6c61d4997ccf..b4385e2413d59 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2796,8 +2796,15 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + if (!__mnt_is_readonly(mnt) && + (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) && + (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) { +- char *buf = (char *)__get_free_page(GFP_KERNEL); +- char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM); ++ char *buf, *mntpath; ++ ++ buf = (char *)__get_free_page(GFP_KERNEL); ++ if (buf) ++ mntpath = d_path(mountpoint, buf, PAGE_SIZE); ++ else ++ mntpath = ERR_PTR(-ENOMEM); ++ if (IS_ERR(mntpath)) ++ mntpath = "(unknown)"; + + pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n", + sb->s_type->name, +@@ -2805,8 +2812,9 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + mntpath, &sb->s_time_max, + (unsigned long long)sb->s_time_max); + +- free_page((unsigned long)buf); + sb->s_iflags |= SB_I_TS_EXPIRY_WARNED; ++ if (buf) ++ free_page((unsigned long)buf); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/mtd-powernv-add-check-devm_kasprintf-returned-value.patch b/queue-6.6/mtd-powernv-add-check-devm_kasprintf-returned-value.patch new file mode 100644 index 00000000000..eabec4969b0 --- /dev/null +++ b/queue-6.6/mtd-powernv-add-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,38 @@ +From 33e6dd3617be52ec1b4f4533ea6cf5a0723527ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 17:24:27 +0800 +Subject: mtd: powernv: Add check devm_kasprintf() returned value + +From: Charles Han + +[ Upstream commit 395999829880a106bb95f0ce34e6e4c2b43c6a5d ] + +devm_kasprintf() can return a NULL pointer on failure but this +returned value is not checked. + +Fixes: acfe63ec1c59 ("mtd: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Charles Han +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240828092427.128177-1-hanchunchao@inspur.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/powernv_flash.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mtd/devices/powernv_flash.c b/drivers/mtd/devices/powernv_flash.c +index 36e060386e59d..59e1b3a4406ed 100644 +--- a/drivers/mtd/devices/powernv_flash.c ++++ b/drivers/mtd/devices/powernv_flash.c +@@ -207,6 +207,9 @@ static int powernv_flash_set_driver_info(struct device *dev, + * get them + */ + mtd->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node); ++ if (!mtd->name) ++ return -ENOMEM; ++ + mtd->type = MTD_NORFLASH; + mtd->flags = MTD_WRITEABLE; + mtd->size = size; +-- +2.43.0 + diff --git a/queue-6.6/mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch b/queue-6.6/mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch new file mode 100644 index 00000000000..6dfa8eeed1b --- /dev/null +++ b/queue-6.6/mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch @@ -0,0 +1,79 @@ +From 008c13980763cca9a6555da1654cf325b207a5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 17:30:18 +0200 +Subject: mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips + +From: Miquel Raynal + +[ Upstream commit 81cb3be3261e766a1f8efab9e3154a4f4fd9d03d ] + +There are some un-freed resources in one of the error path which would +benefit from a helper going through all the registered mtk chips one by +one and perform all the necessary cleanup. This is precisely what the +remove path does, so let's extract the logic in a helper. + +There is no functional change. + +Signed-off-by: Miquel Raynal +Reviewed-by: Pratyush Yadav +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-1-miquel.raynal@bootlin.com +Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path") +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/mtk_nand.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c +index c4ef4eae5da23..3fb32a59fdf61 100644 +--- a/drivers/mtd/nand/raw/mtk_nand.c ++++ b/drivers/mtd/nand/raw/mtk_nand.c +@@ -1429,6 +1429,23 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, + return 0; + } + ++static void mtk_nfc_nand_chips_cleanup(struct mtk_nfc *nfc) ++{ ++ struct mtk_nfc_nand_chip *mtk_chip; ++ struct nand_chip *chip; ++ int ret; ++ ++ while (!list_empty(&nfc->chips)) { ++ mtk_chip = list_first_entry(&nfc->chips, ++ struct mtk_nfc_nand_chip, node); ++ chip = &mtk_chip->nand; ++ ret = mtd_device_unregister(nand_to_mtd(chip)); ++ WARN_ON(ret); ++ nand_cleanup(chip); ++ list_del(&mtk_chip->node); ++ } ++} ++ + static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc) + { + struct device_node *np = dev->of_node; +@@ -1567,20 +1584,8 @@ static int mtk_nfc_probe(struct platform_device *pdev) + static void mtk_nfc_remove(struct platform_device *pdev) + { + struct mtk_nfc *nfc = platform_get_drvdata(pdev); +- struct mtk_nfc_nand_chip *mtk_chip; +- struct nand_chip *chip; +- int ret; +- +- while (!list_empty(&nfc->chips)) { +- mtk_chip = list_first_entry(&nfc->chips, +- struct mtk_nfc_nand_chip, node); +- chip = &mtk_chip->nand; +- ret = mtd_device_unregister(nand_to_mtd(chip)); +- WARN_ON(ret); +- nand_cleanup(chip); +- list_del(&mtk_chip->node); +- } + ++ mtk_nfc_nand_chips_cleanup(nfc); + mtk_ecc_release(nfc->ecc); + } + +-- +2.43.0 + diff --git a/queue-6.6/mtd-rawnand-mtk-fix-init-error-path.patch b/queue-6.6/mtd-rawnand-mtk-fix-init-error-path.patch new file mode 100644 index 00000000000..d024b550970 --- /dev/null +++ b/queue-6.6/mtd-rawnand-mtk-fix-init-error-path.patch @@ -0,0 +1,44 @@ +From 02decd0d87eaf8d2d2ec092f8af58e7e5117a939 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 17:30:19 +0200 +Subject: mtd: rawnand: mtk: Fix init error path + +From: Miquel Raynal + +[ Upstream commit 2073ae37d550ea32e8545edaa94ef10b4fef7235 ] + +Reviewing a series converting the for_each_chil_of_node() loops into +their _scoped variants made me realize there was no cleanup of the +already registered NAND devices upon error which may leak memory on +systems with more than a chip when this error occurs. We should call the +_nand_chips_cleanup() function when this happens. + +Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") +Signed-off-by: Miquel Raynal +Reviewed-by: Pratyush Yadav +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-2-miquel.raynal@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/mtk_nand.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c +index 3fb32a59fdf61..161a409ca4ed2 100644 +--- a/drivers/mtd/nand/raw/mtk_nand.c ++++ b/drivers/mtd/nand/raw/mtk_nand.c +@@ -1453,8 +1453,10 @@ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc) + + for_each_child_of_node_scoped(np, nand_np) { + ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np); +- if (ret) ++ if (ret) { ++ mtk_nfc_nand_chips_cleanup(nfc); + return ret; ++ } + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch b/queue-6.6/mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch new file mode 100644 index 00000000000..61296a1db98 --- /dev/null +++ b/queue-6.6/mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch @@ -0,0 +1,46 @@ +From e5f16ede172c184b7d1c0f3048c0193bae557921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 17:43:25 +0800 +Subject: mtd: rawnand: mtk: Use for_each_child_of_node_scoped() + +From: Jinjie Ruan + +[ Upstream commit 8795952679494b111b7b2ba08bb54ac408daca3b ] + +Avoids the need for manual cleanup of_node_put() in early exits +from the loop. + +Signed-off-by: Jinjie Ruan +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240826094328.2991664-8-ruanjinjie@huawei.com +Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path") +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/mtk_nand.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c +index 29c8bddde67ff..c4ef4eae5da23 100644 +--- a/drivers/mtd/nand/raw/mtk_nand.c ++++ b/drivers/mtd/nand/raw/mtk_nand.c +@@ -1432,15 +1432,12 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, + static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc) + { + struct device_node *np = dev->of_node; +- struct device_node *nand_np; + int ret; + +- for_each_child_of_node(np, nand_np) { ++ for_each_child_of_node_scoped(np, nand_np) { + ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np); +- if (ret) { +- of_node_put(nand_np); ++ if (ret) + return ret; +- } + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch b/queue-6.6/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch new file mode 100644 index 00000000000..8de995a39f5 --- /dev/null +++ b/queue-6.6/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch @@ -0,0 +1,72 @@ +From 0397cb40c0c5597699f857234d0194e6d59da593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jul 2024 01:43:20 +0200 +Subject: mtd: slram: insert break after errors in parsing the map +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Todorovac + +[ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ] + +GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution +path in which, due to lazy evaluation, devlength isn't initialised with the +parsed string: + + 289 while (map) { + 290 devname = devstart = devlength = NULL; + 291 + 292 if (!(devname = strsep(&map, ","))) { + 293 E("slram: No devicename specified.\n"); + 294 break; + 295 } + 296 T("slram: devname = %s\n", devname); + 297 if ((!map) || (!(devstart = strsep(&map, ",")))) { + 298 E("slram: No devicestart specified.\n"); + 299 } + 300 T("slram: devstart = %s\n", devstart); + → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) { + 302 E("slram: No devicelength / -end specified.\n"); + 303 } + → 304 T("slram: devlength = %s\n", devlength); + 305 if (parse_cmdline(devname, devstart, devlength) != 0) { + 306 return(-EINVAL); + 307 } + +Parsing should be finished after map == NULL, so a break is best inserted after +each E("slram: ... \n") error message. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: linux-mtd@lists.infradead.org +Signed-off-by: Mirsad Todorovac +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/slram.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c +index 28131a127d065..8297b366a0669 100644 +--- a/drivers/mtd/devices/slram.c ++++ b/drivers/mtd/devices/slram.c +@@ -296,10 +296,12 @@ static int __init init_slram(void) + T("slram: devname = %s\n", devname); + if ((!map) || (!(devstart = strsep(&map, ",")))) { + E("slram: No devicestart specified.\n"); ++ break; + } + T("slram: devstart = %s\n", devstart); + if ((!map) || (!(devlength = strsep(&map, ",")))) { + E("slram: No devicelength / -end specified.\n"); ++ break; + } + T("slram: devlength = %s\n", devlength); + if (parse_cmdline(devname, devstart, devlength) != 0) { +-- +2.43.0 + diff --git a/queue-6.6/nbd-fix-race-between-timeout-and-normal-completion.patch b/queue-6.6/nbd-fix-race-between-timeout-and-normal-completion.patch new file mode 100644 index 00000000000..44d95cd086f --- /dev/null +++ b/queue-6.6/nbd-fix-race-between-timeout-and-normal-completion.patch @@ -0,0 +1,64 @@ +From fd6ca3ede5c2580da7987769824a3492e94547b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 11:41:45 +0800 +Subject: nbd: fix race between timeout and normal completion + +From: Ming Lei + +[ Upstream commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 ] + +If request timetout is handled by nbd_requeue_cmd(), normal completion +has to be stopped for avoiding to complete this requeued request, other +use-after-free can be triggered. + +Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime +make sure that cmd->lock is grabbed for clearing the flag and the +requeue. + +Cc: Josef Bacik +Cc: Yu Kuai +Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") +Signed-off-by: Ming Lei +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 1089dc646b808..96b349148e578 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -181,6 +181,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) + { + struct request *req = blk_mq_rq_from_pdu(cmd); + ++ lockdep_assert_held(&cmd->lock); ++ ++ /* ++ * Clear INFLIGHT flag so that this cmd won't be completed in ++ * normal completion path ++ * ++ * INFLIGHT flag will be set when the cmd is queued to nbd next ++ * time. ++ */ ++ __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); ++ + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) + blk_mq_requeue_request(req, true); + } +@@ -461,8 +472,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req) + nbd_mark_nsock_dead(nbd, nsock, 1); + mutex_unlock(&nsock->tx_lock); + } +- mutex_unlock(&cmd->lock); + nbd_requeue_cmd(cmd); ++ mutex_unlock(&cmd->lock); + nbd_config_put(nbd); + return BLK_EH_DONE; + } +-- +2.43.0 + diff --git a/queue-6.6/net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch b/queue-6.6/net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch new file mode 100644 index 00000000000..91d37176a9e --- /dev/null +++ b/queue-6.6/net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch @@ -0,0 +1,43 @@ +From 5358df35bcc4e3e6cb238b4b1ec5e34deae42af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:44:44 +0800 +Subject: net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 799a9225997799f7b1b579bc50a93b78b4fb2a01 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: bbb96dc7fa1a ("enetc: Factor out the traffic start/stop procedures") +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20240911094445.1922476-3-ruanjinjie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index 0f5a4ec505ddb..18e3a9cd4fc01 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2305,12 +2305,11 @@ static int enetc_setup_irqs(struct enetc_ndev_priv *priv) + + snprintf(v->name, sizeof(v->name), "%s-rxtx%d", + priv->ndev->name, i); +- err = request_irq(irq, enetc_msix, 0, v->name, v); ++ err = request_irq(irq, enetc_msix, IRQF_NO_AUTOEN, v->name, v); + if (err) { + dev_err(priv->dev, "request_irq() failed!\n"); + goto irq_err; + } +- disable_irq(irq); + + v->tbier_base = hw->reg + ENETC_BDR(TX, 0, ENETC_TBIER); + v->rbier = hw->reg + ENETC_BDR(RX, i, ENETC_RBIER); +-- +2.43.0 + diff --git a/queue-6.6/net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch b/queue-6.6/net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch new file mode 100644 index 00000000000..682eaea4fbf --- /dev/null +++ b/queue-6.6/net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch @@ -0,0 +1,57 @@ +From 54b6a04ef484fddf39d019c1d1eca884244def89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 19:45:57 +0200 +Subject: net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input + +From: Justin Iurman + +[ Upstream commit 2c84b0aa28b9e73e8c4b4ce038269469434ae372 ] + +Free the skb before returning from rpl_input when skb_cow_head() fails. +Use a "drop" label and goto instructions. + +Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel") +Signed-off-by: Justin Iurman +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240911174557.11536-1-justin.iurman@uliege.be +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/rpl_iptunnel.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c +index 2c83b7586422d..db3c19a42e1ca 100644 +--- a/net/ipv6/rpl_iptunnel.c ++++ b/net/ipv6/rpl_iptunnel.c +@@ -263,10 +263,8 @@ static int rpl_input(struct sk_buff *skb) + rlwt = rpl_lwt_lwtunnel(orig_dst->lwtstate); + + err = rpl_do_srh(skb, rlwt); +- if (unlikely(err)) { +- kfree_skb(skb); +- return err; +- } ++ if (unlikely(err)) ++ goto drop; + + local_bh_disable(); + dst = dst_cache_get(&rlwt->cache); +@@ -286,9 +284,13 @@ static int rpl_input(struct sk_buff *skb) + + err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); + if (unlikely(err)) +- return err; ++ goto drop; + + return dst_input(skb); ++ ++drop: ++ kfree_skb(skb); ++ return err; + } + + static int nla_put_rpl_srh(struct sk_buff *skb, int attrtype, +-- +2.43.0 + diff --git a/queue-6.6/net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch b/queue-6.6/net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch new file mode 100644 index 00000000000..15eef36996f --- /dev/null +++ b/queue-6.6/net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch @@ -0,0 +1,44 @@ +From 15dc1d819dc8fe1f9dfc82e0c3dd0e291d12c7a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 20:57:13 +0200 +Subject: net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 93c21077bb9ba08807c459982d440dbbee4c7af3 ] + +The rpl sr tunnel code contains calls to dst_cache_*() which are +only present when the dst cache is built. +Select DST_CACHE to build the dst cache, similar to other kconfig +options in the same file. +Compiling the rpl sr tunnel without DST_CACHE will lead to linker +errors. + +Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel") +Signed-off-by: Thomas Weißschuh +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig +index 08d4b7132d4c4..1c9c686d9522f 100644 +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -323,6 +323,7 @@ config IPV6_RPL_LWTUNNEL + bool "IPv6: RPL Source Routing Header support" + depends on IPV6 + select LWTUNNEL ++ select DST_CACHE + help + Support for RFC6554 RPL Source Routing Header using the lightweight + tunnels mechanism. +-- +2.43.0 + diff --git a/queue-6.6/net-qrtr-update-packets-cloning-when-broadcasting.patch b/queue-6.6/net-qrtr-update-packets-cloning-when-broadcasting.patch new file mode 100644 index 00000000000..eb74ee73b84 --- /dev/null +++ b/queue-6.6/net-qrtr-update-packets-cloning-when-broadcasting.patch @@ -0,0 +1,49 @@ +From 2d0883290d459524a1b46adadf2d8b807bb7193d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 19:08:58 +0200 +Subject: net: qrtr: Update packets cloning when broadcasting + +From: Youssef Samir + +[ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ] + +When broadcasting data to multiple nodes via MHI, using skb_clone() +causes all nodes to receive the same header data. This can result in +packets being discarded by endpoints, leading to lost data. + +This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT +packet is broadcasted. All nodes receive the same destination node ID, +causing the node connected to the client to discard the packet and +remain unaware of the client's deletion. + +Replace skb_clone() with pskb_copy(), to create a separate copy of +the header for each sk_buff. + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Youssef Samir +Reviewed-by: Jeffery Hugo +Reviewed-by: Carl Vanderlip +Reviewed-by: Chris Lew +Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/qrtr/af_qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c +index 41ece61eb57ab..00c51cf693f3d 100644 +--- a/net/qrtr/af_qrtr.c ++++ b/net/qrtr/af_qrtr.c +@@ -884,7 +884,7 @@ static int qrtr_bcast_enqueue(struct qrtr_node *node, struct sk_buff *skb, + + mutex_lock(&qrtr_node_lock); + list_for_each_entry(node, &qrtr_all_nodes, item) { +- skbn = skb_clone(skb, GFP_KERNEL); ++ skbn = pskb_copy(skb, GFP_KERNEL); + if (!skbn) + break; + skb_set_owner_w(skbn, skb->sk); +-- +2.43.0 + diff --git a/queue-6.6/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch b/queue-6.6/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch new file mode 100644 index 00000000000..f1b32267860 --- /dev/null +++ b/queue-6.6/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch @@ -0,0 +1,57 @@ +From dfc7b66c1a894424770f22249f967ae1639197c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Sep 2024 22:40:46 +0800 +Subject: net: seeq: Fix use after free vulnerability in ether3 Driver Due to + Race Condition + +From: Kaixin Wang + +[ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ] + +In the ether3_probe function, a timer is initialized with a callback +function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is +started, there is a risk of a race condition if the module or device +is removed, triggering the ether3_remove function to perform cleanup. +The sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | ether3_ledoff +ether3_remove | + free_netdev(dev); | + put_devic | + kfree(dev); | + | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); + | // use dev + +Fix it by ensuring that the timer is canceled before proceeding with +the cleanup in ether3_remove. + +Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()") +Signed-off-by: Kaixin Wang +Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/seeq/ether3.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c +index c672f92d65e97..9319a2675e7b6 100644 +--- a/drivers/net/ethernet/seeq/ether3.c ++++ b/drivers/net/ethernet/seeq/ether3.c +@@ -847,9 +847,11 @@ static void ether3_remove(struct expansion_card *ec) + { + struct net_device *dev = ecard_get_drvdata(ec); + ++ ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); + ecard_set_drvdata(ec, NULL); + + unregister_netdev(dev); ++ del_timer_sync(&priv(dev)->timer); + free_netdev(dev); + ecard_release_resources(ec); + } +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch b/queue-6.6/net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch new file mode 100644 index 00000000000..840c07055c6 --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch @@ -0,0 +1,44 @@ +From 3feb6ef845a0aec63e70f21445ea082a39c73b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 21:48:02 +0800 +Subject: net: stmmac: dwmac-loongson: Init ref and PTP clocks rate + +From: Yanteng Si + +[ Upstream commit c70f3163681381c15686bdd2fe56bf4af9b8aaaa ] + +Reference and PTP clocks rate of the Loongson GMAC devices is 125MHz. +(So is in the GNET devices which support is about to be added.) Set +the respective plat_stmmacenet_data field up in accordance with that +so to have the coalesce command and timestamping work correctly. + +Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson") +Signed-off-by: Feiyang Chen +Signed-off-by: Yinggang Gu +Reviewed-by: Serge Semin +Acked-by: Huacai Chen +Signed-off-by: Yanteng Si +Tested-by: Serge Semin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +index 9e40c28d453ab..ee3604f58def5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +@@ -35,6 +35,9 @@ static int loongson_default_data(struct plat_stmmacenet_data *plat) + /* Disable RX queues routing by default */ + plat->rx_queues_cfg[0].pkt_route = 0x0; + ++ plat->clk_ref_rate = 125000000; ++ plat->clk_ptp_rate = 125000000; ++ + /* Default to phy auto-detection */ + plat->phy_addr = -1; + +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch b/queue-6.6/net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch new file mode 100644 index 00000000000..65d087813b0 --- /dev/null +++ b/queue-6.6/net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch @@ -0,0 +1,48 @@ +From ed501ef2c7eeb35e6ba7b4a95b4fd0419ba46944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 20:10:28 +0800 +Subject: net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled + +From: Furong Xu <0x1207@gmail.com> + +[ Upstream commit b514c47ebf41a6536551ed28a05758036e6eca7c ] + +Commit 5fabb01207a2 ("net: stmmac: Add initial XDP support") sets +PP_FLAG_DMA_SYNC_DEV flag for page_pool unconditionally, +page_pool_recycle_direct() will call page_pool_dma_sync_for_device() +on every page even the page is not going to be reused by XDP program. + +When XDP is not enabled, the page which holds the received buffer +will be recycled once the buffer is copied into new SKB by +skb_copy_to_linear_data(), then the MAC core will never reuse this +page any longer. Always setting PP_FLAG_DMA_SYNC_DEV wastes CPU cycles +on unnecessary calling of page_pool_dma_sync_for_device(). + +After this patch, up to 9% noticeable performance improvement was observed +on certain platforms. + +Fixes: 5fabb01207a2 ("net: stmmac: Add initial XDP support") +Signed-off-by: Furong Xu <0x1207@gmail.com> +Link: https://patch.msgid.link/20240919121028.1348023-1-0x1207@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index d6167a7b19f21..89a80e3e8bb88 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2018,7 +2018,7 @@ static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv, + rx_q->queue_index = queue; + rx_q->priv_data = priv; + +- pp_params.flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV; ++ pp_params.flags = PP_FLAG_DMA_MAP | (xdp_prog ? PP_FLAG_DMA_SYNC_DEV : 0); + pp_params.pool_size = dma_conf->dma_rx_size; + num_pages = DIV_ROUND_UP(dma_conf->dma_buf_sz, PAGE_SIZE); + pp_params.order = ilog2(num_pages); +-- +2.43.0 + diff --git a/queue-6.6/net-tipc-avoid-possible-garbage-value.patch b/queue-6.6/net-tipc-avoid-possible-garbage-value.patch new file mode 100644 index 00000000000..93dc42798ca --- /dev/null +++ b/queue-6.6/net-tipc-avoid-possible-garbage-value.patch @@ -0,0 +1,47 @@ +From 693002f3bf8bf40842b3fd852158ad170e5d0f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 19:01:20 +0800 +Subject: net: tipc: avoid possible garbage value + +From: Su Hui + +[ Upstream commit 99655a304e450baaae6b396cb942b9e47659d644 ] + +Clang static checker (scan-build) warning: +net/tipc/bcast.c:305:4: +The expression is an uninitialized value. The computed value will also +be garbage [core.uninitialized.Assign] + 305 | (*cong_link_cnt)++; + | ^~~~~~~~~~~~~~~~~~ + +tipc_rcast_xmit() will increase cong_link_cnt's value, but cong_link_cnt +is uninitialized. Although it won't really cause a problem, it's better +to fix it. + +Fixes: dca4a17d24ee ("tipc: fix potential hanging after b/rcast changing") +Signed-off-by: Su Hui +Reviewed-by: Justin Stitt +Link: https://patch.msgid.link/20240912110119.2025503-1-suhui@nfschina.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bcast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c +index 593846d252143..114fef65f92ea 100644 +--- a/net/tipc/bcast.c ++++ b/net/tipc/bcast.c +@@ -320,8 +320,8 @@ static int tipc_mcast_send_sync(struct net *net, struct sk_buff *skb, + { + struct tipc_msg *hdr, *_hdr; + struct sk_buff_head tmpq; ++ u16 cong_link_cnt = 0; + struct sk_buff *_skb; +- u16 cong_link_cnt; + int rc = 0; + + /* Is a cluster supporting with new capabilities ? */ +-- +2.43.0 + diff --git a/queue-6.6/net-xilinx-axienet-fix-packet-counting.patch b/queue-6.6/net-xilinx-axienet-fix-packet-counting.patch new file mode 100644 index 00000000000..22479009e0b --- /dev/null +++ b/queue-6.6/net-xilinx-axienet-fix-packet-counting.patch @@ -0,0 +1,98 @@ +From 7ba27a3a9d58f86fb1415be0b31168e91704f8b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 10:51:56 -0400 +Subject: net: xilinx: axienet: Fix packet counting + +From: Sean Anderson + +[ Upstream commit 5a6caa2cfabb559309b5ce29ee7c8e9ce1a9a9df ] + +axienet_free_tx_chain returns the number of DMA descriptors it's +handled. However, axienet_tx_poll treats the return as the number of +packets. When scatter-gather SKBs are enabled, a single packet may use +multiple DMA descriptors, which causes incorrect packet counts. Fix this +by explicitly keepting track of the number of packets processed as +separate from the DMA descriptors. + +Budget does not affect the number of Tx completions we can process for +NAPI, so we use the ring size as the limit instead of budget. As we no +longer return the number of descriptors processed to axienet_tx_poll, we +now update tx_bd_ci in axienet_free_tx_chain. + +Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Sean Anderson +Link: https://patch.msgid.link/20240913145156.2283067-1-sean.anderson@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/xilinx/xilinx_axienet_main.c | 23 +++++++++++-------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index f869d61e3b867..62c10eb4f0adf 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -652,15 +652,15 @@ static int axienet_device_reset(struct net_device *ndev) + * + * Would either be called after a successful transmit operation, or after + * there was an error when setting up the chain. +- * Returns the number of descriptors handled. ++ * Returns the number of packets handled. + */ + static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd, + int nr_bds, bool force, u32 *sizep, int budget) + { + struct axidma_bd *cur_p; + unsigned int status; ++ int i, packets = 0; + dma_addr_t phys; +- int i; + + for (i = 0; i < nr_bds; i++) { + cur_p = &lp->tx_bd_v[(first_bd + i) % lp->tx_bd_num]; +@@ -679,8 +679,10 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd, + (cur_p->cntrl & XAXIDMA_BD_CTRL_LENGTH_MASK), + DMA_TO_DEVICE); + +- if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK)) ++ if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK)) { + napi_consume_skb(cur_p->skb, budget); ++ packets++; ++ } + + cur_p->app0 = 0; + cur_p->app1 = 0; +@@ -696,7 +698,13 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd, + *sizep += status & XAXIDMA_BD_STS_ACTUAL_LEN_MASK; + } + +- return i; ++ if (!force) { ++ lp->tx_bd_ci += i; ++ if (lp->tx_bd_ci >= lp->tx_bd_num) ++ lp->tx_bd_ci %= lp->tx_bd_num; ++ } ++ ++ return packets; + } + + /** +@@ -747,13 +755,10 @@ static int axienet_tx_poll(struct napi_struct *napi, int budget) + u32 size = 0; + int packets; + +- packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, budget, false, &size, budget); ++ packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, lp->tx_bd_num, false, ++ &size, budget); + + if (packets) { +- lp->tx_bd_ci += packets; +- if (lp->tx_bd_ci >= lp->tx_bd_num) +- lp->tx_bd_ci %= lp->tx_bd_num; +- + u64_stats_update_begin(&lp->tx_stat_sync); + u64_stats_add(&lp->tx_packets, packets); + u64_stats_add(&lp->tx_bytes, size); +-- +2.43.0 + diff --git a/queue-6.6/net-xilinx-axienet-schedule-napi-in-two-steps.patch b/queue-6.6/net-xilinx-axienet-schedule-napi-in-two-steps.patch new file mode 100644 index 00000000000..1add57cb56b --- /dev/null +++ b/queue-6.6/net-xilinx-axienet-schedule-napi-in-two-steps.patch @@ -0,0 +1,60 @@ +From 4cdc1ad576d52d17d568ff3c658027d9daa8ae4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 10:57:11 -0400 +Subject: net: xilinx: axienet: Schedule NAPI in two steps + +From: Sean Anderson + +[ Upstream commit ba0da2dc934ec5ac32bbeecbd0670da16ba03565 ] + +As advised by Documentation/networking/napi.rst, masking IRQs after +calling napi_schedule can be racy. Avoid this by only masking/scheduling +if napi_schedule_prep returns true. + +Fixes: 9e2bc267e780 ("net: axienet: Use NAPI for TX completion path") +Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive") +Signed-off-by: Sean Anderson +Reviewed-by: Shannon Nelson +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240913145711.2284295-1-sean.anderson@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 65d7aaad43fe9..f869d61e3b867 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1042,9 +1042,10 @@ static irqreturn_t axienet_tx_irq(int irq, void *_ndev) + u32 cr = lp->tx_dma_cr; + + cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK); +- axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr); +- +- napi_schedule(&lp->napi_tx); ++ if (napi_schedule_prep(&lp->napi_tx)) { ++ axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr); ++ __napi_schedule(&lp->napi_tx); ++ } + } + + return IRQ_HANDLED; +@@ -1086,9 +1087,10 @@ static irqreturn_t axienet_rx_irq(int irq, void *_ndev) + u32 cr = lp->rx_dma_cr; + + cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK); +- axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr); +- +- napi_schedule(&lp->napi_rx); ++ if (napi_schedule_prep(&lp->napi_rx)) { ++ axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr); ++ __napi_schedule(&lp->napi_rx); ++ } + } + + return IRQ_HANDLED; +-- +2.43.0 + diff --git a/queue-6.6/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch b/queue-6.6/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch new file mode 100644 index 00000000000..10bd5882683 --- /dev/null +++ b/queue-6.6/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch @@ -0,0 +1,86 @@ +From 96b5bebfff759cac44233d2b40cef5da694567db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 16:14:41 +0100 +Subject: netfilter: ctnetlink: compile ctnetlink_label_size with + CONFIG_NF_CONNTRACK_EVENTS + +From: Simon Horman + +[ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ] + +Only provide ctnetlink_label_size when it is used, +which is when CONFIG_NF_CONNTRACK_EVENTS is configured. + +Flagged by clang-18 W=1 builds as: + +.../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function] + 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct) + | ^~~~~~~~~~~~~~~~~~~~ + +The condition on CONFIG_NF_CONNTRACK_LABELS being removed by +this patch guards compilation of non-trivial implementations +of ctnetlink_dump_labels() and ctnetlink_label_size(). + +However, this is not necessary as each of these functions +will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined +as each function starts with the equivalent of: + + struct nf_conn_labels *labels = nf_ct_labels_find(ct); + + if (!labels) + return 0; + +And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS +is not enabled. So I believe that the compiler optimises the code away +in such cases anyway. + +Found by inspection. +Compile tested only. + +Originally splitted in two patches, Pablo Neira Ayuso collapsed them and +added Fixes: tag. + +Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace") +Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/ +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 4dab45039f349..282e9644f6fdd 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -381,7 +381,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) + #define ctnetlink_dump_secctx(a, b) (0) + #endif + +-#ifdef CONFIG_NF_CONNTRACK_LABELS ++#ifdef CONFIG_NF_CONNTRACK_EVENTS + static inline int ctnetlink_label_size(const struct nf_conn *ct) + { + struct nf_conn_labels *labels = nf_ct_labels_find(ct); +@@ -390,6 +390,7 @@ static inline int ctnetlink_label_size(const struct nf_conn *ct) + return 0; + return nla_total_size(sizeof(labels->bits)); + } ++#endif + + static int + ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) +@@ -410,10 +411,6 @@ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) + + return 0; + } +-#else +-#define ctnetlink_dump_labels(a, b) (0) +-#define ctnetlink_label_size(a) (0) +-#endif + + #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) + +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch b/queue-6.6/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch new file mode 100644 index 00000000000..1c701ba9145 --- /dev/null +++ b/queue-6.6/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch @@ -0,0 +1,191 @@ +From 4cc361eb44188b50799f99cd1a36f16896bdef9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 17:06:15 +0000 +Subject: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() + +From: Eric Dumazet + +[ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ] + +syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending +garbage on the four reserved tcp bits (th->res1) + +Use skb_put_zero() to clear the whole TCP header, +as done in nf_reject_ip_tcphdr_put() + +BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 + nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + do_softirq+0x9a/0x100 kernel/softirq.c:455 + __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 + local_bh_enable include/linux/bottom_half.h:33 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] + __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 + dev_queue_xmit include/linux/netdevice.h:3105 [inline] + neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 + neigh_output include/net/neighbour.h:542 [inline] + ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 + __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] + ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 + NF_HOOK_COND include/linux/netfilter.h:303 [inline] + ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 + dst_output include/net/dst.h:450 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 + inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 + __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 + tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] + tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 + tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 + __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 + inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 + __sys_connect_file net/socket.c:2061 [inline] + __sys_connect+0x606/0x690 net/socket.c:2078 + __do_sys_connect net/socket.c:2088 [inline] + __se_sys_connect net/socket.c:2085 [inline] + __x64_sys_connect+0x91/0xe0 net/socket.c:2085 + x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was stored to memory at: + nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Uninit was stored to memory at: + nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3998 [inline] + slab_alloc_node mm/slub.c:4041 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 + alloc_skb include/linux/skbuff.h:1320 [inline] + nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Reviewed-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_reject_ipv6.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c +index 71d692728230e..690d1c0476913 100644 +--- a/net/ipv6/netfilter/nf_reject_ipv6.c ++++ b/net/ipv6/netfilter/nf_reject_ipv6.c +@@ -223,33 +223,23 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb, + const struct tcphdr *oth, unsigned int otcplen) + { + struct tcphdr *tcph; +- int needs_ack; + + skb_reset_transport_header(nskb); +- tcph = skb_put(nskb, sizeof(struct tcphdr)); ++ tcph = skb_put_zero(nskb, sizeof(struct tcphdr)); + /* Truncate to length (no data) */ + tcph->doff = sizeof(struct tcphdr)/4; + tcph->source = oth->dest; + tcph->dest = oth->source; + + if (oth->ack) { +- needs_ack = 0; + tcph->seq = oth->ack_seq; +- tcph->ack_seq = 0; + } else { +- needs_ack = 1; + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + + otcplen - (oth->doff<<2)); +- tcph->seq = 0; ++ tcph->ack = 1; + } + +- /* Reset flags */ +- ((u_int8_t *)tcph)[13] = 0; + tcph->rst = 1; +- tcph->ack = needs_ack; +- tcph->window = 0; +- tcph->urg_ptr = 0; +- tcph->check = 0; + + /* Adjust TCP checksum */ + tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr, +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-elements-with-timeout-below-conf.patch b/queue-6.6/netfilter-nf_tables-elements-with-timeout-below-conf.patch new file mode 100644 index 00000000000..94995c97fb5 --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-elements-with-timeout-below-conf.patch @@ -0,0 +1,37 @@ +From d92980f524f18c92878e5d0e6198f9d8d6941eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:41 +0200 +Subject: netfilter: nf_tables: elements with timeout below CONFIG_HZ never + expire + +From: Pablo Neira Ayuso + +[ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ] + +Element timeout that is below CONFIG_HZ never expires because the +timeout extension is not allocated given that nf_msecs_to_jiffies64() +returns 0. Set timeout to the minimum value to honor timeout. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index da5684e3fd08c..b28acdaaf9709 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4462,7 +4462,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) + return -ERANGE; + + ms *= NSEC_PER_MSEC; +- *result = nsecs_to_jiffies64(ms); ++ *result = nsecs_to_jiffies64(ms) ? : !!ms; + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch b/queue-6.6/netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch new file mode 100644 index 00000000000..b658d207e1f --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch @@ -0,0 +1,38 @@ +From 033d53f6d1c7e11baca61b48db0297bfaf269c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 14:21:33 +0200 +Subject: netfilter: nf_tables: Keep deleted flowtable hooks until after RCU + +From: Phil Sutter + +[ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ] + +Documentation of list_del_rcu() warns callers to not immediately free +the deleted list item. While it seems not necessary to use the +RCU-variant of list_del() here in the first place, doing so seems to +require calling kfree_rcu() on the deleted item as well. + +Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 6b6c16c5fc9ae..935e953b8e1bf 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8943,7 +8943,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) + flowtable->data.type->setup(&flowtable->data, hook->ops.dev, + FLOW_BLOCK_UNBIND); + list_del_rcu(&hook->list); +- kfree(hook); ++ kfree_rcu(hook, rcu); + } + kfree(flowtable->name); + module_put(flowtable->data.type->owner); +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-reject-element-expiration-with-n.patch b/queue-6.6/netfilter-nf_tables-reject-element-expiration-with-n.patch new file mode 100644 index 00000000000..998d0ff611b --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-reject-element-expiration-with-n.patch @@ -0,0 +1,40 @@ +From ed4d82a1ef784012edefc2c2d6b081c890f6cdba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:49 +0200 +Subject: netfilter: nf_tables: reject element expiration with no timeout + +From: Pablo Neira Ayuso + +[ Upstream commit d2dc429ecb4e79ad164028d965c00f689e6f6d06 ] + +If element timeout is unset and set provides no default timeout, the +element expiration is silently ignored, reject this instead to let user +know this is unsupported. + +Also prepare for supporting timeout that never expire, where zero +timeout and expiration must be also rejected. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b28acdaaf9709..8bb61fb62a2b6 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6698,6 +6698,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { + if (!(set->flags & NFT_SET_TIMEOUT)) + return -EINVAL; ++ if (timeout == 0) ++ return -EOPNOTSUPP; ++ + err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], + &expiration); + if (err) +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-reject-expiration-higher-than-ti.patch b/queue-6.6/netfilter-nf_tables-reject-expiration-higher-than-ti.patch new file mode 100644 index 00000000000..b704ef3412e --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-reject-expiration-higher-than-ti.patch @@ -0,0 +1,36 @@ +From 25b50d89e5f61b1dc8e728de8e4cbfed1cafc568 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:58 +0200 +Subject: netfilter: nf_tables: reject expiration higher than timeout + +From: Pablo Neira Ayuso + +[ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ] + +Report ERANGE to userspace if user specifies an expiration larger than +the timeout. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8bb61fb62a2b6..842c9ac6e2341 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6705,6 +6705,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + &expiration); + if (err) + return err; ++ ++ if (expiration > timeout) ++ return -ERANGE; + } + + if (nla[NFTA_SET_ELEM_EXPR]) { +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-remove-annotation-to-access-set-.patch b/queue-6.6/netfilter-nf_tables-remove-annotation-to-access-set-.patch new file mode 100644 index 00000000000..825217c9165 --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-remove-annotation-to-access-set-.patch @@ -0,0 +1,44 @@ +From 8983de874b6a99c686299a90da18c94ad59d5917 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:07:06 +0200 +Subject: netfilter: nf_tables: remove annotation to access set timeout while + holding lock + +From: Pablo Neira Ayuso + +[ Upstream commit 15d8605c0cf4fc9cf4386cae658c68a0fd4bdb92 ] + +Mutex is held when adding an element, no need for READ_ONCE, remove it. + +Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 842c9ac6e2341..6b6c16c5fc9ae 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6691,7 +6691,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + return err; + } else if (set->flags & NFT_SET_TIMEOUT && + !(flags & NFT_SET_ELEM_INTERVAL_END)) { +- timeout = READ_ONCE(set->timeout); ++ timeout = set->timeout; + } + + expiration = 0; +@@ -6798,7 +6798,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (err < 0) + goto err_parse_key_end; + +- if (timeout != READ_ONCE(set->timeout)) { ++ if (timeout != set->timeout) { + err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); + if (err < 0) + goto err_parse_key_end; +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch b/queue-6.6/netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch new file mode 100644 index 00000000000..b7f912f4481 --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch @@ -0,0 +1,38 @@ +From c0aa7dd11211cfe90250eeddc3d5cd663d35171f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Sep 2024 23:07:46 +0200 +Subject: netfilter: nf_tables: use rcu chain hook list iterator from netlink + dump path + +From: Pablo Neira Ayuso + +[ Upstream commit 4ffcf5ca81c3b83180473eb0d3c010a1a7c6c4de ] + +Lockless iteration over hook list is possible from netlink dump path, +use rcu variant to iterate over the hook list as is done with flowtable +hooks. + +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Reported-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 935e953b8e1bf..da7fd3919ce48 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1778,7 +1778,7 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family, + if (!hook_list) + hook_list = &basechain->hook_list; + +- list_for_each_entry(hook, hook_list, list) { ++ list_for_each_entry_rcu(hook, hook_list, list) { + if (!first) + first = hook; + +-- +2.43.0 + diff --git a/queue-6.6/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch b/queue-6.6/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch new file mode 100644 index 00000000000..4b5ac416553 --- /dev/null +++ b/queue-6.6/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch @@ -0,0 +1,58 @@ +From 9dde11db72aa04cf6918627cef7cc6d56be212f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 22:03:18 +0800 +Subject: nfsd: call cache_put if xdr_reserve_space returns NULL + +From: Guoqing Jiang + +[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ] + +If not enough buffer space available, but idmap_lookup has triggered +lookup_fn which calls cache_get and returns successfully. Then we +missed to call cache_put here which pairs with cache_get. + +Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding") +Signed-off-by: Guoqing Jiang +Reviwed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4idmap.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c +index 7a806ac13e317..8cca1329f3485 100644 +--- a/fs/nfsd/nfs4idmap.c ++++ b/fs/nfsd/nfs4idmap.c +@@ -581,6 +581,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr, + .id = id, + .type = type, + }; ++ __be32 status = nfs_ok; + __be32 *p; + int ret; + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); +@@ -593,12 +594,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr, + return nfserrno(ret); + ret = strlen(item->name); + WARN_ON_ONCE(ret > IDMAP_NAMESZ); ++ + p = xdr_reserve_space(xdr, ret + 4); +- if (!p) +- return nfserr_resource; +- p = xdr_encode_opaque(p, item->name, ret); ++ if (unlikely(!p)) { ++ status = nfserr_resource; ++ goto out_put; ++ } ++ xdr_encode_opaque(p, item->name, ret); ++out_put: + cache_put(&item->h, nn->idtoname_cache); +- return 0; ++ return status; + } + + static bool +-- +2.43.0 + diff --git a/queue-6.6/nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch b/queue-6.6/nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch new file mode 100644 index 00000000000..81ae033c252 --- /dev/null +++ b/queue-6.6/nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch @@ -0,0 +1,37 @@ +From b44158ad1235dc394650d633b36bd22e266c4d95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 09:05:32 -0400 +Subject: nfsd: fix refcount leak when file is unhashed after being found + +From: Jeff Layton + +[ Upstream commit 8a7926176378460e0d91e02b03f0ff20a8709a60 ] + +If we wait_for_construction and find that the file is no longer hashed, +and we're going to retry the open, the old nfsd_file reference is +currently leaked. Put the reference before retrying. + +Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error") +Signed-off-by: Jeff Layton +Tested-by: Youzhong Yang +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/filecache.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index 88cefb630e171..5c9f8f8404d5b 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -1054,6 +1054,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp, + status = nfserr_jukebox; + goto construction_err; + } ++ nfsd_file_put(nf); + open_retry = false; + fh_put(fhp); + goto retry; +-- +2.43.0 + diff --git a/queue-6.6/nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch b/queue-6.6/nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch new file mode 100644 index 00000000000..1785ca9efd4 --- /dev/null +++ b/queue-6.6/nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch @@ -0,0 +1,37 @@ +From dd1a726a835366fa3c01dd98137bb980fd209b7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:11:13 -0400 +Subject: nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire + +From: Jeff Layton + +[ Upstream commit 81a95c2b1d605743220f28db04b8da13a65c4059 ] + +Given that we do the search and insertion while holding the i_lock, I +don't think it's possible for us to get EEXIST here. Remove this case. + +Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error") +Signed-off-by: Jeff Layton +Tested-by: Youzhong Yang +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/filecache.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index 07bf219f9ae48..88cefb630e171 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -1040,8 +1040,6 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp, + if (likely(ret == 0)) + goto open_file; + +- if (ret == -EEXIST) +- goto retry; + trace_nfsd_file_insert_err(rqstp, inode, may_flags, ret); + status = nfserr_jukebox; + goto construction_err; +-- +2.43.0 + diff --git a/queue-6.6/nfsd-return-einval-when-namelen-is-0.patch b/queue-6.6/nfsd-return-einval-when-namelen-is-0.patch new file mode 100644 index 00000000000..512f20dee18 --- /dev/null +++ b/queue-6.6/nfsd-return-einval-when-namelen-is-0.patch @@ -0,0 +1,95 @@ +From 2a9701f751b3cd00e06194aadb583d3139b56c3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 19:14:46 +0800 +Subject: nfsd: return -EINVAL when namelen is 0 + +From: Li Lingfeng + +[ Upstream commit 22451a16b7ab7debefce660672566be887db1637 ] + +When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may +result in namelen being 0, which will cause memdup_user() to return +ZERO_SIZE_PTR. +When we access the name.data that has been assigned the value of +ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is +triggered. + +[ T1205] ================================================================== +[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 +[ T1205] +[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 +[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 +[ T1205] Call Trace: +[ T1205] dump_stack+0x9a/0xd0 +[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] __kasan_report.cold+0x34/0x84 +[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] kasan_report+0x3a/0x50 +[ T1205] nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] ? nfsd4_release_lockowner+0x410/0x410 +[ T1205] cld_pipe_downcall+0x5ca/0x760 +[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 +[ T1205] ? down_write_killable_nested+0x170/0x170 +[ T1205] ? avc_policy_seqno+0x28/0x40 +[ T1205] ? selinux_file_permission+0x1b4/0x1e0 +[ T1205] rpc_pipe_write+0x84/0xb0 +[ T1205] vfs_write+0x143/0x520 +[ T1205] ksys_write+0xc9/0x170 +[ T1205] ? __ia32_sys_read+0x50/0x50 +[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 +[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 +[ T1205] do_syscall_64+0x33/0x40 +[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 +[ T1205] RIP: 0033:0x7fdbdb761bc7 +[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 +[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 +[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 +[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 +[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b +[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 +[ T1205] ================================================================== + +Fix it by checking namelen. + +Signed-off-by: Li Lingfeng +Fixes: 74725959c33c ("nfsd: un-deprecate nfsdcld") +Reviewed-by: Jeff Layton +Reviewed-by: Scott Mayhew +Tested-by: Scott Mayhew +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4recover.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c +index 3509e73abe1f4..4395577825a7f 100644 +--- a/fs/nfsd/nfs4recover.c ++++ b/fs/nfsd/nfs4recover.c +@@ -806,6 +806,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + ci = &cmsg->cm_u.cm_clntinfo; + if (get_user(namelen, &ci->cc_name.cn_len)) + return -EFAULT; ++ if (!namelen) { ++ dprintk("%s: namelen should not be zero", __func__); ++ return -EINVAL; ++ } + name.data = memdup_user(&ci->cc_name.cn_id, namelen); + if (IS_ERR(name.data)) + return PTR_ERR(name.data); +@@ -828,6 +832,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + cnm = &cmsg->cm_u.cm_name; + if (get_user(namelen, &cnm->cn_len)) + return -EFAULT; ++ if (!namelen) { ++ dprintk("%s: namelen should not be zero", __func__); ++ return -EINVAL; ++ } + name.data = memdup_user(&cnm->cn_id, namelen); + if (IS_ERR(name.data)) + return PTR_ERR(name.data); +-- +2.43.0 + diff --git a/queue-6.6/nilfs2-determine-empty-node-blocks-as-corrupted.patch b/queue-6.6/nilfs2-determine-empty-node-blocks-as-corrupted.patch new file mode 100644 index 00000000000..df731a3a4e9 --- /dev/null +++ b/queue-6.6/nilfs2-determine-empty-node-blocks-as-corrupted.patch @@ -0,0 +1,47 @@ +From 297ccffcdc3a045ca56c60feabdc60bd95576be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:08 +0900 +Subject: nilfs2: determine empty node blocks as corrupted + +From: Ryusuke Konishi + +[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ] + +Due to the nature of b-trees, nilfs2 itself and admin tools such as +mkfs.nilfs2 will never create an intermediate b-tree node block with 0 +child nodes, nor will they delete (key, pointer)-entries that would result +in such a state. However, it is possible that a b-tree node block is +corrupted on the backing device and is read with 0 child nodes. + +Because operation is not guaranteed if the number of child nodes is 0 for +intermediate node blocks other than the root node, modify +nilfs_btree_node_broken(), which performs sanity checks when reading a +b-tree node block, so that such cases will be judged as metadata +corruption. + +Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index fa51ed649968e..dac090c162a7a 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -350,7 +350,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node, + if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN || + level >= NILFS_BTREE_LEVEL_MAX || + (flags & NILFS_BTREE_NODE_ROOT) || +- nchildren < 0 || ++ nchildren <= 0 || + nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) { + nilfs_crit(inode->i_sb, + "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d", +-- +2.43.0 + diff --git a/queue-6.6/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch b/queue-6.6/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch new file mode 100644 index 00000000000..dba5b5ec893 --- /dev/null +++ b/queue-6.6/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch @@ -0,0 +1,66 @@ +From 98f34e96ab70b09f6ee78d49c5aac306a4f90797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:07 +0900 +Subject: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() + +From: Ryusuke Konishi + +[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ] + +Patch series "nilfs2: fix potential issues with empty b-tree nodes". + +This series addresses three potential issues with empty b-tree nodes that +can occur with corrupted filesystem images, including one recently +discovered by syzbot. + +This patch (of 3): + +If a b-tree is broken on the device, and the b-tree height is greater than +2 (the level of the root node is greater than 1) even if the number of +child nodes of the b-tree root is 0, a NULL pointer dereference occurs in +nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert(). + +This is because, when the number of child nodes of the b-tree root is 0, +nilfs_btree_do_lookup() does not set the block buffer head in any of +path[x].bp_bh, leaving it as the initial value of NULL, but if the level +of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), +which accesses the buffer memory of path[x].bp_bh, is called. + +Fix this issue by adding a check to nilfs_btree_root_broken(), which +performs sanity checks when reading the root node from the device, to +detect this inconsistency. + +Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause +early on. + +Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com +Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index 598f058670595..fa51ed649968e 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -381,7 +381,8 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node, + if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN || + level >= NILFS_BTREE_LEVEL_MAX || + nchildren < 0 || +- nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) { ++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX || ++ (nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN))) { + nilfs_crit(inode->i_sb, + "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d", + inode->i_ino, level, flags, nchildren); +-- +2.43.0 + diff --git a/queue-6.6/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch b/queue-6.6/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch new file mode 100644 index 00000000000..bb199932c6a --- /dev/null +++ b/queue-6.6/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch @@ -0,0 +1,68 @@ +From c3ed3a8f6da0b1a5007bde835748c8bf1690f8d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:09 +0900 +Subject: nilfs2: fix potential oob read in nilfs_btree_check_delete() + +From: Ryusuke Konishi + +[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ] + +The function nilfs_btree_check_delete(), which checks whether degeneration +to direct mapping occurs before deleting a b-tree entry, causes memory +access outside the block buffer when retrieving the maximum key if the +root node has no entries. + +This does not usually happen because b-tree mappings with 0 child nodes +are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen +if the b-tree root node read from a device is configured that way, so fix +this potential issue by adding a check for that case. + +Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index dac090c162a7a..dbd27a44632fa 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -1659,13 +1659,16 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key) + int nchildren, ret; + + root = nilfs_btree_get_root(btree); ++ nchildren = nilfs_btree_node_get_nchildren(root); ++ if (unlikely(nchildren == 0)) ++ return 0; ++ + switch (nilfs_btree_height(btree)) { + case 2: + bh = NULL; + node = root; + break; + case 3: +- nchildren = nilfs_btree_node_get_nchildren(root); + if (nchildren > 1) + return 0; + ptr = nilfs_btree_node_get_ptr(root, nchildren - 1, +@@ -1674,12 +1677,12 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key) + if (ret < 0) + return ret; + node = (struct nilfs_btree_node *)bh->b_data; ++ nchildren = nilfs_btree_node_get_nchildren(node); + break; + default: + return 0; + } + +- nchildren = nilfs_btree_node_get_nchildren(node); + maxkey = nilfs_btree_node_get_key(node, nchildren - 1); + nextmaxkey = (nchildren > 1) ? + nilfs_btree_node_get_key(node, nchildren - 2) : 0; +-- +2.43.0 + diff --git a/queue-6.6/ntb-force-physically-contiguous-allocation-of-rx-rin.patch b/queue-6.6/ntb-force-physically-contiguous-allocation-of-rx-rin.patch new file mode 100644 index 00000000000..2852a8ffca4 --- /dev/null +++ b/queue-6.6/ntb-force-physically-contiguous-allocation-of-rx-rin.patch @@ -0,0 +1,88 @@ +From 0f24d13d4d614b5f8d79d888f6b25c2513773a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 14:22:07 -0700 +Subject: ntb: Force physically contiguous allocation of rx ring buffers + +From: Dave Jiang + +[ Upstream commit 061a785a114f159e990ea8ed8d1b7dca4b41120f ] + +Physical addresses under IOVA on x86 platform are mapped contiguously +as a side effect before the patch that removed CONFIG_DMA_REMAP. The +NTB rx buffer ring is a single chunk DMA buffer that is allocated +against the NTB PCI device. If the receive side is using a DMA device, +then the buffers are remapped against the DMA device before being +submitted via the dmaengine API. This scheme becomes a problem when +the physical memory is discontiguous. When dma_map_page() is called +on the kernel virtual address from the dma_alloc_coherent() call, the +new IOVA mapping no longer points to all the physical memory allocated +due to being discontiguous. Change dma_alloc_coherent() to dma_alloc_attrs() +in order to force DMA_ATTR_FORCE_CONTIGUOUS attribute. This is the best +fix for the circumstance. A potential future solution may be having the DMA +mapping API providing a way to alias an existing IOVA mapping to a new +device perhaps. + +This fix is not to fix the patch pointed to by the fixes tag, but to fix +the issue arised in the ntb_transport driver on x86 platforms after the +said patch is applied. + +Reported-by: Jerry Dai +Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") +Tested-by: Jerry Dai +Signed-off-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index f9e7847a378e7..c84fadfc63c52 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -807,16 +807,29 @@ static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw) + } + + static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw, +- struct device *dma_dev, size_t align) ++ struct device *ntb_dev, size_t align) + { + dma_addr_t dma_addr; + void *alloc_addr, *virt_addr; + int rc; + +- alloc_addr = dma_alloc_coherent(dma_dev, mw->alloc_size, +- &dma_addr, GFP_KERNEL); ++ /* ++ * The buffer here is allocated against the NTB device. The reason to ++ * use dma_alloc_*() call is to allocate a large IOVA contiguous buffer ++ * backing the NTB BAR for the remote host to write to. During receive ++ * processing, the data is being copied out of the receive buffer to ++ * the kernel skbuff. When a DMA device is being used, dma_map_page() ++ * is called on the kvaddr of the receive buffer (from dma_alloc_*()) ++ * and remapped against the DMA device. It appears to be a double ++ * DMA mapping of buffers, but first is mapped to the NTB device and ++ * second is to the DMA device. DMA_ATTR_FORCE_CONTIGUOUS is necessary ++ * in order for the later dma_map_page() to not fail. ++ */ ++ alloc_addr = dma_alloc_attrs(ntb_dev, mw->alloc_size, ++ &dma_addr, GFP_KERNEL, ++ DMA_ATTR_FORCE_CONTIGUOUS); + if (!alloc_addr) { +- dev_err(dma_dev, "Unable to alloc MW buff of size %zu\n", ++ dev_err(ntb_dev, "Unable to alloc MW buff of size %zu\n", + mw->alloc_size); + return -ENOMEM; + } +@@ -845,7 +858,7 @@ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw, + return 0; + + err: +- dma_free_coherent(dma_dev, mw->alloc_size, alloc_addr, dma_addr); ++ dma_free_coherent(ntb_dev, mw->alloc_size, alloc_addr, dma_addr); + + return rc; + } +-- +2.43.0 + diff --git a/queue-6.6/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch b/queue-6.6/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch new file mode 100644 index 00000000000..74f46afae6f --- /dev/null +++ b/queue-6.6/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch @@ -0,0 +1,37 @@ +From d1778aaf586f2c037379210582281537356f07a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 20:39:27 +0800 +Subject: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() + +From: Jinjie Ruan + +[ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ] + +The debugfs_create_dir() function returns error pointers. +It never returns NULL. So use IS_ERR() to check it. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Jinjie Ruan +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 9ab836d0d4f12..079b8cd797857 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -778,7 +778,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev) + ndev->debugfs_dir = + debugfs_create_dir(pci_name(ndev->ntb.pdev), + debugfs_dir); +- if (!ndev->debugfs_dir) ++ if (IS_ERR(ndev->debugfs_dir)) + ndev->debugfs_info = NULL; + else + ndev->debugfs_info = +-- +2.43.0 + diff --git a/queue-6.6/ntb_perf-fix-printk-format.patch b/queue-6.6/ntb_perf-fix-printk-format.patch new file mode 100644 index 00000000000..2c4c75396f8 --- /dev/null +++ b/queue-6.6/ntb_perf-fix-printk-format.patch @@ -0,0 +1,35 @@ +From eeaa521562a5d875312cb8d422069e3b6c9aa49e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Oct 2023 20:45:16 -0700 +Subject: ntb_perf: Fix printk format + +From: Max Hawking + +[ Upstream commit 1501ae7479c8d0f66efdbfdc9ae8d6136cefbd37 ] + +The correct printk format is %pa or %pap, but not %pa[p]. + +Fixes: 99a06056124d ("NTB: ntb_perf: Fix address err in perf_copy_chunk") +Signed-off-by: Max Hawking +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_perf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c +index 553f1f46bc664..72bc1d017a46e 100644 +--- a/drivers/ntb/test/ntb_perf.c ++++ b/drivers/ntb/test/ntb_perf.c +@@ -1227,7 +1227,7 @@ static ssize_t perf_dbgfs_read_info(struct file *filep, char __user *ubuf, + "\tOut buffer addr 0x%pK\n", peer->outbuf); + + pos += scnprintf(buf + pos, buf_size - pos, +- "\tOut buff phys addr %pa[p]\n", &peer->out_phys_addr); ++ "\tOut buff phys addr %pap\n", &peer->out_phys_addr); + + pos += scnprintf(buf + pos, buf_size - pos, + "\tOut buffer size %pa\n", &peer->outbuf_size); +-- +2.43.0 + diff --git a/queue-6.6/nvdimm-fix-devs-leaks-in-scan_labels.patch b/queue-6.6/nvdimm-fix-devs-leaks-in-scan_labels.patch new file mode 100644 index 00000000000..359306ccc9d --- /dev/null +++ b/queue-6.6/nvdimm-fix-devs-leaks-in-scan_labels.patch @@ -0,0 +1,127 @@ +From cb4409a507250e4c9e71b1bf82eae0d0ed4cfc24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 14:20:44 +0800 +Subject: nvdimm: Fix devs leaks in scan_labels() + +From: Li Zhijian + +[ Upstream commit 62c2aa6b1f565d2fc1ec11a6e9e8336ce37a6426 ] + +scan_labels() leaks memory when label scanning fails and it falls back +to just creating a default "seed" namespace for userspace to configure. +Root can force the kernel to leak memory. + +Allocate the minimum resources unconditionally and release them when +unneeded to avoid the memory leak. + +A kmemleak reports: +unreferenced object 0xffff88800dda1980 (size 16): + comm "kworker/u10:5", pid 69, jiffies 4294671781 + hex dump (first 16 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 0): + [<00000000c5dea560>] __kmalloc+0x32c/0x470 + [<000000009ed43c83>] nd_region_register_namespaces+0x6fb/0x1120 [libnvdimm] + [<000000000e07a65c>] nd_region_probe+0xfe/0x210 [libnvdimm] + [<000000007b79ce5f>] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] + [<00000000a5f3da2e>] really_probe+0xc6/0x390 + [<00000000129e2a69>] __driver_probe_device+0x78/0x150 + [<000000002dfed28b>] driver_probe_device+0x1e/0x90 + [<00000000e7048de2>] __device_attach_driver+0x85/0x110 + [<0000000032dca295>] bus_for_each_drv+0x85/0xe0 + [<00000000391c5a7d>] __device_attach+0xbe/0x1e0 + [<0000000026dabec0>] bus_probe_device+0x94/0xb0 + [<00000000c590d936>] device_add+0x656/0x870 + [<000000003d69bfaa>] nd_async_device_register+0xe/0x50 [libnvdimm] + [<000000003f4c52a4>] async_run_entry_fn+0x2e/0x110 + [<00000000e201f4b0>] process_one_work+0x1ee/0x600 + [<000000006d90d5a9>] worker_thread+0x183/0x350 + +Cc: Dave Jiang +Cc: Ira Weiny +Fixes: 1b40e09a1232 ("libnvdimm: blk labels and namespace instantiation") +Suggested-by: Dan Williams +Signed-off-by: Li Zhijian +Reviewed-by: Dan Williams +Reviewed-by: Ira Weiny +Link: https://patch.msgid.link/20240819062045.1481298-1-lizhijian@fujitsu.com +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/namespace_devs.c | 34 ++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c +index 07177eadc56e8..1ea8c27e8874d 100644 +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1927,12 +1927,16 @@ static int cmp_dpa(const void *a, const void *b) + static struct device **scan_labels(struct nd_region *nd_region) + { + int i, count = 0; +- struct device *dev, **devs = NULL; ++ struct device *dev, **devs; + struct nd_label_ent *label_ent, *e; + struct nd_mapping *nd_mapping = &nd_region->mapping[0]; + struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); + resource_size_t map_end = nd_mapping->start + nd_mapping->size - 1; + ++ devs = kcalloc(2, sizeof(dev), GFP_KERNEL); ++ if (!devs) ++ return NULL; ++ + /* "safe" because create_namespace_pmem() might list_move() label_ent */ + list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) { + struct nd_namespace_label *nd_label = label_ent->label; +@@ -1951,12 +1955,14 @@ static struct device **scan_labels(struct nd_region *nd_region) + goto err; + if (i < count) + continue; +- __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL); +- if (!__devs) +- goto err; +- memcpy(__devs, devs, sizeof(dev) * count); +- kfree(devs); +- devs = __devs; ++ if (count) { ++ __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL); ++ if (!__devs) ++ goto err; ++ memcpy(__devs, devs, sizeof(dev) * count); ++ kfree(devs); ++ devs = __devs; ++ } + + dev = create_namespace_pmem(nd_region, nd_mapping, nd_label); + if (IS_ERR(dev)) { +@@ -1983,11 +1989,6 @@ static struct device **scan_labels(struct nd_region *nd_region) + + /* Publish a zero-sized namespace for userspace to configure. */ + nd_mapping_free_labels(nd_mapping); +- +- devs = kcalloc(2, sizeof(dev), GFP_KERNEL); +- if (!devs) +- goto err; +- + nspm = kzalloc(sizeof(*nspm), GFP_KERNEL); + if (!nspm) + goto err; +@@ -2026,11 +2027,10 @@ static struct device **scan_labels(struct nd_region *nd_region) + return devs; + + err: +- if (devs) { +- for (i = 0; devs[i]; i++) +- namespace_pmem_release(devs[i]); +- kfree(devs); +- } ++ for (i = 0; devs[i]; i++) ++ namespace_pmem_release(devs[i]); ++ kfree(devs); ++ + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.6/nvme-multipath-system-fails-to-create-generic-nvme-d.patch b/queue-6.6/nvme-multipath-system-fails-to-create-generic-nvme-d.patch new file mode 100644 index 00000000000..beb3c6159f2 --- /dev/null +++ b/queue-6.6/nvme-multipath-system-fails-to-create-generic-nvme-d.patch @@ -0,0 +1,42 @@ +From af7df57aaabe2ce48c8e69258ecbae7e933ec25f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Sep 2024 14:01:22 +0200 +Subject: nvme-multipath: system fails to create generic nvme device + +From: Hannes Reinecke + +[ Upstream commit 63bcf9014e95a7d279d10d8e2caa5d88db2b1855 ] + +NVME_NSHEAD_DISK_LIVE is a flag for struct nvme_ns_head, not nvme_ns. +The current code has a typo causing NVME_NSHEAD_DISK_LIVE never to +be cleared once device_add_disk_fails, causing the system never to +create the 'generic' character device. Even several rescan attempts +will change the situation and the system has to be rebooted to fix +the issue. + +Fixes: 11384580e332 ("nvme-multipath: add error handling support for add_disk()") +Signed-off-by: Hannes Reinecke +Reviewed-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 645a6b1322205..37ea0fa421da8 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -585,7 +585,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + rc = device_add_disk(&head->subsys->dev, head->disk, + nvme_ns_id_attr_groups); + if (rc) { +- clear_bit(NVME_NSHEAD_DISK_LIVE, &ns->flags); ++ clear_bit(NVME_NSHEAD_DISK_LIVE, &head->flags); + return; + } + nvme_add_ns_head_cdev(head); +-- +2.43.0 + diff --git a/queue-6.6/padata-honor-the-caller-s-alignment-in-case-of-chunk.patch b/queue-6.6/padata-honor-the-caller-s-alignment-in-case-of-chunk.patch new file mode 100644 index 00000000000..6218cd8884a --- /dev/null +++ b/queue-6.6/padata-honor-the-caller-s-alignment-in-case-of-chunk.patch @@ -0,0 +1,51 @@ +From 0c70f9d8876152e407cb87b421c52b5348f194b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 02:32:52 +0530 +Subject: padata: Honor the caller's alignment in case of chunk_size 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kamlesh Gurudasani + +[ Upstream commit 24cc57d8faaa4060fd58adf810b858fcfb71a02f ] + +In the case where we are forcing the ps.chunk_size to be at least 1, +we are ignoring the caller's alignment. + +Move the forcing of ps.chunk_size to be at least 1 before rounding it +up to caller's alignment, so that caller's alignment is honored. + +While at it, use max() to force the ps.chunk_size to be at least 1 to +improve readability. + +Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()") +Signed-off-by: Kamlesh Gurudasani +Acked-by:  Waiman Long +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 29545dd6dd53d..da788a58d19cf 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -511,9 +511,12 @@ void __init padata_do_multithreaded(struct padata_mt_job *job) + * thread function. Load balance large jobs between threads by + * increasing the number of chunks, guarantee at least the minimum + * chunk size from the caller, and honor the caller's alignment. ++ * Ensure chunk_size is at least 1 to prevent divide-by-0 ++ * panic in padata_mt_helper(). + */ + ps.chunk_size = job->size / (ps.nworks * load_balance_factor); + ps.chunk_size = max(ps.chunk_size, job->min_chunk); ++ ps.chunk_size = max(ps.chunk_size, 1ul); + ps.chunk_size = roundup(ps.chunk_size, job->align); + + /* +-- +2.43.0 + diff --git a/queue-6.6/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch b/queue-6.6/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch new file mode 100644 index 00000000000..b87951cd729 --- /dev/null +++ b/queue-6.6/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch @@ -0,0 +1,45 @@ +From 96901bb0acdecca4d6eddc6ff8c07368fc846eb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 18:53:26 -0500 +Subject: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit 6188a1c762eb9bbd444f47696eda77a5eae6207a ] + +This code accidentally uses && where || was intended. It potentially +results in a NULL dereference. + +Thus, fix the if-statement expression to use the correct condition. + +Fixes: 86f271f22bbb ("PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)") +Link: https://lore.kernel.org/linux-pci/1b762a93-e1b2-4af3-8c04-c8843905c279@stanley.mountain +Signed-off-by: Dan Carpenter +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Siddharth Vadapalli +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-keystone.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c +index c1dedc83759c6..c5475830c835f 100644 +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -579,7 +579,7 @@ static void ks_pcie_quirk(struct pci_dev *dev) + */ + if (pci_match_id(am6_pci_devids, bridge)) { + bridge_dev = pci_get_host_bridge_device(dev); +- if (!bridge_dev && !bridge_dev->parent) ++ if (!bridge_dev || !bridge_dev->parent) + return; + + ks_pcie = dev_get_drvdata(bridge_dev->parent); +-- +2.43.0 + diff --git a/queue-6.6/pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch b/queue-6.6/pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch new file mode 100644 index 00000000000..aa5a8b885d1 --- /dev/null +++ b/queue-6.6/pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch @@ -0,0 +1,55 @@ +From 8c8c57074b435386b079ba0a7ef7ee448ef790fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 14:58:23 +0300 +Subject: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandra Diupina + +[ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ] + +Within kirin_pcie_parse_port(), the pcie->num_slots is compared to +pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead +to an overflow. + +Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move +pcie->num_slots increment below the if-statement to avoid out-of-bounds +array access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge") +Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru +Signed-off-by: Alexandra Diupina +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-kirin.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c +index 2ee146767971c..421697ec7591d 100644 +--- a/drivers/pci/controller/dwc/pcie-kirin.c ++++ b/drivers/pci/controller/dwc/pcie-kirin.c +@@ -415,12 +415,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie, + if (pcie->gpio_id_reset[i] < 0) + continue; + +- pcie->num_slots++; +- if (pcie->num_slots > MAX_PCI_SLOTS) { ++ if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) { + dev_err(dev, "Too many PCI slots!\n"); + ret = -EINVAL; + goto put_node; + } ++ pcie->num_slots++; + + ret = of_pci_get_devfn(child); + if (ret < 0) { +-- +2.43.0 + diff --git a/queue-6.6/pci-wait-for-link-before-restoring-downstream-buses.patch b/queue-6.6/pci-wait-for-link-before-restoring-downstream-buses.patch new file mode 100644 index 00000000000..19d6733d27f --- /dev/null +++ b/queue-6.6/pci-wait-for-link-before-restoring-downstream-buses.patch @@ -0,0 +1,69 @@ +From 31969a64ffc7118a3aa44cbd023a3c11ff21f025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 15:17:07 +0300 +Subject: PCI: Wait for Link before restoring Downstream Buses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 3e40aa29d47e231a54640addf6a09c1f64c5b63f ] + +__pci_reset_bus() calls pci_bridge_secondary_bus_reset() to perform the +reset and also waits for the Secondary Bus to become again accessible. +__pci_reset_bus() then calls pci_bus_restore_locked() that restores the PCI +devices connected to the bus, and if necessary, recursively restores also +the subordinate buses and their devices. + +The logic in pci_bus_restore_locked() does not take into account that after +restoring a device on one level, there might be another Link Downstream +that can only start to come up after restore has been performed for its +Downstream Port device. That is, the Link may require additional wait until +it becomes accessible. + +Similarly, pci_slot_restore_locked() lacks wait. + +Amend pci_bus_restore_locked() and pci_slot_restore_locked() to wait for +the Secondary Bus before recursively performing the restore of that bus. + +Fixes: 090a3c5322e9 ("PCI: Add pci_reset_slot() and pci_reset_bus()") +Link: https://lore.kernel.org/r/20240808121708.2523-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 53e9e9788bd54..da52f98d8f7f3 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5875,8 +5875,10 @@ static void pci_bus_restore_locked(struct pci_bus *bus) + + list_for_each_entry(dev, &bus->devices, bus_list) { + pci_dev_restore(dev); +- if (dev->subordinate) ++ if (dev->subordinate) { ++ pci_bridge_wait_for_secondary_bus(dev, "bus reset"); + pci_bus_restore_locked(dev->subordinate); ++ } + } + } + +@@ -5910,8 +5912,10 @@ static void pci_slot_restore_locked(struct pci_slot *slot) + if (!dev->slot || dev->slot != slot) + continue; + pci_dev_restore(dev); +- if (dev->subordinate) ++ if (dev->subordinate) { ++ pci_bridge_wait_for_secondary_bus(dev, "slot reset"); + pci_bus_restore_locked(dev->subordinate); ++ } + } + } + +-- +2.43.0 + diff --git a/queue-6.6/pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch b/queue-6.6/pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch new file mode 100644 index 00000000000..23766ec862a --- /dev/null +++ b/queue-6.6/pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch @@ -0,0 +1,85 @@ +From fd879fcba6e655fb49e09f2d036e87be950ee00c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 12:13:35 -0400 +Subject: PCI: xilinx-nwl: Clean up clock on probe failure/removal + +From: Sean Anderson + +[ Upstream commit cfd67903977b13f63340a4eb5a1cc890994f2c62 ] + +Make sure we turn off the clock on probe failure and device removal. + +Fixes: de0a01f52966 ("PCI: xilinx-nwl: Enable the clock through CCF") +Link: https://lore.kernel.org/r/20240531161337.864994-6-sean.anderson@linux.dev +Signed-off-by: Sean Anderson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-nwl.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c +index 7cf05431d54bc..60afbb51511c3 100644 +--- a/drivers/pci/controller/pcie-xilinx-nwl.c ++++ b/drivers/pci/controller/pcie-xilinx-nwl.c +@@ -790,6 +790,7 @@ static int nwl_pcie_probe(struct platform_device *pdev) + return -ENODEV; + + pcie = pci_host_bridge_priv(bridge); ++ platform_set_drvdata(pdev, pcie); + + pcie->dev = dev; + pcie->ecam_value = NWL_ECAM_VALUE_DEFAULT; +@@ -813,13 +814,13 @@ static int nwl_pcie_probe(struct platform_device *pdev) + err = nwl_pcie_bridge_init(pcie); + if (err) { + dev_err(dev, "HW Initialization failed\n"); +- return err; ++ goto err_clk; + } + + err = nwl_pcie_init_irq_domain(pcie); + if (err) { + dev_err(dev, "Failed creating IRQ Domain\n"); +- return err; ++ goto err_clk; + } + + bridge->sysdata = pcie; +@@ -829,11 +830,24 @@ static int nwl_pcie_probe(struct platform_device *pdev) + err = nwl_pcie_enable_msi(pcie); + if (err < 0) { + dev_err(dev, "failed to enable MSI support: %d\n", err); +- return err; ++ goto err_clk; + } + } + +- return pci_host_probe(bridge); ++ err = pci_host_probe(bridge); ++ if (!err) ++ return 0; ++ ++err_clk: ++ clk_disable_unprepare(pcie->clk); ++ return err; ++} ++ ++static void nwl_pcie_remove(struct platform_device *pdev) ++{ ++ struct nwl_pcie *pcie = platform_get_drvdata(pdev); ++ ++ clk_disable_unprepare(pcie->clk); + } + + static struct platform_driver nwl_pcie_driver = { +@@ -843,5 +857,6 @@ static struct platform_driver nwl_pcie_driver = { + .of_match_table = nwl_pcie_of_match, + }, + .probe = nwl_pcie_probe, ++ .remove_new = nwl_pcie_remove, + }; + builtin_platform_driver(nwl_pcie_driver); +-- +2.43.0 + diff --git a/queue-6.6/pci-xilinx-nwl-fix-register-misspelling.patch b/queue-6.6/pci-xilinx-nwl-fix-register-misspelling.patch new file mode 100644 index 00000000000..5ceafee4618 --- /dev/null +++ b/queue-6.6/pci-xilinx-nwl-fix-register-misspelling.patch @@ -0,0 +1,62 @@ +From 6a536a67d47556f4e26352237bc89f10427727a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 12:13:33 -0400 +Subject: PCI: xilinx-nwl: Fix register misspelling + +From: Sean Anderson + +[ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ] + +MSIC -> MISC + +Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging") +Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev +Signed-off-by: Sean Anderson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-nwl.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c +index 176686bdb15c1..7cf05431d54bc 100644 +--- a/drivers/pci/controller/pcie-xilinx-nwl.c ++++ b/drivers/pci/controller/pcie-xilinx-nwl.c +@@ -80,8 +80,8 @@ + #define MSGF_MISC_SR_NON_FATAL_DEV BIT(22) + #define MSGF_MISC_SR_FATAL_DEV BIT(23) + #define MSGF_MISC_SR_LINK_DOWN BIT(24) +-#define MSGF_MSIC_SR_LINK_AUTO_BWIDTH BIT(25) +-#define MSGF_MSIC_SR_LINK_BWIDTH BIT(26) ++#define MSGF_MISC_SR_LINK_AUTO_BWIDTH BIT(25) ++#define MSGF_MISC_SR_LINK_BWIDTH BIT(26) + + #define MSGF_MISC_SR_MASKALL (MSGF_MISC_SR_RXMSG_AVAIL | \ + MSGF_MISC_SR_RXMSG_OVER | \ +@@ -96,8 +96,8 @@ + MSGF_MISC_SR_NON_FATAL_DEV | \ + MSGF_MISC_SR_FATAL_DEV | \ + MSGF_MISC_SR_LINK_DOWN | \ +- MSGF_MSIC_SR_LINK_AUTO_BWIDTH | \ +- MSGF_MSIC_SR_LINK_BWIDTH) ++ MSGF_MISC_SR_LINK_AUTO_BWIDTH | \ ++ MSGF_MISC_SR_LINK_BWIDTH) + + /* Legacy interrupt status mask bits */ + #define MSGF_LEG_SR_INTA BIT(0) +@@ -301,10 +301,10 @@ static irqreturn_t nwl_pcie_misc_handler(int irq, void *data) + if (misc_stat & MSGF_MISC_SR_FATAL_DEV) + dev_err(dev, "Fatal Error Detected\n"); + +- if (misc_stat & MSGF_MSIC_SR_LINK_AUTO_BWIDTH) ++ if (misc_stat & MSGF_MISC_SR_LINK_AUTO_BWIDTH) + dev_info(dev, "Link Autonomous Bandwidth Management Status bit set\n"); + +- if (misc_stat & MSGF_MSIC_SR_LINK_BWIDTH) ++ if (misc_stat & MSGF_MISC_SR_LINK_BWIDTH) + dev_info(dev, "Link Bandwidth Management Status bit set\n"); + + /* Clear misc interrupt status */ +-- +2.43.0 + diff --git a/queue-6.6/perf-annotate-move-some-source-code-related-fields-f.patch b/queue-6.6/perf-annotate-move-some-source-code-related-fields-f.patch new file mode 100644 index 00000000000..3c941bd2e0b --- /dev/null +++ b/queue-6.6/perf-annotate-move-some-source-code-related-fields-f.patch @@ -0,0 +1,150 @@ +From 5fe5f5244df98bbc75bb8f508759664abb1e7cbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 12:19:06 -0700 +Subject: perf annotate: Move some source code related fields from 'struct + annotation' to 'struct annotated_source' + +From: Namhyung Kim + +[ Upstream commit 0aae4c99c5f8f748c6cb5ca03bb3b3ae8cfb10df ] + +Some fields in the 'struct annotation' are only used with 'struct +annotated_source' so better to be moved there in order to reduce memory +consumption for other symbols. + +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Christophe JAILLET +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231103191907.54531-5-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 3ef44458071a ("perf report: Fix --total-cycles --stdio output error") +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/annotate.c | 12 ++++++------ + tools/perf/util/annotate.c | 17 +++++++++-------- + tools/perf/util/annotate.h | 14 +++++++------- + 3 files changed, 22 insertions(+), 21 deletions(-) + +diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c +index d9f9fa254a71f..1fb7118ef5077 100644 +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -384,7 +384,7 @@ static bool annotate_browser__toggle_source(struct annotate_browser *browser) + if (al->idx_asm < offset) + offset = al->idx; + +- browser->b.nr_entries = notes->nr_entries; ++ browser->b.nr_entries = notes->src->nr_entries; + notes->options->hide_src_code = false; + browser->b.seek(&browser->b, -offset, SEEK_CUR); + browser->b.top_idx = al->idx - offset; +@@ -402,7 +402,7 @@ static bool annotate_browser__toggle_source(struct annotate_browser *browser) + if (al->idx_asm < offset) + offset = al->idx_asm; + +- browser->b.nr_entries = notes->nr_asm_entries; ++ browser->b.nr_entries = notes->src->nr_asm_entries; + notes->options->hide_src_code = true; + browser->b.seek(&browser->b, -offset, SEEK_CUR); + browser->b.top_idx = al->idx_asm - offset; +@@ -435,7 +435,7 @@ static void ui_browser__init_asm_mode(struct ui_browser *browser) + { + struct annotation *notes = browser__annotation(browser); + ui_browser__reset_index(browser); +- browser->nr_entries = notes->nr_asm_entries; ++ browser->nr_entries = notes->src->nr_asm_entries; + } + + static int sym_title(struct symbol *sym, struct map *map, char *title, +@@ -860,7 +860,7 @@ static int annotate_browser__run(struct annotate_browser *browser, + browser->b.height, + browser->b.index, + browser->b.top_idx, +- notes->nr_asm_entries); ++ notes->src->nr_asm_entries); + } + continue; + case K_ENTER: +@@ -991,8 +991,8 @@ int symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, + + ui_helpline__push("Press ESC to exit"); + +- browser.b.width = notes->max_line_len; +- browser.b.nr_entries = notes->nr_entries; ++ browser.b.width = notes->src->max_line_len; ++ browser.b.nr_entries = notes->src->nr_entries; + browser.b.entries = ¬es->src->source, + browser.b.width += 18; /* Percentage */ + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index e594be2b71340..6dfe11cbf30e2 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -2825,19 +2825,20 @@ void annotation__mark_jump_targets(struct annotation *notes, struct symbol *sym) + void annotation__set_offsets(struct annotation *notes, s64 size) + { + struct annotation_line *al; ++ struct annotated_source *src = notes->src; + +- notes->max_line_len = 0; +- notes->nr_entries = 0; +- notes->nr_asm_entries = 0; ++ src->max_line_len = 0; ++ src->nr_entries = 0; ++ src->nr_asm_entries = 0; + +- list_for_each_entry(al, ¬es->src->source, node) { ++ list_for_each_entry(al, &src->source, node) { + size_t line_len = strlen(al->line); + +- if (notes->max_line_len < line_len) +- notes->max_line_len = line_len; +- al->idx = notes->nr_entries++; ++ if (src->max_line_len < line_len) ++ src->max_line_len = line_len; ++ al->idx = src->nr_entries++; + if (al->offset != -1) { +- al->idx_asm = notes->nr_asm_entries++; ++ al->idx_asm = src->nr_asm_entries++; + /* + * FIXME: short term bandaid to cope with assembly + * routines that comes with labels in the same column +diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h +index dd612f9f04c98..238e7ef289a82 100644 +--- a/tools/perf/util/annotate.h ++++ b/tools/perf/util/annotate.h +@@ -269,10 +269,13 @@ struct cyc_hist { + * returns. + */ + struct annotated_source { +- struct list_head source; +- int nr_histograms; +- size_t sizeof_sym_hist; +- struct sym_hist *histograms; ++ struct list_head source; ++ size_t sizeof_sym_hist; ++ struct sym_hist *histograms; ++ int nr_histograms; ++ int nr_entries; ++ int nr_asm_entries; ++ u16 max_line_len; + }; + + struct annotated_branch { +@@ -290,9 +293,6 @@ struct LOCKABLE annotation { + struct annotation_line **offsets; + int nr_events; + int max_jump_sources; +- int nr_entries; +- int nr_asm_entries; +- u16 max_line_len; + struct { + u8 addr; + u8 jumps; +-- +2.43.0 + diff --git a/queue-6.6/perf-annotate-split-branch-stack-cycles-info-from-st.patch b/queue-6.6/perf-annotate-split-branch-stack-cycles-info-from-st.patch new file mode 100644 index 00000000000..13864ede445 --- /dev/null +++ b/queue-6.6/perf-annotate-split-branch-stack-cycles-info-from-st.patch @@ -0,0 +1,352 @@ +From e7f5a017bbd9ba60d002ca6679d7988ae3898a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 12:19:04 -0700 +Subject: perf annotate: Split branch stack cycles info from 'struct + annotation' + +From: Namhyung Kim + +[ Upstream commit b7f87e32590bf48eca84f729d3422be7b8dc22d3 ] + +The cycles info is only meaningful when sample has branch stacks. To +save the memory for normal cases, move those fields to a new 'struct +annotated_branch' and dynamically allocate it when needed. Also move +cycles_hist from annotated_source as it's related here. + +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Christophe JAILLET +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231103191907.54531-3-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 3ef44458071a ("perf report: Fix --total-cycles --stdio output error") +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 99 ++++++++++++++++++++---------------- + tools/perf/util/annotate.h | 17 ++++--- + tools/perf/util/block-info.c | 4 +- + tools/perf/util/sort.c | 14 ++--- + 4 files changed, 73 insertions(+), 61 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 83da2bceb5959..e594be2b71340 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -813,7 +813,6 @@ static __maybe_unused void annotated_source__delete(struct annotated_source *src + if (src == NULL) + return; + zfree(&src->histograms); +- zfree(&src->cycles_hist); + free(src); + } + +@@ -848,18 +847,6 @@ static int annotated_source__alloc_histograms(struct annotated_source *src, + return src->histograms ? 0 : -1; + } + +-/* The cycles histogram is lazily allocated. */ +-static int symbol__alloc_hist_cycles(struct symbol *sym) +-{ +- struct annotation *notes = symbol__annotation(sym); +- const size_t size = symbol__size(sym); +- +- notes->src->cycles_hist = calloc(size, sizeof(struct cyc_hist)); +- if (notes->src->cycles_hist == NULL) +- return -1; +- return 0; +-} +- + void symbol__annotate_zero_histograms(struct symbol *sym) + { + struct annotation *notes = symbol__annotation(sym); +@@ -868,9 +855,10 @@ void symbol__annotate_zero_histograms(struct symbol *sym) + if (notes->src != NULL) { + memset(notes->src->histograms, 0, + notes->src->nr_histograms * notes->src->sizeof_sym_hist); +- if (notes->src->cycles_hist) +- memset(notes->src->cycles_hist, 0, +- symbol__size(sym) * sizeof(struct cyc_hist)); ++ } ++ if (notes->branch && notes->branch->cycles_hist) { ++ memset(notes->branch->cycles_hist, 0, ++ symbol__size(sym) * sizeof(struct cyc_hist)); + } + annotation__unlock(notes); + } +@@ -961,23 +949,33 @@ static int __symbol__inc_addr_samples(struct map_symbol *ms, + return 0; + } + ++static struct annotated_branch *annotation__get_branch(struct annotation *notes) ++{ ++ if (notes == NULL) ++ return NULL; ++ ++ if (notes->branch == NULL) ++ notes->branch = zalloc(sizeof(*notes->branch)); ++ ++ return notes->branch; ++} ++ + static struct cyc_hist *symbol__cycles_hist(struct symbol *sym) + { + struct annotation *notes = symbol__annotation(sym); ++ struct annotated_branch *branch; + +- if (notes->src == NULL) { +- notes->src = annotated_source__new(); +- if (notes->src == NULL) +- return NULL; +- goto alloc_cycles_hist; +- } ++ branch = annotation__get_branch(notes); ++ if (branch == NULL) ++ return NULL; ++ ++ if (branch->cycles_hist == NULL) { ++ const size_t size = symbol__size(sym); + +- if (!notes->src->cycles_hist) { +-alloc_cycles_hist: +- symbol__alloc_hist_cycles(sym); ++ branch->cycles_hist = calloc(size, sizeof(struct cyc_hist)); + } + +- return notes->src->cycles_hist; ++ return branch->cycles_hist; + } + + struct annotated_source *symbol__hists(struct symbol *sym, int nr_hists) +@@ -1086,6 +1084,14 @@ static unsigned annotation__count_insn(struct annotation *notes, u64 start, u64 + return n_insn; + } + ++static void annotated_branch__delete(struct annotated_branch *branch) ++{ ++ if (branch) { ++ zfree(&branch->cycles_hist); ++ free(branch); ++ } ++} ++ + static void annotation__count_and_fill(struct annotation *notes, u64 start, u64 end, struct cyc_hist *ch) + { + unsigned n_insn; +@@ -1094,6 +1100,7 @@ static void annotation__count_and_fill(struct annotation *notes, u64 start, u64 + + n_insn = annotation__count_insn(notes, start, end); + if (n_insn && ch->num && ch->cycles) { ++ struct annotated_branch *branch; + float ipc = n_insn / ((double)ch->cycles / (double)ch->num); + + /* Hide data when there are too many overlaps. */ +@@ -1109,10 +1116,11 @@ static void annotation__count_and_fill(struct annotation *notes, u64 start, u64 + } + } + +- if (cover_insn) { +- notes->hit_cycles += ch->cycles; +- notes->hit_insn += n_insn * ch->num; +- notes->cover_insn += cover_insn; ++ branch = annotation__get_branch(notes); ++ if (cover_insn && branch) { ++ branch->hit_cycles += ch->cycles; ++ branch->hit_insn += n_insn * ch->num; ++ branch->cover_insn += cover_insn; + } + } + } +@@ -1122,19 +1130,19 @@ static int annotation__compute_ipc(struct annotation *notes, size_t size) + int err = 0; + s64 offset; + +- if (!notes->src || !notes->src->cycles_hist) ++ if (!notes->branch || !notes->branch->cycles_hist) + return 0; + +- notes->total_insn = annotation__count_insn(notes, 0, size - 1); +- notes->hit_cycles = 0; +- notes->hit_insn = 0; +- notes->cover_insn = 0; ++ notes->branch->total_insn = annotation__count_insn(notes, 0, size - 1); ++ notes->branch->hit_cycles = 0; ++ notes->branch->hit_insn = 0; ++ notes->branch->cover_insn = 0; + + annotation__lock(notes); + for (offset = size - 1; offset >= 0; --offset) { + struct cyc_hist *ch; + +- ch = ¬es->src->cycles_hist[offset]; ++ ch = ¬es->branch->cycles_hist[offset]; + if (ch && ch->cycles) { + struct annotation_line *al; + +@@ -1153,13 +1161,12 @@ static int annotation__compute_ipc(struct annotation *notes, size_t size) + al->cycles->max = ch->cycles_max; + al->cycles->min = ch->cycles_min; + } +- notes->have_cycles = true; + } + } + + if (err) { + while (++offset < (s64)size) { +- struct cyc_hist *ch = ¬es->src->cycles_hist[offset]; ++ struct cyc_hist *ch = ¬es->branch->cycles_hist[offset]; + + if (ch && ch->cycles) { + struct annotation_line *al = notes->offsets[offset]; +@@ -1325,6 +1332,7 @@ int disasm_line__scnprintf(struct disasm_line *dl, char *bf, size_t size, bool r + void annotation__exit(struct annotation *notes) + { + annotated_source__delete(notes->src); ++ annotated_branch__delete(notes->branch); + } + + static struct sharded_mutex *sharded_mutex; +@@ -3074,13 +3082,14 @@ static void disasm_line__write(struct disasm_line *dl, struct annotation *notes, + static void ipc_coverage_string(char *bf, int size, struct annotation *notes) + { + double ipc = 0.0, coverage = 0.0; ++ struct annotated_branch *branch = annotation__get_branch(notes); + +- if (notes->hit_cycles) +- ipc = notes->hit_insn / ((double)notes->hit_cycles); ++ if (branch && branch->hit_cycles) ++ ipc = branch->hit_insn / ((double)branch->hit_cycles); + +- if (notes->total_insn) { +- coverage = notes->cover_insn * 100.0 / +- ((double)notes->total_insn); ++ if (branch && branch->total_insn) { ++ coverage = branch->cover_insn * 100.0 / ++ ((double)branch->total_insn); + } + + scnprintf(bf, size, "(Average IPC: %.2f, IPC Coverage: %.1f%%)", +@@ -3105,7 +3114,7 @@ static void __annotation_line__write(struct annotation_line *al, struct annotati + int printed; + + if (first_line && (al->offset == -1 || percent_max == 0.0)) { +- if (notes->have_cycles && al->cycles) { ++ if (notes->branch && al->cycles) { + if (al->cycles->ipc == 0.0 && al->cycles->avg == 0) + show_title = true; + } else +@@ -3142,7 +3151,7 @@ static void __annotation_line__write(struct annotation_line *al, struct annotati + } + } + +- if (notes->have_cycles) { ++ if (notes->branch) { + if (al->cycles && al->cycles->ipc) + obj__printf(obj, "%*.2f ", ANNOTATION__IPC_WIDTH - 1, al->cycles->ipc); + else if (!show_title) +diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h +index 0fa72eb559ac4..dd612f9f04c98 100644 +--- a/tools/perf/util/annotate.h ++++ b/tools/perf/util/annotate.h +@@ -272,17 +272,20 @@ struct annotated_source { + struct list_head source; + int nr_histograms; + size_t sizeof_sym_hist; +- struct cyc_hist *cycles_hist; + struct sym_hist *histograms; + }; + +-struct LOCKABLE annotation { +- u64 max_coverage; +- u64 start; ++struct annotated_branch { + u64 hit_cycles; + u64 hit_insn; + unsigned int total_insn; + unsigned int cover_insn; ++ struct cyc_hist *cycles_hist; ++}; ++ ++struct LOCKABLE annotation { ++ u64 max_coverage; ++ u64 start; + struct annotation_options *options; + struct annotation_line **offsets; + int nr_events; +@@ -298,8 +301,8 @@ struct LOCKABLE annotation { + u8 max_addr; + u8 max_ins_name; + } widths; +- bool have_cycles; + struct annotated_source *src; ++ struct annotated_branch *branch; + }; + + static inline void annotation__init(struct annotation *notes __maybe_unused) +@@ -313,10 +316,10 @@ bool annotation__trylock(struct annotation *notes) EXCLUSIVE_TRYLOCK_FUNCTION(tr + + static inline int annotation__cycles_width(struct annotation *notes) + { +- if (notes->have_cycles && notes->options->show_minmax_cycle) ++ if (notes->branch && notes->options->show_minmax_cycle) + return ANNOTATION__IPC_WIDTH + ANNOTATION__MINMAX_CYCLES_WIDTH; + +- return notes->have_cycles ? ANNOTATION__IPC_WIDTH + ANNOTATION__CYCLES_WIDTH : 0; ++ return notes->branch ? ANNOTATION__IPC_WIDTH + ANNOTATION__CYCLES_WIDTH : 0; + } + + static inline int annotation__pcnt_width(struct annotation *notes) +diff --git a/tools/perf/util/block-info.c b/tools/perf/util/block-info.c +index 591fc1edd385c..08f82c1f166c3 100644 +--- a/tools/perf/util/block-info.c ++++ b/tools/perf/util/block-info.c +@@ -129,9 +129,9 @@ int block_info__process_sym(struct hist_entry *he, struct block_hist *bh, + al.sym = he->ms.sym; + + notes = symbol__annotation(he->ms.sym); +- if (!notes || !notes->src || !notes->src->cycles_hist) ++ if (!notes || !notes->branch || !notes->branch->cycles_hist) + return 0; +- ch = notes->src->cycles_hist; ++ ch = notes->branch->cycles_hist; + for (unsigned int i = 0; i < symbol__size(he->ms.sym); i++) { + if (ch[i].num_aggr) { + struct block_info *bi; +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 6ab8147a3f870..b80349ca21997 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -583,21 +583,21 @@ static int hist_entry__sym_ipc_snprintf(struct hist_entry *he, char *bf, + { + + struct symbol *sym = he->ms.sym; +- struct annotation *notes; ++ struct annotated_branch *branch; + double ipc = 0.0, coverage = 0.0; + char tmp[64]; + + if (!sym) + return repsep_snprintf(bf, size, "%-*s", width, "-"); + +- notes = symbol__annotation(sym); ++ branch = symbol__annotation(sym)->branch; + +- if (notes->hit_cycles) +- ipc = notes->hit_insn / ((double)notes->hit_cycles); ++ if (branch && branch->hit_cycles) ++ ipc = branch->hit_insn / ((double)branch->hit_cycles); + +- if (notes->total_insn) { +- coverage = notes->cover_insn * 100.0 / +- ((double)notes->total_insn); ++ if (branch && branch->total_insn) { ++ coverage = branch->cover_insn * 100.0 / ++ ((double)branch->total_insn); + } + + snprintf(tmp, sizeof(tmp), "%-5.2f [%5.1f%%]", ipc, coverage); +-- +2.43.0 + diff --git a/queue-6.6/perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch b/queue-6.6/perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch new file mode 100644 index 00000000000..5ab979b6dda --- /dev/null +++ b/queue-6.6/perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch @@ -0,0 +1,50 @@ +From c87307a872cb6b7417c84024e425db8513c433c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 18:51:59 +0100 +Subject: perf/arm-cmn: Ensure dtm_idx is big enough + +From: Robin Murphy + +[ Upstream commit 359414b33e00bae91e4eabf3e4ef8e76024c7673 ] + +While CMN_MAX_DIMENSION was bumped to 12 for CMN-650, that only supports +up to a 10x10 mesh, so bumping dtm_idx to 256 bits at the time worked +out OK in practice. However CMN-700 did finally support up to 144 XPs, +and thus needs a worst-case 288 bits of dtm_idx for an aggregated XP +event on a maxed-out config. Oops. + +Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support") +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/e771b358526a0d7fc06efee2c3a2fdc0c9f51d44.1725296395.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 3926586685cb4..7d5e8cb96e9bf 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -35,6 +35,9 @@ + #define CMN_MAX_XPS (CMN_MAX_DIMENSION * CMN_MAX_DIMENSION) + #define CMN_MAX_DTMS (CMN_MAX_XPS + (CMN_MAX_DIMENSION - 1) * 4) + ++/* Currently XPs are the node type we can have most of; others top out at 128 */ ++#define CMN_MAX_NODES_PER_EVENT CMN_MAX_XPS ++ + /* The CFG node has various info besides the discovery tree */ + #define CMN_CFGM_PERIPH_ID_01 0x0008 + #define CMN_CFGM_PID0_PART_0 GENMASK_ULL(7, 0) +@@ -565,7 +568,7 @@ static void arm_cmn_debugfs_init(struct arm_cmn *cmn, int id) {} + + struct arm_cmn_hw_event { + struct arm_cmn_node *dn; +- u64 dtm_idx[4]; ++ u64 dtm_idx[DIV_ROUND_UP(CMN_MAX_NODES_PER_EVENT * 2, 64)]; + s8 dtc_idx[CMN_MAX_DTCS]; + u8 num_dns; + u8 dtm_offset; +-- +2.43.0 + diff --git a/queue-6.6/perf-arm-cmn-fix-ccla-register-offset.patch b/queue-6.6/perf-arm-cmn-fix-ccla-register-offset.patch new file mode 100644 index 00000000000..4d80f1ad3d9 --- /dev/null +++ b/queue-6.6/perf-arm-cmn-fix-ccla-register-offset.patch @@ -0,0 +1,64 @@ +From 2c4e24f8207a38db481bff9cf08662fe61dcaf64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 18:51:58 +0100 +Subject: perf/arm-cmn: Fix CCLA register offset + +From: Robin Murphy + +[ Upstream commit 88b63a82c84ed9bbcbdefb10cb6f75dd1dd04887 ] + +Apparently pmu_event_sel is offset by 8 for all CCLA nodes, not just +the CCLA_RNI combination type. + +Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support") +Acked-by: Mark Rutland +Reviewed-by: Ilkka Koskinen +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/6e7bb06fef6046f83e7647aad0e5be544139763f.1725296395.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 311a85b6be2ec..3926586685cb4 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -70,7 +70,8 @@ + /* Technically this is 4 bits wide on DNs, but we only use 2 there anyway */ + #define CMN__PMU_OCCUP1_ID GENMASK_ULL(34, 32) + +-/* HN-Ps are weird... */ ++/* Some types are designed to coexist with another device in the same node */ ++#define CMN_CCLA_PMU_EVENT_SEL 0x008 + #define CMN_HNP_PMU_EVENT_SEL 0x008 + + /* DTMs live in the PMU space of XP registers */ +@@ -2321,10 +2322,13 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset) + case CMN_TYPE_CXHA: + case CMN_TYPE_CCRA: + case CMN_TYPE_CCHA: +- case CMN_TYPE_CCLA: + case CMN_TYPE_HNS: + dn++; + break; ++ case CMN_TYPE_CCLA: ++ dn->pmu_base += CMN_CCLA_PMU_EVENT_SEL; ++ dn++; ++ break; + /* Nothing to see here */ + case CMN_TYPE_MPAM_S: + case CMN_TYPE_MPAM_NS: +@@ -2342,7 +2346,7 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset) + case CMN_TYPE_HNP: + case CMN_TYPE_CCLA_RNI: + dn[1] = dn[0]; +- dn[0].pmu_base += CMN_HNP_PMU_EVENT_SEL; ++ dn[0].pmu_base += CMN_CCLA_PMU_EVENT_SEL; + dn[1].type = arm_cmn_subtype(dn->type); + dn += 2; + break; +-- +2.43.0 + diff --git a/queue-6.6/perf-arm-cmn-improve-debugfs-pretty-printing-for-lar.patch b/queue-6.6/perf-arm-cmn-improve-debugfs-pretty-printing-for-lar.patch new file mode 100644 index 00000000000..acba770617b --- /dev/null +++ b/queue-6.6/perf-arm-cmn-improve-debugfs-pretty-printing-for-lar.patch @@ -0,0 +1,75 @@ +From bdf36897391be6a4119e8e0ea028fd2dcf31013b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 16:24:07 +0000 +Subject: perf/arm-cmn: Improve debugfs pretty-printing for large configs + +From: Robin Murphy + +[ Upstream commit a1083ee717e9bde012268782e084d343314490a4 ] + +The debugfs pretty-printer was written for the CMN-600 assumptions of a +maximum 8x8 mesh, but CMN-700 now allows coordinates and ID values up to +12 and 128 respectively, which can overflow the format strings, mess up +the alignment of the table and hurt overall readability. This table does +prove useful for double-checking that the driver is picking up the +topology of new systems correctly and for verifying user expectations, +so tweak the formatting to stay nice and readable with wider values. + +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/1d1517eadd1bac5992fab679c9dc531b381944da.1702484646.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Stable-dep-of: e79634b53e39 ("perf/arm-cmn: Refactor node ID handling. Again.") +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 1c9e42aeb7004..3c3a3d3420e12 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -493,6 +493,7 @@ static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d) + + for (dn = cmn->dns; dn->type; dn++) { + struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id); ++ int pad = dn->logid < 10; + + if (dn->type == CMN_TYPE_XP) + continue; +@@ -503,7 +504,7 @@ static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d) + if (nid.x != x || nid.y != y || nid.port != p || nid.dev != d) + continue; + +- seq_printf(s, " #%-2d |", dn->logid); ++ seq_printf(s, " %*c#%-*d |", pad + 1, ' ', 3 - pad, dn->logid); + return; + } + seq_puts(s, " |"); +@@ -516,7 +517,7 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + + seq_puts(s, " X"); + for (x = 0; x < cmn->mesh_x; x++) +- seq_printf(s, " %d ", x); ++ seq_printf(s, " %-2d ", x); + seq_puts(s, "\nY P D+"); + y = cmn->mesh_y; + while (y--) { +@@ -526,13 +527,13 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + for (x = 0; x < cmn->mesh_x; x++) + seq_puts(s, "--------+"); + +- seq_printf(s, "\n%d |", y); ++ seq_printf(s, "\n%-2d |", y); + for (x = 0; x < cmn->mesh_x; x++) { + struct arm_cmn_node *xp = cmn->xps + xp_base + x; + + for (p = 0; p < CMN_MAX_PORTS; p++) + port[p][x] = arm_cmn_device_connect_info(cmn, xp, p); +- seq_printf(s, " XP #%-2d |", xp_base + x); ++ seq_printf(s, " XP #%-3d|", xp_base + x); + } + + seq_puts(s, "\n |"); +-- +2.43.0 + diff --git a/queue-6.6/perf-arm-cmn-refactor-node-id-handling.-again.patch b/queue-6.6/perf-arm-cmn-refactor-node-id-handling.-again.patch new file mode 100644 index 00000000000..f20f7d120be --- /dev/null +++ b/queue-6.6/perf-arm-cmn-refactor-node-id-handling.-again.patch @@ -0,0 +1,261 @@ +From e630fe489c8b440368e02efd51d7e6665c03ddd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 18:51:57 +0100 +Subject: perf/arm-cmn: Refactor node ID handling. Again. + +From: Robin Murphy + +[ Upstream commit e79634b53e398966c49f803c49701bc74dc3ccf8 ] + +The scope of the "extra device ports" configuration is not made clear by +the CMN documentation - so far we've assumed it applies globally, based +on the sole example which suggests as much. However it transpires that +this is incorrect, and the format does in fact vary based on each +individual XP's port configuration. As a consequence, we're currenly +liable to decode the port/device indices from a node ID incorrectly, +thus program the wrong event source in the DTM leading to bogus event +counts, and also show device topology on the wrong ports in debugfs. + +To put this right, rework node IDs yet again to carry around the +additional data necessary to decode them properly per-XP. At this point +the notion of fully decomposing an ID becomes more impractical than it's +worth, so unabstracting the XY mesh coordinates (where 2/3 users were +just debug anyway) ends up leaving things a bit simpler overall. + +Fixes: 60d1504070c2 ("perf/arm-cmn: Support new IP features") +Acked-by: Mark Rutland +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/5195f990152fc37adba5fbf5929a6b11063d9f09.1725296395.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 94 ++++++++++++++++++------------------------ + 1 file changed, 40 insertions(+), 54 deletions(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 3c3a3d3420e12..311a85b6be2ec 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -24,14 +24,6 @@ + #define CMN_NI_NODE_ID GENMASK_ULL(31, 16) + #define CMN_NI_LOGICAL_ID GENMASK_ULL(47, 32) + +-#define CMN_NODEID_DEVID(reg) ((reg) & 3) +-#define CMN_NODEID_EXT_DEVID(reg) ((reg) & 1) +-#define CMN_NODEID_PID(reg) (((reg) >> 2) & 1) +-#define CMN_NODEID_EXT_PID(reg) (((reg) >> 1) & 3) +-#define CMN_NODEID_1x1_PID(reg) (((reg) >> 2) & 7) +-#define CMN_NODEID_X(reg, bits) ((reg) >> (3 + (bits))) +-#define CMN_NODEID_Y(reg, bits) (((reg) >> 3) & ((1U << (bits)) - 1)) +- + #define CMN_CHILD_INFO 0x0080 + #define CMN_CI_CHILD_COUNT GENMASK_ULL(15, 0) + #define CMN_CI_CHILD_PTR_OFFSET GENMASK_ULL(31, 16) +@@ -281,8 +273,11 @@ struct arm_cmn_node { + u16 id, logid; + enum cmn_node_type type; + ++ /* XP properties really, but replicated to children for convenience */ + u8 dtm; + s8 dtc; ++ u8 portid_bits:4; ++ u8 deviceid_bits:4; + /* DN/HN-F/CXHA */ + struct { + u8 val : 4; +@@ -358,49 +353,33 @@ struct arm_cmn { + static int arm_cmn_hp_state; + + struct arm_cmn_nodeid { +- u8 x; +- u8 y; + u8 port; + u8 dev; + }; + + static int arm_cmn_xyidbits(const struct arm_cmn *cmn) + { +- return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1) | 2); ++ return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1)); + } + +-static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn *cmn, u16 id) ++static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn_node *dn) + { + struct arm_cmn_nodeid nid; + +- if (cmn->num_xps == 1) { +- nid.x = 0; +- nid.y = 0; +- nid.port = CMN_NODEID_1x1_PID(id); +- nid.dev = CMN_NODEID_DEVID(id); +- } else { +- int bits = arm_cmn_xyidbits(cmn); +- +- nid.x = CMN_NODEID_X(id, bits); +- nid.y = CMN_NODEID_Y(id, bits); +- if (cmn->ports_used & 0xc) { +- nid.port = CMN_NODEID_EXT_PID(id); +- nid.dev = CMN_NODEID_EXT_DEVID(id); +- } else { +- nid.port = CMN_NODEID_PID(id); +- nid.dev = CMN_NODEID_DEVID(id); +- } +- } ++ nid.dev = dn->id & ((1U << dn->deviceid_bits) - 1); ++ nid.port = (dn->id >> dn->deviceid_bits) & ((1U << dn->portid_bits) - 1); + return nid; + } + + static struct arm_cmn_node *arm_cmn_node_to_xp(const struct arm_cmn *cmn, + const struct arm_cmn_node *dn) + { +- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id); +- int xp_idx = cmn->mesh_x * nid.y + nid.x; ++ int id = dn->id >> (dn->portid_bits + dn->deviceid_bits); ++ int bits = arm_cmn_xyidbits(cmn); ++ int x = id >> bits; ++ int y = id & ((1U << bits) - 1); + +- return cmn->xps + xp_idx; ++ return cmn->xps + cmn->mesh_x * y + x; + } + static struct arm_cmn_node *arm_cmn_node(const struct arm_cmn *cmn, + enum cmn_node_type type) +@@ -486,13 +465,13 @@ static const char *arm_cmn_device_type(u8 type) + } + } + +-static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d) ++static void arm_cmn_show_logid(struct seq_file *s, const struct arm_cmn_node *xp, int p, int d) + { + struct arm_cmn *cmn = s->private; + struct arm_cmn_node *dn; ++ u16 id = xp->id | d | (p << xp->deviceid_bits); + + for (dn = cmn->dns; dn->type; dn++) { +- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id); + int pad = dn->logid < 10; + + if (dn->type == CMN_TYPE_XP) +@@ -501,7 +480,7 @@ static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d) + if (dn->type < CMN_TYPE_HNI) + continue; + +- if (nid.x != x || nid.y != y || nid.port != p || nid.dev != d) ++ if (dn->id != id) + continue; + + seq_printf(s, " %*c#%-*d |", pad + 1, ' ', 3 - pad, dn->logid); +@@ -522,6 +501,7 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + y = cmn->mesh_y; + while (y--) { + int xp_base = cmn->mesh_x * y; ++ struct arm_cmn_node *xp = cmn->xps + xp_base; + u8 port[CMN_MAX_PORTS][CMN_MAX_DIMENSION]; + + for (x = 0; x < cmn->mesh_x; x++) +@@ -529,16 +509,14 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + + seq_printf(s, "\n%-2d |", y); + for (x = 0; x < cmn->mesh_x; x++) { +- struct arm_cmn_node *xp = cmn->xps + xp_base + x; +- + for (p = 0; p < CMN_MAX_PORTS; p++) +- port[p][x] = arm_cmn_device_connect_info(cmn, xp, p); ++ port[p][x] = arm_cmn_device_connect_info(cmn, xp + x, p); + seq_printf(s, " XP #%-3d|", xp_base + x); + } + + seq_puts(s, "\n |"); + for (x = 0; x < cmn->mesh_x; x++) { +- s8 dtc = cmn->xps[xp_base + x].dtc; ++ s8 dtc = xp[x].dtc; + + if (dtc < 0) + seq_puts(s, " DTC ?? |"); +@@ -555,10 +533,10 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + seq_puts(s, arm_cmn_device_type(port[p][x])); + seq_puts(s, "\n 0|"); + for (x = 0; x < cmn->mesh_x; x++) +- arm_cmn_show_logid(s, x, y, p, 0); ++ arm_cmn_show_logid(s, xp + x, p, 0); + seq_puts(s, "\n 1|"); + for (x = 0; x < cmn->mesh_x; x++) +- arm_cmn_show_logid(s, x, y, p, 1); ++ arm_cmn_show_logid(s, xp + x, p, 1); + } + seq_puts(s, "\n-----+"); + } +@@ -1751,10 +1729,7 @@ static int arm_cmn_event_init(struct perf_event *event) + } + + if (!hw->num_dns) { +- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, nodeid); +- +- dev_dbg(cmn->dev, "invalid node 0x%x (%d,%d,%d,%d) type 0x%x\n", +- nodeid, nid.x, nid.y, nid.port, nid.dev, type); ++ dev_dbg(cmn->dev, "invalid node 0x%x type 0x%x\n", nodeid, type); + return -EINVAL; + } + +@@ -1849,7 +1824,7 @@ static int arm_cmn_event_add(struct perf_event *event, int flags) + dtm->wp_event[wp_idx] = hw->dtc_idx[d]; + writel_relaxed(cfg, dtm->base + CMN_DTM_WPn_CONFIG(wp_idx)); + } else { +- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id); ++ struct arm_cmn_nodeid nid = arm_cmn_nid(dn); + + if (cmn->multi_dtm) + nid.port %= 2; +@@ -2096,10 +2071,12 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn) + continue; + + xp = arm_cmn_node_to_xp(cmn, dn); ++ dn->portid_bits = xp->portid_bits; ++ dn->deviceid_bits = xp->deviceid_bits; + dn->dtc = xp->dtc; + dn->dtm = xp->dtm; + if (cmn->multi_dtm) +- dn->dtm += arm_cmn_nid(cmn, dn->id).port / 2; ++ dn->dtm += arm_cmn_nid(dn).port / 2; + + if (dn->type == CMN_TYPE_DTC) { + int err = arm_cmn_init_dtc(cmn, dn, dtc_idx++); +@@ -2269,18 +2246,27 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset) + arm_cmn_init_dtm(dtm++, xp, 0); + /* + * Keeping track of connected ports will let us filter out +- * unnecessary XP events easily. We can also reliably infer the +- * "extra device ports" configuration for the node ID format +- * from this, since in that case we will see at least one XP +- * with port 2 connected, for the HN-D. ++ * unnecessary XP events easily, and also infer the per-XP ++ * part of the node ID format. + */ + for (int p = 0; p < CMN_MAX_PORTS; p++) + if (arm_cmn_device_connect_info(cmn, xp, p)) + xp_ports |= BIT(p); + +- if (cmn->multi_dtm && (xp_ports & 0xc)) ++ if (cmn->num_xps == 1) { ++ xp->portid_bits = 3; ++ xp->deviceid_bits = 2; ++ } else if (xp_ports > 0x3) { ++ xp->portid_bits = 2; ++ xp->deviceid_bits = 1; ++ } else { ++ xp->portid_bits = 1; ++ xp->deviceid_bits = 2; ++ } ++ ++ if (cmn->multi_dtm && (xp_ports > 0x3)) + arm_cmn_init_dtm(dtm++, xp, 1); +- if (cmn->multi_dtm && (xp_ports & 0x30)) ++ if (cmn->multi_dtm && (xp_ports > 0xf)) + arm_cmn_init_dtm(dtm++, xp, 2); + + cmn->ports_used |= xp_ports; +-- +2.43.0 + diff --git a/queue-6.6/perf-arm-cmn-rework-dtc-counters-again.patch b/queue-6.6/perf-arm-cmn-rework-dtc-counters-again.patch new file mode 100644 index 00000000000..cde5b2c0194 --- /dev/null +++ b/queue-6.6/perf-arm-cmn-rework-dtc-counters-again.patch @@ -0,0 +1,339 @@ +From 5dc1cc1b03d2cba78ee546abbdd28c5edcb3ebf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 18:51:26 +0100 +Subject: perf/arm-cmn: Rework DTC counters (again) + +From: Robin Murphy + +[ Upstream commit 7633ec2c262fab3e7c5bf3cd3876b5748f584a57 ] + +The bitmap-based scheme for tracking DTC counter usage turns out to be a +complete dead-end for its imagined purpose, since by the time we have to +keep track of a per-DTC counter index anyway, we already have enough +information to make the bitmap itself redundant. Revert the remains of +it back to almost the original scheme, but now expanded to track per-DTC +indices, in preparation for making use of them in anger. + +Note that since cycle count events always use a dedicated counter on a +single DTC, we reuse the field to encode their DTC index directly. + +Signed-off-by: Robin Murphy +Reviewed-by: Ilkka Koskinen +Link: https://lore.kernel.org/r/5f6ade76b47f033836d7a36c03555da896dfb4a3.1697824215.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Stable-dep-of: e79634b53e39 ("perf/arm-cmn: Refactor node ID handling. Again.") +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 126 +++++++++++++++++++++-------------------- + 1 file changed, 64 insertions(+), 62 deletions(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index 2c684e49a6fc7..1c9e42aeb7004 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -281,16 +281,13 @@ struct arm_cmn_node { + u16 id, logid; + enum cmn_node_type type; + +- int dtm; +- union { +- /* DN/HN-F/CXHA */ +- struct { +- u8 val : 4; +- u8 count : 4; +- } occupid[SEL_MAX]; +- /* XP */ +- u8 dtc; +- }; ++ u8 dtm; ++ s8 dtc; ++ /* DN/HN-F/CXHA */ ++ struct { ++ u8 val : 4; ++ u8 count : 4; ++ } occupid[SEL_MAX]; + union { + u8 event[4]; + __le32 event_sel; +@@ -540,12 +537,12 @@ static int arm_cmn_map_show(struct seq_file *s, void *data) + + seq_puts(s, "\n |"); + for (x = 0; x < cmn->mesh_x; x++) { +- u8 dtc = cmn->xps[xp_base + x].dtc; ++ s8 dtc = cmn->xps[xp_base + x].dtc; + +- if (dtc & (dtc - 1)) ++ if (dtc < 0) + seq_puts(s, " DTC ?? |"); + else +- seq_printf(s, " DTC %ld |", __ffs(dtc)); ++ seq_printf(s, " DTC %d |", dtc); + } + seq_puts(s, "\n |"); + for (x = 0; x < cmn->mesh_x; x++) +@@ -589,8 +586,7 @@ static void arm_cmn_debugfs_init(struct arm_cmn *cmn, int id) {} + struct arm_cmn_hw_event { + struct arm_cmn_node *dn; + u64 dtm_idx[4]; +- unsigned int dtc_idx; +- u8 dtcs_used; ++ s8 dtc_idx[CMN_MAX_DTCS]; + u8 num_dns; + u8 dtm_offset; + bool wide_sel; +@@ -600,6 +596,10 @@ struct arm_cmn_hw_event { + #define for_each_hw_dn(hw, dn, i) \ + for (i = 0, dn = hw->dn; i < hw->num_dns; i++, dn++) + ++/* @i is the DTC number, @idx is the counter index on that DTC */ ++#define for_each_hw_dtc_idx(hw, i, idx) \ ++ for (int i = 0, idx; i < CMN_MAX_DTCS; i++) if ((idx = hw->dtc_idx[i]) >= 0) ++ + static struct arm_cmn_hw_event *to_cmn_hw(struct perf_event *event) + { + BUILD_BUG_ON(sizeof(struct arm_cmn_hw_event) > offsetof(struct hw_perf_event, target)); +@@ -1429,12 +1429,11 @@ static void arm_cmn_init_counter(struct perf_event *event) + { + struct arm_cmn *cmn = to_cmn(event->pmu); + struct arm_cmn_hw_event *hw = to_cmn_hw(event); +- unsigned int i, pmevcnt = CMN_DT_PMEVCNT(hw->dtc_idx); + u64 count; + +- for (i = 0; hw->dtcs_used & (1U << i); i++) { +- writel_relaxed(CMN_COUNTER_INIT, cmn->dtc[i].base + pmevcnt); +- cmn->dtc[i].counters[hw->dtc_idx] = event; ++ for_each_hw_dtc_idx(hw, i, idx) { ++ writel_relaxed(CMN_COUNTER_INIT, cmn->dtc[i].base + CMN_DT_PMEVCNT(idx)); ++ cmn->dtc[i].counters[idx] = event; + } + + count = arm_cmn_read_dtm(cmn, hw, false); +@@ -1447,11 +1446,9 @@ static void arm_cmn_event_read(struct perf_event *event) + struct arm_cmn_hw_event *hw = to_cmn_hw(event); + u64 delta, new, prev; + unsigned long flags; +- unsigned int i; + +- if (hw->dtc_idx == CMN_DT_NUM_COUNTERS) { +- i = __ffs(hw->dtcs_used); +- delta = arm_cmn_read_cc(cmn->dtc + i); ++ if (CMN_EVENT_TYPE(event) == CMN_TYPE_DTC) { ++ delta = arm_cmn_read_cc(cmn->dtc + hw->dtc_idx[0]); + local64_add(delta, &event->count); + return; + } +@@ -1461,8 +1458,8 @@ static void arm_cmn_event_read(struct perf_event *event) + delta = new - prev; + + local_irq_save(flags); +- for (i = 0; hw->dtcs_used & (1U << i); i++) { +- new = arm_cmn_read_counter(cmn->dtc + i, hw->dtc_idx); ++ for_each_hw_dtc_idx(hw, i, idx) { ++ new = arm_cmn_read_counter(cmn->dtc + i, idx); + delta += new << 16; + } + local_irq_restore(flags); +@@ -1518,7 +1515,7 @@ static void arm_cmn_event_start(struct perf_event *event, int flags) + int i; + + if (type == CMN_TYPE_DTC) { +- i = __ffs(hw->dtcs_used); ++ i = hw->dtc_idx[0]; + writeq_relaxed(CMN_CC_INIT, cmn->dtc[i].base + CMN_DT_PMCCNTR); + cmn->dtc[i].cc_active = true; + } else if (type == CMN_TYPE_WP) { +@@ -1549,7 +1546,7 @@ static void arm_cmn_event_stop(struct perf_event *event, int flags) + int i; + + if (type == CMN_TYPE_DTC) { +- i = __ffs(hw->dtcs_used); ++ i = hw->dtc_idx[0]; + cmn->dtc[i].cc_active = false; + } else if (type == CMN_TYPE_WP) { + int wp_idx = arm_cmn_wp_idx(event); +@@ -1735,12 +1732,19 @@ static int arm_cmn_event_init(struct perf_event *event) + hw->dn = arm_cmn_node(cmn, type); + if (!hw->dn) + return -EINVAL; ++ ++ memset(hw->dtc_idx, -1, sizeof(hw->dtc_idx)); + for (dn = hw->dn; dn->type == type; dn++) { + if (bynodeid && dn->id != nodeid) { + hw->dn++; + continue; + } + hw->num_dns++; ++ if (dn->dtc < 0) ++ memset(hw->dtc_idx, 0, cmn->num_dtcs); ++ else ++ hw->dtc_idx[dn->dtc] = 0; ++ + if (bynodeid) + break; + } +@@ -1752,12 +1756,6 @@ static int arm_cmn_event_init(struct perf_event *event) + nodeid, nid.x, nid.y, nid.port, nid.dev, type); + return -EINVAL; + } +- /* +- * Keep assuming non-cycles events count in all DTC domains; turns out +- * it's hard to make a worthwhile optimisation around this, short of +- * going all-in with domain-local counter allocation as well. +- */ +- hw->dtcs_used = (1U << cmn->num_dtcs) - 1; + + return arm_cmn_validate_group(cmn, event); + } +@@ -1783,28 +1781,25 @@ static void arm_cmn_event_clear(struct arm_cmn *cmn, struct perf_event *event, + } + memset(hw->dtm_idx, 0, sizeof(hw->dtm_idx)); + +- for (i = 0; hw->dtcs_used & (1U << i); i++) +- cmn->dtc[i].counters[hw->dtc_idx] = NULL; ++ for_each_hw_dtc_idx(hw, j, idx) ++ cmn->dtc[j].counters[idx] = NULL; + } + + static int arm_cmn_event_add(struct perf_event *event, int flags) + { + struct arm_cmn *cmn = to_cmn(event->pmu); + struct arm_cmn_hw_event *hw = to_cmn_hw(event); +- struct arm_cmn_dtc *dtc = &cmn->dtc[0]; + struct arm_cmn_node *dn; + enum cmn_node_type type = CMN_EVENT_TYPE(event); +- unsigned int i, dtc_idx, input_sel; ++ unsigned int input_sel, i = 0; + + if (type == CMN_TYPE_DTC) { +- i = 0; + while (cmn->dtc[i].cycles) + if (++i == cmn->num_dtcs) + return -ENOSPC; + + cmn->dtc[i].cycles = event; +- hw->dtc_idx = CMN_DT_NUM_COUNTERS; +- hw->dtcs_used = 1U << i; ++ hw->dtc_idx[0] = i; + + if (flags & PERF_EF_START) + arm_cmn_event_start(event, 0); +@@ -1812,17 +1807,22 @@ static int arm_cmn_event_add(struct perf_event *event, int flags) + } + + /* Grab a free global counter first... */ +- dtc_idx = 0; +- while (dtc->counters[dtc_idx]) +- if (++dtc_idx == CMN_DT_NUM_COUNTERS) +- return -ENOSPC; +- +- hw->dtc_idx = dtc_idx; ++ for_each_hw_dtc_idx(hw, j, idx) { ++ if (j > 0) { ++ idx = hw->dtc_idx[0]; ++ } else { ++ idx = 0; ++ while (cmn->dtc[j].counters[idx]) ++ if (++idx == CMN_DT_NUM_COUNTERS) ++ goto free_dtms; ++ } ++ hw->dtc_idx[j] = idx; ++ } + + /* ...then the local counters to feed it. */ + for_each_hw_dn(hw, dn, i) { + struct arm_cmn_dtm *dtm = &cmn->dtms[dn->dtm] + hw->dtm_offset; +- unsigned int dtm_idx, shift; ++ unsigned int dtm_idx, shift, d = 0; + u64 reg; + + dtm_idx = 0; +@@ -1841,11 +1841,11 @@ static int arm_cmn_event_add(struct perf_event *event, int flags) + + tmp = dtm->wp_event[wp_idx ^ 1]; + if (tmp >= 0 && CMN_EVENT_WP_COMBINE(event) != +- CMN_EVENT_WP_COMBINE(dtc->counters[tmp])) ++ CMN_EVENT_WP_COMBINE(cmn->dtc[d].counters[tmp])) + goto free_dtms; + + input_sel = CMN__PMEVCNT0_INPUT_SEL_WP + wp_idx; +- dtm->wp_event[wp_idx] = dtc_idx; ++ dtm->wp_event[wp_idx] = hw->dtc_idx[d]; + writel_relaxed(cfg, dtm->base + CMN_DTM_WPn_CONFIG(wp_idx)); + } else { + struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id); +@@ -1865,7 +1865,7 @@ static int arm_cmn_event_add(struct perf_event *event, int flags) + dtm->input_sel[dtm_idx] = input_sel; + shift = CMN__PMEVCNTn_GLOBAL_NUM_SHIFT(dtm_idx); + dtm->pmu_config_low &= ~(CMN__PMEVCNT0_GLOBAL_NUM << shift); +- dtm->pmu_config_low |= FIELD_PREP(CMN__PMEVCNT0_GLOBAL_NUM, dtc_idx) << shift; ++ dtm->pmu_config_low |= FIELD_PREP(CMN__PMEVCNT0_GLOBAL_NUM, hw->dtc_idx[d]) << shift; + dtm->pmu_config_low |= CMN__PMEVCNT_PAIRED(dtm_idx); + reg = (u64)le32_to_cpu(dtm->pmu_config_high) << 32 | dtm->pmu_config_low; + writeq_relaxed(reg, dtm->base + CMN_DTM_PMU_CONFIG); +@@ -1893,7 +1893,7 @@ static void arm_cmn_event_del(struct perf_event *event, int flags) + arm_cmn_event_stop(event, PERF_EF_UPDATE); + + if (type == CMN_TYPE_DTC) +- cmn->dtc[__ffs(hw->dtcs_used)].cycles = NULL; ++ cmn->dtc[hw->dtc_idx[0]].cycles = NULL; + else + arm_cmn_event_clear(cmn, event, hw->num_dns); + } +@@ -2074,7 +2074,6 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn) + { + struct arm_cmn_node *dn, *xp; + int dtc_idx = 0; +- u8 dtcs_present = (1 << cmn->num_dtcs) - 1; + + cmn->dtc = devm_kcalloc(cmn->dev, cmn->num_dtcs, sizeof(cmn->dtc[0]), GFP_KERNEL); + if (!cmn->dtc) +@@ -2084,23 +2083,26 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn) + + cmn->xps = arm_cmn_node(cmn, CMN_TYPE_XP); + ++ if (cmn->part == PART_CMN600 && cmn->num_dtcs > 1) { ++ /* We do at least know that a DTC's XP must be in that DTC's domain */ ++ dn = arm_cmn_node(cmn, CMN_TYPE_DTC); ++ for (int i = 0; i < cmn->num_dtcs; i++) ++ arm_cmn_node_to_xp(cmn, dn + i)->dtc = i; ++ } ++ + for (dn = cmn->dns; dn->type; dn++) { +- if (dn->type == CMN_TYPE_XP) { +- dn->dtc &= dtcs_present; ++ if (dn->type == CMN_TYPE_XP) + continue; +- } + + xp = arm_cmn_node_to_xp(cmn, dn); ++ dn->dtc = xp->dtc; + dn->dtm = xp->dtm; + if (cmn->multi_dtm) + dn->dtm += arm_cmn_nid(cmn, dn->id).port / 2; + + if (dn->type == CMN_TYPE_DTC) { +- int err; +- /* We do at least know that a DTC's XP must be in that DTC's domain */ +- if (xp->dtc == 0xf) +- xp->dtc = 1 << dtc_idx; +- err = arm_cmn_init_dtc(cmn, dn, dtc_idx++); ++ int err = arm_cmn_init_dtc(cmn, dn, dtc_idx++); ++ + if (err) + return err; + } +@@ -2258,9 +2260,9 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset) + cmn->mesh_x = xp->logid; + + if (cmn->part == PART_CMN600) +- xp->dtc = 0xf; ++ xp->dtc = -1; + else +- xp->dtc = 1 << arm_cmn_dtc_domain(cmn, xp_region); ++ xp->dtc = arm_cmn_dtc_domain(cmn, xp_region); + + xp->dtm = dtm - cmn->dtms; + arm_cmn_init_dtm(dtm++, xp, 0); +-- +2.43.0 + diff --git a/queue-6.6/perf-callchain-fix-stitch-lbr-memory-leaks.patch b/queue-6.6/perf-callchain-fix-stitch-lbr-memory-leaks.patch new file mode 100644 index 00000000000..a104cbe7e20 --- /dev/null +++ b/queue-6.6/perf-callchain-fix-stitch-lbr-memory-leaks.patch @@ -0,0 +1,143 @@ +From 310257b8ea7ee5c9303a994559d1d9ea99c6cfb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 22:46:43 -0700 +Subject: perf callchain: Fix stitch LBR memory leaks + +From: Ian Rogers + +[ Upstream commit 599c19397b17d197fc1184bbc950f163a292efc9 ] + +The 'struct callchain_cursor_node' has a 'struct map_symbol' whose maps +and map members are reference counted. Ensure these values use a _get +routine to increment the reference counts and use map_symbol__exit() to +release the reference counts. + +Do similar for 'struct thread's prev_lbr_cursor, but save the size of +the prev_lbr_cursor array so that it may be iterated. + +Ensure that when stitch_nodes are placed on the free list the +map_symbols are exited. + +Fix resolve_lbr_callchain_sample() by replacing list_replace_init() to +list_splice_init(), so the whole list is moved and nodes aren't leaked. + +A reproduction of the memory leaks is possible with a leak sanitizer +build in the perf report command of: + + ``` + $ perf record -e cycles --call-graph lbr perf test -w thloop + $ perf report --stitch-lbr + ``` + +Reviewed-by: Kan Liang +Fixes: ff165628d72644e3 ("perf callchain: Stitch LBR call stack") +Signed-off-by: Ian Rogers +[ Basic tests after applying the patch, repeating the example above ] +Tested-by: Arnaldo Carvalho de Melo +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Anne Macedo +Cc: Changbin Du +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240808054644.1286065-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/machine.c | 17 +++++++++++++++-- + tools/perf/util/thread.c | 4 ++++ + tools/perf/util/thread.h | 1 + + 3 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index 7c6874804660e..24dead4e30656 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -2536,8 +2536,12 @@ static void save_lbr_cursor_node(struct thread *thread, + cursor->curr = cursor->first; + else + cursor->curr = cursor->curr->next; ++ ++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms); + memcpy(&lbr_stitch->prev_lbr_cursor[idx], cursor->curr, + sizeof(struct callchain_cursor_node)); ++ lbr_stitch->prev_lbr_cursor[idx].ms.maps = maps__get(cursor->curr->ms.maps); ++ lbr_stitch->prev_lbr_cursor[idx].ms.map = map__get(cursor->curr->ms.map); + + lbr_stitch->prev_lbr_cursor[idx].valid = true; + cursor->pos++; +@@ -2748,6 +2752,9 @@ static bool has_stitched_lbr(struct thread *thread, + memcpy(&stitch_node->cursor, &lbr_stitch->prev_lbr_cursor[i], + sizeof(struct callchain_cursor_node)); + ++ stitch_node->cursor.ms.maps = maps__get(lbr_stitch->prev_lbr_cursor[i].ms.maps); ++ stitch_node->cursor.ms.map = map__get(lbr_stitch->prev_lbr_cursor[i].ms.map); ++ + if (callee) + list_add(&stitch_node->node, &lbr_stitch->lists); + else +@@ -2771,6 +2778,8 @@ static bool alloc_lbr_stitch(struct thread *thread, unsigned int max_lbr) + if (!thread__lbr_stitch(thread)->prev_lbr_cursor) + goto free_lbr_stitch; + ++ thread__lbr_stitch(thread)->prev_lbr_cursor_size = max_lbr + 1; ++ + INIT_LIST_HEAD(&thread__lbr_stitch(thread)->lists); + INIT_LIST_HEAD(&thread__lbr_stitch(thread)->free_lists); + +@@ -2826,8 +2835,12 @@ static int resolve_lbr_callchain_sample(struct thread *thread, + max_lbr, callee); + + if (!stitched_lbr && !list_empty(&lbr_stitch->lists)) { +- list_replace_init(&lbr_stitch->lists, +- &lbr_stitch->free_lists); ++ struct stitch_list *stitch_node; ++ ++ list_for_each_entry(stitch_node, &lbr_stitch->lists, node) ++ map_symbol__exit(&stitch_node->cursor.ms); ++ ++ list_splice_init(&lbr_stitch->lists, &lbr_stitch->free_lists); + } + memcpy(&lbr_stitch->prev_sample, sample, sizeof(*sample)); + } +diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c +index 61e9f449c7258..6817b99e550ba 100644 +--- a/tools/perf/util/thread.c ++++ b/tools/perf/util/thread.c +@@ -478,6 +478,7 @@ void thread__free_stitch_list(struct thread *thread) + return; + + list_for_each_entry_safe(pos, tmp, &lbr_stitch->lists, node) { ++ map_symbol__exit(&pos->cursor.ms); + list_del_init(&pos->node); + free(pos); + } +@@ -487,6 +488,9 @@ void thread__free_stitch_list(struct thread *thread) + free(pos); + } + ++ for (unsigned int i = 0 ; i < lbr_stitch->prev_lbr_cursor_size; i++) ++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[i].ms); ++ + zfree(&lbr_stitch->prev_lbr_cursor); + free(thread__lbr_stitch(thread)); + thread__set_lbr_stitch(thread, NULL); +diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h +index 0df775b5c1105..a5423f834dc9d 100644 +--- a/tools/perf/util/thread.h ++++ b/tools/perf/util/thread.h +@@ -28,6 +28,7 @@ struct lbr_stitch { + struct list_head free_lists; + struct perf_sample prev_sample; + struct callchain_cursor_node *prev_lbr_cursor; ++ unsigned int prev_lbr_cursor_size; + }; + + struct thread_rb_node { +-- +2.43.0 + diff --git a/queue-6.6/perf-inject-fix-leader-sampling-inserting-additional.patch b/queue-6.6/perf-inject-fix-leader-sampling-inserting-additional.patch new file mode 100644 index 00000000000..05596c1927b --- /dev/null +++ b/queue-6.6/perf-inject-fix-leader-sampling-inserting-additional.patch @@ -0,0 +1,129 @@ +From 54efc4072b7daad06a1c11f6a5f7999a9719bd9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 15:06:20 -0700 +Subject: perf inject: Fix leader sampling inserting additional samples + +From: Ian Rogers + +[ Upstream commit 79bcd34e0f3da39fda841406ccc957405e724852 ] + +The processing of leader samples would turn an individual sample with +a group of read values into multiple samples. 'perf inject' would pass +through the additional samples increasing the output data file size: + + $ perf record -g -e "{instructions,cycles}:S" -o perf.orig.data true + $ perf script -D -i perf.orig.data | sed -e 's/perf.orig.data/perf.data/g' > orig.txt + $ perf inject -i perf.orig.data -o perf.new.data + $ perf script -D -i perf.new.data | sed -e 's/perf.new.data/perf.data/g' > new.txt + $ diff -u orig.txt new.txt + --- orig.txt 2024-07-29 14:29:40.606576769 -0700 + +++ new.txt 2024-07-29 14:30:04.142737434 -0700 + ... + -0xc550@perf.data [0x30]: event: 3 + +0xc550@perf.data [0xd0]: event: 9 + +. + +. ... raw event: size 208 bytes + +. 0000: 09 00 00 00 01 00 d0 00 fc 72 01 86 ff ff ff ff .........r...... + +. 0010: 74 7d 2c 00 74 7d 2c 00 fb c3 79 f9 ba d5 05 00 t},.t},...y..... + +. 0020: e6 cb 1a 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + +. 0030: 02 00 00 00 00 00 00 00 76 01 00 00 00 00 00 00 ........v....... + +. 0040: e6 cb 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +. 0050: 62 18 00 00 00 00 00 00 f6 cb 1a 00 00 00 00 00 b............... + +. 0060: 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 ................ + +. 0070: 80 ff ff ff ff ff ff ff fc 72 01 86 ff ff ff ff .........r...... + +. 0080: f3 0e 6e 85 ff ff ff ff 0c cb 7f 85 ff ff ff ff ..n............. + +. 0090: bc f2 87 85 ff ff ff ff 44 af 7f 85 ff ff ff ff ........D....... + +. 00a0: bd be 7f 85 ff ff ff ff 26 d0 7f 85 ff ff ff ff ........&....... + +. 00b0: 6d a4 ff 85 ff ff ff ff ea 00 20 86 ff ff ff ff m......... ..... + +. 00c0: 00 fe ff ff ff ff ff ff 57 14 4f 43 fc 7e 00 00 ........W.OC.~.. + + + +1642373909693435 0xc550 [0xd0]: PERF_RECORD_SAMPLE(IP, 0x1): 2915700/2915700: 0xffffffff860172fc period: 1 addr: 0 + +... FP chain: nr:12 + +..... 0: ffffffffffffff80 + +..... 1: ffffffff860172fc + +..... 2: ffffffff856e0ef3 + +..... 3: ffffffff857fcb0c + +..... 4: ffffffff8587f2bc + +..... 5: ffffffff857faf44 + +..... 6: ffffffff857fbebd + +..... 7: ffffffff857fd026 + +..... 8: ffffffff85ffa46d + +..... 9: ffffffff862000ea + +..... 10: fffffffffffffe00 + +..... 11: 00007efc434f1457 + +... sample_read: + +.... group nr 2 + +..... id 00000000001acbe6, value 0000000000000176, lost 0 + +..... id 00000000001acbf6, value 0000000000001862, lost 0 + + + +0xc620@perf.data [0x30]: event: 3 + ... + +This behavior is incorrect as in the case above 'perf inject' should +have done nothing. Fix this behavior by disabling separating samples +for a tool that requests it. Only request this for `perf inject` so as +to not affect other perf tools. With the patch and the test above +there are no differences between the orig.txt and new.txt. + +Fixes: e4caec0d1af3d608 ("perf evsel: Add PERF_SAMPLE_READ sample related processing") +Signed-off-by: Ian Rogers +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240729220620.2957754-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-inject.c | 1 + + tools/perf/util/session.c | 3 +++ + tools/perf/util/tool.h | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c +index eb3ef5c24b662..8aba056654679 100644 +--- a/tools/perf/builtin-inject.c ++++ b/tools/perf/builtin-inject.c +@@ -2200,6 +2200,7 @@ int cmd_inject(int argc, const char **argv) + .finished_init = perf_event__repipe_op2_synth, + .compressed = perf_event__repipe_op4_synth, + .auxtrace = perf_event__repipe_auxtrace, ++ .dont_split_sample_group = true, + }, + .input_name = "-", + .samples = LIST_HEAD_INIT(inject.samples), +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index c6afba7ab1a51..277b2cbd51861 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -1500,6 +1500,9 @@ static int deliver_sample_group(struct evlist *evlist, + int ret = -EINVAL; + struct sample_read_value *v = sample->read.group.values; + ++ if (tool->dont_split_sample_group) ++ return deliver_sample_value(evlist, tool, event, sample, v, machine); ++ + sample_read_group__for_each(v, sample->read.group.nr, read_format) { + ret = deliver_sample_value(evlist, tool, event, sample, v, + machine); +diff --git a/tools/perf/util/tool.h b/tools/perf/util/tool.h +index c957fb849ac63..62bbc9cec151b 100644 +--- a/tools/perf/util/tool.h ++++ b/tools/perf/util/tool.h +@@ -85,6 +85,7 @@ struct perf_tool { + bool namespace_events; + bool cgroup_events; + bool no_warn; ++ bool dont_split_sample_group; + enum show_feature_header show_feat_hdr; + }; + +-- +2.43.0 + diff --git a/queue-6.6/perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch b/queue-6.6/perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch new file mode 100644 index 00000000000..91b93d113d4 --- /dev/null +++ b/queue-6.6/perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch @@ -0,0 +1,45 @@ +From 154a69f9357f2230c3ebd9b0a1079bf1e88afd2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 16:55:01 -0700 +Subject: perf mem: Free the allocated sort string, fixing a leak + +From: Namhyung Kim + +[ Upstream commit 3da209bb1177462b6fe8e3021a5527a5a49a9336 ] + +The get_sort_order() returns either a new string (from strdup) or NULL +but it never gets freed. + +Signed-off-by: Namhyung Kim +Fixes: 2e7f545096f954a9 ("perf mem: Factor out a function to generate sort order") +Cc: Adrian Hunter +Cc: Athira Rajeev +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: https://lore.kernel.org/r/20240731235505.710436-3-namhyung@kernel.org +[ Added Fixes tag ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-mem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c +index 51499c20da01e..865f321d729b6 100644 +--- a/tools/perf/builtin-mem.c ++++ b/tools/perf/builtin-mem.c +@@ -372,6 +372,7 @@ static int report_events(int argc, const char **argv, struct perf_mem *mem) + rep_argv[i] = argv[j]; + + ret = cmd_report(i, rep_argv); ++ free(new_sort_order); + free(rep_argv); + return ret; + } +-- +2.43.0 + diff --git a/queue-6.6/perf-report-fix-total-cycles-stdio-output-error.patch b/queue-6.6/perf-report-fix-total-cycles-stdio-output-error.patch new file mode 100644 index 00000000000..ef21c1308aa --- /dev/null +++ b/queue-6.6/perf-report-fix-total-cycles-stdio-output-error.patch @@ -0,0 +1,100 @@ +From 0a0553d005757ace1d6b399fa66647d8efb93fab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 09:02:00 -0700 +Subject: perf report: Fix --total-cycles --stdio output error + +From: Kan Liang + +[ Upstream commit 3ef44458071a19e5b5832cdfe6f75273aa521b6e ] + +The --total-cycles may output wrong information with the --stdio. + +For example: + + # perf record -e "{cycles,instructions}",cache-misses -b sleep 1 + # perf report --total-cycles --stdio + +The total cycles output of {cycles,instructions} and cache-misses are +almost the same. + + # Samples: 938 of events 'anon group { cycles, instructions }' + # Event count (approx.): 938 + # + # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] + # ............... .............. ........... .......... ..................................................> + # + 11.19% 2.6K 0.10% 21 [perf_iterate_ctx+48 -> > + 5.79% 1.4K 0.45% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> + 5.11% 1.2K 0.33% 71 [native_write_msr+0 ->> + + # Samples: 293 of event 'cache-misses' + # Event count (approx.): 293 + # + # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] + # ............... .............. ........... .......... ..................................................> + # + 11.19% 2.6K 0.13% 21 [perf_iterate_ctx+48 -> > + 5.79% 1.4K 0.59% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> + 5.11% 1.2K 0.43% 71 [native_write_msr+0 ->> + +With the symbol_conf.event_group, the 'perf report' should only report the +block information of the leader event in a group. + +However, the current implementation retrieves the next event's block +information, rather than the next group leader's block information. + +Make sure the index is updated even if the event is skipped. + +With the patch, + + # Samples: 293 of event 'cache-misses' + # Event count (approx.): 293 + # + # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] + # ............... .............. ........... .......... ..................................................> + # + 37.98% 9.0K 4.05% 299 [perf_event_addr_filters_exec+0 -> perf_event_a> + 11.19% 2.6K 0.28% 21 [perf_iterate_ctx+48 -> > + 5.79% 1.4K 1.32% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> + +Fixes: 6f7164fa231a5f36 ("perf report: Sort by sampled cycles percent per block for stdio") +Reviewed-by: Andi Kleen +Signed-off-by: Kan Liang +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jin Yao +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: https://lore.kernel.org/r/20240813160208.2493643-2-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 212760e4dd166..cd2f3f1a75633 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -562,6 +562,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c + struct hists *hists = evsel__hists(pos); + const char *evname = evsel__name(pos); + ++ i++; + if (symbol_conf.event_group && !evsel__is_group_leader(pos)) + continue; + +@@ -571,7 +572,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c + hists__fprintf_nr_sample_events(hists, rep, evname, stdout); + + if (rep->total_cycles_mode) { +- report__browse_block_hists(&rep->block_reports[i++].hist, ++ report__browse_block_hists(&rep->block_reports[i - 1].hist, + rep->min_percent, pos, NULL); + continue; + } +-- +2.43.0 + diff --git a/queue-6.6/perf-sched-timehist-fix-missing-free-of-session-in-p.patch b/queue-6.6/perf-sched-timehist-fix-missing-free-of-session-in-p.patch new file mode 100644 index 00000000000..8a4ab5ddb48 --- /dev/null +++ b/queue-6.6/perf-sched-timehist-fix-missing-free-of-session-in-p.patch @@ -0,0 +1,49 @@ +From 94e433da11d441cafe89092d1e369867e4db5725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:35:33 +0800 +Subject: perf sched timehist: Fix missing free of session in + perf_sched__timehist() + +From: Yang Jihong + +[ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ] + +When perf_time__parse_str() fails in perf_sched__timehist(), +need to free session that was previously created, fix it. + +Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") +Signed-off-by: Yang Jihong +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index f21a655dd7f95..489a5ef2a25de 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3068,7 +3068,8 @@ static int perf_sched__timehist(struct perf_sched *sched) + + if (perf_time__parse_str(&sched->ptime, sched->time_str) != 0) { + pr_err("Invalid time string\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + + if (timehist_check_attr(sched, evlist) != 0) +-- +2.43.0 + diff --git a/queue-6.6/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch b/queue-6.6/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch new file mode 100644 index 00000000000..ecd35a1bcf9 --- /dev/null +++ b/queue-6.6/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch @@ -0,0 +1,99 @@ +From fcd0724ac1fe569b0ecb5f4da91d9cf9aac44c76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 10:47:20 +0800 +Subject: perf sched timehist: Fixed timestamp error when unable to confirm + event sched_in time + +From: Yang Jihong + +[ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ] + +If sched_in event for current task is not recorded, sched_in timestamp +will be set to end_time of time window interest, causing an error in +timestamp show. In this case, we choose to ignore this event. + +Test scenario: + + perf[1229608] does not record the first sched_in event, run time and sch delay are both 0 + + # perf sched timehist + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000 + 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003 + 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000 + 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004 + 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000 + 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007 + 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000 + 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004 + +Before: + + arbitrarily specify a time window of interest, timestamp will be set to an incorrect value + + # perf sched timehist --time 100,200 + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + 200.000000 [0000] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0001] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0002] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0003] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0004] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0005] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0006] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0007] perf[1229608] 0.000 0.000 0.000 + + After: + + # perf sched timehist --time 100,200 + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + +Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") +Signed-off-by: Yang Jihong +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 489a5ef2a25de..42185da0f000a 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -2633,9 +2633,12 @@ static int timehist_sched_change_event(struct perf_tool *tool, + * - previous sched event is out of window - we are done + * - sample time is beyond window user cares about - reset it + * to close out stats for time window interest ++ * - If tprev is 0, that is, sched_in event for current task is ++ * not recorded, cannot determine whether sched_in event is ++ * within time window interest - ignore it + */ + if (ptime->end) { +- if (tprev > ptime->end) ++ if (!tprev || tprev > ptime->end) + goto out; + + if (t > ptime->end) +-- +2.43.0 + diff --git a/queue-6.6/perf-stat-display-iostat-headers-correctly.patch b/queue-6.6/perf-stat-display-iostat-headers-correctly.patch new file mode 100644 index 00000000000..00c8023b742 --- /dev/null +++ b/queue-6.6/perf-stat-display-iostat-headers-correctly.patch @@ -0,0 +1,66 @@ +From 76f1041cccfeb16ecbcab95ef8c7f3ee9156786d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 14:58:00 +0800 +Subject: perf stat: Display iostat headers correctly + +From: Yicong Yang + +[ Upstream commit 2615639352420e6e3115952c5b8f46846e1c6d0e ] + +Currently we'll only print metric headers for metric leader in +aggregration mode. This will make `perf iostat` header not shown +since it'll aggregrated globally but don't have metric events: + + root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000 + Performance counter stats for 'system wide': + port + 0000:00 0 0 0 0 + 0000:80 0 0 0 0 + [...] + +Fix this by excluding the iostat in the check of printing metric +headers. Then we can see the headers: + + root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000 + Performance counter stats for 'system wide': + port Inbound Read(MB) Inbound Write(MB) Outbound Read(MB) Outbound Write(MB) + 0000:00 0 0 0 0 + 0000:80 0 0 0 0 + [...] + +Fixes: 193a9e30207f5477 ("perf stat: Don't display metric header for non-leader uncore events") +Signed-off-by: Yicong Yang +Acked-by: Namhyung Kim +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jonathan Cameron +Cc: Junhao He +Cc: linuxarm@huawei.com +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Shameerali Kolothum Thodi +Cc: Zeng Tao +Link: https://lore.kernel.org/r/20240802065800.48774-1-yangyicong@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/stat-display.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c +index 0abe35388ab15..f98ade7f9fba4 100644 +--- a/tools/perf/util/stat-display.c ++++ b/tools/perf/util/stat-display.c +@@ -1207,7 +1207,8 @@ static void print_metric_headers(struct perf_stat_config *config, + + /* Print metrics headers only */ + evlist__for_each_entry(evlist, counter) { +- if (config->aggr_mode != AGGR_NONE && counter->metric_leader != counter) ++ if (!config->iostat_run && ++ config->aggr_mode != AGGR_NONE && counter->metric_leader != counter) + continue; + + os.evsel = counter; +-- +2.43.0 + diff --git a/queue-6.6/perf-time-utils-fix-32-bit-nsec-parsing.patch b/queue-6.6/perf-time-utils-fix-32-bit-nsec-parsing.patch new file mode 100644 index 00000000000..f2533a92d15 --- /dev/null +++ b/queue-6.6/perf-time-utils-fix-32-bit-nsec-parsing.patch @@ -0,0 +1,70 @@ +From 5456c2a28c161544218a991342a696ed778368d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2024 00:04:11 -0700 +Subject: perf time-utils: Fix 32-bit nsec parsing + +From: Ian Rogers + +[ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ] + +The "time utils" test fails in 32-bit builds: + ... + parse_nsec_time("18446744073.709551615") + Failed. ptime 4294967295709551615 expected 18446744073709551615 + ... + +Switch strtoul to strtoull as an unsigned long in 32-bit build isn't +64-bits. + +Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c") +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Athira Rajeev +Cc: Chaitanya S Prakash +Cc: Colin Ian King +Cc: David Ahern +Cc: Dominique Martinet +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: John Garry +Cc: Junhao He +Cc: Kan Liang +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Yang Jihong +Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/time-utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/time-utils.c b/tools/perf/util/time-utils.c +index 3024439216816..1b91ccd4d5234 100644 +--- a/tools/perf/util/time-utils.c ++++ b/tools/perf/util/time-utils.c +@@ -20,7 +20,7 @@ int parse_nsec_time(const char *str, u64 *ptime) + u64 time_sec, time_nsec; + char *end; + +- time_sec = strtoul(str, &end, 10); ++ time_sec = strtoull(str, &end, 10); + if (*end != '.' && *end != '\0') + return -1; + +@@ -38,7 +38,7 @@ int parse_nsec_time(const char *str, u64 *ptime) + for (i = strlen(nsec_buf); i < 9; i++) + nsec_buf[i] = '0'; + +- time_nsec = strtoul(nsec_buf, &end, 10); ++ time_nsec = strtoull(nsec_buf, &end, 10); + if (*end != '\0') + return -1; + } else +-- +2.43.0 + diff --git a/queue-6.6/perf-ui-browser-annotate-use-global-annotation_optio.patch b/queue-6.6/perf-ui-browser-annotate-use-global-annotation_optio.patch new file mode 100644 index 00000000000..12e042d6647 --- /dev/null +++ b/queue-6.6/perf-ui-browser-annotate-use-global-annotation_optio.patch @@ -0,0 +1,626 @@ +From 56703c18ebfa60baa9028803dee484139e709119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 09:54:38 -0800 +Subject: perf ui/browser/annotate: Use global annotation_options + +From: Namhyung Kim + +[ Upstream commit 22197fb296913f83c7182befd2a8b23bf042f279 ] + +Now it can use the global options and no need save local browser +options separately. + +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231128175441.721579-6-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 3ef44458071a ("perf report: Fix --total-cycles --stdio output error") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-annotate.c | 2 +- + tools/perf/builtin-report.c | 8 ++-- + tools/perf/builtin-top.c | 3 +- + tools/perf/ui/browsers/annotate.c | 65 ++++++++++++++----------------- + tools/perf/ui/browsers/hists.c | 34 ++++++---------- + tools/perf/ui/browsers/hists.h | 2 - + tools/perf/util/annotate.h | 6 +-- + tools/perf/util/block-info.c | 6 +-- + tools/perf/util/block-info.h | 3 +- + tools/perf/util/hist.h | 25 ++++-------- + 10 files changed, 59 insertions(+), 95 deletions(-) + +diff --git a/tools/perf/builtin-annotate.c b/tools/perf/builtin-annotate.c +index 92973420c0a5a..0f1e5787b4eda 100644 +--- a/tools/perf/builtin-annotate.c ++++ b/tools/perf/builtin-annotate.c +@@ -378,7 +378,7 @@ static void hists__find_annotations(struct hists *hists, + /* skip missing symbols */ + nd = rb_next(nd); + } else if (use_browser == 1) { +- key = hist_entry__tui_annotate(he, evsel, NULL, &annotate_opts); ++ key = hist_entry__tui_annotate(he, evsel, NULL); + + switch (key) { + case -1: +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 2a8889c6d7f97..212760e4dd166 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -540,8 +540,7 @@ static int evlist__tui_block_hists_browse(struct evlist *evlist, struct report * + evlist__for_each_entry(evlist, pos) { + ret = report__browse_block_hists(&rep->block_reports[i++].hist, + rep->min_percent, pos, +- &rep->session->header.env, +- &annotate_opts); ++ &rep->session->header.env); + if (ret != 0) + return ret; + } +@@ -573,8 +572,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c + + if (rep->total_cycles_mode) { + report__browse_block_hists(&rep->block_reports[i++].hist, +- rep->min_percent, pos, +- NULL, NULL); ++ rep->min_percent, pos, NULL); + continue; + } + +@@ -669,7 +667,7 @@ static int report__browse_hists(struct report *rep) + } + + ret = evlist__tui_browse_hists(evlist, help, NULL, rep->min_percent, +- &session->header.env, true, &annotate_opts); ++ &session->header.env, true); + /* + * Usually "ret" is the last pressed key, and we only + * care if the key notifies us to switch data file. +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 6ac17763de0e0..1c1ec444d501e 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -646,8 +646,7 @@ static void *display_thread_tui(void *arg) + } + + ret = evlist__tui_browse_hists(top->evlist, help, &hbt, top->min_percent, +- &top->session->header.env, !top->record_opts.overwrite, +- &annotate_opts); ++ &top->session->header.env, !top->record_opts.overwrite); + if (ret == K_RELOAD) { + top->zero = true; + goto repeat; +diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c +index 1fb7118ef5077..20f24d104da8e 100644 +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -27,7 +27,6 @@ struct annotate_browser { + struct rb_node *curr_hot; + struct annotation_line *selection; + struct arch *arch; +- struct annotation_options *opts; + bool searching_backwards; + char search_bf[128]; + }; +@@ -97,7 +96,7 @@ static void annotate_browser__write(struct ui_browser *browser, void *entry, int + struct annotation_write_ops ops = { + .first_line = row == 0, + .current_entry = is_current_entry, +- .change_color = (!notes->options->hide_src_code && ++ .change_color = (!annotate_opts.hide_src_code && + (!is_current_entry || + (browser->use_navkeypressed && + !browser->navkeypressed))), +@@ -128,7 +127,7 @@ static int is_fused(struct annotate_browser *ab, struct disasm_line *cursor) + + while (pos && pos->al.offset == -1) { + pos = list_prev_entry(pos, al.node); +- if (!ab->opts->hide_src_code) ++ if (!annotate_opts.hide_src_code) + diff++; + } + +@@ -195,7 +194,7 @@ static void annotate_browser__draw_current_jump(struct ui_browser *browser) + return; + } + +- if (notes->options->hide_src_code) { ++ if (annotate_opts.hide_src_code) { + from = cursor->al.idx_asm; + to = target->idx_asm; + } else { +@@ -224,7 +223,7 @@ static unsigned int annotate_browser__refresh(struct ui_browser *browser) + int ret = ui_browser__list_head_refresh(browser); + int pcnt_width = annotation__pcnt_width(notes); + +- if (notes->options->jump_arrows) ++ if (annotate_opts.jump_arrows) + annotate_browser__draw_current_jump(browser); + + ui_browser__set_color(browser, HE_COLORSET_NORMAL); +@@ -258,7 +257,7 @@ static void disasm_rb_tree__insert(struct annotate_browser *browser, + parent = *p; + l = rb_entry(parent, struct annotation_line, rb_node); + +- if (disasm__cmp(al, l, browser->opts->percent_type) < 0) ++ if (disasm__cmp(al, l, annotate_opts.percent_type) < 0) + p = &(*p)->rb_left; + else + p = &(*p)->rb_right; +@@ -294,11 +293,10 @@ static void annotate_browser__set_top(struct annotate_browser *browser, + static void annotate_browser__set_rb_top(struct annotate_browser *browser, + struct rb_node *nd) + { +- struct annotation *notes = browser__annotation(&browser->b); + struct annotation_line * pos = rb_entry(nd, struct annotation_line, rb_node); + u32 idx = pos->idx; + +- if (notes->options->hide_src_code) ++ if (annotate_opts.hide_src_code) + idx = pos->idx_asm; + annotate_browser__set_top(browser, pos, idx); + browser->curr_hot = nd; +@@ -331,7 +329,7 @@ static void annotate_browser__calc_percent(struct annotate_browser *browser, + double percent; + + percent = annotation_data__percent(&pos->al.data[i], +- browser->opts->percent_type); ++ annotate_opts.percent_type); + + if (max_percent < percent) + max_percent = percent; +@@ -380,12 +378,12 @@ static bool annotate_browser__toggle_source(struct annotate_browser *browser) + browser->b.seek(&browser->b, offset, SEEK_CUR); + al = list_entry(browser->b.top, struct annotation_line, node); + +- if (notes->options->hide_src_code) { ++ if (annotate_opts.hide_src_code) { + if (al->idx_asm < offset) + offset = al->idx; + + browser->b.nr_entries = notes->src->nr_entries; +- notes->options->hide_src_code = false; ++ annotate_opts.hide_src_code = false; + browser->b.seek(&browser->b, -offset, SEEK_CUR); + browser->b.top_idx = al->idx - offset; + browser->b.index = al->idx; +@@ -403,7 +401,7 @@ static bool annotate_browser__toggle_source(struct annotate_browser *browser) + offset = al->idx_asm; + + browser->b.nr_entries = notes->src->nr_asm_entries; +- notes->options->hide_src_code = true; ++ annotate_opts.hide_src_code = true; + browser->b.seek(&browser->b, -offset, SEEK_CUR); + browser->b.top_idx = al->idx_asm - offset; + browser->b.index = al->idx_asm; +@@ -483,8 +481,8 @@ static bool annotate_browser__callq(struct annotate_browser *browser, + target_ms.map = ms->map; + target_ms.sym = dl->ops.target.sym; + annotation__unlock(notes); +- symbol__tui_annotate(&target_ms, evsel, hbt, browser->opts); +- sym_title(ms->sym, ms->map, title, sizeof(title), browser->opts->percent_type); ++ symbol__tui_annotate(&target_ms, evsel, hbt); ++ sym_title(ms->sym, ms->map, title, sizeof(title), annotate_opts.percent_type); + ui_browser__show_title(&browser->b, title); + return true; + } +@@ -659,7 +657,6 @@ bool annotate_browser__continue_search_reverse(struct annotate_browser *browser, + + static int annotate_browser__show(struct ui_browser *browser, char *title, const char *help) + { +- struct annotate_browser *ab = container_of(browser, struct annotate_browser, b); + struct map_symbol *ms = browser->priv; + struct symbol *sym = ms->sym; + char symbol_dso[SYM_TITLE_MAX_SIZE]; +@@ -667,7 +664,7 @@ static int annotate_browser__show(struct ui_browser *browser, char *title, const + if (ui_browser__show(browser, title, help) < 0) + return -1; + +- sym_title(sym, ms->map, symbol_dso, sizeof(symbol_dso), ab->opts->percent_type); ++ sym_title(sym, ms->map, symbol_dso, sizeof(symbol_dso), annotate_opts.percent_type); + + ui_browser__gotorc_title(browser, 0, 0); + ui_browser__set_color(browser, HE_COLORSET_ROOT); +@@ -809,7 +806,7 @@ static int annotate_browser__run(struct annotate_browser *browser, + annotate_browser__show(&browser->b, title, help); + continue; + case 'k': +- notes->options->show_linenr = !notes->options->show_linenr; ++ annotate_opts.show_linenr = !annotate_opts.show_linenr; + continue; + case 'l': + annotate_browser__show_full_location (&browser->b); +@@ -822,18 +819,18 @@ static int annotate_browser__run(struct annotate_browser *browser, + ui_helpline__puts(help); + continue; + case 'o': +- notes->options->use_offset = !notes->options->use_offset; ++ annotate_opts.use_offset = !annotate_opts.use_offset; + annotation__update_column_widths(notes); + continue; + case 'O': +- if (++notes->options->offset_level > ANNOTATION__MAX_OFFSET_LEVEL) +- notes->options->offset_level = ANNOTATION__MIN_OFFSET_LEVEL; ++ if (++annotate_opts.offset_level > ANNOTATION__MAX_OFFSET_LEVEL) ++ annotate_opts.offset_level = ANNOTATION__MIN_OFFSET_LEVEL; + continue; + case 'j': +- notes->options->jump_arrows = !notes->options->jump_arrows; ++ annotate_opts.jump_arrows = !annotate_opts.jump_arrows; + continue; + case 'J': +- notes->options->show_nr_jumps = !notes->options->show_nr_jumps; ++ annotate_opts.show_nr_jumps = !annotate_opts.show_nr_jumps; + annotation__update_column_widths(notes); + continue; + case '/': +@@ -897,15 +894,15 @@ static int annotate_browser__run(struct annotate_browser *browser, + annotation__update_column_widths(notes); + continue; + case 'c': +- if (notes->options->show_minmax_cycle) +- notes->options->show_minmax_cycle = false; ++ if (annotate_opts.show_minmax_cycle) ++ annotate_opts.show_minmax_cycle = false; + else +- notes->options->show_minmax_cycle = true; ++ annotate_opts.show_minmax_cycle = true; + annotation__update_column_widths(notes); + continue; + case 'p': + case 'b': +- switch_percent_type(browser->opts, key == 'b'); ++ switch_percent_type(&annotate_opts, key == 'b'); + hists__scnprintf_title(hists, title, sizeof(title)); + annotate_browser__show(&browser->b, title, help); + continue; +@@ -932,26 +929,23 @@ static int annotate_browser__run(struct annotate_browser *browser, + } + + int map_symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *opts) ++ struct hist_browser_timer *hbt) + { +- return symbol__tui_annotate(ms, evsel, hbt, opts); ++ return symbol__tui_annotate(ms, evsel, hbt); + } + + int hist_entry__tui_annotate(struct hist_entry *he, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *opts) ++ struct hist_browser_timer *hbt) + { + /* reset abort key so that it can get Ctrl-C as a key */ + SLang_reset_tty(); + SLang_init_tty(0, 0, 0); + +- return map_symbol__tui_annotate(&he->ms, evsel, hbt, opts); ++ return map_symbol__tui_annotate(&he->ms, evsel, hbt); + } + + int symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *opts) ++ struct hist_browser_timer *hbt) + { + struct symbol *sym = ms->sym; + struct annotation *notes = symbol__annotation(sym); +@@ -965,7 +959,6 @@ int symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, + .priv = ms, + .use_navkeypressed = true, + }, +- .opts = opts, + }; + struct dso *dso; + int ret = -1, err; +@@ -996,7 +989,7 @@ int symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, + browser.b.entries = ¬es->src->source, + browser.b.width += 18; /* Percentage */ + +- if (notes->options->hide_src_code) ++ if (annotate_opts.hide_src_code) + ui_browser__init_asm_mode(&browser.b); + + ret = annotate_browser__run(&browser, evsel, hbt); +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 70db5a7179056..bb59d27642ccf 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -2250,8 +2250,7 @@ struct hist_browser *hist_browser__new(struct hists *hists) + static struct hist_browser * + perf_evsel_browser__new(struct evsel *evsel, + struct hist_browser_timer *hbt, +- struct perf_env *env, +- struct annotation_options *annotation_opts) ++ struct perf_env *env) + { + struct hist_browser *browser = hist_browser__new(evsel__hists(evsel)); + +@@ -2259,7 +2258,6 @@ perf_evsel_browser__new(struct evsel *evsel, + browser->hbt = hbt; + browser->env = env; + browser->title = hists_browser__scnprintf_title; +- browser->annotation_opts = annotation_opts; + } + return browser; + } +@@ -2432,8 +2430,8 @@ do_annotate(struct hist_browser *browser, struct popup_action *act) + struct hist_entry *he; + int err; + +- if (!browser->annotation_opts->objdump_path && +- perf_env__lookup_objdump(browser->env, &browser->annotation_opts->objdump_path)) ++ if (!annotate_opts.objdump_path && ++ perf_env__lookup_objdump(browser->env, &annotate_opts.objdump_path)) + return 0; + + notes = symbol__annotation(act->ms.sym); +@@ -2445,8 +2443,7 @@ do_annotate(struct hist_browser *browser, struct popup_action *act) + else + evsel = hists_to_evsel(browser->hists); + +- err = map_symbol__tui_annotate(&act->ms, evsel, browser->hbt, +- browser->annotation_opts); ++ err = map_symbol__tui_annotate(&act->ms, evsel, browser->hbt); + he = hist_browser__selected_entry(browser); + /* + * offer option to annotate the other branch source or target +@@ -2943,11 +2940,10 @@ static void hist_browser__update_percent_limit(struct hist_browser *hb, + + static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *helpline, + bool left_exits, struct hist_browser_timer *hbt, float min_pcnt, +- struct perf_env *env, bool warn_lost_event, +- struct annotation_options *annotation_opts) ++ struct perf_env *env, bool warn_lost_event) + { + struct hists *hists = evsel__hists(evsel); +- struct hist_browser *browser = perf_evsel_browser__new(evsel, hbt, env, annotation_opts); ++ struct hist_browser *browser = perf_evsel_browser__new(evsel, hbt, env); + struct branch_info *bi = NULL; + #define MAX_OPTIONS 16 + char *options[MAX_OPTIONS]; +@@ -3398,7 +3394,6 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h + struct evsel_menu { + struct ui_browser b; + struct evsel *selection; +- struct annotation_options *annotation_opts; + bool lost_events, lost_events_warned; + float min_pcnt; + struct perf_env *env; +@@ -3499,8 +3494,7 @@ static int perf_evsel_menu__run(struct evsel_menu *menu, + hbt->timer(hbt->arg); + key = evsel__hists_browse(pos, nr_events, help, true, hbt, + menu->min_pcnt, menu->env, +- warn_lost_event, +- menu->annotation_opts); ++ warn_lost_event); + ui_browser__show_title(&menu->b, title); + switch (key) { + case K_TAB: +@@ -3557,7 +3551,7 @@ static bool filter_group_entries(struct ui_browser *browser __maybe_unused, + + static int __evlist__tui_browse_hists(struct evlist *evlist, int nr_entries, const char *help, + struct hist_browser_timer *hbt, float min_pcnt, struct perf_env *env, +- bool warn_lost_event, struct annotation_options *annotation_opts) ++ bool warn_lost_event) + { + struct evsel *pos; + struct evsel_menu menu = { +@@ -3572,7 +3566,6 @@ static int __evlist__tui_browse_hists(struct evlist *evlist, int nr_entries, con + }, + .min_pcnt = min_pcnt, + .env = env, +- .annotation_opts = annotation_opts, + }; + + ui_helpline__push("Press ESC to exit"); +@@ -3607,8 +3600,7 @@ static bool evlist__single_entry(struct evlist *evlist) + } + + int evlist__tui_browse_hists(struct evlist *evlist, const char *help, struct hist_browser_timer *hbt, +- float min_pcnt, struct perf_env *env, bool warn_lost_event, +- struct annotation_options *annotation_opts) ++ float min_pcnt, struct perf_env *env, bool warn_lost_event) + { + int nr_entries = evlist->core.nr_entries; + +@@ -3617,7 +3609,7 @@ single_entry: { + struct evsel *first = evlist__first(evlist); + + return evsel__hists_browse(first, nr_entries, help, false, hbt, min_pcnt, +- env, warn_lost_event, annotation_opts); ++ env, warn_lost_event); + } + } + +@@ -3635,7 +3627,7 @@ single_entry: { + } + + return __evlist__tui_browse_hists(evlist, nr_entries, help, hbt, min_pcnt, env, +- warn_lost_event, annotation_opts); ++ warn_lost_event); + } + + static int block_hists_browser__title(struct hist_browser *browser, char *bf, +@@ -3654,8 +3646,7 @@ static int block_hists_browser__title(struct hist_browser *browser, char *bf, + } + + int block_hists_tui_browse(struct block_hist *bh, struct evsel *evsel, +- float min_percent, struct perf_env *env, +- struct annotation_options *annotation_opts) ++ float min_percent, struct perf_env *env) + { + struct hists *hists = &bh->block_hists; + struct hist_browser *browser; +@@ -3672,7 +3663,6 @@ int block_hists_tui_browse(struct block_hist *bh, struct evsel *evsel, + browser->title = block_hists_browser__title; + browser->min_pcnt = min_percent; + browser->env = env; +- browser->annotation_opts = annotation_opts; + + /* reset abort key so that it can get Ctrl-C as a key */ + SLang_reset_tty(); +diff --git a/tools/perf/ui/browsers/hists.h b/tools/perf/ui/browsers/hists.h +index 1e938d9ffa5ee..de46f6c56b0ef 100644 +--- a/tools/perf/ui/browsers/hists.h ++++ b/tools/perf/ui/browsers/hists.h +@@ -4,7 +4,6 @@ + + #include "ui/browser.h" + +-struct annotation_options; + struct evsel; + + struct hist_browser { +@@ -15,7 +14,6 @@ struct hist_browser { + struct hist_browser_timer *hbt; + struct pstack *pstack; + struct perf_env *env; +- struct annotation_options *annotation_opts; + struct evsel *block_evsel; + int print_seq; + bool show_dso; +diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h +index 238e7ef289a82..b79614c44a242 100644 +--- a/tools/perf/util/annotate.h ++++ b/tools/perf/util/annotate.h +@@ -412,13 +412,11 @@ int symbol__tty_annotate2(struct map_symbol *ms, struct evsel *evsel); + + #ifdef HAVE_SLANG_SUPPORT + int symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *opts); ++ struct hist_browser_timer *hbt); + #else + static inline int symbol__tui_annotate(struct map_symbol *ms __maybe_unused, + struct evsel *evsel __maybe_unused, +- struct hist_browser_timer *hbt __maybe_unused, +- struct annotation_options *opts __maybe_unused) ++ struct hist_browser_timer *hbt __maybe_unused) + { + return 0; + } +diff --git a/tools/perf/util/block-info.c b/tools/perf/util/block-info.c +index 08f82c1f166c3..dec910989701e 100644 +--- a/tools/perf/util/block-info.c ++++ b/tools/perf/util/block-info.c +@@ -464,8 +464,7 @@ void block_info__free_report(struct block_report *reps, int nr_reps) + } + + int report__browse_block_hists(struct block_hist *bh, float min_percent, +- struct evsel *evsel, struct perf_env *env, +- struct annotation_options *annotation_opts) ++ struct evsel *evsel, struct perf_env *env) + { + int ret; + +@@ -477,8 +476,7 @@ int report__browse_block_hists(struct block_hist *bh, float min_percent, + return 0; + case 1: + symbol_conf.report_individual_block = true; +- ret = block_hists_tui_browse(bh, evsel, min_percent, +- env, annotation_opts); ++ ret = block_hists_tui_browse(bh, evsel, min_percent, env); + return ret; + default: + return -1; +diff --git a/tools/perf/util/block-info.h b/tools/perf/util/block-info.h +index 42e9dcc4cf0ab..96f53e89795e2 100644 +--- a/tools/perf/util/block-info.h ++++ b/tools/perf/util/block-info.h +@@ -78,8 +78,7 @@ struct block_report *block_info__create_report(struct evlist *evlist, + void block_info__free_report(struct block_report *reps, int nr_reps); + + int report__browse_block_hists(struct block_hist *bh, float min_percent, +- struct evsel *evsel, struct perf_env *env, +- struct annotation_options *annotation_opts); ++ struct evsel *evsel, struct perf_env *env); + + float block_info__total_cycles_percent(struct hist_entry *he); + +diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h +index afc9f1c7f4dc2..5d0db96609dff 100644 +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -457,7 +457,6 @@ struct hist_browser_timer { + int refresh; + }; + +-struct annotation_options; + struct res_sample; + + enum rstype { +@@ -473,16 +472,13 @@ struct block_hist; + void attr_to_script(char *buf, struct perf_event_attr *attr); + + int map_symbol__tui_annotate(struct map_symbol *ms, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *annotation_opts); ++ struct hist_browser_timer *hbt); + + int hist_entry__tui_annotate(struct hist_entry *he, struct evsel *evsel, +- struct hist_browser_timer *hbt, +- struct annotation_options *annotation_opts); ++ struct hist_browser_timer *hbt); + + int evlist__tui_browse_hists(struct evlist *evlist, const char *help, struct hist_browser_timer *hbt, +- float min_pcnt, struct perf_env *env, bool warn_lost_event, +- struct annotation_options *annotation_options); ++ float min_pcnt, struct perf_env *env, bool warn_lost_event); + + int script_browse(const char *script_opt, struct evsel *evsel); + +@@ -492,8 +488,7 @@ int res_sample_browse(struct res_sample *res_samples, int num_res, + void res_sample_init(void); + + int block_hists_tui_browse(struct block_hist *bh, struct evsel *evsel, +- float min_percent, struct perf_env *env, +- struct annotation_options *annotation_opts); ++ float min_percent, struct perf_env *env); + #else + static inline + int evlist__tui_browse_hists(struct evlist *evlist __maybe_unused, +@@ -501,23 +496,20 @@ int evlist__tui_browse_hists(struct evlist *evlist __maybe_unused, + struct hist_browser_timer *hbt __maybe_unused, + float min_pcnt __maybe_unused, + struct perf_env *env __maybe_unused, +- bool warn_lost_event __maybe_unused, +- struct annotation_options *annotation_options __maybe_unused) ++ bool warn_lost_event __maybe_unused) + { + return 0; + } + static inline int map_symbol__tui_annotate(struct map_symbol *ms __maybe_unused, + struct evsel *evsel __maybe_unused, +- struct hist_browser_timer *hbt __maybe_unused, +- struct annotation_options *annotation_options __maybe_unused) ++ struct hist_browser_timer *hbt __maybe_unused) + { + return 0; + } + + static inline int hist_entry__tui_annotate(struct hist_entry *he __maybe_unused, + struct evsel *evsel __maybe_unused, +- struct hist_browser_timer *hbt __maybe_unused, +- struct annotation_options *annotation_opts __maybe_unused) ++ struct hist_browser_timer *hbt __maybe_unused) + { + return 0; + } +@@ -541,8 +533,7 @@ static inline void res_sample_init(void) {} + static inline int block_hists_tui_browse(struct block_hist *bh __maybe_unused, + struct evsel *evsel __maybe_unused, + float min_percent __maybe_unused, +- struct perf_env *env __maybe_unused, +- struct annotation_options *annotation_opts __maybe_unused) ++ struct perf_env *env __maybe_unused) + { + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch b/queue-6.6/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch new file mode 100644 index 00000000000..3d6de7e0453 --- /dev/null +++ b/queue-6.6/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch @@ -0,0 +1,119 @@ +From 92b7ba057f8fe45045326a16466c501f0a737c49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 14:48:23 +0800 +Subject: pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function + +From: Wang Jianzheng + +[ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ] + +When an error occurs during the execution of the function +__devinit_dove_pinctrl_probe, the clk is not properly disabled. + +Fix this by calling clk_disable_unprepare before return. + +Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory") +Signed-off-by: Wang Jianzheng +Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c +index 1947da73e5121..dce601d993728 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-dove.c ++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c +@@ -767,7 +767,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + struct resource fb_res; + struct mvebu_mpp_ctrl_data *mpp_data; + void __iomem *base; +- int i; ++ int i, ret; + + pdev->dev.platform_data = (void *)device_get_match_data(&pdev->dev); + +@@ -783,13 +783,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + clk_prepare_enable(clk); + + base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res); +- if (IS_ERR(base)) +- return PTR_ERR(base); ++ if (IS_ERR(base)) { ++ ret = PTR_ERR(base); ++ goto err_probe; ++ } + + mpp_data = devm_kcalloc(&pdev->dev, dove_pinctrl_info.ncontrols, + sizeof(*mpp_data), GFP_KERNEL); +- if (!mpp_data) +- return -ENOMEM; ++ if (!mpp_data) { ++ ret = -ENOMEM; ++ goto err_probe; ++ } + + dove_pinctrl_info.control_data = mpp_data; + for (i = 0; i < ARRAY_SIZE(dove_mpp_controls); i++) +@@ -808,8 +812,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + } + + mpp4_base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mpp4_base)) +- return PTR_ERR(mpp4_base); ++ if (IS_ERR(mpp4_base)) { ++ ret = PTR_ERR(mpp4_base); ++ goto err_probe; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 2); + if (!res) { +@@ -820,8 +826,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + } + + pmu_base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(pmu_base)) +- return PTR_ERR(pmu_base); ++ if (IS_ERR(pmu_base)) { ++ ret = PTR_ERR(pmu_base); ++ goto err_probe; ++ } + + gconfmap = syscon_regmap_lookup_by_compatible("marvell,dove-global-config"); + if (IS_ERR(gconfmap)) { +@@ -831,12 +839,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + adjust_resource(&fb_res, + (mpp_res->start & INT_REGS_MASK) + GC_REGS_OFFS, 0x14); + gc_base = devm_ioremap_resource(&pdev->dev, &fb_res); +- if (IS_ERR(gc_base)) +- return PTR_ERR(gc_base); ++ if (IS_ERR(gc_base)) { ++ ret = PTR_ERR(gc_base); ++ goto err_probe; ++ } ++ + gconfmap = devm_regmap_init_mmio(&pdev->dev, + gc_base, &gc_regmap_config); +- if (IS_ERR(gconfmap)) +- return PTR_ERR(gconfmap); ++ if (IS_ERR(gconfmap)) { ++ ret = PTR_ERR(gconfmap); ++ goto err_probe; ++ } + } + + /* Warn on any missing DT resource */ +@@ -844,6 +857,9 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + dev_warn(&pdev->dev, FW_BUG "Missing pinctrl regs in DTB. Please update your firmware.\n"); + + return mvebu_pinctrl_probe(pdev); ++err_probe: ++ clk_disable_unprepare(clk); ++ return ret; + } + + static struct platform_driver dove_pinctrl_driver = { +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch b/queue-6.6/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch new file mode 100644 index 00000000000..713dafdd0ad --- /dev/null +++ b/queue-6.6/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch @@ -0,0 +1,37 @@ +From 64a18b56220dd64a80fd869e915ceaed9853104f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 10:46:25 +0800 +Subject: pinctrl: single: fix missing error code in pcs_probe() + +From: Yang Yingliang + +[ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ] + +If pinctrl_enable() fails in pcs_probe(), it should return the error code. + +Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index bbe7cc894b1a1..6c670203b3ac2 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1918,7 +1918,8 @@ static int pcs_probe(struct platform_device *pdev) + + dev_info(pcs->dev, "%i pins, size %u\n", pcs->desc.npins, pcs->size); + +- if (pinctrl_enable(pcs->pctl)) ++ ret = pinctrl_enable(pcs->pctl); ++ if (ret) + goto free; + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-ti-iodelay-use-scope-based-of_node_put-clean.patch b/queue-6.6/pinctrl-ti-iodelay-use-scope-based-of_node_put-clean.patch new file mode 100644 index 00000000000..1ed18857998 --- /dev/null +++ b/queue-6.6/pinctrl-ti-iodelay-use-scope-based-of_node_put-clean.patch @@ -0,0 +1,118 @@ +From aaa60df1a9b34d402fb815b30598d2941c603f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 21:17:19 +0800 +Subject: pinctrl: ti: iodelay: Use scope based of_node_put() cleanups + +From: Peng Fan + +[ Upstream commit 791a8bb202a85f707c20ef04a471519e35f089dc ] + +Use scope based of_node_put() cleanup to simplify code. + +Signed-off-by: Peng Fan +Reviewed-by: Jonathan Cameron +Link: https://lore.kernel.org/20240627131721.678727-2-peng.fan@oss.nxp.com +Signed-off-by: Linus Walleij +Stable-dep-of: a9f2b249adee ("pinctrl: ti: ti-iodelay: Fix some error handling paths") +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 43 +++++++++---------------- + 1 file changed, 15 insertions(+), 28 deletions(-) + +diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +index ef97586385019..f5e5a23d22260 100644 +--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c ++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +@@ -822,53 +822,48 @@ MODULE_DEVICE_TABLE(of, ti_iodelay_of_match); + static int ti_iodelay_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- struct device_node *np = of_node_get(dev->of_node); ++ struct device_node *np __free(device_node) = of_node_get(dev->of_node); + struct resource *res; + struct ti_iodelay_device *iod; +- int ret = 0; ++ int ret; + + if (!np) { +- ret = -EINVAL; + dev_err(dev, "No OF node\n"); +- goto exit_out; ++ return -EINVAL; + } + + iod = devm_kzalloc(dev, sizeof(*iod), GFP_KERNEL); +- if (!iod) { +- ret = -ENOMEM; +- goto exit_out; +- } ++ if (!iod) ++ return -ENOMEM; ++ + iod->dev = dev; + iod->reg_data = device_get_match_data(dev); + if (!iod->reg_data) { +- ret = -EINVAL; + dev_err(dev, "No DATA match\n"); +- goto exit_out; ++ return -EINVAL; + } + + /* So far We can assume there is only 1 bank of registers */ + iod->reg_base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +- if (IS_ERR(iod->reg_base)) { +- ret = PTR_ERR(iod->reg_base); +- goto exit_out; +- } ++ if (IS_ERR(iod->reg_base)) ++ return PTR_ERR(iod->reg_base); ++ + iod->phys_base = res->start; + + iod->regmap = devm_regmap_init_mmio(dev, iod->reg_base, + iod->reg_data->regmap_config); + if (IS_ERR(iod->regmap)) { + dev_err(dev, "Regmap MMIO init failed.\n"); +- ret = PTR_ERR(iod->regmap); +- goto exit_out; ++ return PTR_ERR(iod->regmap); + } + + ret = ti_iodelay_pinconf_init_dev(iod); + if (ret) +- goto exit_out; ++ return ret; + + ret = ti_iodelay_alloc_pins(dev, iod, res->start); + if (ret) +- goto exit_out; ++ return ret; + + iod->desc.pctlops = &ti_iodelay_pinctrl_ops; + /* no pinmux ops - we are pinconf */ +@@ -879,20 +874,12 @@ static int ti_iodelay_probe(struct platform_device *pdev) + ret = devm_pinctrl_register_and_init(dev, &iod->desc, iod, &iod->pctl); + if (ret) { + dev_err(dev, "Failed to register pinctrl\n"); +- goto exit_out; ++ return ret; + } + + platform_set_drvdata(pdev, iod); + +- ret = pinctrl_enable(iod->pctl); +- if (ret) +- goto exit_out; +- +- return 0; +- +-exit_out: +- of_node_put(np); +- return ret; ++ return pinctrl_enable(iod->pctl); + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-ti-ti-iodelay-convert-to-platform-remove-cal.patch b/queue-6.6/pinctrl-ti-ti-iodelay-convert-to-platform-remove-cal.patch new file mode 100644 index 00000000000..36580c9e08c --- /dev/null +++ b/queue-6.6/pinctrl-ti-ti-iodelay-convert-to-platform-remove-cal.patch @@ -0,0 +1,68 @@ +From c2af1adddf4a7f53c7a31ec371d81f0bcf27fa31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 10:38:56 +0200 +Subject: pinctrl: ti: ti-iodelay: Convert to platform remove callback + returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 93650550dff9d1a3b88c553f8adb81dc89778977 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart +from emitting a warning) and this typically results in resource leaks. + +To improve here there is a quest to make the remove callback return +void. In the first step of this quest all drivers are converted to +.remove_new(), which already returns void. Eventually after all drivers +are converted, .remove_new() will be renamed to .remove(). + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20231009083856.222030-21-u.kleine-koenig@pengutronix.de +Signed-off-by: Linus Walleij +Stable-dep-of: a9f2b249adee ("pinctrl: ti: ti-iodelay: Fix some error handling paths") +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +index 5370bbdf2e1a1..81ae6737928a5 100644 +--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c ++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +@@ -900,23 +900,19 @@ static int ti_iodelay_probe(struct platform_device *pdev) + /** + * ti_iodelay_remove() - standard remove + * @pdev: platform device +- * +- * Return: 0 if all went fine, else appropriate error value. + */ +-static int ti_iodelay_remove(struct platform_device *pdev) ++static void ti_iodelay_remove(struct platform_device *pdev) + { + struct ti_iodelay_device *iod = platform_get_drvdata(pdev); + + ti_iodelay_pinconf_deinit_dev(iod); + + /* Expect other allocations to be freed by devm */ +- +- return 0; + } + + static struct platform_driver ti_iodelay_driver = { + .probe = ti_iodelay_probe, +- .remove = ti_iodelay_remove, ++ .remove_new = ti_iodelay_remove, + .driver = { + .name = DRIVER_NAME, + .of_match_table = ti_iodelay_of_match, +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch b/queue-6.6/pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..76ffcd3f23f --- /dev/null +++ b/queue-6.6/pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch @@ -0,0 +1,124 @@ +From a1b722b37ef682771473565b2fa0899880dd9224 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jul 2024 22:37:43 +0200 +Subject: pinctrl: ti: ti-iodelay: Fix some error handling paths + +From: Christophe JAILLET + +[ Upstream commit a9f2b249adeef2b9744a884355fa8f5e581d507f ] + +In the probe, if an error occurs after the ti_iodelay_pinconf_init_dev() +call, it is likely that ti_iodelay_pinconf_deinit_dev() should be called, +as already done in the remove function. + +Also in ti_iodelay_pinconf_init_dev(), if an error occurs after the first +regmap_update_bits() call, it is also likely that the deinit() function +should be called. + +The easier way to fix it is to add a devm_add_action_or_reset() at the +rigtht place to have ti_iodelay_pinconf_deinit_dev() called when needed. + +Doing so, the .remove() function can be removed, and the associated +platform_set_drvdata() call in the probe as well. + +Fixes: 003910ebc83b ("pinctrl: Introduce TI IOdelay configuration driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/0220fa5b925bd08e361be8206a5438f6229deaac.1720556038.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 52 ++++++++++--------------- + 1 file changed, 21 insertions(+), 31 deletions(-) + +diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +index f5e5a23d22260..451801acdc403 100644 +--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c ++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +@@ -273,6 +273,22 @@ static int ti_iodelay_pinconf_set(struct ti_iodelay_device *iod, + return r; + } + ++/** ++ * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device ++ * @data: IODelay device ++ * ++ * Deinitialize the IODelay device (basically just lock the region back up. ++ */ ++static void ti_iodelay_pinconf_deinit_dev(void *data) ++{ ++ struct ti_iodelay_device *iod = data; ++ const struct ti_iodelay_reg_data *reg = iod->reg_data; ++ ++ /* lock the iodelay region back again */ ++ regmap_update_bits(iod->regmap, reg->reg_global_lock_offset, ++ reg->global_lock_mask, reg->global_lock_val); ++} ++ + /** + * ti_iodelay_pinconf_init_dev() - Initialize IODelay device + * @iod: iodelay device +@@ -295,6 +311,11 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod) + if (r) + return r; + ++ r = devm_add_action_or_reset(iod->dev, ti_iodelay_pinconf_deinit_dev, ++ iod); ++ if (r) ++ return r; ++ + /* Read up Recalibration sequence done by bootloader */ + r = regmap_read(iod->regmap, reg->reg_refclk_offset, &val); + if (r) +@@ -353,21 +374,6 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod) + return 0; + } + +-/** +- * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device +- * @iod: IODelay device +- * +- * Deinitialize the IODelay device (basically just lock the region back up. +- */ +-static void ti_iodelay_pinconf_deinit_dev(struct ti_iodelay_device *iod) +-{ +- const struct ti_iodelay_reg_data *reg = iod->reg_data; +- +- /* lock the iodelay region back again */ +- regmap_update_bits(iod->regmap, reg->reg_global_lock_offset, +- reg->global_lock_mask, reg->global_lock_val); +-} +- + /** + * ti_iodelay_get_pingroup() - Find the group mapped by a group selector + * @iod: iodelay device +@@ -877,27 +883,11 @@ static int ti_iodelay_probe(struct platform_device *pdev) + return ret; + } + +- platform_set_drvdata(pdev, iod); +- + return pinctrl_enable(iod->pctl); + } + +-/** +- * ti_iodelay_remove() - standard remove +- * @pdev: platform device +- */ +-static void ti_iodelay_remove(struct platform_device *pdev) +-{ +- struct ti_iodelay_device *iod = platform_get_drvdata(pdev); +- +- ti_iodelay_pinconf_deinit_dev(iod); +- +- /* Expect other allocations to be freed by devm */ +-} +- + static struct platform_driver ti_iodelay_driver = { + .probe = ti_iodelay_probe, +- .remove_new = ti_iodelay_remove, + .driver = { + .name = DRIVER_NAME, + .of_match_table = ti_iodelay_of_match, +-- +2.43.0 + diff --git a/queue-6.6/pinctrl-use-device_get_match_data.patch b/queue-6.6/pinctrl-use-device_get_match_data.patch new file mode 100644 index 00000000000..4b91f40c34a --- /dev/null +++ b/queue-6.6/pinctrl-use-device_get_match_data.patch @@ -0,0 +1,656 @@ +From 5518683c9c83b29bcfb6d69171b891079ac23f25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 12:29:13 -0500 +Subject: pinctrl: Use device_get_match_data() + +From: Rob Herring + +[ Upstream commit 63bffc2d3a99eaabc786c513eea71be3f597f175 ] + +Use preferred device_get_match_data() instead of of_match_device() to +get the driver match data. With this, adjust the includes to explicitly +include the correct headers. + +Signed-off-by: Rob Herring +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231009172923.2457844-18-robh@kernel.org +Signed-off-by: Linus Walleij +Stable-dep-of: a9f2b249adee ("pinctrl: ti: ti-iodelay: Fix some error handling paths") +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/pinctrl-ns.c | 8 ++------ + drivers/pinctrl/berlin/berlin-bg2.c | 8 +++----- + drivers/pinctrl/berlin/berlin-bg2cd.c | 8 +++----- + drivers/pinctrl/berlin/berlin-bg2q.c | 8 +++----- + drivers/pinctrl/berlin/berlin-bg4ct.c | 9 +++++---- + drivers/pinctrl/berlin/pinctrl-as370.c | 9 +++++---- + drivers/pinctrl/mvebu/pinctrl-armada-38x.c | 9 ++------- + drivers/pinctrl/mvebu/pinctrl-armada-39x.c | 9 ++------- + drivers/pinctrl/mvebu/pinctrl-armada-ap806.c | 5 +---- + drivers/pinctrl/mvebu/pinctrl-armada-cp110.c | 6 ++---- + drivers/pinctrl/mvebu/pinctrl-armada-xp.c | 9 ++------- + drivers/pinctrl/mvebu/pinctrl-dove.c | 6 ++---- + drivers/pinctrl/mvebu/pinctrl-kirkwood.c | 7 ++----- + drivers/pinctrl/mvebu/pinctrl-orion.c | 7 ++----- + drivers/pinctrl/nomadik/pinctrl-abx500.c | 9 ++------- + drivers/pinctrl/nomadik/pinctrl-nomadik.c | 10 ++++------ + drivers/pinctrl/pinctrl-at91.c | 11 +++++------ + drivers/pinctrl/pinctrl-xway.c | 11 ++++------- + drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 18 ++++++++---------- + 19 files changed, 59 insertions(+), 108 deletions(-) + +diff --git a/drivers/pinctrl/bcm/pinctrl-ns.c b/drivers/pinctrl/bcm/pinctrl-ns.c +index f80630a74d34a..d099a7f25f64c 100644 +--- a/drivers/pinctrl/bcm/pinctrl-ns.c ++++ b/drivers/pinctrl/bcm/pinctrl-ns.c +@@ -7,11 +7,11 @@ + #include + #include + #include +-#include + #include + #include + #include + #include ++#include + #include + + #include "../core.h" +@@ -208,7 +208,6 @@ static const struct of_device_id ns_pinctrl_of_match_table[] = { + static int ns_pinctrl_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- const struct of_device_id *of_id; + struct ns_pinctrl *ns_pinctrl; + struct pinctrl_desc *pctldesc; + struct pinctrl_pin_desc *pin; +@@ -225,10 +224,7 @@ static int ns_pinctrl_probe(struct platform_device *pdev) + + ns_pinctrl->dev = dev; + +- of_id = of_match_device(ns_pinctrl_of_match_table, dev); +- if (!of_id) +- return -EINVAL; +- ns_pinctrl->chipset_flag = (uintptr_t)of_id->data; ++ ns_pinctrl->chipset_flag = (uintptr_t)device_get_match_data(dev); + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "cru_gpio_control"); +diff --git a/drivers/pinctrl/berlin/berlin-bg2.c b/drivers/pinctrl/berlin/berlin-bg2.c +index acbd413340e8b..15aed44676271 100644 +--- a/drivers/pinctrl/berlin/berlin-bg2.c ++++ b/drivers/pinctrl/berlin/berlin-bg2.c +@@ -8,8 +8,9 @@ + */ + + #include +-#include ++#include + #include ++#include + #include + + #include "berlin.h" +@@ -227,10 +228,7 @@ static const struct of_device_id berlin2_pinctrl_match[] = { + + static int berlin2_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(berlin2_pinctrl_match, &pdev->dev); +- +- return berlin_pinctrl_probe(pdev, match->data); ++ return berlin_pinctrl_probe(pdev, device_get_match_data(&pdev->dev)); + } + + static struct platform_driver berlin2_pinctrl_driver = { +diff --git a/drivers/pinctrl/berlin/berlin-bg2cd.c b/drivers/pinctrl/berlin/berlin-bg2cd.c +index c0f5d86d5d01d..73a1d8c230886 100644 +--- a/drivers/pinctrl/berlin/berlin-bg2cd.c ++++ b/drivers/pinctrl/berlin/berlin-bg2cd.c +@@ -8,8 +8,9 @@ + */ + + #include +-#include ++#include + #include ++#include + #include + + #include "berlin.h" +@@ -172,10 +173,7 @@ static const struct of_device_id berlin2cd_pinctrl_match[] = { + + static int berlin2cd_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(berlin2cd_pinctrl_match, &pdev->dev); +- +- return berlin_pinctrl_probe(pdev, match->data); ++ return berlin_pinctrl_probe(pdev, device_get_match_data(&pdev->dev)); + } + + static struct platform_driver berlin2cd_pinctrl_driver = { +diff --git a/drivers/pinctrl/berlin/berlin-bg2q.c b/drivers/pinctrl/berlin/berlin-bg2q.c +index 20a3216ede07a..a5dbc8f279e70 100644 +--- a/drivers/pinctrl/berlin/berlin-bg2q.c ++++ b/drivers/pinctrl/berlin/berlin-bg2q.c +@@ -8,8 +8,9 @@ + */ + + #include +-#include ++#include + #include ++#include + #include + + #include "berlin.h" +@@ -389,10 +390,7 @@ static const struct of_device_id berlin2q_pinctrl_match[] = { + + static int berlin2q_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(berlin2q_pinctrl_match, &pdev->dev); +- +- return berlin_pinctrl_probe(pdev, match->data); ++ return berlin_pinctrl_probe(pdev, device_get_match_data(&pdev->dev)); + } + + static struct platform_driver berlin2q_pinctrl_driver = { +diff --git a/drivers/pinctrl/berlin/berlin-bg4ct.c b/drivers/pinctrl/berlin/berlin-bg4ct.c +index 3026a3b3da2dd..9bf0a54f2798a 100644 +--- a/drivers/pinctrl/berlin/berlin-bg4ct.c ++++ b/drivers/pinctrl/berlin/berlin-bg4ct.c +@@ -8,8 +8,9 @@ + */ + + #include +-#include ++#include + #include ++#include + #include + + #include "berlin.h" +@@ -449,8 +450,8 @@ static const struct of_device_id berlin4ct_pinctrl_match[] = { + + static int berlin4ct_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(berlin4ct_pinctrl_match, &pdev->dev); ++ const struct berlin_pinctrl_desc *desc = ++ device_get_match_data(&pdev->dev); + struct regmap_config *rmconfig; + struct regmap *regmap; + struct resource *res; +@@ -473,7 +474,7 @@ static int berlin4ct_pinctrl_probe(struct platform_device *pdev) + if (IS_ERR(regmap)) + return PTR_ERR(regmap); + +- return berlin_pinctrl_probe_regmap(pdev, match->data, regmap); ++ return berlin_pinctrl_probe_regmap(pdev, desc, regmap); + } + + static struct platform_driver berlin4ct_pinctrl_driver = { +diff --git a/drivers/pinctrl/berlin/pinctrl-as370.c b/drivers/pinctrl/berlin/pinctrl-as370.c +index b631c14813a7d..fc0daec94e105 100644 +--- a/drivers/pinctrl/berlin/pinctrl-as370.c ++++ b/drivers/pinctrl/berlin/pinctrl-as370.c +@@ -8,8 +8,9 @@ + */ + + #include +-#include ++#include + #include ++#include + #include + + #include "berlin.h" +@@ -330,8 +331,8 @@ static const struct of_device_id as370_pinctrl_match[] = { + + static int as370_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(as370_pinctrl_match, &pdev->dev); ++ const struct berlin_pinctrl_desc *desc = ++ device_get_match_data(&pdev->dev); + struct regmap_config *rmconfig; + struct regmap *regmap; + struct resource *res; +@@ -354,7 +355,7 @@ static int as370_pinctrl_probe(struct platform_device *pdev) + if (IS_ERR(regmap)) + return PTR_ERR(regmap); + +- return berlin_pinctrl_probe_regmap(pdev, match->data, regmap); ++ return berlin_pinctrl_probe_regmap(pdev, desc, regmap); + } + + static struct platform_driver as370_pinctrl_driver = { +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-38x.c b/drivers/pinctrl/mvebu/pinctrl-armada-38x.c +index 040e418dbfc1b..162dfc213669a 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-38x.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-38x.c +@@ -12,8 +12,8 @@ + #include + #include + #include +-#include + #include ++#include + + #include "pinctrl-mvebu.h" + +@@ -404,13 +404,8 @@ static struct pinctrl_gpio_range armada_38x_mpp_gpio_ranges[] = { + static int armada_38x_pinctrl_probe(struct platform_device *pdev) + { + struct mvebu_pinctrl_soc_info *soc = &armada_38x_pinctrl_info; +- const struct of_device_id *match = +- of_match_device(armada_38x_pinctrl_of_match, &pdev->dev); + +- if (!match) +- return -ENODEV; +- +- soc->variant = (unsigned) match->data & 0xff; ++ soc->variant = (unsigned)device_get_match_data(&pdev->dev) & 0xff; + soc->controls = armada_38x_mpp_controls; + soc->ncontrols = ARRAY_SIZE(armada_38x_mpp_controls); + soc->gpioranges = armada_38x_mpp_gpio_ranges; +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-39x.c b/drivers/pinctrl/mvebu/pinctrl-armada-39x.c +index c33f1cbaf661a..d9c98faa7b0e9 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-39x.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-39x.c +@@ -12,8 +12,8 @@ + #include + #include + #include +-#include + #include ++#include + + #include "pinctrl-mvebu.h" + +@@ -386,13 +386,8 @@ static struct pinctrl_gpio_range armada_39x_mpp_gpio_ranges[] = { + static int armada_39x_pinctrl_probe(struct platform_device *pdev) + { + struct mvebu_pinctrl_soc_info *soc = &armada_39x_pinctrl_info; +- const struct of_device_id *match = +- of_match_device(armada_39x_pinctrl_of_match, &pdev->dev); + +- if (!match) +- return -ENODEV; +- +- soc->variant = (unsigned) match->data & 0xff; ++ soc->variant = (unsigned)device_get_match_data(&pdev->dev) & 0xff; + soc->controls = armada_39x_mpp_controls; + soc->ncontrols = ARRAY_SIZE(armada_39x_mpp_controls); + soc->gpioranges = armada_39x_mpp_gpio_ranges; +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-ap806.c b/drivers/pinctrl/mvebu/pinctrl-armada-ap806.c +index 89bab536717df..7becf2781a0b9 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-ap806.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-ap806.c +@@ -13,7 +13,6 @@ + #include + #include + #include +-#include + #include + + #include "pinctrl-mvebu.h" +@@ -106,10 +105,8 @@ static struct pinctrl_gpio_range armada_ap806_mpp_gpio_ranges[] = { + static int armada_ap806_pinctrl_probe(struct platform_device *pdev) + { + struct mvebu_pinctrl_soc_info *soc = &armada_ap806_pinctrl_info; +- const struct of_device_id *match = +- of_match_device(armada_ap806_pinctrl_of_match, &pdev->dev); + +- if (!match || !pdev->dev.parent) ++ if (!pdev->dev.parent) + return -ENODEV; + + soc->variant = 0; /* no variants for Armada AP806 */ +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-cp110.c b/drivers/pinctrl/mvebu/pinctrl-armada-cp110.c +index 8ba8f3e9121f0..9a250c491f33d 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-cp110.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-cp110.c +@@ -12,9 +12,9 @@ + #include + #include + #include +-#include + #include + #include ++#include + + #include "pinctrl-mvebu.h" + +@@ -638,8 +638,6 @@ static void mvebu_pinctrl_assign_variant(struct mvebu_mpp_mode *m, + static int armada_cp110_pinctrl_probe(struct platform_device *pdev) + { + struct mvebu_pinctrl_soc_info *soc; +- const struct of_device_id *match = +- of_match_device(armada_cp110_pinctrl_of_match, &pdev->dev); + int i; + + if (!pdev->dev.parent) +@@ -650,7 +648,7 @@ static int armada_cp110_pinctrl_probe(struct platform_device *pdev) + if (!soc) + return -ENOMEM; + +- soc->variant = (unsigned long) match->data & 0xff; ++ soc->variant = (unsigned long)device_get_match_data(&pdev->dev) & 0xff; + soc->controls = armada_cp110_mpp_controls; + soc->ncontrols = ARRAY_SIZE(armada_cp110_mpp_controls); + soc->modes = armada_cp110_mpp_modes; +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-xp.c b/drivers/pinctrl/mvebu/pinctrl-armada-xp.c +index 48e2a6c56a83b..487825bfd125f 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-xp.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-xp.c +@@ -19,8 +19,8 @@ + #include + #include + #include +-#include + #include ++#include + #include + + #include "pinctrl-mvebu.h" +@@ -568,14 +568,9 @@ static int armada_xp_pinctrl_resume(struct platform_device *pdev) + static int armada_xp_pinctrl_probe(struct platform_device *pdev) + { + struct mvebu_pinctrl_soc_info *soc = &armada_xp_pinctrl_info; +- const struct of_device_id *match = +- of_match_device(armada_xp_pinctrl_of_match, &pdev->dev); + int nregs; + +- if (!match) +- return -ENODEV; +- +- soc->variant = (unsigned) match->data & 0xff; ++ soc->variant = (unsigned)device_get_match_data(&pdev->dev) & 0xff; + + switch (soc->variant) { + case V_MV78230: +diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c +index bd74daa9ed666..1947da73e5121 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-dove.c ++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c +@@ -12,9 +12,9 @@ + #include + #include + #include +-#include + #include + #include ++#include + #include + + #include "pinctrl-mvebu.h" +@@ -765,13 +765,11 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + { + struct resource *res, *mpp_res; + struct resource fb_res; +- const struct of_device_id *match = +- of_match_device(dove_pinctrl_of_match, &pdev->dev); + struct mvebu_mpp_ctrl_data *mpp_data; + void __iomem *base; + int i; + +- pdev->dev.platform_data = (void *)match->data; ++ pdev->dev.platform_data = (void *)device_get_match_data(&pdev->dev); + + /* + * General MPP Configuration Register is part of pdma registers. +diff --git a/drivers/pinctrl/mvebu/pinctrl-kirkwood.c b/drivers/pinctrl/mvebu/pinctrl-kirkwood.c +index d45c31f281c85..4789d7442f788 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-kirkwood.c ++++ b/drivers/pinctrl/mvebu/pinctrl-kirkwood.c +@@ -11,8 +11,8 @@ + #include + #include + #include +-#include + #include ++#include + + #include "pinctrl-mvebu.h" + +@@ -470,10 +470,7 @@ static const struct of_device_id kirkwood_pinctrl_of_match[] = { + + static int kirkwood_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(kirkwood_pinctrl_of_match, &pdev->dev); +- +- pdev->dev.platform_data = (void *)match->data; ++ pdev->dev.platform_data = (void *)device_get_match_data(&pdev->dev); + + return mvebu_pinctrl_simple_mmio_probe(pdev); + } +diff --git a/drivers/pinctrl/mvebu/pinctrl-orion.c b/drivers/pinctrl/mvebu/pinctrl-orion.c +index cc97d270be61b..2b6ab7f2afc78 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-orion.c ++++ b/drivers/pinctrl/mvebu/pinctrl-orion.c +@@ -19,8 +19,8 @@ + #include + #include + #include +-#include + #include ++#include + + #include "pinctrl-mvebu.h" + +@@ -218,10 +218,7 @@ static const struct of_device_id orion_pinctrl_of_match[] = { + + static int orion_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match = +- of_match_device(orion_pinctrl_of_match, &pdev->dev); +- +- pdev->dev.platform_data = (void*)match->data; ++ pdev->dev.platform_data = (void*)device_get_match_data(&pdev->dev); + + mpp_base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(mpp_base)) +diff --git a/drivers/pinctrl/nomadik/pinctrl-abx500.c b/drivers/pinctrl/nomadik/pinctrl-abx500.c +index 6b90051af2067..0cfa74365733c 100644 +--- a/drivers/pinctrl/nomadik/pinctrl-abx500.c ++++ b/drivers/pinctrl/nomadik/pinctrl-abx500.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -985,7 +986,6 @@ static const struct of_device_id abx500_gpio_match[] = { + static int abx500_gpio_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +- const struct of_device_id *match; + struct abx500_pinctrl *pct; + unsigned int id = -1; + int ret; +@@ -1006,12 +1006,7 @@ static int abx500_gpio_probe(struct platform_device *pdev) + pct->chip.parent = &pdev->dev; + pct->chip.base = -1; /* Dynamic allocation */ + +- match = of_match_device(abx500_gpio_match, &pdev->dev); +- if (!match) { +- dev_err(&pdev->dev, "gpio dt not matching\n"); +- return -ENODEV; +- } +- id = (unsigned long)match->data; ++ id = (unsigned long)device_get_match_data(&pdev->dev); + + /* Poke in other ASIC variants here */ + switch (id) { +diff --git a/drivers/pinctrl/nomadik/pinctrl-nomadik.c b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +index e7d33093994b2..445c61a4a7e55 100644 +--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c ++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +@@ -16,9 +16,11 @@ + #include + #include + #include ++#include + #include +-#include ++#include + #include ++#include + #include + #include + #include +@@ -1840,7 +1842,6 @@ static int nmk_pinctrl_resume(struct device *dev) + + static int nmk_pinctrl_probe(struct platform_device *pdev) + { +- const struct of_device_id *match; + struct device_node *np = pdev->dev.of_node; + struct device_node *prcm_np; + struct nmk_pinctrl *npct; +@@ -1851,10 +1852,7 @@ static int nmk_pinctrl_probe(struct platform_device *pdev) + if (!npct) + return -ENOMEM; + +- match = of_match_device(nmk_pinctrl_match, &pdev->dev); +- if (!match) +- return -ENODEV; +- version = (unsigned int) match->data; ++ version = (unsigned int)device_get_match_data(&pdev->dev); + + /* Poke in other ASIC variants here */ + if (version == PINCTRL_NMK_STN8815) +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index ad30fd47a4bb0..d7b66928a4e50 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -12,10 +12,9 @@ + #include + #include + #include +-#include +-#include +-#include ++#include + #include ++#include + #include + #include + #include +@@ -1302,8 +1301,8 @@ static int at91_pinctrl_probe_dt(struct platform_device *pdev, + if (!np) + return -ENODEV; + +- info->dev = dev; +- info->ops = of_device_get_match_data(dev); ++ info->dev = &pdev->dev; ++ info->ops = device_get_match_data(&pdev->dev); + at91_pinctrl_child_count(info, np); + + /* +@@ -1848,7 +1847,7 @@ static int at91_gpio_probe(struct platform_device *pdev) + if (IS_ERR(at91_chip->regbase)) + return PTR_ERR(at91_chip->regbase); + +- at91_chip->ops = of_device_get_match_data(dev); ++ at91_chip->ops = device_get_match_data(dev); + at91_chip->pioc_virq = irq; + + at91_chip->clock = devm_clk_get_enabled(dev, NULL); +diff --git a/drivers/pinctrl/pinctrl-xway.c b/drivers/pinctrl/pinctrl-xway.c +index cf0383f575d9c..f4256a918165f 100644 +--- a/drivers/pinctrl/pinctrl-xway.c ++++ b/drivers/pinctrl/pinctrl-xway.c +@@ -11,12 +11,12 @@ + #include + #include + #include +-#include +-#include ++#include + #include + #include + #include + #include ++#include + + #include "pinctrl-lantiq.h" + +@@ -1451,7 +1451,6 @@ MODULE_DEVICE_TABLE(of, xway_match); + + static int pinmux_xway_probe(struct platform_device *pdev) + { +- const struct of_device_id *match; + const struct pinctrl_xway_soc *xway_soc; + int ret, i; + +@@ -1460,10 +1459,8 @@ static int pinmux_xway_probe(struct platform_device *pdev) + if (IS_ERR(xway_info.membase[0])) + return PTR_ERR(xway_info.membase[0]); + +- match = of_match_device(xway_match, &pdev->dev); +- if (match) +- xway_soc = (const struct pinctrl_xway_soc *) match->data; +- else ++ xway_soc = device_get_match_data(&pdev->dev); ++ if (!xway_soc) + xway_soc = &danube_pinctrl; + + /* find out how many pads we have */ +diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +index 81ae6737928a5..ef97586385019 100644 +--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c ++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +@@ -14,7 +14,8 @@ + #include + #include + #include +-#include ++#include ++#include + #include + #include + #include +@@ -822,7 +823,6 @@ static int ti_iodelay_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct device_node *np = of_node_get(dev->of_node); +- const struct of_device_id *match; + struct resource *res; + struct ti_iodelay_device *iod; + int ret = 0; +@@ -833,20 +833,18 @@ static int ti_iodelay_probe(struct platform_device *pdev) + goto exit_out; + } + +- match = of_match_device(ti_iodelay_of_match, dev); +- if (!match) { +- ret = -EINVAL; +- dev_err(dev, "No DATA match\n"); +- goto exit_out; +- } +- + iod = devm_kzalloc(dev, sizeof(*iod), GFP_KERNEL); + if (!iod) { + ret = -ENOMEM; + goto exit_out; + } + iod->dev = dev; +- iod->reg_data = match->data; ++ iod->reg_data = device_get_match_data(dev); ++ if (!iod->reg_data) { ++ ret = -EINVAL; ++ dev_err(dev, "No DATA match\n"); ++ goto exit_out; ++ } + + /* So far We can assume there is only 1 bank of registers */ + iod->reg_base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +-- +2.43.0 + diff --git a/queue-6.6/pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch b/queue-6.6/pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch new file mode 100644 index 00000000000..5f1bd8c29ed --- /dev/null +++ b/queue-6.6/pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch @@ -0,0 +1,47 @@ +From 53e34b97d02b0acc7d102a510fd50f30b33df429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 22:19:08 -0400 +Subject: pm:cpupower: Add missing powercap_set_enabled() stub function + +From: John B. Wyatt IV + +[ Upstream commit 4b80294fb53845dc5c98cca0c989da09150f2ca9 ] + +There was a symbol listed in the powercap.h file that was not implemented. +Implement it with a stub return of 0. + +Programs like SWIG require that functions that are defined in the +headers be implemented. + +Fixes: c2294c1496b7 ("cpupower: Introduce powercap intel-rapl library and powercap-info command") +Suggested-by: Shuah Khan +Signed-off-by: John B. Wyatt IV +Signed-off-by: John B. Wyatt IV +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/lib/powercap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/power/cpupower/lib/powercap.c b/tools/power/cpupower/lib/powercap.c +index a7a59c6bacda8..94a0c69e55ef5 100644 +--- a/tools/power/cpupower/lib/powercap.c ++++ b/tools/power/cpupower/lib/powercap.c +@@ -77,6 +77,14 @@ int powercap_get_enabled(int *mode) + return sysfs_get_enabled(path, mode); + } + ++/* ++ * TODO: implement function. Returns dummy 0 for now. ++ */ ++int powercap_set_enabled(int mode) ++{ ++ return 0; ++} ++ + /* + * Hardcoded, because rapl is the only powercap implementation + - * this needs to get more generic if more powercap implementations +-- +2.43.0 + diff --git a/queue-6.6/pmdomain-core-harden-inter-column-space-in-debug-sum.patch b/queue-6.6/pmdomain-core-harden-inter-column-space-in-debug-sum.patch new file mode 100644 index 00000000000..9527aa4d709 --- /dev/null +++ b/queue-6.6/pmdomain-core-harden-inter-column-space-in-debug-sum.patch @@ -0,0 +1,38 @@ +From 52da54cf5cf0d84aae438d89457e18fac5360d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 16:30:45 +0200 +Subject: pmdomain: core: Harden inter-column space in debug summary + +From: Geert Uytterhoeven + +[ Upstream commit 692c20c4d075bd452acfbbc68200fc226c7c9496 ] + +The inter-column space in the debug summary is two spaces. However, in +one case, the extra space is handled implicitly in a field width +specifier. Make inter-column space explicit to ease future maintenance. + +Fixes: 45fbc464b047 ("PM: domains: Add "performance" column to debug summary") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/ae61eb363621b981edde878e1e74d701702a579f.1725459707.git.geert+renesas@glider.be +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/base/power/domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c +index 84443b6bd8825..582564f8dde6f 100644 +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -3135,7 +3135,7 @@ static int genpd_summary_one(struct seq_file *s, + else + snprintf(state, sizeof(state), "%s", + status_lookup[genpd->status]); +- seq_printf(s, "%-30s %-50s %u", genpd->name, state, genpd->performance_state); ++ seq_printf(s, "%-30s %-49s %u", genpd->name, state, genpd->performance_state); + + /* + * Modifications on the list require holding locks on both +-- +2.43.0 + diff --git a/queue-6.6/power-supply-axp20x_battery-remove-design-from-min-a.patch b/queue-6.6/power-supply-axp20x_battery-remove-design-from-min-a.patch new file mode 100644 index 00000000000..dabb92950df --- /dev/null +++ b/queue-6.6/power-supply-axp20x_battery-remove-design-from-min-a.patch @@ -0,0 +1,82 @@ +From d05a07e3080fea8087593bcc0f1f81ee86a2da2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 16:54:43 -0500 +Subject: power: supply: axp20x_battery: Remove design from min and max voltage + +From: Chris Morgan + +[ Upstream commit 61978807b00f8a1817b0e5580981af1cd2f428a5 ] + +The POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN and +POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN values should be immutable +properties of the battery, but for this driver they are writable values +and used as the minimum and maximum values for charging. Remove the +DESIGN designation from these values. + +Fixes: 46c202b5f25f ("power: supply: add battery driver for AXP20X and AXP22X PMICs") +Suggested-by: Chen-Yu Tsai +Signed-off-by: Chris Morgan +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240821215456.962564-3-macroalpha82@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp20x_battery.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c +index 6ac5c80cfda21..7520b599eb3d1 100644 +--- a/drivers/power/supply/axp20x_battery.c ++++ b/drivers/power/supply/axp20x_battery.c +@@ -303,11 +303,11 @@ static int axp20x_battery_get_prop(struct power_supply *psy, + val->intval = reg & AXP209_FG_PERCENT; + break; + +- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MAX: + return axp20x_batt->data->get_max_voltage(axp20x_batt, + &val->intval); + +- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MIN: + ret = regmap_read(axp20x_batt->regmap, AXP20X_V_OFF, ®); + if (ret) + return ret; +@@ -455,10 +455,10 @@ static int axp20x_battery_set_prop(struct power_supply *psy, + struct axp20x_batt_ps *axp20x_batt = power_supply_get_drvdata(psy); + + switch (psp) { +- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MIN: + return axp20x_set_voltage_min_design(axp20x_batt, val->intval); + +- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MAX: + return axp20x_batt->data->set_max_voltage(axp20x_batt, val->intval); + + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT: +@@ -493,8 +493,8 @@ static enum power_supply_property axp20x_battery_props[] = { + POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT, + POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX, + POWER_SUPPLY_PROP_HEALTH, +- POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN, +- POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN, ++ POWER_SUPPLY_PROP_VOLTAGE_MAX, ++ POWER_SUPPLY_PROP_VOLTAGE_MIN, + POWER_SUPPLY_PROP_CAPACITY, + }; + +@@ -502,8 +502,8 @@ static int axp20x_battery_prop_writeable(struct power_supply *psy, + enum power_supply_property psp) + { + return psp == POWER_SUPPLY_PROP_STATUS || +- psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN || +- psp == POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN || ++ psp == POWER_SUPPLY_PROP_VOLTAGE_MIN || ++ psp == POWER_SUPPLY_PROP_VOLTAGE_MAX || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX; + } +-- +2.43.0 + diff --git a/queue-6.6/power-supply-max17042_battery-fix-soc-threshold-calc.patch b/queue-6.6/power-supply-max17042_battery-fix-soc-threshold-calc.patch new file mode 100644 index 00000000000..723059cd1af --- /dev/null +++ b/queue-6.6/power-supply-max17042_battery-fix-soc-threshold-calc.patch @@ -0,0 +1,59 @@ +From 18e2b7755bad30947e72cd4f1381225d01787548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Aug 2024 12:51:14 +0200 +Subject: power: supply: max17042_battery: Fix SOC threshold calc w/ no current + sense + +From: Artur Weber + +[ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ] + +Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for +capacity when no rsns") made it so that capacity on systems without +current sensing would be read from VFSOC instead of RepSOC. However, +the SOC threshold calculation still read RepSOC to get the SOC +regardless of the current sensing option state. + +Fix this by applying the same conditional to determine which register +should be read. + +This also seems to be the intended behavior as per the datasheet - SOC +alert config value in MiscCFG on setups without current sensing is set +to a value of 0b11, indicating SOC alerts being generated based on +VFSOC, instead of 0b00 which indicates SOC alerts being generated based +on RepSOC. + +This fixes an issue on the Galaxy S3/Midas boards, where the alert +interrupt would be constantly retriggered, causing high CPU usage +on idle (around ~12%-15%). + +Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC") +Signed-off-by: Artur Weber +Reviewed-by: Henrik Grimler +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max17042_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c +index 17ac2ab78c4e4..ab97dd7ca5cb6 100644 +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -853,7 +853,10 @@ static void max17042_set_soc_threshold(struct max17042_chip *chip, u16 off) + /* program interrupt thresholds such that we should + * get interrupt for every 'off' perc change in the soc + */ +- regmap_read(map, MAX17042_RepSOC, &soc); ++ if (chip->pdata->enable_current_sense) ++ regmap_read(map, MAX17042_RepSOC, &soc); ++ else ++ regmap_read(map, MAX17042_VFSOC, &soc); + soc >>= 8; + soc_tr = (soc + off) << 8; + if (off < soc) +-- +2.43.0 + diff --git a/queue-6.6/powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch b/queue-6.6/powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch new file mode 100644 index 00000000000..5a36e64e5a0 --- /dev/null +++ b/queue-6.6/powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch @@ -0,0 +1,39 @@ +From 7517d5d2a4b1fb1867eabe7437e7064325bbcac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 11:41:34 +0300 +Subject: powercap: intel_rapl: Fix off by one in get_rpi() + +From: Dan Carpenter + +[ Upstream commit 95f6580352a7225e619551febb83595bcb77ab17 ] + +The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have +NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= +to prevent an off by one access. + +Fixes: 98ff639a7289 ("powercap: intel_rapl: Support per Interface primitive information") +Signed-off-by: Dan Carpenter +Acked-by: Zhang Rui +Link: https://patch.msgid.link/86e3a059-504d-4795-a5ea-4a653f3b41f8@stanley.mountain +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/intel_rapl_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c +index 3dfe45ac300aa..f1de4111e98d9 100644 +--- a/drivers/powercap/intel_rapl_common.c ++++ b/drivers/powercap/intel_rapl_common.c +@@ -738,7 +738,7 @@ static struct rapl_primitive_info *get_rpi(struct rapl_package *rp, int prim) + { + struct rapl_primitive_info *rpi = rp->priv->rpi; + +- if (prim < 0 || prim > NR_RAPL_PRIMITIVES || !rpi) ++ if (prim < 0 || prim >= NR_RAPL_PRIMITIVES || !rpi) + return NULL; + + return &rpi[prim]; +-- +2.43.0 + diff --git a/queue-6.6/powerpc-8xx-fix-initial-memory-mapping.patch b/queue-6.6/powerpc-8xx-fix-initial-memory-mapping.patch new file mode 100644 index 00000000000..816d5f9a406 --- /dev/null +++ b/queue-6.6/powerpc-8xx-fix-initial-memory-mapping.patch @@ -0,0 +1,48 @@ +From 9744b23130971a083d2dc0982a9865e97e8610a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 19:23:45 +0200 +Subject: powerpc/8xx: Fix initial memory mapping + +From: Christophe Leroy + +[ Upstream commit f9f2bff64c2f0dbee57be3d8c2741357ad3d05e6 ] + +Commit cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages") +introduced an initial mapping of kernel TEXT using PAGE_KERNEL_TEXT, +but the pages that contain kernel TEXT may also contain kernel RODATA, +and depending on selected debug options PAGE_KERNEL_TEXT may be either +RWX or ROX. RODATA must be writable during init because it also +contains ro_after_init data. + +So use PAGE_KERNEL_X instead to be sure it is RWX. + +Fixes: cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/dac7a828d8497c4548c91840575a706657baa4f1.1724173828.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/nohash/8xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/nohash/8xx.c b/arch/powerpc/mm/nohash/8xx.c +index 3245016302787..a947dff35d651 100644 +--- a/arch/powerpc/mm/nohash/8xx.c ++++ b/arch/powerpc/mm/nohash/8xx.c +@@ -149,11 +149,11 @@ unsigned long __init mmu_mapin_ram(unsigned long base, unsigned long top) + + mmu_mapin_immr(); + +- mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_TEXT, true); ++ mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_X, true); + if (debug_pagealloc_enabled_or_kfence()) { + top = boundary; + } else { +- mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_TEXT, true); ++ mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_X, true); + mmu_mapin_ram_chunk(einittext8, top, PAGE_KERNEL, true); + } + +-- +2.43.0 + diff --git a/queue-6.6/powerpc-8xx-fix-kernel-vs-user-address-comparison.patch b/queue-6.6/powerpc-8xx-fix-kernel-vs-user-address-comparison.patch new file mode 100644 index 00000000000..bf6a51d3cb0 --- /dev/null +++ b/queue-6.6/powerpc-8xx-fix-kernel-vs-user-address-comparison.patch @@ -0,0 +1,63 @@ +From 208bd0770aeca79c8a3b8402b08e35f2220c11b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 19:23:46 +0200 +Subject: powerpc/8xx: Fix kernel vs user address comparison + +From: Christophe Leroy + +[ Upstream commit 65a82e117ffeeab0baf6f871a1cab11a28ace183 ] + +Since commit 9132a2e82adc ("powerpc/8xx: Define a MODULE area below +kernel text"), module exec space is below PAGE_OFFSET so not only +space above PAGE_OFFSET, but space above TASK_SIZE need to be seen +as kernel space. + +Until now the problem went undetected because by default TASK_SIZE +is 0x8000000 which means address space is determined by just +checking upper address bit. But when TASK_SIZE is over 0x80000000, +PAGE_OFFSET is used for comparison, leading to thinking module +addresses are part of user space. + +Fix it by using TASK_SIZE instead of PAGE_OFFSET for address +comparison. + +Fixes: 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/3f574c9845ff0a023b46cb4f38d2c45aecd769bd.1724173828.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/head_8xx.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S +index 647b0b445e89d..0c94db8e2bded 100644 +--- a/arch/powerpc/kernel/head_8xx.S ++++ b/arch/powerpc/kernel/head_8xx.S +@@ -41,12 +41,12 @@ + #include "head_32.h" + + .macro compare_to_kernel_boundary scratch, addr +-#if CONFIG_TASK_SIZE <= 0x80000000 && CONFIG_PAGE_OFFSET >= 0x80000000 ++#if CONFIG_TASK_SIZE <= 0x80000000 && MODULES_VADDR >= 0x80000000 + /* By simply checking Address >= 0x80000000, we know if its a kernel address */ + not. \scratch, \addr + #else + rlwinm \scratch, \addr, 16, 0xfff8 +- cmpli cr0, \scratch, PAGE_OFFSET@h ++ cmpli cr0, \scratch, TASK_SIZE@h + #endif + .endm + +@@ -404,7 +404,7 @@ FixupDAR:/* Entry point for dcbx workaround. */ + mfspr r10, SPRN_SRR0 + mtspr SPRN_MD_EPN, r10 + rlwinm r11, r10, 16, 0xfff8 +- cmpli cr1, r11, PAGE_OFFSET@h ++ cmpli cr1, r11, TASK_SIZE@h + mfspr r11, SPRN_M_TWB /* Get level 1 table */ + blt+ cr1, 3f + +-- +2.43.0 + diff --git a/queue-6.6/powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch b/queue-6.6/powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch new file mode 100644 index 00000000000..15fe6ae2708 --- /dev/null +++ b/queue-6.6/powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch @@ -0,0 +1,120 @@ +From ebf1881f875c5fabb8ed493d462d46999d520b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 10:33:43 +0200 +Subject: powerpc/vdso: Fix VDSO data access when running in a non-root time + namespace + +From: Christophe Leroy + +[ Upstream commit c73049389e58c01e2e3bbfae900c8daeee177191 ] + +When running in a non-root time namespace, the global VDSO data page +is replaced by a dedicated namespace data page and the global data +page is mapped next to it. Detailed explanations can be found at +commit 660fd04f9317 ("lib/vdso: Prepare for time namespace support"). + +When it happens, __kernel_get_syscall_map and __kernel_get_tbfreq +and __kernel_sync_dicache don't work anymore because they read 0 +instead of the data they need. + +To address that, clock_mode has to be read. When it is set to +VDSO_CLOCKMODE_TIMENS, it means it is a dedicated namespace data page +and the global data is located on the following page. + +Add a macro called get_realdatapage which reads clock_mode and add +PAGE_SIZE to the pointer provided by get_datapage macro when +clock_mode is equal to VDSO_CLOCKMODE_TIMENS. Use this new macro +instead of get_datapage macro except for time functions as they handle +it internally. + +Fixes: 74205b3fc2ef ("powerpc/vdso: Add support for time namespaces") +Reported-by: Jason A. Donenfeld +Closes: https://lore.kernel.org/all/ZtnYqZI-nrsNslwy@zx2c4.com/ +Signed-off-by: Christophe Leroy +Acked-by: Michael Ellerman +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/vdso_datapage.h | 15 +++++++++++++++ + arch/powerpc/kernel/asm-offsets.c | 2 ++ + arch/powerpc/kernel/vdso/cacheflush.S | 2 +- + arch/powerpc/kernel/vdso/datapage.S | 4 ++-- + 4 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h +index a585c8e538ff0..939daf6b695ef 100644 +--- a/arch/powerpc/include/asm/vdso_datapage.h ++++ b/arch/powerpc/include/asm/vdso_datapage.h +@@ -111,6 +111,21 @@ extern struct vdso_arch_data *vdso_data; + addi \ptr, \ptr, (_vdso_datapage - 999b)@l + .endm + ++#include ++#include ++ ++.macro get_realdatapage ptr scratch ++ get_datapage \ptr ++#ifdef CONFIG_TIME_NS ++ lwz \scratch, VDSO_CLOCKMODE_OFFSET(\ptr) ++ xoris \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@h ++ xori \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@l ++ cntlzw \scratch, \scratch ++ rlwinm \scratch, \scratch, PAGE_SHIFT - 5, 1 << PAGE_SHIFT ++ add \ptr, \ptr, \scratch ++#endif ++.endm ++ + #endif /* __ASSEMBLY__ */ + + #endif /* __KERNEL__ */ +diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c +index 9f14d95b8b32f..2affd30468bc4 100644 +--- a/arch/powerpc/kernel/asm-offsets.c ++++ b/arch/powerpc/kernel/asm-offsets.c +@@ -348,6 +348,8 @@ int main(void) + #else + OFFSET(CFG_SYSCALL_MAP32, vdso_arch_data, syscall_map); + #endif ++ OFFSET(VDSO_CLOCKMODE_OFFSET, vdso_arch_data, data[0].clock_mode); ++ DEFINE(VDSO_CLOCKMODE_TIMENS, VDSO_CLOCKMODE_TIMENS); + + #ifdef CONFIG_BUG + DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry)); +diff --git a/arch/powerpc/kernel/vdso/cacheflush.S b/arch/powerpc/kernel/vdso/cacheflush.S +index 0085ae464dac9..3b2479bd2f9a1 100644 +--- a/arch/powerpc/kernel/vdso/cacheflush.S ++++ b/arch/powerpc/kernel/vdso/cacheflush.S +@@ -30,7 +30,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE) + #ifdef CONFIG_PPC64 + mflr r12 + .cfi_register lr,r12 +- get_datapage r10 ++ get_realdatapage r10, r11 + mtlr r12 + .cfi_restore lr + #endif +diff --git a/arch/powerpc/kernel/vdso/datapage.S b/arch/powerpc/kernel/vdso/datapage.S +index db8e167f01667..2b19b6201a33a 100644 +--- a/arch/powerpc/kernel/vdso/datapage.S ++++ b/arch/powerpc/kernel/vdso/datapage.S +@@ -28,7 +28,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map) + mflr r12 + .cfi_register lr,r12 + mr. r4,r3 +- get_datapage r3 ++ get_realdatapage r3, r11 + mtlr r12 + #ifdef __powerpc64__ + addi r3,r3,CFG_SYSCALL_MAP64 +@@ -52,7 +52,7 @@ V_FUNCTION_BEGIN(__kernel_get_tbfreq) + .cfi_startproc + mflr r12 + .cfi_register lr,r12 +- get_datapage r3 ++ get_realdatapage r3, r11 + #ifndef __powerpc64__ + lwz r4,(CFG_TB_TICKS_PER_SEC + 4)(r3) + #endif +-- +2.43.0 + diff --git a/queue-6.6/powerpc-vdso-inconditionally-use-cfunc-macro.patch b/queue-6.6/powerpc-vdso-inconditionally-use-cfunc-macro.patch new file mode 100644 index 00000000000..c6d56656155 --- /dev/null +++ b/queue-6.6/powerpc-vdso-inconditionally-use-cfunc-macro.patch @@ -0,0 +1,41 @@ +From d119ffe8d2b4236c7bf38fc0f70c5f1b8d6c83c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 10:00:29 +0200 +Subject: powerpc/vdso: Inconditionally use CFUNC macro + +From: Christophe Leroy + +[ Upstream commit 65948b0e716a47382731889ee6bbb18642b8b003 ] + +During merge of commit 4e991e3c16a3 ("powerpc: add CFUNC assembly +label annotation") a fallback version of CFUNC macro was added at +the last minute, so it can be used inconditionally. + +Fixes: 4e991e3c16a3 ("powerpc: add CFUNC assembly label annotation") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/0fa863f2f69b2ca4094ae066fcf1430fb31110c9.1724313540.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vdso/gettimeofday.S | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/powerpc/kernel/vdso/gettimeofday.S b/arch/powerpc/kernel/vdso/gettimeofday.S +index 48fc6658053aa..894cb939cd2b3 100644 +--- a/arch/powerpc/kernel/vdso/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso/gettimeofday.S +@@ -38,11 +38,7 @@ + .else + addi r4, r5, VDSO_DATA_OFFSET + .endif +-#ifdef __powerpc64__ + bl CFUNC(DOTSYM(\funct)) +-#else +- bl \funct +-#endif + PPC_LL r0, PPC_MIN_STKFRM + PPC_LR_STKOFF(r1) + #ifdef __powerpc64__ + PPC_LL r2, PPC_MIN_STKFRM + STK_GOT(r1) +-- +2.43.0 + diff --git a/queue-6.6/r8169-disable-aldps-per-default-for-rtl8125.patch b/queue-6.6/r8169-disable-aldps-per-default-for-rtl8125.patch new file mode 100644 index 00000000000..6ce1754ac20 --- /dev/null +++ b/queue-6.6/r8169-disable-aldps-per-default-for-rtl8125.patch @@ -0,0 +1,51 @@ +From c3a5ff59bea7836776d4bee7d020e98c76138f82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 15:51:11 +0200 +Subject: r8169: disable ALDPS per default for RTL8125 + +From: Heiner Kallweit + +[ Upstream commit b9c7ac4fe22c608acf6153a3329df2b6b6cd416c ] + +En-Wei reported that traffic breaks if cable is unplugged for more +than 3s and then re-plugged. This was supposed to be fixed by +621735f59064 ("r8169: fix rare issue with broken rx after link-down on +RTL8125"). But apparently this didn't fix the issue for everybody. +The 3s threshold rang a bell, as this is the delay after which ALDPS +kicks in. And indeed disabling ALDPS fixes the issue for this user. +Maybe this fixes the issue in general. In a follow-up step we could +remove the first fix attempt and see whether anybody complains. + +Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") +Tested-by: En-Wei WU +Signed-off-by: Heiner Kallweit +Link: https://patch.msgid.link/778b9d86-05c4-4856-be59-cde4487b9e52@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_phy_config.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/realtek/r8169_phy_config.c b/drivers/net/ethernet/realtek/r8169_phy_config.c +index b50f16786c246..6ab89f4782857 100644 +--- a/drivers/net/ethernet/realtek/r8169_phy_config.c ++++ b/drivers/net/ethernet/realtek/r8169_phy_config.c +@@ -1060,6 +1060,7 @@ static void rtl8125a_2_hw_phy_config(struct rtl8169_private *tp, + phy_modify_paged(phydev, 0xa86, 0x15, 0x0001, 0x0000); + rtl8168g_enable_gphy_10m(phydev); + ++ rtl8168g_disable_aldps(phydev); + rtl8125a_config_eee_phy(phydev); + } + +@@ -1099,6 +1100,7 @@ static void rtl8125b_hw_phy_config(struct rtl8169_private *tp, + phy_modify_paged(phydev, 0xbf8, 0x12, 0xe000, 0xa000); + + rtl8125_legacy_force_mode(phydev); ++ rtl8168g_disable_aldps(phydev); + rtl8125b_config_eee_phy(phydev); + } + +-- +2.43.0 + diff --git a/queue-6.6/rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch b/queue-6.6/rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch new file mode 100644 index 00000000000..d2cc06f3879 --- /dev/null +++ b/queue-6.6/rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch @@ -0,0 +1,73 @@ +From 289a2509be3730673275734804e715bda1ebe9c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 00:56:40 +0200 +Subject: rcu/nocb: Fix RT throttling hrtimer armed from offline CPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frederic Weisbecker + +[ Upstream commit 9139f93209d1ffd7f489ab19dee01b7c3a1a43d2 ] + +After a CPU is marked offline and until it reaches its final trip to +idle, rcuo has several opportunities to be woken up, either because +a callback has been queued in the meantime or because +rcutree_report_cpu_dead() has issued the final deferred NOCB wake up. + +If RCU-boosting is enabled, RCU kthreads are set to SCHED_FIFO policy. +And if RT-bandwidth is enabled, the related hrtimer might be armed. +However this then happens after hrtimers have been migrated at the +CPUHP_AP_HRTIMERS_DYING stage, which is broken as reported by the +following warning: + + Call trace: + enqueue_hrtimer+0x7c/0xf8 + hrtimer_start_range_ns+0x2b8/0x300 + enqueue_task_rt+0x298/0x3f0 + enqueue_task+0x94/0x188 + ttwu_do_activate+0xb4/0x27c + try_to_wake_up+0x2d8/0x79c + wake_up_process+0x18/0x28 + __wake_nocb_gp+0x80/0x1a0 + do_nocb_deferred_wakeup_common+0x3c/0xcc + rcu_report_dead+0x68/0x1ac + cpuhp_report_idle_dead+0x48/0x9c + do_idle+0x288/0x294 + cpu_startup_entry+0x34/0x3c + secondary_start_kernel+0x138/0x158 + +Fix this with waking up rcuo using an IPI if necessary. Since the +existing API to deal with this situation only handles swait queue, rcuo +is only woken up from offline CPUs if it's not already waiting on a +grace period. In the worst case some callbacks will just wait for a +grace period to complete before being assigned to a subsequent one. + +Reported-by: "Cheng-Jui Wang (王正睿)" +Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") +Signed-off-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_nocb.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index 30b34f215ca35..e019f166daa61 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -220,7 +220,10 @@ static bool __wake_nocb_gp(struct rcu_data *rdp_gp, + raw_spin_unlock_irqrestore(&rdp_gp->nocb_gp_lock, flags); + if (needwake) { + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("DoWake")); +- wake_up_process(rdp_gp->nocb_gp_kthread); ++ if (cpu_is_offline(raw_smp_processor_id())) ++ swake_up_one_online(&rdp_gp->nocb_gp_wq); ++ else ++ wake_up_process(rdp_gp->nocb_gp_kthread); + } + + return needwake; +-- +2.43.0 + diff --git a/queue-6.6/rdma-cxgb4-added-null-check-for-lookup_atid.patch b/queue-6.6/rdma-cxgb4-added-null-check-for-lookup_atid.patch new file mode 100644 index 00000000000..b1e4d98769a --- /dev/null +++ b/queue-6.6/rdma-cxgb4-added-null-check-for-lookup_atid.patch @@ -0,0 +1,52 @@ +From c1fbdede758b80e469c2ef8fcbd33fddfcde3b34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 10:58:39 -0400 +Subject: RDMA/cxgb4: Added NULL check for lookup_atid + +From: Mikhail Lobanov + +[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ] + +The lookup_atid() function can return NULL if the ATID is +invalid or does not exist in the identifier table, which +could lead to dereferencing a null pointer without a +check in the `act_establish()` and `act_open_rpl()` functions. +Add a NULL check to prevent null pointer dereferencing. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 040ba2224f9ff..b3757c6a0457a 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1222,6 +1222,8 @@ static int act_establish(struct c4iw_dev *dev, struct sk_buff *skb) + int ret; + + ep = lookup_atid(t, atid); ++ if (!ep) ++ return -EINVAL; + + pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid, + be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn)); +@@ -2279,6 +2281,9 @@ static int act_open_rpl(struct c4iw_dev *dev, struct sk_buff *skb) + int ret = 0; + + ep = lookup_atid(t, atid); ++ if (!ep) ++ return -EINVAL; ++ + la = (struct sockaddr_in *)&ep->com.local_addr; + ra = (struct sockaddr_in *)&ep->com.remote_addr; + la6 = (struct sockaddr_in6 *)&ep->com.local_addr; +-- +2.43.0 + diff --git a/queue-6.6/rdma-erdma-return-qp-state-in-erdma_query_qp.patch b/queue-6.6/rdma-erdma-return-qp-state-in-erdma_query_qp.patch new file mode 100644 index 00000000000..453b7a56a29 --- /dev/null +++ b/queue-6.6/rdma-erdma-return-qp-state-in-erdma_query_qp.patch @@ -0,0 +1,71 @@ +From 5c44a704123f41e935fb5f93605af1a47109db38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 19:29:20 +0800 +Subject: RDMA/erdma: Return QP state in erdma_query_qp + +From: Cheng Xu + +[ Upstream commit e77127ff6416b17e0b3e630ac46ee5c9a6570f57 ] + +Fix qp_state and cur_qp_state to return correct values in +struct ib_qp_attr. + +Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation") +Signed-off-by: Cheng Xu +Link: https://patch.msgid.link/20240902112920.58749-4-chengyou@linux.alibaba.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/erdma/erdma_verbs.c | 25 ++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c +index c317947563fbc..b010c4209ea38 100644 +--- a/drivers/infiniband/hw/erdma/erdma_verbs.c ++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c +@@ -1540,11 +1540,31 @@ int erdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask, + return ret; + } + ++static enum ib_qp_state query_qp_state(struct erdma_qp *qp) ++{ ++ switch (qp->attrs.state) { ++ case ERDMA_QP_STATE_IDLE: ++ return IB_QPS_INIT; ++ case ERDMA_QP_STATE_RTR: ++ return IB_QPS_RTR; ++ case ERDMA_QP_STATE_RTS: ++ return IB_QPS_RTS; ++ case ERDMA_QP_STATE_CLOSING: ++ return IB_QPS_ERR; ++ case ERDMA_QP_STATE_TERMINATE: ++ return IB_QPS_ERR; ++ case ERDMA_QP_STATE_ERROR: ++ return IB_QPS_ERR; ++ default: ++ return IB_QPS_ERR; ++ } ++} ++ + int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + int qp_attr_mask, struct ib_qp_init_attr *qp_init_attr) + { +- struct erdma_qp *qp; + struct erdma_dev *dev; ++ struct erdma_qp *qp; + + if (ibqp && qp_attr && qp_init_attr) { + qp = to_eqp(ibqp); +@@ -1571,6 +1591,9 @@ int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + + qp_init_attr->cap = qp_attr->cap; + ++ qp_attr->qp_state = query_qp_state(qp); ++ qp_attr->cur_qp_state = query_qp_state(qp); ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch b/queue-6.6/rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch new file mode 100644 index 00000000000..448e429d088 --- /dev/null +++ b/queue-6.6/rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch @@ -0,0 +1,49 @@ +From ac9dba3a1776227dfb3b20103744e9d37a4de4b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:36 +0800 +Subject: RDMA/hns: Don't modify rq next block addr in HIP09 QPC + +From: Junxian Huang + +[ Upstream commit 6928d264e328e0cb5ee7663003a6e46e4cba0a7e ] + +The field 'rq next block addr' in QPC can be updated by driver only +on HIP08. On HIP09 HW updates this field while driver is not allowed. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-2-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index a49280e2df8ca..8f93aacde4936 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4391,12 +4391,14 @@ static int config_qp_rq_buf(struct hns_roce_dev *hr_dev, + upper_32_bits(to_hr_hw_page_addr(mtts[0]))); + hr_reg_clear(qpc_mask, QPC_RQ_CUR_BLK_ADDR_H); + +- context->rq_nxt_blk_addr = cpu_to_le32(to_hr_hw_page_addr(mtts[1])); +- qpc_mask->rq_nxt_blk_addr = 0; +- +- hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H, +- upper_32_bits(to_hr_hw_page_addr(mtts[1]))); +- hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H); ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { ++ context->rq_nxt_blk_addr = ++ cpu_to_le32(to_hr_hw_page_addr(mtts[1])); ++ qpc_mask->rq_nxt_blk_addr = 0; ++ hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H, ++ upper_32_bits(to_hr_hw_page_addr(mtts[1]))); ++ hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H); ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch b/queue-6.6/rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch new file mode 100644 index 00000000000..84594803d5a --- /dev/null +++ b/queue-6.6/rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch @@ -0,0 +1,41 @@ +From 82b90b8c36c4eaabb58962e9923dea2eb24dce74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:42 +0800 +Subject: RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS + +From: Chengchang Tang + +[ Upstream commit ce196f6297c7f3ab7780795e40efd6c521f60c8b ] + +The 1bit-ECC recovery address read from HW only contain bits 64:12, so +it should be fixed left-shifted 12 bits when used. + +Currently, the driver will shift the address left by PAGE_SHIFT when +used, which is wrong in non-4K OS. + +Fixes: 2de949abd6a5 ("RDMA/hns: Recover 1bit-ECC error of RAM on chip") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-8-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 2cdd002b71228..d226081e1cc03 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -6157,7 +6157,7 @@ static u64 fmea_get_ram_res_addr(u32 res_type, __le64 *data) + res_type == ECC_RESOURCE_SCCC) + return le64_to_cpu(*data); + +- return le64_to_cpu(*data) << PAGE_SHIFT; ++ return le64_to_cpu(*data) << HNS_HW_PAGE_SHIFT; + } + + static int fmea_recover_others(struct hns_roce_dev *hr_dev, u32 res_type, +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch b/queue-6.6/rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch new file mode 100644 index 00000000000..fa9037538e9 --- /dev/null +++ b/queue-6.6/rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch @@ -0,0 +1,40 @@ +From 17d668920827952e33b741895f956d16403eb1e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 14:53:31 +0800 +Subject: RDMA/hns: Fix restricted __le16 degrades to integer issue + +From: Junxian Huang + +[ Upstream commit f4ccc0a2a0c5977540f519588636b5bc81aae2db ] + +Fix sparse warnings: restricted __le16 degrades to integer. + +Fixes: 5a87279591a1 ("RDMA/hns: Support hns HW stats") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202409080508.g4mNSLwy-lkp@intel.com/ +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240909065331.3950268-1-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index d226081e1cc03..8066750afab90 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -1653,8 +1653,8 @@ static int hns_roce_hw_v2_query_counter(struct hns_roce_dev *hr_dev, + + for (i = 0; i < HNS_ROCE_HW_CNT_TOTAL && i < *num_counters; i++) { + bd_idx = i / CNT_PER_DESC; +- if (!(desc[bd_idx].flag & HNS_ROCE_CMD_FLAG_NEXT) && +- bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC) ++ if (bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC && ++ !(desc[bd_idx].flag & cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT))) + break; + + cnt_data = (__le64 *)&desc[bd_idx].data[0]; +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch b/queue-6.6/rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch new file mode 100644 index 00000000000..c7f95c47db9 --- /dev/null +++ b/queue-6.6/rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch @@ -0,0 +1,97 @@ +From d320ae968b237d477da29fa1237abd1e6513f1f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:40 +0800 +Subject: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled + +From: Chengchang Tang + +[ Upstream commit 74d315b5af180220d561684d15897730135733a6 ] + +Fix missuse of spin_lock_irq()/spin_unlock_irq() when +spin_lock_irqsave()/spin_lock_irqrestore() was hold. + +This was discovered through the lock debugging, and the corresponding +log is as follows: + +raw_local_irq_restore() called with IRQs enabled +WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 +... +Call trace: + warn_bogus_irq_restore+0x30/0x40 + _raw_spin_unlock_irqrestore+0x84/0xc8 + add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2] + hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2] + hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2] + create_qp+0x138/0x258 + ib_create_qp_kernel+0x50/0xe8 + create_mad_qp+0xa8/0x128 + ib_mad_port_open+0x218/0x448 + ib_mad_init_device+0x70/0x1f8 + add_client_context+0xfc/0x220 + enable_device_and_get+0xd0/0x140 + ib_register_device.part.0+0xf4/0x1c8 + ib_register_device+0x34/0x50 + hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2] + hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2] + __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2] + hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2] + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index bff00b3af41fb..04063cfacae5f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -1379,19 +1379,19 @@ void hns_roce_lock_cqs(struct hns_roce_cq *send_cq, struct hns_roce_cq *recv_cq) + __acquire(&send_cq->lock); + __acquire(&recv_cq->lock); + } else if (unlikely(send_cq != NULL && recv_cq == NULL)) { +- spin_lock_irq(&send_cq->lock); ++ spin_lock(&send_cq->lock); + __acquire(&recv_cq->lock); + } else if (unlikely(send_cq == NULL && recv_cq != NULL)) { +- spin_lock_irq(&recv_cq->lock); ++ spin_lock(&recv_cq->lock); + __acquire(&send_cq->lock); + } else if (send_cq == recv_cq) { +- spin_lock_irq(&send_cq->lock); ++ spin_lock(&send_cq->lock); + __acquire(&recv_cq->lock); + } else if (send_cq->cqn < recv_cq->cqn) { +- spin_lock_irq(&send_cq->lock); ++ spin_lock(&send_cq->lock); + spin_lock_nested(&recv_cq->lock, SINGLE_DEPTH_NESTING); + } else { +- spin_lock_irq(&recv_cq->lock); ++ spin_lock(&recv_cq->lock); + spin_lock_nested(&send_cq->lock, SINGLE_DEPTH_NESTING); + } + } +@@ -1411,13 +1411,13 @@ void hns_roce_unlock_cqs(struct hns_roce_cq *send_cq, + spin_unlock(&recv_cq->lock); + } else if (send_cq == recv_cq) { + __release(&recv_cq->lock); +- spin_unlock_irq(&send_cq->lock); ++ spin_unlock(&send_cq->lock); + } else if (send_cq->cqn < recv_cq->cqn) { + spin_unlock(&recv_cq->lock); +- spin_unlock_irq(&send_cq->lock); ++ spin_unlock(&send_cq->lock); + } else { + spin_unlock(&send_cq->lock); +- spin_unlock_irq(&recv_cq->lock); ++ spin_unlock(&recv_cq->lock); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch b/queue-6.6/rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch new file mode 100644 index 00000000000..37bb4321d8a --- /dev/null +++ b/queue-6.6/rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch @@ -0,0 +1,77 @@ +From c7832a8fe28a60786929ae150b1b21c862b8434e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:39 +0800 +Subject: RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() + +From: wenglianfa + +[ Upstream commit d586628b169d14bbf36be64d2b3ec9d9d2fe0432 ] + +The max value of 'unit' and 'hop_num' is 2^24 and 2, so the value of +'step' may exceed the range of u32. Change the type of 'step' to u64. + +Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index c4ac06a338696..a429d95a387cd 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -1098,9 +1098,9 @@ static bool hem_list_is_bottom_bt(int hopnum, int bt_level) + * @bt_level: base address table level + * @unit: ba entries per bt page + */ +-static u32 hem_list_calc_ba_range(int hopnum, int bt_level, int unit) ++static u64 hem_list_calc_ba_range(int hopnum, int bt_level, int unit) + { +- u32 step; ++ u64 step; + int max; + int i; + +@@ -1136,7 +1136,7 @@ int hns_roce_hem_list_calc_root_ba(const struct hns_roce_buf_region *regions, + { + struct hns_roce_buf_region *r; + int total = 0; +- int step; ++ u64 step; + int i; + + for (i = 0; i < region_cnt; i++) { +@@ -1167,7 +1167,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + int ret = 0; + int max_ofs; + int level; +- u32 step; ++ u64 step; + int end; + + if (hopnum <= 1) +@@ -1204,7 +1204,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + } + + start_aligned = (distance / step) * step + r->offset; +- end = min_t(int, start_aligned + step - 1, max_ofs); ++ end = min_t(u64, start_aligned + step - 1, max_ofs); + cur = hem_list_alloc_item(hr_dev, start_aligned, end, unit, + true); + if (!cur) { +@@ -1293,7 +1293,7 @@ static int setup_middle_bt(struct hns_roce_dev *hr_dev, void *cpu_base, + struct hns_roce_hem_item *hem, *temp_hem; + int total = 0; + int offset; +- int step; ++ u64 step; + + step = hem_list_calc_ba_range(r->hopnum, 1, unit); + if (step < 1) +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch b/queue-6.6/rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch new file mode 100644 index 00000000000..f3289ced834 --- /dev/null +++ b/queue-6.6/rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch @@ -0,0 +1,51 @@ +From f288ad1c718c815c335561f7e6c044452302a7ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:37 +0800 +Subject: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 + +From: wenglianfa + +[ Upstream commit fd8489294dd2beefb70f12ec4f6132aeec61a4d0 ] + +Currently rsv_qp is freed before ib_unregister_device() is called +on HIP08. During the time interval, users can still dereg MR and +rsv_qp will be used in this process, leading to a UAF. Move the +release of rsv_qp after calling ib_unregister_device() to fix it. + +Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-3-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 8f93aacde4936..908b4372bac95 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2932,6 +2932,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) + + static void hns_roce_v2_exit(struct hns_roce_dev *hr_dev) + { ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) ++ free_mr_exit(hr_dev); ++ + hns_roce_function_clear(hr_dev); + + if (!hr_dev->is_vf) +@@ -6779,9 +6782,6 @@ static void __hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, + hr_dev->state = HNS_ROCE_DEVICE_STATE_UNINIT; + hns_roce_handle_device_err(hr_dev); + +- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) +- free_mr_exit(hr_dev); +- + hns_roce_exit(hr_dev); + kfree(hr_dev->priv); + ib_dealloc_device(&hr_dev->ib_dev); +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch b/queue-6.6/rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch new file mode 100644 index 00000000000..a3f96d110fe --- /dev/null +++ b/queue-6.6/rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch @@ -0,0 +1,51 @@ +From c33880aa65f8cc6d68bf581c570bccf299185289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:41 +0800 +Subject: RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler + +From: Junxian Huang + +[ Upstream commit 4321feefa5501a746ebf6a7d8b59e6b955ae1860 ] + +In abnormal interrupt handler, a PF reset will be triggered even if +the device is a VF. It should be a VF reset. + +Fixes: 2b9acb9a97fe ("RDMA/hns: Add the process of AEQ overflow for hip08") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-7-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 908b4372bac95..2cdd002b71228 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -6070,6 +6070,7 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev, + struct pci_dev *pdev = hr_dev->pci_dev; + struct hnae3_ae_dev *ae_dev = pci_get_drvdata(pdev); + const struct hnae3_ae_ops *ops = ae_dev->ops; ++ enum hnae3_reset_type reset_type; + irqreturn_t int_work = IRQ_NONE; + u32 int_en; + +@@ -6081,10 +6082,12 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev, + roce_write(hr_dev, ROCEE_VF_ABN_INT_ST_REG, + 1 << HNS_ROCE_V2_VF_INT_ST_AEQ_OVERFLOW_S); + ++ reset_type = hr_dev->is_vf ? ++ HNAE3_VF_FUNC_RESET : HNAE3_FUNC_RESET; ++ + /* Set reset level for reset_event() */ + if (ops->set_default_reset_request) +- ops->set_default_reset_request(ae_dev, +- HNAE3_FUNC_RESET); ++ ops->set_default_reset_request(ae_dev, reset_type); + if (ops->reset_event) + ops->reset_event(pdev, NULL); + +-- +2.43.0 + diff --git a/queue-6.6/rdma-hns-optimize-hem-allocation-performance.patch b/queue-6.6/rdma-hns-optimize-hem-allocation-performance.patch new file mode 100644 index 00000000000..58baaa3cc9a --- /dev/null +++ b/queue-6.6/rdma-hns-optimize-hem-allocation-performance.patch @@ -0,0 +1,57 @@ +From 251bd7378e5391089bc82f957119d24c6eff3766 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:43 +0800 +Subject: RDMA/hns: Optimize hem allocation performance + +From: Junxian Huang + +[ Upstream commit fe51f6254d81f5a69c31df16353d6539b2b51630 ] + +When allocating MTT hem, for each hop level of each hem that is being +allocated, the driver iterates the hem list to find out whether the +bt page has been allocated in this hop level. If not, allocate a new +one and splice it to the list. The time complexity is O(n^2) in worst +cases. + +Currently the allocation for-loop uses 'unit' as the step size. This +actually has taken into account the reuse of last-hop-level MTT bt +pages by multiple buffer pages. Thus pages of last hop level will +never have been allocated, so there is no need to iterate the hem list +in last hop level. + +Removing this unnecessary iteration can reduce the time complexity to +O(n). + +Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-9-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index a429d95a387cd..7ebf80504fd12 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -1191,10 +1191,12 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + + /* config L1 bt to last bt and link them to corresponding parent */ + for (level = 1; level < hopnum; level++) { +- cur = hem_list_search_item(&mid_bt[level], offset); +- if (cur) { +- hem_ptrs[level] = cur; +- continue; ++ if (!hem_list_is_bottom_bt(hopnum, level)) { ++ cur = hem_list_search_item(&mid_bt[level], offset); ++ if (cur) { ++ hem_ptrs[level] = cur; ++ continue; ++ } + } + + step = hem_list_calc_ba_range(hopnum, level, unit); +-- +2.43.0 + diff --git a/queue-6.6/rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch b/queue-6.6/rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch new file mode 100644 index 00000000000..267458eea2d --- /dev/null +++ b/queue-6.6/rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch @@ -0,0 +1,40 @@ +From acbbc593e11d4ff4d53f59b0878785b818f8623d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 21:58:05 +0500 +Subject: RDMA/irdma: fix error message in irdma_modify_qp_roce() + +From: Vitaliy Shevtsov + +[ Upstream commit 9f0eafe86ea0a589676209d0cff1a1ed49a037d3 ] + +Use a correct field max_dest_rd_atomic instead of max_rd_atomic for the +error output. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Signed-off-by: Vitaliy Shevtsov +Link: https://lore.kernel.org/stable/20240916165817.14691-1-v.shevtsov%40maxima.ru +Link: https://patch.msgid.link/20240916165817.14691-1-v.shevtsov@maxima.ru +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index ca3e89909ecf4..38cecb28d322e 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -1347,7 +1347,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + if (attr->max_dest_rd_atomic > dev->hw_attrs.max_hw_ird) { + ibdev_err(&iwdev->ibdev, + "rd_atomic = %d, above max_hw_ird=%d\n", +- attr->max_rd_atomic, ++ attr->max_dest_rd_atomic, + dev->hw_attrs.max_hw_ird); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-6.6/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch b/queue-6.6/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch new file mode 100644 index 00000000000..b6102cc0c48 --- /dev/null +++ b/queue-6.6/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch @@ -0,0 +1,83 @@ +From 405c78da614b69f61cc243d2775944310f66ecaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 13:33:36 +0200 +Subject: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency + +From: Zhu Yanjun + +[ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ] + +In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to +destroying CM IDs"), the function flush_workqueue is invoked to flush the +work queue iwcm_wq. + +But at that time, the work queue iwcm_wq was created via the function +alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM. + +Because the current process is trying to flush the whole iwcm_wq, if +iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current +process is not reclaiming memory or running on a workqueue which doesn't +have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee +leading to a deadlock. + +The call trace is as below: + +[ 125.350876][ T1430] Call Trace: +[ 125.356281][ T1430] +[ 125.361285][ T1430] ? __warn (kernel/panic.c:693) +[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) +[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) +[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) +[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) +[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) +[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) +[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm +[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) +[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) +[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) +[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm +[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma +[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma +[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) +[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) +[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) +[ 125.531837][ T1430] kthread (kernel/kthread.c:389) +[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) +[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) +[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) +[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) +[ 125.566487][ T1430] +[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]--- + +Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") +Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com +Tested-by: kernel test robot +Signed-off-by: Zhu Yanjun +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/iwcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c +index 2d09d1be38f19..3e4941754b48d 100644 +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -1191,7 +1191,7 @@ static int __init iw_cm_init(void) + if (ret) + return ret; + +- iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0); ++ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM); + if (!iwcm_wq) + goto err_alloc; + +-- +2.43.0 + diff --git a/queue-6.6/rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch b/queue-6.6/rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch new file mode 100644 index 00000000000..8a17738319d --- /dev/null +++ b/queue-6.6/rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch @@ -0,0 +1,97 @@ +From de87be7fcac8152570a5173264299544dfdbd004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 14:24:49 +0300 +Subject: RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache + +From: Michael Guralnik + +[ Upstream commit ee6d57a2e13d11ce9050cfc3e3b69ef707a44a63 ] + +When searching the MR cache for suitable cache entries, don't use mkeys +larger than twice the size required for the MR. +This should ensure the usage of mkeys closer to the minimal required size +and reduce memory waste. + +On driver init we create entries for mkeys with clear attributes and +powers of 2 sizes from 4 to the max supported size. +This solves the issue for anyone using mkeys that fit these +requirements. + +In the use case where an MR is registered with different attributes, +like an access flag we can't UMR, we'll create a new cache entry to store +it upon dereg. +Without this fix, any later registration with same attributes and smaller +size will use the newly created cache entry and it's mkeys, disregarding +the memory waste of using mkeys larger than required. + +For example, one worst-case scenario can be when registering and +deregistering a 1GB mkey with ATS enabled which will cause the creation of +a new cache entry to hold those type of mkeys. A user registering a 4k MR +with ATS will end up using the new cache entry and an mkey that can +support a 1GB MR, thus wasting x250k memory than actually needed in the HW. + +Additionally, allow all small registration to use the smallest size +cache entry that is initialized on driver load even if size is larger +than twice the required size. + +Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key") +Signed-off-by: Michael Guralnik +Link: https://patch.msgid.link/8ba3a6e3748aace2026de8b83da03aba084f78f4.1725362530.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 50a1786231c77..9e465cf99733e 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -48,6 +48,7 @@ enum { + MAX_PENDING_REG_MR = 8, + }; + ++#define MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS 4 + #define MLX5_UMR_ALIGN 2048 + + static void +@@ -715,6 +716,7 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev, + { + struct rb_node *node = dev->cache.rb_root.rb_node; + struct mlx5_cache_ent *cur, *smallest = NULL; ++ u64 ndescs_limit; + int cmp; + + /* +@@ -733,10 +735,18 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev, + return cur; + } + ++ /* ++ * Limit the usage of mkeys larger than twice the required size while ++ * also allowing the usage of smallest cache entry for small MRs. ++ */ ++ ndescs_limit = max_t(u64, rb_key.ndescs * 2, ++ MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS); ++ + return (smallest && + smallest->rb_key.access_mode == rb_key.access_mode && + smallest->rb_key.access_flags == rb_key.access_flags && +- smallest->rb_key.ats == rb_key.ats) ? ++ smallest->rb_key.ats == rb_key.ats && ++ smallest->rb_key.ndescs <= ndescs_limit) ? + smallest : + NULL; + } +@@ -986,7 +996,7 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev) + mlx5_mkey_cache_debugfs_init(dev); + mutex_lock(&cache->rb_lock); + for (i = 0; i <= mkey_cache_max_order(dev); i++) { +- rb_key.ndescs = 1 << (i + 2); ++ rb_key.ndescs = MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS << i; + ent = mlx5r_cache_create_ent_locked(dev, rb_key, true); + if (IS_ERR(ent)) { + ret = PTR_ERR(ent); +-- +2.43.0 + diff --git a/queue-6.6/rdma-mlx5-obtain-upper-net-device-only-when-needed.patch b/queue-6.6/rdma-mlx5-obtain-upper-net-device-only-when-needed.patch new file mode 100644 index 00000000000..95daa61b9bb --- /dev/null +++ b/queue-6.6/rdma-mlx5-obtain-upper-net-device-only-when-needed.patch @@ -0,0 +1,39 @@ +From ac2f0f0a77ae8ec9c775ded514f01c356d003365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 20:30:20 +0300 +Subject: RDMA/mlx5: Obtain upper net device only when needed + +From: Mark Bloch + +[ Upstream commit 3ed7f9e239938a0cfaf3689e2f545229ecabec06 ] + +Report the upper device's state as the RDMA port state only in RoCE LAG or +switchdev LAG. + +Fixes: 27f9e0ccb6da ("net/mlx5: Lag, Add single RDMA device in multiport mode") +Signed-off-by: Mark Bloch +Signed-off-by: Michael Guralnik +Link: https://patch.msgid.link/20240909173025.30422-3-michaelgur@nvidia.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 2d179bc56ce60..296af7a5c2794 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -539,7 +539,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u32 port_num, + if (!ndev) + goto out; + +- if (dev->lag_active) { ++ if (mlx5_lag_is_roce(mdev) || mlx5_lag_is_sriov(mdev)) { + rcu_read_lock(); + upper = netdev_master_upper_dev_get_rcu(ndev); + if (upper) { +-- +2.43.0 + diff --git a/queue-6.6/rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch b/queue-6.6/rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch new file mode 100644 index 00000000000..1917d1b6ac7 --- /dev/null +++ b/queue-6.6/rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch @@ -0,0 +1,47 @@ +From 8d03a05d7649465bf96033d364835b63b8bab639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 13:22:12 +0200 +Subject: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds + +From: Md Haris Iqbal + +[ Upstream commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38 ] + +In the function init_conns(), after the create_con() and create_cm() for +loop if something fails. In the cleanup for loop after the destroy tag, we +access out of bound memory because cid is set to clt_path->s.con_num. + +This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds +in the cleanup loop later. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Md Haris Iqbal +Signed-off-by: Jack Wang +Signed-off-by: Grzegorz Prajsner +Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 75d3a27dea9a0..82aa47efb8078 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -2342,6 +2342,12 @@ static int init_conns(struct rtrs_clt_path *clt_path) + if (err) + goto destroy; + } ++ ++ /* ++ * Set the cid to con_num - 1, since if we fail later, we want to stay in bounds. ++ */ ++ cid = clt_path->s.con_num - 1; ++ + err = alloc_path_reqs(clt_path); + if (err) + goto destroy; +-- +2.43.0 + diff --git a/queue-6.6/rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch b/queue-6.6/rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch new file mode 100644 index 00000000000..0d1725d71cf --- /dev/null +++ b/queue-6.6/rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch @@ -0,0 +1,68 @@ +From e095291f8724949912c195c8757f38edf575e7b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 13:22:10 +0200 +Subject: RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from + peer + +From: Jack Wang + +[ Upstream commit 3258cbbd86deaa2675e1799bc3d18bd1ef472641 ] + +Reset hb_missed_cnt after receiving traffic from other peer, so +hb is more robust again high load on host or network. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Jack Wang +Signed-off-by: Md Haris Iqbal +Signed-off-by: Grzegorz Prajsner +Link: https://patch.msgid.link/20240821112217.41827-5-haris.iqbal@ionos.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 3 ++- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 1aee62aa1515d..75d3a27dea9a0 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -626,6 +626,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc) + */ + if (WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done)) + return; ++ clt_path->s.hb_missed_cnt = 0; + rtrs_from_imm(be32_to_cpu(wc->ex.imm_data), + &imm_type, &imm_payload); + if (imm_type == RTRS_IO_RSP_IMM || +@@ -643,7 +644,6 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc) + return rtrs_clt_recv_done(con, wc); + } else if (imm_type == RTRS_HB_ACK_IMM) { + WARN_ON(con->c.cid); +- clt_path->s.hb_missed_cnt = 0; + clt_path->s.hb_cur_latency = + ktime_sub(ktime_get(), clt_path->s.hb_last_sent); + if (clt_path->flags & RTRS_MSG_NEW_RKEY_F) +@@ -670,6 +670,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc) + /* + * Key invalidations from server side + */ ++ clt_path->s.hb_missed_cnt = 0; + WARN_ON(!(wc->wc_flags & IB_WC_WITH_INVALIDATE || + wc->wc_flags & IB_WC_WITH_IMM)); + WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done); +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index 1d33efb8fb03b..94ac99a4f696e 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -1229,6 +1229,7 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc) + */ + if (WARN_ON(wc->wr_cqe != &io_comp_cqe)) + return; ++ srv_path->s.hb_missed_cnt = 0; + err = rtrs_post_recv_empty(&con->c, &io_comp_cqe); + if (err) { + rtrs_err(s, "rtrs_post_recv(), err: %d\n", err); +-- +2.43.0 + diff --git a/queue-6.6/regulator-return-actual-error-in-of_regulator_bulk_g.patch b/queue-6.6/regulator-return-actual-error-in-of_regulator_bulk_g.patch new file mode 100644 index 00000000000..38a89e00247 --- /dev/null +++ b/queue-6.6/regulator-return-actual-error-in-of_regulator_bulk_g.patch @@ -0,0 +1,41 @@ +From 2f9250cffd3144697ae886ea52bed312ac24cc01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 15:20:45 +0800 +Subject: regulator: Return actual error in of_regulator_bulk_get_all() + +From: Chen-Yu Tsai + +[ Upstream commit 395a41a1d3e377462f3eea8a205ee72be8885ff6 ] + +If regulator_get() in of_regulator_bulk_get_all() returns an error, that +error gets overridden and -EINVAL is always passed out. This masks probe +deferral requests and likely won't work properly in all cases. + +Fix this by letting of_regulator_bulk_get_all() return the original +error code. + +Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all") +Signed-off-by: Chen-Yu Tsai +Link: https://patch.msgid.link/20240822072047.3097740-3-wenst@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/of_regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c +index 1b65e5e4e40ff..59e71fd0db439 100644 +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -768,7 +768,7 @@ int of_regulator_bulk_get_all(struct device *dev, struct device_node *np, + name[i] = '\0'; + tmp = regulator_get(dev, name); + if (IS_ERR(tmp)) { +- ret = -EINVAL; ++ ret = PTR_ERR(tmp); + goto error; + } + (*consumers)[n].consumer = tmp; +-- +2.43.0 + diff --git a/queue-6.6/remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch b/queue-6.6/remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch new file mode 100644 index 00000000000..7238019c79e --- /dev/null +++ b/queue-6.6/remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch @@ -0,0 +1,40 @@ +From 7ed892b5330b92fa586bf230dfc5ccdeffad5873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 16:36:11 +0800 +Subject: remoteproc: imx_rproc: Correct ddr alias for i.MX8M + +From: Peng Fan + +[ Upstream commit c901f817792822eda9cec23814a4621fa3e66695 ] + +The DDR Alias address should be 0x40000000 according to RM, so correct +it. + +Fixes: 4ab8f9607aad ("remoteproc: imx_rproc: support i.MX8MQ/M") +Reported-by: Terry Lv +Reviewed-by: Iuliana Prodan +Signed-off-by: Peng Fan +Reviewed-by: Daniel Baluta +Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-1-10d0268c7eb1@nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index cfee164dd645c..ac32b46b4e0f8 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -213,7 +213,7 @@ static const struct imx_rproc_att imx_rproc_att_imx8mq[] = { + /* QSPI Code - alias */ + { 0x08000000, 0x08000000, 0x08000000, 0 }, + /* DDR (Code) - alias */ +- { 0x10000000, 0x80000000, 0x0FFE0000, 0 }, ++ { 0x10000000, 0x40000000, 0x0FFE0000, 0 }, + /* TCML */ + { 0x1FFE0000, 0x007E0000, 0x00020000, ATT_OWN | ATT_IOMEM}, + /* TCMU */ +-- +2.43.0 + diff --git a/queue-6.6/remoteproc-imx_rproc-initialize-workqueue-earlier.patch b/queue-6.6/remoteproc-imx_rproc-initialize-workqueue-earlier.patch new file mode 100644 index 00000000000..35dbce303b1 --- /dev/null +++ b/queue-6.6/remoteproc-imx_rproc-initialize-workqueue-earlier.patch @@ -0,0 +1,48 @@ +From c2e7a84c2c4431486b0573ba2ff54404819eea03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 16:36:13 +0800 +Subject: remoteproc: imx_rproc: Initialize workqueue earlier + +From: Peng Fan + +[ Upstream commit 858e57c1d3dd7b92cc0fa692ba130a0a5d57e49d ] + +Initialize workqueue before requesting mailbox channel, otherwise if +mailbox interrupt comes before workqueue ready, the imx_rproc_rx_callback +will trigger issue. + +Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox") +Signed-off-by: Peng Fan +Reviewed-by: Daniel Baluta +Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-3-10d0268c7eb1@nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index ac32b46b4e0f8..d68d4b22f528e 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -1134,6 +1134,8 @@ static int imx_rproc_probe(struct platform_device *pdev) + goto err_put_rproc; + } + ++ INIT_WORK(&priv->rproc_work, imx_rproc_vq_work); ++ + ret = imx_rproc_xtr_mbox_init(rproc); + if (ret) + goto err_put_wkq; +@@ -1152,8 +1154,6 @@ static int imx_rproc_probe(struct platform_device *pdev) + if (ret) + goto err_put_scu; + +- INIT_WORK(&priv->rproc_work, imx_rproc_vq_work); +- + if (rproc->state != RPROC_DETACHED) + rproc->auto_boot = of_property_read_bool(np, "fsl,auto-boot"); + +-- +2.43.0 + diff --git a/queue-6.6/reset-berlin-fix-of-node-leak-in-probe-error-path.patch b/queue-6.6/reset-berlin-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..245e9f8850c --- /dev/null +++ b/queue-6.6/reset-berlin-fix-of-node-leak-in-probe-error-path.patch @@ -0,0 +1,46 @@ +From 489a242f9de07c4e0b97cade01f807fc11e3fd4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 16:14:24 +0200 +Subject: reset: berlin: fix OF node leak in probe() error path + +From: Krzysztof Kozlowski + +[ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ] + +Driver is leaking OF node reference on memory allocation failure. +Acquire the OF node reference after memory allocation to fix this and +keep it simple. + +Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/reset-berlin.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/reset/reset-berlin.c b/drivers/reset/reset-berlin.c +index 2537ec05eceef..578fe867080ce 100644 +--- a/drivers/reset/reset-berlin.c ++++ b/drivers/reset/reset-berlin.c +@@ -68,13 +68,14 @@ static int berlin_reset_xlate(struct reset_controller_dev *rcdev, + + static int berlin2_reset_probe(struct platform_device *pdev) + { +- struct device_node *parent_np = of_get_parent(pdev->dev.of_node); ++ struct device_node *parent_np; + struct berlin_reset_priv *priv; + + priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + ++ parent_np = of_get_parent(pdev->dev.of_node); + priv->regmap = syscon_node_to_regmap(parent_np); + of_node_put(parent_np); + if (IS_ERR(priv->regmap)) +-- +2.43.0 + diff --git a/queue-6.6/reset-k210-fix-of-node-leak-in-probe-error-path.patch b/queue-6.6/reset-k210-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..3ad6326fe6c --- /dev/null +++ b/queue-6.6/reset-k210-fix-of-node-leak-in-probe-error-path.patch @@ -0,0 +1,47 @@ +From 4f931edbbede1e73c3b6bd5009686396e81b29f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 16:14:25 +0200 +Subject: reset: k210: fix OF node leak in probe() error path + +From: Krzysztof Kozlowski + +[ Upstream commit b14e40f5dc7cd0dd7e958010e6ca9ad32ff2ddad ] + +Driver is leaking OF node reference on memory allocation failure. +Acquire the OF node reference after memory allocation to fix this and +keep it simple. + +Fixes: 5a2308da9f60 ("riscv: Add Canaan Kendryte K210 reset controller") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-2-03f6d834f8c0@linaro.org +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/reset-k210.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/reset/reset-k210.c b/drivers/reset/reset-k210.c +index b62a2fd44e4e4..e77e4cca377dc 100644 +--- a/drivers/reset/reset-k210.c ++++ b/drivers/reset/reset-k210.c +@@ -90,7 +90,7 @@ static const struct reset_control_ops k210_rst_ops = { + static int k210_rst_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- struct device_node *parent_np = of_get_parent(dev->of_node); ++ struct device_node *parent_np; + struct k210_rst *ksr; + + dev_info(dev, "K210 reset controller\n"); +@@ -99,6 +99,7 @@ static int k210_rst_probe(struct platform_device *pdev) + if (!ksr) + return -ENOMEM; + ++ parent_np = of_get_parent(dev->of_node); + ksr->map = syscon_node_to_regmap(parent_np); + of_node_put(parent_np); + if (IS_ERR(ksr->map)) +-- +2.43.0 + diff --git a/queue-6.6/revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch b/queue-6.6/revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch new file mode 100644 index 00000000000..0f7e9b1184a --- /dev/null +++ b/queue-6.6/revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch @@ -0,0 +1,84 @@ +From cc23f3049dbfd947586ad578d86e283e3653bb4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 15:05:18 +0200 +Subject: Revert "dm: requeue IO if mapping table not yet available" + +From: Mikulas Patocka + +[ Upstream commit c8691cd0fc11197515ed148de0780d927bfca38b ] + +This reverts commit fa247089de9936a46e290d4724cb5f0b845600f5. + +The following sequence of commands causes a livelock - there will be +workqueue process looping and consuming 100% CPU: + +dmsetup create --notable test +truncate -s 1MiB testdata +losetup /dev/loop0 testdata +dmsetup load test --table '0 2048 linear /dev/loop0 0' +dd if=/dev/zero of=/dev/dm-0 bs=16k count=1 conv=fdatasync + +The livelock is caused by the commit fa247089de99. The commit claims that +it fixes a race condition, however, it is unknown what the actual race +condition is and what program is involved in the race condition. + +When the inactive table is loaded, the nodes /dev/dm-0 and +/sys/block/dm-0 are created. /dev/dm-0 has zero size at this point. When +the device is suspended and resumed, the nodes /dev/mapper/test and +/dev/disk/* are created. + +If some program opens a block device before it is created by dmsetup or +lvm, the program is buggy, so dm could just report an error as it used to +do before. + +Reported-by: Zdenek Kabelac +Signed-off-by: Mikulas Patocka +Fixes: fa247089de99 ("dm: requeue IO if mapping table not yet available") +Signed-off-by: Sasha Levin +--- + drivers/md/dm-rq.c | 4 +++- + drivers/md/dm.c | 11 ++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c +index f7e9a3632eb3d..499f8cc8a39fb 100644 +--- a/drivers/md/dm-rq.c ++++ b/drivers/md/dm-rq.c +@@ -496,8 +496,10 @@ static blk_status_t dm_mq_queue_rq(struct blk_mq_hw_ctx *hctx, + + map = dm_get_live_table(md, &srcu_idx); + if (unlikely(!map)) { ++ DMERR_LIMIT("%s: mapping table unavailable, erroring io", ++ dm_device_name(md)); + dm_put_live_table(md, srcu_idx); +- return BLK_STS_RESOURCE; ++ return BLK_STS_IOERR; + } + ti = dm_table_find_target(map, 0); + dm_put_live_table(md, srcu_idx); +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 8ec0a263744a5..5dd0a42463a2b 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1817,10 +1817,15 @@ static void dm_submit_bio(struct bio *bio) + struct dm_table *map; + + map = dm_get_live_table(md, &srcu_idx); ++ if (unlikely(!map)) { ++ DMERR_LIMIT("%s: mapping table unavailable, erroring io", ++ dm_device_name(md)); ++ bio_io_error(bio); ++ goto out; ++ } + +- /* If suspended, or map not yet available, queue this IO for later */ +- if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) || +- unlikely(!map)) { ++ /* If suspended, queue this IO for later */ ++ if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags))) { + if (bio->bi_opf & REQ_NOWAIT) + bio_wouldblock_error(bio); + else if (bio->bi_opf & REQ_RAHEAD) +-- +2.43.0 + diff --git a/queue-6.6/risc-v-kvm-allow-legacy-pmu-access-from-guest.patch b/queue-6.6/risc-v-kvm-allow-legacy-pmu-access-from-guest.patch new file mode 100644 index 00000000000..6cee8189069 --- /dev/null +++ b/queue-6.6/risc-v-kvm-allow-legacy-pmu-access-from-guest.patch @@ -0,0 +1,67 @@ +From f13903670f7ac3cc21e01f911498e7bc1658fe2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 00:08:08 -0700 +Subject: RISC-V: KVM: Allow legacy PMU access from guest + +From: Atish Patra + +[ Upstream commit 7d1ffc8b087e97dbe1985912c7a2d00e53cea169 ] + +Currently, KVM traps & emulates PMU counter access only if SBI PMU +is available as the guest can only configure/read PMU counters via +SBI only. However, if SBI PMU is not enabled in the host, the +guest will fallback to the legacy PMU which will try to access +cycle/instret and result in an illegal instruction trap which +is not desired. + +KVM can allow dummy emulation of cycle/instret only for the guest +if SBI PMU is not enabled in the host. The dummy emulation will +still return zero as we don't to expose the host counter values +from a guest using legacy PMU. + +Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters") +Signed-off-by: Atish Patra +Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-1-cdfce386dd93@rivosinc.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/kvm_vcpu_pmu.h | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h +index 395518a1664e0..6823271bce322 100644 +--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h ++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h +@@ -10,6 +10,7 @@ + #define __KVM_VCPU_RISCV_PMU_H + + #include ++#include + #include + + #ifdef CONFIG_RISCV_PMU_SBI +@@ -92,8 +93,20 @@ void kvm_riscv_vcpu_pmu_reset(struct kvm_vcpu *vcpu); + struct kvm_pmu { + }; + ++static inline int kvm_riscv_vcpu_pmu_read_legacy(struct kvm_vcpu *vcpu, unsigned int csr_num, ++ unsigned long *val, unsigned long new_val, ++ unsigned long wr_mask) ++{ ++ if (csr_num == CSR_CYCLE || csr_num == CSR_INSTRET) { ++ *val = 0; ++ return KVM_INSN_CONTINUE_NEXT_SEPC; ++ } else { ++ return KVM_INSN_ILLEGAL_TRAP; ++ } ++} ++ + #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \ +-{.base = 0, .count = 0, .func = NULL }, ++{.base = CSR_CYCLE, .count = 3, .func = kvm_riscv_vcpu_pmu_read_legacy }, + + static inline void kvm_riscv_vcpu_pmu_init(struct kvm_vcpu *vcpu) {} + static inline int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid) +-- +2.43.0 + diff --git a/queue-6.6/risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch b/queue-6.6/risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch new file mode 100644 index 00000000000..81c0c324793 --- /dev/null +++ b/queue-6.6/risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch @@ -0,0 +1,48 @@ +From 4ea3cb21d6d42284fd9b10004130d1e14b0815f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 17:49:44 +0200 +Subject: RISC-V: KVM: Fix sbiret init before forwarding to userspace + +From: Andrew Jones + +[ Upstream commit 6b7b282e6baea06ba65b55ae7d38326ceb79cebf ] + +When forwarding SBI calls to userspace ensure sbiret.error is +initialized to SBI_ERR_NOT_SUPPORTED first, in case userspace +neglects to set it to anything. If userspace neglects it then we +can't be sure it did anything else either, so we just report it +didn't do or try anything. Just init sbiret.value to zero, which is +the preferred value to return when nothing special is specified. + +KVM was already initializing both sbiret.error and sbiret.value, but +the values used appear to come from a copy+paste of the __sbi_ecall() +implementation, i.e. a0 and a1, which don't apply prior to the call +being executed, nor at all when forwarding to userspace. + +Fixes: dea8ee31a039 ("RISC-V: KVM: Add SBI v0.1 support") +Signed-off-by: Andrew Jones +Link: https://lore.kernel.org/r/20240807154943.150540-2-ajones@ventanamicro.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_sbi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c +index 9cd97091c7233..7a7fe40d0930b 100644 +--- a/arch/riscv/kvm/vcpu_sbi.c ++++ b/arch/riscv/kvm/vcpu_sbi.c +@@ -91,8 +91,8 @@ void kvm_riscv_vcpu_sbi_forward(struct kvm_vcpu *vcpu, struct kvm_run *run) + run->riscv_sbi.args[3] = cp->a3; + run->riscv_sbi.args[4] = cp->a4; + run->riscv_sbi.args[5] = cp->a5; +- run->riscv_sbi.ret[0] = cp->a0; +- run->riscv_sbi.ret[1] = cp->a1; ++ run->riscv_sbi.ret[0] = SBI_ERR_NOT_SUPPORTED; ++ run->riscv_sbi.ret[1] = 0; + } + + void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu, +-- +2.43.0 + diff --git a/queue-6.6/risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch b/queue-6.6/risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch new file mode 100644 index 00000000000..3d8ffd36e48 --- /dev/null +++ b/queue-6.6/risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch @@ -0,0 +1,44 @@ +From cae0ec422b3d355c4d3f77b291bf6ae8982e75df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 00:08:09 -0700 +Subject: RISC-V: KVM: Fix to allow hpmcounter31 from the guest + +From: Atish Patra + +[ Upstream commit 5aa09297a3dcc798d038bd7436f8c90f664045a6 ] + +The csr_fun defines a count parameter which defines the total number +CSRs emulated in KVM starting from the base. This value should be +equal to total number of counters possible for trap/emulation (32). + +Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters") +Signed-off-by: Atish Patra +Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-2-cdfce386dd93@rivosinc.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/kvm_vcpu_pmu.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h +index 6823271bce322..a50a1d23523fe 100644 +--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h ++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h +@@ -58,11 +58,11 @@ struct kvm_pmu { + + #if defined(CONFIG_32BIT) + #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \ +-{.base = CSR_CYCLEH, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm }, \ +-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm }, ++{.base = CSR_CYCLEH, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm }, \ ++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm }, + #else + #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \ +-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm }, ++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm }, + #endif + + int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid); +-- +2.43.0 + diff --git a/queue-6.6/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch b/queue-6.6/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch new file mode 100644 index 00000000000..9f45e79e177 --- /dev/null +++ b/queue-6.6/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch @@ -0,0 +1,46 @@ +From 9b6febdd9a9bc905d431548430c8e86392fb0de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 11:28:46 +0800 +Subject: riscv: Fix fp alignment bug in perf_callchain_user() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jinjie Ruan + +[ Upstream commit 22ab08955ea13be04a8efd20cc30890e0afaa49c ] + +The standard RISC-V calling convention said: + "The stack grows downward and the stack pointer is always + kept 16-byte aligned". + +So perf_callchain_user() should check whether 16-byte aligned for fp. + +Link: https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf + +Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support") +Signed-off-by: Jinjie Ruan +Cc: Björn Töpel +Link: https://lore.kernel.org/r/20240708032847.2998158-2-ruanjinjie@huawei.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/perf_callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/perf_callchain.c b/arch/riscv/kernel/perf_callchain.c +index 3348a61de7d99..2932791e93882 100644 +--- a/arch/riscv/kernel/perf_callchain.c ++++ b/arch/riscv/kernel/perf_callchain.c +@@ -62,7 +62,7 @@ void perf_callchain_user(struct perf_callchain_entry_ctx *entry, + perf_callchain_store(entry, regs->epc); + + fp = user_backtrace(entry, fp, regs->ra); +- while (fp && !(fp & 0x3) && entry->nr < entry->max_stack) ++ while (fp && !(fp & 0x7) && entry->nr < entry->max_stack) + fp = user_backtrace(entry, fp, 0); + } + +-- +2.43.0 + diff --git a/queue-6.6/samples-bpf-fix-compilation-errors-with-cf-protectio.patch b/queue-6.6/samples-bpf-fix-compilation-errors-with-cf-protectio.patch new file mode 100644 index 00000000000..b67a766ba1e --- /dev/null +++ b/queue-6.6/samples-bpf-fix-compilation-errors-with-cf-protectio.patch @@ -0,0 +1,64 @@ +From 925b226d2139a5accf5b5b7b769ef5f153d4c927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 21:55:24 +0800 +Subject: samples/bpf: Fix compilation errors with cf-protection option + +From: Jiangshan Yi + +[ Upstream commit fdf1c728fac541891ef1aa773bfd42728626769c ] + +Currently, compiling the bpf programs will result the compilation errors +with the cf-protection option as follows in arm64 and loongarch64 machine +when using gcc 12.3.1 and clang 17.0.6. This commit fixes the compilation +errors by limited the cf-protection option only used in x86 platform. + +[root@localhost linux]# make M=samples/bpf + ...... + CLANG-bpf samples/bpf/xdp2skb_meta_kern.o +error: option 'cf-protection=return' cannot be specified on this target +error: option 'cf-protection=branch' cannot be specified on this target +2 errors generated. + CLANG-bpf samples/bpf/syscall_tp_kern.o +error: option 'cf-protection=return' cannot be specified on this target +error: option 'cf-protection=branch' cannot be specified on this target +2 errors generated. + ...... + +Fixes: 34f6e38f58db ("samples/bpf: fix warning with ignored-attributes") +Reported-by: Jiangshan Yi +Signed-off-by: Jiangshan Yi +Signed-off-by: Andrii Nakryiko +Tested-by: Qiang Wang +Link: https://lore.kernel.org/bpf/20240815135524.140675-1-13667453960@163.com +Signed-off-by: Sasha Levin +--- + samples/bpf/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile +index 4ccf4236031c1..3fa16412db15c 100644 +--- a/samples/bpf/Makefile ++++ b/samples/bpf/Makefile +@@ -166,6 +166,10 @@ BPF_EXTRA_CFLAGS += -I$(srctree)/arch/mips/include/asm/mach-generic + endif + endif + ++ifeq ($(ARCH), x86) ++BPF_EXTRA_CFLAGS += -fcf-protection ++endif ++ + TPROGS_CFLAGS += -Wall -O2 + TPROGS_CFLAGS += -Wmissing-prototypes + TPROGS_CFLAGS += -Wstrict-prototypes +@@ -394,7 +398,7 @@ $(obj)/%.o: $(src)/%.c + -Wno-gnu-variable-sized-type-not-at-end \ + -Wno-address-of-packed-member -Wno-tautological-compare \ + -Wno-unknown-warning-option $(CLANG_ARCH_ARGS) \ +- -fno-asynchronous-unwind-tables -fcf-protection \ ++ -fno-asynchronous-unwind-tables \ + -I$(srctree)/samples/bpf/ -include asm_goto_workaround.h \ + -O2 -emit-llvm -Xclang -disable-llvm-passes -c $< -o - | \ + $(OPT) -O2 -mtriple=bpf-pc-linux | $(LLVM_DIS) | \ +-- +2.43.0 + diff --git a/queue-6.6/sched-fair-make-sched_idle-entity-be-preempted-in-st.patch b/queue-6.6/sched-fair-make-sched_idle-entity-be-preempted-in-st.patch new file mode 100644 index 00000000000..583ced766e7 --- /dev/null +++ b/queue-6.6/sched-fair-make-sched_idle-entity-be-preempted-in-st.patch @@ -0,0 +1,98 @@ +From 053727ebad9a4bdbf21c8bdae2d249a327d7fb76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 10:35:05 +0800 +Subject: sched/fair: Make SCHED_IDLE entity be preempted in strict hierarchy + +From: Tianchen Ding + +[ Upstream commit faa42d29419def58d3c3e5b14ad4037f0af3b496 ] + +Consider the following cgroup: + + root + | + ------------------------ + | | + normal_cgroup idle_cgroup + | | + SCHED_IDLE task_A SCHED_NORMAL task_B + +According to the cgroup hierarchy, A should preempt B. But current +check_preempt_wakeup_fair() treats cgroup se and task separately, so B +will preempt A unexpectedly. +Unify the wakeup logic by {c,p}se_is_idle only. This makes SCHED_IDLE of +a task a relative policy that is effective only within its own cgroup, +similar to the behavior of NICE. + +Also fix se_is_idle() definition when !CONFIG_FAIR_GROUP_SCHED. + +Fixes: 304000390f88 ("sched: Cgroup SCHED_IDLE support") +Signed-off-by: Tianchen Ding +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Josh Don +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20240626023505.1332596-1-dtcccc@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index b2e1009e5706e..5fc0d9cc9d9d7 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -533,7 +533,7 @@ static int cfs_rq_is_idle(struct cfs_rq *cfs_rq) + + static int se_is_idle(struct sched_entity *se) + { +- return 0; ++ return task_has_idle_policy(task_of(se)); + } + + #endif /* CONFIG_FAIR_GROUP_SCHED */ +@@ -8209,16 +8209,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_ + if (test_tsk_need_resched(curr)) + return; + +- /* Idle tasks are by definition preempted by non-idle tasks. */ +- if (unlikely(task_has_idle_policy(curr)) && +- likely(!task_has_idle_policy(p))) +- goto preempt; +- +- /* +- * Batch and idle tasks do not preempt non-idle tasks (their preemption +- * is driven by the tick): +- */ +- if (unlikely(p->policy != SCHED_NORMAL) || !sched_feat(WAKEUP_PREEMPTION)) ++ if (!sched_feat(WAKEUP_PREEMPTION)) + return; + + find_matching_se(&se, &pse); +@@ -8228,7 +8219,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_ + pse_is_idle = se_is_idle(pse); + + /* +- * Preempt an idle group in favor of a non-idle group (and don't preempt ++ * Preempt an idle entity in favor of a non-idle entity (and don't preempt + * in the inverse case). + */ + if (cse_is_idle && !pse_is_idle) +@@ -8236,9 +8227,14 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_ + if (cse_is_idle != pse_is_idle) + return; + ++ /* ++ * BATCH and IDLE tasks do not preempt others. ++ */ ++ if (unlikely(p->policy != SCHED_NORMAL)) ++ return; ++ + cfs_rq = cfs_rq_of(se); + update_curr(cfs_rq); +- + /* + * XXX pick_eevdf(cfs_rq) != se ? + */ +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-complete-scanning-of-inactive-vmas-when-t.patch b/queue-6.6/sched-numa-complete-scanning-of-inactive-vmas-when-t.patch new file mode 100644 index 00000000000..fadae300e71 --- /dev/null +++ b/queue-6.6/sched-numa-complete-scanning-of-inactive-vmas-when-t.patch @@ -0,0 +1,262 @@ +From a5145866409098262ff88a4fba9602b1c2435ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:43 +0100 +Subject: sched/numa: Complete scanning of inactive VMAs when there is no + alternative + +From: Mel Gorman + +[ Upstream commit f169c62ff7cd1acf8bac8ae17bfeafa307d9e6fa ] + +VMAs are skipped if there is no recent fault activity but this represents +a chicken-and-egg problem as there may be no fault activity if the PTEs +are never updated to trap NUMA hints. There is an indirect reliance on +scanning to be forced early in the lifetime of a task but this may fail +to detect changes in phase behaviour. Force inactive VMAs to be scanned +when all other eligible VMAs have been updated within the same scan +sequence. + +Test results in general look good with some changes in performance, both +negative and positive, depending on whether the additional scanning and +faulting was beneficial or not to the workload. The autonuma benchmark +workload NUMA01_THREADLOCAL was picked for closer examination. The workload +creates two processes with numerous threads and thread-local storage that +is zero-filled in a loop. It exercises the corner case where unrelated +threads may skip VMAs that are thread-local to another thread and still +has some VMAs that inactive while the workload executes. + +The VMA skipping activity frequency with and without the patch: + + 6.6.0-rc2-sched-numabtrace-v1 + ============================= + 649 reason=scan_delay + 9,094 reason=unsuitable + 48,915 reason=shared_ro + 143,919 reason=inaccessible + 193,050 reason=pid_inactive + + 6.6.0-rc2-sched-numabselective-v1 + ============================= + 146 reason=seq_completed + 622 reason=ignore_pid_inactive + + 624 reason=scan_delay + 6,570 reason=unsuitable + 16,101 reason=shared_ro + 27,608 reason=inaccessible + 41,939 reason=pid_inactive + +Note that with the patch applied, the PID activity is ignored +(ignore_pid_inactive) to ensure a VMA with some activity is completely +scanned. In addition, a small number of VMAs are scanned when no other +eligible VMA is available during a single scan window (seq_completed). +The number of times a VMA is skipped due to no PID activity from the +scanning task (pid_inactive) drops dramatically. It is expected that +this will increase the number of PTEs updated for NUMA hinting faults +as well as hinting faults but these represent PTEs that would otherwise +have been missed. The tradeoff is scan+fault overhead versus improving +locality due to migration. + +On a 2-socket Cascade Lake test machine, the time to complete the +workload is as follows; + + 6.6.0-rc2 6.6.0-rc2 + sched-numabtrace-v1 sched-numabselective-v1 + Min elsp-NUMA01_THREADLOCAL 174.22 ( 0.00%) 117.64 ( 32.48%) + Amean elsp-NUMA01_THREADLOCAL 175.68 ( 0.00%) 123.34 * 29.79%* + Stddev elsp-NUMA01_THREADLOCAL 1.20 ( 0.00%) 4.06 (-238.20%) + CoeffVar elsp-NUMA01_THREADLOCAL 0.68 ( 0.00%) 3.29 (-381.70%) + Max elsp-NUMA01_THREADLOCAL 177.18 ( 0.00%) 128.03 ( 27.74%) + +The time to complete the workload is reduced by almost 30%: + + 6.6.0-rc2 6.6.0-rc2 + sched-numabtrace-v1 sched-numabselective-v1 / + Duration User 91201.80 63506.64 + Duration System 2015.53 1819.78 + Duration Elapsed 1234.77 868.37 + +In this specific case, system CPU time was not increased but it's not +universally true. + +From vmstat, the NUMA scanning and fault activity is as follows; + + 6.6.0-rc2 6.6.0-rc2 + sched-numabtrace-v1 sched-numabselective-v1 + Ops NUMA base-page range updates 64272.00 26374386.00 + Ops NUMA PTE updates 36624.00 55538.00 + Ops NUMA PMD updates 54.00 51404.00 + Ops NUMA hint faults 15504.00 75786.00 + Ops NUMA hint local faults % 14860.00 56763.00 + Ops NUMA hint local percent 95.85 74.90 + Ops NUMA pages migrated 1629.00 6469222.00 + +Both the number of PTE updates and hint faults is dramatically +increased. While this is superficially unfortunate, it represents +ranges that were simply skipped without the patch. As a result +of the scanning and hinting faults, many more pages were also +migrated but as the time to completion is reduced, the overhead +is offset by the gain. + +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Tested-by: Raghavendra K T +Link: https://lore.kernel.org/r/20231010083143.19593-7-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + include/linux/mm_types.h | 6 +++ + include/linux/sched/numa_balancing.h | 1 + + include/trace/events/sched.h | 3 +- + kernel/sched/fair.c | 55 ++++++++++++++++++++++++++-- + 4 files changed, 61 insertions(+), 4 deletions(-) + +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index 80d9d1b7685c6..43c19d85dfe7f 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -575,6 +575,12 @@ struct vma_numab_state { + * every VMA_PID_RESET_PERIOD jiffies: + */ + unsigned long pids_active[2]; ++ ++ /* ++ * MM scan sequence ID when the VMA was last completely scanned. ++ * A VMA is not eligible for scanning if prev_scan_seq == numa_scan_seq ++ */ ++ int prev_scan_seq; + }; + + /* +diff --git a/include/linux/sched/numa_balancing.h b/include/linux/sched/numa_balancing.h +index 7dcc0bdfddbbf..b69afb8630db4 100644 +--- a/include/linux/sched/numa_balancing.h ++++ b/include/linux/sched/numa_balancing.h +@@ -22,6 +22,7 @@ enum numa_vmaskip_reason { + NUMAB_SKIP_SCAN_DELAY, + NUMAB_SKIP_PID_INACTIVE, + NUMAB_SKIP_IGNORE_PID, ++ NUMAB_SKIP_SEQ_COMPLETED, + }; + + #ifdef CONFIG_NUMA_BALANCING +diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h +index 27b51c81b1067..010ba1b7cb0ea 100644 +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -671,7 +671,8 @@ DEFINE_EVENT(sched_numa_pair_template, sched_swap_numa, + EM( NUMAB_SKIP_INACCESSIBLE, "inaccessible" ) \ + EM( NUMAB_SKIP_SCAN_DELAY, "scan_delay" ) \ + EM( NUMAB_SKIP_PID_INACTIVE, "pid_inactive" ) \ +- EMe(NUMAB_SKIP_IGNORE_PID, "ignore_pid_inactive" ) ++ EM( NUMAB_SKIP_IGNORE_PID, "ignore_pid_inactive" ) \ ++ EMe(NUMAB_SKIP_SEQ_COMPLETED, "seq_completed" ) + + /* Redefine for export. */ + #undef EM +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 03eb1cab320d8..0af2be3ee849e 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3233,6 +3233,8 @@ static void task_numa_work(struct callback_head *work) + unsigned long nr_pte_updates = 0; + long pages, virtpages; + struct vma_iterator vmi; ++ bool vma_pids_skipped; ++ bool vma_pids_forced = false; + + SCHED_WARN_ON(p != container_of(work, struct task_struct, numa_work)); + +@@ -3275,7 +3277,6 @@ static void task_numa_work(struct callback_head *work) + */ + p->node_stamp += 2 * TICK_NSEC; + +- start = mm->numa_scan_offset; + pages = sysctl_numa_balancing_scan_size; + pages <<= 20 - PAGE_SHIFT; /* MB in pages */ + virtpages = pages * 8; /* Scan up to this much virtual space */ +@@ -3285,6 +3286,16 @@ static void task_numa_work(struct callback_head *work) + + if (!mmap_read_trylock(mm)) + return; ++ ++ /* ++ * VMAs are skipped if the current PID has not trapped a fault within ++ * the VMA recently. Allow scanning to be forced if there is no ++ * suitable VMA remaining. ++ */ ++ vma_pids_skipped = false; ++ ++retry_pids: ++ start = mm->numa_scan_offset; + vma_iter_init(&vmi, mm, start); + vma = vma_next(&vmi); + if (!vma) { +@@ -3335,6 +3346,13 @@ static void task_numa_work(struct callback_head *work) + /* Reset happens after 4 times scan delay of scan start */ + vma->numab_state->pids_active_reset = vma->numab_state->next_scan + + msecs_to_jiffies(VMA_PID_RESET_PERIOD); ++ ++ /* ++ * Ensure prev_scan_seq does not match numa_scan_seq, ++ * to prevent VMAs being skipped prematurely on the ++ * first scan: ++ */ ++ vma->numab_state->prev_scan_seq = mm->numa_scan_seq - 1; + } + + /* +@@ -3356,8 +3374,19 @@ static void task_numa_work(struct callback_head *work) + vma->numab_state->pids_active[1] = 0; + } + +- /* Do not scan the VMA if task has not accessed */ +- if (!vma_is_accessed(mm, vma)) { ++ /* Do not rescan VMAs twice within the same sequence. */ ++ if (vma->numab_state->prev_scan_seq == mm->numa_scan_seq) { ++ mm->numa_scan_offset = vma->vm_end; ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_SEQ_COMPLETED); ++ continue; ++ } ++ ++ /* ++ * Do not scan the VMA if task has not accessed it, unless no other ++ * VMA candidate exists. ++ */ ++ if (!vma_pids_forced && !vma_is_accessed(mm, vma)) { ++ vma_pids_skipped = true; + trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_PID_INACTIVE); + continue; + } +@@ -3386,8 +3415,28 @@ static void task_numa_work(struct callback_head *work) + + cond_resched(); + } while (end != vma->vm_end); ++ ++ /* VMA scan is complete, do not scan until next sequence. */ ++ vma->numab_state->prev_scan_seq = mm->numa_scan_seq; ++ ++ /* ++ * Only force scan within one VMA at a time, to limit the ++ * cost of scanning a potentially uninteresting VMA. ++ */ ++ if (vma_pids_forced) ++ break; + } for_each_vma(vmi, vma); + ++ /* ++ * If no VMAs are remaining and VMAs were skipped due to the PID ++ * not accessing the VMA previously, then force a scan to ensure ++ * forward progress: ++ */ ++ if (!vma && !vma_pids_forced && vma_pids_skipped) { ++ vma_pids_forced = true; ++ goto retry_pids; ++ } ++ + out: + /* + * It is possible to reach the end of the VMA list but the last few +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-complete-scanning-of-partial-vmas-regardl.patch b/queue-6.6/sched-numa-complete-scanning-of-partial-vmas-regardl.patch new file mode 100644 index 00000000000..72f6612af41 --- /dev/null +++ b/queue-6.6/sched-numa-complete-scanning-of-partial-vmas-regardl.patch @@ -0,0 +1,109 @@ +From 43cdab6a21f8ce785b9d91a7bdcad8680b74f78f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:42 +0100 +Subject: sched/numa: Complete scanning of partial VMAs regardless of PID + activity + +From: Mel Gorman + +[ Upstream commit b7a5b537c55c088d891ae554103d1b281abef781 ] + +NUMA Balancing skips VMAs when the current task has not trapped a NUMA +fault within the VMA. If the VMA is skipped then mm->numa_scan_offset +advances and a task that is trapping faults within the VMA may never +fully update PTEs within the VMA. + +Force tasks to update PTEs for partially scanned PTEs. The VMA will +be tagged for NUMA hints by some task but this removes some of the +benefit of tracking PID activity within a VMA. A follow-on patch +will mitigate this problem. + +The test cases and machines evaluated did not trigger the corner case so +the performance results are neutral with only small changes within the +noise from normal test-to-test variance. However, the next patch makes +the corner case easier to trigger. + +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Tested-by: Raghavendra K T +Link: https://lore.kernel.org/r/20231010083143.19593-6-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + include/linux/sched/numa_balancing.h | 1 + + include/trace/events/sched.h | 3 ++- + kernel/sched/fair.c | 18 +++++++++++++++--- + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/include/linux/sched/numa_balancing.h b/include/linux/sched/numa_balancing.h +index c127a1509e2fa..7dcc0bdfddbbf 100644 +--- a/include/linux/sched/numa_balancing.h ++++ b/include/linux/sched/numa_balancing.h +@@ -21,6 +21,7 @@ enum numa_vmaskip_reason { + NUMAB_SKIP_INACCESSIBLE, + NUMAB_SKIP_SCAN_DELAY, + NUMAB_SKIP_PID_INACTIVE, ++ NUMAB_SKIP_IGNORE_PID, + }; + + #ifdef CONFIG_NUMA_BALANCING +diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h +index b0d0dbf491ea6..27b51c81b1067 100644 +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -670,7 +670,8 @@ DEFINE_EVENT(sched_numa_pair_template, sched_swap_numa, + EM( NUMAB_SKIP_SHARED_RO, "shared_ro" ) \ + EM( NUMAB_SKIP_INACCESSIBLE, "inaccessible" ) \ + EM( NUMAB_SKIP_SCAN_DELAY, "scan_delay" ) \ +- EMe(NUMAB_SKIP_PID_INACTIVE, "pid_inactive" ) ++ EM( NUMAB_SKIP_PID_INACTIVE, "pid_inactive" ) \ ++ EMe(NUMAB_SKIP_IGNORE_PID, "ignore_pid_inactive" ) + + /* Redefine for export. */ + #undef EM +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 07363b73ccdcc..03eb1cab320d8 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3188,7 +3188,7 @@ static void reset_ptenuma_scan(struct task_struct *p) + p->mm->numa_scan_offset = 0; + } + +-static bool vma_is_accessed(struct vm_area_struct *vma) ++static bool vma_is_accessed(struct mm_struct *mm, struct vm_area_struct *vma) + { + unsigned long pids; + /* +@@ -3201,7 +3201,19 @@ static bool vma_is_accessed(struct vm_area_struct *vma) + return true; + + pids = vma->numab_state->pids_active[0] | vma->numab_state->pids_active[1]; +- return test_bit(hash_32(current->pid, ilog2(BITS_PER_LONG)), &pids); ++ if (test_bit(hash_32(current->pid, ilog2(BITS_PER_LONG)), &pids)) ++ return true; ++ ++ /* ++ * Complete a scan that has already started regardless of PID access, or ++ * some VMAs may never be scanned in multi-threaded applications: ++ */ ++ if (mm->numa_scan_offset > vma->vm_start) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_IGNORE_PID); ++ return true; ++ } ++ ++ return false; + } + + #define VMA_PID_RESET_PERIOD (4 * sysctl_numa_balancing_scan_delay) +@@ -3345,7 +3357,7 @@ static void task_numa_work(struct callback_head *work) + } + + /* Do not scan the VMA if task has not accessed */ +- if (!vma_is_accessed(vma)) { ++ if (!vma_is_accessed(mm, vma)) { + trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_PID_INACTIVE); + continue; + } +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-document-vma_numab_state-fields.patch b/queue-6.6/sched-numa-document-vma_numab_state-fields.patch new file mode 100644 index 00000000000..d8ef546ae58 --- /dev/null +++ b/queue-6.6/sched-numa-document-vma_numab_state-fields.patch @@ -0,0 +1,59 @@ +From 98489685b6a47250d198629b7edcedab9b3529dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:38 +0100 +Subject: sched/numa: Document vma_numab_state fields + +From: Mel Gorman + +[ Upstream commit 9ae5c00ea2e600a8b823f9b95606dd244f3096bf ] + +Document the intended usage of the fields. + +[ mingo: Reformatted to take less vertical space & tidied it up. ] + +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20231010083143.19593-2-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + include/linux/mm_types.h | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index ba25777ec0a71..b53a13d15bbae 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -551,8 +551,29 @@ struct vma_lock { + }; + + struct vma_numab_state { ++ /* ++ * Initialised as time in 'jiffies' after which VMA ++ * should be scanned. Delays first scan of new VMA by at ++ * least sysctl_numa_balancing_scan_delay: ++ */ + unsigned long next_scan; ++ ++ /* ++ * Time in jiffies when access_pids[] is reset to ++ * detect phase change behaviour: ++ */ + unsigned long next_pid_reset; ++ ++ /* ++ * Approximate tracking of PIDs that trapped a NUMA hinting ++ * fault. May produce false positives due to hash collisions. ++ * ++ * [0] Previous PID tracking ++ * [1] Current PID tracking ++ * ++ * Window moves after next_pid_reset has expired approximately ++ * every VMA_PID_RESET_PERIOD jiffies: ++ */ + unsigned long access_pids[2]; + }; + +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-fix-the-vma-scan-starving-issue.patch b/queue-6.6/sched-numa-fix-the-vma-scan-starving-issue.patch new file mode 100644 index 00000000000..580e4d5d93a --- /dev/null +++ b/queue-6.6/sched-numa-fix-the-vma-scan-starving-issue.patch @@ -0,0 +1,140 @@ +From d086055a82fc3d3e926bd973e024e26792e39e59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 19:29:58 +0800 +Subject: sched/numa: Fix the vma scan starving issue + +From: Yujie Liu + +[ Upstream commit f22cde4371f3c624e947a35b075c06c771442a43 ] + +Problem statement: +Since commit fc137c0ddab2 ("sched/numa: enhance vma scanning logic"), the +Numa vma scan overhead has been reduced a lot. Meanwhile, the reducing of +the vma scan might create less Numa page fault information. The +insufficient information makes it harder for the Numa balancer to make +decision. Later, commit b7a5b537c55c08 ("sched/numa: Complete scanning of +partial VMAs regardless of PID activity") and commit 84db47ca7146d7 +("sched/numa: Fix mm numa_scan_seq based unconditional scan") are found to +bring back part of the performance. + +Recently when running SPECcpu omnetpp_r on a 320 CPUs/2 Sockets system, a +long duration of remote Numa node read was observed by PMU events: A few +cores having ~500MB/s remote memory access for ~20 seconds. It causes +high core-to-core variance and performance penalty. After the +investigation, it is found that many vmas are skipped due to the active +PID check. According to the trace events, in most cases, +vma_is_accessed() returns false because the history access info stored in +pids_active array has been cleared. + +Proposal: +The main idea is to adjust vma_is_accessed() to let it return true easier. +Thus compare the diff between mm->numa_scan_seq and +vma->numab_state->prev_scan_seq. If the diff has exceeded the threshold, +scan the vma. + +This patch especially helps the cases where there are small number of +threads, like the process-based SPECcpu. Without this patch, if the +SPECcpu process access the vma at the beginning, then sleeps for a long +time, the pid_active array will be cleared. A a result, if this process +is woken up again, it never has a chance to set prot_none anymore. +Because only the first 2 times of access is granted for vma scan: +(current->mm->numa_scan_seq) - vma->numab_state->start_scan_seq) < 2 to be +worse, no other threads within the task can help set the prot_none. This +causes information lost. + +Raghavendra helped test current patch and got the positive result +on the AMD platform: + +autonumabench NUMA01 + base patched +Amean syst-NUMA01 194.05 ( 0.00%) 165.11 * 14.92%* +Amean elsp-NUMA01 324.86 ( 0.00%) 315.58 * 2.86%* + +Duration User 380345.36 368252.04 +Duration System 1358.89 1156.23 +Duration Elapsed 2277.45 2213.25 + +autonumabench NUMA02 + +Amean syst-NUMA02 1.12 ( 0.00%) 1.09 * 2.93%* +Amean elsp-NUMA02 3.50 ( 0.00%) 3.56 * -1.84%* + +Duration User 1513.23 1575.48 +Duration System 8.33 8.13 +Duration Elapsed 28.59 29.71 + +kernbench + +Amean user-256 22935.42 ( 0.00%) 22535.19 * 1.75%* +Amean syst-256 7284.16 ( 0.00%) 7608.72 * -4.46%* +Amean elsp-256 159.01 ( 0.00%) 158.17 * 0.53%* + +Duration User 68816.41 67615.74 +Duration System 21873.94 22848.08 +Duration Elapsed 506.66 504.55 + +Intel 256 CPUs/2 Sockets: +autonuma benchmark also shows improvements: + + v6.10-rc5 v6.10-rc5 + +patch +Amean syst-NUMA01 245.85 ( 0.00%) 230.84 * 6.11%* +Amean syst-NUMA01_THREADLOCAL 205.27 ( 0.00%) 191.86 * 6.53%* +Amean syst-NUMA02 18.57 ( 0.00%) 18.09 * 2.58%* +Amean syst-NUMA02_SMT 2.63 ( 0.00%) 2.54 * 3.47%* +Amean elsp-NUMA01 517.17 ( 0.00%) 526.34 * -1.77%* +Amean elsp-NUMA01_THREADLOCAL 99.92 ( 0.00%) 100.59 * -0.67%* +Amean elsp-NUMA02 15.81 ( 0.00%) 15.72 * 0.59%* +Amean elsp-NUMA02_SMT 13.23 ( 0.00%) 12.89 * 2.53%* + + v6.10-rc5 v6.10-rc5 + +patch +Duration User 1064010.16 1075416.23 +Duration System 3307.64 3104.66 +Duration Elapsed 4537.54 4604.73 + +The SPECcpu remote node access issue disappears with the patch applied. + +Link: https://lkml.kernel.org/r/20240827112958.181388-1-yu.c.chen@intel.com +Fixes: fc137c0ddab2 ("sched/numa: enhance vma scanning logic") +Signed-off-by: Chen Yu +Co-developed-by: Chen Yu +Signed-off-by: Yujie Liu +Reported-by: Xiaoping Zhou +Reviewed-and-tested-by: Raghavendra K T +Acked-by: Mel Gorman +Cc: "Chen, Tim C" +Cc: Ingo Molnar +Cc: Juri Lelli +Cc: Peter Zijlstra +Cc: Raghavendra K T +Cc: Vincent Guittot +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 0af2be3ee849e..5eb4807bad209 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3213,6 +3213,15 @@ static bool vma_is_accessed(struct mm_struct *mm, struct vm_area_struct *vma) + return true; + } + ++ /* ++ * This vma has not been accessed for a while, and if the number ++ * the threads in the same process is low, which means no other ++ * threads can help scan this vma, force a vma scan. ++ */ ++ if (READ_ONCE(mm->numa_scan_seq) > ++ (vma->numab_state->prev_scan_seq + get_nr_threads(current))) ++ return true; ++ + return false; + } + +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-move-up-the-access-pid-reset-logic.patch b/queue-6.6/sched-numa-move-up-the-access-pid-reset-logic.patch new file mode 100644 index 00000000000..9a14f486230 --- /dev/null +++ b/queue-6.6/sched-numa-move-up-the-access-pid-reset-logic.patch @@ -0,0 +1,66 @@ +From 59f08aaa4f550d687dea3de6884abdc7c8e921c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:41 +0100 +Subject: sched/numa: Move up the access pid reset logic + +From: Raghavendra K T + +[ Upstream commit 2e2675db1906ac04809f5399bf1f5e30d56a6f3e ] + +Recent NUMA hinting faulting activity is reset approximately every +VMA_PID_RESET_PERIOD milliseconds. However, if the current task has not +accessed a VMA then the reset check is missed and the reset is potentially +deferred forever. Check if the PID activity information should be reset +before checking if the current task recently trapped a NUMA hinting fault. + +[ mgorman@techsingularity.net: Rewrite changelog ] + +Suggested-by: Mel Gorman +Signed-off-by: Raghavendra K T +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20231010083143.19593-5-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 7c5f6e94b3cdc..07363b73ccdcc 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3335,16 +3335,7 @@ static void task_numa_work(struct callback_head *work) + continue; + } + +- /* Do not scan the VMA if task has not accessed */ +- if (!vma_is_accessed(vma)) { +- trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_PID_INACTIVE); +- continue; +- } +- +- /* +- * RESET access PIDs regularly for old VMAs. Resetting after checking +- * vma for recent access to avoid clearing PID info before access.. +- */ ++ /* RESET access PIDs regularly for old VMAs. */ + if (mm->numa_scan_seq && + time_after(jiffies, vma->numab_state->pids_active_reset)) { + vma->numab_state->pids_active_reset = vma->numab_state->pids_active_reset + +@@ -3353,6 +3344,12 @@ static void task_numa_work(struct callback_head *work) + vma->numab_state->pids_active[1] = 0; + } + ++ /* Do not scan the VMA if task has not accessed */ ++ if (!vma_is_accessed(vma)) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_PID_INACTIVE); ++ continue; ++ } ++ + do { + start = max(start, vma->vm_start); + end = ALIGN(start + (pages << PAGE_SHIFT), HPAGE_SIZE); +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-rename-vma_numab_state-access_pids-pids_a.patch b/queue-6.6/sched-numa-rename-vma_numab_state-access_pids-pids_a.patch new file mode 100644 index 00000000000..e6e233aecc5 --- /dev/null +++ b/queue-6.6/sched-numa-rename-vma_numab_state-access_pids-pids_a.patch @@ -0,0 +1,109 @@ +From 33f45aab25b8e7f36b1e7a9fbc4fa1bc375b6e89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:39 +0100 +Subject: sched/numa: Rename vma_numab_state::access_pids[] => ::pids_active[], + ::next_pid_reset => ::pids_active_reset + +From: Mel Gorman + +[ Upstream commit f3a6c97940fbd25d6c84c2d5642338fc99a9b35b ] + +The access_pids[] field name is somewhat ambiguous as no PIDs are accessed. +Similarly, it's not clear that next_pid_reset is related to access_pids[]. +Rename the fields to more accurately reflect their purpose. + +[ mingo: Rename in the comments too. ] + +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20231010083143.19593-3-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 4 ++-- + include/linux/mm_types.h | 6 +++--- + kernel/sched/fair.c | 12 ++++++------ + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 830b925c2d005..b6a4d6471b4a7 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1732,8 +1732,8 @@ static inline void vma_set_access_pid_bit(struct vm_area_struct *vma) + unsigned int pid_bit; + + pid_bit = hash_32(current->pid, ilog2(BITS_PER_LONG)); +- if (vma->numab_state && !test_bit(pid_bit, &vma->numab_state->access_pids[1])) { +- __set_bit(pid_bit, &vma->numab_state->access_pids[1]); ++ if (vma->numab_state && !test_bit(pid_bit, &vma->numab_state->pids_active[1])) { ++ __set_bit(pid_bit, &vma->numab_state->pids_active[1]); + } + } + #else /* !CONFIG_NUMA_BALANCING */ +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index b53a13d15bbae..80d9d1b7685c6 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -559,10 +559,10 @@ struct vma_numab_state { + unsigned long next_scan; + + /* +- * Time in jiffies when access_pids[] is reset to ++ * Time in jiffies when pids_active[] is reset to + * detect phase change behaviour: + */ +- unsigned long next_pid_reset; ++ unsigned long pids_active_reset; + + /* + * Approximate tracking of PIDs that trapped a NUMA hinting +@@ -574,7 +574,7 @@ struct vma_numab_state { + * Window moves after next_pid_reset has expired approximately + * every VMA_PID_RESET_PERIOD jiffies: + */ +- unsigned long access_pids[2]; ++ unsigned long pids_active[2]; + }; + + /* +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 5fc0d9cc9d9d7..d07fb0a0da808 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3200,7 +3200,7 @@ static bool vma_is_accessed(struct vm_area_struct *vma) + if (READ_ONCE(current->mm->numa_scan_seq) < 2) + return true; + +- pids = vma->numab_state->access_pids[0] | vma->numab_state->access_pids[1]; ++ pids = vma->numab_state->pids_active[0] | vma->numab_state->pids_active[1]; + return test_bit(hash_32(current->pid, ilog2(BITS_PER_LONG)), &pids); + } + +@@ -3316,7 +3316,7 @@ static void task_numa_work(struct callback_head *work) + msecs_to_jiffies(sysctl_numa_balancing_scan_delay); + + /* Reset happens after 4 times scan delay of scan start */ +- vma->numab_state->next_pid_reset = vma->numab_state->next_scan + ++ vma->numab_state->pids_active_reset = vma->numab_state->next_scan + + msecs_to_jiffies(VMA_PID_RESET_PERIOD); + } + +@@ -3337,11 +3337,11 @@ static void task_numa_work(struct callback_head *work) + * vma for recent access to avoid clearing PID info before access.. + */ + if (mm->numa_scan_seq && +- time_after(jiffies, vma->numab_state->next_pid_reset)) { +- vma->numab_state->next_pid_reset = vma->numab_state->next_pid_reset + ++ time_after(jiffies, vma->numab_state->pids_active_reset)) { ++ vma->numab_state->pids_active_reset = vma->numab_state->pids_active_reset + + msecs_to_jiffies(VMA_PID_RESET_PERIOD); +- vma->numab_state->access_pids[0] = READ_ONCE(vma->numab_state->access_pids[1]); +- vma->numab_state->access_pids[1] = 0; ++ vma->numab_state->pids_active[0] = READ_ONCE(vma->numab_state->pids_active[1]); ++ vma->numab_state->pids_active[1] = 0; + } + + do { +-- +2.43.0 + diff --git a/queue-6.6/sched-numa-trace-decisions-related-to-skipping-vmas.patch b/queue-6.6/sched-numa-trace-decisions-related-to-skipping-vmas.patch new file mode 100644 index 00000000000..ee997bb6be7 --- /dev/null +++ b/queue-6.6/sched-numa-trace-decisions-related-to-skipping-vmas.patch @@ -0,0 +1,161 @@ +From cca0ec561a59223e0cdfc1ba489f060cb4ab286b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:31:40 +0100 +Subject: sched/numa: Trace decisions related to skipping VMAs + +From: Mel Gorman + +[ Upstream commit ed2da8b725b932b1e2b2f4835bb664d47ed03031 ] + +NUMA balancing skips or scans VMAs for a variety of reasons. In preparation +for completing scans of VMAs regardless of PID access, trace the reasons +why a VMA was skipped. In a later patch, the tracing will be used to track +if a VMA was forcibly scanned. + +Signed-off-by: Mel Gorman +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20231010083143.19593-4-mgorman@techsingularity.net +Stable-dep-of: f22cde4371f3 ("sched/numa: Fix the vma scan starving issue") +Signed-off-by: Sasha Levin +--- + include/linux/sched/numa_balancing.h | 8 +++++ + include/trace/events/sched.h | 50 ++++++++++++++++++++++++++++ + kernel/sched/fair.c | 17 +++++++--- + 3 files changed, 71 insertions(+), 4 deletions(-) + +diff --git a/include/linux/sched/numa_balancing.h b/include/linux/sched/numa_balancing.h +index 3988762efe15c..c127a1509e2fa 100644 +--- a/include/linux/sched/numa_balancing.h ++++ b/include/linux/sched/numa_balancing.h +@@ -15,6 +15,14 @@ + #define TNF_FAULT_LOCAL 0x08 + #define TNF_MIGRATE_FAIL 0x10 + ++enum numa_vmaskip_reason { ++ NUMAB_SKIP_UNSUITABLE, ++ NUMAB_SKIP_SHARED_RO, ++ NUMAB_SKIP_INACCESSIBLE, ++ NUMAB_SKIP_SCAN_DELAY, ++ NUMAB_SKIP_PID_INACTIVE, ++}; ++ + #ifdef CONFIG_NUMA_BALANCING + extern void task_numa_fault(int last_node, int node, int pages, int flags); + extern pid_t task_numa_group_id(struct task_struct *p); +diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h +index fbb99a61f714c..b0d0dbf491ea6 100644 +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -664,6 +664,56 @@ DEFINE_EVENT(sched_numa_pair_template, sched_swap_numa, + TP_ARGS(src_tsk, src_cpu, dst_tsk, dst_cpu) + ); + ++#ifdef CONFIG_NUMA_BALANCING ++#define NUMAB_SKIP_REASON \ ++ EM( NUMAB_SKIP_UNSUITABLE, "unsuitable" ) \ ++ EM( NUMAB_SKIP_SHARED_RO, "shared_ro" ) \ ++ EM( NUMAB_SKIP_INACCESSIBLE, "inaccessible" ) \ ++ EM( NUMAB_SKIP_SCAN_DELAY, "scan_delay" ) \ ++ EMe(NUMAB_SKIP_PID_INACTIVE, "pid_inactive" ) ++ ++/* Redefine for export. */ ++#undef EM ++#undef EMe ++#define EM(a, b) TRACE_DEFINE_ENUM(a); ++#define EMe(a, b) TRACE_DEFINE_ENUM(a); ++ ++NUMAB_SKIP_REASON ++ ++/* Redefine for symbolic printing. */ ++#undef EM ++#undef EMe ++#define EM(a, b) { a, b }, ++#define EMe(a, b) { a, b } ++ ++TRACE_EVENT(sched_skip_vma_numa, ++ ++ TP_PROTO(struct mm_struct *mm, struct vm_area_struct *vma, ++ enum numa_vmaskip_reason reason), ++ ++ TP_ARGS(mm, vma, reason), ++ ++ TP_STRUCT__entry( ++ __field(unsigned long, numa_scan_offset) ++ __field(unsigned long, vm_start) ++ __field(unsigned long, vm_end) ++ __field(enum numa_vmaskip_reason, reason) ++ ), ++ ++ TP_fast_assign( ++ __entry->numa_scan_offset = mm->numa_scan_offset; ++ __entry->vm_start = vma->vm_start; ++ __entry->vm_end = vma->vm_end; ++ __entry->reason = reason; ++ ), ++ ++ TP_printk("numa_scan_offset=%lX vm_start=%lX vm_end=%lX reason=%s", ++ __entry->numa_scan_offset, ++ __entry->vm_start, ++ __entry->vm_end, ++ __print_symbolic(__entry->reason, NUMAB_SKIP_REASON)) ++); ++#endif /* CONFIG_NUMA_BALANCING */ + + /* + * Tracepoint for waking a polling cpu without an IPI. +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d07fb0a0da808..7c5f6e94b3cdc 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3285,6 +3285,7 @@ static void task_numa_work(struct callback_head *work) + do { + if (!vma_migratable(vma) || !vma_policy_mof(vma) || + is_vm_hugetlb_page(vma) || (vma->vm_flags & VM_MIXEDMAP)) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_UNSUITABLE); + continue; + } + +@@ -3295,15 +3296,19 @@ static void task_numa_work(struct callback_head *work) + * as migrating the pages will be of marginal benefit. + */ + if (!vma->vm_mm || +- (vma->vm_file && (vma->vm_flags & (VM_READ|VM_WRITE)) == (VM_READ))) ++ (vma->vm_file && (vma->vm_flags & (VM_READ|VM_WRITE)) == (VM_READ))) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_SHARED_RO); + continue; ++ } + + /* + * Skip inaccessible VMAs to avoid any confusion between + * PROT_NONE and NUMA hinting ptes + */ +- if (!vma_is_accessible(vma)) ++ if (!vma_is_accessible(vma)) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_INACCESSIBLE); + continue; ++ } + + /* Initialise new per-VMA NUMAB state. */ + if (!vma->numab_state) { +@@ -3325,12 +3330,16 @@ static void task_numa_work(struct callback_head *work) + * delay the scan for new VMAs. + */ + if (mm->numa_scan_seq && time_before(jiffies, +- vma->numab_state->next_scan)) ++ vma->numab_state->next_scan)) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_SCAN_DELAY); + continue; ++ } + + /* Do not scan the VMA if task has not accessed */ +- if (!vma_is_accessed(vma)) ++ if (!vma_is_accessed(vma)) { ++ trace_sched_skip_vma_numa(mm, vma, NUMAB_SKIP_PID_INACTIVE); + continue; ++ } + + /* + * RESET access PIDs regularly for old VMAs. Resetting after checking +-- +2.43.0 + diff --git a/queue-6.6/scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch b/queue-6.6/scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch new file mode 100644 index 00000000000..596a9bbd6ee --- /dev/null +++ b/queue-6.6/scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch @@ -0,0 +1,43 @@ +From ebfabde530e26708dd338be98a55e8c4e7d9d94e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 14:29:05 +0300 +Subject: scsi: elx: libefc: Fix potential use after free in + efc_nport_vport_del() + +From: Dan Carpenter + +[ Upstream commit 2e4b02fad094976763af08fec2c620f4f8edd9ae ] + +The kref_put() function will call nport->release if the refcount drops to +zero. The nport->release release function is _efc_nport_free() which frees +"nport". But then we dereference "nport" on the next line which is a use +after free. Re-order these lines to avoid the use after free. + +Fixes: fcd427303eb9 ("scsi: elx: libefc: SLI and FC PORT state machine interfaces") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/b666ab26-6581-4213-9a3d-32a9147f0399@stanley.mountain +Reviewed-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/elx/libefc/efc_nport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/elx/libefc/efc_nport.c b/drivers/scsi/elx/libefc/efc_nport.c +index 2e83a667901fe..1a7437f4328e8 100644 +--- a/drivers/scsi/elx/libefc/efc_nport.c ++++ b/drivers/scsi/elx/libefc/efc_nport.c +@@ -705,9 +705,9 @@ efc_nport_vport_del(struct efc *efc, struct efc_domain *domain, + spin_lock_irqsave(&efc->lock, flags); + list_for_each_entry(nport, &domain->nport_list, list_entry) { + if (nport->wwpn == wwpn && nport->wwnn == wwnn) { +- kref_put(&nport->ref, nport->release); + /* Shutdown this NPORT */ + efc_sm_post_event(&nport->sm, EFC_EVT_SHUTDOWN, NULL); ++ kref_put(&nport->ref, nport->release); + break; + } + } +-- +2.43.0 + diff --git a/queue-6.6/scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch b/queue-6.6/scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch new file mode 100644 index 00000000000..71a842550a4 --- /dev/null +++ b/queue-6.6/scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch @@ -0,0 +1,135 @@ +From 254a58d768b19353159bed06fea5998afa7ba254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 13:36:28 +1000 +Subject: scsi: NCR5380: Check for phase match during PDMA fixup + +From: Finn Thain + +[ Upstream commit 5768718da9417331803fc4bc090544c2a93b88dc ] + +It's not an error for a target to change the bus phase during a transfer. +Unfortunately, the FLAG_DMA_FIXUP workaround does not allow for that -- a +phase change produces a DRQ timeout error and the device borken flag will +be set. + +Check the phase match bit during FLAG_DMA_FIXUP processing. Don't forget to +decrement the command residual. While we are here, change shost_printk() +into scmd_printk() for better consistency with other DMA error messages. + +Tested-by: Stan Johnson +Fixes: 55181be8ced1 ("ncr5380: Replace redundant flags with FLAG_NO_DMA_FIXUP") +Signed-off-by: Finn Thain +Link: https://lore.kernel.org/r/99dc7d1f4c825621b5b120963a69f6cd3e9ca659.1723001788.git.fthain@linux-m68k.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/NCR5380.c | 78 +++++++++++++++++++++--------------------- + 1 file changed, 39 insertions(+), 39 deletions(-) + +diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c +index cea3a79d538e4..00e245173320c 100644 +--- a/drivers/scsi/NCR5380.c ++++ b/drivers/scsi/NCR5380.c +@@ -1485,6 +1485,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance, + unsigned char **data) + { + struct NCR5380_hostdata *hostdata = shost_priv(instance); ++ struct NCR5380_cmd *ncmd = NCR5380_to_ncmd(hostdata->connected); + int c = *count; + unsigned char p = *phase; + unsigned char *d = *data; +@@ -1496,7 +1497,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance, + return -1; + } + +- NCR5380_to_ncmd(hostdata->connected)->phase = p; ++ ncmd->phase = p; + + if (p & SR_IO) { + if (hostdata->read_overruns) +@@ -1608,45 +1609,44 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance, + * request. + */ + +- if (hostdata->flags & FLAG_DMA_FIXUP) { +- if (p & SR_IO) { +- /* +- * The workaround was to transfer fewer bytes than we +- * intended to with the pseudo-DMA read function, wait for +- * the chip to latch the last byte, read it, and then disable +- * pseudo-DMA mode. +- * +- * After REQ is asserted, the NCR5380 asserts DRQ and ACK. +- * REQ is deasserted when ACK is asserted, and not reasserted +- * until ACK goes false. Since the NCR5380 won't lower ACK +- * until DACK is asserted, which won't happen unless we twiddle +- * the DMA port or we take the NCR5380 out of DMA mode, we +- * can guarantee that we won't handshake another extra +- * byte. +- */ +- +- if (NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, +- BASR_DRQ, BASR_DRQ, 0) < 0) { +- result = -1; +- shost_printk(KERN_ERR, instance, "PDMA read: DRQ timeout\n"); +- } +- if (NCR5380_poll_politely(hostdata, STATUS_REG, +- SR_REQ, 0, 0) < 0) { +- result = -1; +- shost_printk(KERN_ERR, instance, "PDMA read: !REQ timeout\n"); +- } +- d[*count - 1] = NCR5380_read(INPUT_DATA_REG); +- } else { +- /* +- * Wait for the last byte to be sent. If REQ is being asserted for +- * the byte we're interested, we'll ACK it and it will go false. +- */ +- if (NCR5380_poll_politely2(hostdata, +- BUS_AND_STATUS_REG, BASR_DRQ, BASR_DRQ, +- BUS_AND_STATUS_REG, BASR_PHASE_MATCH, 0, 0) < 0) { +- result = -1; +- shost_printk(KERN_ERR, instance, "PDMA write: DRQ and phase timeout\n"); ++ if ((hostdata->flags & FLAG_DMA_FIXUP) && ++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) { ++ /* ++ * The workaround was to transfer fewer bytes than we ++ * intended to with the pseudo-DMA receive function, wait for ++ * the chip to latch the last byte, read it, and then disable ++ * DMA mode. ++ * ++ * After REQ is asserted, the NCR5380 asserts DRQ and ACK. ++ * REQ is deasserted when ACK is asserted, and not reasserted ++ * until ACK goes false. Since the NCR5380 won't lower ACK ++ * until DACK is asserted, which won't happen unless we twiddle ++ * the DMA port or we take the NCR5380 out of DMA mode, we ++ * can guarantee that we won't handshake another extra ++ * byte. ++ * ++ * If sending, wait for the last byte to be sent. If REQ is ++ * being asserted for the byte we're interested, we'll ACK it ++ * and it will go false. ++ */ ++ if (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, ++ BASR_DRQ, BASR_DRQ, 0)) { ++ if ((p & SR_IO) && ++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) { ++ if (!NCR5380_poll_politely(hostdata, STATUS_REG, ++ SR_REQ, 0, 0)) { ++ d[c] = NCR5380_read(INPUT_DATA_REG); ++ --ncmd->this_residual; ++ } else { ++ result = -1; ++ scmd_printk(KERN_ERR, hostdata->connected, ++ "PDMA fixup: !REQ timeout\n"); ++ } + } ++ } else if (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH) { ++ result = -1; ++ scmd_printk(KERN_ERR, hostdata->connected, ++ "PDMA fixup: DRQ timeout\n"); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/scsi-smartpqi-revert-propagate-the-multipath-failure.patch b/queue-6.6/scsi-smartpqi-revert-propagate-the-multipath-failure.patch new file mode 100644 index 00000000000..e638ab8ca69 --- /dev/null +++ b/queue-6.6/scsi-smartpqi-revert-propagate-the-multipath-failure.patch @@ -0,0 +1,93 @@ +From 6e67fa9a5b68b3a0a1dc7b195909f1918a1df431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 14:47:02 -0500 +Subject: scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly + +From: Gilbert Wu + +[ Upstream commit f1393d52e6cda9c20f12643cbecf1e1dc357e0e2 ] + +Correct a rare multipath failure issue by reverting commit 94a68c814328 +("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") [1]. + +Reason for revert: The patch propagated the path failure to SML quickly +when one of the path fails during IO and AIO path gets disabled for a +multipath device. + +But it created a new issue: when creating a volume on an encryption-enabled +controller, the firmware reports the AIO path is disabled, which cause the +driver to report a path failure to SML for a multipath device. + +There will be a new fix to handle "Illegal request" and "Invalid field in +parameter list" on RAID path when the AIO path is disabled on a multipath +device. + +[1] https://lore.kernel.org/all/164375209313.440833.9992416628621839233.stgit@brunhilda.pdev.net/ + +Fixes: 94a68c814328 ("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") +Reviewed-by: Scott Benesh +Reviewed-by: Scott Teel +Reviewed-by: Mike McGowen +Signed-off-by: Gilbert Wu +Signed-off-by: Don Brace +Link: https://lore.kernel.org/r/20240711194704.982400-4-don.brace@microchip.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 20 ++------------------ + 1 file changed, 2 insertions(+), 18 deletions(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 868453b18c9ae..2ae64cda8bc9e 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -2355,14 +2355,6 @@ static inline void pqi_mask_device(u8 *scsi3addr) + scsi3addr[3] |= 0xc0; + } + +-static inline bool pqi_is_multipath_device(struct pqi_scsi_dev *device) +-{ +- if (pqi_is_logical_device(device)) +- return false; +- +- return (device->path_map & (device->path_map - 1)) != 0; +-} +- + static inline bool pqi_expose_device(struct pqi_scsi_dev *device) + { + return !device->is_physical_device || !pqi_skip_device(device->scsi3addr); +@@ -3259,14 +3251,12 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request) + int residual_count; + int xfer_count; + bool device_offline; +- struct pqi_scsi_dev *device; + + scmd = io_request->scmd; + error_info = io_request->error_info; + host_byte = DID_OK; + sense_data_length = 0; + device_offline = false; +- device = scmd->device->hostdata; + + switch (error_info->service_response) { + case PQI_AIO_SERV_RESPONSE_COMPLETE: +@@ -3291,14 +3281,8 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request) + break; + case PQI_AIO_STATUS_AIO_PATH_DISABLED: + pqi_aio_path_disabled(io_request); +- if (pqi_is_multipath_device(device)) { +- pqi_device_remove_start(device); +- host_byte = DID_NO_CONNECT; +- scsi_status = SAM_STAT_CHECK_CONDITION; +- } else { +- scsi_status = SAM_STAT_GOOD; +- io_request->status = -EAGAIN; +- } ++ scsi_status = SAM_STAT_GOOD; ++ io_request->status = -EAGAIN; + break; + case PQI_AIO_STATUS_NO_PATH_TO_DEVICE: + case PQI_AIO_STATUS_INVALID_DEVICE: +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-add-a-cgroup-prog-bpf_get_ns_current_p.patch b/queue-6.6/selftests-bpf-add-a-cgroup-prog-bpf_get_ns_current_p.patch new file mode 100644 index 00000000000..0f65e3f24be --- /dev/null +++ b/queue-6.6/selftests-bpf-add-a-cgroup-prog-bpf_get_ns_current_p.patch @@ -0,0 +1,145 @@ +From 96739b5f9076b0b049f1d73e5dc8f60c3f54db38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 11:49:10 -0700 +Subject: selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test + +From: Yonghong Song + +[ Upstream commit 87ade6cd859ea9dbde6e80b3fcf717ed9a73b4a9 ] + +Add a cgroup bpf program test where the bpf program is running +in a pid namespace. The test is successfully: + #165/3 ns_current_pid_tgid/new_ns_cgrp:OK + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240315184910.2976522-1-yonghong.song@linux.dev +Stable-dep-of: 21f0b0af9772 ("selftests/bpf: Fix include of ") +Signed-off-by: Sasha Levin +--- + .../bpf/prog_tests/ns_current_pid_tgid.c | 73 +++++++++++++++++++ + .../bpf/progs/test_ns_current_pid_tgid.c | 7 ++ + 2 files changed, 80 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +index 847d7b70e2902..fded38d24aae4 100644 +--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include "network_helpers.h" + + #define STACK_SIZE (1024 * 1024) + static char child_stack[STACK_SIZE]; +@@ -74,6 +75,50 @@ static int test_current_pid_tgid_tp(void *args) + return ret; + } + ++static int test_current_pid_tgid_cgrp(void *args) ++{ ++ struct test_ns_current_pid_tgid__bss *bss; ++ struct test_ns_current_pid_tgid *skel; ++ int server_fd = -1, ret = -1, err; ++ int cgroup_fd = *(int *)args; ++ pid_t tgid, pid; ++ ++ skel = test_ns_current_pid_tgid__open(); ++ if (!ASSERT_OK_PTR(skel, "test_ns_current_pid_tgid__open")) ++ return ret; ++ ++ bpf_program__set_autoload(skel->progs.cgroup_bind4, true); ++ ++ err = test_ns_current_pid_tgid__load(skel); ++ if (!ASSERT_OK(err, "test_ns_current_pid_tgid__load")) ++ goto cleanup; ++ ++ bss = skel->bss; ++ if (get_pid_tgid(&pid, &tgid, bss)) ++ goto cleanup; ++ ++ skel->links.cgroup_bind4 = bpf_program__attach_cgroup( ++ skel->progs.cgroup_bind4, cgroup_fd); ++ if (!ASSERT_OK_PTR(skel->links.cgroup_bind4, "bpf_program__attach_cgroup")) ++ goto cleanup; ++ ++ server_fd = start_server(AF_INET, SOCK_STREAM, NULL, 0, 0); ++ if (!ASSERT_GE(server_fd, 0, "start_server")) ++ goto cleanup; ++ ++ if (!ASSERT_EQ(bss->user_pid, pid, "pid")) ++ goto cleanup; ++ if (!ASSERT_EQ(bss->user_tgid, tgid, "tgid")) ++ goto cleanup; ++ ret = 0; ++ ++cleanup: ++ if (server_fd >= 0) ++ close(server_fd); ++ test_ns_current_pid_tgid__destroy(skel); ++ return ret; ++} ++ + static void test_ns_current_pid_tgid_new_ns(int (*fn)(void *), void *arg) + { + int wstatus; +@@ -95,6 +140,25 @@ static void test_ns_current_pid_tgid_new_ns(int (*fn)(void *), void *arg) + return; + } + ++static void test_in_netns(int (*fn)(void *), void *arg) ++{ ++ struct nstoken *nstoken = NULL; ++ ++ SYS(cleanup, "ip netns add ns_current_pid_tgid"); ++ SYS(cleanup, "ip -net ns_current_pid_tgid link set dev lo up"); ++ ++ nstoken = open_netns("ns_current_pid_tgid"); ++ if (!ASSERT_OK_PTR(nstoken, "open_netns")) ++ goto cleanup; ++ ++ test_ns_current_pid_tgid_new_ns(fn, arg); ++ ++cleanup: ++ if (nstoken) ++ close_netns(nstoken); ++ SYS_NOFAIL("ip netns del ns_current_pid_tgid"); ++} ++ + /* TODO: use a different tracepoint */ + void serial_test_ns_current_pid_tgid(void) + { +@@ -102,4 +166,13 @@ void serial_test_ns_current_pid_tgid(void) + test_current_pid_tgid_tp(NULL); + if (test__start_subtest("new_ns_tp")) + test_ns_current_pid_tgid_new_ns(test_current_pid_tgid_tp, NULL); ++ if (test__start_subtest("new_ns_cgrp")) { ++ int cgroup_fd = -1; ++ ++ cgroup_fd = test__join_cgroup("/sock_addr"); ++ if (ASSERT_GE(cgroup_fd, 0, "join_cgroup")) { ++ test_in_netns(test_current_pid_tgid_cgrp, &cgroup_fd); ++ close(cgroup_fd); ++ } ++ } + } +diff --git a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c +index aa3ec7ca16d9b..d0010e698f668 100644 +--- a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c +@@ -28,4 +28,11 @@ int tp_handler(const void *ctx) + return 0; + } + ++SEC("?cgroup/bind4") ++int cgroup_bind4(struct bpf_sock_addr *ctx) ++{ ++ get_pid_tgid(); ++ return 1; ++} ++ + char _license[] SEC("license") = "GPL"; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-add-cflags-per-source-file-and-runner.patch b/queue-6.6/selftests-bpf-add-cflags-per-source-file-and-runner.patch new file mode 100644 index 00000000000..5baff1f1e57 --- /dev/null +++ b/queue-6.6/selftests-bpf-add-cflags-per-source-file-and-runner.patch @@ -0,0 +1,74 @@ +From 9dec3f426657b877ee039dc484522c80e0286e63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 13:22:19 +0100 +Subject: selftests/bpf: Add CFLAGS per source file and runner + +From: Cupertino Miranda + +[ Upstream commit 207cf6e649ee551ab3bdb1cfe1b2848e6a4337a5 ] + +This patch adds support to specify CFLAGS per source file and per test +runner. + +Signed-off-by: Cupertino Miranda +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20240507122220.207820-2-cupertino.miranda@oracle.com +Stable-dep-of: 3ece93a4087b ("selftests/bpf: Fix wrong binary in Makefile log output") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 24b85060df779..0093d1161c6ee 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -60,11 +60,11 @@ TEST_INST_SUBDIRS += bpf_gcc + # The following tests contain C code that, although technically legal, + # triggers GCC warnings that cannot be disabled: declaration of + # anonymous struct types in function parameter lists. +-progs/btf_dump_test_case_bitfields.c-CFLAGS := -Wno-error +-progs/btf_dump_test_case_namespacing.c-CFLAGS := -Wno-error +-progs/btf_dump_test_case_packing.c-CFLAGS := -Wno-error +-progs/btf_dump_test_case_padding.c-CFLAGS := -Wno-error +-progs/btf_dump_test_case_syntax.c-CFLAGS := -Wno-error ++progs/btf_dump_test_case_bitfields.c-bpf_gcc-CFLAGS := -Wno-error ++progs/btf_dump_test_case_namespacing.c-bpf_gcc-CFLAGS := -Wno-error ++progs/btf_dump_test_case_packing.c-bpf_gcc-CFLAGS := -Wno-error ++progs/btf_dump_test_case_padding.c-bpf_gcc-CFLAGS := -Wno-error ++progs/btf_dump_test_case_syntax.c-bpf_gcc-CFLAGS := -Wno-error + endif + + ifneq ($(CLANG_CPUV4),) +@@ -451,7 +451,7 @@ LINKED_BPF_SRCS := $(patsubst %.bpf.o,%.c,$(foreach skel,$(LINKED_SKELS),$($(ske + # $eval()) and pass control to DEFINE_TEST_RUNNER_RULES. + # Parameters: + # $1 - test runner base binary name (e.g., test_progs) +-# $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, gcc-bpf, etc) ++# $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, bpf_gcc, etc) + define DEFINE_TEST_RUNNER + + TRUNNER_OUTPUT := $(OUTPUT)$(if $2,/)$2 +@@ -479,7 +479,7 @@ endef + # Using TRUNNER_XXX variables, provided by callers of DEFINE_TEST_RUNNER and + # set up by DEFINE_TEST_RUNNER itself, create test runner build rules with: + # $1 - test runner base binary name (e.g., test_progs) +-# $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, gcc-bpf, etc) ++# $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, bpf_gcc, etc) + define DEFINE_TEST_RUNNER_RULES + + ifeq ($($(TRUNNER_OUTPUT)-dir),) +@@ -502,7 +502,8 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \ + | $(TRUNNER_OUTPUT) $$(BPFOBJ) + $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \ + $(TRUNNER_BPF_CFLAGS) \ +- $$($$<-CFLAGS)) ++ $$($$<-CFLAGS) \ ++ $$($$<-$2-CFLAGS)) + + $(TRUNNER_BPF_SKELS): %.skel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT) + $$(call msg,GEN-SKEL,$(TRUNNER_BINARY),$$@) +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-drop-unneeded-error.h-includes.patch b/queue-6.6/selftests-bpf-drop-unneeded-error.h-includes.patch new file mode 100644 index 00000000000..2d03bfe1163 --- /dev/null +++ b/queue-6.6/selftests-bpf-drop-unneeded-error.h-includes.patch @@ -0,0 +1,69 @@ +From 779c42dee0cd127f8e6df64badf7d69037b2b663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:31 -0700 +Subject: selftests/bpf: Drop unneeded error.h includes + +From: Tony Ambardar + +[ Upstream commit 69f409469c9b1515a5db40d5a36fda372376fa2d ] + +The addition of general support for unprivileged tests in test_loader.c +breaks building test_verifier on non-glibc (e.g. musl) systems, due to the +inclusion of glibc extension '' in 'unpriv_helpers.c'. However, +the header is actually not needed, so remove it to restore building. + +Similarly for sk_lookup.c and flow_dissector.c, error.h is not necessary +and causes problems, so drop them. + +Fixes: 1d56ade032a4 ("selftests/bpf: Unprivileged tests for test_loader.c") +Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point") +Fixes: 0905beec9f52 ("selftests/bpf: run flow dissector tests in skb-less mode") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/5664367edf5fea4f3f4b4aec3b182bcfc6edff9c.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 - + tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 1 - + tools/testing/selftests/bpf/unpriv_helpers.c | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +index 9e5f38739104b..9625e6d217913 100644 +--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c ++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +@@ -1,7 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include +-#include + #include + #include + +diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c +index de2466547efe0..a1ab0af004549 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c ++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c +@@ -18,7 +18,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff --git a/tools/testing/selftests/bpf/unpriv_helpers.c b/tools/testing/selftests/bpf/unpriv_helpers.c +index 2a6efbd0401e5..762e4b5ec9557 100644 +--- a/tools/testing/selftests/bpf/unpriv_helpers.c ++++ b/tools/testing/selftests/bpf/unpriv_helpers.c +@@ -2,7 +2,6 @@ + + #include + #include +-#include + #include + + #include "unpriv_helpers.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch b/queue-6.6/selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch new file mode 100644 index 00000000000..bde9d14331d --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch @@ -0,0 +1,105 @@ +From 12cda87dd2d99097fd0328bf8e0c705fcbefccc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:18 -0700 +Subject: selftests/bpf: Fix arg parsing in veristat, test_progs + +From: Tony Ambardar + +[ Upstream commit 03bfcda1fbc37ef34aa21d2b9e09138335afc6ee ] + +Current code parses arguments with strtok_r() using a construct like + + char *state = NULL; + while ((next = strtok_r(state ? NULL : input, ",", &state))) { + ... + } + +where logic assumes the 'state' var can distinguish between first and +subsequent strtok_r() calls, and adjusts parameters accordingly. However, +'state' is strictly internal context for strtok_r() and no such assumptions +are supported in the man page. Moreover, the exact behaviour of 'state' +depends on the libc implementation, making the above code fragile. + +Indeed, invoking "./test_progs -t " on mips64el/musl will hang, +with the above code in an infinite loop. + +Similarly, we see strange behaviour running 'veristat' on mips64el/musl: + + $ ./veristat -e file,prog,verdict,insns -C two-ok add-failure + Can't specify more than 9 stats + +Rewrite code using a counter to distinguish between strtok_r() calls. + +Fixes: 61ddff373ffa ("selftests/bpf: Improve by-name subtest selection logic in prog_tests") +Fixes: 394169b079b5 ("selftests/bpf: add comparison mode to veristat") +Fixes: c8bc5e050976 ("selftests/bpf: Add veristat tool for mass-verifying BPF object files") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/392d8bf5559f85fa37926c1494e62312ef252c3d.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/testing_helpers.c | 4 ++-- + tools/testing/selftests/bpf/veristat.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c +index 8d994884c7b44..6acffe0426f01 100644 +--- a/tools/testing/selftests/bpf/testing_helpers.c ++++ b/tools/testing/selftests/bpf/testing_helpers.c +@@ -220,13 +220,13 @@ int parse_test_list(const char *s, + bool is_glob_pattern) + { + char *input, *state = NULL, *test_spec; +- int err = 0; ++ int err = 0, cnt = 0; + + input = strdup(s); + if (!input) + return -ENOMEM; + +- while ((test_spec = strtok_r(state ? NULL : input, ",", &state))) { ++ while ((test_spec = strtok_r(cnt++ ? NULL : input, ",", &state))) { + err = insert_test(set, test_spec, is_glob_pattern); + if (err) + break; +diff --git a/tools/testing/selftests/bpf/veristat.c b/tools/testing/selftests/bpf/veristat.c +index 0ad98b6a8e6ef..611b5a0a6f7e3 100644 +--- a/tools/testing/selftests/bpf/veristat.c ++++ b/tools/testing/selftests/bpf/veristat.c +@@ -753,13 +753,13 @@ static int parse_stat(const char *stat_name, struct stat_specs *specs) + static int parse_stats(const char *stats_str, struct stat_specs *specs) + { + char *input, *state = NULL, *next; +- int err; ++ int err, cnt = 0; + + input = strdup(stats_str); + if (!input) + return -ENOMEM; + +- while ((next = strtok_r(state ? NULL : input, ",", &state))) { ++ while ((next = strtok_r(cnt++ ? NULL : input, ",", &state))) { + err = parse_stat(next, specs); + if (err) + return err; +@@ -1444,7 +1444,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs, + while (fgets(line, sizeof(line), f)) { + char *input = line, *state = NULL, *next; + struct verif_stats *st = NULL; +- int col = 0; ++ int col = 0, cnt = 0; + + if (!header) { + void *tmp; +@@ -1462,7 +1462,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs, + *stat_cntp += 1; + } + +- while ((next = strtok_r(state ? NULL : input, ",\n", &state))) { ++ while ((next = strtok_r(cnt++ ? NULL : input, ",\n", &state))) { + if (header) { + /* for the first line, set up spec stats */ + err = parse_stat(next, specs); +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-c-compile-error-from-missing-_bool.patch b/queue-6.6/selftests-bpf-fix-c-compile-error-from-missing-_bool.patch new file mode 100644 index 00000000000..fdd68e6df3e --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-c-compile-error-from-missing-_bool.patch @@ -0,0 +1,55 @@ +From 286ee9dfeb546f29fbdf97eba4c4e2159b648cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:20 -0700 +Subject: selftests/bpf: Fix C++ compile error from missing _Bool type + +From: Tony Ambardar + +[ Upstream commit aa95073fd290b5b3e45f067fa22bb25e59e1ff7c ] + +While building, bpftool makes a skeleton from test_core_extern.c, which +itself includes and uses the 'bool' type. However, the skeleton +test_core_extern.skel.h generated *does not* include or use the +'bool' type, instead using the C-only '_Bool' type. Compiling test_cpp.cpp +with g++ 12.3 for mips64el/musl-libc then fails with error: + + In file included from test_cpp.cpp:9: + test_core_extern.skel.h:45:17: error: '_Bool' does not name a type + 45 | _Bool CONFIG_BOOL; + | ^~~~~ + +This was likely missed previously because glibc uses a GNU extension for + with C++ (#define _Bool bool), not supported by musl libc. + +Normally, a C fragment would include and use the 'bool' type, +and thus cleanly work after import by C++. The ideal fix would be for +'bpftool gen skeleton' to output the correct type/include supporting C++, +but in the meantime add a conditional define as above. + +Fixes: 7c8dce4b1661 ("bpftool: Make skeleton C code compilable with C++ compiler") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/6fc1dd28b8bda49e51e4f610bdc9d22f4455632d.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_cpp.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/bpf/test_cpp.cpp b/tools/testing/selftests/bpf/test_cpp.cpp +index f4936834f76f4..435341c254208 100644 +--- a/tools/testing/selftests/bpf/test_cpp.cpp ++++ b/tools/testing/selftests/bpf/test_cpp.cpp +@@ -6,6 +6,10 @@ + #include + #include + #include ++ ++#ifndef _Bool ++#define _Bool bool ++#endif + #include "test_core_extern.skel.h" + + template +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch b/queue-6.6/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch new file mode 100644 index 00000000000..d726c8f4304 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch @@ -0,0 +1,57 @@ +From 546292bb91b90331706906cb7da11a44c355c791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:29 -0700 +Subject: selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c + +From: Tony Ambardar + +[ Upstream commit d393f9479d4aaab0fa4c3caf513f28685e831f13 ] + +Cast 'rlim_t' argument to match expected type of printf() format and avoid +compile errors seen building for mips64el/musl-libc: + + In file included from map_tests/sk_storage_map.c:20: + map_tests/sk_storage_map.c: In function 'test_sk_storage_map_stress_free': + map_tests/sk_storage_map.c:414:56: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rlim_t' {aka 'long long unsigned int'} [-Werror=format=] + 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", + | ^~~~~~~~~~~~~~~~~~~~~~~ + 415 | rlim_new.rlim_cur, errno); + | ~~~~~~~~~~~~~~~~~ + | | + | rlim_t {aka long long unsigned int} + ./test_maps.h:12:24: note: in definition of macro 'CHECK' + 12 | printf(format); \ + | ^~~~~~ + map_tests/sk_storage_map.c:414:68: note: format string is defined here + 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", + | ~~^ + | | + | long unsigned int + | %llu + cc1: all warnings being treated as errors + +Fixes: 51a0e301a563 ("bpf: Add BPF_MAP_TYPE_SK_STORAGE test to test_maps") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/1e00a1fa7acf91b4ca135c4102dc796d518bad86.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/map_tests/sk_storage_map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c +index 18405c3b7cee9..af10c309359a7 100644 +--- a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c ++++ b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c +@@ -412,7 +412,7 @@ static void test_sk_storage_map_stress_free(void) + rlim_new.rlim_max = rlim_new.rlim_cur + 128; + err = setrlimit(RLIMIT_NOFILE, &rlim_new); + CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", +- rlim_new.rlim_cur, errno); ++ (unsigned long) rlim_new.rlim_cur, errno); + } + + err = do_sk_storage_map_stress_free(); +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compile-if-backtrace-support-missi.patch b/queue-6.6/selftests-bpf-fix-compile-if-backtrace-support-missi.patch new file mode 100644 index 00000000000..72e5b8c1ca0 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compile-if-backtrace-support-missi.patch @@ -0,0 +1,70 @@ +From ab41463a615186de62ea9c92ac94c7941bff9008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:22 -0700 +Subject: selftests/bpf: Fix compile if backtrace support missing in libc + +From: Tony Ambardar + +[ Upstream commit c9a83e76b5a96801a2c7ea0a79ca77c356d8b38d ] + +Include GNU header only with glibc and provide weak, stubbed +backtrace functions as a fallback in test_progs.c. This allows for non-GNU +replacements while avoiding compile errors (e.g. with musl libc) like: + + test_progs.c:13:10: fatal error: execinfo.h: No such file or directory + 13 | #include /* backtrace */ + | ^~~~~~~~~~~~ + test_progs.c: In function 'crash_handler': + test_progs.c:1034:14: error: implicit declaration of function 'backtrace' [-Werror=implicit-function-declaration] + 1034 | sz = backtrace(bt, ARRAY_SIZE(bt)); + | ^~~~~~~~~ + test_progs.c:1045:9: error: implicit declaration of function 'backtrace_symbols_fd' [-Werror=implicit-function-declaration] + 1045 | backtrace_symbols_fd(bt, sz, STDERR_FILENO); + | ^~~~~~~~~~~~~~~~~~~~ + +Fixes: 9fb156bb82a3 ("selftests/bpf: Print backtrace on SIGSEGV in test_progs") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/aa6dc8e23710cb457b278039d0081de7e7b4847d.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_progs.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c +index eed0e4fcf42ef..74620ed3a166e 100644 +--- a/tools/testing/selftests/bpf/test_progs.c ++++ b/tools/testing/selftests/bpf/test_progs.c +@@ -10,7 +10,6 @@ + #include + #include + #include +-#include /* backtrace */ + #include /* get_nprocs */ + #include + #include +@@ -19,6 +18,21 @@ + #include + #include "json_writer.h" + ++#ifdef __GLIBC__ ++#include /* backtrace */ ++#endif ++ ++/* Default backtrace funcs if missing at link */ ++__weak int backtrace(void **buffer, int size) ++{ ++ return 0; ++} ++ ++__weak void backtrace_symbols_fd(void *const *buffer, int size, int fd) ++{ ++ dprintf(fd, "\n"); ++} ++ + static bool verbose(void) + { + return env.verbosity > VERBOSE_NONE; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch b/queue-6.6/selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch new file mode 100644 index 00000000000..8f2ab4e9581 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch @@ -0,0 +1,43 @@ +From 52fd35a43da2a5c963df2953669a7cb7b7f758ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:42 -0700 +Subject: selftests/bpf: Fix compiling core_reloc.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit debfa4f628f271f72933bf38d581cc53cfe1def5 ] + +The type 'loff_t' is a GNU extension and not exposed by the musl 'fcntl.h' +header unless _GNU_SOURCE is defined. Add this definition to fix errors +seen compiling for mips64el/musl-libc: + + In file included from tools/testing/selftests/bpf/prog_tests/core_reloc.c:4: + ./bpf_testmod/bpf_testmod.h:10:9: error: unknown type name 'loff_t' + 10 | loff_t off; + | ^~~~~~ + ./bpf_testmod/bpf_testmod.h:16:9: error: unknown type name 'loff_t' + 16 | loff_t off; + | ^~~~~~ + +Fixes: 6bcd39d366b6 ("selftests/bpf: Add CO-RE relocs selftest relying on kernel module BTF") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/11c3af75a7eb6bcb7ad9acfae6a6f470c572eb82.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/core_reloc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/core_reloc.c b/tools/testing/selftests/bpf/prog_tests/core_reloc.c +index 47f42e6801056..26019313e1fc2 100644 +--- a/tools/testing/selftests/bpf/prog_tests/core_reloc.c ++++ b/tools/testing/selftests/bpf/prog_tests/core_reloc.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include "progs/core_reloc_types.h" + #include "bpf_testmod/bpf_testmod.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch b/queue-6.6/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch new file mode 100644 index 00000000000..2570847fe9c --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch @@ -0,0 +1,46 @@ +From 028af87e6f8fbd4d3bb4620898c6a6c7e7d478cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:40 -0700 +Subject: selftests/bpf: Fix compiling flow_dissector.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit 5e4c43bcb85973243d7274e0058b6e8f5810e4f7 ] + +The GNU version of 'struct tcphdr' has members 'doff', 'source' and 'dest', +which are not exposed by musl libc headers unless _GNU_SOURCE is defined. + +Add this definition to fix errors seen compiling for mips64el/musl-libc: + + flow_dissector.c:118:30: error: 'struct tcphdr' has no member named 'doff' + 118 | .tcp.doff = 5, + | ^~~~ + flow_dissector.c:119:30: error: 'struct tcphdr' has no member named 'source' + 119 | .tcp.source = 80, + | ^~~~~~ + flow_dissector.c:120:30: error: 'struct tcphdr' has no member named 'dest' + 120 | .tcp.dest = 8080, + | ^~~~ + +Fixes: ae173a915785 ("selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/8f7ab21a73f678f9cebd32b26c444a686e57414d.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +index 9625e6d217913..3171047414a7d 100644 +--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c ++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch b/queue-6.6/selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch new file mode 100644 index 00000000000..4e04f0fe9d9 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch @@ -0,0 +1,41 @@ +From 0ee5436dd659d4078d51f5a2299ace19f67a405a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:39 -0700 +Subject: selftests/bpf: Fix compiling kfree_skb.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit bae9a5ce7d3a9b3a9e07b31ab9e9c58450e3e9fd ] + +The GNU version of 'struct tcphdr' with member 'doff' is not exposed by +musl headers unless _GNU_SOURCE is defined. Add this definition to fix +errors seen compiling for mips64el/musl-libc: + + In file included from kfree_skb.c:2: + kfree_skb.c: In function 'on_sample': + kfree_skb.c:45:30: error: 'struct tcphdr' has no member named 'doff' + 45 | if (CHECK(pkt_v6->tcp.doff != 5, "check_tcp", + | ^ + +Fixes: 580d656d80cf ("selftests/bpf: Add kfree_skb raw_tp test") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/e2d8cedc790959c10d6822a51f01a7a3616bea1b.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c +index c07991544a789..34f8822fd2219 100644 +--- a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c ++++ b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include + #include "kfree_skb.skel.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch b/queue-6.6/selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch new file mode 100644 index 00000000000..f440b96d6cd --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch @@ -0,0 +1,44 @@ +From 64f8962cf66ed19008b12b5d8277228e8ab080c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:38 -0700 +Subject: selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit 4c329b99ef9c118343379bde9f97e8ce5cac9fc9 ] + +The GNU version of 'struct tcphdr', with members 'doff' and 'urg_ptr', is +not exposed by musl headers unless _GNU_SOURCE is defined. + +Add this definition to fix errors seen compiling for mips64el/musl-libc: + + parse_tcp_hdr_opt.c:18:21: error: 'struct tcphdr' has no member named 'urg_ptr' + 18 | .pk6_v6.tcp.urg_ptr = 123, + | ^~~~~~~ + parse_tcp_hdr_opt.c:19:21: error: 'struct tcphdr' has no member named 'doff' + 19 | .pk6_v6.tcp.doff = 9, /* 16 bytes of options */ + | ^~~~ + +Fixes: cfa7b011894d ("selftests/bpf: tests for using dynptrs to parse skb and xdp buffers") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/ac5440213c242c62cb4e0d9e0a9cd5058b6a31f6.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c +index daa952711d8fd..e9c07d561ded6 100644 +--- a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c ++++ b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + ++#define _GNU_SOURCE + #include + #include + #include "test_parse_tcp_hdr_opt.skel.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch b/queue-6.6/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch new file mode 100644 index 00000000000..cd9dc931d4b --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch @@ -0,0 +1,43 @@ +From 671e7bc6abc85ca6478f9f639d4dd9f35836d29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:41 -0700 +Subject: selftests/bpf: Fix compiling tcp_rtt.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit 18826fb0b79c3c3cd1fe765d85f9c6f1a902c722 ] + +The GNU version of 'struct tcp_info' in 'netinet/tcp.h' is not exposed by +musl headers unless _GNU_SOURCE is defined. + +Add this definition to fix errors seen compiling for mips64el/musl-libc: + + tcp_rtt.c: In function 'wait_for_ack': + tcp_rtt.c:24:25: error: storage size of 'info' isn't known + 24 | struct tcp_info info; + | ^~~~ + tcp_rtt.c:24:25: error: unused variable 'info' [-Werror=unused-variable] + cc1: all warnings being treated as errors + +Fixes: 1f4f80fed217 ("selftests/bpf: test_progs: convert test_tcp_rtt") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/f2329767b15df206f08a5776d35a47c37da855ae.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c +index 8fe84da1b9b49..6a2da7a64419a 100644 +--- a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c ++++ b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include "cgroup_helpers.h" + #include "network_helpers.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch b/queue-6.6/selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch new file mode 100644 index 00000000000..af715468e3e --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch @@ -0,0 +1,59 @@ +From d320eb4823dcaed0c9af7bab0246334a9778318f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:30 -0700 +Subject: selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl + libc + +From: Tony Ambardar + +[ Upstream commit 7b10f0c227ce3fa055d601f058dc411092a62a78 ] + +Existing code calls getsockname() with a 'struct sockaddr_in6 *' argument +where a 'struct sockaddr *' argument is declared, yielding compile errors +when building for mips64el/musl-libc: + + bpf_iter_setsockopt.c: In function 'get_local_port': + bpf_iter_setsockopt.c:98:30: error: passing argument 2 of 'getsockname' from incompatible pointer type [-Werror=incompatible-pointer-types] + 98 | if (!getsockname(fd, &addr, &addrlen)) + | ^~~~~ + | | + | struct sockaddr_in6 * + In file included from .../netinet/in.h:10, + from .../arpa/inet.h:9, + from ./test_progs.h:17, + from bpf_iter_setsockopt.c:5: + .../sys/socket.h:391:23: note: expected 'struct sockaddr * restrict' but argument is of type 'struct sockaddr_in6 *' + 391 | int getsockname (int, struct sockaddr *__restrict, socklen_t *__restrict); + | ^ + cc1: all warnings being treated as errors + +This compiled under glibc only because the argument is declared to be a +"funky" transparent union which includes both types above. Explicitly cast +the argument to allow compiling for both musl and glibc. + +Fixes: eed92afdd14c ("bpf: selftest: Test batching and bpf_(get|set)sockopt in bpf tcp iter") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Acked-by: Geliang Tang +Link: https://lore.kernel.org/bpf/f41def0f17b27a23b1709080e4e3f37f4cc11ca9.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c +index b52ff8ce34db8..16bed9dd8e6a3 100644 +--- a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c ++++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c +@@ -95,7 +95,7 @@ static unsigned short get_local_port(int fd) + struct sockaddr_in6 addr; + socklen_t addrlen = sizeof(addr); + +- if (!getsockname(fd, &addr, &addrlen)) ++ if (!getsockname(fd, (struct sockaddr *)&addr, &addrlen)) + return ntohs(addr.sin6_port); + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch b/queue-6.6/selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch new file mode 100644 index 00000000000..ff110006dc7 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch @@ -0,0 +1,106 @@ +From 9807c794cc405857bd4c71538a229d2d8b8c3489 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:24 -0700 +Subject: selftests/bpf: Fix error compiling tc_redirect.c with musl libc + +From: Tony Ambardar + +[ Upstream commit 21c5f4f55da759c7444a1ef13e90b6e6f674eeeb ] + +Linux 5.1 implemented 64-bit time types and related syscalls to address the +Y2038 problem generally across archs. Userspace handling of Y2038 varies +with the libc however. While musl libc uses 64-bit time across all 32-bit +and 64-bit platforms, GNU glibc uses 64-bit time on 64-bit platforms but +defaults to 32-bit time on 32-bit platforms unless they "opt-in" to 64-bit +time or explicitly use 64-bit syscalls and time structures. + +One specific area is the standard setsockopt() call, SO_TIMESTAMPNS option +used for timestamping, and the related output 'struct timespec'. GNU glibc +defaults as above, also exposing the SO_TIMESTAMPNS_NEW flag to explicitly +use a 64-bit call and 'struct __kernel_timespec'. Since these are not +exposed or needed with musl libc, their use in tc_redirect.c leads to +compile errors building for mips64el/musl: + + tc_redirect.c: In function 'rcv_tstamp': + tc_redirect.c:425:32: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'? + 425 | cmsg->cmsg_type == SO_TIMESTAMPNS_NEW) + | ^~~~~~~~~~~~~~~~~~ + | SO_TIMESTAMPNS + tc_redirect.c:425:32: note: each undeclared identifier is reported only once for each function it appears in + tc_redirect.c: In function 'test_inet_dtime': + tc_redirect.c:491:49: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'? + 491 | err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW, + | ^~~~~~~~~~~~~~~~~~ + | SO_TIMESTAMPNS + +However, using SO_TIMESTAMPNS_NEW isn't strictly needed, nor is Y2038 being +explicitly tested. The timestamp checks in tc_redirect.c are simple: the +packet receive timestamp is non-zero and processed/handled in less than 5 +seconds. + +Switch to using the standard setsockopt() call and SO_TIMESTAMPNS option to +ensure compatibility across glibc and musl libc. In the worst-case, there +is a 5-second window 14 years from now where tc_redirect tests may fail on +32-bit systems. However, we should reasonably expect glibc to adopt a +64-bit mandate rather than the current "opt-in" policy before the Y2038 +roll-over. + +Fixes: ce6f6cffaeaa ("selftests/bpf: Wait for the netstamp_needed_key static key to be turned on") +Fixes: c803475fd8dd ("bpf: selftests: test skb->tstamp in redirect_neigh") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/031d656c058b4e55ceae56ef49c4e1729b5090f3.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/tc_redirect.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c +index af3c31f82a8ae..5a64017335875 100644 +--- a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c +@@ -421,7 +421,7 @@ static int set_forwarding(bool enable) + + static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp) + { +- struct __kernel_timespec pkt_ts = {}; ++ struct timespec pkt_ts = {}; + char ctl[CMSG_SPACE(sizeof(pkt_ts))]; + struct timespec now_ts; + struct msghdr msg = {}; +@@ -445,7 +445,7 @@ static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp) + + cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg && cmsg->cmsg_level == SOL_SOCKET && +- cmsg->cmsg_type == SO_TIMESTAMPNS_NEW) ++ cmsg->cmsg_type == SO_TIMESTAMPNS) + memcpy(&pkt_ts, CMSG_DATA(cmsg), sizeof(pkt_ts)); + + pkt_ns = pkt_ts.tv_sec * NSEC_PER_SEC + pkt_ts.tv_nsec; +@@ -487,9 +487,9 @@ static int wait_netstamp_needed_key(void) + if (!ASSERT_GE(srv_fd, 0, "start_server")) + goto done; + +- err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW, ++ err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS, + &opt, sizeof(opt)); +- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)")) ++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)")) + goto done; + + cli_fd = connect_to_fd(srv_fd, TIMEOUT_MILLIS); +@@ -571,9 +571,9 @@ static void test_inet_dtime(int family, int type, const char *addr, __u16 port) + return; + + /* Ensure the kernel puts the (rcv) timestamp for all skb */ +- err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW, ++ err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS, + &opt, sizeof(opt)); +- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)")) ++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)")) + goto done; + + if (type == SOCK_STREAM) { +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-error-compiling-test_lru_map.c.patch b/queue-6.6/selftests-bpf-fix-error-compiling-test_lru_map.c.patch new file mode 100644 index 00000000000..647e00886ff --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-error-compiling-test_lru_map.c.patch @@ -0,0 +1,46 @@ +From 1cc57aa2f313408160c8778949e4493cdc1a9a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:19 -0700 +Subject: selftests/bpf: Fix error compiling test_lru_map.c + +From: Tony Ambardar + +[ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ] + +Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe, +the sequencing can raise compile errors, so move the increment outside the +macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc: + + In file included from test_lru_map.c:11: + test_lru_map.c: In function 'sched_next_online': + test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point] + 129 | CPU_SET(next++, &cpuset); + | ^ + cc1: all warnings being treated as errors + +Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_lru_map.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c +index 4d0650cfb5cd8..fda7589c50236 100644 +--- a/tools/testing/selftests/bpf/test_lru_map.c ++++ b/tools/testing/selftests/bpf/test_lru_map.c +@@ -126,7 +126,8 @@ static int sched_next_online(int pid, int *next_to_try) + + while (next < nr_cpus) { + CPU_ZERO(&cpuset); +- CPU_SET(next++, &cpuset); ++ CPU_SET(next, &cpuset); ++ next++; + if (!sched_setaffinity(pid, sizeof(cpuset), &cpuset)) { + ret = 0; + break; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch b/queue-6.6/selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch new file mode 100644 index 00000000000..49fb3564ce5 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch @@ -0,0 +1,45 @@ +From ef0aab35a556f9faf1fadfdb06bc6a4b8020c886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 17:13:29 -0700 +Subject: selftests/bpf: Fix error linking uprobe_multi on mips + +From: Tony Ambardar + +[ Upstream commit a5f40d596bff182b4b47547712f540885e8fb17b ] + +Linking uprobe_multi.c on mips64el fails due to relocation overflows, when +the GOT entries required exceeds the default maximum. Add a specific CFLAGS +(-mxgot) for uprobe_multi.c on MIPS that allows using a larger GOT and +avoids errors such as: + + /tmp/ccBTNQzv.o: in function `bench': + uprobe_multi.c:49:(.text+0x1d7720): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08188' + uprobe_multi.c:49:(.text+0x1d7730): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08189' + ... + collect2: error: ld returned 1 exit status + +Fixes: 519dfeaf5119 ("selftests/bpf: Add uprobe_multi test program") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/14eb7b70f8ccef9834874d75eb373cb9292129da.1721692479.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index caede9b574cb1..598cd118dfd65 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -702,6 +702,8 @@ $(OUTPUT)/veristat: $(OUTPUT)/veristat.o + $(call msg,BINARY,,$@) + $(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(filter %.a %.o,$^) $(LDLIBS) -o $@ + ++# Linking uprobe_multi can fail due to relocation overflows on mips. ++$(OUTPUT)/uprobe_multi: CFLAGS += $(if $(filter mips, $(ARCH)),-mxgot) + $(OUTPUT)/uprobe_multi: uprobe_multi.c + $(call msg,BINARY,,$@) + $(Q)$(CC) $(CFLAGS) $(LDFLAGS) $^ $(LDLIBS) -o $@ +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-errors-compiling-cg_storage_multi..patch b/queue-6.6/selftests-bpf-fix-errors-compiling-cg_storage_multi..patch new file mode 100644 index 00000000000..64a2b1fd36b --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-errors-compiling-cg_storage_multi..patch @@ -0,0 +1,49 @@ +From 0547bbfbe620937ccaec47ae9737f00684b6ecb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:46 -0700 +Subject: selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc + +From: Tony Ambardar + +[ Upstream commit 730561d3c08d4a327cceaabf11365958a1c00cec ] + +Remove a redundant include of '', whose needed definitions are +already included (via '') in cg_storage_multi_egress_only.c, +cg_storage_multi_isolated.c, and cg_storage_multi_shared.c. This avoids +redefinition errors seen compiling for mips64el/musl-libc like: + + In file included from progs/cg_storage_multi_egress_only.c:13: + In file included from progs/cg_storage_multi.h:6: + In file included from /usr/mips64el-linux-gnuabi64/include/asm/types.h:23: + /usr/include/asm-generic/int-l64.h:29:25: error: typedef redefinition with different types ('long' vs 'long long') + 29 | typedef __signed__ long __s64; + | ^ + /usr/include/asm-generic/int-ll64.h:30:44: note: previous definition is here + 30 | __extension__ typedef __signed__ long long __s64; + | ^ + +Fixes: 9e5bd1f7633b ("selftests/bpf: Test CGROUP_STORAGE map can't be used by multiple progs") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/4f4702e9f6115b7f84fea01b2326ca24c6df7ba8.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/cg_storage_multi.h | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/cg_storage_multi.h b/tools/testing/selftests/bpf/progs/cg_storage_multi.h +index a0778fe7857a1..41d59f0ee606c 100644 +--- a/tools/testing/selftests/bpf/progs/cg_storage_multi.h ++++ b/tools/testing/selftests/bpf/progs/cg_storage_multi.h +@@ -3,8 +3,6 @@ + #ifndef __PROGS_CG_STORAGE_MULTI_H + #define __PROGS_CG_STORAGE_MULTI_H + +-#include +- + struct cgroup_value { + __u32 egress_pkts; + __u32 ingress_pkts; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch b/queue-6.6/selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch new file mode 100644 index 00000000000..c65f33339b4 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch @@ -0,0 +1,60 @@ +From 52539c2ed084aa930999e775f05f5c7a97445cbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:44 -0700 +Subject: selftests/bpf: Fix errors compiling decap_sanity.c with musl libc + +From: Tony Ambardar + +[ Upstream commit 1b00f355130a5dfc38a01ad02458ae2cb2ebe609 ] + +Remove a redundant include of '', whose needed definitions are +already provided by 'test_progs.h'. This avoids errors seen compiling for +mips64el/musl-libc: + + In file included from .../arpa/inet.h:9, + from ./test_progs.h:17, + from prog_tests/decap_sanity.c:9: + .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr' + 23 | struct in6_addr { + | ^~~~~~~~ + In file included from decap_sanity.c:7: + .../linux/in6.h:33:8: note: originally defined here + 33 | struct in6_addr { + | ^~~~~~~~ + .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' + 34 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ + .../linux/in6.h:50:8: note: originally defined here + 50 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ + .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' + 42 | struct ipv6_mreq { + | ^~~~~~~~~ + .../linux/in6.h:60:8: note: originally defined here + 60 | struct ipv6_mreq { + | ^~~~~~~~~ + +Fixes: 70a00e2f1dba ("selftests/bpf: Test bpf_skb_adjust_room on CHECKSUM_PARTIAL") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/e986ba2d7edccd254b54f7cd049b98f10bafa8c3.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/decap_sanity.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c +index 5c0ebe6ba8667..95ea5a6a5f18d 100644 +--- a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c ++++ b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include + + #include "test_progs.h" + #include "network_helpers.h" +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch b/queue-6.6/selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch new file mode 100644 index 00000000000..11997444f9e --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch @@ -0,0 +1,59 @@ +From 4d0d288a2df3df75c07bd70e70e2f5b78c7eb15b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:43 -0700 +Subject: selftests/bpf: Fix errors compiling lwt_redirect.c with musl libc + +From: Tony Ambardar + +[ Upstream commit 27c4797ce51c8dd51e35e68e9024a892f62d78b2 ] + +Remove a redundant include of '' which is already provided in +'lwt_helpers.h'. This avoids errors seen compiling for mips64el/musl-libc: + + In file included from .../arpa/inet.h:9, + from lwt_redirect.c:51: + .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr' + 23 | struct in6_addr { + | ^~~~~~~~ + In file included from .../linux/icmp.h:24, + from lwt_redirect.c:50: + .../linux/in6.h:33:8: note: originally defined here + 33 | struct in6_addr { + | ^~~~~~~~ + .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' + 34 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ + .../linux/in6.h:50:8: note: originally defined here + 50 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ + .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' + 42 | struct ipv6_mreq { + | ^~~~~~~~~ + .../linux/in6.h:60:8: note: originally defined here + 60 | struct ipv6_mreq { + | ^~~~~~~~~ + +Fixes: 43a7c3ef8a15 ("selftests/bpf: Add lwt_xmit tests for BPF_REDIRECT") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/3869dda876d5206d2f8d4dd67331c739ceb0c7f8.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/lwt_redirect.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c +index 2bc932a18c17e..ea326e26656f5 100644 +--- a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c +@@ -47,7 +47,6 @@ + #include + #include + #include +-#include + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-flaky-selftest-lwt_redirect-lwt_re.patch b/queue-6.6/selftests-bpf-fix-flaky-selftest-lwt_redirect-lwt_re.patch new file mode 100644 index 00000000000..cf185b676f0 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-flaky-selftest-lwt_redirect-lwt_re.patch @@ -0,0 +1,104 @@ +From c16af2841218e4b271a3b640729f4d57121bd5be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Feb 2024 21:29:14 -0800 +Subject: selftests/bpf: Fix flaky selftest lwt_redirect/lwt_reroute + +From: Yonghong Song + +[ Upstream commit e7f31873176a345d72ca77c7b4da48493ccd9efd ] + +Recently, when running './test_progs -j', I occasionally hit the +following errors: + + test_lwt_redirect:PASS:pthread_create 0 nsec + test_lwt_redirect_run:FAIL:netns_create unexpected error: 256 (errno 0) + #142/2 lwt_redirect/lwt_redirect_normal_nomac:FAIL + #142 lwt_redirect:FAIL + test_lwt_reroute:PASS:pthread_create 0 nsec + test_lwt_reroute_run:FAIL:netns_create unexpected error: 256 (errno 0) + test_lwt_reroute:PASS:pthread_join 0 nsec + #143/2 lwt_reroute/lwt_reroute_qdisc_dropped:FAIL + #143 lwt_reroute:FAIL + +The netns_create() definition looks like below: + + #define NETNS "ns_lwt" + static inline int netns_create(void) + { + return system("ip netns add " NETNS); + } + +One possibility is that both lwt_redirect and lwt_reroute create +netns with the same name "ns_lwt" which may cause conflict. I tried +the following example: + $ sudo ip netns add abc + $ echo $? + 0 + $ sudo ip netns add abc + Cannot create namespace file "/var/run/netns/abc": File exists + $ echo $? + 1 + $ + +The return code for above netns_create() is 256. The internet search +suggests that the return value for 'ip netns add ns_lwt' is 1, which +matches the above 'sudo ip netns add abc' example. + +This patch tried to use different netns names for two tests to avoid +'ip netns add ' failure. + +I ran './test_progs -j' 10 times and all succeeded with +lwt_redirect/lwt_reroute tests. + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Tested-by: Eduard Zingerman +Link: https://lore.kernel.org/bpf/20240205052914.1742687-1-yonghong.song@linux.dev +Stable-dep-of: 16b795cc5952 ("selftests/bpf: Fix redefinition errors compiling lwt_reroute.c") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/lwt_helpers.h | 2 -- + tools/testing/selftests/bpf/prog_tests/lwt_redirect.c | 1 + + tools/testing/selftests/bpf/prog_tests/lwt_reroute.c | 1 + + 3 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_helpers.h b/tools/testing/selftests/bpf/prog_tests/lwt_helpers.h +index 61333f2a03f91..68c08309dbc82 100644 +--- a/tools/testing/selftests/bpf/prog_tests/lwt_helpers.h ++++ b/tools/testing/selftests/bpf/prog_tests/lwt_helpers.h +@@ -27,8 +27,6 @@ + } \ + }) + +-#define NETNS "ns_lwt" +- + static inline int netns_create(void) + { + return system("ip netns add " NETNS); +diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c +index ea326e26656f5..7b458ae5f0f85 100644 +--- a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c +@@ -53,6 +53,7 @@ + #include + #include + ++#define NETNS "ns_lwt_redirect" + #include "lwt_helpers.h" + #include "test_progs.h" + #include "network_helpers.h" +diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c +index f4bb2d5fcae0a..c104f07f1b0bc 100644 +--- a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c ++++ b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c +@@ -48,6 +48,7 @@ + * For case 2, force UDP packets to overflow fq limit. As long as kernel + * is not crashed, it is considered successful. + */ ++#define NETNS "ns_lwt_reroute" + #include "lwt_helpers.h" + #include "network_helpers.h" + #include +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-include-of-sys-fcntl.h.patch b/queue-6.6/selftests-bpf-fix-include-of-sys-fcntl.h.patch new file mode 100644 index 00000000000..c12ece5c60f --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-include-of-sys-fcntl.h.patch @@ -0,0 +1,43 @@ +From 75d0ec5a73f1b4f945d3c54fdc9c296ac23c7eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:37 -0700 +Subject: selftests/bpf: Fix include of + +From: Tony Ambardar + +[ Upstream commit 21f0b0af977203220ad58aff95e372151288ec47 ] + +Update ns_current_pid_tgid.c to use '#include ' and avoid compile +error against mips64el/musl libc: + + In file included from .../prog_tests/ns_current_pid_tgid.c:14: + .../include/sys/fcntl.h:1:2: error: #warning redirecting incorrect #include to [-Werror=cpp] + 1 | #warning redirecting incorrect #include to + | ^~~~~~~ + cc1: all warnings being treated as errors + +Fixes: 09c02d553c49 ("bpf, selftests: Fold test_current_pid_tgid_new_ns into test_progs.") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/8bdc869749177b575025bf69600a4ce591822609.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +index fded38d24aae4..2c57ceede095e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +@@ -11,7 +11,7 @@ + #include + #include + #include +-#include ++#include + #include "network_helpers.h" + + #define STACK_SIZE (1024 * 1024) +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-missing-array_size-definition-in-b.patch b/queue-6.6/selftests-bpf-fix-missing-array_size-definition-in-b.patch new file mode 100644 index 00000000000..c69b0181a2a --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-missing-array_size-definition-in-b.patch @@ -0,0 +1,42 @@ +From cd5f2b21fc9fc762b69372b1d179d1a5826d8d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:34 -0700 +Subject: selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c + +From: Tony Ambardar + +[ Upstream commit d44c93fc2f5a0c47b23fa03d374e45259abd92d2 ] + +Add a "bpf_util.h" include to avoid the following error seen compiling for +mips64el with musl libc: + + bench.c: In function 'find_benchmark': + bench.c:590:25: error: implicit declaration of function 'ARRAY_SIZE' [-Werror=implicit-function-declaration] + 590 | for (i = 0; i < ARRAY_SIZE(benchs); i++) { + | ^~~~~~~~~~ + cc1: all warnings being treated as errors + +Fixes: 8e7c2a023ac0 ("selftests/bpf: Add benchmark runner infrastructure") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/bc4dde77dfcd17a825d8f28f72f3292341966810.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/bench.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/bench.c b/tools/testing/selftests/bpf/bench.c +index 73ce11b0547da..b705cbabe1e2f 100644 +--- a/tools/testing/selftests/bpf/bench.c ++++ b/tools/testing/selftests/bpf/bench.c +@@ -10,6 +10,7 @@ + #include + #include + #include "bench.h" ++#include "bpf_util.h" + #include "testing_helpers.h" + + struct env env = { +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-missing-build_bug_on-declaration.patch b/queue-6.6/selftests-bpf-fix-missing-build_bug_on-declaration.patch new file mode 100644 index 00000000000..a37e8d489d8 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-missing-build_bug_on-declaration.patch @@ -0,0 +1,42 @@ +From 119c934ac1b62bedb32e1d0171c414e3ddb91c22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:36 -0700 +Subject: selftests/bpf: Fix missing BUILD_BUG_ON() declaration + +From: Tony Ambardar + +[ Upstream commit 6495eb79ca7d15bd87c38d77307e8f9b6b7bf4ef ] + +Explicitly include '' to fix errors seen compiling with +gcc targeting mips64el/musl-libc: + + user_ringbuf.c: In function 'test_user_ringbuf_loop': + user_ringbuf.c:426:9: error: implicit declaration of function 'BUILD_BUG_ON' [-Werror=implicit-function-declaration] + 426 | BUILD_BUG_ON(total_samples <= c_max_entries); + | ^~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Fixes: e5a9df51c746 ("selftests/bpf: Add selftests validating the user ringbuf") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/b28575f9221ec54871c46a2e87612bb4bbf46ccd.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c +index e51721df14fc1..dfff6feac12c3 100644 +--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c ++++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c +@@ -4,6 +4,7 @@ + #define _GNU_SOURCE + #include + #include ++#include + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-missing-uint_max-definitions-in-be.patch b/queue-6.6/selftests-bpf-fix-missing-uint_max-definitions-in-be.patch new file mode 100644 index 00000000000..0159c490a3d --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-missing-uint_max-definitions-in-be.patch @@ -0,0 +1,48 @@ +From 067abf03a57d07e5ee2500218570b7d7bb2ceea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:35 -0700 +Subject: selftests/bpf: Fix missing UINT_MAX definitions in benchmarks + +From: Tony Ambardar + +[ Upstream commit a2c155131b710959beb508ca6a54769b6b1bd488 ] + +Include in 'bench.h' to provide a UINT_MAX definition and avoid +multiple compile errors against mips64el/musl-libc like: + + benchs/bench_local_storage.c: In function 'parse_arg': + benchs/bench_local_storage.c:40:38: error: 'UINT_MAX' undeclared (first use in this function) + 40 | if (ret < 1 || ret > UINT_MAX) { + | ^~~~~~~~ + benchs/bench_local_storage.c:11:1: note: 'UINT_MAX' is defined in header ''; did you forget to '#include '? + 10 | #include + +++ |+#include + 11 | + +seen with bench_local_storage.c, bench_local_storage_rcu_tasks_trace.c, and +bench_bpf_hashmap_lookup.c. + +Fixes: 73087489250d ("selftests/bpf: Add benchmark for local_storage get") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/8f64a9d9fcff40a7fca090a65a68a9b62a468e16.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/bench.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/bench.h b/tools/testing/selftests/bpf/bench.h +index 68180d8f8558e..005c401b3e227 100644 +--- a/tools/testing/selftests/bpf/bench.h ++++ b/tools/testing/selftests/bpf/bench.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + struct cpu_set { + bool *cpus; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch b/queue-6.6/selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch new file mode 100644 index 00000000000..21ecba4f21d --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch @@ -0,0 +1,68 @@ +From 7fe686b9b19f5186b9bdd103fb9ea55f78013282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:21 -0700 +Subject: selftests/bpf: Fix redefinition errors compiling lwt_reroute.c + +From: Tony Ambardar + +[ Upstream commit 16b795cc59528cf280abc79af3c70bda42f715b9 ] + +Compiling lwt_reroute.c with GCC 12.3 for mips64el/musl-libc yields errors: + +In file included from .../include/arpa/inet.h:9, + from ./test_progs.h:18, + from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:11, + from tools/testing/selftests/bpf/prog_tests/lwt_reroute.c:52: +.../include/netinet/in.h:23:8: error: redefinition of 'struct in6_addr' + 23 | struct in6_addr { + | ^~~~~~~~ +In file included from .../include/linux/icmp.h:24, + from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:9: +.../include/linux/in6.h:33:8: note: originally defined here + 33 | struct in6_addr { + | ^~~~~~~~ +.../include/netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' + 34 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ +.../include/linux/in6.h:50:8: note: originally defined here + 50 | struct sockaddr_in6 { + | ^~~~~~~~~~~~ +.../include/netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' + 42 | struct ipv6_mreq { + | ^~~~~~~~~ +.../include/linux/in6.h:60:8: note: originally defined here + 60 | struct ipv6_mreq { + | ^~~~~~~~~ + +These errors occur because is included before , +bypassing the Linux uapi/libc compat mechanism's partial musl support. As +described in [1] and [2], fix these errors by including in +lwt_reroute.c before any uapi headers. + +[1]: commit c0bace798436 ("uapi libc compat: add fallback for unsupported libcs") +[2]: https://git.musl-libc.org/cgit/musl/commit/?id=04983f227238 + +Fixes: 6c77997bc639 ("selftests/bpf: Add lwt_xmit tests for BPF_REROUTE") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/bd2908aec0755ba8b75f5dc41848b00585f5c73e.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/lwt_reroute.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c +index c104f07f1b0bc..920ee3042d093 100644 +--- a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c ++++ b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c +@@ -49,6 +49,7 @@ + * is not crashed, it is considered successful. + */ + #define NETNS "ns_lwt_reroute" ++#include + #include "lwt_helpers.h" + #include "network_helpers.h" + #include +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch b/queue-6.6/selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch new file mode 100644 index 00000000000..b76508bd613 --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch @@ -0,0 +1,90 @@ +From 674ec3798e763fa0f6b771cb3ba043c2cc5ae70e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 22:25:35 -0700 +Subject: selftests/bpf: Fix wrong binary in Makefile log output + +From: Tony Ambardar + +[ Upstream commit 3ece93a4087b2db7b99ebb2412bd60cf26bbbb51 ] + +Make log output incorrectly shows 'test_maps' as the binary name for every +'CLNG-BPF' build step, apparently picking up the last value defined for the +$(TRUNNER_BINARY) variable. Update the 'CLANG_BPF_BUILD_RULE' variants to +fix this confusing output. + +Current output: + CLNG-BPF [test_maps] access_map_in_map.bpf.o + GEN-SKEL [test_progs] access_map_in_map.skel.h + ... + CLNG-BPF [test_maps] access_map_in_map.bpf.o + GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h + ... + CLNG-BPF [test_maps] access_map_in_map.bpf.o + GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h + +After fix: + CLNG-BPF [test_progs] access_map_in_map.bpf.o + GEN-SKEL [test_progs] access_map_in_map.skel.h + ... + CLNG-BPF [test_progs-no_alu32] access_map_in_map.bpf.o + GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h + ... + CLNG-BPF [test_progs-cpuv4] access_map_in_map.bpf.o + GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h + +Fixes: a5d0c26a2784 ("selftests/bpf: Add a cpuv4 test runner for cpu=v4 testing") +Fixes: 89ad7420b25c ("selftests/bpf: Drop the need for LLVM's llc") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/bpf/20240720052535.2185967-1-tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 0093d1161c6ee..ab364e95a9b23 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -395,23 +395,24 @@ $(OUTPUT)/cgroup_getset_retval_hooks.o: cgroup_getset_retval_hooks.h + # $1 - input .c file + # $2 - output .o file + # $3 - CFLAGS ++# $4 - binary name + define CLANG_BPF_BUILD_RULE +- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) ++ $(call msg,CLNG-BPF,$4,$2) + $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v3 -o $2 + endef + # Similar to CLANG_BPF_BUILD_RULE, but with disabled alu32 + define CLANG_NOALU32_BPF_BUILD_RULE +- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) ++ $(call msg,CLNG-BPF,$4,$2) + $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v2 -o $2 + endef + # Similar to CLANG_BPF_BUILD_RULE, but with cpu-v4 + define CLANG_CPUV4_BPF_BUILD_RULE +- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2) ++ $(call msg,CLNG-BPF,$4,$2) + $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v4 -o $2 + endef + # Build BPF object using GCC + define GCC_BPF_BUILD_RULE +- $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2) ++ $(call msg,GCC-BPF,$4,$2) + $(Q)$(BPF_GCC) $3 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $1 -o $2 + endef + +@@ -503,7 +504,7 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \ + $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \ + $(TRUNNER_BPF_CFLAGS) \ + $$($$<-CFLAGS) \ +- $$($$<-$2-CFLAGS)) ++ $$($$<-$2-CFLAGS),$(TRUNNER_BINARY)) + + $(TRUNNER_BPF_SKELS): %.skel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT) + $$(call msg,GEN-SKEL,$(TRUNNER_BINARY),$$@) +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-implement-get_hw_ring_size-function-to.patch b/queue-6.6/selftests-bpf-implement-get_hw_ring_size-function-to.patch new file mode 100644 index 00000000000..8ad809d1e42 --- /dev/null +++ b/queue-6.6/selftests-bpf-implement-get_hw_ring_size-function-to.patch @@ -0,0 +1,127 @@ +From a36ab0ecf2e5d40d37fb54a0c1ae024870796b31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 11:45:25 +0000 +Subject: selftests/bpf: Implement get_hw_ring_size function to retrieve + current and max interface size + +From: Tushar Vyavahare + +[ Upstream commit 90a695c3d31e1c9f0adb8c4c80028ed4ea7ed5ab ] + +Introduce a new function called get_hw_size that retrieves both the +current and maximum size of the interface and stores this information +in the 'ethtool_ringparam' structure. + +Remove ethtool_channels struct from xdp_hw_metadata.c due to redefinition +error. Remove unused linux/if.h include from flow_dissector BPF test to +address CI pipeline failure. + +Signed-off-by: Tushar Vyavahare +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20240402114529.545475-4-tushar.vyavahare@intel.com +Stable-dep-of: 69f409469c9b ("selftests/bpf: Drop unneeded error.h includes") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/network_helpers.c | 24 +++++++++++++++++++ + tools/testing/selftests/bpf/network_helpers.h | 4 ++++ + .../selftests/bpf/prog_tests/flow_dissector.c | 1 - + tools/testing/selftests/bpf/xdp_hw_metadata.c | 14 ----------- + 4 files changed, 28 insertions(+), 15 deletions(-) + +diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c +index 0877b60ec81f6..d2acc88752126 100644 +--- a/tools/testing/selftests/bpf/network_helpers.c ++++ b/tools/testing/selftests/bpf/network_helpers.c +@@ -465,3 +465,27 @@ int get_socket_local_port(int sock_fd) + + return -1; + } ++ ++int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param) ++{ ++ struct ifreq ifr = {0}; ++ int sockfd, err; ++ ++ sockfd = socket(AF_INET, SOCK_DGRAM, 0); ++ if (sockfd < 0) ++ return -errno; ++ ++ memcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); ++ ++ ring_param->cmd = ETHTOOL_GRINGPARAM; ++ ifr.ifr_data = (char *)ring_param; ++ ++ if (ioctl(sockfd, SIOCETHTOOL, &ifr) < 0) { ++ err = errno; ++ close(sockfd); ++ return -err; ++ } ++ ++ close(sockfd); ++ return 0; ++} +diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h +index 5eccc67d1a998..11cbe194769b1 100644 +--- a/tools/testing/selftests/bpf/network_helpers.h ++++ b/tools/testing/selftests/bpf/network_helpers.h +@@ -9,8 +9,11 @@ typedef __u16 __sum16; + #include + #include + #include ++#include ++#include + #include + #include ++#include + + #define MAGIC_VAL 0x1234 + #define NUM_ITER 100000 +@@ -60,6 +63,7 @@ int make_sockaddr(int family, const char *addr_str, __u16 port, + struct sockaddr_storage *addr, socklen_t *len); + char *ping_command(int family); + int get_socket_local_port(int sock_fd); ++int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param); + + struct nstoken; + /** +diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +index c4773173a4e43..9e5f38739104b 100644 +--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c ++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +@@ -2,7 +2,6 @@ + #include + #include + #include +-#include + #include + #include + +diff --git a/tools/testing/selftests/bpf/xdp_hw_metadata.c b/tools/testing/selftests/bpf/xdp_hw_metadata.c +index adb77c1a6a740..79f2da8f6ead6 100644 +--- a/tools/testing/selftests/bpf/xdp_hw_metadata.c ++++ b/tools/testing/selftests/bpf/xdp_hw_metadata.c +@@ -288,20 +288,6 @@ static int verify_metadata(struct xsk *rx_xsk, int rxq, int server_fd, clockid_t + return 0; + } + +-struct ethtool_channels { +- __u32 cmd; +- __u32 max_rx; +- __u32 max_tx; +- __u32 max_other; +- __u32 max_combined; +- __u32 rx_count; +- __u32 tx_count; +- __u32 other_count; +- __u32 combined_count; +-}; +- +-#define ETHTOOL_GCHANNELS 0x0000003c /* Get no of channels */ +- + static int rxq_num(const char *ifname) + { + struct ethtool_channels ch = { +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-refactor-out-some-functions-in-ns_curr.patch b/queue-6.6/selftests-bpf-refactor-out-some-functions-in-ns_curr.patch new file mode 100644 index 00000000000..7d4b9f78b91 --- /dev/null +++ b/queue-6.6/selftests-bpf-refactor-out-some-functions-in-ns_curr.patch @@ -0,0 +1,158 @@ +From 31caf18ace5586fa86b80a153584869c93a78d47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 11:49:04 -0700 +Subject: selftests/bpf: Refactor out some functions in ns_current_pid_tgid + test + +From: Yonghong Song + +[ Upstream commit 4d4bd29e363c467752536f874a2cba10a5923c59 ] + +Refactor some functions in both user space code and bpf program +as these functions are used by later cgroup/sk_msg tests. +Another change is to mark tp program optional loading as later +patches will use optional loading as well since they have quite +different attachment and testing logic. + +There is no functionality change. + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240315184904.2976123-1-yonghong.song@linux.dev +Stable-dep-of: 21f0b0af9772 ("selftests/bpf: Fix include of ") +Signed-off-by: Sasha Levin +--- + .../bpf/prog_tests/ns_current_pid_tgid.c | 53 ++++++++++++------- + .../bpf/progs/test_ns_current_pid_tgid.c | 10 ++-- + 2 files changed, 41 insertions(+), 22 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +index 3a0664a86243e..847d7b70e2902 100644 +--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +@@ -16,30 +16,46 @@ + #define STACK_SIZE (1024 * 1024) + static char child_stack[STACK_SIZE]; + +-static int test_current_pid_tgid(void *args) ++static int get_pid_tgid(pid_t *pid, pid_t *tgid, ++ struct test_ns_current_pid_tgid__bss *bss) + { +- struct test_ns_current_pid_tgid__bss *bss; +- struct test_ns_current_pid_tgid *skel; +- int ret = -1, err; +- pid_t tgid, pid; + struct stat st; ++ int err; + +- skel = test_ns_current_pid_tgid__open_and_load(); +- if (!ASSERT_OK_PTR(skel, "test_ns_current_pid_tgid__open_and_load")) +- goto out; +- +- pid = syscall(SYS_gettid); +- tgid = getpid(); ++ *pid = syscall(SYS_gettid); ++ *tgid = getpid(); + + err = stat("/proc/self/ns/pid", &st); + if (!ASSERT_OK(err, "stat /proc/self/ns/pid")) +- goto cleanup; ++ return err; + +- bss = skel->bss; + bss->dev = st.st_dev; + bss->ino = st.st_ino; + bss->user_pid = 0; + bss->user_tgid = 0; ++ return 0; ++} ++ ++static int test_current_pid_tgid_tp(void *args) ++{ ++ struct test_ns_current_pid_tgid__bss *bss; ++ struct test_ns_current_pid_tgid *skel; ++ int ret = -1, err; ++ pid_t tgid, pid; ++ ++ skel = test_ns_current_pid_tgid__open(); ++ if (!ASSERT_OK_PTR(skel, "test_ns_current_pid_tgid__open")) ++ return ret; ++ ++ bpf_program__set_autoload(skel->progs.tp_handler, true); ++ ++ err = test_ns_current_pid_tgid__load(skel); ++ if (!ASSERT_OK(err, "test_ns_current_pid_tgid__load")) ++ goto cleanup; ++ ++ bss = skel->bss; ++ if (get_pid_tgid(&pid, &tgid, bss)) ++ goto cleanup; + + err = test_ns_current_pid_tgid__attach(skel); + if (!ASSERT_OK(err, "test_ns_current_pid_tgid__attach")) +@@ -55,11 +71,10 @@ static int test_current_pid_tgid(void *args) + + cleanup: + test_ns_current_pid_tgid__destroy(skel); +-out: + return ret; + } + +-static void test_ns_current_pid_tgid_new_ns(void) ++static void test_ns_current_pid_tgid_new_ns(int (*fn)(void *), void *arg) + { + int wstatus; + pid_t cpid; +@@ -67,8 +82,8 @@ static void test_ns_current_pid_tgid_new_ns(void) + /* Create a process in a new namespace, this process + * will be the init process of this new namespace hence will be pid 1. + */ +- cpid = clone(test_current_pid_tgid, child_stack + STACK_SIZE, +- CLONE_NEWPID | SIGCHLD, NULL); ++ cpid = clone(fn, child_stack + STACK_SIZE, ++ CLONE_NEWPID | SIGCHLD, arg); + + if (!ASSERT_NEQ(cpid, -1, "clone")) + return; +@@ -84,7 +99,7 @@ static void test_ns_current_pid_tgid_new_ns(void) + void serial_test_ns_current_pid_tgid(void) + { + if (test__start_subtest("root_ns_tp")) +- test_current_pid_tgid(NULL); ++ test_current_pid_tgid_tp(NULL); + if (test__start_subtest("new_ns_tp")) +- test_ns_current_pid_tgid_new_ns(); ++ test_ns_current_pid_tgid_new_ns(test_current_pid_tgid_tp, NULL); + } +diff --git a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c +index 0763d49f9c421..aa3ec7ca16d9b 100644 +--- a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c +@@ -10,17 +10,21 @@ __u64 user_tgid = 0; + __u64 dev = 0; + __u64 ino = 0; + +-SEC("tracepoint/syscalls/sys_enter_nanosleep") +-int handler(const void *ctx) ++static void get_pid_tgid(void) + { + struct bpf_pidns_info nsdata; + + if (bpf_get_ns_current_pid_tgid(dev, ino, &nsdata, sizeof(struct bpf_pidns_info))) +- return 0; ++ return; + + user_pid = nsdata.pid; + user_tgid = nsdata.tgid; ++} + ++SEC("?tracepoint/syscalls/sys_enter_nanosleep") ++int tp_handler(const void *ctx) ++{ ++ get_pid_tgid(); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-replace-check-with-assert_-in-ns_curre.patch b/queue-6.6/selftests-bpf-replace-check-with-assert_-in-ns_curre.patch new file mode 100644 index 00000000000..c7f65cfcbf7 --- /dev/null +++ b/queue-6.6/selftests-bpf-replace-check-with-assert_-in-ns_curre.patch @@ -0,0 +1,121 @@ +From 804f9d4c26a2d64cca047134a8b1a463780e9ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 11:48:59 -0700 +Subject: selftests/bpf: Replace CHECK with ASSERT_* in ns_current_pid_tgid + test + +From: Yonghong Song + +[ Upstream commit 84239a24d10174fcfc7d6760cb120435a6ff69af ] + +Replace CHECK in selftest ns_current_pid_tgid with recommended ASSERT_* style. +I also shortened subtest name as the prefix of subtest name is covered +by the test name already. + +This patch does fix a testing issue. Currently even if bss->user_{pid,tgid} +is not correct, the test still passed since the clone func returns 0. +I fixed it to return a non-zero value if bss->user_{pid,tgid} is incorrect. + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20240315184859.2975543-1-yonghong.song@linux.dev +Stable-dep-of: 21f0b0af9772 ("selftests/bpf: Fix include of ") +Signed-off-by: Sasha Levin +--- + .../bpf/prog_tests/ns_current_pid_tgid.c | 36 ++++++++++--------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +index 24d493482ffc7..3a0664a86243e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c ++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c +@@ -20,19 +20,19 @@ static int test_current_pid_tgid(void *args) + { + struct test_ns_current_pid_tgid__bss *bss; + struct test_ns_current_pid_tgid *skel; +- int err = -1, duration = 0; ++ int ret = -1, err; + pid_t tgid, pid; + struct stat st; + + skel = test_ns_current_pid_tgid__open_and_load(); +- if (CHECK(!skel, "skel_open_load", "failed to load skeleton\n")) +- goto cleanup; ++ if (!ASSERT_OK_PTR(skel, "test_ns_current_pid_tgid__open_and_load")) ++ goto out; + + pid = syscall(SYS_gettid); + tgid = getpid(); + + err = stat("/proc/self/ns/pid", &st); +- if (CHECK(err, "stat", "failed /proc/self/ns/pid: %d\n", err)) ++ if (!ASSERT_OK(err, "stat /proc/self/ns/pid")) + goto cleanup; + + bss = skel->bss; +@@ -42,24 +42,26 @@ static int test_current_pid_tgid(void *args) + bss->user_tgid = 0; + + err = test_ns_current_pid_tgid__attach(skel); +- if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err)) ++ if (!ASSERT_OK(err, "test_ns_current_pid_tgid__attach")) + goto cleanup; + + /* trigger tracepoint */ + usleep(1); +- ASSERT_EQ(bss->user_pid, pid, "pid"); +- ASSERT_EQ(bss->user_tgid, tgid, "tgid"); +- err = 0; ++ if (!ASSERT_EQ(bss->user_pid, pid, "pid")) ++ goto cleanup; ++ if (!ASSERT_EQ(bss->user_tgid, tgid, "tgid")) ++ goto cleanup; ++ ret = 0; + + cleanup: +- test_ns_current_pid_tgid__destroy(skel); +- +- return err; ++ test_ns_current_pid_tgid__destroy(skel); ++out: ++ return ret; + } + + static void test_ns_current_pid_tgid_new_ns(void) + { +- int wstatus, duration = 0; ++ int wstatus; + pid_t cpid; + + /* Create a process in a new namespace, this process +@@ -68,21 +70,21 @@ static void test_ns_current_pid_tgid_new_ns(void) + cpid = clone(test_current_pid_tgid, child_stack + STACK_SIZE, + CLONE_NEWPID | SIGCHLD, NULL); + +- if (CHECK(cpid == -1, "clone", "%s\n", strerror(errno))) ++ if (!ASSERT_NEQ(cpid, -1, "clone")) + return; + +- if (CHECK(waitpid(cpid, &wstatus, 0) == -1, "waitpid", "%s\n", strerror(errno))) ++ if (!ASSERT_NEQ(waitpid(cpid, &wstatus, 0), -1, "waitpid")) + return; + +- if (CHECK(WEXITSTATUS(wstatus) != 0, "newns_pidtgid", "failed")) ++ if (!ASSERT_OK(WEXITSTATUS(wstatus), "newns_pidtgid")) + return; + } + + /* TODO: use a different tracepoint */ + void serial_test_ns_current_pid_tgid(void) + { +- if (test__start_subtest("ns_current_pid_tgid_root_ns")) ++ if (test__start_subtest("root_ns_tp")) + test_current_pid_tgid(NULL); +- if (test__start_subtest("ns_current_pid_tgid_new_ns")) ++ if (test__start_subtest("new_ns_tp")) + test_ns_current_pid_tgid_new_ns(); + } +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch b/queue-6.6/selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch new file mode 100644 index 00000000000..fbaf6041875 --- /dev/null +++ b/queue-6.6/selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch @@ -0,0 +1,45 @@ +From 6cace4c0388b06e5a4ac77b91df51e16a8c28017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:28 -0700 +Subject: selftests/bpf: Use pid_t consistently in test_progs.c + +From: Tony Ambardar + +[ Upstream commit ec4fe2f0fa12fd2d0115df7e58414dc26899cc5e ] + +Use pid_t rather than __pid_t when allocating memory for 'worker_pids' in +'struct test_env', as this is its declared type and also avoids compile +errors seen building against musl libc on mipsel64: + + test_progs.c:1738:49: error: '__pid_t' undeclared (first use in this function); did you mean 'pid_t'? + 1738 | env.worker_pids = calloc(sizeof(__pid_t), env.workers); + | ^~~~~~~ + | pid_t + test_progs.c:1738:49: note: each undeclared identifier is reported only once for each function it appears in + +Fixes: 91b2c0afd00c ("selftests/bpf: Add parallelism to test_progs") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Acked-by: Geliang Tang +Link: https://lore.kernel.org/bpf/c6447da51a94babc1931711a43e2ceecb135c93d.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_progs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c +index 4d582cac2c09e..eed0e4fcf42ef 100644 +--- a/tools/testing/selftests/bpf/test_progs.c ++++ b/tools/testing/selftests/bpf/test_progs.c +@@ -1690,7 +1690,7 @@ int main(int argc, char **argv) + /* launch workers if requested */ + env.worker_id = -1; /* main process */ + if (env.workers) { +- env.worker_pids = calloc(sizeof(__pid_t), env.workers); ++ env.worker_pids = calloc(sizeof(pid_t), env.workers); + env.worker_socks = calloc(sizeof(int), env.workers); + if (env.debug) + fprintf(stdout, "Launching %d workers.\n", env.workers); +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-workaround-strict-bpf_lsm-return-value.patch b/queue-6.6/selftests-bpf-workaround-strict-bpf_lsm-return-value.patch new file mode 100644 index 00000000000..37cab55e7e6 --- /dev/null +++ b/queue-6.6/selftests-bpf-workaround-strict-bpf_lsm-return-value.patch @@ -0,0 +1,47 @@ +From a7d745ec73e64fa73b6415a0bfc719a29d9d808c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 19:08:15 -0700 +Subject: selftests/bpf: Workaround strict bpf_lsm return value check. + +From: Alexei Starovoitov + +[ Upstream commit aa8ebb270c66cea1f56a25d0f938036e91ad085a ] + +test_progs-no_alu32 -t libbpf_get_fd_by_id_opts +is being rejected by the verifier with the following error +due to compiler optimization: + +6: (67) r0 <<= 62 ; R0_w=scalar(smax=0x4000000000000000,umax=0xc000000000000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xc000000000000000)) +7: (c7) r0 s>>= 63 ; R0_w=scalar(smin=smin32=-1,smax=smax32=0) +; @ test_libbpf_get_fd_by_id_opts.c:0 +8: (57) r0 &= -13 ; R0_w=scalar(smax=0x7ffffffffffffff3,umax=0xfffffffffffffff3,smax32=0x7ffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) +; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27 +9: (95) exit +At program exit the register R0 has smax=9223372036854775795 should have been in [-4095, 0] + +Workaround by adding barrier(). +Eventually the verifier will be able to recognize it. + +Fixes: 5d99e198be27 ("bpf, lsm: Add check for BPF LSM return value") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Signed-off-by: Sasha Levin +--- + .../testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c +index f5ac5f3e89196..568816307f712 100644 +--- a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c ++++ b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c +@@ -31,6 +31,7 @@ int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) + + if (fmode & FMODE_WRITE) + return -EACCES; ++ barrier(); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/selftests-ftrace-add-required-dependency-for-kprobe-.patch b/queue-6.6/selftests-ftrace-add-required-dependency-for-kprobe-.patch new file mode 100644 index 00000000000..992b9e30744 --- /dev/null +++ b/queue-6.6/selftests-ftrace-add-required-dependency-for-kprobe-.patch @@ -0,0 +1,53 @@ +From 8b2090d196f95cd114b7f4d9867311e89915e2bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 07:12:10 +0900 +Subject: selftests/ftrace: Add required dependency for kprobe tests + +From: Masami Hiramatsu (Google) + +[ Upstream commit 41f37c852ac3fbfd072a00281b60dc7ba056be8c ] + +kprobe_args_{char,string}.tc are using available_filter_functions file +which is provided by function tracer. Thus if function tracer is disabled, +these tests are failed on recent kernels because tracefs_create_dir is +not raised events by adding a dynamic event. +Add available_filter_functions to requires line. + +Fixes: 7c1130ea5cae ("test: ftrace: Fix kprobe test for eventfs") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc | 2 +- + .../selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc +index ff7499eb98d6d..ce5d2e62731f3 100644 +--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc +@@ -1,7 +1,7 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + # description: Kprobe event char type argument +-# requires: kprobe_events ++# requires: kprobe_events available_filter_functions + + case `uname -m` in + x86_64) +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc +index a202b2ea4baf9..4f72c2875f6b9 100644 +--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc +@@ -1,7 +1,7 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + # description: Kprobe event string type argument +-# requires: kprobe_events ++# requires: kprobe_events available_filter_functions + + case `uname -m` in + x86_64) +-- +2.43.0 + diff --git a/queue-6.6/selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch b/queue-6.6/selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch new file mode 100644 index 00000000000..48bb1b78d02 --- /dev/null +++ b/queue-6.6/selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch @@ -0,0 +1,78 @@ +From 9d402700dfe83b8bb2dde9ce0593e7f9f0eae152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:50:14 +0200 +Subject: selftests: vDSO: fix ELF hash table entry size for s390x + +From: Jens Remus + +[ Upstream commit 14be4e6f35221c4731b004553ecf7cbc6dc1d2d8 ] + +The vDSO self tests fail on s390x for a vDSO linked with the GNU linker +ld as follows: + + # ./vdso_test_gettimeofday + Floating point exception (core dumped) + +On s390x the ELF hash table entries are 64 bits instead of 32 bits in +size (see Glibc sysdeps/unix/sysv/linux/s390/bits/elfclass.h). + +Fixes: 40723419f407 ("kselftest: Enable vDSO test on non x86 platforms") +Reported-by: Heiko Carstens +Tested-by: Heiko Carstens +Signed-off-by: Jens Remus +Signed-off-by: Heiko Carstens +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/parse_vdso.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c +index d9ccc5acac182..7dd5668ea8a6e 100644 +--- a/tools/testing/selftests/vDSO/parse_vdso.c ++++ b/tools/testing/selftests/vDSO/parse_vdso.c +@@ -36,6 +36,12 @@ + #define ELF_BITS_XFORM(bits, x) ELF_BITS_XFORM2(bits, x) + #define ELF(x) ELF_BITS_XFORM(ELF_BITS, x) + ++#ifdef __s390x__ ++#define ELF_HASH_ENTRY ELF(Xword) ++#else ++#define ELF_HASH_ENTRY ELF(Word) ++#endif ++ + static struct vdso_info + { + bool valid; +@@ -47,8 +53,8 @@ static struct vdso_info + /* Symbol table */ + ELF(Sym) *symtab; + const char *symstrings; +- ELF(Word) *bucket, *chain; +- ELF(Word) nbucket, nchain; ++ ELF_HASH_ENTRY *bucket, *chain; ++ ELF_HASH_ENTRY nbucket, nchain; + + /* Version table */ + ELF(Versym) *versym; +@@ -115,7 +121,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base) + /* + * Fish out the useful bits of the dynamic table. + */ +- ELF(Word) *hash = 0; ++ ELF_HASH_ENTRY *hash = 0; + vdso_info.symstrings = 0; + vdso_info.symtab = 0; + vdso_info.versym = 0; +@@ -133,7 +139,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base) + + vdso_info.load_offset); + break; + case DT_HASH: +- hash = (ELF(Word) *) ++ hash = (ELF_HASH_ENTRY *) + ((uintptr_t)dyn[i].d_un.d_ptr + + vdso_info.load_offset); + break; +-- +2.43.0 + diff --git a/queue-6.6/selftests-vdso-fix-vdso-name-for-powerpc.patch b/queue-6.6/selftests-vdso-fix-vdso-name-for-powerpc.patch new file mode 100644 index 00000000000..d38b6bc4f05 --- /dev/null +++ b/queue-6.6/selftests-vdso-fix-vdso-name-for-powerpc.patch @@ -0,0 +1,52 @@ +From 166d2ee5aa54eb850008cdb3f3cce88c41c467d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 14:28:35 +0200 +Subject: selftests: vDSO: fix vDSO name for powerpc + +From: Christophe Leroy + +[ Upstream commit 59eb856c3ed9b3552befd240c0c339f22eed3fa1 ] + +Following error occurs when running vdso_test_correctness on powerpc: + +~ # ./vdso_test_correctness +[WARN] failed to find vDSO +[SKIP] No vDSO, so skipping clock_gettime() tests +[SKIP] No vDSO, so skipping clock_gettime64() tests +[RUN] Testing getcpu... +[OK] CPU 0: syscall: cpu 0, node 0 + +On powerpc, vDSO is neither called linux-vdso.so.1 nor linux-gate.so.1 +but linux-vdso32.so.1 or linux-vdso64.so.1. + +Also search those two names before giving up. + +Fixes: c7e5789b24d3 ("kselftest: Move test_vdso to the vDSO test suite") +Signed-off-by: Christophe Leroy +Acked-by: Shuah Khan +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/vDSO/vdso_test_correctness.c b/tools/testing/selftests/vDSO/vdso_test_correctness.c +index e691a3cf14911..cdb697ae8343c 100644 +--- a/tools/testing/selftests/vDSO/vdso_test_correctness.c ++++ b/tools/testing/selftests/vDSO/vdso_test_correctness.c +@@ -114,6 +114,12 @@ static void fill_function_pointers() + if (!vdso) + vdso = dlopen("linux-gate.so.1", + RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); ++ if (!vdso) ++ vdso = dlopen("linux-vdso32.so.1", ++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); ++ if (!vdso) ++ vdso = dlopen("linux-vdso64.so.1", ++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); + if (!vdso) { + printf("[WARN]\tfailed to find vDSO\n"); + return; +-- +2.43.0 + diff --git a/queue-6.6/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch b/queue-6.6/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch new file mode 100644 index 00000000000..61c967310d9 --- /dev/null +++ b/queue-6.6/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch @@ -0,0 +1,108 @@ +From 9aef4348988667cca5680d32907fe6db79f8875e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 14:28:37 +0200 +Subject: selftests: vDSO: fix vDSO symbols lookup for powerpc64 + +From: Christophe Leroy + +[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ] + +On powerpc64, following tests fail locating vDSO functions: + + ~ # ./vdso_test_abi + TAP version 13 + 1..16 + # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15 + # Couldn't find __kernel_gettimeofday + ok 1 # SKIP __kernel_gettimeofday + # clock_id: CLOCK_REALTIME + # Couldn't find __kernel_clock_gettime + ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME + # Couldn't find __kernel_clock_getres + ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME + ... + # Couldn't find __kernel_time + ok 16 # SKIP __kernel_time + # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0 + + ~ # ./vdso_test_getrandom + __kernel_getrandom is missing! + + ~ # ./vdso_test_gettimeofday + Could not find __kernel_gettimeofday + + ~ # ./vdso_test_getcpu + Could not find __kernel_getcpu + +On powerpc64, as shown below by readelf, vDSO functions symbols have +type NOTYPE, so also accept that type when looking for symbols. + +$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg +ELF Header: + Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 + Class: ELF64 + Data: 2's complement, big endian + Version: 1 (current) + OS/ABI: UNIX - System V + ABI Version: 0 + Type: DYN (Shared object file) + Machine: PowerPC64 + Version: 0x1 +... + +Symbol table '.dynsym' contains 12 entries: + Num: Value Size Type Bind Vis Ndx Name + 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND + 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15 + 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + +Symbol table '.symtab' contains 56 entries: + Num: Value Size Type Bind Vis Ndx Name +... + 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15 + 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu + 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres + 48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq + 49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday + 50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache + 51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom + 52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...] + 53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time + 54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...] + 55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...] + +Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser") +Signed-off-by: Christophe Leroy +Acked-by: Shuah Khan +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/parse_vdso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c +index 4ae417372e9eb..d9ccc5acac182 100644 +--- a/tools/testing/selftests/vDSO/parse_vdso.c ++++ b/tools/testing/selftests/vDSO/parse_vdso.c +@@ -216,7 +216,8 @@ void *vdso_sym(const char *version, const char *name) + ELF(Sym) *sym = &vdso_info.symtab[chain]; + + /* Check for a defined global or weak function w/ right name. */ +- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC) ++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC && ++ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE) + continue; + if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL && + ELF64_ST_BIND(sym->st_info) != STB_WEAK) +-- +2.43.0 + diff --git a/queue-6.6/selftests-vdso-fix-vdso_config-for-powerpc.patch b/queue-6.6/selftests-vdso-fix-vdso_config-for-powerpc.patch new file mode 100644 index 00000000000..d1b319d9094 --- /dev/null +++ b/queue-6.6/selftests-vdso-fix-vdso_config-for-powerpc.patch @@ -0,0 +1,52 @@ +From 080db579723fce6cd95f30a61a0818d0e66deafa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 14:28:36 +0200 +Subject: selftests: vDSO: fix vdso_config for powerpc + +From: Christophe Leroy + +[ Upstream commit 7d297c419b08eafa69ce27243ee9bbecab4fcaa4 ] + +Running vdso_test_correctness on powerpc64 gives the following warning: + + ~ # ./vdso_test_correctness + Warning: failed to find clock_gettime64 in vDSO + +This is because vdso_test_correctness was built with VDSO_32BIT defined. + +__powerpc__ macro is defined on both powerpc32 and powerpc64 so +__powerpc64__ needs to be checked first in vdso_config.h + +Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest") +Signed-off-by: Christophe Leroy +Acked-by: Shuah Khan +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/vdso_config.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h +index cdfed403ba13f..f9890584f6fb4 100644 +--- a/tools/testing/selftests/vDSO/vdso_config.h ++++ b/tools/testing/selftests/vDSO/vdso_config.h +@@ -18,13 +18,13 @@ + #elif defined(__aarch64__) + #define VDSO_VERSION 3 + #define VDSO_NAMES 0 +-#elif defined(__powerpc__) ++#elif defined(__powerpc64__) + #define VDSO_VERSION 1 + #define VDSO_NAMES 0 +-#define VDSO_32BIT 1 +-#elif defined(__powerpc64__) ++#elif defined(__powerpc__) + #define VDSO_VERSION 1 + #define VDSO_NAMES 0 ++#define VDSO_32BIT 1 + #elif defined (__s390__) + #define VDSO_VERSION 2 + #define VDSO_NAMES 0 +-- +2.43.0 + diff --git a/queue-6.6/selftests-vdso-fix-vdso_config-for-s390.patch b/queue-6.6/selftests-vdso-fix-vdso_config-for-s390.patch new file mode 100644 index 00000000000..6970d42f39e --- /dev/null +++ b/queue-6.6/selftests-vdso-fix-vdso_config-for-s390.patch @@ -0,0 +1,51 @@ +From 6d67407c45b91f1163950660787c72b2b90bba87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:50:15 +0200 +Subject: selftests: vDSO: fix vdso_config for s390 + +From: Heiko Carstens + +[ Upstream commit a6e23fb8d3c0e3904da70beaf5d7e840a983c97f ] + +Running vdso_test_correctness on s390x (aka s390 64 bit) emits a warning: + +Warning: failed to find clock_gettime64 in vDSO + +This is caused by the "#elif defined (__s390__)" check in vdso_config.h +which the defines VDSO_32BIT. + +If __s390x__ is defined also __s390__ is defined. Therefore the correct +check must make sure that only __s390__ is defined. + +Therefore add the missing !defined(__s390x__). Also use common +__s390x__ define instead of __s390X__. + +Signed-off-by: Heiko Carstens +Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/vdso_config.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h +index f9890584f6fb4..72de45f587b2c 100644 +--- a/tools/testing/selftests/vDSO/vdso_config.h ++++ b/tools/testing/selftests/vDSO/vdso_config.h +@@ -25,11 +25,11 @@ + #define VDSO_VERSION 1 + #define VDSO_NAMES 0 + #define VDSO_32BIT 1 +-#elif defined (__s390__) ++#elif defined (__s390__) && !defined(__s390x__) + #define VDSO_VERSION 2 + #define VDSO_NAMES 0 + #define VDSO_32BIT 1 +-#elif defined (__s390X__) ++#elif defined (__s390x__) + #define VDSO_VERSION 2 + #define VDSO_NAMES 0 + #elif defined(__mips__) +-- +2.43.0 + diff --git a/queue-6.6/serial-8250-omap-cleanup-on-error-in-request_irq.patch b/queue-6.6/serial-8250-omap-cleanup-on-error-in-request_irq.patch new file mode 100644 index 00000000000..cbdc18cbd80 --- /dev/null +++ b/queue-6.6/serial-8250-omap-cleanup-on-error-in-request_irq.patch @@ -0,0 +1,40 @@ +From 44b47fdf0437795a2cfc4d900a103434cbc4438f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 16:12:25 +0200 +Subject: serial: 8250: omap: Cleanup on error in request_irq + +From: Markus Schneider-Pargmann + +[ Upstream commit 35e648a16018b747897be2ccc3ce95ff23237bb5 ] + +If devm_request_irq fails, the code does not cleanup many things that +were setup before. Instead of directly returning ret we should jump to +err. + +Fixes: fef4f600319e ("serial: 8250: omap: Fix life cycle issues for interrupt handlers") +Signed-off-by: Markus Schneider-Pargmann +Reviewed-by: Kevin Hilman +Tested-by: Kevin Hilman +Link: https://lore.kernel.org/r/20240807141227.1093006-4-msp@baylibre.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 8f472a2080ffa..4caecc3525bfd 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1567,7 +1567,7 @@ static int omap8250_probe(struct platform_device *pdev) + ret = devm_request_irq(&pdev->dev, irq, omap8250_irq, 0, + dev_name(&pdev->dev), priv); + if (ret < 0) +- return ret; ++ goto err; + + priv->wakeirq = irq_of_parse_and_map(np, 1); + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..76d4be330c0 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,389 @@ +edac-synopsys-fix-ecc-status-and-irq-control-race-co.patch +edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch +wifi-rtw88-always-wait-for-both-firmware-loading-att.patch +crypto-xor-fix-template-benchmarking.patch +acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch +wifi-brcmfmac-export-firmware-interface-functions.patch +wifi-brcmfmac-introducing-fwil-query-functions.patch +wifi-ath9k-remove-error-checks-when-creating-debugfs.patch +wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch +wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch +wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch +net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch +arm64-signal-fix-some-under-bracketed-uapi-macros.patch +wifi-rtw88-remove-cpt-execution-branch-never-used.patch +risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch +risc-v-kvm-allow-legacy-pmu-access-from-guest.patch +risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch +mount-handle-oom-on-mnt_warn_timestamp_expiry.patch +arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch +powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch +kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch +drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch +wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch +wifi-iwlwifi-remove-ax101-ax201-and-ax203-support-fr.patch +wifi-iwlwifi-config-label-gl-devices-as-discrete.patch +wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch +padata-honor-the-caller-s-alignment-in-case-of-chunk.patch +drivers-perf-hisi_pcie-record-hardware-counts-correc.patch +drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch +kselftest-arm64-actually-test-sme-vector-length-chan.patch +can-j1939-use-correct-function-name-in-comment.patch +acpi-cppc-fix-mask_val-usage.patch +netfilter-nf_tables-elements-with-timeout-below-conf.patch +netfilter-nf_tables-reject-element-expiration-with-n.patch +netfilter-nf_tables-reject-expiration-higher-than-ti.patch +netfilter-nf_tables-remove-annotation-to-access-set-.patch +perf-arm-cmn-rework-dtc-counters-again.patch +perf-arm-cmn-improve-debugfs-pretty-printing-for-lar.patch +perf-arm-cmn-refactor-node-id-handling.-again.patch +perf-arm-cmn-fix-ccla-register-offset.patch +perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch +cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch +wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch +wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch +wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch +wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch +wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch +wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch +x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch +pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch +crypto-hisilicon-hpre-mask-cluster-timeout-error.patch +crypto-hisilicon-qm-reset-device-before-enabling-it.patch +crypto-hisilicon-qm-inject-error-before-stopping-que.patch +wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch +wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch +wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch +wifi-mt76-mt7996-ensure-4-byte-alignment-for-beacon-.patch +wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch +wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch +wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch +wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch +bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch +bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch +sock_map-add-a-cond_resched-in-sock_hash_free.patch +can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch +can-m_can-enable-napi-before-enabling-interrupts.patch +can-m_can-m_can_close-stop-clocks-after-device-has-b.patch +bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch +bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch +bareudp-pull-inner-ip-header-on-xmit.patch +net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch +r8169-disable-aldps-per-default-for-rtl8125.patch +net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch +net-tipc-avoid-possible-garbage-value.patch +ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch +ublk-move-zone-report-data-out-of-request-pdu.patch +nbd-fix-race-between-timeout-and-normal-completion.patch +block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch +block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch +block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch +cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch +erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch +block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch +block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch +io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch +io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch +block-print-symbolic-error-name-instead-of-error-cod.patch +block-fix-potential-invalid-pointer-dereference-in-b.patch +spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch +arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch +arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch +firmware-arm_scmi-fix-double-free-in-optee-transport.patch +spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch +regulator-return-actual-error-in-of_regulator_bulk_g.patch +arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch +arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch +arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch +arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch +arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch +arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch +arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch +spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch +arm-dts-microchip-sama7g5-fix-rtt-clock.patch +arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch +arm-versatile-fix-of-node-leak-in-cpus-prepare.patch +reset-berlin-fix-of-node-leak-in-probe-error-path.patch +reset-k210-fix-of-node-leak-in-probe-error-path.patch +clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch +arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch +x86-mm-use-ipis-to-synchronize-lam-enablement.patch +asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch +asoc-tas2781-remove-unused-acpi_subysystem_id.patch +asoc-tas2781-use-of_property_read_reg.patch +asoc-tas2781-i2c-drop-weird-gpio-code.patch +asoc-tas2781-i2c-get-the-right-gpio-line.patch +selftests-ftrace-add-required-dependency-for-kprobe-.patch +alsa-hda-cs35l41-fix-module-autoloading.patch +m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch +asoc-loongson-fix-error-release.patch +hwmon-max16065-fix-overflows-seen-when-writing-limit.patch +hwmon-max16065-remove-use-of-i2c_match_id.patch +hwmon-max16065-fix-alarm-attributes.patch +mtd-slram-insert-break-after-errors-in-parsing-the-m.patch +hwmon-ntc_thermistor-fix-module-autoloading.patch +power-supply-axp20x_battery-remove-design-from-min-a.patch +power-supply-max17042_battery-fix-soc-threshold-calc.patch +fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch +iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch +mtd-powernv-add-check-devm_kasprintf-returned-value.patch +rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch +mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch +mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch +mtd-rawnand-mtk-fix-init-error-path.patch +iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch +iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch +iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch +pmdomain-core-harden-inter-column-space-in-debug-sum.patch +drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch +drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch +drm-amd-display-add-null-check-for-set_output_gamma-.patch +drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch +drm-radeon-properly-handle-vbios-fake-edid-sizing.patch +scsi-smartpqi-revert-propagate-the-multipath-failure.patch +scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch +drm-amd-amdgpu-properly-tune-the-size-of-struct.patch +drm-rockchip-vop-allow-4096px-width-scaling.patch +drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch +drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch +drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch +drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch +scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch +jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch +drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch +drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch +powerpc-8xx-fix-initial-memory-mapping.patch +powerpc-8xx-fix-kernel-vs-user-address-comparison.patch +powerpc-vdso-inconditionally-use-cfunc-macro.patch +selftests-vdso-fix-vdso-name-for-powerpc.patch +selftests-vdso-fix-vdso_config-for-powerpc.patch +selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch +drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch +drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch +drm-msm-a5xx-properly-clear-preemption-records-on-re.patch +drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch +drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch +ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch +drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch +drm-msm-fix-s-null-argument-error.patch +drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch +xen-use-correct-end-address-of-kernel-for-conflict-c.patch +hid-wacom-support-sequence-numbers-smaller-than-16-b.patch +hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch +ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch +minmax-avoid-overly-complex-min-max-macro-arguments-.patch +xen-introduce-generic-helper-checking-for-memory-map.patch +xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch +xen-add-capability-to-remap-non-ram-pages-to-differe.patch +xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch +powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch +selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch +selftests-vdso-fix-vdso_config-for-s390.patch +xen-swiotlb-add-alignment-check-for-dma-buffers.patch +xen-swiotlb-fix-allocated-size.patch +tpm-clean-up-tpm-space-after-command-failure.patch +sched-fair-make-sched_idle-entity-be-preempted-in-st.patch +selftests-bpf-workaround-strict-bpf_lsm-return-value.patch +selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch +bpf-use-wno-error-in-certain-tests-when-building-wit.patch +bpf-disable-some-attribute-ignored-warnings-in-gcc.patch +bpf-temporarily-define-bpf_no_preseve_access_index-f.patch +selftests-bpf-add-cflags-per-source-file-and-runner.patch +selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch +tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch +selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch +selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch +selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch +selftests-bpf-implement-get_hw_ring_size-function-to.patch +selftests-bpf-drop-unneeded-error.h-includes.patch +selftests-bpf-fix-missing-array_size-definition-in-b.patch +selftests-bpf-fix-missing-uint_max-definitions-in-be.patch +selftests-bpf-fix-missing-build_bug_on-declaration.patch +selftests-bpf-replace-check-with-assert_-in-ns_curre.patch +selftests-bpf-refactor-out-some-functions-in-ns_curr.patch +selftests-bpf-add-a-cgroup-prog-bpf_get_ns_current_p.patch +selftests-bpf-fix-include-of-sys-fcntl.h.patch +selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch +selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch +selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch +selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch +selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch +selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch +selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch +selftests-bpf-fix-errors-compiling-cg_storage_multi..patch +libbpf-use-stable-map-placeholder-fds.patch +libbpf-find-correct-module-btfs-for-struct_ops-maps-.patch +libbpf-convert-st_ops-data-to-shadow-type.patch +libbpf-sync-progs-autoload-with-maps-autocreate-for-.patch +libbpf-don-t-take-direct-pointers-into-btf-data-from.patch +selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch +selftests-bpf-fix-error-compiling-test_lru_map.c.patch +selftests-bpf-fix-c-compile-error-from-missing-_bool.patch +selftests-bpf-fix-flaky-selftest-lwt_redirect-lwt_re.patch +selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch +selftests-bpf-fix-compile-if-backtrace-support-missi.patch +selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch +samples-bpf-fix-compilation-errors-with-cf-protectio.patch +bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch +xz-cleanup-crc32-edits-from-2018.patch +kthread-fix-task-state-in-kthread-worker-if-being-fr.patch +ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch +smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch +ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch +ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch +ext4-avoid-negative-min_clusters-in-find_group_orlov.patch +ext4-return-error-on-ext4_find_inline_entry.patch +ext4-avoid-oob-when-system.data-xattr-changes-undern.patch +ext4-check-stripe-size-compatibility-on-remount-as-w.patch +sched-numa-document-vma_numab_state-fields.patch +sched-numa-rename-vma_numab_state-access_pids-pids_a.patch +sched-numa-trace-decisions-related-to-skipping-vmas.patch +sched-numa-move-up-the-access-pid-reset-logic.patch +sched-numa-complete-scanning-of-partial-vmas-regardl.patch +sched-numa-complete-scanning-of-inactive-vmas-when-t.patch +sched-numa-fix-the-vma-scan-starving-issue.patch +nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch +nilfs2-determine-empty-node-blocks-as-corrupted.patch +nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch +bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch +bpf-fix-helper-writes-to-read-only-maps.patch +bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch +bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch +perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch +perf-callchain-fix-stitch-lbr-memory-leaks.patch +perf-inject-fix-leader-sampling-inserting-additional.patch +perf-annotate-split-branch-stack-cycles-info-from-st.patch +perf-annotate-move-some-source-code-related-fields-f.patch +perf-ui-browser-annotate-use-global-annotation_optio.patch +perf-report-fix-total-cycles-stdio-output-error.patch +perf-sched-timehist-fix-missing-free-of-session-in-p.patch +perf-stat-display-iostat-headers-correctly.patch +perf-sched-timehist-fixed-timestamp-error-when-unabl.patch +perf-time-utils-fix-32-bit-nsec-parsing.patch +clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch +clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch +clk-imx-composite-8m-less-function-calls-in-__imx8m_.patch +clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch +clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch +clk-imx-composite-7ulp-check-the-pcc-present-bit.patch +clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch +clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch +clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch +clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch +remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch +remoteproc-imx_rproc-initialize-workqueue-earlier.patch +clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch +clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch +clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch +clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch +clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch +leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch +pinctrl-ti-ti-iodelay-convert-to-platform-remove-cal.patch +pinctrl-use-device_get_match_data.patch +pinctrl-ti-iodelay-use-scope-based-of_node_put-clean.patch +pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch +input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch +input-ilitek_ts_i2c-add-report-id-message-validation.patch +drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch +drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch +pci-wait-for-link-before-restoring-downstream-buses.patch +firewire-core-correct-range-of-block-for-case-of-swi.patch +pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch +clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch +clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch +leds-leds-pca995x-add-support-for-nxp-pca9956b.patch +leds-pca995x-use-device_for_each_child_node-to-acces.patch +leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch +x86-pci-check-pcie_find_root_port-return-for-null.patch +nvdimm-fix-devs-leaks-in-scan_labels.patch +pci-xilinx-nwl-fix-register-misspelling.patch +pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch +media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch +rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch +pinctrl-single-fix-missing-error-code-in-pcs_probe.patch +clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch +media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch +media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch +media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch +rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch +rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch +clk-ti-dra7-atl-fix-leak-of-of_nodes.patch +clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch +clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch +nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch +nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch +pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch +ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch +pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch +rdma-erdma-return-qp-state-in-erdma_query_qp.patch +rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch +watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch +rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch +rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch +rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch +rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch +rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch +rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch +rdma-hns-optimize-hem-allocation-performance.patch +rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch +rdma-mlx5-obtain-upper-net-device-only-when-needed.patch +input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch +riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch +rdma-cxgb4-added-null-check-for-lookup_atid.patch +rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch +ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch +ntb_perf-fix-printk-format.patch +ntb-force-physically-contiguous-allocation-of-rx-rin.patch +nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch +nfsd-return-einval-when-namelen-is-0.patch +crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch +crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch +f2fs-atomic-fix-to-avoid-racing-w-gc.patch +f2fs-reduce-expensive-checkpoint-trigger-frequency.patch +f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch +f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch +f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch +f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch +f2fs-support-.shutdown-in-f2fs_sops.patch +f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch +f2fs-compress-do-sanity-check-on-cluster-when-config.patch +f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch +f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch +f2fs-clean-up-w-dotdot_name.patch +f2fs-get-rid-of-online-repaire-on-corrupted-director.patch +f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch +spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch +spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch +lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch +spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch +nvme-multipath-system-fails-to-create-generic-nvme-d.patch +iio-adc-ad7606-fix-oversampling-gpio-array.patch +iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch +usb-dwc2-skip-clock-gating-on-broadcom-socs.patch +driver-core-fix-error-handling-in-driver-api-device_.patch +abi-testing-fix-admv8818-attr-description.patch +iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch +iio-magnetometer-ak8975-convert-enum-pointer-for-dat.patch +iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch +dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch +driver-core-fix-a-potential-null-ptr-deref-in-module.patch +serial-8250-omap-cleanup-on-error-in-request_irq.patch +coresight-tmc-sg-do-not-leak-sg_table.patch +interconnect-icc-clk-add-missed-num_nodes-initializa.patch +cxl-pci-fix-to-record-only-non-zero-ranges.patch +vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch +ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch +revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch +net-xilinx-axienet-schedule-napi-in-two-steps.patch +net-xilinx-axienet-fix-packet-counting.patch +netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch +net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch +net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch +tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch +net-qrtr-update-packets-cloning-when-broadcasting.patch +bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch +virtio_net-fix-mismatched-buf-address-when-unmapping.patch +net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch +netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch +netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch +netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch diff --git a/queue-6.6/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch b/queue-6.6/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch new file mode 100644 index 00000000000..c87b0fd88b0 --- /dev/null +++ b/queue-6.6/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch @@ -0,0 +1,49 @@ +From 597927a11a9d87a193a2485fbfcc6e74629cf7ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 08:47:26 +0000 +Subject: smackfs: Use rcu_assign_pointer() to ensure safe assignment in + smk_set_cipso + +From: Jiawei Ye + +[ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ] + +In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat` +field is directly assigned to a new value without using the appropriate +RCU pointer assignment functions. According to RCU usage rules, this is +illegal and can lead to unpredictable behavior, including data +inconsistencies and impossible-to-diagnose memory corruption issues. + +This possible bug was identified using a static analysis tool developed +by myself, specifically designed to detect RCU-related issues. + +To address this, the assignment is now done using rcu_assign_pointer(), +which ensures that the pointer assignment is done safely, with the +necessary memory barriers and synchronization. This change prevents +potential RCU dereference issues by ensuring that the `cat` field is +safely updated while still adhering to RCU's requirements. + +Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()") +Signed-off-by: Jiawei Ye +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index e22aad7604e8a..5dd1e164f9b13 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -932,7 +932,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + if (rc >= 0) { + old_cat = skp->smk_netlabel.attr.mls.cat; +- skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; ++ rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat); + skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; + synchronize_rcu(); + netlbl_catmap_free(old_cat); +-- +2.43.0 + diff --git a/queue-6.6/sock_map-add-a-cond_resched-in-sock_hash_free.patch b/queue-6.6/sock_map-add-a-cond_resched-in-sock_hash_free.patch new file mode 100644 index 00000000000..30ade649fb0 --- /dev/null +++ b/queue-6.6/sock_map-add-a-cond_resched-in-sock_hash_free.patch @@ -0,0 +1,41 @@ +From 800f512230ec57b0fb05d871a4bd1b28cc220f58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 15:44:49 +0000 +Subject: sock_map: Add a cond_resched() in sock_hash_free() + +From: Eric Dumazet + +[ Upstream commit b1339be951ad31947ae19bc25cb08769bf255100 ] + +Several syzbot soft lockup reports all have in common sock_hash_free() + +If a map with a large number of buckets is destroyed, we need to yield +the cpu when needed. + +Fixes: 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20240906154449.3742932-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + net/core/sock_map.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index a37143d181f95..2afac40bb83ca 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -1171,6 +1171,7 @@ static void sock_hash_free(struct bpf_map *map) + sock_put(elem->sk); + sock_hash_free_elem(htab, elem); + } ++ cond_resched(); + } + + /* wait for psock readers accessing its map link */ +-- +2.43.0 + diff --git a/queue-6.6/spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch b/queue-6.6/spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch new file mode 100644 index 00000000000..7f3fafd0d8e --- /dev/null +++ b/queue-6.6/spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch @@ -0,0 +1,80 @@ +From 21de8342219d956cc93da9e52016b95fd9cf65f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 10:27:43 +0200 +Subject: spi: atmel-quadspi: Avoid overwriting delay register settings + +From: Alexander Dahl + +[ Upstream commit 329ca3eed4a9a161515a8714be6ba182321385c7 ] + +Previously the MR and SCR registers were just set with the supposedly +required values, from cached register values (cached reg content +initialized to zero). + +All parts fixed here did not consider the current register (cache) +content, which would make future support of cs_setup, cs_hold, and +cs_inactive impossible. + +Setting SCBR in atmel_qspi_setup() erases a possible DLYBS setting from +atmel_qspi_set_cs_timing(). The DLYBS setting is applied by ORing over +the current setting, without resetting the bits first. All writes to MR +did not consider possible settings of DLYCS and DLYBCT. + +Signed-off-by: Alexander Dahl +Fixes: f732646d0ccd ("spi: atmel-quadspi: Add support for configuring CS timing") +Link: https://patch.msgid.link/20240918082744.379610-2-ada@thorsis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/atmel-quadspi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c +index af0464999af1f..bf7999ac22c80 100644 +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -375,9 +375,9 @@ static int atmel_qspi_set_cfg(struct atmel_qspi *aq, + * If the QSPI controller is set in regular SPI mode, set it in + * Serial Memory Mode (SMM). + */ +- if (aq->mr != QSPI_MR_SMM) { +- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR); +- aq->mr = QSPI_MR_SMM; ++ if (!(aq->mr & QSPI_MR_SMM)) { ++ aq->mr |= QSPI_MR_SMM; ++ atmel_qspi_write(aq->scr, aq, QSPI_MR); + } + + /* Clear pending interrupts */ +@@ -501,7 +501,8 @@ static int atmel_qspi_setup(struct spi_device *spi) + if (ret < 0) + return ret; + +- aq->scr = QSPI_SCR_SCBR(scbr); ++ aq->scr &= ~QSPI_SCR_SCBR_MASK; ++ aq->scr |= QSPI_SCR_SCBR(scbr); + atmel_qspi_write(aq->scr, aq, QSPI_SCR); + + pm_runtime_mark_last_busy(ctrl->dev.parent); +@@ -534,6 +535,7 @@ static int atmel_qspi_set_cs_timing(struct spi_device *spi) + if (ret < 0) + return ret; + ++ aq->scr &= ~QSPI_SCR_DLYBS_MASK; + aq->scr |= QSPI_SCR_DLYBS(cs_setup); + atmel_qspi_write(aq->scr, aq, QSPI_SCR); + +@@ -549,8 +551,8 @@ static void atmel_qspi_init(struct atmel_qspi *aq) + atmel_qspi_write(QSPI_CR_SWRST, aq, QSPI_CR); + + /* Set the QSPI controller by default in Serial Memory Mode */ +- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR); +- aq->mr = QSPI_MR_SMM; ++ aq->mr |= QSPI_MR_SMM; ++ atmel_qspi_write(aq->mr, aq, QSPI_MR); + + /* Enable the QSPI controller */ + atmel_qspi_write(QSPI_CR_QSPIEN, aq, QSPI_CR); +-- +2.43.0 + diff --git a/queue-6.6/spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch b/queue-6.6/spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch new file mode 100644 index 00000000000..378e8bc5e1e --- /dev/null +++ b/queue-6.6/spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch @@ -0,0 +1,41 @@ +From 948b4689427186b03ea71c0c301e1f11ba101802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 10:39:56 +0800 +Subject: spi: atmel-quadspi: Undo runtime PM changes at driver exit time + +From: Jinjie Ruan + +[ Upstream commit 438efb23f9581659495b85f1f6c7d5946200660c ] + +It's important to undo pm_runtime_use_autosuspend() with +pm_runtime_dont_use_autosuspend() at driver exit time unless driver +initially enabled pm_runtime with devm_pm_runtime_enable() +(which handles it for you). + +Hence, call pm_runtime_dont_use_autosuspend() at driver exit time +to fix it. + +Fixes: 4a2f83b7f780 ("spi: atmel-quadspi: add runtime pm support") +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20240906023956.1004440-1-ruanjinjie@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/atmel-quadspi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c +index 4cc4f32ca4490..af0464999af1f 100644 +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -726,6 +726,7 @@ static void atmel_qspi_remove(struct platform_device *pdev) + clk_unprepare(aq->pclk); + + pm_runtime_disable(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + } + +-- +2.43.0 + diff --git a/queue-6.6/spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch b/queue-6.6/spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch new file mode 100644 index 00000000000..409a14f68b4 --- /dev/null +++ b/queue-6.6/spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch @@ -0,0 +1,56 @@ +From 0769c4de946891fba89be3af31aedba3d532b34f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 20:49:02 +0800 +Subject: spi: bcmbca-hsspi: Fix missing pm_runtime_disable() + +From: Jinjie Ruan + +[ Upstream commit 4439a2e92cb89028b22c5d7ba1b99e75d7d889f6 ] + +The pm_runtime_disable() is missing in remove function, use +devm_pm_runtime_enable() to fix it. So the pm_runtime_disable() in +the probe error path can also be removed. + +Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller") +Signed-off-by: Jinjie Ruan +Reviewed-by: William Zhang +Link: https://patch.msgid.link/20240826124903.3429235-2-ruanjinjie@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcmbca-hsspi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-bcmbca-hsspi.c b/drivers/spi/spi-bcmbca-hsspi.c +index 9f64afd8164ea..4965bc86d7f52 100644 +--- a/drivers/spi/spi-bcmbca-hsspi.c ++++ b/drivers/spi/spi-bcmbca-hsspi.c +@@ -546,12 +546,14 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev) + goto out_put_host; + } + +- pm_runtime_enable(&pdev->dev); ++ ret = devm_pm_runtime_enable(&pdev->dev); ++ if (ret) ++ goto out_put_host; + + ret = sysfs_create_group(&pdev->dev.kobj, &bcmbca_hsspi_group); + if (ret) { + dev_err(&pdev->dev, "couldn't register sysfs group\n"); +- goto out_pm_disable; ++ goto out_put_host; + } + + /* register and we are done */ +@@ -565,8 +567,6 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev) + + out_sysgroup_disable: + sysfs_remove_group(&pdev->dev.kobj, &bcmbca_hsspi_group); +-out_pm_disable: +- pm_runtime_disable(&pdev->dev); + out_put_host: + spi_controller_put(host); + out_disable_pll_clk: +-- +2.43.0 + diff --git a/queue-6.6/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch b/queue-6.6/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch new file mode 100644 index 00000000000..0921bf36ca5 --- /dev/null +++ b/queue-6.6/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch @@ -0,0 +1,50 @@ +From cf2b69401825dfc8147acab80433e293e312cebd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 17:45:12 +0300 +Subject: spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ + +From: Andy Shevchenko + +[ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ] + +0 is incorrect error code when failed to parse and map IRQ. +Replace OF specific old API for IRQ retrieval with a generic +one to fix this issue. + +Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors") +Signed-off-by: Andy Shevchenko +Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ppc4xx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c +index 0d698580194e9..1381563941fe3 100644 +--- a/drivers/spi/spi-ppc4xx.c ++++ b/drivers/spi/spi-ppc4xx.c +@@ -26,7 +26,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -410,9 +409,10 @@ static int spi_ppc4xx_of_probe(struct platform_device *op) + } + + /* Request IRQ */ +- hw->irqnum = irq_of_parse_and_map(np, 0); +- if (hw->irqnum <= 0) ++ ret = platform_get_irq(op, 0); ++ if (ret < 0) + goto free_host; ++ hw->irqnum = ret; + + ret = request_irq(hw->irqnum, spi_ppc4xx_int, + 0, "spi_ppc4xx_of", (void *)hw); +-- +2.43.0 + diff --git a/queue-6.6/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch b/queue-6.6/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch new file mode 100644 index 00000000000..e38c1ee03ae --- /dev/null +++ b/queue-6.6/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch @@ -0,0 +1,39 @@ +From 59e33bd2d2941f587ce11ac8115aa9163ff37548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 16:40:47 +0800 +Subject: spi: ppc4xx: handle irq_of_parse_and_map() errors + +From: Ma Ke + +[ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ] + +Zero and negative number is not a valid IRQ for in-kernel code and the +irq_of_parse_and_map() function returns zero on error. So this check for +valid IRQs should only accept values > 0. + +Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ppc4xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c +index e982d3189fdce..0d698580194e9 100644 +--- a/drivers/spi/spi-ppc4xx.c ++++ b/drivers/spi/spi-ppc4xx.c +@@ -411,6 +411,9 @@ static int spi_ppc4xx_of_probe(struct platform_device *op) + + /* Request IRQ */ + hw->irqnum = irq_of_parse_and_map(np, 0); ++ if (hw->irqnum <= 0) ++ goto free_host; ++ + ret = request_irq(hw->irqnum, spi_ppc4xx_int, + 0, "spi_ppc4xx_of", (void *)hw); + if (ret) { +-- +2.43.0 + diff --git a/queue-6.6/spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch b/queue-6.6/spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch new file mode 100644 index 00000000000..aaa7c5d2204 --- /dev/null +++ b/queue-6.6/spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch @@ -0,0 +1,41 @@ +From e8332362dcbc3297b153a620b875079eb8d4bd08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 10:12:51 +0800 +Subject: spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time + +From: Jinjie Ruan + +[ Upstream commit 3b577de206d52dbde9428664b6d823d35a803d75 ] + +It's important to undo pm_runtime_use_autosuspend() with +pm_runtime_dont_use_autosuspend() at driver exit time unless driver +initially enabled pm_runtime with devm_pm_runtime_enable() +(which handles it for you). + +Hence, call pm_runtime_dont_use_autosuspend() at driver exit time +to fix it. + +Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi") +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20240906021251.610462-1-ruanjinjie@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-lpspi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c +index f7e268cf90850..180cea7d38172 100644 +--- a/drivers/spi/spi-fsl-lpspi.c ++++ b/drivers/spi/spi-fsl-lpspi.c +@@ -988,6 +988,7 @@ static void fsl_lpspi_remove(struct platform_device *pdev) + + fsl_lpspi_dma_exit(controller); + ++ pm_runtime_dont_use_autosuspend(fsl_lpspi->dev); + pm_runtime_disable(fsl_lpspi->dev); + } + +-- +2.43.0 + diff --git a/queue-6.6/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch b/queue-6.6/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch new file mode 100644 index 00000000000..0caf86026e4 --- /dev/null +++ b/queue-6.6/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch @@ -0,0 +1,351 @@ +From dec95d6d71b0cce157849352ae802cc93adc9a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 15:08:22 -0400 +Subject: tcp: check skb is non-NULL in tcp_rto_delta_us() + +From: Josh Hunt + +[ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ] + +We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic +kernel that are running ceph and recently hit a null ptr dereference in +tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also +saw it getting hit from the RACK case as well. Here are examples of the oops +messages we saw in each of those cases: + +Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 +Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode +Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page +Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 +Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI +Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu +Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 +Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 +Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 +Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 +Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 +Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 +Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 +Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 +Jul 26 15:05:02 rx [11061395.916786] Call Trace: +Jul 26 15:05:02 rx [11061395.919488] +Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f +Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 +Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 +Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 +Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 +Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 +Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 +Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 +Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 +Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 +Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 +Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 +Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 +Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 +Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 +Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 +Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 +Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 +Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 +Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 +Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30 +Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0 +Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50 +Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1 +Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40 +Jul 26 15:05:02 rx [11061396.039480] +Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50 +Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60 +Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20 +Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0 +Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0 +Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50 +Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70 +Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200 +Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0 +Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30 +Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20 +Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0 +Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100 +Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100 +Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0 +Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50 +Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70 +Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70 +Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280 +Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0 +Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0 +Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460 +Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80 +Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80 +Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0 +Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30 +Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190 +Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 +Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d +Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48 +Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e +Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d +Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275 +Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020 +Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b +Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8 +Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi +Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020 +Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]--- +Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 +Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 +Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 +Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 +Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 +Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 +Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 +Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554 +Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt +Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal + exception in interrupt ]--- + +After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case: + +Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020 +Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode +Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page +Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0 +Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI +Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu +Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246 +Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160 +Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc +Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000 +Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81 +Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000 +Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0 +Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554 +Aug 7 07:26:16 rx [1006006.399717] Call Trace: +Aug 7 07:26:16 rx [1006006.402335] +Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f +Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9 +Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380 +Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0 +Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30 +Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20 +Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450 +Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90 +Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0 +Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40 +Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160 +Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30 +Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670 +Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220 +Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450 +Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10 +Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0 +Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20 +Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0 +Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 +Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50 +Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250 +Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0 +Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140 +Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250 +Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0 +Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40 +Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130 +Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core] +Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390 +Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1 +Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0 +Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0 +Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf +Aug 7 07:26:16 rx [1006006.546421] +Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10 +Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 +Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2 +Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001 +Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082 +Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f +Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005 +Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000 +Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8 +Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140 +Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20 +Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30 +Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270 +Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30 +Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0 +Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0 +Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid] +Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020 +Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]--- + +Prior to seeing the first crash and on other machines we also see the warning in +tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans +queues are empty so we know the box is seeing some accounting issue in this area: + +Jul 26 09:15:27 kernel: ------------[ cut here ]------------ +Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988 +Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he> +Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu +Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 +Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286 +Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006 +Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0 +Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004 +Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000 +Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430 +Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000 +Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0 +Jul 26 09:15:27 kernel: PKRU: 55555554 +Jul 26 09:15:27 kernel: Call Trace: +Jul 26 09:15:27 kernel: +Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f +Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100 +Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 +Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 +Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 +Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 +Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 +Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 +Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 +Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 +Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 +Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 +Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 +Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 +Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 +Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 +Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 +Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 +Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10 +Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0 +Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30 +Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50 +Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1 +Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0 +Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140 +Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20 +Jul 26 09:15:27 kernel: +Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10 +Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 +Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001 +Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082 +Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225 +Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010 +Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000 +Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8 +Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140 +Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20 +Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30 +Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270 +Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30 +Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0 +Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0 +Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]--- + +The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb +off the head of the retransmit queue and then dereferencing that skb to get the +skb_mstamp_ns value via tcp_skb_timestamp_us(skb). + +The crash is the same one that was reported a # of years ago here: +https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t + +and the kernel we're running has the fix which was added to resolve this issue. + +Unfortunately we've been unsuccessful so far in reproducing this problem in the +lab and do not have the luxury of pushing out a new kernel to try and test if +newer kernels resolve this issue at the moment. I realize this is a report +against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this +issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657 +however I feel like since this issue has possibly cropped up again it makes +sense to build in some protection in this path (even on the latest kernel +versions) since the code in question just blindly assumes there's a valid skb +without testing if it's NULL b/f it looks at the timestamp. + +Given we have seen crashes in this path before and now this case it seems like +we should protect ourselves for when packets_out accounting is incorrect. +While we should fix that root cause we should also just make sure the skb +is not NULL before dereferencing it. Also add a warn once here to capture +some information if/when the problem case is hit again. + +Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix") +Signed-off-by: Josh Hunt +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index c206ffaa8ed70..b3917af309e0f 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2230,9 +2230,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk) + { + const struct sk_buff *skb = tcp_rtx_queue_head(sk); + u32 rto = inet_csk(sk)->icsk_rto; +- u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto); + +- return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp; ++ if (likely(skb)) { ++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto); ++ ++ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp; ++ } else { ++ WARN_ONCE(1, ++ "rtx queue emtpy: " ++ "out:%u sacked:%u lost:%u retrans:%u " ++ "tlp_high_seq:%u sk_state:%u ca_state:%u " ++ "advmss:%u mss_cache:%u pmtu:%u\n", ++ tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out, ++ tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out, ++ tcp_sk(sk)->tlp_high_seq, sk->sk_state, ++ inet_csk(sk)->icsk_ca_state, ++ tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache, ++ inet_csk(sk)->icsk_pmtu_cookie); ++ return jiffies_to_usecs(rto); ++ } ++ + } + + /* +-- +2.43.0 + diff --git a/queue-6.6/tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch b/queue-6.6/tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch new file mode 100644 index 00000000000..5f14b5b531c --- /dev/null +++ b/queue-6.6/tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch @@ -0,0 +1,47 @@ +From d7017e8d80353186976651f733c06ea2241dd6d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 17:30:45 -0700 +Subject: tools/runqslower: Fix LDFLAGS and add LDLIBS support + +From: Tony Ambardar + +[ Upstream commit f86601c3661946721e8f260bdd812b759854ac22 ] + +Actually use previously defined LDFLAGS during build and add support for +LDLIBS to link extra standalone libraries e.g. 'argp' which is not provided +by musl libc. + +Fixes: 585bf4640ebe ("tools: runqslower: Add EXTRA_CFLAGS and EXTRA_LDFLAGS support") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20240723003045.2273499-1-tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/bpf/runqslower/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/bpf/runqslower/Makefile b/tools/bpf/runqslower/Makefile +index d8288936c9120..c4f1f1735af65 100644 +--- a/tools/bpf/runqslower/Makefile ++++ b/tools/bpf/runqslower/Makefile +@@ -15,6 +15,7 @@ INCLUDES := -I$(OUTPUT) -I$(BPF_INCLUDE) -I$(abspath ../../include/uapi) + CFLAGS := -g -Wall $(CLANG_CROSS_FLAGS) + CFLAGS += $(EXTRA_CFLAGS) + LDFLAGS += $(EXTRA_LDFLAGS) ++LDLIBS += -lelf -lz + + # Try to detect best kernel BTF source + KERNEL_REL := $(shell uname -r) +@@ -51,7 +52,7 @@ clean: + libbpf_hdrs: $(BPFOBJ) + + $(OUTPUT)/runqslower: $(OUTPUT)/runqslower.o $(BPFOBJ) +- $(QUIET_LINK)$(CC) $(CFLAGS) $^ -lelf -lz -o $@ ++ $(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $^ $(LDLIBS) -o $@ + + $(OUTPUT)/runqslower.o: runqslower.h $(OUTPUT)/runqslower.skel.h \ + $(OUTPUT)/runqslower.bpf.o | libbpf_hdrs +-- +2.43.0 + diff --git a/queue-6.6/tpm-clean-up-tpm-space-after-command-failure.patch b/queue-6.6/tpm-clean-up-tpm-space-after-command-failure.patch new file mode 100644 index 00000000000..1760adf709c --- /dev/null +++ b/queue-6.6/tpm-clean-up-tpm-space-after-command-failure.patch @@ -0,0 +1,57 @@ +From 87ee8d0893c02a9f2ce1e7275d6d42f22ec5f4ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 12:55:46 +0100 +Subject: tpm: Clean up TPM space after command failure + +From: Jonathan McDowell + +[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ] + +tpm_dev_transmit prepares the TPM space before attempting command +transmission. However if the command fails no rollback of this +preparation is done. This can result in transient handles being leaked +if the device is subsequently closed with no further commands performed. + +Fix this by flushing the space in the event of command transmission +failure. + +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Signed-off-by: Jonathan McDowell +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm-dev-common.c | 2 ++ + drivers/char/tpm/tpm2-space.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c +index 30b4c288c1bbc..c3fbbf4d3db79 100644 +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -47,6 +47,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, + + if (!ret) + ret = tpm2_commit_space(chip, space, buf, &len); ++ else ++ tpm2_flush_space(chip); + + out_rc: + return ret ? ret : len; +diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c +index 363afdd4d1d30..d4d1007fe8117 100644 +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -166,6 +166,9 @@ void tpm2_flush_space(struct tpm_chip *chip) + struct tpm_space *space = &chip->work_space; + int i; + ++ if (!space) ++ return; ++ + for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) + if (space->context_tbl[i] && ~space->context_tbl[i]) + tpm2_flush_context(chip, space->context_tbl[i]); +-- +2.43.0 + diff --git a/queue-6.6/ublk-move-zone-report-data-out-of-request-pdu.patch b/queue-6.6/ublk-move-zone-report-data-out-of-request-pdu.patch new file mode 100644 index 00000000000..762a40b6437 --- /dev/null +++ b/queue-6.6/ublk-move-zone-report-data-out-of-request-pdu.patch @@ -0,0 +1,148 @@ +From 9e0c1cde8fa8a1af18e1b468ec729db807f081da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 09:36:24 +0800 +Subject: ublk: move zone report data out of request pdu + +From: Ming Lei + +[ Upstream commit 9327b51c9a9c864f5177127e09851da9d78b4943 ] + +ublk zoned takes 16 bytes in each request pdu just for handling REPORT_ZONE +operation, this way does waste memory since request pdu is allocated +statically. + +Store the transient zone report data into one global xarray, and remove +it after the report zone request is completed. This way is reasonable +since report zone is run in slow code path. + +Fixes: 29802d7ca33b ("ublk: enable zoned storage support") +Cc: Damien Le Moal +Cc: Andreas Hindborg +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20240812013624.587587-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 62 +++++++++++++++++++++++++++++----------- + 1 file changed, 46 insertions(+), 16 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index bf7f68e90953b..9cafbce1faf38 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -68,9 +68,6 @@ struct ublk_rq_data { + struct llist_node node; + + struct kref ref; +- __u64 sector; +- __u32 operation; +- __u32 nr_zones; + }; + + struct ublk_uring_cmd_pdu { +@@ -215,6 +212,33 @@ static inline bool ublk_queue_is_zoned(struct ublk_queue *ubq) + + #ifdef CONFIG_BLK_DEV_ZONED + ++struct ublk_zoned_report_desc { ++ __u64 sector; ++ __u32 operation; ++ __u32 nr_zones; ++}; ++ ++static DEFINE_XARRAY(ublk_zoned_report_descs); ++ ++static int ublk_zoned_insert_report_desc(const struct request *req, ++ struct ublk_zoned_report_desc *desc) ++{ ++ return xa_insert(&ublk_zoned_report_descs, (unsigned long)req, ++ desc, GFP_KERNEL); ++} ++ ++static struct ublk_zoned_report_desc *ublk_zoned_erase_report_desc( ++ const struct request *req) ++{ ++ return xa_erase(&ublk_zoned_report_descs, (unsigned long)req); ++} ++ ++static struct ublk_zoned_report_desc *ublk_zoned_get_report_desc( ++ const struct request *req) ++{ ++ return xa_load(&ublk_zoned_report_descs, (unsigned long)req); ++} ++ + static int ublk_get_nr_zones(const struct ublk_device *ub) + { + const struct ublk_param_basic *p = &ub->params.basic; +@@ -321,7 +345,7 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector, + unsigned int zones_in_request = + min_t(unsigned int, remaining_zones, max_zones_per_request); + struct request *req; +- struct ublk_rq_data *pdu; ++ struct ublk_zoned_report_desc desc; + blk_status_t status; + + memset(buffer, 0, buffer_length); +@@ -332,20 +356,23 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector, + goto out; + } + +- pdu = blk_mq_rq_to_pdu(req); +- pdu->operation = UBLK_IO_OP_REPORT_ZONES; +- pdu->sector = sector; +- pdu->nr_zones = zones_in_request; ++ desc.operation = UBLK_IO_OP_REPORT_ZONES; ++ desc.sector = sector; ++ desc.nr_zones = zones_in_request; ++ ret = ublk_zoned_insert_report_desc(req, &desc); ++ if (ret) ++ goto free_req; + + ret = blk_rq_map_kern(disk->queue, req, buffer, buffer_length, + GFP_KERNEL); +- if (ret) { +- blk_mq_free_request(req); +- goto out; +- } ++ if (ret) ++ goto erase_desc; + + status = blk_execute_rq(req, 0); + ret = blk_status_to_errno(status); ++erase_desc: ++ ublk_zoned_erase_report_desc(req); ++free_req: + blk_mq_free_request(req); + if (ret) + goto out; +@@ -379,7 +406,7 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq, + { + struct ublksrv_io_desc *iod = ublk_get_iod(ubq, req->tag); + struct ublk_io *io = &ubq->ios[req->tag]; +- struct ublk_rq_data *pdu = blk_mq_rq_to_pdu(req); ++ struct ublk_zoned_report_desc *desc; + u32 ublk_op; + + switch (req_op(req)) { +@@ -402,12 +429,15 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq, + ublk_op = UBLK_IO_OP_ZONE_RESET_ALL; + break; + case REQ_OP_DRV_IN: +- ublk_op = pdu->operation; ++ desc = ublk_zoned_get_report_desc(req); ++ if (!desc) ++ return BLK_STS_IOERR; ++ ublk_op = desc->operation; + switch (ublk_op) { + case UBLK_IO_OP_REPORT_ZONES: + iod->op_flags = ublk_op | ublk_req_build_flags(req); +- iod->nr_zones = pdu->nr_zones; +- iod->start_sector = pdu->sector; ++ iod->nr_zones = desc->nr_zones; ++ iod->start_sector = desc->sector; + return BLK_STS_OK; + default: + return BLK_STS_IOERR; +-- +2.43.0 + diff --git a/queue-6.6/usb-dwc2-skip-clock-gating-on-broadcom-socs.patch b/queue-6.6/usb-dwc2-skip-clock-gating-on-broadcom-socs.patch new file mode 100644 index 00000000000..936c117c8c8 --- /dev/null +++ b/queue-6.6/usb-dwc2-skip-clock-gating-on-broadcom-socs.patch @@ -0,0 +1,72 @@ +From 766b69a6ddf1b2cae26f04f85a3d38e95247ac1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jul 2024 15:00:26 +0200 +Subject: usb: dwc2: Skip clock gating on Broadcom SoCs + +From: Stefan Wahren + +[ Upstream commit d483f034f03261c8c8450d106aa243837122b5f0 ] + +On resume of the Raspberry Pi the dwc2 driver fails to enable +HCD_FLAG_HW_ACCESSIBLE before re-enabling the interrupts. +This causes a situation where both handler ignore a incoming port +interrupt and force the upper layers to disable the dwc2 interrupt line. +This leaves the USB interface in a unusable state: + +irq 66: nobody cared (try booting with the "irqpoll" option) +CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x10/0x14 +show_stack from dump_stack_lvl+0x50/0x64 +dump_stack_lvl from __report_bad_irq+0x38/0xc0 +__report_bad_irq from note_interrupt+0x2ac/0x2f4 +note_interrupt from handle_irq_event+0x88/0x8c +handle_irq_event from handle_level_irq+0xb4/0x1ac +handle_level_irq from generic_handle_domain_irq+0x24/0x34 +generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 +bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 +generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 +generic_handle_arch_irq from __irq_svc+0x88/0xb0 +Exception stack(0xc1b01f20 to 0xc1b01f68) +1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8 +1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160 +1f60: 60000013 ffffffff +__irq_svc from default_idle_call+0x1c/0xb0 +default_idle_call from do_idle+0x21c/0x284 +do_idle from cpu_startup_entry+0x28/0x2c +cpu_startup_entry from kernel_init+0x0/0x12c +handlers: +[] dwc2_handle_common_intr +[<75cd278b>] usb_hcd_irq +Disabling IRQ #66 + +Disabling clock gating workaround this issue. + +Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.") +Link: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/ +Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/ +Signed-off-by: Stefan Wahren +Acked-by: Minas Harutyunyan +Link: https://lore.kernel.org/r/20240728130029.78279-5-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/params.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c +index 93f52e371cddb..0634ba55bec67 100644 +--- a/drivers/usb/dwc2/params.c ++++ b/drivers/usb/dwc2/params.c +@@ -23,6 +23,7 @@ static void dwc2_set_bcm_params(struct dwc2_hsotg *hsotg) + p->max_transfer_size = 65535; + p->max_packet_count = 511; + p->ahbcfg = 0x10; ++ p->no_clock_gating = true; + } + + static void dwc2_set_his_params(struct dwc2_hsotg *hsotg) +-- +2.43.0 + diff --git a/queue-6.6/vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch b/queue-6.6/vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch new file mode 100644 index 00000000000..10848e45264 --- /dev/null +++ b/queue-6.6/vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch @@ -0,0 +1,95 @@ +From f1fb2b2a9b63bb976772e93e688d7c8025690ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 11:19:00 +0800 +Subject: vhost_vdpa: assign irq bypass producer token correctly + +From: Jason Wang + +[ Upstream commit 02e9e9366fefe461719da5d173385b6685f70319 ] + +We used to call irq_bypass_unregister_producer() in +vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the +token pointer is still valid or not. + +Actually, we use the eventfd_ctx as the token so the life cycle of the +token should be bound to the VHOST_SET_VRING_CALL instead of +vhost_vdpa_setup_vq_irq() which could be called by set_status(). + +Fixing this by setting up irq bypass producer's token when handling +VHOST_SET_VRING_CALL and un-registering the producer before calling +vhost_vring_ioctl() to prevent a possible use after free as eventfd +could have been released in vhost_vring_ioctl(). And such registering +and unregistering will only be done if DRIVER_OK is set. + +Reported-by: Dragos Tatulea +Tested-by: Dragos Tatulea +Reviewed-by: Dragos Tatulea +Fixes: 2cf1ba9a4d15 ("vhost_vdpa: implement IRQ offloading in vhost_vdpa") +Signed-off-by: Jason Wang +Message-Id: <20240816031900.18013-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vdpa.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c +index da2c31ccc1380..c29a195a0175c 100644 +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -191,11 +191,9 @@ static void vhost_vdpa_setup_vq_irq(struct vhost_vdpa *v, u16 qid) + if (irq < 0) + return; + +- irq_bypass_unregister_producer(&vq->call_ctx.producer); + if (!vq->call_ctx.ctx) + return; + +- vq->call_ctx.producer.token = vq->call_ctx.ctx; + vq->call_ctx.producer.irq = irq; + ret = irq_bypass_register_producer(&vq->call_ctx.producer); + if (unlikely(ret)) +@@ -627,6 +625,14 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd, + vq->last_avail_idx = vq_state.split.avail_index; + } + break; ++ case VHOST_SET_VRING_CALL: ++ if (vq->call_ctx.ctx) { ++ if (ops->get_status(vdpa) & ++ VIRTIO_CONFIG_S_DRIVER_OK) ++ vhost_vdpa_unsetup_vq_irq(v, idx); ++ vq->call_ctx.producer.token = NULL; ++ } ++ break; + } + + r = vhost_vring_ioctl(&v->vdev, cmd, argp); +@@ -659,13 +665,16 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd, + cb.callback = vhost_vdpa_virtqueue_cb; + cb.private = vq; + cb.trigger = vq->call_ctx.ctx; ++ vq->call_ctx.producer.token = vq->call_ctx.ctx; ++ if (ops->get_status(vdpa) & ++ VIRTIO_CONFIG_S_DRIVER_OK) ++ vhost_vdpa_setup_vq_irq(v, idx); + } else { + cb.callback = NULL; + cb.private = NULL; + cb.trigger = NULL; + } + ops->set_vq_cb(vdpa, idx, &cb); +- vhost_vdpa_setup_vq_irq(v, idx); + break; + + case VHOST_SET_VRING_NUM: +@@ -1316,6 +1325,7 @@ static int vhost_vdpa_open(struct inode *inode, struct file *filep) + for (i = 0; i < nvqs; i++) { + vqs[i] = &v->vqs[i]; + vqs[i]->handle_kick = handle_vq_kick; ++ vqs[i]->call_ctx.ctx = NULL; + } + vhost_dev_init(dev, vqs, nvqs, 0, 0, 0, false, + vhost_vdpa_process_iotlb_msg); +-- +2.43.0 + diff --git a/queue-6.6/virtio_net-fix-mismatched-buf-address-when-unmapping.patch b/queue-6.6/virtio_net-fix-mismatched-buf-address-when-unmapping.patch new file mode 100644 index 00000000000..07edfb63585 --- /dev/null +++ b/queue-6.6/virtio_net-fix-mismatched-buf-address-when-unmapping.patch @@ -0,0 +1,67 @@ +From 613770bc9571cf1628c720ffd8fcc6fa966bfe0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 16:13:51 +0800 +Subject: virtio_net: Fix mismatched buf address when unmapping for small + packets + +From: Wenbo Li + +[ Upstream commit c11a49d58ad229a1be1ebe08a2b68fedf83db6c8 ] + +Currently, the virtio-net driver will perform a pre-dma-mapping for +small or mergeable RX buffer. But for small packets, a mismatched address +without VIRTNET_RX_PAD and xdp_headroom is used for unmapping. + +That will result in unsynchronized buffers when SWIOTLB is enabled, for +example, when running as a TDX guest. + +This patch unifies the address passed to the virtio core as the address of +the virtnet header and fixes the mismatched buffer address. + +Changes from v2: unify the buf that passed to the virtio core in small +and merge mode. +Changes from v1: Use ctx to get xdp_headroom. + +Fixes: 295525e29a5b ("virtio_net: merge dma operations when filling mergeable buffers") +Signed-off-by: Wenbo Li +Signed-off-by: Jiahui Cen +Signed-off-by: Ying Fang +Reviewed-by: Xuan Zhuo +Link: https://patch.msgid.link/20240919081351.51772-1-liwenbo.martin@bytedance.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index bc01f2dafa948..2da3be3fb9423 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1269,6 +1269,11 @@ static struct sk_buff *receive_small(struct net_device *dev, + struct page *page = virt_to_head_page(buf); + struct sk_buff *skb; + ++ /* We passed the address of virtnet header to virtio-core, ++ * so truncate the padding. ++ */ ++ buf -= VIRTNET_RX_PAD + xdp_headroom; ++ + len -= vi->hdr_len; + u64_stats_add(&stats->bytes, len); + +@@ -1859,8 +1864,9 @@ static int add_recvbuf_small(struct virtnet_info *vi, struct receive_queue *rq, + if (unlikely(!buf)) + return -ENOMEM; + +- virtnet_rq_init_one_sg(rq, buf + VIRTNET_RX_PAD + xdp_headroom, +- vi->hdr_len + GOOD_PACKET_LEN); ++ buf += VIRTNET_RX_PAD + xdp_headroom; ++ ++ virtnet_rq_init_one_sg(rq, buf, vi->hdr_len + GOOD_PACKET_LEN); + + err = virtqueue_add_inbuf_ctx(rq->vq, rq->sg, 1, buf, ctx, gfp); + if (err < 0) { +-- +2.43.0 + diff --git a/queue-6.6/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch b/queue-6.6/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch new file mode 100644 index 00000000000..6e6c8ff17a1 --- /dev/null +++ b/queue-6.6/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch @@ -0,0 +1,73 @@ +From 153c9485bee49762788f1cde8cc661f00546a000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 14:18:45 +0200 +Subject: watchdog: imx_sc_wdt: Don't disable WDT in suspend + +From: Jonas Blixt + +[ Upstream commit 2d9d6d300fb0a4ae4431bb308027ac9385746d42 ] + +Parts of the suspend and resume chain is left unprotected if we disable +the WDT here. + +>From experiments we can see that the SCU disables and re-enables the WDT +when we enter and leave suspend to ram. By not touching the WDT here we +are protected by the WDT all the way to the SCU. + +Signed-off-by: Jonas Blixt +CC: Anson Huang +Fixes: 986857acbc9a ("watchdog: imx_sc: Add i.MX system controller watchdog support") +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240801121845.1465765-1-jonas.blixt@actia.se +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/imx_sc_wdt.c | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/drivers/watchdog/imx_sc_wdt.c b/drivers/watchdog/imx_sc_wdt.c +index 8ac021748d160..79649b0e89e47 100644 +--- a/drivers/watchdog/imx_sc_wdt.c ++++ b/drivers/watchdog/imx_sc_wdt.c +@@ -213,29 +213,6 @@ static int imx_sc_wdt_probe(struct platform_device *pdev) + return devm_watchdog_register_device(dev, wdog); + } + +-static int __maybe_unused imx_sc_wdt_suspend(struct device *dev) +-{ +- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev); +- +- if (watchdog_active(&imx_sc_wdd->wdd)) +- imx_sc_wdt_stop(&imx_sc_wdd->wdd); +- +- return 0; +-} +- +-static int __maybe_unused imx_sc_wdt_resume(struct device *dev) +-{ +- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev); +- +- if (watchdog_active(&imx_sc_wdd->wdd)) +- imx_sc_wdt_start(&imx_sc_wdd->wdd); +- +- return 0; +-} +- +-static SIMPLE_DEV_PM_OPS(imx_sc_wdt_pm_ops, +- imx_sc_wdt_suspend, imx_sc_wdt_resume); +- + static const struct of_device_id imx_sc_wdt_dt_ids[] = { + { .compatible = "fsl,imx-sc-wdt", }, + { /* sentinel */ } +@@ -247,7 +224,6 @@ static struct platform_driver imx_sc_wdt_driver = { + .driver = { + .name = "imx-sc-wdt", + .of_match_table = imx_sc_wdt_dt_ids, +- .pm = &imx_sc_wdt_pm_ops, + }, + }; + module_platform_driver(imx_sc_wdt_driver); +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch b/queue-6.6/wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch new file mode 100644 index 00000000000..d5a43d698fb --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch @@ -0,0 +1,62 @@ +From 277630e4ac9c6d20da23acec14acbbd44dcb871c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 00:02:31 +0530 +Subject: wifi: ath12k: fix BSS chan info request WMI command + +From: P Praneesh + +[ Upstream commit 59529c982f85047650fd473db903b23006a796c6 ] + +Currently, the firmware returns incorrect pdev_id information in +WMI_PDEV_BSS_CHAN_INFO_EVENTID, leading to incorrect filling of +the pdev's survey information. + +To prevent this issue, when requesting BSS channel information +through WMI_PDEV_BSS_CHAN_INFO_REQUEST_CMDID, firmware expects +pdev_id as one of the arguments in this WMI command. + +Add pdev_id to the struct wmi_pdev_bss_chan_info_req_cmd and fill it +during ath12k_wmi_pdev_bss_chan_info_request(). This resolves the +issue of sending the correct pdev_id in WMI_PDEV_BSS_CHAN_INFO_EVENTID. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: P Praneesh +Signed-off-by: Karthikeyan Kathirvel +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240331183232.2158756-2-quic_kathirve@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 1 + + drivers/net/wireless/ath/ath12k/wmi.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index 21399ad233c02..9105fdd14c667 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -1501,6 +1501,7 @@ int ath12k_wmi_pdev_bss_chan_info_request(struct ath12k *ar, + cmd->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_PDEV_BSS_CHAN_INFO_REQUEST, + sizeof(*cmd)); + cmd->req_type = cpu_to_le32(type); ++ cmd->pdev_id = cpu_to_le32(ar->pdev->pdev_id); + + ath12k_dbg(ar->ab, ATH12K_DBG_WMI, + "WMI bss chan info req type %d\n", type); +diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h +index c75a6fa1f7e08..6549c3853be46 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.h ++++ b/drivers/net/wireless/ath/ath12k/wmi.h +@@ -3058,6 +3058,7 @@ struct wmi_pdev_bss_chan_info_req_cmd { + __le32 tlv_header; + /* ref wmi_bss_chan_info_req_type */ + __le32 req_type; ++ __le32 pdev_id; + } __packed; + + struct wmi_ap_ps_peer_cmd { +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch b/queue-6.6/wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch new file mode 100644 index 00000000000..7f1ee5d1f29 --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch @@ -0,0 +1,44 @@ +From 16aa49055ff141dd7a4013ce8b5db859f639eb94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 10:18:19 +0800 +Subject: wifi: ath12k: fix invalid AMPDU factor calculation in + ath12k_peer_assoc_h_he() + +From: Baochen Qiang + +[ Upstream commit a66de2d0f22b1740f3f9777776ad98c4bee62dff ] + +Currently ampdu_factor is wrongly calculated in ath12k_peer_assoc_h_he(), fix it. + +This is found during code review. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240710021819.87216-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index dd2a7c95517be..4bb30e4037287 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -1681,9 +1681,8 @@ static void ath12k_peer_assoc_h_he(struct ath12k *ar, + * request, then use MAX_AMPDU_LEN_FACTOR as 16 to calculate max_ampdu + * length. + */ +- ampdu_factor = (he_cap->he_cap_elem.mac_cap_info[3] & +- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK) >> +- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK; ++ ampdu_factor = u8_get_bits(he_cap->he_cap_elem.mac_cap_info[3], ++ IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK); + + if (ampdu_factor) { + if (sta->deflink.vht_cap.vht_supported) +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch b/queue-6.6/wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch new file mode 100644 index 00000000000..4830d613560 --- /dev/null +++ b/queue-6.6/wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch @@ -0,0 +1,52 @@ +From 3b684e31290e7bb609d0d61db3d9641791920735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 00:02:32 +0530 +Subject: wifi: ath12k: match WMI BSS chan info structure with firmware + definition + +From: P Praneesh + +[ Upstream commit dd98d54db29fb553839f43ade5f547baa93392c8 ] + +struct wmi_pdev_bss_chan_info_event is not similar to the firmware +struct definition, this will cause some random failures. + +Fix by matching the struct wmi_pdev_bss_chan_info_event with the +firmware structure definition. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: P Praneesh +Signed-off-by: Karthikeyan Kathirvel +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240331183232.2158756-3-quic_kathirve@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h +index 6549c3853be46..a19a2c29f2264 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.h ++++ b/drivers/net/wireless/ath/ath12k/wmi.h +@@ -4034,7 +4034,6 @@ struct wmi_vdev_stopped_event { + } __packed; + + struct wmi_pdev_bss_chan_info_event { +- __le32 pdev_id; + __le32 freq; /* Units in MHz */ + __le32 noise_floor; /* units are dBm */ + /* rx clear - how often the channel was unused */ +@@ -4052,6 +4051,7 @@ struct wmi_pdev_bss_chan_info_event { + /*rx_cycle cnt for my bss in 64bits format */ + __le32 rx_bss_cycle_count_low; + __le32 rx_bss_cycle_count_high; ++ __le32 pdev_id; + } __packed; + + #define WMI_VDEV_INSTALL_KEY_COMPL_STATUS_SUCCESS 0 +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch b/queue-6.6/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch new file mode 100644 index 00000000000..7820e6cc156 --- /dev/null +++ b/queue-6.6/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch @@ -0,0 +1,68 @@ +From 7eaec677e79aef18b5775b0917961456defc5b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 13:02:22 +0200 +Subject: wifi: ath9k: Remove error checks when creating debugfs entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ] + +We should not be checking the return values from debugfs creation at all: the +debugfs functions are designed to handle errors of previously called functions +and just transparently abort the creation of debugfs entries when debugfs is +disabled. If we check the return value and abort driver initialisation, we break +the driver if debugfs is disabled (such as when booting with debugfs=off). + +Earlier versions of ath9k accidentally did the right thing by checking the +return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two +commits referenced below, breaking ath9k with debugfs=off starting from the 6.6 +kernel (as reported in the Bugzilla linked below). + +Restore functionality by just getting rid of the return value check entirely. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122 +Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()") +Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()") +Reported-by: Daniel Tobias +Tested-by: Daniel Tobias +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 2 -- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index a0376a6787b8d..808fb6747a7f7 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1380,8 +1380,6 @@ int ath9k_init_debug(struct ath_hw *ah) + + sc->debug.debugfs_phy = debugfs_create_dir("ath9k", + sc->hw->wiphy->debugfsdir); +- if (IS_ERR(sc->debug.debugfs_phy)) +- return -ENOMEM; + + #ifdef CONFIG_ATH_DEBUG + debugfs_create_file("debug", 0600, sc->debug.debugfs_phy, +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index 278ddc713fdc2..7b14528224319 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -486,8 +486,6 @@ int ath9k_htc_init_debug(struct ath_hw *ah) + + priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME, + priv->hw->wiphy->debugfsdir); +- if (IS_ERR(priv->debug.debugfs_phy)) +- return -ENOMEM; + + ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy); + +-- +2.43.0 + diff --git a/queue-6.6/wifi-brcmfmac-export-firmware-interface-functions.patch b/queue-6.6/wifi-brcmfmac-export-firmware-interface-functions.patch new file mode 100644 index 00000000000..e4e1627c445 --- /dev/null +++ b/queue-6.6/wifi-brcmfmac-export-firmware-interface-functions.patch @@ -0,0 +1,387 @@ +From 8374b4c5b54bf726b775de0b6c100e8de153177d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 10:57:01 +0100 +Subject: wifi: brcmfmac: export firmware interface functions + +From: Arend van Spriel + +[ Upstream commit 31343230abb1683e8afb254e6b13a7a7fd01fcac ] + +With multi-vendor support the vendor-specific module may need to use +the firmware interface functions so export them using the macro +BRCMF_EXPORT_SYMBOL_GPL() which exports them to driver namespace. + +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240103095704.135651-2-arend.vanspriel@broadcom.com +Stable-dep-of: c6002b6c05f3 ("wifi: brcmfmac: introducing fwil query functions") +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +- + .../broadcom/brcm80211/brcmfmac/core.c | 2 +- + .../broadcom/brcm80211/brcmfmac/feature.c | 2 +- + .../broadcom/brcm80211/brcmfmac/fwil.c | 115 +--------------- + .../broadcom/brcm80211/brcmfmac/fwil.h | 127 +++++++++++++++--- + 5 files changed, 121 insertions(+), 129 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index da4968e66725b..fb91ebe5553e1 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -3067,7 +3067,7 @@ brcmf_cfg80211_get_station_ibss(struct brcmf_if *ifp, + struct brcmf_scb_val_le scbval; + struct brcmf_pktcnt_le pktcnt; + s32 err; +- u32 rate; ++ u32 rate = 0; + u32 rssi; + + /* Get the current tx rate */ +@@ -7269,7 +7269,7 @@ static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg) + u32 nmode = 0; + u32 vhtmode = 0; + u32 bw_cap[2] = { WLC_BW_20MHZ_BIT, WLC_BW_20MHZ_BIT }; +- u32 rxchain; ++ u32 rxchain = 0; + u32 nchain; + int err; + s32 i; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index f599d5f896e89..a92f78026cfda 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -691,7 +691,7 @@ static int brcmf_net_mon_open(struct net_device *ndev) + { + struct brcmf_if *ifp = netdev_priv(ndev); + struct brcmf_pub *drvr = ifp->drvr; +- u32 monitor; ++ u32 monitor = 0; + int err; + + brcmf_dbg(TRACE, "Enter\n"); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +index 909a34a1ab503..7fef93ede0fb3 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +@@ -184,7 +184,7 @@ static void brcmf_feat_wlc_version_overrides(struct brcmf_pub *drv) + static void brcmf_feat_iovar_int_get(struct brcmf_if *ifp, + enum brcmf_feat_id id, char *name) + { +- u32 data; ++ u32 data = 0; + int err; + + /* we need to know firmware error */ +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.c +index a9514d72f770b..bc1c6b5a6e316 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.c +@@ -142,6 +142,7 @@ brcmf_fil_cmd_data_set(struct brcmf_if *ifp, u32 cmd, void *data, u32 len) + + return err; + } ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_cmd_data_set); + + s32 + brcmf_fil_cmd_data_get(struct brcmf_if *ifp, u32 cmd, void *data, u32 len) +@@ -160,36 +161,7 @@ brcmf_fil_cmd_data_get(struct brcmf_if *ifp, u32 cmd, void *data, u32 len) + + return err; + } +- +- +-s32 +-brcmf_fil_cmd_int_set(struct brcmf_if *ifp, u32 cmd, u32 data) +-{ +- s32 err; +- __le32 data_le = cpu_to_le32(data); +- +- mutex_lock(&ifp->drvr->proto_block); +- brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, data); +- err = brcmf_fil_cmd_data(ifp, cmd, &data_le, sizeof(data_le), true); +- mutex_unlock(&ifp->drvr->proto_block); +- +- return err; +-} +- +-s32 +-brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data) +-{ +- s32 err; +- __le32 data_le = cpu_to_le32(*data); +- +- mutex_lock(&ifp->drvr->proto_block); +- err = brcmf_fil_cmd_data(ifp, cmd, &data_le, sizeof(data_le), false); +- mutex_unlock(&ifp->drvr->proto_block); +- *data = le32_to_cpu(data_le); +- brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data); +- +- return err; +-} ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_cmd_data_get); + + static u32 + brcmf_create_iovar(const char *name, const char *data, u32 datalen, +@@ -271,26 +243,7 @@ brcmf_fil_iovar_data_get(struct brcmf_if *ifp, const char *name, void *data, + mutex_unlock(&drvr->proto_block); + return err; + } +- +-s32 +-brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data) +-{ +- __le32 data_le = cpu_to_le32(data); +- +- return brcmf_fil_iovar_data_set(ifp, name, &data_le, sizeof(data_le)); +-} +- +-s32 +-brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data) +-{ +- __le32 data_le = cpu_to_le32(*data); +- s32 err; +- +- err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le)); +- if (err == 0) +- *data = le32_to_cpu(data_le); +- return err; +-} ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_iovar_data_get); + + static u32 + brcmf_create_bsscfg(s32 bsscfgidx, const char *name, char *data, u32 datalen, +@@ -365,6 +318,7 @@ brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name, + mutex_unlock(&drvr->proto_block); + return err; + } ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_bsscfg_data_set); + + s32 + brcmf_fil_bsscfg_data_get(struct brcmf_if *ifp, const char *name, +@@ -395,28 +349,7 @@ brcmf_fil_bsscfg_data_get(struct brcmf_if *ifp, const char *name, + mutex_unlock(&drvr->proto_block); + return err; + } +- +-s32 +-brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data) +-{ +- __le32 data_le = cpu_to_le32(data); +- +- return brcmf_fil_bsscfg_data_set(ifp, name, &data_le, +- sizeof(data_le)); +-} +- +-s32 +-brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data) +-{ +- __le32 data_le = cpu_to_le32(*data); +- s32 err; +- +- err = brcmf_fil_bsscfg_data_get(ifp, name, &data_le, +- sizeof(data_le)); +- if (err == 0) +- *data = le32_to_cpu(data_le); +- return err; +-} ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_bsscfg_data_get); + + static u32 brcmf_create_xtlv(const char *name, u16 id, char *data, u32 len, + char *buf, u32 buflen) +@@ -466,6 +399,7 @@ s32 brcmf_fil_xtlv_data_set(struct brcmf_if *ifp, const char *name, u16 id, + mutex_unlock(&drvr->proto_block); + return err; + } ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_xtlv_data_set); + + s32 brcmf_fil_xtlv_data_get(struct brcmf_if *ifp, const char *name, u16 id, + void *data, u32 len) +@@ -495,39 +429,4 @@ s32 brcmf_fil_xtlv_data_get(struct brcmf_if *ifp, const char *name, u16 id, + mutex_unlock(&drvr->proto_block); + return err; + } +- +-s32 brcmf_fil_xtlv_int_set(struct brcmf_if *ifp, const char *name, u16 id, u32 data) +-{ +- __le32 data_le = cpu_to_le32(data); +- +- return brcmf_fil_xtlv_data_set(ifp, name, id, &data_le, +- sizeof(data_le)); +-} +- +-s32 brcmf_fil_xtlv_int_get(struct brcmf_if *ifp, const char *name, u16 id, u32 *data) +-{ +- __le32 data_le = cpu_to_le32(*data); +- s32 err; +- +- err = brcmf_fil_xtlv_data_get(ifp, name, id, &data_le, sizeof(data_le)); +- if (err == 0) +- *data = le32_to_cpu(data_le); +- return err; +-} +- +-s32 brcmf_fil_xtlv_int8_get(struct brcmf_if *ifp, const char *name, u16 id, u8 *data) +-{ +- return brcmf_fil_xtlv_data_get(ifp, name, id, data, sizeof(*data)); +-} +- +-s32 brcmf_fil_xtlv_int16_get(struct brcmf_if *ifp, const char *name, u16 id, u16 *data) +-{ +- __le16 data_le = cpu_to_le16(*data); +- s32 err; +- +- err = brcmf_fil_xtlv_data_get(ifp, name, id, &data_le, sizeof(data_le)); +- if (err == 0) +- *data = le16_to_cpu(data_le); +- return err; +-} +- ++BRCMF_EXPORT_SYMBOL_GPL(brcmf_fil_xtlv_data_get); +\ No newline at end of file +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h +index bc693157c4b1c..a315a7fac6a06 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h +@@ -81,29 +81,122 @@ + + s32 brcmf_fil_cmd_data_set(struct brcmf_if *ifp, u32 cmd, void *data, u32 len); + s32 brcmf_fil_cmd_data_get(struct brcmf_if *ifp, u32 cmd, void *data, u32 len); +-s32 brcmf_fil_cmd_int_set(struct brcmf_if *ifp, u32 cmd, u32 data); +-s32 brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data); ++static inline ++s32 brcmf_fil_cmd_int_set(struct brcmf_if *ifp, u32 cmd, u32 data) ++{ ++ s32 err; ++ __le32 data_le = cpu_to_le32(data); + +-s32 brcmf_fil_iovar_data_set(struct brcmf_if *ifp, const char *name, const void *data, +- u32 len); ++ brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, data); ++ err = brcmf_fil_cmd_data_set(ifp, cmd, &data_le, sizeof(data_le)); ++ ++ return err; ++} ++static inline ++s32 brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data) ++{ ++ s32 err; ++ __le32 data_le = cpu_to_le32(*data); ++ ++ err = brcmf_fil_cmd_data_get(ifp, cmd, &data_le, sizeof(data_le)); ++ if (err == 0) ++ *data = le32_to_cpu(data_le); ++ brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data); ++ ++ return err; ++} ++ ++s32 brcmf_fil_iovar_data_set(struct brcmf_if *ifp, const char *name, ++ const void *data, u32 len); + s32 brcmf_fil_iovar_data_get(struct brcmf_if *ifp, const char *name, void *data, + u32 len); +-s32 brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data); +-s32 brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data); +- +-s32 brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name, void *data, +- u32 len); +-s32 brcmf_fil_bsscfg_data_get(struct brcmf_if *ifp, const char *name, void *data, +- u32 len); +-s32 brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data); +-s32 brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data); ++static inline ++s32 brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data) ++{ ++ __le32 data_le = cpu_to_le32(data); ++ ++ return brcmf_fil_iovar_data_set(ifp, name, &data_le, sizeof(data_le)); ++} ++static inline ++s32 brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data) ++{ ++ __le32 data_le = cpu_to_le32(*data); ++ s32 err; ++ ++ err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le)); ++ if (err == 0) ++ *data = le32_to_cpu(data_le); ++ return err; ++} ++ ++ ++s32 brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name, ++ void *data, u32 len); ++s32 brcmf_fil_bsscfg_data_get(struct brcmf_if *ifp, const char *name, ++ void *data, u32 len); ++static inline ++s32 brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data) ++{ ++ __le32 data_le = cpu_to_le32(data); ++ ++ return brcmf_fil_bsscfg_data_set(ifp, name, &data_le, ++ sizeof(data_le)); ++} ++static inline ++s32 brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data) ++{ ++ __le32 data_le = cpu_to_le32(*data); ++ s32 err; ++ ++ err = brcmf_fil_bsscfg_data_get(ifp, name, &data_le, ++ sizeof(data_le)); ++ if (err == 0) ++ *data = le32_to_cpu(data_le); ++ return err; ++} ++ + s32 brcmf_fil_xtlv_data_set(struct brcmf_if *ifp, const char *name, u16 id, + void *data, u32 len); + s32 brcmf_fil_xtlv_data_get(struct brcmf_if *ifp, const char *name, u16 id, + void *data, u32 len); +-s32 brcmf_fil_xtlv_int_set(struct brcmf_if *ifp, const char *name, u16 id, u32 data); +-s32 brcmf_fil_xtlv_int_get(struct brcmf_if *ifp, const char *name, u16 id, u32 *data); +-s32 brcmf_fil_xtlv_int8_get(struct brcmf_if *ifp, const char *name, u16 id, u8 *data); +-s32 brcmf_fil_xtlv_int16_get(struct brcmf_if *ifp, const char *name, u16 id, u16 *data); ++static inline ++s32 brcmf_fil_xtlv_int_set(struct brcmf_if *ifp, const char *name, u16 id, ++ u32 data) ++{ ++ __le32 data_le = cpu_to_le32(data); ++ ++ return brcmf_fil_xtlv_data_set(ifp, name, id, &data_le, ++ sizeof(data_le)); ++} ++static inline ++s32 brcmf_fil_xtlv_int_get(struct brcmf_if *ifp, const char *name, u16 id, ++ u32 *data) ++{ ++ __le32 data_le = cpu_to_le32(*data); ++ s32 err; ++ ++ err = brcmf_fil_xtlv_data_get(ifp, name, id, &data_le, sizeof(data_le)); ++ if (err == 0) ++ *data = le32_to_cpu(data_le); ++ return err; ++} ++static inline ++s32 brcmf_fil_xtlv_int8_get(struct brcmf_if *ifp, const char *name, u16 id, ++ u8 *data) ++{ ++ return brcmf_fil_xtlv_data_get(ifp, name, id, data, sizeof(*data)); ++} ++static inline ++s32 brcmf_fil_xtlv_int16_get(struct brcmf_if *ifp, const char *name, u16 id, ++ u16 *data) ++{ ++ __le16 data_le = cpu_to_le16(*data); ++ s32 err; ++ ++ err = brcmf_fil_xtlv_data_get(ifp, name, id, &data_le, sizeof(data_le)); ++ if (err == 0) ++ *data = le16_to_cpu(data_le); ++ return err; ++} + + #endif /* _fwil_h_ */ +-- +2.43.0 + diff --git a/queue-6.6/wifi-brcmfmac-introducing-fwil-query-functions.patch b/queue-6.6/wifi-brcmfmac-introducing-fwil-query-functions.patch new file mode 100644 index 00000000000..2d197a9f795 --- /dev/null +++ b/queue-6.6/wifi-brcmfmac-introducing-fwil-query-functions.patch @@ -0,0 +1,272 @@ +From 2dc7f490abf5ca5c3b2f1d371a29e7495bf8a5ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jul 2024 20:56:17 +0200 +Subject: wifi: brcmfmac: introducing fwil query functions + +From: Arend van Spriel + +[ Upstream commit c6002b6c05f3edfa12fd25990cc637281f200442 ] + +When the firmware interface layer was refactored it provided various +"get" and "set" functions. For the "get" in some cases a parameter +needed to be passed down to firmware as a key indicating what to +"get" turning the output parameter of the "get" function into an +input parameter as well. To accommodate this the "get" function blindly +copies the parameter which in some places resulted in an uninitialized +warnings from the compiler. These have been fixed by initializing the +input parameter in the past. Recently another batch of similar fixes +were submitted to address clang static checker warnings [1]. + +Proposing another solution by introducing a "query" variant which is used +when the (input) parameter is needed by firmware. The "get" variant will +only fill the (output) parameter with the result received from firmware +taking care of proper endianess conversion. + +[1] https://lore.kernel.org/all/20240702122450.2213833-1-suhui@nfschina.com/ + +Fixes: 81f5dcb80830 ("brcmfmac: refactor firmware interface layer.") +Reported-by: Su Hui +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240727185617.253210-1-arend.vanspriel@broadcom.com +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/btcoex.c | 2 +- + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 30 +++++++------- + .../broadcom/brcm80211/brcmfmac/core.c | 2 +- + .../broadcom/brcm80211/brcmfmac/feature.c | 2 +- + .../broadcom/brcm80211/brcmfmac/fwil.h | 40 ++++++++++++++----- + 5 files changed, 48 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +index 7ea2631b80692..00794086cc7c9 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +@@ -123,7 +123,7 @@ static s32 brcmf_btcoex_params_read(struct brcmf_if *ifp, u32 addr, u32 *data) + { + *data = addr; + +- return brcmf_fil_iovar_int_get(ifp, "btc_params", data); ++ return brcmf_fil_iovar_int_query(ifp, "btc_params", data); + } + + /** +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index fb91ebe5553e1..c708ae91c3ce9 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -663,8 +663,8 @@ static int brcmf_cfg80211_request_sta_if(struct brcmf_if *ifp, u8 *macaddr) + /* interface_create version 3+ */ + /* get supported version from firmware side */ + iface_create_ver = 0; +- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create", +- &iface_create_ver); ++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create", ++ &iface_create_ver); + if (err) { + brcmf_err("fail to get supported version, err=%d\n", err); + return -EOPNOTSUPP; +@@ -756,8 +756,8 @@ static int brcmf_cfg80211_request_ap_if(struct brcmf_if *ifp) + /* interface_create version 3+ */ + /* get supported version from firmware side */ + iface_create_ver = 0; +- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create", +- &iface_create_ver); ++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create", ++ &iface_create_ver); + if (err) { + brcmf_err("fail to get supported version, err=%d\n", err); + return -EOPNOTSUPP; +@@ -2101,7 +2101,8 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme) + if (!sme->crypto.n_akm_suites) + return 0; + +- err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev), "wpa_auth", &val); ++ err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev), ++ "wpa_auth", &val); + if (err) { + bphy_err(drvr, "could not get wpa_auth (%d)\n", err); + return err; +@@ -2680,7 +2681,7 @@ brcmf_cfg80211_get_tx_power(struct wiphy *wiphy, struct wireless_dev *wdev, + struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy); + struct brcmf_cfg80211_vif *vif = wdev_to_vif(wdev); + struct brcmf_pub *drvr = cfg->pub; +- s32 qdbm = 0; ++ s32 qdbm; + s32 err; + + brcmf_dbg(TRACE, "Enter\n"); +@@ -3067,7 +3068,7 @@ brcmf_cfg80211_get_station_ibss(struct brcmf_if *ifp, + struct brcmf_scb_val_le scbval; + struct brcmf_pktcnt_le pktcnt; + s32 err; +- u32 rate = 0; ++ u32 rate; + u32 rssi; + + /* Get the current tx rate */ +@@ -7046,8 +7047,8 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg, + ch.bw = BRCMU_CHAN_BW_20; + cfg->d11inf.encchspec(&ch); + chaninfo = ch.chspec; +- err = brcmf_fil_bsscfg_int_get(ifp, "per_chan_info", +- &chaninfo); ++ err = brcmf_fil_bsscfg_int_query(ifp, "per_chan_info", ++ &chaninfo); + if (!err) { + if (chaninfo & WL_CHAN_RADAR) + channel->flags |= +@@ -7081,7 +7082,7 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg) + + /* verify support for bw_cap command */ + val = WLC_BAND_5G; +- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &val); ++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &val); + + if (!err) { + /* only set 2G bandwidth using bw_cap command */ +@@ -7157,11 +7158,11 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[]) + int err; + + band = WLC_BAND_2G; +- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band); ++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band); + if (!err) { + bw_cap[NL80211_BAND_2GHZ] = band; + band = WLC_BAND_5G; +- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band); ++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band); + if (!err) { + bw_cap[NL80211_BAND_5GHZ] = band; + return; +@@ -7170,7 +7171,6 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[]) + return; + } + brcmf_dbg(INFO, "fallback to mimo_bw_cap info\n"); +- mimo_bwcap = 0; + err = brcmf_fil_iovar_int_get(ifp, "mimo_bw_cap", &mimo_bwcap); + if (err) + /* assume 20MHz if firmware does not give a clue */ +@@ -7266,10 +7266,10 @@ static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg) + struct brcmf_pub *drvr = cfg->pub; + struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0); + struct wiphy *wiphy = cfg_to_wiphy(cfg); +- u32 nmode = 0; ++ u32 nmode; + u32 vhtmode = 0; + u32 bw_cap[2] = { WLC_BW_20MHZ_BIT, WLC_BW_20MHZ_BIT }; +- u32 rxchain = 0; ++ u32 rxchain; + u32 nchain; + int err; + s32 i; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index a92f78026cfda..f599d5f896e89 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -691,7 +691,7 @@ static int brcmf_net_mon_open(struct net_device *ndev) + { + struct brcmf_if *ifp = netdev_priv(ndev); + struct brcmf_pub *drvr = ifp->drvr; +- u32 monitor = 0; ++ u32 monitor; + int err; + + brcmf_dbg(TRACE, "Enter\n"); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +index 7fef93ede0fb3..909a34a1ab503 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +@@ -184,7 +184,7 @@ static void brcmf_feat_wlc_version_overrides(struct brcmf_pub *drv) + static void brcmf_feat_iovar_int_get(struct brcmf_if *ifp, + enum brcmf_feat_id id, char *name) + { +- u32 data = 0; ++ u32 data; + int err; + + /* we need to know firmware error */ +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h +index a315a7fac6a06..31e080e4da669 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h +@@ -96,15 +96,22 @@ static inline + s32 brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data) + { + s32 err; +- __le32 data_le = cpu_to_le32(*data); + +- err = brcmf_fil_cmd_data_get(ifp, cmd, &data_le, sizeof(data_le)); ++ err = brcmf_fil_cmd_data_get(ifp, cmd, data, sizeof(*data)); + if (err == 0) +- *data = le32_to_cpu(data_le); ++ *data = le32_to_cpu(*(__le32 *)data); + brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data); + + return err; + } ++static inline ++s32 brcmf_fil_cmd_int_query(struct brcmf_if *ifp, u32 cmd, u32 *data) ++{ ++ __le32 *data_le = (__le32 *)data; ++ ++ *data_le = cpu_to_le32(*data); ++ return brcmf_fil_cmd_int_get(ifp, cmd, data); ++} + + s32 brcmf_fil_iovar_data_set(struct brcmf_if *ifp, const char *name, + const void *data, u32 len); +@@ -120,14 +127,21 @@ s32 brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data) + static inline + s32 brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data) + { +- __le32 data_le = cpu_to_le32(*data); + s32 err; + +- err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le)); ++ err = brcmf_fil_iovar_data_get(ifp, name, data, sizeof(*data)); + if (err == 0) +- *data = le32_to_cpu(data_le); ++ *data = le32_to_cpu(*(__le32 *)data); + return err; + } ++static inline ++s32 brcmf_fil_iovar_int_query(struct brcmf_if *ifp, const char *name, u32 *data) ++{ ++ __le32 *data_le = (__le32 *)data; ++ ++ *data_le = cpu_to_le32(*data); ++ return brcmf_fil_iovar_int_get(ifp, name, data); ++} + + + s32 brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name, +@@ -145,15 +159,21 @@ s32 brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data) + static inline + s32 brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data) + { +- __le32 data_le = cpu_to_le32(*data); + s32 err; + +- err = brcmf_fil_bsscfg_data_get(ifp, name, &data_le, +- sizeof(data_le)); ++ err = brcmf_fil_bsscfg_data_get(ifp, name, data, sizeof(*data)); + if (err == 0) +- *data = le32_to_cpu(data_le); ++ *data = le32_to_cpu(*(__le32 *)data); + return err; + } ++static inline ++s32 brcmf_fil_bsscfg_int_query(struct brcmf_if *ifp, const char *name, u32 *data) ++{ ++ __le32 *data_le = (__le32 *)data; ++ ++ *data_le = cpu_to_le32(*data); ++ return brcmf_fil_bsscfg_int_get(ifp, name, data); ++} + + s32 brcmf_fil_xtlv_data_set(struct brcmf_if *ifp, const char *name, u16 id, + void *data, u32 len); +-- +2.43.0 + diff --git a/queue-6.6/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch b/queue-6.6/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch new file mode 100644 index 00000000000..cc8bb4cf51d --- /dev/null +++ b/queue-6.6/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch @@ -0,0 +1,57 @@ +From 96e25fd1655752544cf59ef21251695c060632a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 12:08:06 +0300 +Subject: wifi: cfg80211: fix two more possible UBSAN-detected off-by-one + errors + +From: Dmitry Antipov + +[ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ] + +Although not reproduced in practice, these two cases may be +considered by UBSAN as off-by-one errors. So fix them in the +same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN +noise in cfg80211_wext_siwscan()"). + +Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans") +Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 3 ++- + net/wireless/sme.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 2b2dc46dc701f..4ce23762b1c95 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -9679,7 +9679,8 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, + return ERR_PTR(-ENOMEM); + + if (n_ssids) +- request->ssids = (void *)&request->channels[n_channels]; ++ request->ssids = (void *)request + ++ struct_size(request, channels, n_channels); + request->n_ssids = n_ssids; + if (ie_len) { + if (n_ssids) +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 72d78dbc55ffd..591cda99d72f5 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -115,7 +115,8 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev) + n_channels = i; + } + request->n_channels = n_channels; +- request->ssids = (void *)&request->channels[n_channels]; ++ request->ssids = (void *)request + ++ struct_size(request, channels, n_channels); + request->n_ssids = 1; + + memcpy(request->ssids[0].ssid, wdev->conn->params.ssid, +-- +2.43.0 + diff --git a/queue-6.6/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch b/queue-6.6/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch new file mode 100644 index 00000000000..3795fd22fe0 --- /dev/null +++ b/queue-6.6/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch @@ -0,0 +1,69 @@ +From 055e958b7e7af8f875a60decc25f79a403403eeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 18:04:00 +0300 +Subject: wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() + +From: Dmitry Antipov + +[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ] + +Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 +and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the +following: + +[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25 +[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]' +<...skipped...> +[ T4985] Call Trace: +[ T4985] +[ T4985] dump_stack_lvl+0x1c2/0x2a0 +[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10 +[ T4985] ? __pfx__printk+0x10/0x10 +[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150 +[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260 +<...the rest is not too useful...> + +Even if we do 'creq->n_channels = n_channels' before 'creq->ssids = +(void *)&creq->channels[n_channels]', UBSAN treats the latter as +off-by-one error. Fix this by using pointer arithmetic rather than +an expression with explicit array indexing and use convenient +'struct_size()' to simplify the math here and in 'kzalloc()' above. + +Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") +Signed-off-by: Dmitry Antipov +Reviewed-by: Kees Cook +Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru +[fix coding style for multi-line calculation] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 4d88e797ae49f..4fc6279750ea1 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -3209,8 +3209,8 @@ int cfg80211_wext_siwscan(struct net_device *dev, + n_channels = ieee80211_get_num_supported_channels(wiphy); + } + +- creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + +- n_channels * sizeof(void *), ++ creq = kzalloc(struct_size(creq, channels, n_channels) + ++ sizeof(struct cfg80211_ssid), + GFP_ATOMIC); + if (!creq) + return -ENOMEM; +@@ -3218,7 +3218,7 @@ int cfg80211_wext_siwscan(struct net_device *dev, + creq->wiphy = wiphy; + creq->wdev = dev->ieee80211_ptr; + /* SSIDs come after channels */ +- creq->ssids = (void *)&creq->channels[n_channels]; ++ creq->ssids = (void *)creq + struct_size(creq, channels, n_channels); + creq->n_channels = n_channels; + creq->n_ssids = 1; + creq->scan_start = jiffies; +-- +2.43.0 + diff --git a/queue-6.6/wifi-iwlwifi-config-label-gl-devices-as-discrete.patch b/queue-6.6/wifi-iwlwifi-config-label-gl-devices-as-discrete.patch new file mode 100644 index 00000000000..c4a6445bfa7 --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-config-label-gl-devices-as-discrete.patch @@ -0,0 +1,79 @@ +From e5e6d48b512fc21b9f3b2845762c47082c1d9582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 20:20:07 +0300 +Subject: wifi: iwlwifi: config: label 'gl' devices as discrete + +From: Johannes Berg + +[ Upstream commit 8131dd52810dfcdb49fcdc78f5e18e1538b6c441 ] + +The 'gl' devices are in the bz family, but they're not, +integrated, so should have their own trans config struct. +Fix that, also necessitating the removal of LTR config, +and while at it remove 0x2727 and 0x272D IDs that were +only used for test chips. + +Fixes: c30a2a64788b ("wifi: iwlwifi: add a new PCI device ID for BZ device")ticket=none +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20240729201718.95aed0620080.Ib9129512c95aa57acc9876bdff8b99dd41e1562c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 11 +++++++++++ + drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 + + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 +--- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c +index cc71b513adf98..cebd3c91756fe 100644 +--- a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c +@@ -152,6 +152,17 @@ const struct iwl_cfg_trans_params iwl_bz_trans_cfg = { + .ltr_delay = IWL_CFG_TRANS_LTR_DELAY_2500US, + }; + ++const struct iwl_cfg_trans_params iwl_gl_trans_cfg = { ++ .device_family = IWL_DEVICE_FAMILY_BZ, ++ .base_params = &iwl_bz_base_params, ++ .mq_rx_supported = true, ++ .rf_id = true, ++ .gen2 = true, ++ .umac_prph_offset = 0x300000, ++ .xtal_latency = 12000, ++ .low_latency_xtal = true, ++}; ++ + const char iwl_bz_name[] = "Intel(R) TBD Bz device"; + + const struct iwl_cfg iwl_cfg_bz = { +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +index f45f645ca6485..dd3913617bb0b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +@@ -493,6 +493,7 @@ extern const struct iwl_cfg_trans_params iwl_so_long_latency_trans_cfg; + extern const struct iwl_cfg_trans_params iwl_so_long_latency_imr_trans_cfg; + extern const struct iwl_cfg_trans_params iwl_ma_trans_cfg; + extern const struct iwl_cfg_trans_params iwl_bz_trans_cfg; ++extern const struct iwl_cfg_trans_params iwl_gl_trans_cfg; + extern const struct iwl_cfg_trans_params iwl_sc_trans_cfg; + extern const char iwl9162_name[]; + extern const char iwl9260_name[]; +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 365e19314f2ca..4a2de79f2e864 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -501,9 +501,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x7E40, PCI_ANY_ID, iwl_ma_trans_cfg)}, + + /* Bz devices */ +- {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)}, +- {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)}, +- {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_gl_trans_cfg)}, + {IWL_PCI_DEVICE(0xA840, 0x0000, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0xA840, 0x0090, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0xA840, 0x0094, iwl_bz_trans_cfg)}, +-- +2.43.0 + diff --git a/queue-6.6/wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch b/queue-6.6/wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch new file mode 100644 index 00000000000..b75812e2b0e --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch @@ -0,0 +1,39 @@ +From e58b116ec0178f90f09e99bc613cef96225c05f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 20:20:12 +0300 +Subject: wifi: iwlwifi: mvm: increase the time between ranging measurements + +From: Avraham Stern + +[ Upstream commit 3a7ee94559dfd640604d0265739e86dec73b64e8 ] + +The algo running in fw may take a little longer than 5 milliseconds, +(e.g. measurement on 80MHz while associated). Increase the minimum +time between measurements to 7 milliseconds. + +Fixes: 830aa3e7d1ca ("iwlwifi: mvm: add support for range request command version 13") +Signed-off-by: Avraham Stern +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20240729201718.d3f3c26e00d9.I09e951290e8a3d73f147b88166fd9a678d1d69ed@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h +index 243eccc68cb05..f7bec6f3d7584 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h +@@ -103,7 +103,7 @@ + #define IWL_MVM_FTM_INITIATOR_SECURE_LTF false + #define IWL_MVM_FTM_RESP_NDP_SUPPORT true + #define IWL_MVM_FTM_RESP_LMR_FEEDBACK_SUPPORT true +-#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 5 ++#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 7 + #define IWL_MVM_FTM_NON_TB_MAX_TIME_BETWEEN_MSR 1000 + #define IWL_MVM_D3_DEBUG false + #define IWL_MVM_USE_TWT true +-- +2.43.0 + diff --git a/queue-6.6/wifi-iwlwifi-remove-ax101-ax201-and-ax203-support-fr.patch b/queue-6.6/wifi-iwlwifi-remove-ax101-ax201-and-ax203-support-fr.patch new file mode 100644 index 00000000000..d8d57333040 --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-remove-ax101-ax201-and-ax203-support-fr.patch @@ -0,0 +1,69 @@ +From 4d4e08e12bed6c7a49f8091680cff06460506435 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:11:23 +0300 +Subject: wifi: iwlwifi: remove AX101, AX201 and AX203 support from LNL + +From: Golan Ben Ami + +[ Upstream commit 6adae0b081454393ca5f7363fd3c7379c8e2a7a1 ] + +LNL is the codename for the upcoming Series 2 Core Ultra +processors designed by Intel. AX101, AX201 and AX203 devices +are not shiped on LNL platforms, so don't support them. + +Signed-off-by: Golan Ben Ami +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20240613171043.f24a228dfd96.I989a2d3f1513211bc49ac8143ee4e9e341e1ee67@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 8131dd52810d ("wifi: iwlwifi: config: label 'gl' devices as discrete") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 32 ++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index dea4d6478b4f4..365e19314f2ca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -504,7 +504,37 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)}, +- {IWL_PCI_DEVICE(0xA840, PCI_ANY_ID, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0000, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0090, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0094, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0098, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x009C, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00C0, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00C4, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00E0, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00E4, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00E8, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x00EC, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0100, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0110, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0114, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0118, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x011C, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0310, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0314, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0510, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x0A10, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1671, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1672, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1771, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1772, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1791, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x1792, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x4090, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x40C4, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x40E0, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x4110, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0xA840, 0x4314, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x7740, PCI_ANY_ID, iwl_bz_trans_cfg)}, + + /* Sc devices */ +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch b/queue-6.6/wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch new file mode 100644 index 00000000000..bcac59354b6 --- /dev/null +++ b/queue-6.6/wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch @@ -0,0 +1,117 @@ +From abaa68823f9281102804c6d016c117121e18ad66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 15:48:16 +0800 +Subject: wifi: mac80211: don't use rate mask for offchannel TX either + +From: Ping-Ke Shih + +[ Upstream commit e7a7ef9a0742dbd0818d5b15fba2c5313ace765b ] + +Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for +scanning"), ignore incorrect settings to avoid no supported rate warning +reported by syzbot. + +The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211: +fix default HE tx bitrate mask in 2G band"), which however corrects +bitmask of HE MCS and recognizes correctly settings of empty legacy rate +plus HE MCS rate instead of returning -EINVAL. + +As suggestions [1], follow the change of SCAN TX to consider this case of +offchannel TX as well. + +[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024 + +Reported-by: syzbot+8dd98a9e98ee28dc484a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-wireless/000000000000fdef8706191a3f7b@google.com/ +Fixes: 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band") +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20240729074816.20323-1-pkshih@realtek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 7 ++++--- + net/mac80211/offchannel.c | 1 + + net/mac80211/rate.c | 2 +- + net/mac80211/scan.c | 2 +- + net/mac80211/tx.c | 2 +- + 5 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index a39bd4169f292..47ade676565db 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -936,8 +936,9 @@ enum mac80211_tx_info_flags { + * of their QoS TID or other priority field values. + * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally + * for sequence number assignment +- * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted +- * due to scanning, not in normal operation on the interface. ++ * @IEEE80211_TX_CTRL_DONT_USE_RATE_MASK: Don't use rate mask for this frame ++ * which is transmitted due to scanning or offchannel TX, not in normal ++ * operation on the interface. + * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this + * frame should be transmitted on the specific link. This really is + * only relevant for frames that do not have data present, and is +@@ -958,7 +959,7 @@ enum mac80211_tx_control_flags { + IEEE80211_TX_CTRL_NO_SEQNO = BIT(7), + IEEE80211_TX_CTRL_DONT_REORDER = BIT(8), + IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX = BIT(9), +- IEEE80211_TX_CTRL_SCAN_TX = BIT(10), ++ IEEE80211_TX_CTRL_DONT_USE_RATE_MASK = BIT(10), + IEEE80211_TX_CTRL_MLO_LINK = 0xf0000000, + }; + +diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c +index 5bedd9cef414d..2517a5521a578 100644 +--- a/net/mac80211/offchannel.c ++++ b/net/mac80211/offchannel.c +@@ -940,6 +940,7 @@ int ieee80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, + } + + IEEE80211_SKB_CB(skb)->flags = flags; ++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK; + + skb->dev = sdata->dev; + +diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c +index 3cf252418bd38..78e7ac6c0af0b 100644 +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -890,7 +890,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif, + if (ieee80211_is_tx_data(skb)) + rate_control_apply_mask(sdata, sta, sband, dest, max_rates); + +- if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) ++ if (!(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) + mask = sdata->rc_rateidx_mask[info->band]; + + if (dest[0].idx < 0) +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index 3d68db738cde4..b58d061333c52 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -636,7 +636,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata, + cpu_to_le16(IEEE80211_SN_TO_SEQ(sn)); + } + IEEE80211_SKB_CB(skb)->flags |= tx_flags; +- IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX; ++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK; + ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band); + } + } +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 415e951e4138a..45a093d3f1fa7 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -706,7 +706,7 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx) + txrc.skb = tx->skb; + txrc.reported_rate.idx = -1; + +- if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) { ++ if (unlikely(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) { + txrc.rate_idx_mask = ~0; + } else { + txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band]; +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch b/queue-6.6/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch new file mode 100644 index 00000000000..d02ccb18ac4 --- /dev/null +++ b/queue-6.6/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch @@ -0,0 +1,103 @@ +From 4dca2fb7137588432963c524c0f80cd08ea028a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 15:31:51 +0300 +Subject: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() + +From: Dmitry Antipov + +[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ] + +Since '__dev_queue_xmit()' should be called with interrupts enabled, +the following backtrace: + +ieee80211_do_stop() + ... + spin_lock_irqsave(&local->queue_stop_reason_lock, flags) + ... + ieee80211_free_txskb() + ieee80211_report_used_skb() + ieee80211_report_ack_skb() + cfg80211_mgmt_tx_status_ext() + nl80211_frame_tx_status() + genlmsg_multicast_netns() + genlmsg_multicast_netns_filtered() + nlmsg_multicast_filtered() + netlink_broadcast_filtered() + do_one_broadcast() + netlink_broadcast_deliver() + __netlink_sendskb() + netlink_deliver_tap() + __netlink_deliver_tap_skb() + dev_queue_xmit() + __dev_queue_xmit() ; with IRQS disabled + ... + spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags) + +issues the warning (as reported by syzbot reproducer): + +WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 + +Fix this by implementing a two-phase skb reclamation in +'ieee80211_do_stop()', where actual work is performed +outside of a section with interrupts disabled. + +Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces") +Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index a7c39e895b1e5..fae701248f058 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -466,6 +466,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do + { + struct ieee80211_local *local = sdata->local; + unsigned long flags; ++ struct sk_buff_head freeq; + struct sk_buff *skb, *tmp; + u32 hw_reconf_flags = 0; + int i, flushed; +@@ -652,18 +653,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do + skb_queue_purge(&sdata->status_queue); + } + ++ /* ++ * Since ieee80211_free_txskb() may issue __dev_queue_xmit() ++ * which should be called with interrupts enabled, reclamation ++ * is done in two phases: ++ */ ++ __skb_queue_head_init(&freeq); ++ ++ /* unlink from local queues... */ + spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + for (i = 0; i < IEEE80211_MAX_QUEUES; i++) { + skb_queue_walk_safe(&local->pending[i], skb, tmp) { + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + if (info->control.vif == &sdata->vif) { + __skb_unlink(skb, &local->pending[i]); +- ieee80211_free_txskb(&local->hw, skb); ++ __skb_queue_tail(&freeq, skb); + } + } + } + spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags); + ++ /* ... and perform actual reclamation with interrupts enabled. */ ++ skb_queue_walk_safe(&freeq, skb, tmp) { ++ __skb_unlink(skb, &freeq); ++ ieee80211_free_txskb(&local->hw, skb); ++ } ++ + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) + ieee80211_txq_remove_vlan(local, sdata); + +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch b/queue-6.6/wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch new file mode 100644 index 00000000000..97327eff4d6 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch @@ -0,0 +1,44 @@ +From ad45ca44e914e7e5b18491bda9a85202c3e96913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:29:48 +0200 +Subject: wifi: mt76: mt7603: fix mixed declarations and code + +From: Felix Fietkau + +[ Upstream commit 9b8d932053b8b45d650360b36f701cf0f9b6470e ] + +Move the qid variable declaration further up + +Fixes: b473c0e47f04 ("wifi: mt76: mt7603: fix tx queue of loopback packets") +Link: https://patch.msgid.link/20240827093011.18621-1-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7603/dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c +index b3a61b0ddd03d..525444953df68 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c +@@ -29,7 +29,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) + struct ieee80211_sta *sta; + struct mt7603_sta *msta; + struct mt76_wcid *wcid; +- u8 tid = 0, hwq = 0; ++ u8 qid, tid = 0, hwq = 0; + void *priv; + int idx; + u32 val; +@@ -57,7 +57,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) + if (ieee80211_is_data_qos(hdr->frame_control)) { + tid = *ieee80211_get_qos_ctl(hdr) & + IEEE80211_QOS_CTL_TAG1D_MASK; +- u8 qid = tid_to_ac[tid]; ++ qid = tid_to_ac[tid]; + hwq = wmm_queue_map[qid]; + skb_set_queue_mapping(skb, qid); + } else if (ieee80211_is_data(hdr->frame_control)) { +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch b/queue-6.6/wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch new file mode 100644 index 00000000000..98415b4c941 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch @@ -0,0 +1,110 @@ +From c30f3f1f98c45704cd2ebff425a0512c88542cba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jul 2024 15:00:10 +0200 +Subject: wifi: mt76: mt7915: fix oops on non-dbdc mt7986 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +[ Upstream commit 862bf7cbd772c2bad570ef0c5b5556a1330656dd ] + +mt7915_band_config() sets band_idx = 1 on the main phy for mt7986 +with MT7975_ONE_ADIE or MT7976_ONE_ADIE. + +Commit 0335c034e726 ("wifi: mt76: fix race condition related to +checking tx queue fill status") introduced a dereference of the +phys array indirectly indexed by band_idx via wcid->phy_idx in +mt76_wcid_cleanup(). This caused the following Oops on affected +mt7986 devices: + + Unable to handle kernel read from unreadable memory at virtual address 0000000000000024 + Mem abort info: + ESR = 0x0000000096000005 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x05: level 1 translation fault + Data abort info: + ISV = 0, ISS = 0x00000005 + CM = 0, WnR = 0 + user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000 + [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 + Internal error: Oops: 0000000096000005 [#1] SMP + Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ... + CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0 + Hardware name: ZyXEL EX5700 (Telenor) (DT) + pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : mt76_wcid_cleanup+0x84/0x22c [mt76] + lr : mt76_wcid_cleanup+0x64/0x22c [mt76] + sp : ffffffc00a803700 + x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00 + x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001 + x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8 + x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000 + x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0 + x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000 + x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28 + x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000 + x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001 + x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024 + Call trace: + mt76_wcid_cleanup+0x84/0x22c [mt76] + __mt76_sta_remove+0x70/0xbc [mt76] + mt76_sta_state+0x8c/0x1a4 [mt76] + mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e] + drv_sta_state+0x144/0x274 [mac80211] + sta_info_move_state+0x1cc/0x2a4 [mac80211] + sta_set_sinfo+0xaf8/0xc24 [mac80211] + sta_info_destroy_addr_bss+0x4c/0x6c [mac80211] + + ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211] + cfg80211_check_station_change+0x1360/0x4710 [cfg80211] + genl_family_rcv_msg_doit+0xb4/0x110 + genl_rcv_msg+0xd0/0x1bc + netlink_rcv_skb+0x58/0x120 + genl_rcv+0x34/0x50 + netlink_unicast+0x1f0/0x2ec + netlink_sendmsg+0x198/0x3d0 + ____sys_sendmsg+0x1b0/0x210 + ___sys_sendmsg+0x80/0xf0 + __sys_sendmsg+0x44/0xa0 + __arm64_sys_sendmsg+0x20/0x30 + invoke_syscall.constprop.0+0x4c/0xe0 + do_el0_svc+0x40/0xd0 + el0_svc+0x14/0x4c + el0t_64_sync_handler+0x100/0x110 + el0t_64_sync+0x15c/0x160 + Code: d2800002 910092c0 52800023 f9800011 (885f7c01) + ---[ end trace 7e42dd9a39ed2281 ]--- + +Fix by using mt76_dev_phy() which will map band_idx to the correct phy +for all hardware combinations. + +Fixes: 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status") +Link: https://github.com/openwrt/openwrt/issues/14548 +Signed-off-by: Bjørn Mork +Link: https://patch.msgid.link/20240713130010.516037-1-bjorn@mork.no +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 85bffcf4f6fbf..bf4541e76ba22 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -1503,7 +1503,7 @@ EXPORT_SYMBOL_GPL(mt76_wcid_init); + + void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid) + { +- struct mt76_phy *phy = dev->phys[wcid->phy_idx]; ++ struct mt76_phy *phy = mt76_dev_phy(dev, wcid->phy_idx); + struct ieee80211_hw *hw; + struct sk_buff_head list; + struct sk_buff *skb; +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch b/queue-6.6/wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch new file mode 100644 index 00000000000..d96c34d7110 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch @@ -0,0 +1,38 @@ +From 2839b7241dcd84f6aee3339efcb3748adf92f40a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:30:08 +0200 +Subject: wifi: mt76: mt7915: fix rx filter setting for bfee functionality + +From: Howard Hsu + +[ Upstream commit 6ac80fce713e875a316a58975b830720a3e27721 ] + +Fix rx filter setting to prevent dropping NDPA frames. Without this +change, bfee functionality may behave abnormally. + +Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") +Signed-off-by: Howard Hsu +Link: https://patch.msgid.link/20240827093011.18621-21-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c +index 260fe00d7dc6d..27655dcb79142 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c +@@ -557,8 +557,7 @@ static void mt7915_configure_filter(struct ieee80211_hw *hw, + + MT76_FILTER(CONTROL, MT_WF_RFCR_DROP_CTS | + MT_WF_RFCR_DROP_RTS | +- MT_WF_RFCR_DROP_CTL_RSV | +- MT_WF_RFCR_DROP_NDPA); ++ MT_WF_RFCR_DROP_CTL_RSV); + + *total_flags = flags; + mt76_wr(dev, MT_WF_RFCR(band), phy->rxfilter); +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-ensure-4-byte-alignment-for-beacon-.patch b/queue-6.6/wifi-mt76-mt7996-ensure-4-byte-alignment-for-beacon-.patch new file mode 100644 index 00000000000..07b5b284aa6 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-ensure-4-byte-alignment-for-beacon-.patch @@ -0,0 +1,82 @@ +From 5e8b05ed68c70f5f8825127dcac0711aa1ee4252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 17:09:16 +0800 +Subject: wifi: mt76: mt7996: ensure 4-byte alignment for beacon commands + +From: Benjamin Lin + +[ Upstream commit 5d197d37809b220616a0fb00856b9eeeafe1f69e ] + +If TLV includes beacon content, its length might not be 4-byte aligned. +Make sure the length is aligned before sending beacon commands to FW. + +Signed-off-by: Benjamin Lin +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Stable-dep-of: 9e461f4a2329 ("wifi: mt76: mt7996: fix uninitialized TLV data") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 14 +++++--------- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 4 ++-- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index 325bbe3415c25..6d9a92cafe484 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -520,13 +520,10 @@ void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb) + static struct tlv * + mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len) + { +- struct tlv *ptlv, tlv = { +- .tag = cpu_to_le16(tag), +- .len = cpu_to_le16(len), +- }; ++ struct tlv *ptlv = skb_put(skb, len); + +- ptlv = skb_put(skb, len); +- memcpy(ptlv, &tlv, sizeof(tlv)); ++ ptlv->tag = cpu_to_le16(tag); ++ ptlv->len = cpu_to_le16(len); + + return ptlv; + } +@@ -2072,7 +2069,7 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, + info = IEEE80211_SKB_CB(skb); + info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx); + +- len = sizeof(*bcn) + MT_TXD_SIZE + skb->len; ++ len = ALIGN(sizeof(*bcn) + MT_TXD_SIZE + skb->len, 4); + tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_BCN_CONTENT, len); + bcn = (struct bss_bcn_content_tlv *)tlv; + bcn->enable = en; +@@ -2141,8 +2138,7 @@ int mt7996_mcu_beacon_inband_discov(struct mt7996_dev *dev, + info->band = band; + info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->mt76->band_idx); + +- len = sizeof(*discov) + MT_TXD_SIZE + skb->len; +- ++ len = ALIGN(sizeof(*discov) + MT_TXD_SIZE + skb->len, 4); + tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_OFFLOAD, len); + + discov = (struct bss_inband_discovery_tlv *)tlv; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h +index dc8d0a30c707c..58504b80eae8b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h +@@ -587,10 +587,10 @@ enum { + sizeof(struct sta_rec_hdr_trans) + \ + sizeof(struct tlv)) + +-#define MT7996_MAX_BEACON_SIZE 1342 ++#define MT7996_MAX_BEACON_SIZE 1338 + #define MT7996_BEACON_UPDATE_SIZE (sizeof(struct bss_req_hdr) + \ + sizeof(struct bss_bcn_content_tlv) + \ +- MT_TXD_SIZE + \ ++ 4 + MT_TXD_SIZE + \ + sizeof(struct bss_bcn_cntdwn_tlv) + \ + sizeof(struct bss_bcn_mbss_tlv)) + #define MT7996_MAX_BSS_OFFLOAD_SIZE (MT7996_MAX_BEACON_SIZE + \ +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch b/queue-6.6/wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch new file mode 100644 index 00000000000..f554058e843 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch @@ -0,0 +1,42 @@ +From 8caf226c920d22b11fdcb3d7dd5229b0582b66dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 17:46:31 +0800 +Subject: wifi: mt76: mt7996: fix EHT beamforming capability check + +From: Howard Hsu + +[ Upstream commit 9ca65757f0a5b393a7737d37f377d5daf91716af ] + +If a VIF acts as a beamformer, it should check peer's beamformee +capability, and vice versa. + +Fixes: ba01944adee9 ("wifi: mt76: mt7996: add EHT beamforming support") +Signed-off-by: Howard Hsu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20240816094635.2391-7-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index 1c3eec84892c2..325bbe3415c25 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -1188,10 +1188,10 @@ mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif, + + if (bfee) + return vif->bss_conf.eht_su_beamformee && +- EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]); ++ EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]); + else + return vif->bss_conf.eht_su_beamformer && +- EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]); ++ EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]); + } + + if (sta->deflink.he_cap.has_he) { +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch b/queue-6.6/wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch new file mode 100644 index 00000000000..408434e53d4 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch @@ -0,0 +1,152 @@ +From 1e2b611d8de294d7626c3a878aa39d7d1b256e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 17:46:29 +0800 +Subject: wifi: mt76: mt7996: fix HE and EHT beamforming capabilities + +From: Howard Hsu + +[ Upstream commit e1f4847fdbdf5d44ae60e035c131920e5ab88598 ] + +Fix HE and EHT beamforming capabilities for different bands and +interface types. + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Fixes: 348533eb968d ("wifi: mt76: mt7996: add EHT capability init") +Signed-off-by: Howard Hsu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20240816094635.2391-5-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7996/init.c | 65 ++++++++++++------- + 1 file changed, 43 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c +index 2016ed9197fe3..aee531cab46f6 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c +@@ -561,8 +561,6 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy, + return; + + elem->phy_cap_info[3] |= IEEE80211_HE_PHY_CAP3_SU_BEAMFORMER; +- if (vif == NL80211_IFTYPE_AP) +- elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER; + + c = FIELD_PREP(IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK, + sts - 1) | +@@ -570,6 +568,11 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy, + sts - 1); + elem->phy_cap_info[5] |= c; + ++ if (vif != NL80211_IFTYPE_AP) ++ return; ++ ++ elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER; ++ + c = IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMING_FB | + IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB; + elem->phy_cap_info[6] |= c; +@@ -729,7 +732,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band, + IEEE80211_EHT_MAC_CAP0_OM_CONTROL; + + eht_cap_elem->phy_cap_info[0] = +- IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ | + IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI | + IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER | + IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMEE; +@@ -743,30 +745,36 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band, + u8_encode_bits(u8_get_bits(val, GENMASK(2, 1)), + IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_80MHZ_MASK) | + u8_encode_bits(val, +- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK) | +- u8_encode_bits(val, +- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK); ++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK); + + eht_cap_elem->phy_cap_info[2] = + u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_80MHZ_MASK) | +- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK) | +- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK); ++ u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK); ++ ++ if (band == NL80211_BAND_6GHZ) { ++ eht_cap_elem->phy_cap_info[0] |= ++ IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ; ++ ++ eht_cap_elem->phy_cap_info[1] |= ++ u8_encode_bits(val, ++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK); ++ ++ eht_cap_elem->phy_cap_info[2] |= ++ u8_encode_bits(sts - 1, ++ IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK); ++ } + + eht_cap_elem->phy_cap_info[3] = + IEEE80211_EHT_PHY_CAP3_NG_16_SU_FEEDBACK | + IEEE80211_EHT_PHY_CAP3_NG_16_MU_FEEDBACK | + IEEE80211_EHT_PHY_CAP3_CODEBOOK_4_2_SU_FDBK | +- IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK | +- IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK | +- IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK | +- IEEE80211_EHT_PHY_CAP3_TRIG_CQI_FDBK; ++ IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK; + + eht_cap_elem->phy_cap_info[4] = + u8_encode_bits(min_t(int, sts - 1, 2), + IEEE80211_EHT_PHY_CAP4_MAX_NC_MASK); + + eht_cap_elem->phy_cap_info[5] = +- IEEE80211_EHT_PHY_CAP5_NON_TRIG_CQI_FEEDBACK | + u8_encode_bits(IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_16US, + IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_MASK) | + u8_encode_bits(u8_get_bits(0x11, GENMASK(1, 0)), +@@ -780,14 +788,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band, + IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK) | + u8_encode_bits(val, IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK); + +- eht_cap_elem->phy_cap_info[7] = +- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ | +- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ | +- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ | +- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ | +- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ | +- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ; +- + val = u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_RX) | + u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_TX); + #define SET_EHT_MAX_NSS(_bw, _val) do { \ +@@ -798,8 +798,29 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band, + + SET_EHT_MAX_NSS(80, val); + SET_EHT_MAX_NSS(160, val); +- SET_EHT_MAX_NSS(320, val); ++ if (band == NL80211_BAND_6GHZ) ++ SET_EHT_MAX_NSS(320, val); + #undef SET_EHT_MAX_NSS ++ ++ if (iftype != NL80211_IFTYPE_AP) ++ return; ++ ++ eht_cap_elem->phy_cap_info[3] |= ++ IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK | ++ IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK; ++ ++ eht_cap_elem->phy_cap_info[7] = ++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ | ++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ | ++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ | ++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ; ++ ++ if (band != NL80211_BAND_6GHZ) ++ return; ++ ++ eht_cap_elem->phy_cap_info[7] |= ++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ | ++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ; + } + + static void +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch b/queue-6.6/wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch new file mode 100644 index 00000000000..c43343f1a6e --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch @@ -0,0 +1,42 @@ +From 11607d8441f4e8f157e224e7b9e04fb869a3f664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 17:46:26 +0800 +Subject: wifi: mt76: mt7996: fix traffic delay when switching back to working + channel + +From: Peter Chiu + +[ Upstream commit 376200f095d0c3a7096199b336204698d7086279 ] + +During scanning, UNI_CHANNEL_RX_PATH tag is necessary for the firmware to +properly stop and resume MAC TX queue. Without this tag, HW needs more time +to resume traffic when switching back to working channel. + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Signed-off-by: Peter Chiu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20240816094635.2391-2-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +index 7fea9f0d409bf..85f6a9f4f188c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +@@ -287,6 +287,10 @@ int mt7996_set_channel(struct mt7996_phy *phy) + if (ret) + goto out; + ++ ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_RX_PATH); ++ if (ret) ++ goto out; ++ + ret = mt7996_dfs_init_radar_detector(phy); + mt7996_mac_cca_stats_reset(phy); + +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch b/queue-6.6/wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch new file mode 100644 index 00000000000..5f1effa7651 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch @@ -0,0 +1,35 @@ +From 7acd3356a29d0f85ef876e09051c46e5a507fba6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:30:10 +0200 +Subject: wifi: mt76: mt7996: fix uninitialized TLV data + +From: Felix Fietkau + +[ Upstream commit 9e461f4a2329109571f4b10f9bcad28d07e6ebb3 ] + +Use skb_put_zero instead of skb_put + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Link: https://patch.msgid.link/20240827093011.18621-23-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index 6d9a92cafe484..b50743f7e030b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -520,7 +520,7 @@ void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb) + static struct tlv * + mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len) + { +- struct tlv *ptlv = skb_put(skb, len); ++ struct tlv *ptlv = skb_put_zero(skb, len); + + ptlv->tag = cpu_to_le16(tag); + ptlv->len = cpu_to_le16(len); +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch b/queue-6.6/wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch new file mode 100644 index 00000000000..b69a56e96cc --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch @@ -0,0 +1,38 @@ +From 675d929e749b8d1881324be8c7ad943d91d881a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 17:46:27 +0800 +Subject: wifi: mt76: mt7996: fix wmm set of station interface to 3 + +From: Peter Chiu + +[ Upstream commit 9265397caacf5c0c2d10c40b2958a474664ebd9e ] + +According to connac3 HW design, the WMM index of AP and STA interface +should be 0 and 3, respectively. + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Signed-off-by: Peter Chiu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20240816094635.2391-3-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +index 85f6a9f4f188c..0e69f0a508616 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +@@ -190,7 +190,7 @@ static int mt7996_add_interface(struct ieee80211_hw *hw, + mvif->mt76.omac_idx = idx; + mvif->phy = phy; + mvif->mt76.band_idx = band_idx; +- mvif->mt76.wmm_idx = vif->type != NL80211_IFTYPE_AP; ++ mvif->mt76.wmm_idx = vif->type == NL80211_IFTYPE_AP ? 0 : 3; + + ret = mt7996_mcu_add_dev_info(phy, vif, true); + if (ret) +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch b/queue-6.6/wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch new file mode 100644 index 00000000000..4e88d6ca981 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch @@ -0,0 +1,40 @@ +From a39ffdfdb13976b17929fd02bdecd0e7777f995e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 17:46:25 +0800 +Subject: wifi: mt76: mt7996: use hweight16 to get correct tx antenna + +From: Peter Chiu + +[ Upstream commit f98c3de92bb05dac4a4969df8a4595ed380b4604 ] + +The chainmask is u16 so using hweight8 cannot get correct tx_ant. +Without this patch, the tx_ant of band 2 would be -1 and lead to the +following issue: +BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e] + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Signed-off-by: Peter Chiu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20240816094635.2391-1-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index b66f712e1b17b..1c3eec84892c2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -1412,7 +1412,7 @@ mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb, + { + struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv; + struct mt7996_phy *phy = mvif->phy; +- int tx_ant = hweight8(phy->mt76->chainmask) - 1; ++ int tx_ant = hweight16(phy->mt76->chainmask) - 1; + struct sta_rec_bf *bf; + struct tlv *tlv; + const u8 matrix[4][4] = { +-- +2.43.0 + diff --git a/queue-6.6/wifi-rtw88-always-wait-for-both-firmware-loading-att.patch b/queue-6.6/wifi-rtw88-always-wait-for-both-firmware-loading-att.patch new file mode 100644 index 00000000000..5a57538b99c --- /dev/null +++ b/queue-6.6/wifi-rtw88-always-wait-for-both-firmware-loading-att.patch @@ -0,0 +1,58 @@ +From 2d771049c0df03e9efcac3dbecfbea83b8ff7ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 14:46:57 +0300 +Subject: wifi: rtw88: always wait for both firmware loading attempts + +From: Dmitry Antipov + +[ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ] + +In 'rtw_wait_firmware_completion()', always wait for both (regular and +wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' +has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue +'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually +the wowlan one) is still in progress, causing UAF detected by KASAN. + +Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") +Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3 +Signed-off-by: Dmitry Antipov +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 63673005c2fb1..b90ea6c88b15d 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -1314,20 +1314,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev) + { + const struct rtw_chip_info *chip = rtwdev->chip; + struct rtw_fw_state *fw; ++ int ret = 0; + + fw = &rtwdev->fw; + wait_for_completion(&fw->completion); + if (!fw->firmware) +- return -EINVAL; ++ ret = -EINVAL; + + if (chip->wow_fw_name) { + fw = &rtwdev->wow_fw; + wait_for_completion(&fw->completion); + if (!fw->firmware) +- return -EINVAL; ++ ret = -EINVAL; + } + +- return 0; ++ return ret; + } + + static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev, +-- +2.43.0 + diff --git a/queue-6.6/wifi-rtw88-remove-cpt-execution-branch-never-used.patch b/queue-6.6/wifi-rtw88-remove-cpt-execution-branch-never-used.patch new file mode 100644 index 00000000000..c1ea522b8cf --- /dev/null +++ b/queue-6.6/wifi-rtw88-remove-cpt-execution-branch-never-used.patch @@ -0,0 +1,95 @@ +From c436136f3df617c39438877d6eb00a5ccd4e9c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 11:53:10 +0300 +Subject: wifi: rtw88: remove CPT execution branch never used + +From: Dmitry Kandybka + +[ Upstream commit 77c977327dfaa9ae2e154964cdb89ceb5c7b7cf1 ] + +In 'rtw_coex_action_bt_a2dp_pan', 'wl_cpt_test' and 'bt_cpt_test' are +hardcoded to false, so corresponding 'table_case' and 'tdma_case' +assignments are never met. +Also 'rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1])' is never +executed. Assuming that CPT was never fully implemented, remove +lookalike leftovers. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 76f631cb401f ("rtw88: coex: update the mechanism for A2DP + PAN") + +Signed-off-by: Dmitry Kandybka +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20240809085310.10512-1-d.kandybka@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/coex.c | 38 ++++++----------------- + 1 file changed, 10 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c +index 86467d2f8888c..d35f26919806a 100644 +--- a/drivers/net/wireless/realtek/rtw88/coex.c ++++ b/drivers/net/wireless/realtek/rtw88/coex.c +@@ -2194,7 +2194,6 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev) + struct rtw_coex_stat *coex_stat = &coex->stat; + struct rtw_efuse *efuse = &rtwdev->efuse; + u8 table_case, tdma_case; +- bool wl_cpt_test = false, bt_cpt_test = false; + + rtw_dbg(rtwdev, RTW_DBG_COEX, "[BTCoex], %s()\n", __func__); + +@@ -2202,29 +2201,16 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev) + rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]); + if (efuse->share_ant) { + /* Shared-Ant */ +- if (wl_cpt_test) { +- if (coex_stat->wl_gl_busy) { +- table_case = 20; +- tdma_case = 17; +- } else { +- table_case = 10; +- tdma_case = 15; +- } +- } else if (bt_cpt_test) { +- table_case = 26; +- tdma_case = 26; +- } else { +- if (coex_stat->wl_gl_busy && +- coex_stat->wl_noisy_level == 0) +- table_case = 14; +- else +- table_case = 10; ++ if (coex_stat->wl_gl_busy && ++ coex_stat->wl_noisy_level == 0) ++ table_case = 14; ++ else ++ table_case = 10; + +- if (coex_stat->wl_gl_busy) +- tdma_case = 15; +- else +- tdma_case = 20; +- } ++ if (coex_stat->wl_gl_busy) ++ tdma_case = 15; ++ else ++ tdma_case = 20; + } else { + /* Non-Shared-Ant */ + table_case = 112; +@@ -2235,11 +2221,7 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev) + tdma_case = 120; + } + +- if (wl_cpt_test) +- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1]); +- else +- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]); +- ++ rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]); + rtw_coex_table(rtwdev, false, table_case); + rtw_coex_tdma(rtwdev, false, tdma_case); + } +-- +2.43.0 + diff --git a/queue-6.6/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch b/queue-6.6/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch new file mode 100644 index 00000000000..3fd8f81f445 --- /dev/null +++ b/queue-6.6/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch @@ -0,0 +1,69 @@ +From 06f200f0f268da77498d68c1850af04206430080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 08:17:09 +0000 +Subject: wifi: wilc1000: fix potential RCU dereference issue in + wilc_parse_join_bss_param +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiawei Ye + +[ Upstream commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8 ] + +In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` +structure is accessed after the RCU read-side critical section is +unlocked. According to RCU usage rules, this is illegal. Reusing this +pointer can lead to unpredictable behavior, including accessing memory +that has been updated or causing use-after-free issues. + +This possible bug was identified using a static analysis tool developed +by myself, specifically designed to detect RCU-related issues. + +To address this, the TSF value is now stored in a local variable +`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is +then assigned using this local variable, ensuring that the TSF value is +safely accessed. + +Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +Signed-off-by: Jiawei Ye +Reviewed-by: Alexis Lothoré +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/tencent_466225AA599BA49627FB26F707EE17BC5407@qq.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c +index e4bb3ea6e2267..25e881ee727cd 100644 +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -381,6 +381,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + struct wilc_join_bss_param *param; + u8 rates_len = 0; + int ies_len; ++ u64 ies_tsf; + int ret; + + param = kzalloc(sizeof(*param), GFP_KERNEL); +@@ -396,6 +397,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + return NULL; + } + ies_len = ies->len; ++ ies_tsf = ies->tsf; + rcu_read_unlock(); + + param->beacon_period = cpu_to_le16(bss->beacon_interval); +@@ -451,7 +453,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + IEEE80211_P2P_ATTR_ABSENCE_NOTICE, + (u8 *)&noa_attr, sizeof(noa_attr)); + if (ret > 0) { +- param->tsf_lo = cpu_to_le32(ies->tsf); ++ param->tsf_lo = cpu_to_le32(ies_tsf); + param->noa_enabled = 1; + param->idx = noa_attr.index; + if (noa_attr.oppps_ctwindow & IEEE80211_P2P_OPPPS_ENABLE_BIT) { +-- +2.43.0 + diff --git a/queue-6.6/x86-mm-use-ipis-to-synchronize-lam-enablement.patch b/queue-6.6/x86-mm-use-ipis-to-synchronize-lam-enablement.patch new file mode 100644 index 00000000000..51f59d44ae2 --- /dev/null +++ b/queue-6.6/x86-mm-use-ipis-to-synchronize-lam-enablement.patch @@ -0,0 +1,151 @@ +From 695c6b2d5c978183416f458a05c581c028e26e35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 13:21:37 +0000 +Subject: x86/mm: Use IPIs to synchronize LAM enablement + +From: Yosry Ahmed + +[ Upstream commit 3b299b99556c1753923f8d9bbd9304bcd139282f ] + +LAM can only be enabled when a process is single-threaded. But _kernel_ +threads can temporarily use a single-threaded process's mm. + +If LAM is enabled by a userspace process while a kthread is using its +mm, the kthread will not observe LAM enablement (i.e. LAM will be +disabled in CR3). This could be fine for the kthread itself, as LAM only +affects userspace addresses. However, if the kthread context switches to +a thread in the same userspace process, CR3 may or may not be updated +because the mm_struct doesn't change (based on pending TLB flushes). If +CR3 is not updated, the userspace thread will run incorrectly with LAM +disabled, which may cause page faults when using tagged addresses. +Example scenario: + +CPU 1 CPU 2 +/* kthread */ +kthread_use_mm() + /* user thread */ + prctl_enable_tagged_addr() + /* LAM enabled on CPU 2 */ +/* LAM disabled on CPU 1 */ + context_switch() /* to CPU 1 */ +/* Switching to user thread */ +switch_mm_irqs_off() +/* CR3 not updated */ +/* LAM is still disabled on CPU 1 */ + +Synchronize LAM enablement by sending an IPI to all CPUs running with +the mm_struct to enable LAM. This makes sure LAM is enabled on CPU 1 +in the above scenario before prctl_enable_tagged_addr() returns and +userspace starts using tagged addresses, and before it's possible to +run the userspace process on CPU 1. + +In switch_mm_irqs_off(), move reading the LAM mask until after +mm_cpumask() is updated. This ensures that if an outdated LAM mask is +written to CR3, an IPI is received to update it right after IRQs are +re-enabled. + +[ dhansen: Add a LAM enabling helper and comment it ] + +Fixes: 82721d8b25d7 ("x86/mm: Handle LAM on context switch") +Suggested-by: Andy Lutomirski +Signed-off-by: Yosry Ahmed +Signed-off-by: Dave Hansen +Reviewed-by: Kirill A. Shutemov +Link: https://lore.kernel.org/all/20240702132139.3332013-2-yosryahmed%40google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process_64.c | 29 ++++++++++++++++++++++++++--- + arch/x86/mm/tlb.c | 7 +++---- + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c +index 4989095ab7696..d595ef7c1de05 100644 +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -750,6 +750,27 @@ static long prctl_map_vdso(const struct vdso_image *image, unsigned long addr) + + #define LAM_U57_BITS 6 + ++static void enable_lam_func(void *__mm) ++{ ++ struct mm_struct *mm = __mm; ++ ++ if (this_cpu_read(cpu_tlbstate.loaded_mm) == mm) { ++ write_cr3(__read_cr3() | mm->context.lam_cr3_mask); ++ set_tlbstate_lam_mode(mm); ++ } ++} ++ ++static void mm_enable_lam(struct mm_struct *mm) ++{ ++ /* ++ * Even though the process must still be single-threaded at this ++ * point, kernel threads may be using the mm. IPI those kernel ++ * threads if they exist. ++ */ ++ on_each_cpu_mask(mm_cpumask(mm), enable_lam_func, mm, true); ++ set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags); ++} ++ + static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits) + { + if (!cpu_feature_enabled(X86_FEATURE_LAM)) +@@ -766,6 +787,10 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits) + if (mmap_write_lock_killable(mm)) + return -EINTR; + ++ /* ++ * MM_CONTEXT_LOCK_LAM is set on clone. Prevent LAM from ++ * being enabled unless the process is single threaded: ++ */ + if (test_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags)) { + mmap_write_unlock(mm); + return -EBUSY; +@@ -782,9 +807,7 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits) + return -EINVAL; + } + +- write_cr3(__read_cr3() | mm->context.lam_cr3_mask); +- set_tlbstate_lam_mode(mm); +- set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags); ++ mm_enable_lam(mm); + + mmap_write_unlock(mm); + +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 453ea95b667da..2fbae48f0b470 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -497,9 +497,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, + { + struct mm_struct *real_prev = this_cpu_read(cpu_tlbstate.loaded_mm); + u16 prev_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid); +- unsigned long new_lam = mm_lam_cr3_mask(next); + bool was_lazy = this_cpu_read(cpu_tlbstate_shared.is_lazy); + unsigned cpu = smp_processor_id(); ++ unsigned long new_lam; + u64 next_tlb_gen; + bool need_flush; + u16 new_asid; +@@ -622,9 +622,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, + cpumask_clear_cpu(cpu, mm_cpumask(real_prev)); + } + +- /* +- * Start remote flushes and then read tlb_gen. +- */ ++ /* Start receiving IPIs and then read tlb_gen (and LAM below) */ + if (next != &init_mm) + cpumask_set_cpu(cpu, mm_cpumask(next)); + next_tlb_gen = atomic64_read(&next->context.tlb_gen); +@@ -636,6 +634,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, + barrier(); + } + ++ new_lam = mm_lam_cr3_mask(next); + set_tlbstate_lam_mode(next); + if (need_flush) { + this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id); +-- +2.43.0 + diff --git a/queue-6.6/x86-pci-check-pcie_find_root_port-return-for-null.patch b/queue-6.6/x86-pci-check-pcie_find_root_port-return-for-null.patch new file mode 100644 index 00000000000..6ced0ea8611 --- /dev/null +++ b/queue-6.6/x86-pci-check-pcie_find_root_port-return-for-null.patch @@ -0,0 +1,51 @@ +From 9c13ca4b3d0cbbf96cebbee6c3c492d7ce15a166 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 13:26:59 -0700 +Subject: x86/PCI: Check pcie_find_root_port() return for NULL + +From: Samasth Norway Ananda + +[ Upstream commit dbc3171194403d0d40e4bdeae666f6e76e428b53 ] + +If pcie_find_root_port() is unable to locate a Root Port, it will return +NULL. Check the pointer for NULL before dereferencing it. + +This particular case is in a quirk for devices that are always below a Root +Port, so this won't avoid a problem and doesn't need to be backported, but +check as a matter of style and to prevent copy/paste mistakes. + +Link: https://lore.kernel.org/r/20240812202659.1649121-1-samasth.norway.ananda@oracle.com +Signed-off-by: Samasth Norway Ananda +[bhelgaas: drop Fixes: and explain why there's no problem in this case] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mario Limonciello +Signed-off-by: Sasha Levin +--- + arch/x86/pci/fixup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index b33afb240601b..98a9bb92d75c8 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -980,7 +980,7 @@ static void amd_rp_pme_suspend(struct pci_dev *dev) + return; + + rp = pcie_find_root_port(dev); +- if (!rp->pm_cap) ++ if (!rp || !rp->pm_cap) + return; + + rp->pme_support &= ~((PCI_PM_CAP_PME_D3hot|PCI_PM_CAP_PME_D3cold) >> +@@ -994,7 +994,7 @@ static void amd_rp_pme_resume(struct pci_dev *dev) + u16 pmc; + + rp = pcie_find_root_port(dev); +- if (!rp->pm_cap) ++ if (!rp || !rp->pm_cap) + return; + + pci_read_config_word(rp, rp->pm_cap + PCI_PM_PMC, &pmc); +-- +2.43.0 + diff --git a/queue-6.6/x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch b/queue-6.6/x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch new file mode 100644 index 00000000000..6b27910da9b --- /dev/null +++ b/queue-6.6/x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch @@ -0,0 +1,85 @@ +From 5bb81e1fb3a71df99fa8a0858db18a1123a3b750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 16:08:54 +0800 +Subject: x86/sgx: Fix deadlock in SGX NUMA node search + +From: Aaron Lu + +[ Upstream commit 9c936844010466535bd46ea4ce4656ef17653644 ] + +When the current node doesn't have an EPC section configured by firmware +and all other EPC sections are used up, CPU can get stuck inside the +while loop that looks for an available EPC page from remote nodes +indefinitely, leading to a soft lockup. Note how nid_of_current will +never be equal to nid in that while loop because nid_of_current is not +set in sgx_numa_mask. + +Also worth mentioning is that it's perfectly fine for the firmware not +to setup an EPC section on a node. While setting up an EPC section on +each node can enhance performance, it is not a requirement for +functionality. + +Rework the loop to start and end on *a* node that has SGX memory. This +avoids the deadlock looking for the current SGX-lacking node to show up +in the loop when it never will. + +Fixes: 901ddbb9ecf5 ("x86/sgx: Add a basic NUMA allocation scheme to sgx_alloc_epc_page()") +Reported-by: "Molina Sabido, Gerardo" +Signed-off-by: Aaron Lu +Signed-off-by: Dave Hansen +Reviewed-by: Kai Huang +Reviewed-by: Jarkko Sakkinen +Acked-by: Dave Hansen +Tested-by: Zhimin Luo +Link: https://lore.kernel.org/all/20240905080855.1699814-2-aaron.lu%40intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/sgx/main.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c +index 166692f2d5011..c7f8c3200e8d7 100644 +--- a/arch/x86/kernel/cpu/sgx/main.c ++++ b/arch/x86/kernel/cpu/sgx/main.c +@@ -474,24 +474,25 @@ struct sgx_epc_page *__sgx_alloc_epc_page(void) + { + struct sgx_epc_page *page; + int nid_of_current = numa_node_id(); +- int nid = nid_of_current; ++ int nid_start, nid; + +- if (node_isset(nid_of_current, sgx_numa_mask)) { +- page = __sgx_alloc_epc_page_from_node(nid_of_current); +- if (page) +- return page; +- } +- +- /* Fall back to the non-local NUMA nodes: */ +- while (true) { +- nid = next_node_in(nid, sgx_numa_mask); +- if (nid == nid_of_current) +- break; ++ /* ++ * Try local node first. If it doesn't have an EPC section, ++ * fall back to the non-local NUMA nodes. ++ */ ++ if (node_isset(nid_of_current, sgx_numa_mask)) ++ nid_start = nid_of_current; ++ else ++ nid_start = next_node_in(nid_of_current, sgx_numa_mask); + ++ nid = nid_start; ++ do { + page = __sgx_alloc_epc_page_from_node(nid); + if (page) + return page; +- } ++ ++ nid = next_node_in(nid, sgx_numa_mask); ++ } while (nid != nid_start); + + return ERR_PTR(-ENOMEM); + } +-- +2.43.0 + diff --git a/queue-6.6/xen-add-capability-to-remap-non-ram-pages-to-differe.patch b/queue-6.6/xen-add-capability-to-remap-non-ram-pages-to-differe.patch new file mode 100644 index 00000000000..3c23cdda811 --- /dev/null +++ b/queue-6.6/xen-add-capability-to-remap-non-ram-pages-to-differe.patch @@ -0,0 +1,130 @@ +From 17a9a0b45e1571546467769c67768c76bfc69e17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 16:47:25 +0200 +Subject: xen: add capability to remap non-RAM pages to different PFNs + +From: Juergen Gross + +[ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ] + +When running as a Xen PV dom0 it can happen that the kernel is being +loaded to a guest physical address conflicting with the host memory +map. + +In order to be able to resolve this conflict, add the capability to +remap non-RAM areas to different guest PFNs. A function to use this +remapping information for other purposes than doing the remap will be +added when needed. + +As the number of conflicts should be rather low (currently only +machines with max. 1 conflict are known), save the remap data in a +small statically allocated array. + +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/p2m.c | 63 ++++++++++++++++++++++++++++++++++++++++++ + arch/x86/xen/xen-ops.h | 3 ++ + 2 files changed, 66 insertions(+) + +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c +index 4c2bf989edafc..6cb8dae768fad 100644 +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -80,6 +80,7 @@ + #include + #include + #include ++#include + + #include "multicalls.h" + #include "xen-ops.h" +@@ -794,6 +795,68 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops, + return ret; + } + ++/* Remapped non-RAM areas */ ++#define NR_NONRAM_REMAP 4 ++static struct nonram_remap { ++ phys_addr_t maddr; ++ phys_addr_t paddr; ++ size_t size; ++} xen_nonram_remap[NR_NONRAM_REMAP] __ro_after_init; ++static unsigned int nr_nonram_remap __ro_after_init; ++ ++/* ++ * Do the real remapping of non-RAM regions as specified in the ++ * xen_nonram_remap[] array. ++ * In case of an error just crash the system. ++ */ ++void __init xen_do_remap_nonram(void) ++{ ++ unsigned int i; ++ unsigned int remapped = 0; ++ const struct nonram_remap *remap = xen_nonram_remap; ++ unsigned long pfn, mfn, end_pfn; ++ ++ for (i = 0; i < nr_nonram_remap; i++) { ++ end_pfn = PFN_UP(remap->paddr + remap->size); ++ pfn = PFN_DOWN(remap->paddr); ++ mfn = PFN_DOWN(remap->maddr); ++ while (pfn < end_pfn) { ++ if (!set_phys_to_machine(pfn, mfn)) ++ panic("Failed to set p2m mapping for pfn=%lx mfn=%lx\n", ++ pfn, mfn); ++ ++ pfn++; ++ mfn++; ++ remapped++; ++ } ++ ++ remap++; ++ } ++ ++ pr_info("Remapped %u non-RAM page(s)\n", remapped); ++} ++ ++/* ++ * Add a new non-RAM remap entry. ++ * In case of no free entry found, just crash the system. ++ */ ++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr, ++ unsigned long size) ++{ ++ BUG_ON((maddr & ~PAGE_MASK) != (paddr & ~PAGE_MASK)); ++ ++ if (nr_nonram_remap == NR_NONRAM_REMAP) { ++ xen_raw_console_write("Number of required E820 entry remapping actions exceed maximum value\n"); ++ BUG(); ++ } ++ ++ xen_nonram_remap[nr_nonram_remap].maddr = maddr; ++ xen_nonram_remap[nr_nonram_remap].paddr = paddr; ++ xen_nonram_remap[nr_nonram_remap].size = size; ++ ++ nr_nonram_remap++; ++} ++ + #ifdef CONFIG_XEN_DEBUG_FS + #include + #include "debugfs.h" +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index f46a1dd3624da..a6a21dd055270 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -43,6 +43,9 @@ void xen_mm_unpin_all(void); + #ifdef CONFIG_X86_64 + void __init xen_relocate_p2m(void); + #endif ++void __init xen_do_remap_nonram(void); ++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr, ++ unsigned long size); + + void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, + const char *component); +-- +2.43.0 + diff --git a/queue-6.6/xen-introduce-generic-helper-checking-for-memory-map.patch b/queue-6.6/xen-introduce-generic-helper-checking-for-memory-map.patch new file mode 100644 index 00000000000..bfb36863655 --- /dev/null +++ b/queue-6.6/xen-introduce-generic-helper-checking-for-memory-map.patch @@ -0,0 +1,138 @@ +From 20049b6f5171d485459e87f053dc96113e10f306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 14:11:06 +0200 +Subject: xen: introduce generic helper checking for memory map conflicts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ] + +When booting as a Xen PV dom0 the memory layout of the dom0 is +modified to match that of the host, as this requires less changes in +the kernel for supporting Xen. + +There are some cases, though, which are problematic, as it is the Xen +hypervisor selecting the kernel's load address plus some other data, +which might conflict with the host's memory map. + +These conflicts are detected at boot time and result in a boot error. +In order to support handling at least some of these conflicts in +future, introduce a generic helper function which will later gain the +ability to adapt the memory layout when possible. + +Add the missing check for the xen_start_info area. + +Note that possible p2m map and initrd memory conflicts are handled +already by copying the data to memory areas not conflicting with the +memory map. The initial stack allocated by Xen doesn't need to be +checked, as early boot code is switching to the statically allocated +initial kernel stack. Initial page tables and the kernel itself will +be handled later. + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 5 +---- + arch/x86/xen/setup.c | 34 ++++++++++++++++++++++++++++------ + arch/x86/xen/xen-ops.h | 3 ++- + 3 files changed, 31 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 9d4a9311e819b..6b201e64d8abc 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -2019,10 +2019,7 @@ void __init xen_reserve_special_pages(void) + + void __init xen_pt_check_e820(void) + { +- if (xen_is_e820_reserved(xen_pt_base, xen_pt_size)) { +- xen_raw_console_write("Xen hypervisor allocated page table memory conflicts with E820 map\n"); +- BUG(); +- } ++ xen_chk_is_e820_usable(xen_pt_base, xen_pt_size, "page table"); + } + + static unsigned char dummy_mapping[PAGE_SIZE] __page_aligned_bss; +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index d2073df5c5624..84cbc7ec55811 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -568,7 +568,7 @@ static void __init xen_ignore_unusable(void) + } + } + +-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size) ++static bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size) + { + struct e820_entry *entry; + unsigned mapcnt; +@@ -625,6 +625,23 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size) + return 0; + } + ++/* ++ * Check for an area in physical memory to be usable for non-movable purposes. ++ * An area is considered to usable if the used E820 map lists it to be RAM. ++ * In case the area is not usable, crash the system with an error message. ++ */ ++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, ++ const char *component) ++{ ++ if (!xen_is_e820_reserved(start, size)) ++ return; ++ ++ xen_raw_console_write("Xen hypervisor allocated "); ++ xen_raw_console_write(component); ++ xen_raw_console_write(" memory conflicts with E820 map\n"); ++ BUG(); ++} ++ + /* + * Like memcpy, but with physical addresses for dest and src. + */ +@@ -825,11 +842,16 @@ char * __init xen_memory_setup(void) + * Failing now is better than running into weird problems later due + * to relocating (and even reusing) pages with kernel text or data. + */ +- if (xen_is_e820_reserved(__pa_symbol(_text), +- __pa_symbol(_end) - __pa_symbol(_text))) { +- xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n"); +- BUG(); +- } ++ xen_chk_is_e820_usable(__pa_symbol(_text), ++ __pa_symbol(_end) - __pa_symbol(_text), ++ "kernel"); ++ ++ /* ++ * Check for a conflict of the xen_start_info memory with the target ++ * E820 map. ++ */ ++ xen_chk_is_e820_usable(__pa(xen_start_info), sizeof(*xen_start_info), ++ "xen_start_info"); + + /* + * Check for a conflict of the hypervisor supplied page tables with +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 79cf93f2c92f1..f46a1dd3624da 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -44,7 +44,8 @@ void xen_mm_unpin_all(void); + void __init xen_relocate_p2m(void); + #endif + +-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size); ++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, ++ const char *component); + unsigned long __ref xen_chk_extra_mem(unsigned long pfn); + void __init xen_inv_extra_mem(void); + void __init xen_remap_memory(void); +-- +2.43.0 + diff --git a/queue-6.6/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch b/queue-6.6/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch new file mode 100644 index 00000000000..5668e17880d --- /dev/null +++ b/queue-6.6/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch @@ -0,0 +1,195 @@ +From 4e3eaca45950e6c5525e564f29b1395d5fa5ac82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:24:41 +0200 +Subject: xen: move max_pfn in xen_memory_setup() out of function scope +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ] + +Instead of having max_pfn as a local variable of xen_memory_setup(), +make it a static variable in setup.c instead. This avoids having to +pass it to subfunctions, which will be needed in more cases in future. + +Rename it to ini_nr_pages, as the value denotes the currently usable +number of memory pages as passed from the hypervisor at boot time. + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 52 ++++++++++++++++++++++---------------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 84cbc7ec55811..112b071bac9d4 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -47,6 +47,9 @@ bool xen_pv_pci_possible; + /* E820 map used during setting up memory. */ + static struct e820_table xen_e820_table __initdata; + ++/* Number of initially usable memory pages. */ ++static unsigned long ini_nr_pages __initdata; ++ + /* + * Buffer used to remap identity mapped pages. We only need the virtual space. + * The physical page behind this address is remapped as needed to different +@@ -213,7 +216,7 @@ static int __init xen_free_mfn(unsigned long mfn) + * as a fallback if the remapping fails. + */ + static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn, +- unsigned long end_pfn, unsigned long nr_pages) ++ unsigned long end_pfn) + { + unsigned long pfn, end; + int ret; +@@ -221,7 +224,7 @@ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn, + WARN_ON(start_pfn > end_pfn); + + /* Release pages first. */ +- end = min(end_pfn, nr_pages); ++ end = min(end_pfn, ini_nr_pages); + for (pfn = start_pfn; pfn < end; pfn++) { + unsigned long mfn = pfn_to_mfn(pfn); + +@@ -342,15 +345,14 @@ static void __init xen_do_set_identity_and_remap_chunk( + * to Xen and not remapped. + */ + static unsigned long __init xen_set_identity_and_remap_chunk( +- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages, +- unsigned long remap_pfn) ++ unsigned long start_pfn, unsigned long end_pfn, unsigned long remap_pfn) + { + unsigned long pfn; + unsigned long i = 0; + unsigned long n = end_pfn - start_pfn; + + if (remap_pfn == 0) +- remap_pfn = nr_pages; ++ remap_pfn = ini_nr_pages; + + while (i < n) { + unsigned long cur_pfn = start_pfn + i; +@@ -359,19 +361,19 @@ static unsigned long __init xen_set_identity_and_remap_chunk( + unsigned long remap_range_size; + + /* Do not remap pages beyond the current allocation */ +- if (cur_pfn >= nr_pages) { ++ if (cur_pfn >= ini_nr_pages) { + /* Identity map remaining pages */ + set_phys_range_identity(cur_pfn, cur_pfn + size); + break; + } +- if (cur_pfn + size > nr_pages) +- size = nr_pages - cur_pfn; ++ if (cur_pfn + size > ini_nr_pages) ++ size = ini_nr_pages - cur_pfn; + + remap_range_size = xen_find_pfn_range(&remap_pfn); + if (!remap_range_size) { + pr_warn("Unable to find available pfn range, not remapping identity pages\n"); + xen_set_identity_and_release_chunk(cur_pfn, +- cur_pfn + left, nr_pages); ++ cur_pfn + left); + break; + } + /* Adjust size to fit in current e820 RAM region */ +@@ -398,18 +400,18 @@ static unsigned long __init xen_set_identity_and_remap_chunk( + } + + static unsigned long __init xen_count_remap_pages( +- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages, ++ unsigned long start_pfn, unsigned long end_pfn, + unsigned long remap_pages) + { +- if (start_pfn >= nr_pages) ++ if (start_pfn >= ini_nr_pages) + return remap_pages; + +- return remap_pages + min(end_pfn, nr_pages) - start_pfn; ++ return remap_pages + min(end_pfn, ini_nr_pages) - start_pfn; + } + +-static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages, ++static unsigned long __init xen_foreach_remap_area( + unsigned long (*func)(unsigned long start_pfn, unsigned long end_pfn, +- unsigned long nr_pages, unsigned long last_val)) ++ unsigned long last_val)) + { + phys_addr_t start = 0; + unsigned long ret_val = 0; +@@ -437,8 +439,7 @@ static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages, + end_pfn = PFN_UP(entry->addr); + + if (start_pfn < end_pfn) +- ret_val = func(start_pfn, end_pfn, nr_pages, +- ret_val); ++ ret_val = func(start_pfn, end_pfn, ret_val); + start = end; + } + } +@@ -701,7 +702,7 @@ static void __init xen_reserve_xen_mfnlist(void) + **/ + char * __init xen_memory_setup(void) + { +- unsigned long max_pfn, pfn_s, n_pfns; ++ unsigned long pfn_s, n_pfns; + phys_addr_t mem_end, addr, size, chunk_size; + u32 type; + int rc; +@@ -713,9 +714,8 @@ char * __init xen_memory_setup(void) + int op; + + xen_parse_512gb(); +- max_pfn = xen_get_pages_limit(); +- max_pfn = min(max_pfn, xen_start_info->nr_pages); +- mem_end = PFN_PHYS(max_pfn); ++ ini_nr_pages = min(xen_get_pages_limit(), xen_start_info->nr_pages); ++ mem_end = PFN_PHYS(ini_nr_pages); + + memmap.nr_entries = ARRAY_SIZE(xen_e820_table.entries); + set_xen_guest_handle(memmap.buffer, xen_e820_table.entries); +@@ -768,10 +768,10 @@ char * __init xen_memory_setup(void) + max_pages = xen_get_max_pages(); + + /* How many extra pages do we need due to remapping? */ +- max_pages += xen_foreach_remap_area(max_pfn, xen_count_remap_pages); ++ max_pages += xen_foreach_remap_area(xen_count_remap_pages); + +- if (max_pages > max_pfn) +- extra_pages += max_pages - max_pfn; ++ if (max_pages > ini_nr_pages) ++ extra_pages += max_pages - ini_nr_pages; + + /* + * Clamp the amount of extra memory to a EXTRA_MEM_RATIO +@@ -780,8 +780,8 @@ char * __init xen_memory_setup(void) + * Make sure we have no memory above max_pages, as this area + * isn't handled by the p2m management. + */ +- maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)); +- extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn); ++ maxmem_pages = EXTRA_MEM_RATIO * min(ini_nr_pages, PFN_DOWN(MAXMEM)); ++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - ini_nr_pages); + i = 0; + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; +@@ -886,7 +886,7 @@ char * __init xen_memory_setup(void) + * Set identity map on non-RAM pages and prepare remapping the + * underlying RAM. + */ +- xen_foreach_remap_area(max_pfn, xen_set_identity_and_remap_chunk); ++ xen_foreach_remap_area(xen_set_identity_and_remap_chunk); + + pr_info("Released %ld page(s)\n", xen_released_pages); + +-- +2.43.0 + diff --git a/queue-6.6/xen-swiotlb-add-alignment-check-for-dma-buffers.patch b/queue-6.6/xen-swiotlb-add-alignment-check-for-dma-buffers.patch new file mode 100644 index 00000000000..7d3d9efc68f --- /dev/null +++ b/queue-6.6/xen-swiotlb-add-alignment-check-for-dma-buffers.patch @@ -0,0 +1,52 @@ +From ed84f166f90275171206d9a4eeb54b0c111e3bb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 12:05:02 +0200 +Subject: xen/swiotlb: add alignment check for dma buffers + +From: Juergen Gross + +[ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ] + +When checking a memory buffer to be consecutive in machine memory, +the alignment needs to be checked, too. Failing to do so might result +in DMA memory not being aligned according to its requested size, +leading to error messages like: + + 4xxx 0000:2b:00.0: enabling device (0140 -> 0142) + 4xxx 0000:2b:00.0: Ring address not aligned + 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto + 4xxx 0000:2b:00.0: Resetting device qat_dev0 + 4xxx: probe of 0000:2b:00.0 failed with error -14 + +Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity") +Signed-off-by: Juergen Gross +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/swiotlb-xen.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index 0e6c6c25d154f..892f87300e2cd 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -78,9 +78,15 @@ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size) + { + unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p); + unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size); ++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT); + + next_bfn = pfn_to_bfn(xen_pfn); + ++ /* If buffer is physically aligned, ensure DMA alignment. */ ++ if (IS_ALIGNED(p, algn) && ++ !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn)) ++ return 1; ++ + for (i = 1; i < nr_pages; i++) + if (pfn_to_bfn(++xen_pfn) != ++next_bfn) + return 1; +-- +2.43.0 + diff --git a/queue-6.6/xen-swiotlb-fix-allocated-size.patch b/queue-6.6/xen-swiotlb-fix-allocated-size.patch new file mode 100644 index 00000000000..e1e6bb834bc --- /dev/null +++ b/queue-6.6/xen-swiotlb-fix-allocated-size.patch @@ -0,0 +1,49 @@ +From 5a96e6331ec8933fd9edc870910b7fe281d2bdd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Sep 2024 13:06:44 +0200 +Subject: xen/swiotlb: fix allocated size + +From: Juergen Gross + +[ Upstream commit c3dea3d54f4d399f8044547f0f1abdccbdfb0fee ] + +The allocated size in xen_swiotlb_alloc_coherent() and +xen_swiotlb_free_coherent() is calculated wrong for the case of +XEN_PAGE_SIZE not matching PAGE_SIZE. Fix that. + +Fixes: 7250f422da04 ("xen-swiotlb: use actually allocated size on check physical continuous") +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/swiotlb-xen.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index 892f87300e2cd..6d0d1c8a508bf 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -146,7 +146,7 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size, + void *ret; + + /* Align the allocation to the Xen page size */ +- size = 1UL << (order + XEN_PAGE_SHIFT); ++ size = ALIGN(size, XEN_PAGE_SIZE); + + ret = (void *)__get_free_pages(flags, get_order(size)); + if (!ret) +@@ -178,7 +178,7 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr, + int order = get_order(size); + + /* Convert the size to actually allocated. */ +- size = 1UL << (order + XEN_PAGE_SHIFT); ++ size = ALIGN(size, XEN_PAGE_SIZE); + + if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) || + WARN_ON_ONCE(range_straddles_page_boundary(phys, size))) +-- +2.43.0 + diff --git a/queue-6.6/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch b/queue-6.6/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch new file mode 100644 index 00000000000..807e2a0cd33 --- /dev/null +++ b/queue-6.6/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch @@ -0,0 +1,161 @@ +From 91d87632c2c708b9c70f170d1aeb326d8def64e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 20:14:22 +0200 +Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] + +In order to minimize required special handling for running as Xen PV +dom0, the memory layout is modified to match that of the host. This +requires to have only RAM at the locations where Xen allocated memory +is living. Unfortunately there seem to be some machines, where ACPI +NVS is located at 64 MB, resulting in a conflict with the loaded +kernel or the initial page tables built by Xen. + +Avoid this conflict by swapping the ACPI NVS area in the memory map +with unused RAM. This is possible via modification of the dom0 P2M map. +Accesses to the ACPI NVS area are done either for saving and restoring +it across suspend operations (this will work the same way as before), +or by ACPI code when NVS memory is referenced from other ACPI tables. +The latter case is handled by a Xen specific indirection of +acpi_os_ioremap(). + +While the E820 map can (and should) be modified right away, the P2M +map can be updated only after memory allocation is working, as the P2M +map might need to be extended. + +Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 91 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 112b071bac9d4..989c14b1ff6c8 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -496,6 +496,8 @@ void __init xen_remap_memory(void) + set_pte_mfn(buf, mfn_save, PAGE_KERNEL); + + pr_info("Remapped %ld page(s)\n", remapped); ++ ++ xen_do_remap_nonram(); + } + + static unsigned long __init xen_get_pages_limit(void) +@@ -626,14 +628,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size) + return 0; + } + ++/* ++ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages. ++ * Note that the E820 map is modified accordingly, but the P2M map isn't yet. ++ * The adaption of the P2M must be deferred until page allocation is possible. ++ */ ++static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry) ++{ ++ struct e820_entry *entry; ++ unsigned int mapcnt; ++ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages); ++ phys_addr_t swap_addr, swap_size, entry_end; ++ ++ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr); ++ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size); ++ entry = xen_e820_table.entries; ++ ++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { ++ entry_end = entry->addr + entry->size; ++ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size && ++ entry_end - swap_size >= mem_end) { ++ /* Reduce RAM entry by needed space (whole pages). */ ++ entry->size -= swap_size; ++ ++ /* Add new entry at the end of E820 map. */ ++ entry = xen_e820_table.entries + ++ xen_e820_table.nr_entries; ++ xen_e820_table.nr_entries++; ++ ++ /* Fill new entry (keep size and page offset). */ ++ entry->type = swap_entry->type; ++ entry->addr = entry_end - swap_size + ++ swap_addr - swap_entry->addr; ++ entry->size = swap_entry->size; ++ ++ /* Convert old entry to RAM, align to pages. */ ++ swap_entry->type = E820_TYPE_RAM; ++ swap_entry->addr = swap_addr; ++ swap_entry->size = swap_size; ++ ++ /* Remember PFN<->MFN relation for P2M update. */ ++ xen_add_remap_nonram(swap_addr, entry_end - swap_size, ++ swap_size); ++ ++ /* Order E820 table and merge entries. */ ++ e820__update_table(&xen_e820_table); ++ ++ return; ++ } ++ ++ entry++; ++ } ++ ++ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n"); ++ BUG(); ++} ++ ++/* ++ * Look for non-RAM memory types in a specific guest physical area and move ++ * those away if possible (ACPI NVS only for now). ++ */ ++static void __init xen_e820_resolve_conflicts(phys_addr_t start, ++ phys_addr_t size) ++{ ++ struct e820_entry *entry; ++ unsigned int mapcnt; ++ phys_addr_t end; ++ ++ if (!size) ++ return; ++ ++ end = start + size; ++ entry = xen_e820_table.entries; ++ ++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { ++ if (entry->addr >= end) ++ return; ++ ++ if (entry->addr + entry->size > start && ++ entry->type == E820_TYPE_NVS) ++ xen_e820_swap_entry_with_ram(entry); ++ ++ entry++; ++ } ++} ++ + /* + * Check for an area in physical memory to be usable for non-movable purposes. +- * An area is considered to usable if the used E820 map lists it to be RAM. ++ * An area is considered to usable if the used E820 map lists it to be RAM or ++ * some other type which can be moved to higher PFNs while keeping the MFNs. + * In case the area is not usable, crash the system with an error message. + */ + void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, + const char *component) + { ++ xen_e820_resolve_conflicts(start, size); ++ + if (!xen_is_e820_reserved(start, size)) + return; + +-- +2.43.0 + diff --git a/queue-6.6/xen-use-correct-end-address-of-kernel-for-conflict-c.patch b/queue-6.6/xen-use-correct-end-address-of-kernel-for-conflict-c.patch new file mode 100644 index 00000000000..f058e9c6a83 --- /dev/null +++ b/queue-6.6/xen-use-correct-end-address-of-kernel-for-conflict-c.patch @@ -0,0 +1,51 @@ +From 2b5c234c365a13dadb236900d930c2111add7977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Aug 2024 08:01:22 +0200 +Subject: xen: use correct end address of kernel for conflict checking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ] + +When running as a Xen PV dom0 the kernel is loaded by the hypervisor +using a different memory map than that of the host. In order to +minimize the required changes in the kernel, the kernel adapts its +memory map to that of the host. In order to do that it is checking +for conflicts of its load address with the host memory map. + +Unfortunately the tested memory range does not include the .brk +area, which might result in crashes or memory corruption when this +area does conflict with the memory map of the host. + +Fix the test by using the _end label instead of __bss_stop. + +Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 380591028cb8f..d44d6d8b33195 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -825,7 +825,7 @@ char * __init xen_memory_setup(void) + * to relocating (and even reusing) pages with kernel text or data. + */ + if (xen_is_e820_reserved(__pa_symbol(_text), +- __pa_symbol(__bss_stop) - __pa_symbol(_text))) { ++ __pa_symbol(_end) - __pa_symbol(_text))) { + xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n"); + BUG(); + } +-- +2.43.0 + diff --git a/queue-6.6/xz-cleanup-crc32-edits-from-2018.patch b/queue-6.6/xz-cleanup-crc32-edits-from-2018.patch new file mode 100644 index 00000000000..940f1e25608 --- /dev/null +++ b/queue-6.6/xz-cleanup-crc32-edits-from-2018.patch @@ -0,0 +1,78 @@ +From 2be164477b7db934a93406275f65cf0fccb25f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jul 2024 16:36:24 +0300 +Subject: xz: cleanup CRC32 edits from 2018 + +From: Lasse Collin + +[ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ] + +In 2018, a dependency on was added to avoid +duplicating the same constant in multiple files. Two months later it was +found to be a bad idea and the definition of CRC32_POLY_LE macro was moved +into xz_private.h to avoid including . + +xz_private.h is a wrong place for it too. Revert back to the upstream +version which has the poly in xz_crc32_init() in xz_crc32.c. + +Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org +Fixes: faa16bc404d7 ("lib: Use existing define with polynomial") +Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h") +Signed-off-by: Lasse Collin +Reviewed-by: Sam James +Tested-by: Michael Ellerman (powerpc) +Cc: Krzysztof Kozlowski +Cc: Herbert Xu +Cc: Joel Stanley +Cc: Albert Ou +Cc: Catalin Marinas +Cc: Emil Renner Berthing +Cc: Greg Kroah-Hartman +Cc: Jonathan Corbet +Cc: Jubin Zhong +Cc: Jules Maselbas +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Randy Dunlap +Cc: Rui Li +Cc: Simon Glass +Cc: Thomas Gleixner +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/xz/xz_crc32.c | 2 +- + lib/xz/xz_private.h | 4 ---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/lib/xz/xz_crc32.c b/lib/xz/xz_crc32.c +index 88a2c35e1b597..5627b00fca296 100644 +--- a/lib/xz/xz_crc32.c ++++ b/lib/xz/xz_crc32.c +@@ -29,7 +29,7 @@ STATIC_RW_DATA uint32_t xz_crc32_table[256]; + + XZ_EXTERN void xz_crc32_init(void) + { +- const uint32_t poly = CRC32_POLY_LE; ++ const uint32_t poly = 0xEDB88320; + + uint32_t i; + uint32_t j; +diff --git a/lib/xz/xz_private.h b/lib/xz/xz_private.h +index bf1e94ec7873c..d9fd49b45fd75 100644 +--- a/lib/xz/xz_private.h ++++ b/lib/xz/xz_private.h +@@ -105,10 +105,6 @@ + # endif + #endif + +-#ifndef CRC32_POLY_LE +-#define CRC32_POLY_LE 0xedb88320 +-#endif +- + /* + * Allocate memory for LZMA2 decoder. xz_dec_lzma2_reset() must be used + * before calling xz_dec_lzma2_run(). +-- +2.43.0 +