From 1e7377547795cc6c9c2b900a74177e0fe2e195dc Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Dec 2023 05:04:25 -0500 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...rypt-start-allocating-with-max_order.patch | 39 +++ ...rect-chunk_ptr-to-a-pointer-to-chunk.patch | 40 ++++ ...t-program-vf-copy-regs-in-mmhub-v1.8.patch | 49 ++++ ...izing-mem_partitions-at-the-end-of-g.patch | 46 ++++ ...nding-hrtimers-away-from-outgoing-cp.patch | 155 ++++++++++++ ...fix-corrupted-memory-seen-in-the-isr.patch | 108 +++++++++ ...e-system-pm-hooks-to-the-noirq-phase.patch | 41 ++++ ...ix-memory-leak-from-range-properties.patch | 92 +++++++ ...ix-section-mismatch-message-for-rela.patch | 75 ++++++ ...fix-race-condition-between-swap-dest.patch | 105 ++++++++ ...eau-use-an-rwlock-for-the-event-lock.patch | 226 ++++++++++++++++++ ...d-fix-sshdr-use-in-sd_suspend_common.patch | 146 +++++++++++ queue-6.6/series | 17 ++ ...-increment-tx_dropped-in-tg3_tso_bug.patch | 41 ++++ ...he-rt-x_dropped-counters-to-tg3_napi.patch | 139 +++++++++++ .../vdpa-mlx5-preserve-cvq-vringh-index.patch | 66 +++++ ...6-acpi-ignore-invalid-x2apic-entries.patch | 130 ++++++++++ ...ay-index-out-of-bounds-ubsan-warning.patch | 43 ++++ 18 files changed, 1558 insertions(+) create mode 100644 queue-6.6/dm-crypt-start-allocating-with-max_order.patch create mode 100644 queue-6.6/drm-amdgpu-correct-chunk_ptr-to-a-pointer-to-chunk.patch create mode 100644 queue-6.6/drm-amdgpu-do-not-program-vf-copy-regs-in-mmhub-v1.8.patch create mode 100644 queue-6.6/drm-amdgpu-finalizing-mem_partitions-at-the-end-of-g.patch create mode 100644 queue-6.6/hrtimers-push-pending-hrtimers-away-from-outgoing-cp.patch create mode 100644 queue-6.6/i2c-designware-fix-corrupted-memory-seen-in-the-isr.patch create mode 100644 queue-6.6/i2c-ocores-move-system-pm-hooks-to-the-noirq-phase.patch create mode 100644 queue-6.6/kconfig-fix-memory-leak-from-range-properties.patch create mode 100644 queue-6.6/modpost-fix-section-mismatch-message-for-rela.patch create mode 100644 queue-6.6/netfilter-ipset-fix-race-condition-between-swap-dest.patch create mode 100644 queue-6.6/nouveau-use-an-rwlock-for-the-event-lock.patch create mode 100644 queue-6.6/scsi-sd-fix-sshdr-use-in-sd_suspend_common.patch create mode 100644 queue-6.6/series create mode 100644 queue-6.6/tg3-increment-tx_dropped-in-tg3_tso_bug.patch create mode 100644 queue-6.6/tg3-move-the-rt-x_dropped-counters-to-tg3_napi.patch create mode 100644 queue-6.6/vdpa-mlx5-preserve-cvq-vringh-index.patch create mode 100644 queue-6.6/x86-acpi-ignore-invalid-x2apic-entries.patch create mode 100644 queue-6.6/zstd-fix-array-index-out-of-bounds-ubsan-warning.patch diff --git a/queue-6.6/dm-crypt-start-allocating-with-max_order.patch b/queue-6.6/dm-crypt-start-allocating-with-max_order.patch new file mode 100644 index 00000000000..98592bfdcc2 --- /dev/null +++ b/queue-6.6/dm-crypt-start-allocating-with-max_order.patch @@ -0,0 +1,39 @@ +From 622358e7f48feee3351300a2af4163f1258fcc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 18:38:33 +0100 +Subject: dm-crypt: start allocating with MAX_ORDER + +From: Mikulas Patocka + +[ Upstream commit 13648e04a9b831b3dfa5cf3887dfa6cf8fe5fe69 ] + +Commit 23baf831a32c ("mm, treewide: redefine MAX_ORDER sanely") +changed the meaning of MAX_ORDER from exclusive to inclusive. So, we +can allocate compound pages with up to 1 << MAX_ORDER pages. + +Reflect this change in dm-crypt and start trying to allocate compound +pages with MAX_ORDER. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-crypt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index cef9353370b20..17ffbf7fbe73e 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -1679,7 +1679,7 @@ static struct bio *crypt_alloc_buffer(struct dm_crypt_io *io, unsigned int size) + unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; + gfp_t gfp_mask = GFP_NOWAIT | __GFP_HIGHMEM; + unsigned int remaining_size; +- unsigned int order = MAX_ORDER - 1; ++ unsigned int order = MAX_ORDER; + + retry: + if (unlikely(gfp_mask & __GFP_DIRECT_RECLAIM)) +-- +2.42.0 + diff --git a/queue-6.6/drm-amdgpu-correct-chunk_ptr-to-a-pointer-to-chunk.patch b/queue-6.6/drm-amdgpu-correct-chunk_ptr-to-a-pointer-to-chunk.patch new file mode 100644 index 00000000000..490e850c7da --- /dev/null +++ b/queue-6.6/drm-amdgpu-correct-chunk_ptr-to-a-pointer-to-chunk.patch @@ -0,0 +1,40 @@ +From 055b22a71e6ee999b9ec71caba0eafb0206004b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 10:32:37 +0800 +Subject: drm/amdgpu: correct chunk_ptr to a pointer to chunk. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: YuanShang + +[ Upstream commit 50d51374b498457c4dea26779d32ccfed12ddaff ] + +The variable "chunk_ptr" should be a pointer pointing +to a struct drm_amdgpu_cs_chunk instead of to a pointer +of that. + +Signed-off-by: YuanShang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +index f4fd0d5bd9b68..c0a3afe81bb1a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -207,7 +207,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p, + } + + for (i = 0; i < p->nchunks; i++) { +- struct drm_amdgpu_cs_chunk __user **chunk_ptr = NULL; ++ struct drm_amdgpu_cs_chunk __user *chunk_ptr = NULL; + struct drm_amdgpu_cs_chunk user_chunk; + uint32_t __user *cdata; + +-- +2.42.0 + diff --git a/queue-6.6/drm-amdgpu-do-not-program-vf-copy-regs-in-mmhub-v1.8.patch b/queue-6.6/drm-amdgpu-do-not-program-vf-copy-regs-in-mmhub-v1.8.patch new file mode 100644 index 00000000000..4d6bdc1879f --- /dev/null +++ b/queue-6.6/drm-amdgpu-do-not-program-vf-copy-regs-in-mmhub-v1.8.patch @@ -0,0 +1,49 @@ +From 3c20fcca5a9bde830de525693f9e84b564205458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:24:15 -0400 +Subject: drm/amdgpu: Do not program VF copy regs in mmhub v1.8 under SRIOV + (v2) + +From: Victor Lu + +[ Upstream commit 0288603040c38ccfeb5342f34a52673366d90038 ] + +MC_VM_AGP_* registers should not be programmed by guest driver. + +v2: move early return outside of loop + +Signed-off-by: Victor Lu +Reviewed-by: Samir Dhume +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c +index 784c4e0774707..3d8e579d5c4e8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c +@@ -130,6 +130,9 @@ static void mmhub_v1_8_init_system_aperture_regs(struct amdgpu_device *adev) + uint64_t value; + int i; + ++ if (amdgpu_sriov_vf(adev)) ++ return; ++ + inst_mask = adev->aid_mask; + for_each_inst(i, inst_mask) { + /* Program the AGP BAR */ +@@ -139,9 +142,6 @@ static void mmhub_v1_8_init_system_aperture_regs(struct amdgpu_device *adev) + WREG32_SOC15(MMHUB, i, regMC_VM_AGP_TOP, + adev->gmc.agp_end >> 24); + +- if (amdgpu_sriov_vf(adev)) +- return; +- + /* Program the system aperture low logical page number. */ + WREG32_SOC15(MMHUB, i, regMC_VM_SYSTEM_APERTURE_LOW_ADDR, + min(adev->gmc.fb_start, adev->gmc.agp_start) >> 18); +-- +2.42.0 + diff --git a/queue-6.6/drm-amdgpu-finalizing-mem_partitions-at-the-end-of-g.patch b/queue-6.6/drm-amdgpu-finalizing-mem_partitions-at-the-end-of-g.patch new file mode 100644 index 00000000000..08c20bd9e64 --- /dev/null +++ b/queue-6.6/drm-amdgpu-finalizing-mem_partitions-at-the-end-of-g.patch @@ -0,0 +1,46 @@ +From 9d33c2fbd00d3467de806f21dbeed9706d065370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 18:05:34 +0800 +Subject: drm/amdgpu: finalizing mem_partitions at the end of GMC v9 sw_fini + +From: Le Ma + +[ Upstream commit bdb72185d310fc8049c7ea95221d640e9e7165e5 ] + +The valid num_mem_partitions is required during ttm pool fini, +thus move the cleanup at the end of the function. + +Signed-off-by: Le Ma +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index f9a5a2c0573e4..89550d3df68d8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -2220,8 +2220,6 @@ static int gmc_v9_0_sw_fini(void *handle) + + if (adev->ip_versions[GC_HWIP][0] == IP_VERSION(9, 4, 3)) + amdgpu_gmc_sysfs_fini(adev); +- adev->gmc.num_mem_partitions = 0; +- kfree(adev->gmc.mem_partitions); + + amdgpu_gmc_ras_fini(adev); + amdgpu_gem_force_release(adev); +@@ -2235,6 +2233,9 @@ static int gmc_v9_0_sw_fini(void *handle) + amdgpu_bo_free_kernel(&adev->gmc.pdb0_bo, NULL, &adev->gmc.ptr_pdb0); + amdgpu_bo_fini(adev); + ++ adev->gmc.num_mem_partitions = 0; ++ kfree(adev->gmc.mem_partitions); ++ + return 0; + } + +-- +2.42.0 + diff --git a/queue-6.6/hrtimers-push-pending-hrtimers-away-from-outgoing-cp.patch b/queue-6.6/hrtimers-push-pending-hrtimers-away-from-outgoing-cp.patch new file mode 100644 index 00000000000..db603c30559 --- /dev/null +++ b/queue-6.6/hrtimers-push-pending-hrtimers-away-from-outgoing-cp.patch @@ -0,0 +1,155 @@ +From ce492ff6cee486f31d9b68183c1cfbec9621679a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 15:57:13 +0100 +Subject: hrtimers: Push pending hrtimers away from outgoing CPU earlier + +From: Thomas Gleixner + +[ Upstream commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 ] + +2b8272ff4a70 ("cpu/hotplug: Prevent self deadlock on CPU hot-unplug") +solved the straight forward CPU hotplug deadlock vs. the scheduler +bandwidth timer. Yu discovered a more involved variant where a task which +has a bandwidth timer started on the outgoing CPU holds a lock and then +gets throttled. If the lock required by one of the CPU hotplug callbacks +the hotplug operation deadlocks because the unthrottling timer event is not +handled on the dying CPU and can only be recovered once the control CPU +reaches the hotplug state which pulls the pending hrtimers from the dead +CPU. + +Solve this by pushing the hrtimers away from the dying CPU in the dying +callbacks. Nothing can queue a hrtimer on the dying CPU at that point because +all other CPUs spin in stop_machine() with interrupts disabled and once the +operation is finished the CPU is marked offline. + +Reported-by: Yu Liao +Signed-off-by: Thomas Gleixner +Tested-by: Liu Tie +Link: https://lore.kernel.org/r/87a5rphara.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/cpuhotplug.h | 1 + + include/linux/hrtimer.h | 4 ++-- + kernel/cpu.c | 8 +++++++- + kernel/time/hrtimer.c | 33 ++++++++++++--------------------- + 4 files changed, 22 insertions(+), 24 deletions(-) + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 28c1d3d77b70f..624d4a38c358a 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -194,6 +194,7 @@ enum cpuhp_state { + CPUHP_AP_ARM_CORESIGHT_CTI_STARTING, + CPUHP_AP_ARM64_ISNDEP_STARTING, + CPUHP_AP_SMPCFD_DYING, ++ CPUHP_AP_HRTIMERS_DYING, + CPUHP_AP_X86_TBOOT_DYING, + CPUHP_AP_ARM_CACHE_B15_RAC_DYING, + CPUHP_AP_ONLINE, +diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h +index 0ee140176f102..f2044d5a652b5 100644 +--- a/include/linux/hrtimer.h ++++ b/include/linux/hrtimer.h +@@ -531,9 +531,9 @@ extern void sysrq_timer_list_show(void); + + int hrtimers_prepare_cpu(unsigned int cpu); + #ifdef CONFIG_HOTPLUG_CPU +-int hrtimers_dead_cpu(unsigned int cpu); ++int hrtimers_cpu_dying(unsigned int cpu); + #else +-#define hrtimers_dead_cpu NULL ++#define hrtimers_cpu_dying NULL + #endif + + #endif +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 303cb0591b4b1..72e0f5380bf68 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -2109,7 +2109,7 @@ static struct cpuhp_step cpuhp_hp_states[] = { + [CPUHP_HRTIMERS_PREPARE] = { + .name = "hrtimers:prepare", + .startup.single = hrtimers_prepare_cpu, +- .teardown.single = hrtimers_dead_cpu, ++ .teardown.single = NULL, + }, + [CPUHP_SMPCFD_PREPARE] = { + .name = "smpcfd:prepare", +@@ -2201,6 +2201,12 @@ static struct cpuhp_step cpuhp_hp_states[] = { + .startup.single = NULL, + .teardown.single = smpcfd_dying_cpu, + }, ++ [CPUHP_AP_HRTIMERS_DYING] = { ++ .name = "hrtimers:dying", ++ .startup.single = NULL, ++ .teardown.single = hrtimers_cpu_dying, ++ }, ++ + /* Entry state on starting. Interrupts enabled from here on. Transient + * state for synchronsization */ + [CPUHP_AP_ONLINE] = { +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 238262e4aba7e..760793998cdd7 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -2219,29 +2219,22 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base, + } + } + +-int hrtimers_dead_cpu(unsigned int scpu) ++int hrtimers_cpu_dying(unsigned int dying_cpu) + { + struct hrtimer_cpu_base *old_base, *new_base; +- int i; ++ int i, ncpu = cpumask_first(cpu_active_mask); + +- BUG_ON(cpu_online(scpu)); +- tick_cancel_sched_timer(scpu); ++ tick_cancel_sched_timer(dying_cpu); ++ ++ old_base = this_cpu_ptr(&hrtimer_bases); ++ new_base = &per_cpu(hrtimer_bases, ncpu); + +- /* +- * this BH disable ensures that raise_softirq_irqoff() does +- * not wakeup ksoftirqd (and acquire the pi-lock) while +- * holding the cpu_base lock +- */ +- local_bh_disable(); +- local_irq_disable(); +- old_base = &per_cpu(hrtimer_bases, scpu); +- new_base = this_cpu_ptr(&hrtimer_bases); + /* + * The caller is globally serialized and nobody else + * takes two locks at once, deadlock is not possible. + */ +- raw_spin_lock(&new_base->lock); +- raw_spin_lock_nested(&old_base->lock, SINGLE_DEPTH_NESTING); ++ raw_spin_lock(&old_base->lock); ++ raw_spin_lock_nested(&new_base->lock, SINGLE_DEPTH_NESTING); + + for (i = 0; i < HRTIMER_MAX_CLOCK_BASES; i++) { + migrate_hrtimer_list(&old_base->clock_base[i], +@@ -2252,15 +2245,13 @@ int hrtimers_dead_cpu(unsigned int scpu) + * The migration might have changed the first expiring softirq + * timer on this CPU. Update it. + */ +- hrtimer_update_softirq_timer(new_base, false); ++ __hrtimer_get_next_event(new_base, HRTIMER_ACTIVE_SOFT); ++ /* Tell the other CPU to retrigger the next event */ ++ smp_call_function_single(ncpu, retrigger_next_event, NULL, 0); + +- raw_spin_unlock(&old_base->lock); + raw_spin_unlock(&new_base->lock); ++ raw_spin_unlock(&old_base->lock); + +- /* Check, if we got expired work to do */ +- __hrtimer_peek_ahead_timers(); +- local_irq_enable(); +- local_bh_enable(); + return 0; + } + +-- +2.42.0 + diff --git a/queue-6.6/i2c-designware-fix-corrupted-memory-seen-in-the-isr.patch b/queue-6.6/i2c-designware-fix-corrupted-memory-seen-in-the-isr.patch new file mode 100644 index 00000000000..bd3bcecf851 --- /dev/null +++ b/queue-6.6/i2c-designware-fix-corrupted-memory-seen-in-the-isr.patch @@ -0,0 +1,108 @@ +From 628ebb81b0f602e4ddb0db4d6069897d730afaa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 03:19:27 +0000 +Subject: i2c: designware: Fix corrupted memory seen in the ISR + +From: Jan Bottorff + +[ Upstream commit f726eaa787e9f9bc858c902d18a09af6bcbfcdaf ] + +When running on a many core ARM64 server, errors were +happening in the ISR that looked like corrupted memory. These +corruptions would fix themselves if small delays were inserted +in the ISR. Errors reported by the driver included "i2c_designware +APMC0D0F:00: i2c_dw_xfer_msg: invalid target address" and +"i2c_designware APMC0D0F:00:controller timed out" during +in-band IPMI SSIF stress tests. + +The problem was determined to be memory writes in the driver were not +becoming visible to all cores when execution rapidly shifted between +cores, like when a register write immediately triggers an ISR. +Processors with weak memory ordering, like ARM64, make no +guarantees about the order normal memory writes become globally +visible, unless barrier instructions are used to control ordering. + +To solve this, regmap accessor functions configured by this driver +were changed to use non-relaxed forms of the low-level register +access functions, which include a barrier on platforms that require +it. This assures memory writes before a controller register access are +visible to all cores. The community concluded defaulting to correct +operation outweighed defaulting to the small performance gains from +using relaxed access functions. Being a low speed device added weight to +this choice of default register access behavior. + +Signed-off-by: Jan Bottorff +Acked-by: Jarkko Nikula +Tested-by: Serge Semin +Reviewed-by: Serge Semin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-common.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c +index affcfb243f0f5..35f762872b8a5 100644 +--- a/drivers/i2c/busses/i2c-designware-common.c ++++ b/drivers/i2c/busses/i2c-designware-common.c +@@ -63,7 +63,7 @@ static int dw_reg_read(void *context, unsigned int reg, unsigned int *val) + { + struct dw_i2c_dev *dev = context; + +- *val = readl_relaxed(dev->base + reg); ++ *val = readl(dev->base + reg); + + return 0; + } +@@ -72,7 +72,7 @@ static int dw_reg_write(void *context, unsigned int reg, unsigned int val) + { + struct dw_i2c_dev *dev = context; + +- writel_relaxed(val, dev->base + reg); ++ writel(val, dev->base + reg); + + return 0; + } +@@ -81,7 +81,7 @@ static int dw_reg_read_swab(void *context, unsigned int reg, unsigned int *val) + { + struct dw_i2c_dev *dev = context; + +- *val = swab32(readl_relaxed(dev->base + reg)); ++ *val = swab32(readl(dev->base + reg)); + + return 0; + } +@@ -90,7 +90,7 @@ static int dw_reg_write_swab(void *context, unsigned int reg, unsigned int val) + { + struct dw_i2c_dev *dev = context; + +- writel_relaxed(swab32(val), dev->base + reg); ++ writel(swab32(val), dev->base + reg); + + return 0; + } +@@ -99,8 +99,8 @@ static int dw_reg_read_word(void *context, unsigned int reg, unsigned int *val) + { + struct dw_i2c_dev *dev = context; + +- *val = readw_relaxed(dev->base + reg) | +- (readw_relaxed(dev->base + reg + 2) << 16); ++ *val = readw(dev->base + reg) | ++ (readw(dev->base + reg + 2) << 16); + + return 0; + } +@@ -109,8 +109,8 @@ static int dw_reg_write_word(void *context, unsigned int reg, unsigned int val) + { + struct dw_i2c_dev *dev = context; + +- writew_relaxed(val, dev->base + reg); +- writew_relaxed(val >> 16, dev->base + reg + 2); ++ writew(val, dev->base + reg); ++ writew(val >> 16, dev->base + reg + 2); + + return 0; + } +-- +2.42.0 + diff --git a/queue-6.6/i2c-ocores-move-system-pm-hooks-to-the-noirq-phase.patch b/queue-6.6/i2c-ocores-move-system-pm-hooks-to-the-noirq-phase.patch new file mode 100644 index 00000000000..c8eac9e549c --- /dev/null +++ b/queue-6.6/i2c-ocores-move-system-pm-hooks-to-the-noirq-phase.patch @@ -0,0 +1,41 @@ +From ca551606cf849036246d140a1e2668119af47103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Nov 2023 18:32:45 -0800 +Subject: i2c: ocores: Move system PM hooks to the NOIRQ phase + +From: Samuel Holland + +[ Upstream commit 382561d16854a747e6df71034da08d20d6013dfe ] + +When an I2C device contains a wake IRQ subordinate to a regmap-irq chip, +the regmap-irq code must be able to perform I2C transactions during +suspend_device_irqs() and resume_device_irqs(). Therefore, the bus must +be suspended/resumed during the NOIRQ phase. + +Signed-off-by: Samuel Holland +Acked-by: Peter Korsgaard +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-ocores.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-ocores.c b/drivers/i2c/busses/i2c-ocores.c +index 041a76f71a49c..e106af83cef4d 100644 +--- a/drivers/i2c/busses/i2c-ocores.c ++++ b/drivers/i2c/busses/i2c-ocores.c +@@ -771,8 +771,8 @@ static int ocores_i2c_resume(struct device *dev) + return ocores_init(dev, i2c); + } + +-static DEFINE_SIMPLE_DEV_PM_OPS(ocores_i2c_pm, +- ocores_i2c_suspend, ocores_i2c_resume); ++static DEFINE_NOIRQ_DEV_PM_OPS(ocores_i2c_pm, ++ ocores_i2c_suspend, ocores_i2c_resume); + + static struct platform_driver ocores_i2c_driver = { + .probe = ocores_i2c_probe, +-- +2.42.0 + diff --git a/queue-6.6/kconfig-fix-memory-leak-from-range-properties.patch b/queue-6.6/kconfig-fix-memory-leak-from-range-properties.patch new file mode 100644 index 00000000000..0f31281ffd1 --- /dev/null +++ b/queue-6.6/kconfig-fix-memory-leak-from-range-properties.patch @@ -0,0 +1,92 @@ +From 9a1143e9c71906ef61451297c3464424a8c00b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 13:16:53 +0900 +Subject: kconfig: fix memory leak from range properties + +From: Masahiro Yamada + +[ Upstream commit ae1eff0349f2e908fc083630e8441ea6dc434dc0 ] + +Currently, sym_validate_range() duplicates the range string using +xstrdup(), which is overwritten by a subsequent sym_calc_value() call. +It results in a memory leak. + +Instead, only the pointer should be copied. + +Below is a test case, with a summary from Valgrind. + +[Test Kconfig] + + config FOO + int "foo" + range 10 20 + +[Test .config] + + CONFIG_FOO=0 + +[Before] + + LEAK SUMMARY: + definitely lost: 3 bytes in 1 blocks + indirectly lost: 0 bytes in 0 blocks + possibly lost: 0 bytes in 0 blocks + still reachable: 17,465 bytes in 21 blocks + suppressed: 0 bytes in 0 blocks + +[After] + + LEAK SUMMARY: + definitely lost: 0 bytes in 0 blocks + indirectly lost: 0 bytes in 0 blocks + possibly lost: 0 bytes in 0 blocks + still reachable: 17,462 bytes in 20 blocks + suppressed: 0 bytes in 0 blocks + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/symbol.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c +index 0572330bf8a78..a76925b46ce63 100644 +--- a/scripts/kconfig/symbol.c ++++ b/scripts/kconfig/symbol.c +@@ -122,9 +122,9 @@ static long long sym_get_range_val(struct symbol *sym, int base) + static void sym_validate_range(struct symbol *sym) + { + struct property *prop; ++ struct symbol *range_sym; + int base; + long long val, val2; +- char str[64]; + + switch (sym->type) { + case S_INT: +@@ -140,17 +140,15 @@ static void sym_validate_range(struct symbol *sym) + if (!prop) + return; + val = strtoll(sym->curr.val, NULL, base); +- val2 = sym_get_range_val(prop->expr->left.sym, base); ++ range_sym = prop->expr->left.sym; ++ val2 = sym_get_range_val(range_sym, base); + if (val >= val2) { +- val2 = sym_get_range_val(prop->expr->right.sym, base); ++ range_sym = prop->expr->right.sym; ++ val2 = sym_get_range_val(range_sym, base); + if (val <= val2) + return; + } +- if (sym->type == S_INT) +- sprintf(str, "%lld", val2); +- else +- sprintf(str, "0x%llx", val2); +- sym->curr.val = xstrdup(str); ++ sym->curr.val = range_sym->curr.val; + } + + static void sym_set_changed(struct symbol *sym) +-- +2.42.0 + diff --git a/queue-6.6/modpost-fix-section-mismatch-message-for-rela.patch b/queue-6.6/modpost-fix-section-mismatch-message-for-rela.patch new file mode 100644 index 00000000000..2ab568e2799 --- /dev/null +++ b/queue-6.6/modpost-fix-section-mismatch-message-for-rela.patch @@ -0,0 +1,75 @@ +From b1169cd7e4b056f65ef6562bd70b52752cac97cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 02:46:27 +0900 +Subject: modpost: fix section mismatch message for RELA + +From: Masahiro Yamada + +[ Upstream commit 1c4a7587d1bbee0fd53b63af60e4244a62775f57 ] + +The section mismatch check prints a bogus symbol name on some +architectures. + +[test code] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with GCC for riscv or loongarch, modpost will show an +incorrect symbol name: + + WARNING: modpost: vmlinux: section mismatch in reference: get_foo+0x8 (section: .text) -> done (section: .init.data) + +To get the correct symbol address, the st_value must be added. + +This issue has never been noticed since commit 93684d3b8062 ("kbuild: +include symbol names in section mismatch warnings") presumably because +st_value becomes zero on most architectures when the referenced symbol +is looked up. It is not true for riscv or loongarch, at least. + +With this fix, modpost will show the correct symbol name: + + WARNING: modpost: vmlinux: section mismatch in reference: get_foo+0x8 (section: .text) -> foo (section: .init.data) + +Signed-off-by: Masahiro Yamada +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index b3dee80497cb2..ac4ef3e206bbd 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1496,13 +1496,15 @@ static void section_rela(struct module *mod, struct elf_info *elf, + return; + + for (rela = start; rela < stop; rela++) { ++ Elf_Sym *tsym; + Elf_Addr taddr, r_offset; + unsigned int r_type, r_sym; + + r_offset = TO_NATIVE(rela->r_offset); + get_rel_type_and_sym(elf, rela->r_info, &r_type, &r_sym); + +- taddr = TO_NATIVE(rela->r_addend); ++ tsym = elf->symtab_start + r_sym; ++ taddr = tsym->st_value + TO_NATIVE(rela->r_addend); + + switch (elf->hdr->e_machine) { + case EM_RISCV: +@@ -1517,7 +1519,7 @@ static void section_rela(struct module *mod, struct elf_info *elf, + break; + } + +- check_section_mismatch(mod, elf, elf->symtab_start + r_sym, ++ check_section_mismatch(mod, elf, tsym, + fsecndx, fromsec, r_offset, taddr); + } + } +-- +2.42.0 + diff --git a/queue-6.6/netfilter-ipset-fix-race-condition-between-swap-dest.patch b/queue-6.6/netfilter-ipset-fix-race-condition-between-swap-dest.patch new file mode 100644 index 00000000000..c313d4fb7e0 --- /dev/null +++ b/queue-6.6/netfilter-ipset-fix-race-condition-between-swap-dest.patch @@ -0,0 +1,105 @@ +From 4613621991069362e8983e55874d7cfc65296c44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 21:13:23 +0100 +Subject: netfilter: ipset: fix race condition between swap/destroy and kernel + side add/del/test + +From: Jozsef Kadlecsik + +[ Upstream commit 28628fa952fefc7f2072ce6e8016968cc452b1ba ] + +Linkui Xiao reported that there's a race condition when ipset swap and destroy is +called, which can lead to crash in add/del/test element operations. Swap then +destroy are usual operations to replace a set with another one in a production +system. The issue can in some cases be reproduced with the script: + +ipset create hash_ip1 hash:net family inet hashsize 1024 maxelem 1048576 +ipset add hash_ip1 172.20.0.0/16 +ipset add hash_ip1 192.168.0.0/16 +iptables -A INPUT -m set --match-set hash_ip1 src -j ACCEPT +while [ 1 ] +do + # ... Ongoing traffic... + ipset create hash_ip2 hash:net family inet hashsize 1024 maxelem 1048576 + ipset add hash_ip2 172.20.0.0/16 + ipset swap hash_ip1 hash_ip2 + ipset destroy hash_ip2 + sleep 0.05 +done + +In the race case the possible order of the operations are + + CPU0 CPU1 + ip_set_test + ipset swap hash_ip1 hash_ip2 + ipset destroy hash_ip2 + hash_net_kadt + +Swap replaces hash_ip1 with hash_ip2 and then destroy removes hash_ip2 which +is the original hash_ip1. ip_set_test was called on hash_ip1 and because destroy +removed it, hash_net_kadt crashes. + +The fix is to force ip_set_swap() to wait for all readers to finish accessing the +old set pointers by calling synchronize_rcu(). + +The first version of the patch was written by Linkui Xiao . + +v2: synchronize_rcu() is moved into ip_set_swap() in order not to burden + ip_set_destroy() unnecessarily when all sets are destroyed. +v3: Florian Westphal pointed out that all netfilter hooks run with rcu_read_lock() held + and em_ipset.c wraps the entire ip_set_test() in rcu read lock/unlock pair. + So there's no need to extend the rcu read locked area in ipset itself. + +Closes: https://lore.kernel.org/all/69e7963b-e7f8-3ad0-210-7b86eebf7f78@netfilter.org/ +Reported by: Linkui Xiao +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 35d2f9c9ada02..4c133e06be1de 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -61,6 +61,8 @@ MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); + ip_set_dereference((inst)->ip_set_list)[id] + #define ip_set_ref_netlink(inst,id) \ + rcu_dereference_raw((inst)->ip_set_list)[id] ++#define ip_set_dereference_nfnl(p) \ ++ rcu_dereference_check(p, lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET)) + + /* The set types are implemented in modules and registered set types + * can be found in ip_set_type_list. Adding/deleting types is +@@ -708,15 +710,10 @@ __ip_set_put_netlink(struct ip_set *set) + static struct ip_set * + ip_set_rcu_get(struct net *net, ip_set_id_t index) + { +- struct ip_set *set; + struct ip_set_net *inst = ip_set_pernet(net); + +- rcu_read_lock(); +- /* ip_set_list itself needs to be protected */ +- set = rcu_dereference(inst->ip_set_list)[index]; +- rcu_read_unlock(); +- +- return set; ++ /* ip_set_list and the set pointer need to be protected */ ++ return ip_set_dereference_nfnl(inst->ip_set_list)[index]; + } + + static inline void +@@ -1397,6 +1394,9 @@ static int ip_set_swap(struct sk_buff *skb, const struct nfnl_info *info, + ip_set(inst, to_id) = from; + write_unlock_bh(&ip_set_ref_lock); + ++ /* Make sure all readers of the old set pointers are completed. */ ++ synchronize_rcu(); ++ + return 0; + } + +-- +2.42.0 + diff --git a/queue-6.6/nouveau-use-an-rwlock-for-the-event-lock.patch b/queue-6.6/nouveau-use-an-rwlock-for-the-event-lock.patch new file mode 100644 index 00000000000..057ec761293 --- /dev/null +++ b/queue-6.6/nouveau-use-an-rwlock-for-the-event-lock.patch @@ -0,0 +1,226 @@ +From ed1b5be74313f4cf67ac5bd924e36bdc7f83f6bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 15:32:55 +1000 +Subject: nouveau: use an rwlock for the event lock. + +From: Dave Airlie + +[ Upstream commit a2e36cd56041e277d7d81d35638fd8d9731e21f5 ] + +This allows it to break the following circular locking dependency. + +Aug 10 07:01:29 dg1test kernel: ====================================================== +Aug 10 07:01:29 dg1test kernel: WARNING: possible circular locking dependency detected +Aug 10 07:01:29 dg1test kernel: 6.4.0-rc7+ #10 Not tainted +Aug 10 07:01:29 dg1test kernel: ------------------------------------------------------ +Aug 10 07:01:29 dg1test kernel: wireplumber/2236 is trying to acquire lock: +Aug 10 07:01:29 dg1test kernel: ffff8fca5320da18 (&fctx->lock){-...}-{2:2}, at: nouveau_fence_wait_uevent_handler+0x2b/0x100 [nouveau] +Aug 10 07:01:29 dg1test kernel: + but task is already holding lock: +Aug 10 07:01:29 dg1test kernel: ffff8fca41208610 (&event->list_lock#2){-...}-{2:2}, at: nvkm_event_ntfy+0x50/0xf0 [nouveau] +Aug 10 07:01:29 dg1test kernel: + which lock already depends on the new lock. +Aug 10 07:01:29 dg1test kernel: + the existing dependency chain (in reverse order) is: +Aug 10 07:01:29 dg1test kernel: + -> #3 (&event->list_lock#2){-...}-{2:2}: +Aug 10 07:01:29 dg1test kernel: _raw_spin_lock_irqsave+0x4b/0x70 +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy+0x50/0xf0 [nouveau] +Aug 10 07:01:29 dg1test kernel: ga100_fifo_nonstall_intr+0x24/0x30 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_intr+0x12c/0x240 [nouveau] +Aug 10 07:01:29 dg1test kernel: __handle_irq_event_percpu+0x88/0x240 +Aug 10 07:01:29 dg1test kernel: handle_irq_event+0x38/0x80 +Aug 10 07:01:29 dg1test kernel: handle_edge_irq+0xa3/0x240 +Aug 10 07:01:29 dg1test kernel: __common_interrupt+0x72/0x160 +Aug 10 07:01:29 dg1test kernel: common_interrupt+0x60/0xe0 +Aug 10 07:01:29 dg1test kernel: asm_common_interrupt+0x26/0x40 +Aug 10 07:01:29 dg1test kernel: + -> #2 (&device->intr.lock){-...}-{2:2}: +Aug 10 07:01:29 dg1test kernel: _raw_spin_lock_irqsave+0x4b/0x70 +Aug 10 07:01:29 dg1test kernel: nvkm_inth_allow+0x2c/0x80 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy_state+0x181/0x250 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy_allow+0x63/0xd0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_uevent_mthd+0x4d/0x70 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_ioctl+0x10b/0x250 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvif_object_mthd+0xa8/0x1f0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvif_event_allow+0x2a/0xa0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nouveau_fence_enable_signaling+0x78/0x80 [nouveau] +Aug 10 07:01:29 dg1test kernel: __dma_fence_enable_signaling+0x5e/0x100 +Aug 10 07:01:29 dg1test kernel: dma_fence_add_callback+0x4b/0xd0 +Aug 10 07:01:29 dg1test kernel: nouveau_cli_work_queue+0xae/0x110 [nouveau] +Aug 10 07:01:29 dg1test kernel: nouveau_gem_object_close+0x1d1/0x2a0 [nouveau] +Aug 10 07:01:29 dg1test kernel: drm_gem_handle_delete+0x70/0xe0 [drm] +Aug 10 07:01:29 dg1test kernel: drm_ioctl_kernel+0xa5/0x150 [drm] +Aug 10 07:01:29 dg1test kernel: drm_ioctl+0x256/0x490 [drm] +Aug 10 07:01:29 dg1test kernel: nouveau_drm_ioctl+0x5a/0xb0 [nouveau] +Aug 10 07:01:29 dg1test kernel: __x64_sys_ioctl+0x91/0xd0 +Aug 10 07:01:29 dg1test kernel: do_syscall_64+0x3c/0x90 +Aug 10 07:01:29 dg1test kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc +Aug 10 07:01:29 dg1test kernel: + -> #1 (&event->refs_lock#4){....}-{2:2}: +Aug 10 07:01:29 dg1test kernel: _raw_spin_lock_irqsave+0x4b/0x70 +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy_state+0x37/0x250 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy_allow+0x63/0xd0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_uevent_mthd+0x4d/0x70 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_ioctl+0x10b/0x250 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvif_object_mthd+0xa8/0x1f0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvif_event_allow+0x2a/0xa0 [nouveau] +Aug 10 07:01:29 dg1test kernel: nouveau_fence_enable_signaling+0x78/0x80 [nouveau] +Aug 10 07:01:29 dg1test kernel: __dma_fence_enable_signaling+0x5e/0x100 +Aug 10 07:01:29 dg1test kernel: dma_fence_add_callback+0x4b/0xd0 +Aug 10 07:01:29 dg1test kernel: nouveau_cli_work_queue+0xae/0x110 [nouveau] +Aug 10 07:01:29 dg1test kernel: nouveau_gem_object_close+0x1d1/0x2a0 [nouveau] +Aug 10 07:01:29 dg1test kernel: drm_gem_handle_delete+0x70/0xe0 [drm] +Aug 10 07:01:29 dg1test kernel: drm_ioctl_kernel+0xa5/0x150 [drm] +Aug 10 07:01:29 dg1test kernel: drm_ioctl+0x256/0x490 [drm] +Aug 10 07:01:29 dg1test kernel: nouveau_drm_ioctl+0x5a/0xb0 [nouveau] +Aug 10 07:01:29 dg1test kernel: __x64_sys_ioctl+0x91/0xd0 +Aug 10 07:01:29 dg1test kernel: do_syscall_64+0x3c/0x90 +Aug 10 07:01:29 dg1test kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc +Aug 10 07:01:29 dg1test kernel: + -> #0 (&fctx->lock){-...}-{2:2}: +Aug 10 07:01:29 dg1test kernel: __lock_acquire+0x14e3/0x2240 +Aug 10 07:01:29 dg1test kernel: lock_acquire+0xc8/0x2a0 +Aug 10 07:01:29 dg1test kernel: _raw_spin_lock_irqsave+0x4b/0x70 +Aug 10 07:01:29 dg1test kernel: nouveau_fence_wait_uevent_handler+0x2b/0x100 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_client_event+0xf/0x20 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy+0x9b/0xf0 [nouveau] +Aug 10 07:01:29 dg1test kernel: ga100_fifo_nonstall_intr+0x24/0x30 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_intr+0x12c/0x240 [nouveau] +Aug 10 07:01:29 dg1test kernel: __handle_irq_event_percpu+0x88/0x240 +Aug 10 07:01:29 dg1test kernel: handle_irq_event+0x38/0x80 +Aug 10 07:01:29 dg1test kernel: handle_edge_irq+0xa3/0x240 +Aug 10 07:01:29 dg1test kernel: __common_interrupt+0x72/0x160 +Aug 10 07:01:29 dg1test kernel: common_interrupt+0x60/0xe0 +Aug 10 07:01:29 dg1test kernel: asm_common_interrupt+0x26/0x40 +Aug 10 07:01:29 dg1test kernel: + other info that might help us debug this: +Aug 10 07:01:29 dg1test kernel: Chain exists of: + &fctx->lock --> &device->intr.lock --> &event->list_lock#2 +Aug 10 07:01:29 dg1test kernel: Possible unsafe locking scenario: +Aug 10 07:01:29 dg1test kernel: CPU0 CPU1 +Aug 10 07:01:29 dg1test kernel: ---- ---- +Aug 10 07:01:29 dg1test kernel: lock(&event->list_lock#2); +Aug 10 07:01:29 dg1test kernel: lock(&device->intr.lock); +Aug 10 07:01:29 dg1test kernel: lock(&event->list_lock#2); +Aug 10 07:01:29 dg1test kernel: lock(&fctx->lock); +Aug 10 07:01:29 dg1test kernel: + *** DEADLOCK *** +Aug 10 07:01:29 dg1test kernel: 2 locks held by wireplumber/2236: +Aug 10 07:01:29 dg1test kernel: #0: ffff8fca53177bf8 (&device->intr.lock){-...}-{2:2}, at: nvkm_intr+0x29/0x240 [nouveau] +Aug 10 07:01:29 dg1test kernel: #1: ffff8fca41208610 (&event->list_lock#2){-...}-{2:2}, at: nvkm_event_ntfy+0x50/0xf0 [nouveau] +Aug 10 07:01:29 dg1test kernel: + stack backtrace: +Aug 10 07:01:29 dg1test kernel: CPU: 6 PID: 2236 Comm: wireplumber Not tainted 6.4.0-rc7+ #10 +Aug 10 07:01:29 dg1test kernel: Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 +Aug 10 07:01:29 dg1test kernel: Call Trace: +Aug 10 07:01:29 dg1test kernel: +Aug 10 07:01:29 dg1test kernel: dump_stack_lvl+0x5b/0x90 +Aug 10 07:01:29 dg1test kernel: check_noncircular+0xe2/0x110 +Aug 10 07:01:29 dg1test kernel: __lock_acquire+0x14e3/0x2240 +Aug 10 07:01:29 dg1test kernel: lock_acquire+0xc8/0x2a0 +Aug 10 07:01:29 dg1test kernel: ? nouveau_fence_wait_uevent_handler+0x2b/0x100 [nouveau] +Aug 10 07:01:29 dg1test kernel: ? lock_acquire+0xc8/0x2a0 +Aug 10 07:01:29 dg1test kernel: _raw_spin_lock_irqsave+0x4b/0x70 +Aug 10 07:01:29 dg1test kernel: ? nouveau_fence_wait_uevent_handler+0x2b/0x100 [nouveau] +Aug 10 07:01:29 dg1test kernel: nouveau_fence_wait_uevent_handler+0x2b/0x100 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_client_event+0xf/0x20 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_event_ntfy+0x9b/0xf0 [nouveau] +Aug 10 07:01:29 dg1test kernel: ga100_fifo_nonstall_intr+0x24/0x30 [nouveau] +Aug 10 07:01:29 dg1test kernel: nvkm_intr+0x12c/0x240 [nouveau] +Aug 10 07:01:29 dg1test kernel: __handle_irq_event_percpu+0x88/0x240 +Aug 10 07:01:29 dg1test kernel: handle_irq_event+0x38/0x80 +Aug 10 07:01:29 dg1test kernel: handle_edge_irq+0xa3/0x240 +Aug 10 07:01:29 dg1test kernel: __common_interrupt+0x72/0x160 +Aug 10 07:01:29 dg1test kernel: common_interrupt+0x60/0xe0 +Aug 10 07:01:29 dg1test kernel: asm_common_interrupt+0x26/0x40 +Aug 10 07:01:29 dg1test kernel: RIP: 0033:0x7fb66174d700 +Aug 10 07:01:29 dg1test kernel: Code: c1 e2 05 29 ca 8d 0c 10 0f be 07 84 c0 75 eb 89 c8 c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa e9 d7 0f fc ff 0f 1f 80 00 00 00 00 0f 1e fa e9 c7 0f fc> +Aug 10 07:01:29 dg1test kernel: RSP: 002b:00007ffdd3c48438 EFLAGS: 00000206 +Aug 10 07:01:29 dg1test kernel: RAX: 000055bb758763c0 RBX: 000055bb758752c0 RCX: 00000000000028b0 +Aug 10 07:01:29 dg1test kernel: RDX: 000055bb758752c0 RSI: 000055bb75887490 RDI: 000055bb75862950 +Aug 10 07:01:29 dg1test kernel: RBP: 00007ffdd3c48490 R08: 000055bb75873b10 R09: 0000000000000001 +Aug 10 07:01:29 dg1test kernel: R10: 0000000000000004 R11: 000055bb7587f000 R12: 000055bb75887490 +Aug 10 07:01:29 dg1test kernel: R13: 000055bb757f6280 R14: 000055bb758875c0 R15: 000055bb757f6280 +Aug 10 07:01:29 dg1test kernel: + +Signed-off-by: Dave Airlie +Tested-by: Danilo Krummrich +Reviewed-by: Danilo Krummrich +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20231107053255.2257079-1-airlied@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/include/nvkm/core/event.h | 4 ++-- + drivers/gpu/drm/nouveau/nvkm/core/event.c | 12 ++++++------ + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/core/event.h b/drivers/gpu/drm/nouveau/include/nvkm/core/event.h +index 82b267c111470..460459af272d6 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/core/event.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/core/event.h +@@ -14,7 +14,7 @@ struct nvkm_event { + int index_nr; + + spinlock_t refs_lock; +- spinlock_t list_lock; ++ rwlock_t list_lock; + int *refs; + + struct list_head ntfy; +@@ -38,7 +38,7 @@ nvkm_event_init(const struct nvkm_event_func *func, struct nvkm_subdev *subdev, + int types_nr, int index_nr, struct nvkm_event *event) + { + spin_lock_init(&event->refs_lock); +- spin_lock_init(&event->list_lock); ++ rwlock_init(&event->list_lock); + return __nvkm_event_init(func, subdev, types_nr, index_nr, event); + } + +diff --git a/drivers/gpu/drm/nouveau/nvkm/core/event.c b/drivers/gpu/drm/nouveau/nvkm/core/event.c +index a6c877135598f..61fed7792e415 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/core/event.c ++++ b/drivers/gpu/drm/nouveau/nvkm/core/event.c +@@ -81,17 +81,17 @@ nvkm_event_ntfy_state(struct nvkm_event_ntfy *ntfy) + static void + nvkm_event_ntfy_remove(struct nvkm_event_ntfy *ntfy) + { +- spin_lock_irq(&ntfy->event->list_lock); ++ write_lock_irq(&ntfy->event->list_lock); + list_del_init(&ntfy->head); +- spin_unlock_irq(&ntfy->event->list_lock); ++ write_unlock_irq(&ntfy->event->list_lock); + } + + static void + nvkm_event_ntfy_insert(struct nvkm_event_ntfy *ntfy) + { +- spin_lock_irq(&ntfy->event->list_lock); ++ write_lock_irq(&ntfy->event->list_lock); + list_add_tail(&ntfy->head, &ntfy->event->ntfy); +- spin_unlock_irq(&ntfy->event->list_lock); ++ write_unlock_irq(&ntfy->event->list_lock); + } + + static void +@@ -176,7 +176,7 @@ nvkm_event_ntfy(struct nvkm_event *event, int id, u32 bits) + return; + + nvkm_trace(event->subdev, "event: ntfy %08x on %d\n", bits, id); +- spin_lock_irqsave(&event->list_lock, flags); ++ read_lock_irqsave(&event->list_lock, flags); + + list_for_each_entry_safe(ntfy, ntmp, &event->ntfy, head) { + if (ntfy->id == id && ntfy->bits & bits) { +@@ -185,7 +185,7 @@ nvkm_event_ntfy(struct nvkm_event *event, int id, u32 bits) + } + } + +- spin_unlock_irqrestore(&event->list_lock, flags); ++ read_unlock_irqrestore(&event->list_lock, flags); + } + + void +-- +2.42.0 + diff --git a/queue-6.6/scsi-sd-fix-sshdr-use-in-sd_suspend_common.patch b/queue-6.6/scsi-sd-fix-sshdr-use-in-sd_suspend_common.patch new file mode 100644 index 00000000000..24818b8af71 --- /dev/null +++ b/queue-6.6/scsi-sd-fix-sshdr-use-in-sd_suspend_common.patch @@ -0,0 +1,146 @@ +From 18a0799a98d4f0399e7cf7b91f48119a89d74d99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Nov 2023 17:13:04 -0600 +Subject: scsi: sd: Fix sshdr use in sd_suspend_common() + +From: Mike Christie + +[ Upstream commit 3b83486399a6a9feb9c681b74c21a227d48d7020 ] + +If scsi_execute_cmd() returns < 0, it doesn't initialize the sshdr, so we +shouldn't access the sshdr. If it returns 0, then the cmd executed +successfully, so there is no need to check the sshdr. sd_sync_cache() will +only access the sshdr if it's been setup because it calls +scsi_status_is_check_condition() before accessing it. However, the +sd_sync_cache() caller, sd_suspend_common(), does not check. + +sd_suspend_common() is only checking for ILLEGAL_REQUEST which it's using +to determine if the command is supported. If it's not it just ignores the +error. So to fix its sshdr use this patch just moves that check to +sd_sync_cache() where it converts ILLEGAL_REQUEST to success/0. +sd_suspend_common() was ignoring that error and sd_shutdown() doesn't check +for errors so there will be no behavior changes. + +Signed-off-by: Mike Christie +Link: https://lore.kernel.org/r/20231106231304.5694-2-michael.christie@oracle.com +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin Wilck +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 53 ++++++++++++++++++++--------------------------- + 1 file changed, 23 insertions(+), 30 deletions(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index e17509f0b3fa8..c2e8d9e27749b 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1642,24 +1642,21 @@ static unsigned int sd_check_events(struct gendisk *disk, unsigned int clearing) + return disk_changed ? DISK_EVENT_MEDIA_CHANGE : 0; + } + +-static int sd_sync_cache(struct scsi_disk *sdkp, struct scsi_sense_hdr *sshdr) ++static int sd_sync_cache(struct scsi_disk *sdkp) + { + int retries, res; + struct scsi_device *sdp = sdkp->device; + const int timeout = sdp->request_queue->rq_timeout + * SD_FLUSH_TIMEOUT_MULTIPLIER; +- struct scsi_sense_hdr my_sshdr; ++ struct scsi_sense_hdr sshdr; + const struct scsi_exec_args exec_args = { + .req_flags = BLK_MQ_REQ_PM, +- /* caller might not be interested in sense, but we need it */ +- .sshdr = sshdr ? : &my_sshdr, ++ .sshdr = &sshdr, + }; + + if (!scsi_device_online(sdp)) + return -ENODEV; + +- sshdr = exec_args.sshdr; +- + for (retries = 3; retries > 0; --retries) { + unsigned char cmd[16] = { 0 }; + +@@ -1684,15 +1681,23 @@ static int sd_sync_cache(struct scsi_disk *sdkp, struct scsi_sense_hdr *sshdr) + return res; + + if (scsi_status_is_check_condition(res) && +- scsi_sense_valid(sshdr)) { +- sd_print_sense_hdr(sdkp, sshdr); ++ scsi_sense_valid(&sshdr)) { ++ sd_print_sense_hdr(sdkp, &sshdr); + + /* we need to evaluate the error return */ +- if (sshdr->asc == 0x3a || /* medium not present */ +- sshdr->asc == 0x20 || /* invalid command */ +- (sshdr->asc == 0x74 && sshdr->ascq == 0x71)) /* drive is password locked */ ++ if (sshdr.asc == 0x3a || /* medium not present */ ++ sshdr.asc == 0x20 || /* invalid command */ ++ (sshdr.asc == 0x74 && sshdr.ascq == 0x71)) /* drive is password locked */ + /* this is no error here */ + return 0; ++ /* ++ * This drive doesn't support sync and there's not much ++ * we can do because this is called during shutdown ++ * or suspend so just return success so those operations ++ * can proceed. ++ */ ++ if (sshdr.sense_key == ILLEGAL_REQUEST) ++ return 0; + } + + switch (host_byte(res)) { +@@ -3847,7 +3852,7 @@ static void sd_shutdown(struct device *dev) + + if (sdkp->WCE && sdkp->media_present) { + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); +- sd_sync_cache(sdkp, NULL); ++ sd_sync_cache(sdkp); + } + + if ((system_state != SYSTEM_RESTART && +@@ -3868,7 +3873,6 @@ static inline bool sd_do_start_stop(struct scsi_device *sdev, bool runtime) + static int sd_suspend_common(struct device *dev, bool runtime) + { + struct scsi_disk *sdkp = dev_get_drvdata(dev); +- struct scsi_sense_hdr sshdr; + int ret = 0; + + if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ +@@ -3877,24 +3881,13 @@ static int sd_suspend_common(struct device *dev, bool runtime) + if (sdkp->WCE && sdkp->media_present) { + if (!sdkp->device->silence_suspend) + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); +- ret = sd_sync_cache(sdkp, &sshdr); +- +- if (ret) { +- /* ignore OFFLINE device */ +- if (ret == -ENODEV) +- return 0; +- +- if (!scsi_sense_valid(&sshdr) || +- sshdr.sense_key != ILLEGAL_REQUEST) +- return ret; ++ ret = sd_sync_cache(sdkp); ++ /* ignore OFFLINE device */ ++ if (ret == -ENODEV) ++ return 0; + +- /* +- * sshdr.sense_key == ILLEGAL_REQUEST means this drive +- * doesn't support sync. There's not much to do and +- * suspend shouldn't fail. +- */ +- ret = 0; +- } ++ if (ret) ++ return ret; + } + + if (sd_do_start_stop(sdkp->device, runtime)) { +-- +2.42.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..90e735a494e --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,17 @@ +vdpa-mlx5-preserve-cvq-vringh-index.patch +scsi-sd-fix-sshdr-use-in-sd_suspend_common.patch +x86-acpi-ignore-invalid-x2apic-entries.patch +hrtimers-push-pending-hrtimers-away-from-outgoing-cp.patch +i2c-designware-fix-corrupted-memory-seen-in-the-isr.patch +i2c-ocores-move-system-pm-hooks-to-the-noirq-phase.patch +netfilter-ipset-fix-race-condition-between-swap-dest.patch +nouveau-use-an-rwlock-for-the-event-lock.patch +zstd-fix-array-index-out-of-bounds-ubsan-warning.patch +tg3-move-the-rt-x_dropped-counters-to-tg3_napi.patch +tg3-increment-tx_dropped-in-tg3_tso_bug.patch +modpost-fix-section-mismatch-message-for-rela.patch +kconfig-fix-memory-leak-from-range-properties.patch +drm-amdgpu-do-not-program-vf-copy-regs-in-mmhub-v1.8.patch +drm-amdgpu-finalizing-mem_partitions-at-the-end-of-g.patch +drm-amdgpu-correct-chunk_ptr-to-a-pointer-to-chunk.patch +dm-crypt-start-allocating-with-max_order.patch diff --git a/queue-6.6/tg3-increment-tx_dropped-in-tg3_tso_bug.patch b/queue-6.6/tg3-increment-tx_dropped-in-tg3_tso_bug.patch new file mode 100644 index 00000000000..a4fcbd5fb5c --- /dev/null +++ b/queue-6.6/tg3-increment-tx_dropped-in-tg3_tso_bug.patch @@ -0,0 +1,41 @@ +From 3d97b68b73c18729a06e4bf8816f8d4b79a0e6d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 10:23:50 -0800 +Subject: tg3: Increment tx_dropped in tg3_tso_bug() + +From: Alex Pakhunov + +[ Upstream commit 17dd5efe5f36a96bd78012594fabe21efb01186b ] + +tg3_tso_bug() drops a packet if it cannot be segmented for any reason. +The number of discarded frames should be incremented accordingly. + +Signed-off-by: Alex Pakhunov +Signed-off-by: Vincent Wong +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20231113182350.37472-2-alexey.pakhunov@spacex.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 5c18ad10efc3e..b7acd994a393b 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7874,8 +7874,10 @@ static int tg3_tso_bug(struct tg3 *tp, struct tg3_napi *tnapi, + + segs = skb_gso_segment(skb, tp->dev->features & + ~(NETIF_F_TSO | NETIF_F_TSO6)); +- if (IS_ERR(segs) || !segs) ++ if (IS_ERR(segs) || !segs) { ++ tnapi->tx_dropped++; + goto tg3_tso_bug_end; ++ } + + skb_list_walk_safe(segs, seg, next) { + skb_mark_not_on_list(seg); +-- +2.42.0 + diff --git a/queue-6.6/tg3-move-the-rt-x_dropped-counters-to-tg3_napi.patch b/queue-6.6/tg3-move-the-rt-x_dropped-counters-to-tg3_napi.patch new file mode 100644 index 00000000000..f2470d288b6 --- /dev/null +++ b/queue-6.6/tg3-move-the-rt-x_dropped-counters-to-tg3_napi.patch @@ -0,0 +1,139 @@ +From 4849e15ed332c61ae73adc7169759064975656d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 10:23:49 -0800 +Subject: tg3: Move the [rt]x_dropped counters to tg3_napi + +From: Alex Pakhunov + +[ Upstream commit 907d1bdb8b2cc0357d03a1c34d2a08d9943760b1 ] + +This change moves [rt]x_dropped counters to tg3_napi so that they can be +updated by a single writer, race-free. + +Signed-off-by: Alex Pakhunov +Signed-off-by: Vincent Wong +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20231113182350.37472-1-alexey.pakhunov@spacex.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 38 +++++++++++++++++++++++++---- + drivers/net/ethernet/broadcom/tg3.h | 4 +-- + 2 files changed, 35 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 22b00912f7ac8..5c18ad10efc3e 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -6845,7 +6845,7 @@ static int tg3_rx(struct tg3_napi *tnapi, int budget) + desc_idx, *post_ptr); + drop_it_no_recycle: + /* Other statistics kept track of by card. */ +- tp->rx_dropped++; ++ tnapi->rx_dropped++; + goto next_pkt; + } + +@@ -8146,7 +8146,7 @@ static netdev_tx_t tg3_start_xmit(struct sk_buff *skb, struct net_device *dev) + drop: + dev_kfree_skb_any(skb); + drop_nofree: +- tp->tx_dropped++; ++ tnapi->tx_dropped++; + return NETDEV_TX_OK; + } + +@@ -9325,7 +9325,7 @@ static void __tg3_set_rx_mode(struct net_device *); + /* tp->lock is held. */ + static int tg3_halt(struct tg3 *tp, int kind, bool silent) + { +- int err; ++ int err, i; + + tg3_stop_fw(tp); + +@@ -9346,6 +9346,13 @@ static int tg3_halt(struct tg3 *tp, int kind, bool silent) + + /* And make sure the next sample is new data */ + memset(tp->hw_stats, 0, sizeof(struct tg3_hw_stats)); ++ ++ for (i = 0; i < TG3_IRQ_MAX_VECS; ++i) { ++ struct tg3_napi *tnapi = &tp->napi[i]; ++ ++ tnapi->rx_dropped = 0; ++ tnapi->tx_dropped = 0; ++ } + } + + return err; +@@ -11895,6 +11902,9 @@ static void tg3_get_nstats(struct tg3 *tp, struct rtnl_link_stats64 *stats) + { + struct rtnl_link_stats64 *old_stats = &tp->net_stats_prev; + struct tg3_hw_stats *hw_stats = tp->hw_stats; ++ unsigned long rx_dropped; ++ unsigned long tx_dropped; ++ int i; + + stats->rx_packets = old_stats->rx_packets + + get_stat64(&hw_stats->rx_ucast_packets) + +@@ -11941,8 +11951,26 @@ static void tg3_get_nstats(struct tg3 *tp, struct rtnl_link_stats64 *stats) + stats->rx_missed_errors = old_stats->rx_missed_errors + + get_stat64(&hw_stats->rx_discards); + +- stats->rx_dropped = tp->rx_dropped; +- stats->tx_dropped = tp->tx_dropped; ++ /* Aggregate per-queue counters. The per-queue counters are updated ++ * by a single writer, race-free. The result computed by this loop ++ * might not be 100% accurate (counters can be updated in the middle of ++ * the loop) but the next tg3_get_nstats() will recompute the current ++ * value so it is acceptable. ++ * ++ * Note that these counters wrap around at 4G on 32bit machines. ++ */ ++ rx_dropped = (unsigned long)(old_stats->rx_dropped); ++ tx_dropped = (unsigned long)(old_stats->tx_dropped); ++ ++ for (i = 0; i < tp->irq_cnt; i++) { ++ struct tg3_napi *tnapi = &tp->napi[i]; ++ ++ rx_dropped += tnapi->rx_dropped; ++ tx_dropped += tnapi->tx_dropped; ++ } ++ ++ stats->rx_dropped = rx_dropped; ++ stats->tx_dropped = tx_dropped; + } + + static int tg3_get_regs_len(struct net_device *dev) +diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h +index 1000c894064f0..8d753f8c5b065 100644 +--- a/drivers/net/ethernet/broadcom/tg3.h ++++ b/drivers/net/ethernet/broadcom/tg3.h +@@ -3018,6 +3018,7 @@ struct tg3_napi { + u16 *rx_rcb_prod_idx; + struct tg3_rx_prodring_set prodring; + struct tg3_rx_buffer_desc *rx_rcb; ++ unsigned long rx_dropped; + + u32 tx_prod ____cacheline_aligned; + u32 tx_cons; +@@ -3026,6 +3027,7 @@ struct tg3_napi { + u32 prodmbox; + struct tg3_tx_buffer_desc *tx_ring; + struct tg3_tx_ring_info *tx_buffers; ++ unsigned long tx_dropped; + + dma_addr_t status_mapping; + dma_addr_t rx_rcb_mapping; +@@ -3219,8 +3221,6 @@ struct tg3 { + + + /* begin "everything else" cacheline(s) section */ +- unsigned long rx_dropped; +- unsigned long tx_dropped; + struct rtnl_link_stats64 net_stats_prev; + struct tg3_ethtool_stats estats_prev; + +-- +2.42.0 + diff --git a/queue-6.6/vdpa-mlx5-preserve-cvq-vringh-index.patch b/queue-6.6/vdpa-mlx5-preserve-cvq-vringh-index.patch new file mode 100644 index 00000000000..2ba51c76f40 --- /dev/null +++ b/queue-6.6/vdpa-mlx5-preserve-cvq-vringh-index.patch @@ -0,0 +1,66 @@ +From 32f92230e3a34972ec5069c84b0b68ffb8b0ad10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 05:26:27 -0700 +Subject: vdpa/mlx5: preserve CVQ vringh index +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steve Sistare + +[ Upstream commit 480b3e73720f6b5d76bef2387b1f9d19ed67573b ] + +mlx5_vdpa does not preserve userland's view of vring base for the control +queue in the following sequence: + +ioctl VHOST_SET_VRING_BASE +ioctl VHOST_VDPA_SET_STATUS VIRTIO_CONFIG_S_DRIVER_OK + mlx5_vdpa_set_status() + setup_cvq_vring() + vringh_init_iotlb() + vringh_init_kern() + vrh->last_avail_idx = 0; +ioctl VHOST_GET_VRING_BASE + +To fix, restore the value of cvq->vring.last_avail_idx after calling +vringh_init_iotlb. + +Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting") + +Signed-off-by: Steve Sistare +Acked-by: Eugenio Pérez +Acked-by: Jason Wang +Message-Id: <1699014387-194368-1-git-send-email-steven.sistare@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index 946488b8989f4..ca972af3c89a2 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -2795,13 +2795,18 @@ static int setup_cvq_vring(struct mlx5_vdpa_dev *mvdev) + struct mlx5_control_vq *cvq = &mvdev->cvq; + int err = 0; + +- if (mvdev->actual_features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)) ++ if (mvdev->actual_features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)) { ++ u16 idx = cvq->vring.last_avail_idx; ++ + err = vringh_init_iotlb(&cvq->vring, mvdev->actual_features, + MLX5_CVQ_MAX_ENT, false, + (struct vring_desc *)(uintptr_t)cvq->desc_addr, + (struct vring_avail *)(uintptr_t)cvq->driver_addr, + (struct vring_used *)(uintptr_t)cvq->device_addr); + ++ if (!err) ++ cvq->vring.last_avail_idx = cvq->vring.last_used_idx = idx; ++ } + return err; + } + +-- +2.42.0 + diff --git a/queue-6.6/x86-acpi-ignore-invalid-x2apic-entries.patch b/queue-6.6/x86-acpi-ignore-invalid-x2apic-entries.patch new file mode 100644 index 00000000000..1cf575a19e2 --- /dev/null +++ b/queue-6.6/x86-acpi-ignore-invalid-x2apic-entries.patch @@ -0,0 +1,130 @@ +From a42b966d4d30edb3d901423484de83762cda9c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 00:28:02 +0800 +Subject: x86/acpi: Ignore invalid x2APIC entries + +From: Zhang Rui + +[ Upstream commit ec9aedb2aa1ab7ac420c00b31f5edc5be15ec167 ] + +Currently, the kernel enumerates the possible CPUs by parsing both ACPI +MADT Local APIC entries and x2APIC entries. So CPUs with "valid" APIC IDs, +even if they have duplicated APIC IDs in Local APIC and x2APIC, are always +enumerated. + +Below is what ACPI MADT Local APIC and x2APIC describes on an +Ivebridge-EP system, + +[02Ch 0044 1] Subtable Type : 00 [Processor Local APIC] +[02Fh 0047 1] Local Apic ID : 00 +... +[164h 0356 1] Subtable Type : 00 [Processor Local APIC] +[167h 0359 1] Local Apic ID : 39 +[16Ch 0364 1] Subtable Type : 00 [Processor Local APIC] +[16Fh 0367 1] Local Apic ID : FF +... +[3ECh 1004 1] Subtable Type : 09 [Processor Local x2APIC] +[3F0h 1008 4] Processor x2Apic ID : 00000000 +... +[B5Ch 2908 1] Subtable Type : 09 [Processor Local x2APIC] +[B60h 2912 4] Processor x2Apic ID : 00000077 + +As a result, kernel shows "smpboot: Allowing 168 CPUs, 120 hotplug CPUs". +And this wastes significant amount of memory for the per-cpu data. +Plus this also breaks https://lore.kernel.org/all/87edm36qqb.ffs@tglx/, +because __max_logical_packages is over-estimated by the APIC IDs in +the x2APIC entries. + +According to https://uefi.org/specs/ACPI/6.5/05_ACPI_Software_Programming_Model.html#processor-local-x2apic-structure: + + "[Compatibility note] On some legacy OSes, Logical processors with APIC + ID values less than 255 (whether in XAPIC or X2APIC mode) must use the + Processor Local APIC structure to convey their APIC information to OSPM, + and those processors must be declared in the DSDT using the Processor() + keyword. Logical processors with APIC ID values 255 and greater must use + the Processor Local x2APIC structure and be declared using the Device() + keyword." + +Therefore prevent the registration of x2APIC entries with an APIC ID less +than 255 if the local APIC table enumerates valid APIC IDs. + +[ tglx: Simplify the logic ] + +Signed-off-by: Zhang Rui +Signed-off-by: Thomas Gleixner +Tested-by: Peter Zijlstra +Link: https://lore.kernel.org/r/20230702162802.344176-1-rui.zhang@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/acpi/boot.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c +index c55c0ef47a187..fc5bce1b50476 100644 +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -63,6 +63,7 @@ int acpi_fix_pin2_polarity __initdata; + + #ifdef CONFIG_X86_LOCAL_APIC + static u64 acpi_lapic_addr __initdata = APIC_DEFAULT_PHYS_BASE; ++static bool has_lapic_cpus __initdata; + static bool acpi_support_online_capable; + #endif + +@@ -232,6 +233,14 @@ acpi_parse_x2apic(union acpi_subtable_headers *header, const unsigned long end) + if (!acpi_is_processor_usable(processor->lapic_flags)) + return 0; + ++ /* ++ * According to https://uefi.org/specs/ACPI/6.5/05_ACPI_Software_Programming_Model.html#processor-local-x2apic-structure ++ * when MADT provides both valid LAPIC and x2APIC entries, the APIC ID ++ * in x2APIC must be equal or greater than 0xff. ++ */ ++ if (has_lapic_cpus && apic_id < 0xff) ++ return 0; ++ + /* + * We need to register disabled CPU as well to permit + * counting disabled CPUs. This allows us to size +@@ -1114,10 +1123,7 @@ static int __init early_acpi_parse_madt_lapic_addr_ovr(void) + + static int __init acpi_parse_madt_lapic_entries(void) + { +- int count; +- int x2count = 0; +- int ret; +- struct acpi_subtable_proc madt_proc[2]; ++ int count, x2count = 0; + + if (!boot_cpu_has(X86_FEATURE_APIC)) + return -ENODEV; +@@ -1126,21 +1132,11 @@ static int __init acpi_parse_madt_lapic_entries(void) + acpi_parse_sapic, MAX_LOCAL_APIC); + + if (!count) { +- memset(madt_proc, 0, sizeof(madt_proc)); +- madt_proc[0].id = ACPI_MADT_TYPE_LOCAL_APIC; +- madt_proc[0].handler = acpi_parse_lapic; +- madt_proc[1].id = ACPI_MADT_TYPE_LOCAL_X2APIC; +- madt_proc[1].handler = acpi_parse_x2apic; +- ret = acpi_table_parse_entries_array(ACPI_SIG_MADT, +- sizeof(struct acpi_table_madt), +- madt_proc, ARRAY_SIZE(madt_proc), MAX_LOCAL_APIC); +- if (ret < 0) { +- pr_err("Error parsing LAPIC/X2APIC entries\n"); +- return ret; +- } +- +- count = madt_proc[0].count; +- x2count = madt_proc[1].count; ++ count = acpi_table_parse_madt(ACPI_MADT_TYPE_LOCAL_APIC, ++ acpi_parse_lapic, MAX_LOCAL_APIC); ++ has_lapic_cpus = count > 0; ++ x2count = acpi_table_parse_madt(ACPI_MADT_TYPE_LOCAL_X2APIC, ++ acpi_parse_x2apic, MAX_LOCAL_APIC); + } + if (!count && !x2count) { + pr_err("No LAPIC entries present\n"); +-- +2.42.0 + diff --git a/queue-6.6/zstd-fix-array-index-out-of-bounds-ubsan-warning.patch b/queue-6.6/zstd-fix-array-index-out-of-bounds-ubsan-warning.patch new file mode 100644 index 00000000000..0e297694cac --- /dev/null +++ b/queue-6.6/zstd-fix-array-index-out-of-bounds-ubsan-warning.patch @@ -0,0 +1,43 @@ +From 740958dc0a823f905b9790fa9e57de24633c6436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 12:55:34 -0700 +Subject: zstd: Fix array-index-out-of-bounds UBSAN warning + +From: Nick Terrell + +[ Upstream commit 77618db346455129424fadbbaec596a09feaf3bb ] + +Zstd used an array of length 1 to mean a flexible array for C89 +compatibility. Switch to a C99 flexible array to fix the UBSAN warning. + +Tested locally by booting the kernel and writing to and reading from a +BtrFS filesystem with zstd compression enabled. I was unable to reproduce +the issue before the fix, however it is a trivial change. + +Link: https://lkml.kernel.org/r/20231012213428.1390905-1-nickrterrell@gmail.com +Reported-by: syzbot+1f2eb3e8cd123ffce499@syzkaller.appspotmail.com +Reported-by: Eric Biggers +Reported-by: Kees Cook +Signed-off-by: Nick Terrell +Reviewed-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/zstd/common/fse_decompress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/zstd/common/fse_decompress.c b/lib/zstd/common/fse_decompress.c +index a0d06095be83d..8dcb8ca39767c 100644 +--- a/lib/zstd/common/fse_decompress.c ++++ b/lib/zstd/common/fse_decompress.c +@@ -312,7 +312,7 @@ size_t FSE_decompress_wksp(void* dst, size_t dstCapacity, const void* cSrc, size + + typedef struct { + short ncount[FSE_MAX_SYMBOL_VALUE + 1]; +- FSE_DTable dtable[1]; /* Dynamically sized */ ++ FSE_DTable dtable[]; /* Dynamically sized */ + } FSE_DecompressWksp; + + +-- +2.42.0 + -- 2.47.3