From 9ab58f8e1068ca35982abb4d70252f749e8ea0d8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 18 Feb 2024 19:56:38 +0100 Subject: [PATCH] 6.7-stable patches added patches: alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch dm-crypt-dm-verity-disable-tasklets.patch fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch hid-bpf-remove-double-fdget.patch hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch mm-thp_get_unmapped_area-must-honour-topdown-preference.patch mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch nouveau-offload-fence-uevents-work-to-workqueue.patch parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch readahead-avoid-multiple-marked-readahead-pages.patch scs-add-config_mmu-dependency-for-vfree_atomic.patch scsi-storvsc-fix-ring-buffer-size-calculation.patch selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch selftests-mm-switch-to-bash-from-sh.patch selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch usb-chipidea-core-handle-power-lost-in-workqueue.patch usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch usb-ucsi-add-missing-ppm_lock.patch usb-ucsi_acpi-fix-command-completion-handling.patch usb-ulpi-fix-debugfs-directory-leak.patch userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch --- ...able-mute-led-on-hp-laptop-14-fq0xxx.patch | 31 +++ ...recognised-for-acer-swift-1-sf114-32.patch | 33 +++ ...-add-dmi-quirk-for-msi-bravo-15-c7vf.patch | 40 ++++ .../dm-crypt-dm-verity-disable-tasklets.patch | 183 ++++++++++++++++ ...re.c-fix-hugetlbfs-hwpoison-handling.patch | 66 ++++++ ...ry-after-attaching-a-hid-bpf-program.patch | 140 ++++++++++++ queue-6.7/hid-bpf-remove-double-fdget.patch | 200 ++++++++++++++++++ ...of-fix-null-deref-on-failed-power-up.patch | 34 +++ ...put-devices-until-after-hid_hw_start.patch | 147 +++++++++++++ ...reporting-a-serial-of-0-to-userspace.patch | 50 +++++ ...-for-hid_usage_sensor_time_timestamp.patch | 34 +++ ..._area-must-honour-topdown-preference.patch | 106 ++++++++++ ...ide-by-zero-in-wb_dirty_limits-again.patch | 46 ++++ ...load-fence-uevents-work-to-workqueue.patch | 91 ++++++++ ...printing-inventory-on-serial-console.patch | 32 +++ ...void-multiple-marked-readahead-pages.patch | 92 ++++++++ ...nfig_mmu-dependency-for-vfree_atomic.patch | 37 ++++ ...vsc-fix-ring-buffer-size-calculation.patch | 83 ++++++++ ...tlb-failure-on-64k-page-size-systems.patch | 56 +++++ ...ould-only-madv_hugepage-valid-memory.patch | 42 ++++ .../selftests-mm-switch-to-bash-from-sh.patch | 51 +++++ ...switch.sh-to-check-cpu-for-la57-flag.patch | 63 ++++++ queue-6.7/series | 32 +++ ...rn-error-if-failed-to-alloc-snapshot.patch | 40 ++++ ...-core-handle-power-lost-in-workqueue.patch | 125 +++++++++++ ...eference-in-update_port_device_state.patch | 52 +++++ ...r-dereference-in-dwc3_gadget_suspend.patch | 58 +++++ ...bid-async-queue-when-shutdown-happen.patch | 71 +++++++ ...rt-before-enabling-a_alt_hnp_support.patch | 79 +++++++ queue-6.7/usb-ucsi-add-missing-ppm_lock.patch | 42 ++++ ...acpi-fix-command-completion-handling.patch | 75 +++++++ .../usb-ulpi-fix-debugfs-directory-leak.patch | 35 +++ ...ing-checking-in-mfill_atomic_hugetlb.patch | 80 +++++++ 33 files changed, 2346 insertions(+) create mode 100644 queue-6.7/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch create mode 100644 queue-6.7/alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch create mode 100644 queue-6.7/asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch create mode 100644 queue-6.7/dm-crypt-dm-verity-disable-tasklets.patch create mode 100644 queue-6.7/fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch create mode 100644 queue-6.7/hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch create mode 100644 queue-6.7/hid-bpf-remove-double-fdget.patch create mode 100644 queue-6.7/hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch create mode 100644 queue-6.7/hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch create mode 100644 queue-6.7/hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch create mode 100644 queue-6.7/iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch create mode 100644 queue-6.7/mm-thp_get_unmapped_area-must-honour-topdown-preference.patch create mode 100644 queue-6.7/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch create mode 100644 queue-6.7/nouveau-offload-fence-uevents-work-to-workqueue.patch create mode 100644 queue-6.7/parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch create mode 100644 queue-6.7/readahead-avoid-multiple-marked-readahead-pages.patch create mode 100644 queue-6.7/scs-add-config_mmu-dependency-for-vfree_atomic.patch create mode 100644 queue-6.7/scsi-storvsc-fix-ring-buffer-size-calculation.patch create mode 100644 queue-6.7/selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch create mode 100644 queue-6.7/selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch create mode 100644 queue-6.7/selftests-mm-switch-to-bash-from-sh.patch create mode 100644 queue-6.7/selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch create mode 100644 queue-6.7/tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch create mode 100644 queue-6.7/usb-chipidea-core-handle-power-lost-in-workqueue.patch create mode 100644 queue-6.7/usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch create mode 100644 queue-6.7/usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch create mode 100644 queue-6.7/usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch create mode 100644 queue-6.7/usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch create mode 100644 queue-6.7/usb-ucsi-add-missing-ppm_lock.patch create mode 100644 queue-6.7/usb-ucsi_acpi-fix-command-completion-handling.patch create mode 100644 queue-6.7/usb-ulpi-fix-debugfs-directory-leak.patch create mode 100644 queue-6.7/userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch diff --git a/queue-6.7/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch b/queue-6.7/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch new file mode 100644 index 00000000000..a2e01c5bf2c --- /dev/null +++ b/queue-6.7/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch @@ -0,0 +1,31 @@ +From f0d78972f27dc1d1d51fbace2713ad3cdc60a877 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Sun, 28 Jan 2024 16:57:04 +0100 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx + +From: Luka Guzenko + +commit f0d78972f27dc1d1d51fbace2713ad3cdc60a877 upstream. + +This HP Laptop uses ALC236 codec with COEF 0x07 controlling the +mute LED. Enable existing quirk for this device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20240128155704.2333812-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9840,6 +9840,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8786, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8787, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.7/alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch b/queue-6.7/alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch new file mode 100644 index 00000000000..6230ae05702 --- /dev/null +++ b/queue-6.7/alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch @@ -0,0 +1,33 @@ +From efb56d84dd9c3de3c99fc396abb57c6d330038b5 Mon Sep 17 00:00:00 2001 +From: David Senoner +Date: Fri, 26 Jan 2024 16:56:26 +0100 +Subject: ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32 + +From: David Senoner + +commit efb56d84dd9c3de3c99fc396abb57c6d330038b5 upstream. + +If you connect an external headset/microphone to the 3.5mm jack on the +Acer Swift 1 SF114-32 it does not recognize the microphone. This fixes +that and gives the user the ability to choose between internal and +headset mic. + +Signed-off-by: David Senoner +Cc: +Link: https://lore.kernel.org/r/20240126155626.2304465-1-seda18@rolmail.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9640,6 +9640,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x1247, "Acer vCopperbox", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS), + SND_PCI_QUIRK(0x1025, 0x1248, "Acer Veriton N4660G", ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1269, "Acer SWIFT SF314-54", ALC256_FIXUP_ACER_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1025, 0x126a, "Acer Swift SF114-32", ALC256_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC), diff --git a/queue-6.7/asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch b/queue-6.7/asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch new file mode 100644 index 00000000000..685da99f051 --- /dev/null +++ b/queue-6.7/asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch @@ -0,0 +1,40 @@ +From c6dce23ec993f7da7790a9eadb36864ceb60e942 Mon Sep 17 00:00:00 2001 +From: Techno Mooney +Date: Mon, 29 Jan 2024 15:11:47 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for MSI Bravo 15 C7VF + +From: Techno Mooney + +commit c6dce23ec993f7da7790a9eadb36864ceb60e942 upstream. + +The laptop requires a quirk ID to enable its internal microphone. Add +it to the DMI quirk table. + +Reported-by: Techno Mooney +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218402 +Cc: stable@vger.kernel.org +Signed-off-by: Techno Mooney +Signed-off-by: Bagas Sanjaya +Link: https://msgid.link/r/20240129081148.1044891-1-bagasdotme@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -300,6 +300,13 @@ static const struct dmi_system_id yc_acp + { + .driver_data = &acp6x_card, + .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 15 C7VF"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Alienware"), + DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17 R5 AMD"), + } diff --git a/queue-6.7/dm-crypt-dm-verity-disable-tasklets.patch b/queue-6.7/dm-crypt-dm-verity-disable-tasklets.patch new file mode 100644 index 00000000000..73b9cb4e4b4 --- /dev/null +++ b/queue-6.7/dm-crypt-dm-verity-disable-tasklets.patch @@ -0,0 +1,183 @@ +From 0a9bab391e336489169b95cb0d4553d921302189 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 31 Jan 2024 21:57:27 +0100 +Subject: dm-crypt, dm-verity: disable tasklets + +From: Mikulas Patocka + +commit 0a9bab391e336489169b95cb0d4553d921302189 upstream. + +Tasklets have an inherent problem with memory corruption. The function +tasklet_action_common calls tasklet_trylock, then it calls the tasklet +callback and then it calls tasklet_unlock. If the tasklet callback frees +the structure that contains the tasklet or if it calls some code that may +free it, tasklet_unlock will write into free memory. + +The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but +it is not a sufficient fix and the data corruption can still happen [1]. +There is no fix for dm-verity and dm-verity will write into free memory +with every tasklet-processed bio. + +There will be atomic workqueues implemented in the kernel 6.9 [2]. They +will have better interface and they will not suffer from the memory +corruption problem. + +But we need something that stops the memory corruption now and that can be +backported to the stable kernels. So, I'm proposing this commit that +disables tasklets in both dm-crypt and dm-verity. This commit doesn't +remove the tasklet support, because the tasklet code will be reused when +atomic workqueues will be implemented. + +[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/ +[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/ + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: 39d42fa96ba1b ("dm crypt: add flags to optionally bypass kcryptd workqueues") +Fixes: 5721d4e5a9cdb ("dm verity: Add optional "try_verify_in_tasklet" feature") +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 38 ++------------------------------------ + drivers/md/dm-verity-target.c | 26 ++------------------------ + drivers/md/dm-verity.h | 1 - + 3 files changed, 4 insertions(+), 61 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -73,10 +73,8 @@ struct dm_crypt_io { + struct bio *base_bio; + u8 *integrity_metadata; + bool integrity_metadata_from_pool:1; +- bool in_tasklet:1; + + struct work_struct work; +- struct tasklet_struct tasklet; + + struct convert_context ctx; + +@@ -1762,7 +1760,6 @@ static void crypt_io_init(struct dm_cryp + io->ctx.r.req = NULL; + io->integrity_metadata = NULL; + io->integrity_metadata_from_pool = false; +- io->in_tasklet = false; + atomic_set(&io->io_pending, 0); + } + +@@ -1771,13 +1768,6 @@ static void crypt_inc_pending(struct dm_ + atomic_inc(&io->io_pending); + } + +-static void kcryptd_io_bio_endio(struct work_struct *work) +-{ +- struct dm_crypt_io *io = container_of(work, struct dm_crypt_io, work); +- +- bio_endio(io->base_bio); +-} +- + /* + * One of the bios was finished. Check for completion of + * the whole request and correctly clean up the buffer. +@@ -1801,20 +1791,6 @@ static void crypt_dec_pending(struct dm_ + + base_bio->bi_status = error; + +- /* +- * If we are running this function from our tasklet, +- * we can't call bio_endio() here, because it will call +- * clone_endio() from dm.c, which in turn will +- * free the current struct dm_crypt_io structure with +- * our tasklet. In this case we need to delay bio_endio() +- * execution to after the tasklet is done and dequeued. +- */ +- if (io->in_tasklet) { +- INIT_WORK(&io->work, kcryptd_io_bio_endio); +- queue_work(cc->io_queue, &io->work); +- return; +- } +- + bio_endio(base_bio); + } + +@@ -2246,11 +2222,6 @@ static void kcryptd_crypt(struct work_st + kcryptd_crypt_write_convert(io); + } + +-static void kcryptd_crypt_tasklet(unsigned long work) +-{ +- kcryptd_crypt((struct work_struct *)work); +-} +- + static void kcryptd_queue_crypt(struct dm_crypt_io *io) + { + struct crypt_config *cc = io->cc; +@@ -2262,15 +2233,10 @@ static void kcryptd_queue_crypt(struct d + * irqs_disabled(): the kernel may run some IO completion from the idle thread, but + * it is being executed with irqs disabled. + */ +- if (in_hardirq() || irqs_disabled()) { +- io->in_tasklet = true; +- tasklet_init(&io->tasklet, kcryptd_crypt_tasklet, (unsigned long)&io->work); +- tasklet_schedule(&io->tasklet); ++ if (!(in_hardirq() || irqs_disabled())) { ++ kcryptd_crypt(&io->work); + return; + } +- +- kcryptd_crypt(&io->work); +- return; + } + + INIT_WORK(&io->work, kcryptd_crypt); +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -645,23 +645,6 @@ static void verity_work(struct work_stru + verity_finish_io(io, errno_to_blk_status(verity_verify_io(io))); + } + +-static void verity_tasklet(unsigned long data) +-{ +- struct dm_verity_io *io = (struct dm_verity_io *)data; +- int err; +- +- io->in_tasklet = true; +- err = verity_verify_io(io); +- if (err == -EAGAIN || err == -ENOMEM) { +- /* fallback to retrying with work-queue */ +- INIT_WORK(&io->work, verity_work); +- queue_work(io->v->verify_wq, &io->work); +- return; +- } +- +- verity_finish_io(io, errno_to_blk_status(err)); +-} +- + static void verity_end_io(struct bio *bio) + { + struct dm_verity_io *io = bio->bi_private; +@@ -674,13 +657,8 @@ static void verity_end_io(struct bio *bi + return; + } + +- if (static_branch_unlikely(&use_tasklet_enabled) && io->v->use_tasklet) { +- tasklet_init(&io->tasklet, verity_tasklet, (unsigned long)io); +- tasklet_schedule(&io->tasklet); +- } else { +- INIT_WORK(&io->work, verity_work); +- queue_work(io->v->verify_wq, &io->work); +- } ++ INIT_WORK(&io->work, verity_work); ++ queue_work(io->v->verify_wq, &io->work); + } + + /* +--- a/drivers/md/dm-verity.h ++++ b/drivers/md/dm-verity.h +@@ -83,7 +83,6 @@ struct dm_verity_io { + struct bvec_iter iter; + + struct work_struct work; +- struct tasklet_struct tasklet; + + /* + * Three variably-size fields follow this struct: diff --git a/queue-6.7/fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch b/queue-6.7/fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch new file mode 100644 index 00000000000..1a812c08adb --- /dev/null +++ b/queue-6.7/fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch @@ -0,0 +1,66 @@ +From 19d3e221807772f8443e565234a6fdc5a2b09d26 Mon Sep 17 00:00:00 2001 +From: Sidhartha Kumar +Date: Fri, 12 Jan 2024 10:08:40 -0800 +Subject: fs/hugetlbfs/inode.c: mm/memory-failure.c: fix hugetlbfs hwpoison handling + +From: Sidhartha Kumar + +commit 19d3e221807772f8443e565234a6fdc5a2b09d26 upstream. + +has_extra_refcount() makes the assumption that the page cache adds a ref +count of 1 and subtracts this in the extra_pins case. Commit a08c7193e4f1 +(mm/filemap: remove hugetlb special casing in filemap.c) modifies +__filemap_add_folio() by calling folio_ref_add(folio, nr); for all cases +(including hugtetlb) where nr is the number of pages in the folio. We +should adjust the number of references coming from the page cache by +subtracing the number of pages rather than 1. + +In hugetlbfs_read_iter(), folio_test_has_hwpoisoned() is testing the wrong +flag as, in the hugetlb case, memory-failure code calls +folio_test_set_hwpoison() to indicate poison. folio_test_hwpoison() is +the correct function to test for that flag. + +After these fixes, the hugetlb hwpoison read selftest passes all cases. + +Link: https://lkml.kernel.org/r/20240112180840.367006-1-sidhartha.kumar@oracle.com +Fixes: a08c7193e4f1 ("mm/filemap: remove hugetlb special casing in filemap.c") +Signed-off-by: Sidhartha Kumar +Closes: https://lore.kernel.org/linux-mm/20230713001833.3778937-1-jiaqiyan@google.com/T/#m8e1469119e5b831bbd05d495f96b842e4a1c5519 +Reported-by: Muhammad Usama Anjum +Tested-by: Muhammad Usama Anjum +Acked-by: Miaohe Lin +Acked-by: Muchun Song +Cc: James Houghton +Cc: Jiaqi Yan +Cc: Matthew Wilcox (Oracle) +Cc: Naoya Horiguchi +Cc: [6.7+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 2 +- + mm/memory-failure.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -340,7 +340,7 @@ static ssize_t hugetlbfs_read_iter(struc + } else { + folio_unlock(folio); + +- if (!folio_test_has_hwpoisoned(folio)) ++ if (!folio_test_hwpoison(folio)) + want = nr; + else { + /* +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -976,7 +976,7 @@ static bool has_extra_refcount(struct pa + int count = page_count(p) - 1; + + if (extra_pins) +- count -= 1; ++ count -= folio_nr_pages(page_folio(p)); + + if (count > 0) { + pr_err("%#lx: %s still referenced by %d users\n", diff --git a/queue-6.7/hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch b/queue-6.7/hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch new file mode 100644 index 00000000000..9befa36aab5 --- /dev/null +++ b/queue-6.7/hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch @@ -0,0 +1,140 @@ +From 89be8aa5b0ecb3b729c7bcff64bb2af7921fec63 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Wed, 24 Jan 2024 12:26:58 +0100 +Subject: HID: bpf: actually free hdev memory after attaching a HID-BPF program + +From: Benjamin Tissoires + +commit 89be8aa5b0ecb3b729c7bcff64bb2af7921fec63 upstream. + +Turns out that I got my reference counts wrong and each successful +bus_find_device() actually calls get_device(), and we need to manually +call put_device(). + +Ensure each bus_find_device() gets a matching put_device() when releasing +the bpf programs and fix all the error paths. + +Cc: +Fixes: f5c27da4e3c8 ("HID: initial BPF implementation") +Link: https://lore.kernel.org/r/20240124-b4-hid-bpf-fixes-v2-2-052520b1e5e6@kernel.org +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_dispatch.c | 29 +++++++++++++++++++++++------ + drivers/hid/bpf/hid_bpf_jmp_table.c | 20 +++++++++++++++++--- + 2 files changed, 40 insertions(+), 9 deletions(-) + +--- a/drivers/hid/bpf/hid_bpf_dispatch.c ++++ b/drivers/hid/bpf/hid_bpf_dispatch.c +@@ -292,7 +292,7 @@ hid_bpf_attach_prog(unsigned int hid_id, + struct hid_device *hdev; + struct bpf_prog *prog; + struct device *dev; +- int fd; ++ int err, fd; + + if (!hid_bpf_ops) + return -EINVAL; +@@ -311,14 +311,24 @@ hid_bpf_attach_prog(unsigned int hid_id, + * on errors or when it'll be detached + */ + prog = bpf_prog_get(prog_fd); +- if (IS_ERR(prog)) +- return PTR_ERR(prog); ++ if (IS_ERR(prog)) { ++ err = PTR_ERR(prog); ++ goto out_dev_put; ++ } + + fd = do_hid_bpf_attach_prog(hdev, prog_fd, prog, flags); +- if (fd < 0) +- bpf_prog_put(prog); ++ if (fd < 0) { ++ err = fd; ++ goto out_prog_put; ++ } + + return fd; ++ ++ out_prog_put: ++ bpf_prog_put(prog); ++ out_dev_put: ++ put_device(dev); ++ return err; + } + + /** +@@ -345,8 +355,10 @@ hid_bpf_allocate_context(unsigned int hi + hdev = to_hid_device(dev); + + ctx_kern = kzalloc(sizeof(*ctx_kern), GFP_KERNEL); +- if (!ctx_kern) ++ if (!ctx_kern) { ++ put_device(dev); + return NULL; ++ } + + ctx_kern->ctx.hid = hdev; + +@@ -363,10 +375,15 @@ noinline void + hid_bpf_release_context(struct hid_bpf_ctx *ctx) + { + struct hid_bpf_ctx_kern *ctx_kern; ++ struct hid_device *hid; + + ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx); ++ hid = (struct hid_device *)ctx_kern->ctx.hid; /* ignore const */ + + kfree(ctx_kern); ++ ++ /* get_device() is called by bus_find_device() */ ++ put_device(&hid->dev); + } + + /** +--- a/drivers/hid/bpf/hid_bpf_jmp_table.c ++++ b/drivers/hid/bpf/hid_bpf_jmp_table.c +@@ -196,6 +196,7 @@ static void __hid_bpf_do_release_prog(in + static void hid_bpf_release_progs(struct work_struct *work) + { + int i, j, n, map_fd = -1; ++ bool hdev_destroyed; + + if (!jmp_table.map) + return; +@@ -220,6 +221,12 @@ static void hid_bpf_release_progs(struct + if (entry->hdev) { + hdev = entry->hdev; + type = entry->type; ++ /* ++ * hdev is still valid, even if we are called after hid_destroy_device(): ++ * when hid_bpf_attach() gets called, it takes a ref on the dev through ++ * bus_find_device() ++ */ ++ hdev_destroyed = hdev->bpf.destroyed; + + hid_bpf_populate_hdev(hdev, type); + +@@ -232,12 +239,19 @@ static void hid_bpf_release_progs(struct + if (test_bit(next->idx, jmp_table.enabled)) + continue; + +- if (next->hdev == hdev && next->type == type) ++ if (next->hdev == hdev && next->type == type) { ++ /* ++ * clear the hdev reference and decrement the device ref ++ * that was taken during bus_find_device() while calling ++ * hid_bpf_attach() ++ */ + next->hdev = NULL; ++ put_device(&hdev->dev); ++ } + } + +- /* if type was rdesc fixup, reconnect device */ +- if (type == HID_BPF_PROG_TYPE_RDESC_FIXUP) ++ /* if type was rdesc fixup and the device is not gone, reconnect device */ ++ if (type == HID_BPF_PROG_TYPE_RDESC_FIXUP && !hdev_destroyed) + hid_bpf_reconnect(hdev); + } + } diff --git a/queue-6.7/hid-bpf-remove-double-fdget.patch b/queue-6.7/hid-bpf-remove-double-fdget.patch new file mode 100644 index 00000000000..83e47124696 --- /dev/null +++ b/queue-6.7/hid-bpf-remove-double-fdget.patch @@ -0,0 +1,200 @@ +From 7cdd2108903a4e369eb37579830afc12a6877ec2 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Wed, 24 Jan 2024 12:26:57 +0100 +Subject: HID: bpf: remove double fdget() + +From: Benjamin Tissoires + +commit 7cdd2108903a4e369eb37579830afc12a6877ec2 upstream. + +When the kfunc hid_bpf_attach_prog() is called, we called twice fdget(): +one for fetching the type of the bpf program, and one for actually +attaching the program to the device. + +The problem is that between those two calls, we have no guarantees that +the prog_fd is still the same file descriptor for the given program. + +Solve this by calling bpf_prog_get() earlier, and use this to fetch the +program type. + +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/bpf/CAO-hwJJ8vh8JD3-P43L-_CLNmPx0hWj44aom0O838vfP4=_1CA@mail.gmail.com/T/#t +Cc: +Fixes: f5c27da4e3c8 ("HID: initial BPF implementation") +Link: https://lore.kernel.org/r/20240124-b4-hid-bpf-fixes-v2-1-052520b1e5e6@kernel.org +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_dispatch.c | 66 ++++++++++++++++++++++++------------ + drivers/hid/bpf/hid_bpf_dispatch.h | 4 +- + drivers/hid/bpf/hid_bpf_jmp_table.c | 20 +--------- + 3 files changed, 49 insertions(+), 41 deletions(-) + +--- a/drivers/hid/bpf/hid_bpf_dispatch.c ++++ b/drivers/hid/bpf/hid_bpf_dispatch.c +@@ -241,6 +241,39 @@ int hid_bpf_reconnect(struct hid_device + return 0; + } + ++static int do_hid_bpf_attach_prog(struct hid_device *hdev, int prog_fd, struct bpf_prog *prog, ++ __u32 flags) ++{ ++ int fd, err, prog_type; ++ ++ prog_type = hid_bpf_get_prog_attach_type(prog); ++ if (prog_type < 0) ++ return prog_type; ++ ++ if (prog_type >= HID_BPF_PROG_TYPE_MAX) ++ return -EINVAL; ++ ++ if (prog_type == HID_BPF_PROG_TYPE_DEVICE_EVENT) { ++ err = hid_bpf_allocate_event_data(hdev); ++ if (err) ++ return err; ++ } ++ ++ fd = __hid_bpf_attach_prog(hdev, prog_type, prog_fd, prog, flags); ++ if (fd < 0) ++ return fd; ++ ++ if (prog_type == HID_BPF_PROG_TYPE_RDESC_FIXUP) { ++ err = hid_bpf_reconnect(hdev); ++ if (err) { ++ close_fd(fd); ++ return err; ++ } ++ } ++ ++ return fd; ++} ++ + /** + * hid_bpf_attach_prog - Attach the given @prog_fd to the given HID device + * +@@ -257,18 +290,13 @@ noinline int + hid_bpf_attach_prog(unsigned int hid_id, int prog_fd, __u32 flags) + { + struct hid_device *hdev; ++ struct bpf_prog *prog; + struct device *dev; +- int fd, err, prog_type = hid_bpf_get_prog_attach_type(prog_fd); ++ int fd; + + if (!hid_bpf_ops) + return -EINVAL; + +- if (prog_type < 0) +- return prog_type; +- +- if (prog_type >= HID_BPF_PROG_TYPE_MAX) +- return -EINVAL; +- + if ((flags & ~HID_BPF_FLAG_MASK)) + return -EINVAL; + +@@ -278,23 +306,17 @@ hid_bpf_attach_prog(unsigned int hid_id, + + hdev = to_hid_device(dev); + +- if (prog_type == HID_BPF_PROG_TYPE_DEVICE_EVENT) { +- err = hid_bpf_allocate_event_data(hdev); +- if (err) +- return err; +- } ++ /* ++ * take a ref on the prog itself, it will be released ++ * on errors or when it'll be detached ++ */ ++ prog = bpf_prog_get(prog_fd); ++ if (IS_ERR(prog)) ++ return PTR_ERR(prog); + +- fd = __hid_bpf_attach_prog(hdev, prog_type, prog_fd, flags); ++ fd = do_hid_bpf_attach_prog(hdev, prog_fd, prog, flags); + if (fd < 0) +- return fd; +- +- if (prog_type == HID_BPF_PROG_TYPE_RDESC_FIXUP) { +- err = hid_bpf_reconnect(hdev); +- if (err) { +- close_fd(fd); +- return err; +- } +- } ++ bpf_prog_put(prog); + + return fd; + } +--- a/drivers/hid/bpf/hid_bpf_dispatch.h ++++ b/drivers/hid/bpf/hid_bpf_dispatch.h +@@ -12,9 +12,9 @@ struct hid_bpf_ctx_kern { + + int hid_bpf_preload_skel(void); + void hid_bpf_free_links_and_skel(void); +-int hid_bpf_get_prog_attach_type(int prog_fd); ++int hid_bpf_get_prog_attach_type(struct bpf_prog *prog); + int __hid_bpf_attach_prog(struct hid_device *hdev, enum hid_bpf_prog_type prog_type, int prog_fd, +- __u32 flags); ++ struct bpf_prog *prog, __u32 flags); + void __hid_bpf_destroy_device(struct hid_device *hdev); + int hid_bpf_prog_run(struct hid_device *hdev, enum hid_bpf_prog_type type, + struct hid_bpf_ctx_kern *ctx_kern); +--- a/drivers/hid/bpf/hid_bpf_jmp_table.c ++++ b/drivers/hid/bpf/hid_bpf_jmp_table.c +@@ -333,15 +333,10 @@ static int hid_bpf_insert_prog(int prog_ + return err; + } + +-int hid_bpf_get_prog_attach_type(int prog_fd) ++int hid_bpf_get_prog_attach_type(struct bpf_prog *prog) + { +- struct bpf_prog *prog = NULL; +- int i; + int prog_type = HID_BPF_PROG_TYPE_UNDEF; +- +- prog = bpf_prog_get(prog_fd); +- if (IS_ERR(prog)) +- return PTR_ERR(prog); ++ int i; + + for (i = 0; i < HID_BPF_PROG_TYPE_MAX; i++) { + if (hid_bpf_btf_ids[i] == prog->aux->attach_btf_id) { +@@ -350,8 +345,6 @@ int hid_bpf_get_prog_attach_type(int pro + } + } + +- bpf_prog_put(prog); +- + return prog_type; + } + +@@ -388,19 +381,13 @@ static const struct bpf_link_ops hid_bpf + /* called from syscall */ + noinline int + __hid_bpf_attach_prog(struct hid_device *hdev, enum hid_bpf_prog_type prog_type, +- int prog_fd, __u32 flags) ++ int prog_fd, struct bpf_prog *prog, __u32 flags) + { + struct bpf_link_primer link_primer; + struct hid_bpf_link *link; +- struct bpf_prog *prog = NULL; + struct hid_bpf_prog_entry *prog_entry; + int cnt, err = -EINVAL, prog_table_idx = -1; + +- /* take a ref on the prog itself */ +- prog = bpf_prog_get(prog_fd); +- if (IS_ERR(prog)) +- return PTR_ERR(prog); +- + mutex_lock(&hid_bpf_attach_lock); + + link = kzalloc(sizeof(*link), GFP_USER); +@@ -467,7 +454,6 @@ __hid_bpf_attach_prog(struct hid_device + err_unlock: + mutex_unlock(&hid_bpf_attach_lock); + +- bpf_prog_put(prog); + kfree(link); + + return err; diff --git a/queue-6.7/hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch b/queue-6.7/hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch new file mode 100644 index 00000000000..9a7be4dcf4c --- /dev/null +++ b/queue-6.7/hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch @@ -0,0 +1,34 @@ +From 00aab7dcb2267f2aef59447602f34501efe1a07f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Jan 2024 18:09:01 +0100 +Subject: HID: i2c-hid-of: fix NULL-deref on failed power up + +From: Johan Hovold + +commit 00aab7dcb2267f2aef59447602f34501efe1a07f upstream. + +A while back the I2C HID implementation was split in an ACPI and OF +part, but the new OF driver never initialises the client pointer which +is dereferenced on power-up failures. + +Fixes: b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules") +Cc: stable@vger.kernel.org # 5.12 +Cc: Douglas Anderson +Signed-off-by: Johan Hovold +Reviewed-by: Douglas Anderson +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid-of.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/i2c-hid/i2c-hid-of.c ++++ b/drivers/hid/i2c-hid/i2c-hid-of.c +@@ -87,6 +87,7 @@ static int i2c_hid_of_probe(struct i2c_c + if (!ihid_of) + return -ENOMEM; + ++ ihid_of->client = client; + ihid_of->ops.power_up = i2c_hid_of_power_up; + ihid_of->ops.power_down = i2c_hid_of_power_down; + diff --git a/queue-6.7/hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch b/queue-6.7/hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch new file mode 100644 index 00000000000..e4705bc5e80 --- /dev/null +++ b/queue-6.7/hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch @@ -0,0 +1,147 @@ +From c1d6708bf0d3dd976460d435373cf5abf21ce258 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 29 Jan 2024 14:35:45 -0800 +Subject: HID: wacom: Do not register input devices until after hid_hw_start + +From: Jason Gerecke + +commit c1d6708bf0d3dd976460d435373cf5abf21ce258 upstream. + +If a input device is opened before hid_hw_start is called, events may +not be received from the hardware. In the case of USB-backed devices, +for example, the hid_hw_start function is responsible for filling in +the URB which is submitted when the input device is opened. If a device +is opened prematurely, polling will never start because the device will +not have been in the correct state to send the URB. + +Because the wacom driver registers its input devices before calling +hid_hw_start, there is a window of time where a device can be opened +and end up in an inoperable state. Some ARM-based Chromebooks in particular +reliably trigger this bug. + +This commit splits the wacom_register_inputs function into two pieces. +One which is responsible for setting up the allocated inputs (and runs +prior to hid_hw_start so that devices are ready for any input events +they may end up receiving) and another which only registers the devices +(and runs after hid_hw_start to ensure devices can be immediately opened +without issue). Note that the functions to initialize the LEDs and remotes +are also moved after hid_hw_start to maintain their own dependency chains. + +Fixes: 7704ac937345 ("HID: wacom: implement generic HID handling for pen generic devices") +Cc: stable@vger.kernel.org # v3.18+ +Suggested-by: Dmitry Torokhov +Signed-off-by: Jason Gerecke +Tested-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 63 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 43 insertions(+), 20 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2080,7 +2080,7 @@ static int wacom_allocate_inputs(struct + return 0; + } + +-static int wacom_register_inputs(struct wacom *wacom) ++static int wacom_setup_inputs(struct wacom *wacom) + { + struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev; + struct wacom_wac *wacom_wac = &(wacom->wacom_wac); +@@ -2099,10 +2099,6 @@ static int wacom_register_inputs(struct + input_free_device(pen_input_dev); + wacom_wac->pen_input = NULL; + pen_input_dev = NULL; +- } else { +- error = input_register_device(pen_input_dev); +- if (error) +- goto fail; + } + + error = wacom_setup_touch_input_capabilities(touch_input_dev, wacom_wac); +@@ -2111,10 +2107,6 @@ static int wacom_register_inputs(struct + input_free_device(touch_input_dev); + wacom_wac->touch_input = NULL; + touch_input_dev = NULL; +- } else { +- error = input_register_device(touch_input_dev); +- if (error) +- goto fail; + } + + error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac); +@@ -2123,7 +2115,34 @@ static int wacom_register_inputs(struct + input_free_device(pad_input_dev); + wacom_wac->pad_input = NULL; + pad_input_dev = NULL; +- } else { ++ } ++ ++ return 0; ++} ++ ++static int wacom_register_inputs(struct wacom *wacom) ++{ ++ struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev; ++ struct wacom_wac *wacom_wac = &(wacom->wacom_wac); ++ int error = 0; ++ ++ pen_input_dev = wacom_wac->pen_input; ++ touch_input_dev = wacom_wac->touch_input; ++ pad_input_dev = wacom_wac->pad_input; ++ ++ if (pen_input_dev) { ++ error = input_register_device(pen_input_dev); ++ if (error) ++ goto fail; ++ } ++ ++ if (touch_input_dev) { ++ error = input_register_device(touch_input_dev); ++ if (error) ++ goto fail; ++ } ++ ++ if (pad_input_dev) { + error = input_register_device(pad_input_dev); + if (error) + goto fail; +@@ -2376,6 +2395,20 @@ static int wacom_parse_and_register(stru + if (error) + goto fail; + ++ error = wacom_setup_inputs(wacom); ++ if (error) ++ goto fail; ++ ++ if (features->type == HID_GENERIC) ++ connect_mask |= HID_CONNECT_DRIVER; ++ ++ /* Regular HID work starts now */ ++ error = hid_hw_start(hdev, connect_mask); ++ if (error) { ++ hid_err(hdev, "hw start failed\n"); ++ goto fail; ++ } ++ + error = wacom_register_inputs(wacom); + if (error) + goto fail; +@@ -2390,16 +2423,6 @@ static int wacom_parse_and_register(stru + goto fail; + } + +- if (features->type == HID_GENERIC) +- connect_mask |= HID_CONNECT_DRIVER; +- +- /* Regular HID work starts now */ +- error = hid_hw_start(hdev, connect_mask); +- if (error) { +- hid_err(hdev, "hw start failed\n"); +- goto fail; +- } +- + if (!wireless) { + /* Note that if query fails it is not a hard failure */ + wacom_query_tablet_data(wacom); diff --git a/queue-6.7/hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch b/queue-6.7/hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch new file mode 100644 index 00000000000..fa3aac129f4 --- /dev/null +++ b/queue-6.7/hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch @@ -0,0 +1,50 @@ +From ab41a31dd5e2681803642b6d08590b61867840ec Mon Sep 17 00:00:00 2001 +From: Tatsunosuke Tobita +Date: Thu, 1 Feb 2024 13:40:55 +0900 +Subject: HID: wacom: generic: Avoid reporting a serial of '0' to userspace + +From: Tatsunosuke Tobita + +commit ab41a31dd5e2681803642b6d08590b61867840ec upstream. + +The xf86-input-wacom driver does not treat '0' as a valid serial +number and will drop any input report which contains an +MSC_SERIAL = 0 event. The kernel driver already takes care to +avoid sending any MSC_SERIAL event if the value of serial[0] == 0 +(which is the case for devices that don't actually report a +serial number), but this is not quite sufficient. +Only the lower 32 bits of the serial get reported to userspace, +so if this portion of the serial is zero then there can still +be problems. + +This commit allows the driver to report either the lower 32 bits +if they are non-zero or the upper 32 bits otherwise. + +Signed-off-by: Jason Gerecke +Signed-off-by: Tatsunosuke Tobita +Fixes: f85c9dc678a5 ("HID: wacom: generic: Support tool ID and additional tool types") +CC: stable@vger.kernel.org # v4.10 +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2574,7 +2574,14 @@ static void wacom_wac_pen_report(struct + wacom_wac->hid_data.tipswitch); + input_report_key(input, wacom_wac->tool[0], sense); + if (wacom_wac->serial[0]) { +- input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]); ++ /* ++ * xf86-input-wacom does not accept a serial number ++ * of '0'. Report the low 32 bits if possible, but ++ * if they are zero, report the upper ones instead. ++ */ ++ __u32 serial_lo = wacom_wac->serial[0] & 0xFFFFFFFFu; ++ __u32 serial_hi = wacom_wac->serial[0] >> 32; ++ input_event(input, EV_MSC, MSC_SERIAL, (int)(serial_lo ? serial_lo : serial_hi)); + input_report_abs(input, ABS_MISC, sense ? id : 0); + } + diff --git a/queue-6.7/iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch b/queue-6.7/iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch new file mode 100644 index 00000000000..e620b35981d --- /dev/null +++ b/queue-6.7/iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch @@ -0,0 +1,34 @@ +From 621c6257128149e45b36ffb973a01c3f3461b893 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Sun, 4 Feb 2024 04:56:17 -0800 +Subject: iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP + +From: Srinivas Pandruvada + +commit 621c6257128149e45b36ffb973a01c3f3461b893 upstream. + +When als_capture_sample() is called with usage ID +HID_USAGE_SENSOR_TIME_TIMESTAMP, return 0. The HID sensor core ignores +the return value for capture_sample() callback, so return value doesn't +make difference. But correct the return value to return success instead +of -EINVAL. + +Signed-off-by: Srinivas Pandruvada +Link: https://lore.kernel.org/r/20240204125617.2635574-1-srinivas.pandruvada@linux.intel.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-als.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/light/hid-sensor-als.c ++++ b/drivers/iio/light/hid-sensor-als.c +@@ -226,6 +226,7 @@ static int als_capture_sample(struct hid + case HID_USAGE_SENSOR_TIME_TIMESTAMP: + als_state->timestamp = hid_sensor_convert_timestamp(&als_state->common_attributes, + *(s64 *)raw_data); ++ ret = 0; + break; + default: + break; diff --git a/queue-6.7/mm-thp_get_unmapped_area-must-honour-topdown-preference.patch b/queue-6.7/mm-thp_get_unmapped_area-must-honour-topdown-preference.patch new file mode 100644 index 00000000000..c37ff385672 --- /dev/null +++ b/queue-6.7/mm-thp_get_unmapped_area-must-honour-topdown-preference.patch @@ -0,0 +1,106 @@ +From 96204e15310c218fd9355bdcacd02fed1d18070e Mon Sep 17 00:00:00 2001 +From: Ryan Roberts +Date: Tue, 23 Jan 2024 17:14:20 +0000 +Subject: mm: thp_get_unmapped_area must honour topdown preference + +From: Ryan Roberts + +commit 96204e15310c218fd9355bdcacd02fed1d18070e upstream. + +The addition of commit efa7df3e3bb5 ("mm: align larger anonymous mappings +on THP boundaries") caused the "virtual_address_range" mm selftest to +start failing on arm64. Let's fix that regression. + +There were 2 visible problems when running the test; 1) it takes much +longer to execute, and 2) the test fails. Both are related: + +The (first part of the) test allocates as many 1GB anonymous blocks as it +can in the low 256TB of address space, passing NULL as the addr hint to +mmap. Before the faulty patch, all allocations were abutted and contained +in a single, merged VMA. However, after this patch, each allocation is in +its own VMA, and there is a 2M gap between each VMA. This causes the 2 +problems in the test: 1) mmap becomes MUCH slower because there are so +many VMAs to check to find a new 1G gap. 2) mmap fails once it hits the +VMA limit (/proc/sys/vm/max_map_count). Hitting this limit then causes a +subsequent calloc() to fail, which causes the test to fail. + +The problem is that arm64 (unlike x86) selects +ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT. But __thp_get_unmapped_area() +allocates len+2M then always aligns to the bottom of the discovered gap. +That causes the 2M hole. + +Fix this by detecting cases where we can still achive the alignment goal +when moved to the top of the allocated area, if configured to prefer +top-down allocation. + +While we are at it, fix thp_get_unmapped_area's use of pgoff, which should +always be zero for anonymous mappings. Prior to the faulty change, while +it was possible for user space to pass in pgoff!=0, the old +mm->get_unmapped_area() handler would not use it. thp_get_unmapped_area() +does use it, so let's explicitly zero it before calling the handler. This +should also be the correct behavior for arches that define their own +get_unmapped_area() handler. + +Link: https://lkml.kernel.org/r/20240123171420.3970220-1-ryan.roberts@arm.com +Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") +Closes: https://lore.kernel.org/linux-mm/1e8f5ac7-54ce-433a-ae53-81522b2320e1@arm.com/ +Signed-off-by: Ryan Roberts +Reviewed-by: Yang Shi +Cc: Matthew Wilcox (Oracle) +Cc: Rik van Riel +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 10 ++++++++-- + mm/mmap.c | 6 ++++-- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -633,7 +633,7 @@ static unsigned long __thp_get_unmapped_ + { + loff_t off_end = off + len; + loff_t off_align = round_up(off, size); +- unsigned long len_pad, ret; ++ unsigned long len_pad, ret, off_sub; + + if (IS_ENABLED(CONFIG_32BIT) || in_compat_syscall()) + return 0; +@@ -662,7 +662,13 @@ static unsigned long __thp_get_unmapped_ + if (ret == addr) + return addr; + +- ret += (off - ret) & (size - 1); ++ off_sub = (off - ret) & (size - 1); ++ ++ if (current->mm->get_unmapped_area == arch_get_unmapped_area_topdown && ++ !off_sub) ++ return ret + size; ++ ++ ret += off_sub; + return ret; + } + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1825,15 +1825,17 @@ get_unmapped_area(struct file *file, uns + /* + * mmap_region() will call shmem_zero_setup() to create a file, + * so use shmem's get_unmapped_area in case it can be huge. +- * do_mmap() will clear pgoff, so match alignment. + */ +- pgoff = 0; + get_area = shmem_get_unmapped_area; + } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) { + /* Ensures that larger anonymous mappings are THP aligned. */ + get_area = thp_get_unmapped_area; + } + ++ /* Always treat pgoff as zero for anonymous memory. */ ++ if (!file) ++ pgoff = 0; ++ + addr = get_area(file, addr, len, pgoff, flags); + if (IS_ERR_VALUE(addr)) + return addr; diff --git a/queue-6.7/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch b/queue-6.7/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch new file mode 100644 index 00000000000..ed905a3ec0a --- /dev/null +++ b/queue-6.7/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch @@ -0,0 +1,46 @@ +From 9319b647902cbd5cc884ac08a8a6d54ce111fc78 Mon Sep 17 00:00:00 2001 +From: Zach O'Keefe +Date: Thu, 18 Jan 2024 10:19:53 -0800 +Subject: mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again + +From: Zach O'Keefe + +commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78 upstream. + +(struct dirty_throttle_control *)->thresh is an unsigned long, but is +passed as the u32 divisor argument to div_u64(). On architectures where +unsigned long is 64 bytes, the argument will be implicitly truncated. + +Use div64_u64() instead of div_u64() so that the value used in the "is +this a safe division" check is the same as the divisor. + +Also, remove redundant cast of the numerator to u64, as that should happen +implicitly. + +This would be difficult to exploit in memcg domain, given the ratio-based +arithmetic domain_drity_limits() uses, but is much easier in global +writeback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. +vm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32) + +Link: https://lkml.kernel.org/r/20240118181954.1415197-1-zokeefe@google.com +Fixes: f6789593d5ce ("mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()") +Signed-off-by: Zach O'Keefe +Cc: Maxim Patlasov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -1638,7 +1638,7 @@ static inline void wb_dirty_limits(struc + */ + dtc->wb_thresh = __wb_calc_thresh(dtc); + dtc->wb_bg_thresh = dtc->thresh ? +- div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; ++ div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + + /* + * In order to avoid the stacked BDI deadlock we need diff --git a/queue-6.7/nouveau-offload-fence-uevents-work-to-workqueue.patch b/queue-6.7/nouveau-offload-fence-uevents-work-to-workqueue.patch new file mode 100644 index 00000000000..33e5cb80423 --- /dev/null +++ b/queue-6.7/nouveau-offload-fence-uevents-work-to-workqueue.patch @@ -0,0 +1,91 @@ +From 39126abc5e20611579602f03b66627d7cd1422f0 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Mon, 29 Jan 2024 11:26:45 +1000 +Subject: nouveau: offload fence uevents work to workqueue + +From: Dave Airlie + +commit 39126abc5e20611579602f03b66627d7cd1422f0 upstream. + +This should break the deadlock between the fctx lock and the irq lock. + +This offloads the processing off the work from the irq into a workqueue. + +Cc: linux-stable@vger.kernel.org +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/576237/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 24 ++++++++++++++++++------ + drivers/gpu/drm/nouveau/nouveau_fence.h | 1 + + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -103,6 +103,7 @@ nouveau_fence_context_kill(struct nouvea + void + nouveau_fence_context_del(struct nouveau_fence_chan *fctx) + { ++ cancel_work_sync(&fctx->uevent_work); + nouveau_fence_context_kill(fctx, 0); + nvif_event_dtor(&fctx->event); + fctx->dead = 1; +@@ -145,12 +146,13 @@ nouveau_fence_update(struct nouveau_chan + return drop; + } + +-static int +-nouveau_fence_wait_uevent_handler(struct nvif_event *event, void *repv, u32 repc) ++static void ++nouveau_fence_uevent_work(struct work_struct *work) + { +- struct nouveau_fence_chan *fctx = container_of(event, typeof(*fctx), event); ++ struct nouveau_fence_chan *fctx = container_of(work, struct nouveau_fence_chan, ++ uevent_work); + unsigned long flags; +- int ret = NVIF_EVENT_KEEP; ++ int drop = 0; + + spin_lock_irqsave(&fctx->lock, flags); + if (!list_empty(&fctx->pending)) { +@@ -160,11 +162,20 @@ nouveau_fence_wait_uevent_handler(struct + fence = list_entry(fctx->pending.next, typeof(*fence), head); + chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); + if (nouveau_fence_update(chan, fctx)) +- ret = NVIF_EVENT_DROP; ++ drop = 1; + } ++ if (drop) ++ nvif_event_block(&fctx->event); ++ + spin_unlock_irqrestore(&fctx->lock, flags); ++} + +- return ret; ++static int ++nouveau_fence_wait_uevent_handler(struct nvif_event *event, void *repv, u32 repc) ++{ ++ struct nouveau_fence_chan *fctx = container_of(event, typeof(*fctx), event); ++ schedule_work(&fctx->uevent_work); ++ return NVIF_EVENT_KEEP; + } + + void +@@ -178,6 +189,7 @@ nouveau_fence_context_new(struct nouveau + } args; + int ret; + ++ INIT_WORK(&fctx->uevent_work, nouveau_fence_uevent_work); + INIT_LIST_HEAD(&fctx->flip); + INIT_LIST_HEAD(&fctx->pending); + spin_lock_init(&fctx->lock); +--- a/drivers/gpu/drm/nouveau/nouveau_fence.h ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.h +@@ -44,6 +44,7 @@ struct nouveau_fence_chan { + u32 context; + char name[32]; + ++ struct work_struct uevent_work; + struct nvif_event event; + int notify_ref, dead, killed; + }; diff --git a/queue-6.7/parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch b/queue-6.7/parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch new file mode 100644 index 00000000000..4e7d13d3385 --- /dev/null +++ b/queue-6.7/parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch @@ -0,0 +1,32 @@ +From c8708d758e715c3824a73bf0cda97292b52be44d Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 19 Jan 2024 21:16:39 +0100 +Subject: parisc: Prevent hung tasks when printing inventory on serial console + +From: Helge Deller + +commit c8708d758e715c3824a73bf0cda97292b52be44d upstream. + +Printing the inventory on a serial console can be quite slow and thus may +trigger the hung task detector (CONFIG_DETECT_HUNG_TASK=y) and possibly +reboot the machine. Adding a cond_resched() prevents this. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/drivers.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/parisc/kernel/drivers.c ++++ b/arch/parisc/kernel/drivers.c +@@ -1004,6 +1004,9 @@ static __init int qemu_print_iodc_data(s + + pr_info("\n"); + ++ /* Prevent hung task messages when printing on serial console */ ++ cond_resched(); ++ + pr_info("#define HPA_%08lx_DESCRIPTION \"%s\"\n", + hpa, parisc_hardware_description(&dev->id)); + diff --git a/queue-6.7/readahead-avoid-multiple-marked-readahead-pages.patch b/queue-6.7/readahead-avoid-multiple-marked-readahead-pages.patch new file mode 100644 index 00000000000..f0f5a2f96d8 --- /dev/null +++ b/queue-6.7/readahead-avoid-multiple-marked-readahead-pages.patch @@ -0,0 +1,92 @@ +From ab4443fe3ca6298663a55c4a70efc6c3ce913ca6 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 Jan 2024 09:58:39 +0100 +Subject: readahead: avoid multiple marked readahead pages + +From: Jan Kara + +commit ab4443fe3ca6298663a55c4a70efc6c3ce913ca6 upstream. + +ra_alloc_folio() marks a page that should trigger next round of async +readahead. However it rounds up computed index to the order of page being +allocated. This can however lead to multiple consecutive pages being +marked with readahead flag. Consider situation with index == 1, mark == +1, order == 0. We insert order 0 page at index 1 and mark it. Then we +bump order to 1, index to 2, mark (still == 1) is rounded up to 2 so page +at index 2 is marked as well. Then we bump order to 2, index is +incremented to 4, mark gets rounded to 4 so page at index 4 is marked as +well. The fact that multiple pages get marked within a single readahead +window confuses the readahead logic and results in readahead window being +trimmed back to 1. This situation is triggered in particular when maximum +readahead window size is not a power of two (in the observed case it was +768 KB) and as a result sequential read throughput suffers. + +Fix the problem by rounding 'mark' down instead of up. Because the index +is naturally aligned to 'order', we are guaranteed 'rounded mark' == index +iff 'mark' is within the page we are allocating at 'index' and thus +exactly one page is marked with readahead flag as required by the +readahead code and sequential read performance is restored. + +This effectively reverts part of commit b9ff43dd2743 ("mm/readahead: Fix +readahead with large folios"). The commit changed the rounding with the +rationale: + +"... we were setting the readahead flag on the folio which contains the +last byte read from the block. This is wrong because we will trigger +readahead at the end of the read without waiting to see if a subsequent +read is going to use the pages we just read." + +Although this is true, the fact is this was always the case with read +sizes not aligned to folio boundaries and large folios in the page cache +just make the situation more obvious (and frequent). Also for sequential +read workloads it is better to trigger the readahead earlier rather than +later. It is true that the difference in the rounding and thus earlier +triggering of the readahead can result in reading more for semi-random +workloads. However workloads really suffering from this seem to be rare. +In particular I have verified that the workload described in commit +b9ff43dd2743 ("mm/readahead: Fix readahead with large folios") of reading +random 100k blocks from a file like: + +[reader] +bs=100k +rw=randread +numjobs=1 +size=64g +runtime=60s + +is not impacted by the rounding change and achieves ~70MB/s in both cases. + +[jack@suse.cz: fix one more place where mark rounding was done as well] + Link: https://lkml.kernel.org/r/20240123153254.5206-1-jack@suse.cz +Link: https://lkml.kernel.org/r/20240104085839.21029-1-jack@suse.cz +Fixes: b9ff43dd2743 ("mm/readahead: Fix readahead with large folios") +Signed-off-by: Jan Kara +Cc: Matthew Wilcox +Cc: Guo Xuenan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/readahead.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -469,7 +469,7 @@ static inline int ra_alloc_folio(struct + + if (!folio) + return -ENOMEM; +- mark = round_up(mark, 1UL << order); ++ mark = round_down(mark, 1UL << order); + if (index == mark) + folio_set_readahead(folio); + err = filemap_add_folio(ractl->mapping, folio, index, gfp); +@@ -577,7 +577,7 @@ static void ondemand_readahead(struct re + * It's the expected callback index, assume sequential access. + * Ramp up sizes, and push forward the readahead window. + */ +- expected = round_up(ra->start + ra->size - ra->async_size, ++ expected = round_down(ra->start + ra->size - ra->async_size, + 1UL << order); + if (index == expected || index == (ra->start + ra->size)) { + ra->start += ra->size; diff --git a/queue-6.7/scs-add-config_mmu-dependency-for-vfree_atomic.patch b/queue-6.7/scs-add-config_mmu-dependency-for-vfree_atomic.patch new file mode 100644 index 00000000000..c73d1510f93 --- /dev/null +++ b/queue-6.7/scs-add-config_mmu-dependency-for-vfree_atomic.patch @@ -0,0 +1,37 @@ +From 6f9dc684cae638dda0570154509884ee78d0f75c Mon Sep 17 00:00:00 2001 +From: Samuel Holland +Date: Mon, 22 Jan 2024 09:52:01 -0800 +Subject: scs: add CONFIG_MMU dependency for vfree_atomic() + +From: Samuel Holland + +commit 6f9dc684cae638dda0570154509884ee78d0f75c upstream. + +The shadow call stack implementation fails to build without CONFIG_MMU: + + ld.lld: error: undefined symbol: vfree_atomic + >>> referenced by scs.c + >>> kernel/scs.o:(scs_free) in archive vmlinux.a + +Link: https://lkml.kernel.org/r/20240122175204.2371009-1-samuel.holland@sifive.com +Fixes: a2abe7cbd8fe ("scs: switch to vmapped shadow stacks") +Signed-off-by: Samuel Holland +Reviewed-by: Sami Tolvanen +Cc: Will Deacon +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -681,6 +681,7 @@ config SHADOW_CALL_STACK + bool "Shadow Call Stack" + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK + depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER ++ depends on MMU + help + This option enables the compiler's Shadow Call Stack, which + uses a shadow stack to protect function return addresses from diff --git a/queue-6.7/scsi-storvsc-fix-ring-buffer-size-calculation.patch b/queue-6.7/scsi-storvsc-fix-ring-buffer-size-calculation.patch new file mode 100644 index 00000000000..4f7d0c92f94 --- /dev/null +++ b/queue-6.7/scsi-storvsc-fix-ring-buffer-size-calculation.patch @@ -0,0 +1,83 @@ +From f4469f3858352ad1197434557150b1f7086762a0 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 22 Jan 2024 09:09:56 -0800 +Subject: scsi: storvsc: Fix ring buffer size calculation + +From: Michael Kelley + +commit f4469f3858352ad1197434557150b1f7086762a0 upstream. + +Current code uses the specified ring buffer size (either the default of 128 +Kbytes or a module parameter specified value) to encompass the one page +ring buffer header plus the actual ring itself. When the page size is 4K, +carving off one page for the header isn't significant. But when the page +size is 64K on ARM64, only half of the default 128 Kbytes is left for the +actual ring. While this doesn't break anything, the smaller ring size +could be a performance bottleneck. + +Fix this by applying the VMBUS_RING_SIZE macro to the specified ring buffer +size. This macro adds a page for the header, and rounds up the size to a +page boundary, using the page size for which the kernel is built. Use this +new size for subsequent ring buffer calculations. For example, on ARM64 +with 64K page size and the default ring size, this results in the actual +ring being 128 Kbytes, which is intended. + +Cc: stable@vger.kernel.org # 5.15.x +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/20240122170956.496436-1-mhklinux@outlook.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -330,6 +330,7 @@ enum storvsc_request_type { + */ + + static int storvsc_ringbuffer_size = (128 * 1024); ++static int aligned_ringbuffer_size; + static u32 max_outstanding_req_per_channel; + static int storvsc_change_queue_depth(struct scsi_device *sdev, int queue_depth); + +@@ -687,8 +688,8 @@ static void handle_sc_creation(struct vm + new_sc->next_request_id_callback = storvsc_next_request_id; + + ret = vmbus_open(new_sc, +- storvsc_ringbuffer_size, +- storvsc_ringbuffer_size, ++ aligned_ringbuffer_size, ++ aligned_ringbuffer_size, + (void *)&props, + sizeof(struct vmstorage_channel_properties), + storvsc_on_channel_callback, new_sc); +@@ -1973,7 +1974,7 @@ static int storvsc_probe(struct hv_devic + dma_set_min_align_mask(&device->device, HV_HYP_PAGE_SIZE - 1); + + stor_device->port_number = host->host_no; +- ret = storvsc_connect_to_vsp(device, storvsc_ringbuffer_size, is_fc); ++ ret = storvsc_connect_to_vsp(device, aligned_ringbuffer_size, is_fc); + if (ret) + goto err_out1; + +@@ -2164,7 +2165,7 @@ static int storvsc_resume(struct hv_devi + { + int ret; + +- ret = storvsc_connect_to_vsp(hv_dev, storvsc_ringbuffer_size, ++ ret = storvsc_connect_to_vsp(hv_dev, aligned_ringbuffer_size, + hv_dev_is_fc(hv_dev)); + return ret; + } +@@ -2198,8 +2199,9 @@ static int __init storvsc_drv_init(void) + * the ring buffer indices) by the max request size (which is + * vmbus_channel_packet_multipage_buffer + struct vstor_packet + u64) + */ ++ aligned_ringbuffer_size = VMBUS_RING_SIZE(storvsc_ringbuffer_size); + max_outstanding_req_per_channel = +- ((storvsc_ringbuffer_size - PAGE_SIZE) / ++ ((aligned_ringbuffer_size - PAGE_SIZE) / + ALIGN(MAX_MULTIPAGE_BUFFER_PACKET + + sizeof(struct vstor_packet) + sizeof(u64), + sizeof(u64))); diff --git a/queue-6.7/selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch b/queue-6.7/selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch new file mode 100644 index 00000000000..376e4d5b41c --- /dev/null +++ b/queue-6.7/selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch @@ -0,0 +1,56 @@ +From 91b80cc5b39f00399e8e2d17527cad2c7fa535e2 Mon Sep 17 00:00:00 2001 +From: Nico Pache +Date: Fri, 19 Jan 2024 06:14:29 -0700 +Subject: selftests: mm: fix map_hugetlb failure on 64K page size systems + +From: Nico Pache + +commit 91b80cc5b39f00399e8e2d17527cad2c7fa535e2 upstream. + +On systems with 64k page size and 512M huge page sizes, the allocation and +test succeeds but errors out at the munmap. As the comment states, munmap +will failure if its not HUGEPAGE aligned. This is due to the length of +the mapping being 1/2 the size of the hugepage causing the munmap to not +be hugepage aligned. Fix this by making the mapping length the full +hugepage if the hugepage is larger than the length of the mapping. + +Link: https://lkml.kernel.org/r/20240119131429.172448-1-npache@redhat.com +Signed-off-by: Nico Pache +Cc: Donet Tom +Cc: Shuah Khan +Cc: Christophe Leroy +Cc: Michael Ellerman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/map_hugetlb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/tools/testing/selftests/mm/map_hugetlb.c ++++ b/tools/testing/selftests/mm/map_hugetlb.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include "vm_util.h" + + #define LENGTH (256UL*1024*1024) + #define PROTECTION (PROT_READ | PROT_WRITE) +@@ -58,10 +59,16 @@ int main(int argc, char **argv) + { + void *addr; + int ret; ++ size_t hugepage_size; + size_t length = LENGTH; + int flags = FLAGS; + int shift = 0; + ++ hugepage_size = default_huge_page_size(); ++ /* munmap with fail if the length is not page aligned */ ++ if (hugepage_size > length) ++ length = hugepage_size; ++ + if (argc > 1) + length = atol(argv[1]) << 20; + if (argc > 2) { diff --git a/queue-6.7/selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch b/queue-6.7/selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch new file mode 100644 index 00000000000..db169534c91 --- /dev/null +++ b/queue-6.7/selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch @@ -0,0 +1,42 @@ +From d021b442cf312664811783e92b3d5e4548e92a53 Mon Sep 17 00:00:00 2001 +From: Ryan Roberts +Date: Mon, 22 Jan 2024 12:05:54 +0000 +Subject: selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory + +From: Ryan Roberts + +commit d021b442cf312664811783e92b3d5e4548e92a53 upstream. + +ksm_tests was previously mmapping a region of memory, aligning the +returned pointer to a PMD boundary, then setting MADV_HUGEPAGE, but was +setting it past the end of the mmapped area due to not taking the pointer +alignment into consideration. Fix this behaviour. + +Up until commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP +boundaries"), this buggy behavior was (usually) masked because the +alignment difference was always less than PMD-size. But since the +mentioned commit, `ksm_tests -H -s 100` started failing. + +Link: https://lkml.kernel.org/r/20240122120554.3108022-1-ryan.roberts@arm.com +Fixes: 325254899684 ("selftests: vm: add KSM huge pages merging time test") +Signed-off-by: Ryan Roberts +Cc: Pedro Demarchi Gomes +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/ksm_tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/mm/ksm_tests.c ++++ b/tools/testing/selftests/mm/ksm_tests.c +@@ -566,7 +566,7 @@ static int ksm_merge_hugepages_time(int + if (map_ptr_orig == MAP_FAILED) + err(2, "initial mmap"); + +- if (madvise(map_ptr, len + HPAGE_SIZE, MADV_HUGEPAGE)) ++ if (madvise(map_ptr, len, MADV_HUGEPAGE)) + err(2, "MADV_HUGEPAGE"); + + pagemap_fd = open("/proc/self/pagemap", O_RDONLY); diff --git a/queue-6.7/selftests-mm-switch-to-bash-from-sh.patch b/queue-6.7/selftests-mm-switch-to-bash-from-sh.patch new file mode 100644 index 00000000000..2b8d44dc598 --- /dev/null +++ b/queue-6.7/selftests-mm-switch-to-bash-from-sh.patch @@ -0,0 +1,51 @@ +From bc29036e1da1cf66e5f8312649aeec2d51ea3d86 Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Tue, 16 Jan 2024 14:04:54 +0500 +Subject: selftests/mm: switch to bash from sh + +From: Muhammad Usama Anjum + +commit bc29036e1da1cf66e5f8312649aeec2d51ea3d86 upstream. + +Running charge_reserved_hugetlb.sh generates errors if sh is set to +dash: + +./charge_reserved_hugetlb.sh: 9: [[: not found +./charge_reserved_hugetlb.sh: 19: [[: not found +./charge_reserved_hugetlb.sh: 27: [[: not found +./charge_reserved_hugetlb.sh: 37: [[: not found +./charge_reserved_hugetlb.sh: 45: Syntax error: "(" unexpected + +Switch to using /bin/bash instead of /bin/sh. Make the switch for +write_hugetlb_memory.sh as well which is called from +charge_reserved_hugetlb.sh. + +Link: https://lkml.kernel.org/r/20240116090455.3407378-1-usama.anjum@collabora.com +Signed-off-by: Muhammad Usama Anjum +Cc: Muhammad Usama Anjum +Cc: Shuah Khan +Cc: David Laight +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 2 +- + tools/testing/selftests/mm/write_hugetlb_memory.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/mm/charge_reserved_hugetlb.sh ++++ b/tools/testing/selftests/mm/charge_reserved_hugetlb.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Kselftest framework requirement - SKIP code is 4. +--- a/tools/testing/selftests/mm/write_hugetlb_memory.sh ++++ b/tools/testing/selftests/mm/write_hugetlb_memory.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + set -e diff --git a/queue-6.7/selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch b/queue-6.7/selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch new file mode 100644 index 00000000000..2de60e2e638 --- /dev/null +++ b/queue-6.7/selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch @@ -0,0 +1,63 @@ +From 52e63d67b5bb423b33d7a262ac7f8bd375a90145 Mon Sep 17 00:00:00 2001 +From: Audra Mitchell +Date: Fri, 19 Jan 2024 15:58:01 -0500 +Subject: selftests/mm: Update va_high_addr_switch.sh to check CPU for la57 flag + +From: Audra Mitchell + +commit 52e63d67b5bb423b33d7a262ac7f8bd375a90145 upstream. + +In order for the page table level 5 to be in use, the CPU must have the +setting enabled in addition to the CONFIG option. Check for the flag to be +set to avoid false test failures on systems that do not have this cpu flag +set. + +The test does a series of mmap calls including three using the +MAP_FIXED flag and specifying an address that is 1<<47 or 1<<48. These +addresses are only available if you are using level 5 page tables, +which requires both the CPU to have the capabiltiy (la57 flag) and the +kernel to be configured. Currently the test only checks for the kernel +configuration option, so this test can still report a false positive. +Here are the three failing lines: + +$ ./va_high_addr_switch | grep FAILED +mmap(ADDR_SWITCH_HINT, 2 * PAGE_SIZE, MAP_FIXED): 0xffffffffffffffff - FAILED +mmap(HIGH_ADDR, MAP_FIXED): 0xffffffffffffffff - FAILED +mmap(ADDR_SWITCH_HINT, 2 * PAGE_SIZE, MAP_FIXED): 0xffffffffffffffff - FAILED + +I thought (for about a second) refactoring the test so that these three +mmap calls will only be run on systems with the level 5 page tables +available, but the whole point of the test is to check the level 5 +feature... + +Link: https://lkml.kernel.org/r/20240119205801.62769-1-audra@redhat.com +Fixes: 4f2930c6718a ("selftests/vm: only run 128TBswitch with 5-level paging") +Signed-off-by: Audra Mitchell +Cc: Rafael Aquini +Cc: Shuah Khan +Cc: Adam Sindelar +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/va_high_addr_switch.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/tools/testing/selftests/mm/va_high_addr_switch.sh ++++ b/tools/testing/selftests/mm/va_high_addr_switch.sh +@@ -29,9 +29,15 @@ check_supported_x86_64() + # See man 1 gzip under '-f'. + local pg_table_levels=$(gzip -dcfq "${config}" | grep PGTABLE_LEVELS | cut -d'=' -f 2) + ++ local cpu_supports_pl5=$(awk '/^flags/ {if (/la57/) {print 0;} ++ else {print 1}; exit}' /proc/cpuinfo 2>/dev/null) ++ + if [[ "${pg_table_levels}" -lt 5 ]]; then + echo "$0: PGTABLE_LEVELS=${pg_table_levels}, must be >= 5 to run this test" + exit $ksft_skip ++ elif [[ "${cpu_supports_pl5}" -ne 0 ]]; then ++ echo "$0: CPU does not have the necessary la57 flag to support page table level 5" ++ exit $ksft_skip + fi + } + diff --git a/queue-6.7/series b/queue-6.7/series index ea462ef75c7..c431472e6e8 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -60,3 +60,35 @@ ptrace-introduce-exception_ip-arch-hook.patch mm-memory-use-exception-ip-to-search-exception-table.patch i40e-do-not-allow-untrusted-vf-to-remove-administrat.patch i40e-fix-waiting-for-queues-of-all-vsis-to-be-disabl.patch +mm-thp_get_unmapped_area-must-honour-topdown-preference.patch +userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch +selftests-mm-ksm_tests-should-only-madv_hugepage-valid-memory.patch +scs-add-config_mmu-dependency-for-vfree_atomic.patch +tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch +fs-hugetlbfs-inode.c-mm-memory-failure.c-fix-hugetlbfs-hwpoison-handling.patch +selftests-mm-switch-to-bash-from-sh.patch +readahead-avoid-multiple-marked-readahead-pages.patch +mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch +selftests-mm-update-va_high_addr_switch.sh-to-check-cpu-for-la57-flag.patch +selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch +scsi-storvsc-fix-ring-buffer-size-calculation.patch +nouveau-offload-fence-uevents-work-to-workqueue.patch +dm-crypt-dm-verity-disable-tasklets.patch +asoc-amd-yc-add-dmi-quirk-for-msi-bravo-15-c7vf.patch +parisc-prevent-hung-tasks-when-printing-inventory-on-serial-console.patch +alsa-hda-realtek-fix-the-external-mic-not-being-recognised-for-acer-swift-1-sf114-32.patch +alsa-hda-realtek-enable-mute-led-on-hp-laptop-14-fq0xxx.patch +hid-bpf-remove-double-fdget.patch +hid-bpf-actually-free-hdev-memory-after-attaching-a-hid-bpf-program.patch +hid-i2c-hid-of-fix-null-deref-on-failed-power-up.patch +hid-wacom-generic-avoid-reporting-a-serial-of-0-to-userspace.patch +hid-wacom-do-not-register-input-devices-until-after-hid_hw_start.patch +iio-hid-sensor-als-return-0-for-hid_usage_sensor_time_timestamp.patch +usb-ucsi-add-missing-ppm_lock.patch +usb-ulpi-fix-debugfs-directory-leak.patch +usb-ucsi_acpi-fix-command-completion-handling.patch +usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch +usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch +usb-chipidea-core-handle-power-lost-in-workqueue.patch +usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch +usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch diff --git a/queue-6.7/tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch b/queue-6.7/tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch new file mode 100644 index 00000000000..198ac51b53e --- /dev/null +++ b/queue-6.7/tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch @@ -0,0 +1,40 @@ +From 0958b33ef5a04ed91f61cef4760ac412080c4e08 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Fri, 26 Jan 2024 09:42:58 +0900 +Subject: tracing/trigger: Fix to return error if failed to alloc snapshot + +From: Masami Hiramatsu (Google) + +commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. + +Fix register_snapshot_trigger() to return error code if it failed to +allocate a snapshot instead of 0 (success). Unless that, it will register +snapshot trigger without an error. + +Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.2789298642759362200.stgit@devnote2 + +Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation") +Cc: stable@vger.kernel.org +Cc: Vincent Donnefort +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_trigger.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -1470,8 +1470,10 @@ register_snapshot_trigger(char *glob, + struct event_trigger_data *data, + struct trace_event_file *file) + { +- if (tracing_alloc_snapshot_instance(file->tr) != 0) +- return 0; ++ int ret = tracing_alloc_snapshot_instance(file->tr); ++ ++ if (ret < 0) ++ return ret; + + return register_trigger(glob, data, file); + } diff --git a/queue-6.7/usb-chipidea-core-handle-power-lost-in-workqueue.patch b/queue-6.7/usb-chipidea-core-handle-power-lost-in-workqueue.patch new file mode 100644 index 00000000000..abe9e6b8047 --- /dev/null +++ b/queue-6.7/usb-chipidea-core-handle-power-lost-in-workqueue.patch @@ -0,0 +1,125 @@ +From cc509b6a47e7c8998d9e41c273191299d5d9d631 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 19 Jan 2024 20:35:37 +0800 +Subject: usb: chipidea: core: handle power lost in workqueue + +From: Xu Yang + +commit cc509b6a47e7c8998d9e41c273191299d5d9d631 upstream. + +When power is recycled in usb controller during system power management, +the controller will recognize it and switch role if role has been changed +during power lost. In current design, it will be completed in resume() +function. However, this may bring issues since usb class devices have +their pm operations too and these device's resume() functions are still +not being called at this point. When usb controller recognized host role +should be stopped, these usb class devices will be removed at this point. +But these usb class devices can't be removed in some cases, such as scsi +devices. Since scsi driver may sync data to U-disk, however it will block +there because scsi drvier can only handle pm request when is in suspended +state. Therefore, there may exist a dependency between ci_resume() and usb +class device's resume(). To break this potential dependency, we need to +handle power lost work in a workqueue. + +Fixes: 74494b33211d ("usb: chipidea: core: add controller resume support when controller is powered off") +cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20240119123537.3614838-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci.h | 2 ++ + drivers/usb/chipidea/core.c | 44 ++++++++++++++++++++++++-------------------- + 2 files changed, 26 insertions(+), 20 deletions(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -176,6 +176,7 @@ struct hw_bank { + * @enabled_otg_timer_bits: bits of enabled otg timers + * @next_otg_timer: next nearest enabled timer to be expired + * @work: work for role changing ++ * @power_lost_work: work for power lost handling + * @wq: workqueue thread + * @qh_pool: allocation pool for queue heads + * @td_pool: allocation pool for transfer descriptors +@@ -226,6 +227,7 @@ struct ci_hdrc { + enum otg_fsm_timer next_otg_timer; + struct usb_role_switch *role_switch; + struct work_struct work; ++ struct work_struct power_lost_work; + struct workqueue_struct *wq; + + struct dma_pool *qh_pool; +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -856,6 +856,27 @@ static int ci_extcon_register(struct ci_ + return 0; + } + ++static void ci_power_lost_work(struct work_struct *work) ++{ ++ struct ci_hdrc *ci = container_of(work, struct ci_hdrc, power_lost_work); ++ enum ci_role role; ++ ++ disable_irq_nosync(ci->irq); ++ pm_runtime_get_sync(ci->dev); ++ if (!ci_otg_is_fsm_mode(ci)) { ++ role = ci_get_role(ci); ++ ++ if (ci->role != role) { ++ ci_handle_id_switch(ci); ++ } else if (role == CI_ROLE_GADGET) { ++ if (ci->is_otg && hw_read_otgsc(ci, OTGSC_BSV)) ++ usb_gadget_vbus_connect(&ci->gadget); ++ } ++ } ++ pm_runtime_put_sync(ci->dev); ++ enable_irq(ci->irq); ++} ++ + static DEFINE_IDA(ci_ida); + + struct platform_device *ci_hdrc_add_device(struct device *dev, +@@ -1045,6 +1066,8 @@ static int ci_hdrc_probe(struct platform + + spin_lock_init(&ci->lock); + mutex_init(&ci->mutex); ++ INIT_WORK(&ci->power_lost_work, ci_power_lost_work); ++ + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +@@ -1396,25 +1419,6 @@ static int ci_suspend(struct device *dev + return 0; + } + +-static void ci_handle_power_lost(struct ci_hdrc *ci) +-{ +- enum ci_role role; +- +- disable_irq_nosync(ci->irq); +- if (!ci_otg_is_fsm_mode(ci)) { +- role = ci_get_role(ci); +- +- if (ci->role != role) { +- ci_handle_id_switch(ci); +- } else if (role == CI_ROLE_GADGET) { +- if (ci->is_otg && hw_read_otgsc(ci, OTGSC_BSV)) +- usb_gadget_vbus_connect(&ci->gadget); +- } +- } +- +- enable_irq(ci->irq); +-} +- + static int ci_resume(struct device *dev) + { + struct ci_hdrc *ci = dev_get_drvdata(dev); +@@ -1446,7 +1450,7 @@ static int ci_resume(struct device *dev) + ci_role(ci)->resume(ci, power_lost); + + if (power_lost) +- ci_handle_power_lost(ci); ++ queue_work(system_freezable_wq, &ci->power_lost_work); + + if (ci->supports_runtime_pm) { + pm_runtime_disable(dev); diff --git a/queue-6.7/usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch b/queue-6.7/usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch new file mode 100644 index 00000000000..86beac0f946 --- /dev/null +++ b/queue-6.7/usb-core-prevent-null-pointer-dereference-in-update_port_device_state.patch @@ -0,0 +1,52 @@ +From 12783c0b9e2c7915a50d5ec829630ff2da50472c Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Wed, 10 Jan 2024 15:28:14 +0530 +Subject: usb: core: Prevent null pointer dereference in update_port_device_state + +From: Udipto Goswami + +commit 12783c0b9e2c7915a50d5ec829630ff2da50472c upstream. + +Currently, the function update_port_device_state gets the usb_hub from +udev->parent by calling usb_hub_to_struct_hub. +However, in case the actconfig or the maxchild is 0, the usb_hub would +be NULL and upon further accessing to get port_dev would result in null +pointer dereference. + +Fix this by introducing an if check after the usb_hub is populated. + +Fixes: 83cb2604f641 ("usb: core: add sysfs entry for usb device state") +Cc: stable@vger.kernel.org +Signed-off-by: Udipto Goswami +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20240110095814.7626-1-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2047,9 +2047,19 @@ static void update_port_device_state(str + + if (udev->parent) { + hub = usb_hub_to_struct_hub(udev->parent); +- port_dev = hub->ports[udev->portnum - 1]; +- WRITE_ONCE(port_dev->state, udev->state); +- sysfs_notify_dirent(port_dev->state_kn); ++ ++ /* ++ * The Link Layer Validation System Driver (lvstest) ++ * has a test step to unbind the hub before running the ++ * rest of the procedure. This triggers hub_disconnect ++ * which will set the hub's maxchild to 0, further ++ * resulting in usb_hub_to_struct_hub returning NULL. ++ */ ++ if (hub) { ++ port_dev = hub->ports[udev->portnum - 1]; ++ WRITE_ONCE(port_dev->state, udev->state); ++ sysfs_notify_dirent(port_dev->state_kn); ++ } + } + } + diff --git a/queue-6.7/usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch b/queue-6.7/usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch new file mode 100644 index 00000000000..0f76a63bd5b --- /dev/null +++ b/queue-6.7/usb-dwc3-gadget-fix-null-pointer-dereference-in-dwc3_gadget_suspend.patch @@ -0,0 +1,58 @@ +From 61a348857e869432e6a920ad8ea9132e8d44c316 Mon Sep 17 00:00:00 2001 +From: Uttkarsh Aggarwal +Date: Fri, 19 Jan 2024 15:18:25 +0530 +Subject: usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend + +From: Uttkarsh Aggarwal + +commit 61a348857e869432e6a920ad8ea9132e8d44c316 upstream. + +In current scenario if Plug-out and Plug-In performed continuously +there could be a chance while checking for dwc->gadget_driver in +dwc3_gadget_suspend, a NULL pointer dereference may occur. + +Call Stack: + + CPU1: CPU2: + gadget_unbind_driver dwc3_suspend_common + dwc3_gadget_stop dwc3_gadget_suspend + dwc3_disconnect_gadget + +CPU1 basically clears the variable and CPU2 checks the variable. +Consider CPU1 is running and right before gadget_driver is cleared +and in parallel CPU2 executes dwc3_gadget_suspend where it finds +dwc->gadget_driver which is not NULL and resumes execution and then +CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where +it checks dwc->gadget_driver is already NULL because of which the +NULL pointer deference occur. + +Cc: stable@vger.kernel.org +Fixes: 9772b47a4c29 ("usb: dwc3: gadget: Fix suspend/resume during device mode") +Acked-by: Thinh Nguyen +Signed-off-by: Uttkarsh Aggarwal +Link: https://lore.kernel.org/r/20240119094825.26530-1-quic_uaggarwa@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4703,15 +4703,13 @@ int dwc3_gadget_suspend(struct dwc3 *dwc + unsigned long flags; + int ret; + +- if (!dwc->gadget_driver) +- return 0; +- + ret = dwc3_gadget_soft_disconnect(dwc); + if (ret) + goto err; + + spin_lock_irqsave(&dwc->lock, flags); +- dwc3_disconnect_gadget(dwc); ++ if (dwc->gadget_driver) ++ dwc3_disconnect_gadget(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; diff --git a/queue-6.7/usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch b/queue-6.7/usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch new file mode 100644 index 00000000000..c67416d3326 --- /dev/null +++ b/queue-6.7/usb-f_mass_storage-forbid-async-queue-when-shutdown-happen.patch @@ -0,0 +1,71 @@ +From b2d2d7ea0dd09802cf5a0545bf54d8ad8987d20c Mon Sep 17 00:00:00 2001 +From: yuan linyu +Date: Tue, 23 Jan 2024 11:48:29 +0800 +Subject: usb: f_mass_storage: forbid async queue when shutdown happen + +From: yuan linyu + +commit b2d2d7ea0dd09802cf5a0545bf54d8ad8987d20c upstream. + +When write UDC to empty and unbind gadget driver from gadget device, it is +possible that there are many queue failures for mass storage function. + +The root cause is mass storage main thread alaways try to queue request to +receive a command from host if running flag is on, on platform like dwc3, +if pull down called, it will not queue request again and return +-ESHUTDOWN, but it not affect running flag of mass storage function. + +Check return code from mass storage function and clear running flag if it +is -ESHUTDOWN, also indicate start in/out transfer failure to break loops. + +Cc: stable +Signed-off-by: yuan linyu +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20240123034829.3848409-1-yuanlinyu@hihonor.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_mass_storage.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -545,21 +545,37 @@ static int start_transfer(struct fsg_dev + + static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh) + { ++ int rc; ++ + if (!fsg_is_set(common)) + return false; + bh->state = BUF_STATE_SENDING; +- if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) ++ rc = start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq); ++ if (rc) { + bh->state = BUF_STATE_EMPTY; ++ if (rc == -ESHUTDOWN) { ++ common->running = 0; ++ return false; ++ } ++ } + return true; + } + + static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh) + { ++ int rc; ++ + if (!fsg_is_set(common)) + return false; + bh->state = BUF_STATE_RECEIVING; +- if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) ++ rc = start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq); ++ if (rc) { + bh->state = BUF_STATE_FULL; ++ if (rc == -ESHUTDOWN) { ++ common->running = 0; ++ return false; ++ } ++ } + return true; + } + diff --git a/queue-6.7/usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch b/queue-6.7/usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch new file mode 100644 index 00000000000..328929419bf --- /dev/null +++ b/queue-6.7/usb-hub-check-for-alternate-port-before-enabling-a_alt_hnp_support.patch @@ -0,0 +1,79 @@ +From f17c34ffc792bbb520e4b61baa16b6cfc7d44b13 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 22 Jan 2024 16:35:32 +0100 +Subject: USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver Neukum + +commit f17c34ffc792bbb520e4b61baa16b6cfc7d44b13 upstream. + +The OTG 1.3 spec has the feature A_ALT_HNP_SUPPORT, which tells +a device that it is connected to the wrong port. Some devices +refuse to operate if you enable that feature, because it indicates +to them that they ought to request to be connected to another port. + +According to the spec this feature may be used based only the following +three conditions: + +6.5.3 a_alt_hnp_support +Setting this feature indicates to the B-device that it is connected to +an A-device port that is not capable of HNP, but that the A-device does +have an alternate port that is capable of HNP. +The A-device is required to set this feature under the following conditions: +• the A-device has multiple receptacles +• the A-device port that connects to the B-device does not support HNP +• the A-device has another port that does support HNP + +A check for the third and first condition is missing. Add it. + +Signed-off-by: Oliver Neukum +Cc: stable +Fixes: 7d2d641c44269 ("usb: otg: don't set a_alt_hnp_support feature for OTG 2.0 device") +Link: https://lore.kernel.org/r/20240122153545.12284-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2382,17 +2382,25 @@ static int usb_enumerate_device_otg(stru + } + } else if (desc->bLength == sizeof + (struct usb_otg_descriptor)) { +- /* Set a_alt_hnp_support for legacy otg device */ +- err = usb_control_msg(udev, +- usb_sndctrlpipe(udev, 0), +- USB_REQ_SET_FEATURE, 0, +- USB_DEVICE_A_ALT_HNP_SUPPORT, +- 0, NULL, 0, +- USB_CTRL_SET_TIMEOUT); +- if (err < 0) +- dev_err(&udev->dev, +- "set a_alt_hnp_support failed: %d\n", +- err); ++ /* ++ * We are operating on a legacy OTP device ++ * These should be told that they are operating ++ * on the wrong port if we have another port that does ++ * support HNP ++ */ ++ if (bus->otg_port != 0) { ++ /* Set a_alt_hnp_support for legacy otg device */ ++ err = usb_control_msg(udev, ++ usb_sndctrlpipe(udev, 0), ++ USB_REQ_SET_FEATURE, 0, ++ USB_DEVICE_A_ALT_HNP_SUPPORT, ++ 0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); ++ if (err < 0) ++ dev_err(&udev->dev, ++ "set a_alt_hnp_support failed: %d\n", ++ err); ++ } + } + } + #endif diff --git a/queue-6.7/usb-ucsi-add-missing-ppm_lock.patch b/queue-6.7/usb-ucsi-add-missing-ppm_lock.patch new file mode 100644 index 00000000000..437efc1764a --- /dev/null +++ b/queue-6.7/usb-ucsi-add-missing-ppm_lock.patch @@ -0,0 +1,42 @@ +From c9aed03a0a683fd1600ea92f2ad32232d4736272 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Sun, 21 Jan 2024 21:41:21 +0100 +Subject: usb: ucsi: Add missing ppm_lock + +From: Christian A. Ehrhardt + +commit c9aed03a0a683fd1600ea92f2ad32232d4736272 upstream. + +Calling ->sync_write must be done while holding the PPM lock as +the mailbox logic does not support concurrent commands. + +At least since the addition of partner task this means that +ucsi_acknowledge_connector_change should be called with the +PPM lock held as it calls ->sync_write. + +Thus protect the only call to ucsi_acknowledge_connector_change +with the PPM. All other calls to ->sync_write already happen +under the PPM lock. + +Fixes: b9aa02ca39a4 ("usb: typec: ucsi: Add polling mechanism for partner tasks like alt mode checking") +Cc: stable@vger.kernel.org +Signed-off-by: "Christian A. Ehrhardt" +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240121204123.275441-2-lk@c--e.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -935,7 +935,9 @@ static void ucsi_handle_connector_change + + clear_bit(EVENT_PENDING, &con->ucsi->flags); + ++ mutex_lock(&ucsi->ppm_lock); + ret = ucsi_acknowledge_connector_change(ucsi); ++ mutex_unlock(&ucsi->ppm_lock); + if (ret) + dev_err(ucsi->dev, "%s: ACK failed (%d)", __func__, ret); + diff --git a/queue-6.7/usb-ucsi_acpi-fix-command-completion-handling.patch b/queue-6.7/usb-ucsi_acpi-fix-command-completion-handling.patch new file mode 100644 index 00000000000..fd067a27fab --- /dev/null +++ b/queue-6.7/usb-ucsi_acpi-fix-command-completion-handling.patch @@ -0,0 +1,75 @@ +From 2840143e393a4ddc1caab4372969ea337371168c Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Sun, 21 Jan 2024 21:41:22 +0100 +Subject: usb: ucsi_acpi: Fix command completion handling + +From: Christian A. Ehrhardt + +commit 2840143e393a4ddc1caab4372969ea337371168c upstream. + +In case of a spurious or otherwise delayed notification it is +possible that CCI still reports the previous completion. The +UCSI spec is aware of this and provides two completion bits in +CCI, one for normal commands and one for acks. As acks and commands +alternate the notification handler can determine if the completion +bit is from the current command. + +The initial UCSI code correctly handled this but the distinction +between the two completion bits was lost with the introduction of +the new API. + +To fix this revive the ACK_PENDING bit for ucsi_acpi and only complete +commands if the completion bit matches. + +Fixes: f56de278e8ec ("usb: typec: ucsi: acpi: Move to the new API") +Cc: stable@vger.kernel.org +Signed-off-by: "Christian A. Ehrhardt" +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240121204123.275441-3-lk@c--e.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_acpi.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi_acpi.c ++++ b/drivers/usb/typec/ucsi/ucsi_acpi.c +@@ -73,9 +73,13 @@ static int ucsi_acpi_sync_write(struct u + const void *val, size_t val_len) + { + struct ucsi_acpi *ua = ucsi_get_drvdata(ucsi); ++ bool ack = UCSI_COMMAND(*(u64 *)val) == UCSI_ACK_CC_CI; + int ret; + +- set_bit(COMMAND_PENDING, &ua->flags); ++ if (ack) ++ set_bit(ACK_PENDING, &ua->flags); ++ else ++ set_bit(COMMAND_PENDING, &ua->flags); + + ret = ucsi_acpi_async_write(ucsi, offset, val, val_len); + if (ret) +@@ -85,7 +89,10 @@ static int ucsi_acpi_sync_write(struct u + ret = -ETIMEDOUT; + + out_clear_bit: +- clear_bit(COMMAND_PENDING, &ua->flags); ++ if (ack) ++ clear_bit(ACK_PENDING, &ua->flags); ++ else ++ clear_bit(COMMAND_PENDING, &ua->flags); + + return ret; + } +@@ -142,8 +149,10 @@ static void ucsi_acpi_notify(acpi_handle + if (UCSI_CCI_CONNECTOR(cci)) + ucsi_connector_change(ua->ucsi, UCSI_CCI_CONNECTOR(cci)); + +- if (test_bit(COMMAND_PENDING, &ua->flags) && +- cci & (UCSI_CCI_ACK_COMPLETE | UCSI_CCI_COMMAND_COMPLETE)) ++ if (cci & UCSI_CCI_ACK_COMPLETE && test_bit(ACK_PENDING, &ua->flags)) ++ complete(&ua->complete); ++ if (cci & UCSI_CCI_COMMAND_COMPLETE && ++ test_bit(COMMAND_PENDING, &ua->flags)) + complete(&ua->complete); + } + diff --git a/queue-6.7/usb-ulpi-fix-debugfs-directory-leak.patch b/queue-6.7/usb-ulpi-fix-debugfs-directory-leak.patch new file mode 100644 index 00000000000..dc9304b3a93 --- /dev/null +++ b/queue-6.7/usb-ulpi-fix-debugfs-directory-leak.patch @@ -0,0 +1,35 @@ +From 3caf2b2ad7334ef35f55b95f3e1b138c6f77b368 Mon Sep 17 00:00:00 2001 +From: Sean Anderson +Date: Fri, 26 Jan 2024 17:38:00 -0500 +Subject: usb: ulpi: Fix debugfs directory leak + +From: Sean Anderson + +commit 3caf2b2ad7334ef35f55b95f3e1b138c6f77b368 upstream. + +The ULPI per-device debugfs root is named after the ulpi device's +parent, but ulpi_unregister_interface tries to remove a debugfs +directory named after the ulpi device itself. This results in the +directory sticking around and preventing subsequent (deferred) probes +from succeeding. Change the directory name to match the ulpi device. + +Fixes: bd0a0a024f2a ("usb: ulpi: Add debugfs support") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20240126223800.2864613-1-sean.anderson@seco.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/common/ulpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/common/ulpi.c ++++ b/drivers/usb/common/ulpi.c +@@ -301,7 +301,7 @@ static int ulpi_register(struct device * + return ret; + } + +- root = debugfs_create_dir(dev_name(dev), ulpi_root); ++ root = debugfs_create_dir(dev_name(&ulpi->dev), ulpi_root); + debugfs_create_file("regs", 0444, root, ulpi, &ulpi_regs_fops); + + dev_dbg(&ulpi->dev, "registered ULPI PHY: vendor %04x, product %04x\n", diff --git a/queue-6.7/userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch b/queue-6.7/userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch new file mode 100644 index 00000000000..63661b5f0ba --- /dev/null +++ b/queue-6.7/userfaultfd-fix-mmap_changing-checking-in-mfill_atomic_hugetlb.patch @@ -0,0 +1,80 @@ +From 67695f18d55924b2013534ef3bdc363bc9e14605 Mon Sep 17 00:00:00 2001 +From: Lokesh Gidra +Date: Wed, 17 Jan 2024 14:37:29 -0800 +Subject: userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb + +From: Lokesh Gidra + +commit 67695f18d55924b2013534ef3bdc363bc9e14605 upstream. + +In mfill_atomic_hugetlb(), mmap_changing isn't being checked +again if we drop mmap_lock and reacquire it. When the lock is not held, +mmap_changing could have been incremented. This is also inconsistent +with the behavior in mfill_atomic(). + +Link: https://lkml.kernel.org/r/20240117223729.1444522-1-lokeshgidra@google.com +Fixes: df2cc96e77011 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") +Signed-off-by: Lokesh Gidra +Cc: Andrea Arcangeli +Cc: Mike Rapoport +Cc: Axel Rasmussen +Cc: Brian Geffon +Cc: David Hildenbrand +Cc: Jann Horn +Cc: Kalesh Singh +Cc: Matthew Wilcox (Oracle) +Cc: Nicolas Geoffray +Cc: Peter Xu +Cc: Suren Baghdasaryan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -357,6 +357,7 @@ static __always_inline ssize_t mfill_ato + unsigned long dst_start, + unsigned long src_start, + unsigned long len, ++ atomic_t *mmap_changing, + uffd_flags_t flags) + { + struct mm_struct *dst_mm = dst_vma->vm_mm; +@@ -472,6 +473,15 @@ retry: + goto out; + } + mmap_read_lock(dst_mm); ++ /* ++ * If memory mappings are changing because of non-cooperative ++ * operation (e.g. mremap) running in parallel, bail out and ++ * request the user to retry later ++ */ ++ if (mmap_changing && atomic_read(mmap_changing)) { ++ err = -EAGAIN; ++ break; ++ } + + dst_vma = NULL; + goto retry; +@@ -506,6 +516,7 @@ extern ssize_t mfill_atomic_hugetlb(stru + unsigned long dst_start, + unsigned long src_start, + unsigned long len, ++ atomic_t *mmap_changing, + uffd_flags_t flags); + #endif /* CONFIG_HUGETLB_PAGE */ + +@@ -622,8 +633,8 @@ retry: + * If this is a HUGETLB vma, pass off to appropriate routine + */ + if (is_vm_hugetlb_page(dst_vma)) +- return mfill_atomic_hugetlb(dst_vma, dst_start, +- src_start, len, flags); ++ return mfill_atomic_hugetlb(dst_vma, dst_start, src_start, ++ len, mmap_changing, flags); + + if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma)) + goto out_unlock; -- 2.47.3