From: Sasha Levin Date: Sun, 26 May 2024 17:04:01 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.9.3~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=024da16cbd0876c048a657a0e4d854971a987860;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpi-disable-wstringop-truncation.patch b/queue-6.1/acpi-disable-wstringop-truncation.patch new file mode 100644 index 00000000000..2e49ce59133 --- /dev/null +++ b/queue-6.1/acpi-disable-wstringop-truncation.patch @@ -0,0 +1,48 @@ +From e43b5f14f03f20d39efbfc8a92757f5a0c980a53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 16:00:55 +0200 +Subject: ACPI: disable -Wstringop-truncation + +From: Arnd Bergmann + +[ Upstream commit a3403d304708f60565582d60af4316289d0316a0 ] + +gcc -Wstringop-truncation warns about copying a string that results in a +missing nul termination: + +drivers/acpi/acpica/tbfind.c: In function 'acpi_tb_find_table': +drivers/acpi/acpica/tbfind.c:60:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation] + 60 | strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/acpi/acpica/tbfind.c:61:9: error: 'strncpy' specified bound 8 equals destination size [-Werror=stringop-truncation] + 61 | strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The code works as intended, and the warning could be addressed by using +a memcpy(), but turning the warning off for this file works equally well +and may be easier to merge. + +Fixes: 47c08729bf1c ("ACPICA: Fix for LoadTable operator, input strings") +Link: https://lore.kernel.org/lkml/CAJZ5v0hoUfv54KW7y4223Mn9E7D4xvR7whRFNLTBqCZMUxT50Q@mail.gmail.com/#t +Signed-off-by: Arnd Bergmann +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index f919811156b1f..b6cf9c9bd6396 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -5,6 +5,7 @@ + + ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT ++CFLAGS_tbfind.o += $(call cc-disable-warning, stringop-truncation) + + # use acpi.o to put all files here into acpi.o modparam namespace + obj-y += acpi.o +-- +2.43.0 + diff --git a/queue-6.1/acpi-fix-generic-initiator-affinity-_osc-bit.patch b/queue-6.1/acpi-fix-generic-initiator-affinity-_osc-bit.patch new file mode 100644 index 00000000000..8c0534903a0 --- /dev/null +++ b/queue-6.1/acpi-fix-generic-initiator-affinity-_osc-bit.patch @@ -0,0 +1,40 @@ +From 6f5255248b396c3c9fce6067e492d39099b0157b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:09 +0100 +Subject: ACPI: Fix Generic Initiator Affinity _OSC bit + +From: Armin Wolf + +[ Upstream commit d0d4f1474e36b195eaad477373127ae621334c01 ] + +The ACPI spec says bit 17 should be used to indicate support +for Generic Initiator Affinity Structure in SRAT, but we currently +set bit 13 ("Interrupt ResourceSource support"). + +Fix this by actually setting bit 17 when evaluating _OSC. + +Fixes: 01aabca2fd54 ("ACPI: Let ACPI know we support Generic Initiator Affinity Structures") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 3015235d65e31..e4e7b2cfe72af 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -582,8 +582,8 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_PCLPI_SUPPORT 0x00000080 + #define OSC_SB_OSLPI_SUPPORT 0x00000100 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 +-#define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 ++#define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00020000 + #define OSC_SB_NATIVE_USB4_SUPPORT 0x00040000 + #define OSC_SB_PRM_SUPPORT 0x00200000 + +-- +2.43.0 + diff --git a/queue-6.1/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch b/queue-6.1/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch new file mode 100644 index 00000000000..ea94000af40 --- /dev/null +++ b/queue-6.1/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch @@ -0,0 +1,35 @@ +From 474897cb8a143cee6a24d686632866ee67abc15b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 15:06:58 +0300 +Subject: ACPI: LPSS: Advertise number of chip selects via property + +From: Andy Shevchenko + +[ Upstream commit 07b73ee599428b41d0240f2f7b31b524eba07dd0 ] + +Advertise number of chip selects via property for Intel Braswell. + +Fixes: 620c803f42de ("ACPI: LPSS: Provide an SSP type to the driver") +Signed-off-by: Andy Shevchenko +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_lpss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c +index 8b44743945c8b..52af775ac1f16 100644 +--- a/drivers/acpi/acpi_lpss.c ++++ b/drivers/acpi/acpi_lpss.c +@@ -319,6 +319,7 @@ static const struct lpss_device_desc bsw_i2c_dev_desc = { + + static const struct property_entry bsw_spi_properties[] = { + PROPERTY_ENTRY_U32("intel,spi-pxa2xx-type", LPSS_BSW_SSP), ++ PROPERTY_ENTRY_U32("num-cs", 2), + { } + }; + +-- +2.43.0 + diff --git a/queue-6.1/af_packet-do-not-call-packet_read_pending-from-tpack.patch b/queue-6.1/af_packet-do-not-call-packet_read_pending-from-tpack.patch new file mode 100644 index 00000000000..3ecbd9f1723 --- /dev/null +++ b/queue-6.1/af_packet-do-not-call-packet_read_pending-from-tpack.patch @@ -0,0 +1,49 @@ +From 2758a27895b0255e7ea86796115d74487cad255d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 16:33:58 +0000 +Subject: af_packet: do not call packet_read_pending() from + tpacket_destruct_skb() + +From: Eric Dumazet + +[ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ] + +trafgen performance considerably sank on hosts with many cores +after the blamed commit. + +packet_read_pending() is very expensive, and calling it +in af_packet fast path defeats Daniel intent in commit +b013840810c2 ("packet: use percpu mmap tx frame pending refcount") + +tpacket_destruct_skb() makes room for one packet, we can immediately +wakeup a producer, no need to completely drain the tx ring. + +Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Cc: Daniel Borkmann +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20240515163358.4105915-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7188ca8d84693..8888c09931ce3 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2528,8 +2528,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb) + ts = __packet_set_timestamp(po, ph, skb); + __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts); + +- if (!packet_read_pending(&po->tx_ring)) +- complete(&po->skb_completion); ++ complete(&po->skb_completion); + } + + sock_wfree(skb); +-- +2.43.0 + diff --git a/queue-6.1/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch b/queue-6.1/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch new file mode 100644 index 00000000000..55a84b926bc --- /dev/null +++ b/queue-6.1/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch @@ -0,0 +1,76 @@ +From 5aa8a69c94751a7915fa91aa13007c97bcee4d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 01:14:46 -0700 +Subject: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg + +From: Breno Leitao + +[ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] + +A data-race condition has been identified in af_unix. In one data path, +the write function unix_release_sock() atomically writes to +sk->sk_shutdown using WRITE_ONCE. However, on the reader side, +unix_stream_sendmsg() does not read it atomically. Consequently, this +issue is causing the following KCSAN splat to occur: + + BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg + + write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: + unix_release_sock (net/unix/af_unix.c:640) + unix_release (net/unix/af_unix.c:1050) + sock_close (net/socket.c:659 net/socket.c:1421) + __fput (fs/file_table.c:422) + __fput_sync (fs/file_table.c:508) + __se_sys_close (fs/open.c:1559 fs/open.c:1541) + __x64_sys_close (fs/open.c:1541) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: + unix_stream_sendmsg (net/unix/af_unix.c:2273) + __sock_sendmsg (net/socket.c:730 net/socket.c:745) + ____sys_sendmsg (net/socket.c:2584) + __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) + __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + value changed: 0x01 -> 0x03 + +The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). + +Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") +addressed a comparable issue in the past regarding sk->sk_shutdown. +However, it overlooked resolving this particular data path. +This patch only offending unix_stream_sendmsg() function, since the +other reads seem to be protected by unix_state_lock() as discussed in +Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Breno Leitao +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index f28e2956fea58..97d22bdfdc73b 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2189,7 +2189,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, + goto out_err; + } + +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto pipe_err; + + while (sent < len) { +-- +2.43.0 + diff --git a/queue-6.1/alsa-hda-intel-dsp-config-harden-i2c-i2s-codec-detec.patch b/queue-6.1/alsa-hda-intel-dsp-config-harden-i2c-i2s-codec-detec.patch new file mode 100644 index 00000000000..72a89797162 --- /dev/null +++ b/queue-6.1/alsa-hda-intel-dsp-config-harden-i2c-i2s-codec-detec.patch @@ -0,0 +1,84 @@ +From 68b9a5ccc4789773ae9da4180f436e330f532193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 10:28:18 -0500 +Subject: ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 79ac4c1443eaec0d09355307043a9149287f23c1 ] + +The SOF driver is selected whenever specific I2C/I2S HIDs are reported +as 'present' in the ACPI DSDT. In some cases, an HID is reported but +the hardware does not actually rely on I2C/I2S. This false positive +leads to an invalid selection of the SOF driver and as a result an +invalid topology is loaded. + +This patch hardens the detection with a check that the NHLT table is +consistent with the report of an I2S-based codec in DSDT. This table +should expose at least one SSP endpoint configured for an I2S-codec +connection. + +Tested on Huawei Matebook D14 (NBLB-WAX9N) using an HDaudio codec with +an invalid ES8336 ACPI HID reported: + +[ 7.858249] snd_hda_intel 0000:00:1f.3: DSP detected with PCI class/subclass/prog-if info 0x040380 +[ 7.858312] snd_hda_intel 0000:00:1f.3: snd_intel_dsp_find_config: no valid SSP found for HID ESSX8336, skipped + +Reported-by: Mauro Carvalho Chehab +Tested-by: Mauro Carvalho Chehab +Closes: https://github.com/thesofproject/linux/issues/4934 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Message-ID: <20240426152818.38443-1-pierre-louis.bossart@linux.intel.com> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index bc03b5692983c..f1de386604a10 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -511,9 +511,32 @@ static const struct config_entry *snd_intel_dsp_find_config + if (table->codec_hid) { + int i; + +- for (i = 0; i < table->codec_hid->num_codecs; i++) +- if (acpi_dev_present(table->codec_hid->codecs[i], NULL, -1)) ++ for (i = 0; i < table->codec_hid->num_codecs; i++) { ++ struct nhlt_acpi_table *nhlt; ++ bool ssp_found = false; ++ ++ if (!acpi_dev_present(table->codec_hid->codecs[i], NULL, -1)) ++ continue; ++ ++ nhlt = intel_nhlt_init(&pci->dev); ++ if (!nhlt) { ++ dev_warn(&pci->dev, "%s: NHLT table not found, skipped HID %s\n", ++ __func__, table->codec_hid->codecs[i]); ++ continue; ++ } ++ ++ if (intel_nhlt_has_endpoint_type(nhlt, NHLT_LINK_SSP) && ++ intel_nhlt_ssp_endpoint_mask(nhlt, NHLT_DEVICE_I2S)) ++ ssp_found = true; ++ ++ intel_nhlt_free(nhlt); ++ ++ if (ssp_found) + break; ++ ++ dev_warn(&pci->dev, "%s: no valid SSP found for HID %s, skipped\n", ++ __func__, table->codec_hid->codecs[i]); ++ } + if (i == table->codec_hid->num_codecs) + continue; + } +-- +2.43.0 + diff --git a/queue-6.1/arm-configs-sunxi-enable-drm_dw_hdmi.patch b/queue-6.1/arm-configs-sunxi-enable-drm_dw_hdmi.patch new file mode 100644 index 00000000000..f57134ffd94 --- /dev/null +++ b/queue-6.1/arm-configs-sunxi-enable-drm_dw_hdmi.patch @@ -0,0 +1,41 @@ +From 921810b39d68acf13848bb343c4b99c307efbf51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 12:56:23 +0200 +Subject: ARM: configs: sunxi: Enable DRM_DW_HDMI + +From: Maxime Ripard + +[ Upstream commit deff401b14e2d832b25b55862ad6c73378fe034e ] + +Commit 4fc8cb47fcfd ("drm/display: Move HDMI helpers into display-helper +module") turned the DRM_DW_HDMI dependency of DRM_SUN8I_DW_HDMI into a +depends on which ended up disabling the driver in the defconfig. Make +sure it's still enabled. + +Fixes: 4fc8cb47fcfd ("drm/display: Move HDMI helpers into display-helper module") +Reported-by: Mark Brown +Reported-by: Alexander Stein +Signed-off-by: Maxime Ripard +Acked-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20240403-fix-dw-hdmi-kconfig-v1-5-afbc4a835c38@kernel.org +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + arch/arm/configs/sunxi_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/configs/sunxi_defconfig b/arch/arm/configs/sunxi_defconfig +index bddc82f789421..a83d29fed1756 100644 +--- a/arch/arm/configs/sunxi_defconfig ++++ b/arch/arm/configs/sunxi_defconfig +@@ -110,6 +110,7 @@ CONFIG_DRM_PANEL_LVDS=y + CONFIG_DRM_PANEL_SIMPLE=y + CONFIG_DRM_PANEL_EDP=y + CONFIG_DRM_SIMPLE_BRIDGE=y ++CONFIG_DRM_DW_HDMI=y + CONFIG_DRM_LIMA=y + CONFIG_FB_SIMPLE=y + CONFIG_BACKLIGHT_CLASS_DEVICE=y +-- +2.43.0 + diff --git a/queue-6.1/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch b/queue-6.1/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch new file mode 100644 index 00000000000..97dd4cf7ffb --- /dev/null +++ b/queue-6.1/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch @@ -0,0 +1,55 @@ +From b98ae7463f177d3ac76fa50e4aed34c7ed2a64ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 10:30:33 -0500 +Subject: ASoC: da7219-aad: fix usage of device_get_named_child_node() + +From: Pierre-Louis Bossart + +[ Upstream commit e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 ] + +The documentation for device_get_named_child_node() mentions this +important point: + +" +The caller is responsible for calling fwnode_handle_put() on the +returned fwnode pointer. +" + +Add fwnode_handle_put() to avoid a leaked reference. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20240426153033.38500-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/da7219-aad.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/da7219-aad.c b/sound/soc/codecs/da7219-aad.c +index c8410769188a0..d613f1074524a 100644 +--- a/sound/soc/codecs/da7219-aad.c ++++ b/sound/soc/codecs/da7219-aad.c +@@ -638,8 +638,10 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct device *dev) + return NULL; + + aad_pdata = devm_kzalloc(dev, sizeof(*aad_pdata), GFP_KERNEL); +- if (!aad_pdata) ++ if (!aad_pdata) { ++ fwnode_handle_put(aad_np); + return NULL; ++ } + + aad_pdata->irq = i2c->irq; + +@@ -714,6 +716,8 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct device *dev) + else + aad_pdata->adc_1bit_rpt = DA7219_AAD_ADC_1BIT_RPT_1; + ++ fwnode_handle_put(aad_np); ++ + return aad_pdata; + } + +-- +2.43.0 + diff --git a/queue-6.1/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch b/queue-6.1/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch new file mode 100644 index 00000000000..b3bf8990d03 --- /dev/null +++ b/queue-6.1/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch @@ -0,0 +1,48 @@ +From f639a005b0ca453ea52d4b54527d75da5a7a769d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 17:10:57 +0800 +Subject: ASoC: dt-bindings: rt5645: add cbj sleeve gpio property + +From: Derek Fang + +[ Upstream commit 306b38e3fa727d22454a148a364123709e356600 ] + +Add an optional gpio property to control external CBJ circuits +to avoid some electric noise caused by sleeve/ring2 contacts floating. + +Signed-off-by: Derek Fang + +Link: https://msgid.link/r/20240408091057.14165-2-derek.fang@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/sound/rt5645.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Documentation/devicetree/bindings/sound/rt5645.txt b/Documentation/devicetree/bindings/sound/rt5645.txt +index 41a62fd2ae1ff..c1fa379f5f3ea 100644 +--- a/Documentation/devicetree/bindings/sound/rt5645.txt ++++ b/Documentation/devicetree/bindings/sound/rt5645.txt +@@ -20,6 +20,11 @@ Optional properties: + a GPIO spec for the external headphone detect pin. If jd-mode = 0, + we will get the JD status by getting the value of hp-detect-gpios. + ++- cbj-sleeve-gpios: ++ a GPIO spec to control the external combo jack circuit to tie the sleeve/ring2 ++ contacts to the ground or floating. It could avoid some electric noise from the ++ active speaker jacks. ++ + - realtek,in2-differential + Boolean. Indicate MIC2 input are differential, rather than single-ended. + +@@ -68,6 +73,7 @@ codec: rt5650@1a { + compatible = "realtek,rt5650"; + reg = <0x1a>; + hp-detect-gpios = <&gpio 19 0>; ++ cbj-sleeve-gpios = <&gpio 20 0>; + interrupt-parent = <&gpio>; + interrupts = <7 IRQ_TYPE_EDGE_FALLING>; + realtek,dmic-en = "true"; +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-avs-fix-asrc-module-initialization.patch b/queue-6.1/asoc-intel-avs-fix-asrc-module-initialization.patch new file mode 100644 index 00000000000..14814a8a6bf --- /dev/null +++ b/queue-6.1/asoc-intel-avs-fix-asrc-module-initialization.patch @@ -0,0 +1,36 @@ +From 96cdfcc18946597a8fe095300482521aa440288e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:21 +0200 +Subject: ASoC: Intel: avs: Fix ASRC module initialization + +From: Cezary Rojewski + +[ Upstream commit 9d2e26f31c7cc3fa495c423af9b4902ec0dc7be3 ] + +The ASRC module configuration consists of several reserved fields. Zero +them out when initializing the module to avoid sending invalid data. + +Fixes: 274d79e51875 ("ASoC: Intel: avs: Configure modules according to their type") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-6-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/path.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/intel/avs/path.c b/sound/soc/intel/avs/path.c +index ce157a8d65520..989a7a4127cdd 100644 +--- a/sound/soc/intel/avs/path.c ++++ b/sound/soc/intel/avs/path.c +@@ -308,6 +308,7 @@ static int avs_asrc_create(struct avs_dev *adev, struct avs_path_module *mod) + struct avs_tplg_module *t = mod->template; + struct avs_asrc_cfg cfg; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.base.cpc = t->cfg_base->cpc; + cfg.base.ibs = t->cfg_base->ibs; + cfg.base.obs = t->cfg_base->obs; +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-avs-fix-potential-integer-overflow.patch b/queue-6.1/asoc-intel-avs-fix-potential-integer-overflow.patch new file mode 100644 index 00000000000..104c459e6f2 --- /dev/null +++ b/queue-6.1/asoc-intel-avs-fix-potential-integer-overflow.patch @@ -0,0 +1,41 @@ +From ab74804a12602fb1de2bfe7324ac6e0bd01c5516 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:23 +0200 +Subject: ASoC: Intel: avs: Fix potential integer overflow + +From: Cezary Rojewski + +[ Upstream commit c7e832cabe635df47c2bf6df7801e97bf3045b1e ] + +While stream_tag for CLDMA on SKL-based platforms is always 1, function +hda_cldma_setup() uses AZX_SD_CTL_STRM() macro which does: + stream_tag << 20 + +what combined with stream_tag type of 'unsigned int' generates a +potential overflow issue. Update the field type to fix that. + +Fixes: 45864e49a05a ("ASoC: Intel: avs: Implement CLDMA transfer") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-8-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/cldma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/cldma.c b/sound/soc/intel/avs/cldma.c +index d7a9390b5e483..585579840b646 100644 +--- a/sound/soc/intel/avs/cldma.c ++++ b/sound/soc/intel/avs/cldma.c +@@ -35,7 +35,7 @@ struct hda_cldma { + + unsigned int buffer_size; + unsigned int num_periods; +- unsigned int stream_tag; ++ unsigned char stream_tag; + void __iomem *sd_addr; + + struct snd_dma_buffer dmab_data; +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch b/queue-6.1/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch new file mode 100644 index 00000000000..1d1f9f164e8 --- /dev/null +++ b/queue-6.1/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch @@ -0,0 +1,36 @@ +From e7f5f88748492d00d3a2559840c3648c304a1164 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 10:05:00 +0100 +Subject: ASoC: Intel: avs: ssm4567: Do not ignore route checks + +From: Cezary Rojewski + +[ Upstream commit e6719d48ba6329536c459dcee5a571e535687094 ] + +A copy-paste from intel/boards/skl_nau88l25_ssm4567.c made the avs's +equivalent disable route checks as well. Such behavior is not desired. + +Fixes: 69ea14efe99b ("ASoC: Intel: avs: Add ssm4567 machine board") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240308090502.2136760-4-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/ssm4567.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/intel/avs/boards/ssm4567.c b/sound/soc/intel/avs/boards/ssm4567.c +index 51a8867326b47..c1c936b73475d 100644 +--- a/sound/soc/intel/avs/boards/ssm4567.c ++++ b/sound/soc/intel/avs/boards/ssm4567.c +@@ -217,7 +217,6 @@ static int avs_ssm4567_probe(struct platform_device *pdev) + card->dapm_routes = routes; + card->num_dapm_routes = num_routes; + card->fully_routed = true; +- card->disable_route_checks = true; + + ret = snd_soc_fixup_dai_links_platform_name(card, pname); + if (ret) +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-bytcr_rt5640-apply-asus-t100ta-quirk-to-a.patch b/queue-6.1/asoc-intel-bytcr_rt5640-apply-asus-t100ta-quirk-to-a.patch new file mode 100644 index 00000000000..f0022599323 --- /dev/null +++ b/queue-6.1/asoc-intel-bytcr_rt5640-apply-asus-t100ta-quirk-to-a.patch @@ -0,0 +1,71 @@ +From 86821abbd56f05622ecb2409b554e4c1e131dfb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 21:15:59 +0200 +Subject: ASoC: Intel: bytcr_rt5640: Apply Asus T100TA quirk to Asus T100TAM + too + +From: Hans de Goede + +[ Upstream commit e50729d742ec364895f1c389c32315984a987aa5 ] + +The Asus T100TA quirk has been using an exact match on a product-name of +"T100TA" but there are also T100TAM variants with a slightly higher +clocked CPU and a metal backside which need the same quirk. + +Sort the existing T100TA (stereo speakers) below the more specific +T100TAF (mono speaker) quirk and switch from exact matching to +substring matching so that the T100TA quirk will also match on +the T100TAM models. + +Signed-off-by: Hans de Goede +Link: https://msgid.link/r/20240407191559.21596-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 094445036c20f..d6ef8e850412b 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -636,28 +636,30 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_USE_AMCR0F28), + }, + { ++ /* Asus T100TAF, unlike other T100TA* models this one has a mono speaker */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"), + }, + .driver_data = (void *)(BYT_RT5640_IN1_MAP | + BYT_RT5640_JD_SRC_JD2_IN4N | + BYT_RT5640_OVCD_TH_2000UA | + BYT_RT5640_OVCD_SF_0P75 | ++ BYT_RT5640_MONO_SPEAKER | ++ BYT_RT5640_DIFF_MIC | ++ BYT_RT5640_SSP0_AIF2 | + BYT_RT5640_MCLK_EN), + }, + { ++ /* Asus T100TA and T100TAM, must come after T100TAF (mono spk) match */ + .matches = { +- DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "T100TA"), + }, + .driver_data = (void *)(BYT_RT5640_IN1_MAP | + BYT_RT5640_JD_SRC_JD2_IN4N | + BYT_RT5640_OVCD_TH_2000UA | + BYT_RT5640_OVCD_SF_0P75 | +- BYT_RT5640_MONO_SPEAKER | +- BYT_RT5640_DIFF_MIC | +- BYT_RT5640_SSP0_AIF2 | + BYT_RT5640_MCLK_EN), + }, + { +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-disable-route-checks-for-skylake-boards.patch b/queue-6.1/asoc-intel-disable-route-checks-for-skylake-boards.patch new file mode 100644 index 00000000000..8a288d3b1a0 --- /dev/null +++ b/queue-6.1/asoc-intel-disable-route-checks-for-skylake-boards.patch @@ -0,0 +1,209 @@ +From f30fcc430bb7f9c537ec7305805c350bf6f0cb06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 10:04:58 +0100 +Subject: ASoC: Intel: Disable route checks for Skylake boards + +From: Cezary Rojewski + +[ Upstream commit 0cb3b7fd530b8c107443218ce6db5cb6e7b5dbe1 ] + +Topology files that are propagated to the world and utilized by the +skylake-driver carry shortcomings in their SectionGraphs. + +Since commit daa480bde6b3 ("ASoC: soc-core: tidyup for +snd_soc_dapm_add_routes()") route checks are no longer permissive. Probe +failures for Intel boards have been partially addressed by commit +a22ae72b86a4 ("ASoC: soc-core: disable route checks for legacy devices") +and its follow up but only skl_nau88l25_ssm4567.c is patched. Fix the +problem for the rest of the boards. + +Link: https://lore.kernel.org/all/20200309192744.18380-1-pierre-louis.bossart@linux.intel.com/ +Fixes: daa480bde6b3 ("ASoC: soc-core: tidyup for snd_soc_dapm_add_routes()") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240308090502.2136760-2-cezary.rojewski@intel.com +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bxt_da7219_max98357a.c | 1 + + sound/soc/intel/boards/bxt_rt298.c | 1 + + sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 ++ + sound/soc/intel/boards/kbl_da7219_max98357a.c | 1 + + sound/soc/intel/boards/kbl_da7219_max98927.c | 4 ++++ + sound/soc/intel/boards/kbl_rt5660.c | 1 + + sound/soc/intel/boards/kbl_rt5663_max98927.c | 2 ++ + sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 1 + + sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 ++ + sound/soc/intel/boards/skl_nau88l25_max98357a.c | 1 + + sound/soc/intel/boards/skl_rt286.c | 1 + + 11 files changed, 17 insertions(+) + +diff --git a/sound/soc/intel/boards/bxt_da7219_max98357a.c b/sound/soc/intel/boards/bxt_da7219_max98357a.c +index 7c6c95e99ade2..420c8b2588c17 100644 +--- a/sound/soc/intel/boards/bxt_da7219_max98357a.c ++++ b/sound/soc/intel/boards/bxt_da7219_max98357a.c +@@ -762,6 +762,7 @@ static struct snd_soc_card broxton_audio_card = { + .dapm_routes = audio_map, + .num_dapm_routes = ARRAY_SIZE(audio_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = bxt_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index 4bd93c3ba3777..ea45baaaaaed9 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -574,6 +574,7 @@ static struct snd_soc_card broxton_rt298 = { + .dapm_routes = broxton_rt298_map, + .num_dapm_routes = ARRAY_SIZE(broxton_rt298_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = bxt_card_late_probe, + + }; +diff --git a/sound/soc/intel/boards/glk_rt5682_max98357a.c b/sound/soc/intel/boards/glk_rt5682_max98357a.c +index cf0f89db3e204..0f9bbb970b230 100644 +--- a/sound/soc/intel/boards/glk_rt5682_max98357a.c ++++ b/sound/soc/intel/boards/glk_rt5682_max98357a.c +@@ -649,6 +649,8 @@ static int geminilake_audio_probe(struct platform_device *pdev) + card = &glk_audio_card_rt5682_m98357a; + card->dev = &pdev->dev; + snd_soc_card_set_drvdata(card, ctx); ++ if (!snd_soc_acpi_sof_parent(&pdev->dev)) ++ card->disable_route_checks = true; + + /* override platform name, if required */ + mach = pdev->dev.platform_data; +diff --git a/sound/soc/intel/boards/kbl_da7219_max98357a.c b/sound/soc/intel/boards/kbl_da7219_max98357a.c +index 329457e3e3a22..c990baed8013b 100644 +--- a/sound/soc/intel/boards/kbl_da7219_max98357a.c ++++ b/sound/soc/intel/boards/kbl_da7219_max98357a.c +@@ -633,6 +633,7 @@ static struct snd_soc_card kabylake_audio_card_da7219_m98357a = { + .dapm_routes = kabylake_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_da7219_max98927.c b/sound/soc/intel/boards/kbl_da7219_max98927.c +index 362579f25835e..7ab80ba264cb5 100644 +--- a/sound/soc/intel/boards/kbl_da7219_max98927.c ++++ b/sound/soc/intel/boards/kbl_da7219_max98927.c +@@ -1030,6 +1030,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1048,6 +1049,7 @@ static struct snd_soc_card kbl_audio_card_max98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1065,6 +1067,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98373 = { + .codec_conf = max98373_codec_conf, + .num_configs = ARRAY_SIZE(max98373_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1082,6 +1085,7 @@ static struct snd_soc_card kbl_audio_card_max98373 = { + .codec_conf = max98373_codec_conf, + .num_configs = ARRAY_SIZE(max98373_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5660.c b/sound/soc/intel/boards/kbl_rt5660.c +index 2c7a547f63c90..358d606228121 100644 +--- a/sound/soc/intel/boards/kbl_rt5660.c ++++ b/sound/soc/intel/boards/kbl_rt5660.c +@@ -518,6 +518,7 @@ static struct snd_soc_card kabylake_audio_card_rt5660 = { + .dapm_routes = kabylake_rt5660_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_rt5660_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c +index 2d4224c5b1520..d110ebd10bca2 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c +@@ -966,6 +966,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663_m98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -982,6 +983,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663 = { + .dapm_routes = kabylake_5663_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_5663_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +index 2c79fca57b19e..a15d2c30b6c46 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +@@ -791,6 +791,7 @@ static struct snd_soc_card kabylake_audio_card = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/skl_hda_dsp_generic.c b/sound/soc/intel/boards/skl_hda_dsp_generic.c +index 463ffb85121d3..2e1c1e4013c3f 100644 +--- a/sound/soc/intel/boards/skl_hda_dsp_generic.c ++++ b/sound/soc/intel/boards/skl_hda_dsp_generic.c +@@ -231,6 +231,8 @@ static int skl_hda_audio_probe(struct platform_device *pdev) + ctx->common_hdmi_codec_drv = mach->mach_params.common_hdmi_codec_drv; + + hda_soc_card.dev = &pdev->dev; ++ if (!snd_soc_acpi_sof_parent(&pdev->dev)) ++ hda_soc_card.disable_route_checks = true; + + if (mach->mach_params.dmic_num > 0) { + snprintf(hda_soc_components, sizeof(hda_soc_components), +diff --git a/sound/soc/intel/boards/skl_nau88l25_max98357a.c b/sound/soc/intel/boards/skl_nau88l25_max98357a.c +index 8dceb0b025812..8180afb4505bc 100644 +--- a/sound/soc/intel/boards/skl_nau88l25_max98357a.c ++++ b/sound/soc/intel/boards/skl_nau88l25_max98357a.c +@@ -654,6 +654,7 @@ static struct snd_soc_card skylake_audio_card = { + .dapm_routes = skylake_map, + .num_dapm_routes = ARRAY_SIZE(skylake_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = skylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/skl_rt286.c b/sound/soc/intel/boards/skl_rt286.c +index 4f3d655e2bfa8..0a4795a94a768 100644 +--- a/sound/soc/intel/boards/skl_rt286.c ++++ b/sound/soc/intel/boards/skl_rt286.c +@@ -523,6 +523,7 @@ static struct snd_soc_card skylake_rt286 = { + .dapm_routes = skylake_rt286_map, + .num_dapm_routes = ARRAY_SIZE(skylake_rt286_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = skylake_card_late_probe, + }; + +-- +2.43.0 + diff --git a/queue-6.1/asoc-kirkwood-fix-potential-null-dereference.patch b/queue-6.1/asoc-kirkwood-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..df6537d5507 --- /dev/null +++ b/queue-6.1/asoc-kirkwood-fix-potential-null-dereference.patch @@ -0,0 +1,41 @@ +From 854023c5d9637ca0b898e267ce6b15ce6b5cf2a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 20:33:37 +0300 +Subject: ASoC: kirkwood: Fix potential NULL dereference + +From: Aleksandr Mishin + +[ Upstream commit ea60ab95723f5738e7737b56dda95e6feefa5b50 ] + +In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if +CONFIG_PLAT_ORION macro is not defined. +Fix this bug by adding NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bb6a40fc5a83 ("ASoC: kirkwood: Fix reference to PCM buffer address") +Signed-off-by: Aleksandr Mishin +Link: https://msgid.link/r/20240328173337.21406-1-amishin@t-argos.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index 640cebd2983e2..16d2c9acc33a6 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -182,6 +182,9 @@ static int kirkwood_dma_hw_params(struct snd_soc_component *component, + const struct mbus_dram_target_info *dram = mv_mbus_dram_info(); + unsigned long addr = substream->runtime->dma_addr; + ++ if (!dram) ++ return 0; ++ + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) + kirkwood_dma_conf_mbus_windows(priv->io, + KIRKWOOD_PLAYBACK_WIN, addr, dram); +-- +2.43.0 + diff --git a/queue-6.1/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch b/queue-6.1/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch new file mode 100644 index 00000000000..f42bf4c9efa --- /dev/null +++ b/queue-6.1/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch @@ -0,0 +1,105 @@ +From 8e1186822585dc410dbc36558f01eaae84433d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 17:10:56 +0800 +Subject: ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating + +From: Derek Fang + +[ Upstream commit 103abab975087e1f01b76fcb54c91dbb65dbc249 ] + +The codec leaves tie combo jack's sleeve/ring2 to floating status +default. It would cause electric noise while connecting the active +speaker jack during boot or shutdown. +This patch requests a gpio to control the additional jack circuit +to tie the contacts to the ground or floating. + +Signed-off-by: Derek Fang + +Link: https://msgid.link/r/20240408091057.14165-1-derek.fang@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5645.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c +index aac9140749968..0bb70066111b7 100644 +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -441,6 +441,7 @@ struct rt5645_priv { + struct regmap *regmap; + struct i2c_client *i2c; + struct gpio_desc *gpiod_hp_det; ++ struct gpio_desc *gpiod_cbj_sleeve; + struct snd_soc_jack *hp_jack; + struct snd_soc_jack *mic_jack; + struct snd_soc_jack *btn_jack; +@@ -3179,6 +3180,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + regmap_update_bits(rt5645->regmap, RT5645_IN1_CTRL2, + RT5645_CBJ_MN_JD, 0); + ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 1); ++ + msleep(600); + regmap_read(rt5645->regmap, RT5645_IN1_CTRL3, &val); + val &= 0x7; +@@ -3195,6 +3199,8 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + snd_soc_dapm_disable_pin(dapm, "Mic Det Power"); + snd_soc_dapm_sync(dapm); + rt5645->jack_type = SND_JACK_HEADPHONE; ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + if (rt5645->pdata.level_trigger_irq) + regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, +@@ -3220,6 +3226,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + if (rt5645->pdata.level_trigger_irq) + regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, + RT5645_JD_1_1_MASK, RT5645_JD_1_1_INV); ++ ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + + return rt5645->jack_type; +@@ -3931,6 +3940,16 @@ static int rt5645_i2c_probe(struct i2c_client *i2c) + return ret; + } + ++ rt5645->gpiod_cbj_sleeve = devm_gpiod_get_optional(&i2c->dev, "cbj-sleeve", ++ GPIOD_OUT_LOW); ++ ++ if (IS_ERR(rt5645->gpiod_cbj_sleeve)) { ++ ret = PTR_ERR(rt5645->gpiod_cbj_sleeve); ++ dev_info(&i2c->dev, "failed to initialize gpiod, ret=%d\n", ret); ++ if (ret != -ENOENT) ++ return ret; ++ } ++ + for (i = 0; i < ARRAY_SIZE(rt5645->supplies); i++) + rt5645->supplies[i].supply = rt5645_supply_names[i]; + +@@ -4174,6 +4193,9 @@ static void rt5645_i2c_remove(struct i2c_client *i2c) + cancel_delayed_work_sync(&rt5645->jack_detect_work); + cancel_delayed_work_sync(&rt5645->rcclock_work); + ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); ++ + regulator_bulk_disable(ARRAY_SIZE(rt5645->supplies), rt5645->supplies); + } + +@@ -4189,6 +4211,9 @@ static void rt5645_i2c_shutdown(struct i2c_client *i2c) + 0); + msleep(20); + regmap_write(rt5645->regmap, RT5645_RESET, 0); ++ ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + + static struct i2c_driver rt5645_i2c_driver = { +-- +2.43.0 + diff --git a/queue-6.1/asoc-rt715-add-vendor-clear-control-register.patch b/queue-6.1/asoc-rt715-add-vendor-clear-control-register.patch new file mode 100644 index 00000000000..0499f37fb79 --- /dev/null +++ b/queue-6.1/asoc-rt715-add-vendor-clear-control-register.patch @@ -0,0 +1,38 @@ +From a1e070247530b4bd09349f78b13a543d510617e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 06:27:23 +0000 +Subject: ASoC: rt715: add vendor clear control register + +From: Jack Yu + +[ Upstream commit cebfbc89ae2552dbb58cd9b8206a5c8e0e6301e9 ] + +Add vendor clear control register in readable register's +callback function. This prevents an access failure reported +in Intel CI tests. + +Signed-off-by: Jack Yu +Closes: https://github.com/thesofproject/linux/issues/4860 +Tested-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/6a103ce9134d49d8b3941172c87a7bd4@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt715-sdw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/rt715-sdw.c b/sound/soc/codecs/rt715-sdw.c +index 4e61e16470eda..4e35b67b01ce8 100644 +--- a/sound/soc/codecs/rt715-sdw.c ++++ b/sound/soc/codecs/rt715-sdw.c +@@ -111,6 +111,7 @@ static bool rt715_readable_register(struct device *dev, unsigned int reg) + case 0x839d: + case 0x83a7: + case 0x83a9: ++ case 0x752001: + case 0x752039: + return true; + default: +-- +2.43.0 + diff --git a/queue-6.1/asoc-rt715-sdca-volume-step-modification.patch b/queue-6.1/asoc-rt715-sdca-volume-step-modification.patch new file mode 100644 index 00000000000..cd5ebc7daca --- /dev/null +++ b/queue-6.1/asoc-rt715-sdca-volume-step-modification.patch @@ -0,0 +1,61 @@ +From 1f43f71205584ccc5ef74a0fa0b9a0aca0eb169c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 06:59:35 +0000 +Subject: ASoC: rt715-sdca: volume step modification + +From: Jack Yu + +[ Upstream commit bda16500dd0b05e2e047093b36cbe0873c95aeae ] + +Volume step (dB/step) modification to fix format error +which shown in amixer control. + +Signed-off-by: Jack Yu +Link: https://lore.kernel.org/r/b1f546ad16dc4c7abb7daa7396e8345c@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt715-sdca.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/rt715-sdca.c b/sound/soc/codecs/rt715-sdca.c +index ce8bbc76199a8..3377846a87539 100644 +--- a/sound/soc/codecs/rt715-sdca.c ++++ b/sound/soc/codecs/rt715-sdca.c +@@ -315,7 +315,7 @@ static int rt715_sdca_set_amp_gain_8ch_get(struct snd_kcontrol *kcontrol, + return 0; + } + +-static const DECLARE_TLV_DB_SCALE(in_vol_tlv, -17625, 375, 0); ++static const DECLARE_TLV_DB_SCALE(in_vol_tlv, -1725, 75, 0); + static const DECLARE_TLV_DB_SCALE(mic_vol_tlv, 0, 1000, 0); + + static int rt715_sdca_get_volsw(struct snd_kcontrol *kcontrol, +@@ -476,7 +476,7 @@ static const struct snd_kcontrol_new rt715_sdca_snd_controls[] = { + RT715_SDCA_FU_VOL_CTRL, CH_01), + SDW_SDCA_CTL(FUN_MIC_ARRAY, RT715_SDCA_FU_ADC7_27_VOL, + RT715_SDCA_FU_VOL_CTRL, CH_02), +- 0x2f, 0x7f, 0, ++ 0x2f, 0x3f, 0, + rt715_sdca_set_amp_gain_get, rt715_sdca_set_amp_gain_put, + in_vol_tlv), + RT715_SDCA_EXT_TLV("FU02 Capture Volume", +@@ -484,13 +484,13 @@ static const struct snd_kcontrol_new rt715_sdca_snd_controls[] = { + RT715_SDCA_FU_VOL_CTRL, CH_01), + rt715_sdca_set_amp_gain_4ch_get, + rt715_sdca_set_amp_gain_4ch_put, +- in_vol_tlv, 4, 0x7f), ++ in_vol_tlv, 4, 0x3f), + RT715_SDCA_EXT_TLV("FU06 Capture Volume", + SDW_SDCA_CTL(FUN_MIC_ARRAY, RT715_SDCA_FU_ADC10_11_VOL, + RT715_SDCA_FU_VOL_CTRL, CH_01), + rt715_sdca_set_amp_gain_4ch_get, + rt715_sdca_set_amp_gain_4ch_put, +- in_vol_tlv, 4, 0x7f), ++ in_vol_tlv, 4, 0x3f), + /* MIC Boost Control */ + RT715_SDCA_BOOST_EXT_TLV("FU0E Boost", + SDW_SDCA_CTL(FUN_MIC_ARRAY, RT715_SDCA_FU_DMIC_GAIN_EN, +-- +2.43.0 + diff --git a/queue-6.1/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch b/queue-6.1/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch new file mode 100644 index 00000000000..3cb67660ad6 --- /dev/null +++ b/queue-6.1/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch @@ -0,0 +1,48 @@ +From 735bd8bf978dc1e7065b04aea76d5457786c2c98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 00:03:03 -0400 +Subject: ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value + +From: Steven Rostedt + +[ Upstream commit 58300f8d6a48e58d1843199be743f819e2791ea3 ] + +The string SND_SOC_DAPM_DIR_OUT is printed in the snd_soc_dapm_path trace +event instead of its value: + + (((REC->path_dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + +User space cannot parse this, as it has no idea what SND_SOC_DAPM_DIR_OUT +is. Use TRACE_DEFINE_ENUM() to convert it to its value: + + (((REC->path_dir) == 1) ? "->" : "<-") + +So that user space tools, such as perf and trace-cmd, can parse it +correctly. + +Reported-by: Luca Ceresoli +Fixes: 6e588a0d839b5 ("ASoC: dapm: Consolidate path trace events") +Signed-off-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20240416000303.04670cdf@rorschach.local.home +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/trace/events/asoc.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/trace/events/asoc.h b/include/trace/events/asoc.h +index 4d8ef71090af1..97a434d021356 100644 +--- a/include/trace/events/asoc.h ++++ b/include/trace/events/asoc.h +@@ -12,6 +12,8 @@ + #define DAPM_DIRECT "(direct)" + #define DAPM_ARROW(dir) (((dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + ++TRACE_DEFINE_ENUM(SND_SOC_DAPM_DIR_OUT); ++ + struct snd_soc_jack; + struct snd_soc_card; + struct snd_soc_dapm_widget; +-- +2.43.0 + diff --git a/queue-6.1/ax25-fix-reference-count-leak-issue-of-net_device.patch b/queue-6.1/ax25-fix-reference-count-leak-issue-of-net_device.patch new file mode 100644 index 00000000000..cd83a034d93 --- /dev/null +++ b/queue-6.1/ax25-fix-reference-count-leak-issue-of-net_device.patch @@ -0,0 +1,53 @@ +From 7bbd7abfbb52f4d18682d081017e659540f557d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:37:02 +0800 +Subject: ax25: Fix reference count leak issue of net_device + +From: Duoming Zhou + +[ Upstream commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 ] + +There is a reference count leak issue of the object "net_device" in +ax25_dev_device_down(). When the ax25 device is shutting down, the +ax25_dev_device_down() drops the reference count of net_device one +or zero times depending on if we goto unlock_put or not, which will +cause memory leak. + +In order to solve the above issue, decrease the reference count of +net_device after dev->ax25_ptr is set to null. + +Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_dev.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index dd1d616dab367..fcc64645bbf5e 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -118,15 +118,10 @@ void ax25_dev_device_down(struct net_device *dev) + list_for_each_entry(s, &ax25_dev_list, list) { + if (s == ax25_dev) { + list_del(&s->list); +- goto unlock_put; ++ break; + } + } +- dev->ax25_ptr = NULL; +- spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_put(ax25_dev); +- return; + +-unlock_put: + dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); + netdev_put(dev, &ax25_dev->dev_tracker); +-- +2.43.0 + diff --git a/queue-6.1/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch b/queue-6.1/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch new file mode 100644 index 00000000000..e0a18f78a0e --- /dev/null +++ b/queue-6.1/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch @@ -0,0 +1,74 @@ +From 2b5f5b8ebc54e0e08665e16f5ac13ad0dba55dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:36:47 +0800 +Subject: ax25: Fix reference count leak issues of ax25_dev + +From: Duoming Zhou + +[ Upstream commit b505e0319852b08a3a716b64620168eab21f4ced ] + +The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference +count leak issue of the object "ax25_dev". + +Memory leak issue in ax25_addr_ax25dev(): + +The reference count of the object "ax25_dev" can be increased multiple +times in ax25_addr_ax25dev(). This will cause a memory leak. + +Memory leak issues in ax25_dev_device_down(): + +The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and +then increase the reference count when ax25_dev is added to ax25_dev_list. +As a result, the reference count of ax25_dev is 2. But when the device is +shutting down. The ax25_dev_device_down() drops the reference count once +or twice depending on if we goto unlock_put or not, which will cause +memory leak. + +As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer +to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the +issue of ax25_dev_device_down(), increase the reference count of ax25_dev +once in ax25_dev_device_up() and decrease the reference count of ax25_dev +after it is removed from the ax25_dev_list. + +Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/361bbf2a4b091e120006279ec3b382d73c4a0c17.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index a56d12fae464b..dd1d616dab367 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -39,6 +39,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) + if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { + res = ax25_dev; + ax25_dev_hold(ax25_dev); ++ break; + } + spin_unlock_bh(&ax25_dev_lock); + +@@ -88,7 +89,6 @@ void ax25_dev_device_up(struct net_device *dev) + list_add(&ax25_dev->list, &ax25_dev_list); + dev->ax25_ptr = ax25_dev; + spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_hold(ax25_dev); + + ax25_register_dev_sysctl(ax25_dev); + } +@@ -129,7 +129,6 @@ void ax25_dev_device_down(struct net_device *dev) + unlock_put: + dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_put(ax25_dev); + netdev_put(dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } +-- +2.43.0 + diff --git a/queue-6.1/ax25-use-kernel-universal-linked-list-to-implement-a.patch b/queue-6.1/ax25-use-kernel-universal-linked-list-to-implement-a.patch new file mode 100644 index 00000000000..8b9da3b48ee --- /dev/null +++ b/queue-6.1/ax25-use-kernel-universal-linked-list-to-implement-a.patch @@ -0,0 +1,163 @@ +From 3bd31977402f43661e55eaa02b93957b399d0d18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:36:33 +0800 +Subject: ax25: Use kernel universal linked list to implement ax25_dev_list + +From: Duoming Zhou + +[ Upstream commit a7d6e36b9ad052926ba2ecba3a59d8bb67dabcb4 ] + +The origin ax25_dev_list implements its own single linked list, +which is complicated and error-prone. For example, when deleting +the node of ax25_dev_list in ax25_dev_device_down(), we have to +operate on the head node and other nodes separately. + +This patch uses kernel universal linked list to replace original +ax25_dev_list, which make the operation of ax25_dev_list easier. + +We should do "dev->ax25_ptr = ax25_dev;" and "dev->ax25_ptr = NULL;" +while holding the spinlock, otherwise the ax25_dev_device_up() and +ax25_dev_device_down() could race. + +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/85bba3af651ca0e1a519da8d0d715b949891171c.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Stable-dep-of: b505e0319852 ("ax25: Fix reference count leak issues of ax25_dev") +Signed-off-by: Sasha Levin +--- + include/net/ax25.h | 3 +-- + net/ax25/ax25_dev.c | 40 +++++++++++++++------------------------- + 2 files changed, 16 insertions(+), 27 deletions(-) + +diff --git a/include/net/ax25.h b/include/net/ax25.h +index f8cf3629a4193..1d55e8ee08b4f 100644 +--- a/include/net/ax25.h ++++ b/include/net/ax25.h +@@ -216,7 +216,7 @@ typedef struct { + struct ctl_table; + + typedef struct ax25_dev { +- struct ax25_dev *next; ++ struct list_head list; + + struct net_device *dev; + netdevice_tracker dev_tracker; +@@ -333,7 +333,6 @@ int ax25_addr_size(const ax25_digi *); + void ax25_digi_invert(const ax25_digi *, ax25_digi *); + + /* ax25_dev.c */ +-extern ax25_dev *ax25_dev_list; + extern spinlock_t ax25_dev_lock; + + #if IS_ENABLED(CONFIG_AX25) +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index c5462486dbca1..a56d12fae464b 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -22,11 +22,12 @@ + #include + #include + #include ++#include + #include + #include + #include + +-ax25_dev *ax25_dev_list; ++static LIST_HEAD(ax25_dev_list); + DEFINE_SPINLOCK(ax25_dev_lock); + + ax25_dev *ax25_addr_ax25dev(ax25_address *addr) +@@ -34,7 +35,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) + ax25_dev *ax25_dev, *res = NULL; + + spin_lock_bh(&ax25_dev_lock); +- for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) ++ list_for_each_entry(ax25_dev, &ax25_dev_list, list) + if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { + res = ax25_dev; + ax25_dev_hold(ax25_dev); +@@ -59,7 +60,6 @@ void ax25_dev_device_up(struct net_device *dev) + } + + refcount_set(&ax25_dev->refcount, 1); +- dev->ax25_ptr = ax25_dev; + ax25_dev->dev = dev; + netdev_hold(dev, &ax25_dev->dev_tracker, GFP_KERNEL); + ax25_dev->forward = NULL; +@@ -85,8 +85,8 @@ void ax25_dev_device_up(struct net_device *dev) + #endif + + spin_lock_bh(&ax25_dev_lock); +- ax25_dev->next = ax25_dev_list; +- ax25_dev_list = ax25_dev; ++ list_add(&ax25_dev->list, &ax25_dev_list); ++ dev->ax25_ptr = ax25_dev; + spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); + +@@ -111,32 +111,25 @@ void ax25_dev_device_down(struct net_device *dev) + /* + * Remove any packet forwarding that points to this device. + */ +- for (s = ax25_dev_list; s != NULL; s = s->next) ++ list_for_each_entry(s, &ax25_dev_list, list) + if (s->forward == dev) + s->forward = NULL; + +- if ((s = ax25_dev_list) == ax25_dev) { +- ax25_dev_list = s->next; +- goto unlock_put; +- } +- +- while (s != NULL && s->next != NULL) { +- if (s->next == ax25_dev) { +- s->next = ax25_dev->next; ++ list_for_each_entry(s, &ax25_dev_list, list) { ++ if (s == ax25_dev) { ++ list_del(&s->list); + goto unlock_put; + } +- +- s = s->next; + } +- spin_unlock_bh(&ax25_dev_lock); + dev->ax25_ptr = NULL; ++ spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); + return; + + unlock_put: ++ dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); +- dev->ax25_ptr = NULL; + netdev_put(dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } +@@ -200,16 +193,13 @@ struct net_device *ax25_fwd_dev(struct net_device *dev) + */ + void __exit ax25_dev_free(void) + { +- ax25_dev *s, *ax25_dev; ++ ax25_dev *s, *n; + + spin_lock_bh(&ax25_dev_lock); +- ax25_dev = ax25_dev_list; +- while (ax25_dev != NULL) { +- s = ax25_dev; +- netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker); +- ax25_dev = ax25_dev->next; ++ list_for_each_entry_safe(s, n, &ax25_dev_list, list) { ++ netdev_put(s->dev, &s->dev_tracker); ++ list_del(&s->list); + kfree(s); + } +- ax25_dev_list = NULL; + spin_unlock_bh(&ax25_dev_lock); + } +-- +2.43.0 + diff --git a/queue-6.1/bitops-add-missing-prototype-check.patch b/queue-6.1/bitops-add-missing-prototype-check.patch new file mode 100644 index 00000000000..745b46b993a --- /dev/null +++ b/queue-6.1/bitops-add-missing-prototype-check.patch @@ -0,0 +1,40 @@ +From df84d5cf207eb1e03fd19c6d79cf706fc6a76214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 16:23:41 +0100 +Subject: bitops: add missing prototype check + +From: Alexander Lobakin + +[ Upstream commit 72cc1980a0ef3ccad0d539e7dace63d0d7d432a4 ] + +Commit 8238b4579866 ("wait_on_bit: add an acquire memory barrier") added +a new bitop, test_bit_acquire(), with proper wrapping in order to try to +optimize it at compile-time, but missed the list of bitops used for +checking their prototypes a bit below. +The functions added have consistent prototypes, so that no more changes +are required and no functional changes take place. + +Fixes: 8238b4579866 ("wait_on_bit: add an acquire memory barrier") +Reviewed-by: Przemek Kitszel +Signed-off-by: Alexander Lobakin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/bitops.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index 2ba557e067fe6..f7f5a783da2aa 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -80,6 +80,7 @@ __check_bitop_pr(__test_and_set_bit); + __check_bitop_pr(__test_and_clear_bit); + __check_bitop_pr(__test_and_change_bit); + __check_bitop_pr(test_bit); ++__check_bitop_pr(test_bit_acquire); + + #undef __check_bitop_pr + +-- +2.43.0 + diff --git a/queue-6.1/block-open-code-__blk_account_io_done.patch b/queue-6.1/block-open-code-__blk_account_io_done.patch new file mode 100644 index 00000000000..4ad6335e3b7 --- /dev/null +++ b/queue-6.1/block-open-code-__blk_account_io_done.patch @@ -0,0 +1,67 @@ +From 72fa2c6ed1d8b694721d05e99171ed49d35dcb34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 00:34:27 -0700 +Subject: block: open code __blk_account_io_done() + +From: Chaitanya Kulkarni + +[ Upstream commit 06965037ce942500c1ce3aa29ca217093a9c5720 ] + +There is only one caller for __blk_account_io_done(), the function +is small enough to fit in its caller blk_account_io_done(). + +Remove the function and opencode in the its caller +blk_account_io_done(). + +Signed-off-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230327073427.4403-2-kch@nvidia.com +Signed-off-by: Jens Axboe +Stable-dep-of: 99dc422335d8 ("block: support to account io_ticks precisely") +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 33ac49dc775d7..355c4c52065b8 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -971,17 +971,6 @@ bool blk_update_request(struct request *req, blk_status_t error, + } + EXPORT_SYMBOL_GPL(blk_update_request); + +-static void __blk_account_io_done(struct request *req, u64 now) +-{ +- const int sgrp = op_stat_group(req_op(req)); +- +- part_stat_lock(); +- update_io_ticks(req->part, jiffies, true); +- part_stat_inc(req->part, ios[sgrp]); +- part_stat_add(req->part, nsecs[sgrp], now - req->start_time_ns); +- part_stat_unlock(); +-} +- + static inline void blk_account_io_done(struct request *req, u64 now) + { + /* +@@ -990,8 +979,15 @@ static inline void blk_account_io_done(struct request *req, u64 now) + * containing request is enough. + */ + if (blk_do_io_stat(req) && req->part && +- !(req->rq_flags & RQF_FLUSH_SEQ)) +- __blk_account_io_done(req, now); ++ !(req->rq_flags & RQF_FLUSH_SEQ)) { ++ const int sgrp = op_stat_group(req_op(req)); ++ ++ part_stat_lock(); ++ update_io_ticks(req->part, jiffies, true); ++ part_stat_inc(req->part, ios[sgrp]); ++ part_stat_add(req->part, nsecs[sgrp], now - req->start_time_ns); ++ part_stat_unlock(); ++ } + } + + static inline void blk_account_io_start(struct request *req) +-- +2.43.0 + diff --git a/queue-6.1/block-open-code-__blk_account_io_start.patch b/queue-6.1/block-open-code-__blk_account_io_start.patch new file mode 100644 index 00000000000..8d31bb483c2 --- /dev/null +++ b/queue-6.1/block-open-code-__blk_account_io_start.patch @@ -0,0 +1,76 @@ +From 28efe7241fd21f5d46488bb84c5b4e9c56afd960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 00:34:26 -0700 +Subject: block: open code __blk_account_io_start() + +From: Chaitanya Kulkarni + +[ Upstream commit e165fb4dd6985b37215178e514a2e09dab8fef14 ] + +There is only one caller for __blk_account_io_start(), the function +is small enough to fit in its caller blk_account_io_start(). + +Remove the function and opencode in the its caller +blk_account_io_start(). + +Signed-off-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230327073427.4403-2-kch@nvidia.com +Signed-off-by: Jens Axboe +Stable-dep-of: 99dc422335d8 ("block: support to account io_ticks precisely") +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 36 ++++++++++++++++-------------------- + 1 file changed, 16 insertions(+), 20 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index e1b12f3d54bd4..33ac49dc775d7 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -994,28 +994,24 @@ static inline void blk_account_io_done(struct request *req, u64 now) + __blk_account_io_done(req, now); + } + +-static void __blk_account_io_start(struct request *rq) +-{ +- /* +- * All non-passthrough requests are created from a bio with one +- * exception: when a flush command that is part of a flush sequence +- * generated by the state machine in blk-flush.c is cloned onto the +- * lower device by dm-multipath we can get here without a bio. +- */ +- if (rq->bio) +- rq->part = rq->bio->bi_bdev; +- else +- rq->part = rq->q->disk->part0; +- +- part_stat_lock(); +- update_io_ticks(rq->part, jiffies, false); +- part_stat_unlock(); +-} +- + static inline void blk_account_io_start(struct request *req) + { +- if (blk_do_io_stat(req)) +- __blk_account_io_start(req); ++ if (blk_do_io_stat(req)) { ++ /* ++ * All non-passthrough requests are created from a bio with one ++ * exception: when a flush command that is part of a flush sequence ++ * generated by the state machine in blk-flush.c is cloned onto the ++ * lower device by dm-multipath we can get here without a bio. ++ */ ++ if (req->bio) ++ req->part = req->bio->bi_bdev; ++ else ++ req->part = req->q->disk->part0; ++ ++ part_stat_lock(); ++ update_io_ticks(req->part, jiffies, false); ++ part_stat_unlock(); ++ } + } + + static inline void __blk_mq_end_request_acct(struct request *rq, u64 now) +-- +2.43.0 + diff --git a/queue-6.1/block-support-to-account-io_ticks-precisely.patch b/queue-6.1/block-support-to-account-io_ticks-precisely.patch new file mode 100644 index 00000000000..326bb4079a4 --- /dev/null +++ b/queue-6.1/block-support-to-account-io_ticks-precisely.patch @@ -0,0 +1,152 @@ +From f556fc94b7dcac6fde1d83a9fd8fd7ab141b4ab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 20:37:16 +0800 +Subject: block: support to account io_ticks precisely + +From: Yu Kuai + +[ Upstream commit 99dc422335d8b2bd4d105797241d3e715bae90e9 ] + +Currently, io_ticks is accounted based on sampling, specifically +update_io_ticks() will always account io_ticks by 1 jiffies from +bdev_start_io_acct()/blk_account_io_start(), and the result can be +inaccurate, for example(HZ is 250): + +Test script: +fio -filename=/dev/sda -bs=4k -rw=write -direct=1 -name=test -thinktime=4ms + +Test result: util is about 90%, while the disk is really idle. + +This behaviour is introduced by commit 5b18b5a73760 ("block: delete +part_round_stats and switch to less precise counting"), however, there +was a key point that is missed that this patch also improve performance +a lot: + +Before the commit: +part_round_stats: + if (part->stamp != now) + stats |= 1; + + part_in_flight() + -> there can be lots of task here in 1 jiffies. + part_round_stats_single() + __part_stat_add() + part->stamp = now; + +After the commit: +update_io_ticks: + stamp = part->bd_stamp; + if (time_after(now, stamp)) + if (try_cmpxchg()) + __part_stat_add() + -> only one task can reach here in 1 jiffies. + +Hence in order to account io_ticks precisely, we only need to know if +there are IO inflight at most once in one jiffies. Noted that for +rq-based device, iterating tags should not be used here because +'tags->lock' is grabbed in blk_mq_find_and_get_req(), hence +part_stat_lock_inc/dec() and part_in_flight() is used to trace inflight. +The additional overhead is quite little: + + - per cpu add/dec for each IO for rq-based device; + - per cpu sum for each jiffies; + +And it's verified by null-blk that there are no performance degration +under heavy IO pressure. + +Fixes: 5b18b5a73760 ("block: delete part_round_stats and switch to less precise counting") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240509123717.3223892-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 9 +++++---- + block/blk-merge.c | 2 ++ + block/blk-mq.c | 4 ++++ + block/blk.h | 1 + + block/genhd.c | 2 +- + 5 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index aefdf07bdc2cf..a4155f123ab38 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -933,10 +933,11 @@ void update_io_ticks(struct block_device *part, unsigned long now, bool end) + unsigned long stamp; + again: + stamp = READ_ONCE(part->bd_stamp); +- if (unlikely(time_after(now, stamp))) { +- if (likely(try_cmpxchg(&part->bd_stamp, &stamp, now))) +- __part_stat_add(part, io_ticks, end ? now - stamp : 1); +- } ++ if (unlikely(time_after(now, stamp)) && ++ likely(try_cmpxchg(&part->bd_stamp, &stamp, now)) && ++ (end || part_in_flight(part))) ++ __part_stat_add(part, io_ticks, now - stamp); ++ + if (part->bd_partno) { + part = bdev_whole(part); + goto again; +diff --git a/block/blk-merge.c b/block/blk-merge.c +index cc7f6a4a255c9..13a47b37acb7d 100644 +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -779,6 +779,8 @@ static void blk_account_io_merge_request(struct request *req) + if (blk_do_io_stat(req)) { + part_stat_lock(); + part_stat_inc(req->part, merges[op_stat_group(req_op(req))]); ++ part_stat_local_dec(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 355c4c52065b8..3afa5c8d165b1 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -986,6 +986,8 @@ static inline void blk_account_io_done(struct request *req, u64 now) + update_io_ticks(req->part, jiffies, true); + part_stat_inc(req->part, ios[sgrp]); + part_stat_add(req->part, nsecs[sgrp], now - req->start_time_ns); ++ part_stat_local_dec(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +@@ -1006,6 +1008,8 @@ static inline void blk_account_io_start(struct request *req) + + part_stat_lock(); + update_io_ticks(req->part, jiffies, false); ++ part_stat_local_inc(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +diff --git a/block/blk.h b/block/blk.h +index a186ea20f39d8..9b2f53ff4c37f 100644 +--- a/block/blk.h ++++ b/block/blk.h +@@ -346,6 +346,7 @@ static inline bool blk_do_io_stat(struct request *rq) + } + + void update_io_ticks(struct block_device *part, unsigned long now, bool end); ++unsigned int part_in_flight(struct block_device *part); + + static inline void req_set_nomerge(struct request_queue *q, struct request *req) + { +diff --git a/block/genhd.c b/block/genhd.c +index ddb17c4adc8a2..f9e3ecd5ba2fa 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -123,7 +123,7 @@ static void part_stat_read_all(struct block_device *part, + } + } + +-static unsigned int part_in_flight(struct block_device *part) ++unsigned int part_in_flight(struct block_device *part) + { + unsigned int inflight = 0; + int cpu; +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch b/queue-6.1/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch new file mode 100644 index 00000000000..f239725535d --- /dev/null +++ b/queue-6.1/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch @@ -0,0 +1,388 @@ +From 8ac217f6d02f986b648c444d8e7ed4e2545161a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 12:08:58 +0200 +Subject: Bluetooth: compute LE flow credits based on recvbuf space + +From: Sebastian Urban + +[ Upstream commit ce60b9231b66710b6ee24042ded26efee120ecfc ] + +Previously LE flow credits were returned to the +sender even if the socket's receive buffer was +full. This meant that no back-pressure +was applied to the sender, thus it continued to +send data, resulting in data loss without any +error being reported. Furthermore, the amount +of credits was essentially fixed to a small +amount, leading to reduced performance. + +This is fixed by computing the number of returned +LE flow credits based on the estimated available +space in the receive buffer of an L2CAP socket. +Consequently, if the receive buffer is full, no +credits are returned until the buffer is read and +thus cleared by user-space. + +Since the computation of available receive buffer +space can only be performed approximately (due to +sk_buff overhead) and the receive buffer size may +be changed by user-space after flow credits have +been sent, superfluous received data is temporary +stored within l2cap_pinfo. This is necessary +because Bluetooth LE provides no retransmission +mechanism once the data has been acked by the +physical layer. + +If receive buffer space estimation is not possible +at the moment, we fall back to providing credits +for one full packet as before. This is currently +the case during connection setup, when MPS is not +yet available. + +Fixes: b1c325c23d75 ("Bluetooth: Implement returning of LE L2CAP credits") +Signed-off-by: Sebastian Urban +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/l2cap.h | 11 ++++- + net/bluetooth/l2cap_core.c | 56 ++++++++++++++++++--- + net/bluetooth/l2cap_sock.c | 91 ++++++++++++++++++++++++++++------- + 3 files changed, 132 insertions(+), 26 deletions(-) + +diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h +index 2f766e3437ce2..d46f1335cf9ac 100644 +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -584,6 +584,9 @@ struct l2cap_chan { + __u16 tx_credits; + __u16 rx_credits; + ++ /* estimated available receive buffer space or -1 if unknown */ ++ ssize_t rx_avail; ++ + __u8 tx_state; + __u8 rx_state; + +@@ -724,10 +727,15 @@ struct l2cap_user { + /* ----- L2CAP socket info ----- */ + #define l2cap_pi(sk) ((struct l2cap_pinfo *) sk) + ++struct l2cap_rx_busy { ++ struct list_head list; ++ struct sk_buff *skb; ++}; ++ + struct l2cap_pinfo { + struct bt_sock bt; + struct l2cap_chan *chan; +- struct sk_buff *rx_busy_skb; ++ struct list_head rx_busy; + }; + + enum { +@@ -985,6 +993,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, + int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu); + int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len); + void l2cap_chan_busy(struct l2cap_chan *chan, int busy); ++void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail); + int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator); + void l2cap_chan_set_defaults(struct l2cap_chan *chan); + int l2cap_ertm_init(struct l2cap_chan *chan); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index c34011113d4c5..5f9a599baa34d 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -477,6 +477,9 @@ struct l2cap_chan *l2cap_chan_create(void) + /* Set default lock nesting level */ + atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); + ++ /* Available receive buffer space is initially unknown */ ++ chan->rx_avail = -1; ++ + write_lock(&chan_list_lock); + list_add(&chan->global_l, &chan_list); + write_unlock(&chan_list_lock); +@@ -558,6 +561,28 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan) + } + EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); + ++static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan) ++{ ++ size_t sdu_len = chan->sdu ? chan->sdu->len : 0; ++ ++ if (chan->mps == 0) ++ return 0; ++ ++ /* If we don't know the available space in the receiver buffer, give ++ * enough credits for a full packet. ++ */ ++ if (chan->rx_avail == -1) ++ return (chan->imtu / chan->mps) + 1; ++ ++ /* If we know how much space is available in the receive buffer, give ++ * out as many credits as would fill the buffer. ++ */ ++ if (chan->rx_avail <= sdu_len) ++ return 0; ++ ++ return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps); ++} ++ + static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) + { + chan->sdu = NULL; +@@ -566,8 +591,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) + chan->tx_credits = tx_credits; + /* Derive MPS from connection MTU to stop HCI fragmentation */ + chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); +- /* Give enough credits for a full packet */ +- chan->rx_credits = (chan->imtu / chan->mps) + 1; ++ chan->rx_credits = l2cap_le_rx_credits(chan); + + skb_queue_head_init(&chan->tx_q); + } +@@ -579,7 +603,7 @@ static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) + /* L2CAP implementations shall support a minimum MPS of 64 octets */ + if (chan->mps < L2CAP_ECRED_MIN_MPS) { + chan->mps = L2CAP_ECRED_MIN_MPS; +- chan->rx_credits = (chan->imtu / chan->mps) + 1; ++ chan->rx_credits = l2cap_le_rx_credits(chan); + } + } + +@@ -7529,9 +7553,7 @@ static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) + { + struct l2cap_conn *conn = chan->conn; + struct l2cap_le_credits pkt; +- u16 return_credits; +- +- return_credits = (chan->imtu / chan->mps) + 1; ++ u16 return_credits = l2cap_le_rx_credits(chan); + + if (chan->rx_credits >= return_credits) + return; +@@ -7550,6 +7572,19 @@ static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) + l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); + } + ++void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail) ++{ ++ if (chan->rx_avail == rx_avail) ++ return; ++ ++ BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail); ++ ++ chan->rx_avail = rx_avail; ++ ++ if (chan->state == BT_CONNECTED) ++ l2cap_chan_le_send_credits(chan); ++} ++ + static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) + { + int err; +@@ -7559,6 +7594,12 @@ static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) + /* Wait recv to confirm reception before updating the credits */ + err = chan->ops->recv(chan, skb); + ++ if (err < 0 && chan->rx_avail != -1) { ++ BT_ERR("Queueing received LE L2CAP data failed"); ++ l2cap_send_disconn_req(chan, ECONNRESET); ++ return err; ++ } ++ + /* Update credits whenever an SDU is received */ + l2cap_chan_le_send_credits(chan); + +@@ -7581,7 +7622,8 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + } + + chan->rx_credits--; +- BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits); ++ BT_DBG("chan %p: rx_credits %u -> %u", ++ chan, chan->rx_credits + 1, chan->rx_credits); + + /* Update if remote had run out of credits, this should only happens + * if the remote is not using the entire MPS. +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index bca399a9d21be..af6d4e3b8c065 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1165,6 +1165,34 @@ static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, + return err; + } + ++static void l2cap_publish_rx_avail(struct l2cap_chan *chan) ++{ ++ struct sock *sk = chan->data; ++ ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc); ++ int expected_skbs, skb_overhead; ++ ++ if (avail <= 0) { ++ l2cap_chan_rx_avail(chan, 0); ++ return; ++ } ++ ++ if (!chan->mps) { ++ l2cap_chan_rx_avail(chan, -1); ++ return; ++ } ++ ++ /* Correct available memory by estimated sk_buff overhead. ++ * This is significant due to small transfer sizes. However, accept ++ * at least one full packet if receive space is non-zero. ++ */ ++ expected_skbs = DIV_ROUND_UP(avail, chan->mps); ++ skb_overhead = expected_skbs * sizeof(struct sk_buff); ++ if (skb_overhead < avail) ++ l2cap_chan_rx_avail(chan, avail - skb_overhead); ++ else ++ l2cap_chan_rx_avail(chan, -1); ++} ++ + static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, + size_t len, int flags) + { +@@ -1201,28 +1229,33 @@ static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, + else + err = bt_sock_recvmsg(sock, msg, len, flags); + +- if (pi->chan->mode != L2CAP_MODE_ERTM) ++ if (pi->chan->mode != L2CAP_MODE_ERTM && ++ pi->chan->mode != L2CAP_MODE_LE_FLOWCTL && ++ pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL) + return err; + +- /* Attempt to put pending rx data in the socket buffer */ +- + lock_sock(sk); + +- if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) +- goto done; ++ l2cap_publish_rx_avail(pi->chan); + +- if (pi->rx_busy_skb) { +- if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) +- pi->rx_busy_skb = NULL; +- else ++ /* Attempt to put pending rx data in the socket buffer */ ++ while (!list_empty(&pi->rx_busy)) { ++ struct l2cap_rx_busy *rx_busy = ++ list_first_entry(&pi->rx_busy, ++ struct l2cap_rx_busy, ++ list); ++ if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0) + goto done; ++ list_del(&rx_busy->list); ++ kfree(rx_busy); + } + + /* Restore data flow when half of the receive buffer is + * available. This avoids resending large numbers of + * frames. + */ +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) ++ if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) && ++ atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) + l2cap_chan_busy(pi->chan, 0); + + done: +@@ -1483,17 +1516,20 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) + static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + { + struct sock *sk = chan->data; ++ struct l2cap_pinfo *pi = l2cap_pi(sk); + int err; + + lock_sock(sk); + +- if (l2cap_pi(sk)->rx_busy_skb) { ++ if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { + err = -ENOMEM; + goto done; + } + + if (chan->mode != L2CAP_MODE_ERTM && +- chan->mode != L2CAP_MODE_STREAMING) { ++ chan->mode != L2CAP_MODE_STREAMING && ++ chan->mode != L2CAP_MODE_LE_FLOWCTL && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) { + /* Even if no filter is attached, we could potentially + * get errors from security modules, etc. + */ +@@ -1504,7 +1540,9 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + + err = __sock_queue_rcv_skb(sk, skb); + +- /* For ERTM, handle one skb that doesn't fit into the recv ++ l2cap_publish_rx_avail(chan); ++ ++ /* For ERTM and LE, handle a skb that doesn't fit into the recv + * buffer. This is important to do because the data frames + * have already been acked, so the skb cannot be discarded. + * +@@ -1513,8 +1551,18 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + * acked and reassembled until there is buffer space + * available. + */ +- if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { +- l2cap_pi(sk)->rx_busy_skb = skb; ++ if (err < 0 && ++ (chan->mode == L2CAP_MODE_ERTM || ++ chan->mode == L2CAP_MODE_LE_FLOWCTL || ++ chan->mode == L2CAP_MODE_EXT_FLOWCTL)) { ++ struct l2cap_rx_busy *rx_busy = ++ kmalloc(sizeof(*rx_busy), GFP_KERNEL); ++ if (!rx_busy) { ++ err = -ENOMEM; ++ goto done; ++ } ++ rx_busy->skb = skb; ++ list_add_tail(&rx_busy->list, &pi->rx_busy); + l2cap_chan_busy(chan, 1); + err = 0; + } +@@ -1740,6 +1788,8 @@ static const struct l2cap_ops l2cap_chan_ops = { + + static void l2cap_sock_destruct(struct sock *sk) + { ++ struct l2cap_rx_busy *rx_busy, *next; ++ + BT_DBG("sk %p", sk); + + if (l2cap_pi(sk)->chan) { +@@ -1747,9 +1797,10 @@ static void l2cap_sock_destruct(struct sock *sk) + l2cap_chan_put(l2cap_pi(sk)->chan); + } + +- if (l2cap_pi(sk)->rx_busy_skb) { +- kfree_skb(l2cap_pi(sk)->rx_busy_skb); +- l2cap_pi(sk)->rx_busy_skb = NULL; ++ list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) { ++ kfree_skb(rx_busy->skb); ++ list_del(&rx_busy->list); ++ kfree(rx_busy); + } + + skb_queue_purge(&sk->sk_receive_queue); +@@ -1833,6 +1884,8 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent) + + chan->data = sk; + chan->ops = &l2cap_chan_ops; ++ ++ l2cap_publish_rx_avail(chan); + } + + static struct proto l2cap_proto = { +@@ -1854,6 +1907,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + sk->sk_destruct = l2cap_sock_destruct; + sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; + ++ INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy); ++ + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-consolidate-code-around-sk_alloc-into-a-he.patch b/queue-6.1/bluetooth-consolidate-code-around-sk_alloc-into-a-he.patch new file mode 100644 index 00000000000..4db97275d91 --- /dev/null +++ b/queue-6.1/bluetooth-consolidate-code-around-sk_alloc-into-a-he.patch @@ -0,0 +1,245 @@ +From ac71ddcae8fc47d047662861a2b470c805dc5771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 16:46:41 -0700 +Subject: Bluetooth: Consolidate code around sk_alloc into a helper function + +From: Luiz Augusto von Dentz + +[ Upstream commit 6bfa273e533d7b25eee3d74e28a7fe8e6a8e7a93 ] + +This consolidates code around sk_alloc into bt_sock_alloc which does +take care of common initialization. + +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: ce60b9231b66 ("Bluetooth: compute LE flow credits based on recvbuf space") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 2 ++ + net/bluetooth/af_bluetooth.c | 21 +++++++++++++++++++++ + net/bluetooth/bnep/sock.c | 10 +--------- + net/bluetooth/hci_sock.c | 10 ++-------- + net/bluetooth/iso.c | 10 +--------- + net/bluetooth/l2cap_sock.c | 10 +--------- + net/bluetooth/rfcomm/sock.c | 13 +++---------- + net/bluetooth/sco.c | 10 +--------- + 8 files changed, 32 insertions(+), 54 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index 5aaf7d7f3c6fa..c7f1dd34ea470 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -383,6 +383,8 @@ int bt_sock_register(int proto, const struct net_proto_family *ops); + void bt_sock_unregister(int proto); + void bt_sock_link(struct bt_sock_list *l, struct sock *s); + void bt_sock_unlink(struct bt_sock_list *l, struct sock *s); ++struct sock *bt_sock_alloc(struct net *net, struct socket *sock, ++ struct proto *prot, int proto, gfp_t prio, int kern); + int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + int flags); + int bt_sock_stream_recvmsg(struct socket *sock, struct msghdr *msg, +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index 3f9ff02baafe3..b8b31b79904a8 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -140,6 +140,27 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto, + return err; + } + ++struct sock *bt_sock_alloc(struct net *net, struct socket *sock, ++ struct proto *prot, int proto, gfp_t prio, int kern) ++{ ++ struct sock *sk; ++ ++ sk = sk_alloc(net, PF_BLUETOOTH, prio, prot, kern); ++ if (!sk) ++ return NULL; ++ ++ sock_init_data(sock, sk); ++ INIT_LIST_HEAD(&bt_sk(sk)->accept_q); ++ ++ sock_reset_flag(sk, SOCK_ZAPPED); ++ ++ sk->sk_protocol = proto; ++ sk->sk_state = BT_OPEN; ++ ++ return sk; ++} ++EXPORT_SYMBOL(bt_sock_alloc); ++ + void bt_sock_link(struct bt_sock_list *l, struct sock *sk) + { + write_lock(&l->lock); +diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c +index 57d509d77cb46..00d47bcf4d7dc 100644 +--- a/net/bluetooth/bnep/sock.c ++++ b/net/bluetooth/bnep/sock.c +@@ -205,21 +205,13 @@ static int bnep_sock_create(struct net *net, struct socket *sock, int protocol, + if (sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; + +- sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &bnep_proto, kern); ++ sk = bt_sock_alloc(net, sock, &bnep_proto, protocol, GFP_ATOMIC, kern); + if (!sk) + return -ENOMEM; + +- sock_init_data(sock, sk); +- + sock->ops = &bnep_sock_ops; +- + sock->state = SS_UNCONNECTED; + +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = protocol; +- sk->sk_state = BT_OPEN; +- + bt_sock_link(&bnep_sk_list, sk); + return 0; + } +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 484fc2a8e4baa..730e569cae36d 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -2144,18 +2144,12 @@ static int hci_sock_create(struct net *net, struct socket *sock, int protocol, + + sock->ops = &hci_sock_ops; + +- sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern); ++ sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC, ++ kern); + if (!sk) + return -ENOMEM; + +- sock_init_data(sock, sk); +- +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = protocol; +- + sock->state = SS_UNCONNECTED; +- sk->sk_state = BT_OPEN; + sk->sk_destruct = hci_sock_destruct; + + bt_sock_link(&hci_sk_list, sk); +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 91e990accbf20..5fe1008799ab4 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -695,21 +695,13 @@ static struct sock *iso_sock_alloc(struct net *net, struct socket *sock, + { + struct sock *sk; + +- sk = sk_alloc(net, PF_BLUETOOTH, prio, &iso_proto, kern); ++ sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern); + if (!sk) + return NULL; + +- sock_init_data(sock, sk); +- INIT_LIST_HEAD(&bt_sk(sk)->accept_q); +- + sk->sk_destruct = iso_sock_destruct; + sk->sk_sndtimeo = ISO_CONN_TIMEOUT; + +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = proto; +- sk->sk_state = BT_OPEN; +- + /* Set address type as public as default src address is BDADDR_ANY */ + iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index e3c7029ec8a61..bca399a9d21be 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1847,21 +1847,13 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + struct sock *sk; + struct l2cap_chan *chan; + +- sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); ++ sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern); + if (!sk) + return NULL; + +- sock_init_data(sock, sk); +- INIT_LIST_HEAD(&bt_sk(sk)->accept_q); +- + sk->sk_destruct = l2cap_sock_destruct; + sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; + +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = proto; +- sk->sk_state = BT_OPEN; +- + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 4397e14ff560f..b54e8a530f55a 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -268,18 +268,16 @@ static struct proto rfcomm_proto = { + .obj_size = sizeof(struct rfcomm_pinfo) + }; + +-static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern) ++static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, ++ int proto, gfp_t prio, int kern) + { + struct rfcomm_dlc *d; + struct sock *sk; + +- sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern); ++ sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); + if (!sk) + return NULL; + +- sock_init_data(sock, sk); +- INIT_LIST_HEAD(&bt_sk(sk)->accept_q); +- + d = rfcomm_dlc_alloc(prio); + if (!d) { + sk_free(sk); +@@ -298,11 +296,6 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int + sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; + sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; + +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = proto; +- sk->sk_state = BT_OPEN; +- + bt_sock_link(&rfcomm_sk_list, sk); + + BT_DBG("sk %p", sk); +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 301cf802d32c4..a3bbe04b11383 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -484,21 +484,13 @@ static struct sock *sco_sock_alloc(struct net *net, struct socket *sock, + { + struct sock *sk; + +- sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern); ++ sk = bt_sock_alloc(net, sock, &sco_proto, proto, prio, kern); + if (!sk) + return NULL; + +- sock_init_data(sock, sk); +- INIT_LIST_HEAD(&bt_sk(sk)->accept_q); +- + sk->sk_destruct = sco_sock_destruct; + sk->sk_sndtimeo = SCO_CONN_TIMEOUT; + +- sock_reset_flag(sk, SOCK_ZAPPED); +- +- sk->sk_protocol = proto; +- sk->sk_state = BT_OPEN; +- + sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT; + sco_pi(sk)->codec.id = BT_CODEC_CVSD; + sco_pi(sk)->codec.cid = 0xffff; +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch b/queue-6.1/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch new file mode 100644 index 00000000000..d2f9c4f5c8f --- /dev/null +++ b/queue-6.1/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch @@ -0,0 +1,39 @@ +From 5f5e99cef6dd32785644c5157fa385cf4c0f1720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:25:43 +0300 +Subject: Bluetooth: qca: Fix error code in qca_read_fw_build_info() + +From: Dan Carpenter + +[ Upstream commit a189f0ee6685457528db7a36ded3085e5d13ddc3 ] + +Return -ENOMEM on allocation failure. Don't return success. + +Fixes: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Dan Carpenter +Reviewed-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index a0fadde993d70..2dda94a0875a6 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -148,8 +148,10 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) + } + + build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); +- if (!build_label) ++ if (!build_label) { ++ err = -ENOMEM; + goto out; ++ } + + hci_set_fw_info(hdev, "%s", build_label); + +-- +2.43.0 + diff --git a/queue-6.1/bpf-pack-struct-bpf_fib_lookup.patch b/queue-6.1/bpf-pack-struct-bpf_fib_lookup.patch new file mode 100644 index 00000000000..0df4b2c986f --- /dev/null +++ b/queue-6.1/bpf-pack-struct-bpf_fib_lookup.patch @@ -0,0 +1,74 @@ +From ef6f302521566a62b0a431cbce99ac60b4640229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 14:33:03 +0200 +Subject: bpf: Pack struct bpf_fib_lookup + +From: Anton Protopopov + +[ Upstream commit f91717007217d975aa975ddabd91ae1a107b9bff ] + +The struct bpf_fib_lookup is supposed to be of size 64. A recent commit +59b418c7063d ("bpf: Add a check for struct bpf_fib_lookup size") added +a static assertion to check this property so that future changes to the +structure will not accidentally break this assumption. + +As it immediately turned out, on some 32-bit arm systems, when AEABI=n, +the total size of the structure was equal to 68, see [1]. This happened +because the bpf_fib_lookup structure contains a union of two 16-bit +fields: + + union { + __u16 tot_len; + __u16 mtu_result; + }; + +which was supposed to compile to a 16-bit-aligned 16-bit field. On the +aforementioned setups it was instead both aligned and padded to 32-bits. + +Declare this inner union as __attribute__((packed, aligned(2))) such +that it always is of size 2 and is aligned to 16 bits. + + [1] https://lore.kernel.org/all/CA+G9fYtsoP51f-oP_Sp5MOq-Ffv8La2RztNpwvE6+R1VtFiLrw@mail.gmail.com/#t + +Reported-by: Naresh Kamboju +Fixes: e1850ea9bd9e ("bpf: bpf_fib_lookup return MTU value as output when looked up") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Reviewed-by: Alexander Lobakin +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240403123303.1452184-1-aspsk@isovalent.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 2 +- + tools/include/uapi/linux/bpf.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index d5d2183730b9f..a17688011440e 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -6730,7 +6730,7 @@ struct bpf_fib_lookup { + + /* output: MTU value */ + __u16 mtu_result; +- }; ++ } __attribute__((packed, aligned(2))); + /* input: L3 device index for lookup + * output: device index from FIB lookup + */ +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index d5d2183730b9f..a17688011440e 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -6730,7 +6730,7 @@ struct bpf_fib_lookup { + + /* output: MTU value */ + __u16 mtu_result; +- }; ++ } __attribute__((packed, aligned(2))); + /* input: L3 device index for lookup + * output: device index from FIB lookup + */ +-- +2.43.0 + diff --git a/queue-6.1/bpftool-fix-missing-pids-during-link-show.patch b/queue-6.1/bpftool-fix-missing-pids-during-link-show.patch new file mode 100644 index 00000000000..885bebcac71 --- /dev/null +++ b/queue-6.1/bpftool-fix-missing-pids-during-link-show.patch @@ -0,0 +1,89 @@ +From 566ef89b5748809f780e93a80125f2dc2be1541e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 19:32:49 -0700 +Subject: bpftool: Fix missing pids during link show + +From: Yonghong Song + +[ Upstream commit fe879bb42f8a6513ed18e9d22efb99cb35590201 ] + +Current 'bpftool link' command does not show pids, e.g., + $ tools/build/bpftool/bpftool link + ... + 4: tracing prog 23 + prog_type lsm attach_type lsm_mac + target_obj_id 1 target_btf_id 31320 + +Hack the following change to enable normal libbpf debug output, + --- a/tools/bpf/bpftool/pids.c + +++ b/tools/bpf/bpftool/pids.c + @@ -121,9 +121,9 @@ int build_obj_refs_table(struct hashmap **map, enum bpf_obj_type type) + /* we don't want output polluted with libbpf errors if bpf_iter is not + * supported + */ + - default_print = libbpf_set_print(libbpf_print_none); + + /* default_print = libbpf_set_print(libbpf_print_none); */ + err = pid_iter_bpf__load(skel); + - libbpf_set_print(default_print); + + /* libbpf_set_print(default_print); */ + +Rerun the above bpftool command: + $ tools/build/bpftool/bpftool link + libbpf: prog 'iter': BPF program load failed: Permission denied + libbpf: prog 'iter': -- BEGIN PROG LOAD LOG -- + 0: R1=ctx() R10=fp0 + ; struct task_struct *task = ctx->task; @ pid_iter.bpf.c:69 + 0: (79) r6 = *(u64 *)(r1 +8) ; R1=ctx() R6_w=ptr_or_null_task_struct(id=1) + ; struct file *file = ctx->file; @ pid_iter.bpf.c:68 + ... + ; struct bpf_link *link = (struct bpf_link *) file->private_data; @ pid_iter.bpf.c:103 + 80: (79) r3 = *(u64 *)(r8 +432) ; R3_w=scalar() R8=ptr_file() + ; if (link->type == bpf_core_enum_value(enum bpf_link_type___local, @ pid_iter.bpf.c:105 + 81: (61) r1 = *(u32 *)(r3 +12) + R3 invalid mem access 'scalar' + processed 39 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2 + -- END PROG LOAD LOG -- + libbpf: prog 'iter': failed to load: -13 + ... + +The 'file->private_data' returns a 'void' type and this caused subsequent 'link->type' +(insn #81) failed in verification. + +To fix the issue, restore the previous BPF_CORE_READ so old kernels can also work. +With this patch, the 'bpftool link' runs successfully with 'pids'. + $ tools/build/bpftool/bpftool link + ... + 4: tracing prog 23 + prog_type lsm attach_type lsm_mac + target_obj_id 1 target_btf_id 31320 + pids systemd(1) + +Fixes: 44ba7b30e84f ("bpftool: Use a local copy of BPF_LINK_TYPE_PERF_EVENT in pid_iter.bpf.c") +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Tested-by: Quentin Monnet +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20240312023249.3776718-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/skeleton/pid_iter.bpf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/bpf/bpftool/skeleton/pid_iter.bpf.c b/tools/bpf/bpftool/skeleton/pid_iter.bpf.c +index 26004f0c5a6ae..7bdbcac3cf628 100644 +--- a/tools/bpf/bpftool/skeleton/pid_iter.bpf.c ++++ b/tools/bpf/bpftool/skeleton/pid_iter.bpf.c +@@ -102,8 +102,8 @@ int iter(struct bpf_iter__task_file *ctx) + BPF_LINK_TYPE_PERF_EVENT___local)) { + struct bpf_link *link = (struct bpf_link *) file->private_data; + +- if (link->type == bpf_core_enum_value(enum bpf_link_type___local, +- BPF_LINK_TYPE_PERF_EVENT___local)) { ++ if (BPF_CORE_READ(link, type) == bpf_core_enum_value(enum bpf_link_type___local, ++ BPF_LINK_TYPE_PERF_EVENT___local)) { + e.has_bpf_cookie = true; + e.bpf_cookie = get_bpf_cookie(link); + } +-- +2.43.0 + diff --git a/queue-6.1/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch b/queue-6.1/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch new file mode 100644 index 00000000000..dc3a51b1ca9 --- /dev/null +++ b/queue-6.1/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch @@ -0,0 +1,52 @@ +From 64a7cafb623427671194d0b206407d90fcb7e56d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 16:17:00 +0200 +Subject: clk: mediatek: mt8365-mm: fix DPI0 parent + +From: Alexandre Mergnat + +[ Upstream commit 4c0c087772d7e29bc2489ddb068d5167140bfc38 ] + +To have a working display through DPI, a workaround has been +implemented downstream to add "mm_dpi0_dpi0" and "dpi0_sel" to +the DPI node. Shortly, that add an extra clock. + +It seems consistent to have the "dpi0_sel" as parent. +Additionnaly, "vpll_dpix" isn't used/managed. + +Then, set the "mm_dpi0_dpi0" parent clock to "dpi0_sel". + +The new clock tree is: + +clk26m + lvdspll + lvdspll_X (2, 4, 8, 16) + dpi0_sel + mm_dpi0_dpi0 + +Fixes: d46adccb7966 ("clk: mediatek: add driver for MT8365 SoC") +Signed-off-by: Alexandre Mergnat +Link: https://lore.kernel.org/r/20231023-display-support-v3-12-53388f3ed34b@baylibre.com +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8365-mm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-mt8365-mm.c b/drivers/clk/mediatek/clk-mt8365-mm.c +index 22c75a03a6452..bc0b1162ed431 100644 +--- a/drivers/clk/mediatek/clk-mt8365-mm.c ++++ b/drivers/clk/mediatek/clk-mt8365-mm.c +@@ -53,7 +53,7 @@ static const struct mtk_gate mm_clks[] = { + GATE_MM0(CLK_MM_MM_DSI0, "mm_dsi0", "mm_sel", 17), + GATE_MM0(CLK_MM_MM_DISP_RDMA1, "mm_disp_rdma1", "mm_sel", 18), + GATE_MM0(CLK_MM_MM_MDP_RDMA1, "mm_mdp_rdma1", "mm_sel", 19), +- GATE_MM0(CLK_MM_DPI0_DPI0, "mm_dpi0_dpi0", "vpll_dpix", 20), ++ GATE_MM0(CLK_MM_DPI0_DPI0, "mm_dpi0_dpi0", "dpi0_sel", 20), + GATE_MM0(CLK_MM_MM_FAKE, "mm_fake", "mm_sel", 21), + GATE_MM0(CLK_MM_MM_SMI_COMMON, "mm_smi_common", "mm_sel", 22), + GATE_MM0(CLK_MM_MM_SMI_LARB0, "mm_smi_larb0", "mm_sel", 23), +-- +2.43.0 + diff --git a/queue-6.1/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch b/queue-6.1/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch new file mode 100644 index 00000000000..6580204562a --- /dev/null +++ b/queue-6.1/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch @@ -0,0 +1,65 @@ +From 50dd4810597888f8ef06b672b4f61106cab3d5a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:30 +0300 +Subject: clk: qcom: dispcc-sm6350: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit 1113501cfb46d5c0eb960f0a8a9f6c0f91dc6fb6 ] + +On SM6350 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display ae90000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") +Reviewed-by: Neil Armstrong +Tested-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-2-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm6350.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c +index ea6f54ed846ec..441f042f5ea45 100644 +--- a/drivers/clk/qcom/dispcc-sm6350.c ++++ b/drivers/clk/qcom/dispcc-sm6350.c +@@ -221,26 +221,17 @@ static struct clk_rcg2 disp_cc_mdss_dp_crypto_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dp_link_clk_src[] = { +- F(162000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dp_link_clk_src = { + .cmd_rcgr = 0x10f8, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_0, +- .freq_tbl = ftbl_disp_cc_mdss_dp_link_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "disp_cc_mdss_dp_link_clk_src", + .parent_data = disp_cc_parent_data_0, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_0), + .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.1/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch b/queue-6.1/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch new file mode 100644 index 00000000000..aaccc9ab510 --- /dev/null +++ b/queue-6.1/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch @@ -0,0 +1,109 @@ +From 4259e779332c862a8850c7f2682c220f6f73d612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:29 +0300 +Subject: clk: qcom: dispcc-sm8450: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit e801038a02ce1e8c652a0b668dd233a4ee48aeb7 ] + +On SM8450 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display ae90000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 16fb89f92ec4 ("clk: qcom: Add support for Display Clock Controller on SM8450") +Reviewed-by: Neil Armstrong +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-1-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8450.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8450.c b/drivers/clk/qcom/dispcc-sm8450.c +index 64626f620a01b..e7dd45a2058c1 100644 +--- a/drivers/clk/qcom/dispcc-sm8450.c ++++ b/drivers/clk/qcom/dispcc-sm8450.c +@@ -309,26 +309,17 @@ static struct clk_rcg2 disp_cc_mdss_dptx0_aux_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dptx0_link_clk_src[] = { +- F(162000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dptx0_link_clk_src = { + .cmd_rcgr = 0x819c, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx0_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -382,13 +373,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx1_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -442,13 +432,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx2_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx2_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -502,13 +491,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx3_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx3_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.1/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch b/queue-6.1/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch new file mode 100644 index 00000000000..4edc1b4a5d1 --- /dev/null +++ b/queue-6.1/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch @@ -0,0 +1,114 @@ +From 0ab4f2355e67a4406e40fb05ccd07903e09a88a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 17:07:07 +0200 +Subject: clk: qcom: mmcc-msm8998: fix venus clock issue + +From: Marc Gonzalez + +[ Upstream commit e20ae5ae9f0c843aded4f06f3d1cab7384789e92 ] + +Right now, msm8998 video decoder (venus) is non-functional: + +$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm + (+) Video --vid=1 (*) (vp9 854x480 29.970fps) + Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz) +[ffmpeg/video] vp9_v4l2m2m: output VIDIOC_REQBUFS failed: Connection timed out +[ffmpeg/video] vp9_v4l2m2m: no v4l2 output context's buffers +[ffmpeg/video] vp9_v4l2m2m: can't configure decoder +Could not open codec. +Software decoding fallback is disabled. +Exiting... (Quit) + +Bryan O'Donoghue suggested the proper fix: +- Set required register offsets in venus GDSC structs. +- Set HW_CTRL flag. + +$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm + (+) Video --vid=1 (*) (vp9 854x480 29.970fps) + Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz) +[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl +[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl +... +Using hardware decoding (v4l2m2m-copy). +VO: [null] 854x480 nv12 +Exiting... (End of file) +real 0m3.315s +user 0m1.277s +sys 0m0.453s + +NOTES: + +GDSC = Globally Distributed Switch Controller + +Use same code as mmcc-msm8996 with: +s/venus_gdsc/video_top_gdsc/ +s/venus_core0_gdsc/video_subcore0_gdsc/ +s/venus_core1_gdsc/video_subcore1_gdsc/ + +https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8996.h +https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8998.h + +0x1024 = MMSS_VIDEO GDSCR (undocumented) +0x1028 = MMSS_VIDEO_CORE_CBCR +0x1030 = MMSS_VIDEO_AHB_CBCR +0x1034 = MMSS_VIDEO_AXI_CBCR +0x1038 = MMSS_VIDEO_MAXI_CBCR +0x1040 = MMSS_VIDEO_SUBCORE0 GDSCR (undocumented) +0x1044 = MMSS_VIDEO_SUBCORE1 GDSCR (undocumented) +0x1048 = MMSS_VIDEO_SUBCORE0_CBCR +0x104c = MMSS_VIDEO_SUBCORE1_CBCR + +Fixes: d14b15b5931c2b ("clk: qcom: Add MSM8998 Multimedia Clock Controller (MMCC) driver") +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Marc Gonzalez +Reviewed-by: Jeffrey Hugo +Link: https://lore.kernel.org/r/ff4e2e34-a677-4c39-8c29-83655c5512ae@freebox.fr +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/mmcc-msm8998.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/qcom/mmcc-msm8998.c b/drivers/clk/qcom/mmcc-msm8998.c +index e5a72c2f080f8..c282424bac537 100644 +--- a/drivers/clk/qcom/mmcc-msm8998.c ++++ b/drivers/clk/qcom/mmcc-msm8998.c +@@ -2578,6 +2578,8 @@ static struct clk_hw *mmcc_msm8998_hws[] = { + + static struct gdsc video_top_gdsc = { + .gdscr = 0x1024, ++ .cxcs = (unsigned int []){ 0x1028, 0x1034, 0x1038 }, ++ .cxc_count = 3, + .pd = { + .name = "video_top", + }, +@@ -2586,20 +2588,26 @@ static struct gdsc video_top_gdsc = { + + static struct gdsc video_subcore0_gdsc = { + .gdscr = 0x1040, ++ .cxcs = (unsigned int []){ 0x1048 }, ++ .cxc_count = 1, + .pd = { + .name = "video_subcore0", + }, + .parent = &video_top_gdsc.pd, + .pwrsts = PWRSTS_OFF_ON, ++ .flags = HW_CTRL, + }; + + static struct gdsc video_subcore1_gdsc = { + .gdscr = 0x1044, ++ .cxcs = (unsigned int []){ 0x104c }, ++ .cxc_count = 1, + .pd = { + .name = "video_subcore1", + }, + .parent = &video_top_gdsc.pd, + .pwrsts = PWRSTS_OFF_ON, ++ .flags = HW_CTRL, + }; + + static struct gdsc mdss_gdsc = { +-- +2.43.0 + diff --git a/queue-6.1/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch b/queue-6.1/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch new file mode 100644 index 00000000000..88236c4b9af --- /dev/null +++ b/queue-6.1/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch @@ -0,0 +1,40 @@ +From 48ba9174c72db5613c033d78951d8f91164db44a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 17:00:51 +0200 +Subject: clk: renesas: r8a779a0: Fix CANFD parent clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 3b23118bdbd898dc2f4de8f549d598d492c42ba8 ] + +According to Figure 52A.1 ("RS-CANFD Module Block Diagram (in classical +CAN mode)") in the R-Car V3U Series User’s Manual Rev. 0.5, the parent +clock for the CANFD peripheral module clock is the S3D2 clock. + +Fixes: 9b621b6adff53346 ("clk: renesas: r8a779a0: Add CANFD module clock") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/aef9300f44c9141b1465343f91c5cc7303249b6e.1713279523.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r8a779a0-cpg-mssr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/renesas/r8a779a0-cpg-mssr.c b/drivers/clk/renesas/r8a779a0-cpg-mssr.c +index e02542ca24a06..5c908c8c5180d 100644 +--- a/drivers/clk/renesas/r8a779a0-cpg-mssr.c ++++ b/drivers/clk/renesas/r8a779a0-cpg-mssr.c +@@ -139,7 +139,7 @@ static const struct mssr_mod_clk r8a779a0_mod_clks[] __initconst = { + DEF_MOD("avb3", 214, R8A779A0_CLK_S3D2), + DEF_MOD("avb4", 215, R8A779A0_CLK_S3D2), + DEF_MOD("avb5", 216, R8A779A0_CLK_S3D2), +- DEF_MOD("canfd0", 328, R8A779A0_CLK_CANFD), ++ DEF_MOD("canfd0", 328, R8A779A0_CLK_S3D2), + DEF_MOD("csi40", 331, R8A779A0_CLK_CSI0), + DEF_MOD("csi41", 400, R8A779A0_CLK_CSI0), + DEF_MOD("csi42", 401, R8A779A0_CLK_CSI0), +-- +2.43.0 + diff --git a/queue-6.1/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch b/queue-6.1/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch new file mode 100644 index 00000000000..88037e3172e --- /dev/null +++ b/queue-6.1/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch @@ -0,0 +1,59 @@ +From 55ba1c4c193cab06207bcd9e46d5c81644ed5ac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 21:09:52 +0100 +Subject: clk: renesas: r9a07g043: Add clock and reset entry for PLIC + +From: Lad Prabhakar + +[ Upstream commit 44019387fce230beda35b83da3a2c9fc5787704e ] + +Add the missing clock and reset entry for PLIC. Also add +R9A07G043_NCEPLIC_ACLK to the critical clocks list. + +Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240403200952.633084-1-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r9a07g043-cpg.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/clk/renesas/r9a07g043-cpg.c b/drivers/clk/renesas/r9a07g043-cpg.c +index 37475465100de..0b56688ecbfc4 100644 +--- a/drivers/clk/renesas/r9a07g043-cpg.c ++++ b/drivers/clk/renesas/r9a07g043-cpg.c +@@ -252,6 +252,10 @@ static struct rzg2l_mod_clk r9a07g043_mod_clks[] = { + 0x5a8, 1), + DEF_MOD("tsu_pclk", R9A07G043_TSU_PCLK, R9A07G043_CLK_TSU, + 0x5ac, 0), ++#ifdef CONFIG_RISCV ++ DEF_MOD("nceplic_aclk", R9A07G043_NCEPLIC_ACLK, R9A07G043_CLK_P1, ++ 0x608, 0), ++#endif + }; + + static struct rzg2l_reset r9a07g043_resets[] = { +@@ -305,6 +309,10 @@ static struct rzg2l_reset r9a07g043_resets[] = { + DEF_RST(R9A07G043_ADC_PRESETN, 0x8a8, 0), + DEF_RST(R9A07G043_ADC_ADRST_N, 0x8a8, 1), + DEF_RST(R9A07G043_TSU_PRESETN, 0x8ac, 0), ++#ifdef CONFIG_RISCV ++ DEF_RST(R9A07G043_NCEPLIC_ARESETN, 0x908, 0), ++#endif ++ + }; + + static const unsigned int r9a07g043_crit_mod_clks[] __initconst = { +@@ -314,6 +322,7 @@ static const unsigned int r9a07g043_crit_mod_clks[] __initconst = { + #endif + #ifdef CONFIG_RISCV + MOD_CLK_BASE + R9A07G043_IAX45_CLK, ++ MOD_CLK_BASE + R9A07G043_NCEPLIC_ACLK, + #endif + MOD_CLK_BASE + R9A07G043_DMAC_ACLK, + }; +-- +2.43.0 + diff --git a/queue-6.1/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch b/queue-6.1/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch new file mode 100644 index 00000000000..764aa9a65cb --- /dev/null +++ b/queue-6.1/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch @@ -0,0 +1,72 @@ +From 2604aefa46c444f1afbc1380234cf799e89af7cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 16:03:48 +0200 +Subject: clk: rs9: fix wrong default value for clock amplitude + +From: Catalin Popescu + +[ Upstream commit 1758c68c81b8b881818fcebaaeb91055362a82f8 ] + +According to 9FGV0241, 9FGV0441 & 9FGV0841 datasheets, the default +value for the clock amplitude is 0.8V, while the driver assumes 0.7V. + +Additionally, define constants for default values for both clock +amplitude and spread spectrum and use them. + +Fixes: 892e0ddea1aa ("clk: rs9: Add Renesas 9-series PCIe clock generator driver") +Signed-off-by: Catalin Popescu +Reviewed-by: Marek Vasut +Link: https://lore.kernel.org/r/20240415140348.2887619-1-catalin.popescu@leica-geosystems.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-renesas-pcie.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c +index 35b2519f16961..bba0e7c667dc1 100644 +--- a/drivers/clk/clk-renesas-pcie.c ++++ b/drivers/clk/clk-renesas-pcie.c +@@ -24,10 +24,12 @@ + #define RS9_REG_SS_AMP_0V7 0x1 + #define RS9_REG_SS_AMP_0V8 0x2 + #define RS9_REG_SS_AMP_0V9 0x3 ++#define RS9_REG_SS_AMP_DEFAULT RS9_REG_SS_AMP_0V8 + #define RS9_REG_SS_AMP_MASK 0x3 + #define RS9_REG_SS_SSC_100 0 + #define RS9_REG_SS_SSC_M025 (1 << 3) + #define RS9_REG_SS_SSC_M050 (3 << 3) ++#define RS9_REG_SS_SSC_DEFAULT RS9_REG_SS_SSC_100 + #define RS9_REG_SS_SSC_MASK (3 << 3) + #define RS9_REG_SS_SSC_LOCK BIT(5) + #define RS9_REG_SR 0x2 +@@ -196,8 +198,8 @@ static int rs9_get_common_config(struct rs9_driver_data *rs9) + int ret; + + /* Set defaults */ +- rs9->pll_amplitude = RS9_REG_SS_AMP_0V7; +- rs9->pll_ssc = RS9_REG_SS_SSC_100; ++ rs9->pll_amplitude = RS9_REG_SS_AMP_DEFAULT; ++ rs9->pll_ssc = RS9_REG_SS_SSC_DEFAULT; + + /* Output clock amplitude */ + ret = of_property_read_u32(np, "renesas,out-amplitude-microvolt", +@@ -238,13 +240,13 @@ static void rs9_update_config(struct rs9_driver_data *rs9) + int i; + + /* If amplitude is non-default, update it. */ +- if (rs9->pll_amplitude != RS9_REG_SS_AMP_0V7) { ++ if (rs9->pll_amplitude != RS9_REG_SS_AMP_DEFAULT) { + regmap_update_bits(rs9->regmap, RS9_REG_SS, RS9_REG_SS_AMP_MASK, + rs9->pll_amplitude); + } + + /* If SSC is non-default, update it. */ +- if (rs9->pll_ssc != RS9_REG_SS_SSC_100) { ++ if (rs9->pll_ssc != RS9_REG_SS_SSC_DEFAULT) { + regmap_update_bits(rs9->regmap, RS9_REG_SS, RS9_REG_SS_SSC_MASK, + rs9->pll_ssc); + } +-- +2.43.0 + diff --git a/queue-6.1/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch b/queue-6.1/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch new file mode 100644 index 00000000000..d331ee4a7ad --- /dev/null +++ b/queue-6.1/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch @@ -0,0 +1,47 @@ +From da18c942e41b19295a74afb99334c36e0ea0ac2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 18:10:00 +0900 +Subject: clk: samsung: exynosautov9: fix wrong pll clock id value + +From: Jaewon Kim + +[ Upstream commit 04ee3a0b44e3d18cf6b0c712d14b98624877fd26 ] + +All PLL id values of CMU_TOP were incorrectly set to FOUT_SHARED0_PLL. +It modified to the correct PLL clock id value. + +Fixes: 6587c62f69dc ("clk: samsung: add top clock support for Exynos Auto v9 SoC") +Signed-off-by: Jaewon Kim +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20240328091000.17660-1-jaewon02.kim@samsung.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynosautov9.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/samsung/clk-exynosautov9.c b/drivers/clk/samsung/clk-exynosautov9.c +index 7b16320bba667..c360639562755 100644 +--- a/drivers/clk/samsung/clk-exynosautov9.c ++++ b/drivers/clk/samsung/clk-exynosautov9.c +@@ -343,13 +343,13 @@ static const struct samsung_pll_clock top_pll_clks[] __initconst = { + /* CMU_TOP_PURECLKCOMP */ + PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared0_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED0, PLL_CON3_PLL_SHARED0, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared1_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED1_PLL, "fout_shared1_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED1, PLL_CON3_PLL_SHARED1, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared2_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED2_PLL, "fout_shared2_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED2, PLL_CON3_PLL_SHARED2, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared3_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED3_PLL, "fout_shared3_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED3, PLL_CON3_PLL_SHARED3, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared4_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED4_PLL, "fout_shared4_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED4, PLL_CON3_PLL_SHARED4, NULL), + }; + +-- +2.43.0 + diff --git a/queue-6.1/cppc_cpufreq-fix-possible-null-pointer-dereference.patch b/queue-6.1/cppc_cpufreq-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..00657b3bfa5 --- /dev/null +++ b/queue-6.1/cppc_cpufreq-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,65 @@ +From f98ad68133c62c6cfb48b6eb904a62698f69ba73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 12:35:36 +0300 +Subject: cppc_cpufreq: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit cf7de25878a1f4508c69dc9f6819c21ba177dbfe ] + +cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from +different places with various parameters. So cpufreq_cpu_get() can return +null as 'policy' in some circumstances. +Fix this bug by adding null return check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a28b2bfc099c ("cppc_cpufreq: replace per-cpu data array with a list") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 022e3555407c8..8791a88c7741c 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -841,10 +841,15 @@ static unsigned int cppc_cpufreq_get_rate(unsigned int cpu) + { + struct cppc_perf_fb_ctrs fb_ctrs_t0 = {0}, fb_ctrs_t1 = {0}; + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); +- struct cppc_cpudata *cpu_data = policy->driver_data; ++ struct cppc_cpudata *cpu_data; + u64 delivered_perf; + int ret; + ++ if (!policy) ++ return -ENODEV; ++ ++ cpu_data = policy->driver_data; ++ + cpufreq_cpu_put(policy); + + ret = cppc_get_perf_ctrs(cpu, &fb_ctrs_t0); +@@ -924,10 +929,15 @@ static struct cpufreq_driver cppc_cpufreq_driver = { + static unsigned int hisi_cppc_cpufreq_get_rate(unsigned int cpu) + { + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); +- struct cppc_cpudata *cpu_data = policy->driver_data; ++ struct cppc_cpudata *cpu_data; + u64 desired_perf; + int ret; + ++ if (!policy) ++ return -ENODEV; ++ ++ cpu_data = policy->driver_data; ++ + cpufreq_cpu_put(policy); + + ret = cppc_get_desired_perf(cpu, &desired_perf); +-- +2.43.0 + diff --git a/queue-6.1/cpufreq-exit-callback-is-optional.patch b/queue-6.1/cpufreq-exit-callback-is-optional.patch new file mode 100644 index 00000000000..674a8b6bf64 --- /dev/null +++ b/queue-6.1/cpufreq-exit-callback-is-optional.patch @@ -0,0 +1,58 @@ +From d3ac093613f43b2f7426f1fd921aa6a0b31d575c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 11:19:20 +0530 +Subject: cpufreq: exit() callback is optional + +From: Viresh Kumar + +[ Upstream commit b8f85833c05730d631576008daaa34096bc7f3ce ] + +The exit() callback is optional and shouldn't be called without checking +a valid pointer first. + +Also, we must clear freq_table pointer even if the exit() callback isn't +present. + +Signed-off-by: Viresh Kumar +Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs") +Fixes: f339f3541701 ("cpufreq: Rearrange locking in cpufreq_remove_dev()") +Reported-by: Lizhe +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 91efa23e0e8f3..04d89cf0d71df 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1619,10 +1619,13 @@ static void __cpufreq_offline(unsigned int cpu, struct cpufreq_policy *policy) + */ + if (cpufreq_driver->offline) { + cpufreq_driver->offline(policy); +- } else if (cpufreq_driver->exit) { +- cpufreq_driver->exit(policy); +- policy->freq_table = NULL; ++ return; + } ++ ++ if (cpufreq_driver->exit) ++ cpufreq_driver->exit(policy); ++ ++ policy->freq_table = NULL; + } + + static int cpufreq_offline(unsigned int cpu) +@@ -1680,7 +1683,7 @@ static void cpufreq_remove_dev(struct device *dev, struct subsys_interface *sif) + } + + /* We did light-weight exit earlier, do full tear down now */ +- if (cpufreq_driver->offline) ++ if (cpufreq_driver->offline && cpufreq_driver->exit) + cpufreq_driver->exit(policy); + + up_write(&policy->rwsem); +-- +2.43.0 + diff --git a/queue-6.1/crypto-bcm-fix-pointer-arithmetic.patch b/queue-6.1/crypto-bcm-fix-pointer-arithmetic.patch new file mode 100644 index 00000000000..b88adc13270 --- /dev/null +++ b/queue-6.1/crypto-bcm-fix-pointer-arithmetic.patch @@ -0,0 +1,40 @@ +From 9fdd37e57c23eacf393c8cd1e2e435de9100c4d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 23:59:15 +0300 +Subject: crypto: bcm - Fix pointer arithmetic + +From: Aleksandr Mishin + +[ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ] + +In spu2_dump_omd() value of ptr is increased by ciph_key_len +instead of hash_iv_len which could lead to going beyond the +buffer boundaries. +Fix this bug by changing ciph_key_len to hash_iv_len. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/bcm/spu2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c +index 07989bb8c220a..3fdc64b5a65e7 100644 +--- a/drivers/crypto/bcm/spu2.c ++++ b/drivers/crypto/bcm/spu2.c +@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, + if (hash_iv_len) { + packet_log(" Hash IV Length %u bytes\n", hash_iv_len); + packet_dump(" hash IV: ", ptr, hash_iv_len); +- ptr += ciph_key_len; ++ ptr += hash_iv_len; + } + + if (ciph_iv_len) { +-- +2.43.0 + diff --git a/queue-6.1/crypto-ccp-drop-platform-ifdef-checks.patch b/queue-6.1/crypto-ccp-drop-platform-ifdef-checks.patch new file mode 100644 index 00000000000..6bb1b8a3e50 --- /dev/null +++ b/queue-6.1/crypto-ccp-drop-platform-ifdef-checks.patch @@ -0,0 +1,94 @@ +From f873139261dd9ea69c30e5a02a382361bf2a62ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:42 +0200 +Subject: crypto: ccp - drop platform ifdef checks + +From: Arnd Bergmann + +[ Upstream commit 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab ] + +When both ACPI and OF are disabled, the dev_vdata variable is unused: + +drivers/crypto/ccp/sp-platform.c:33:34: error: unused variable 'dev_vdata' [-Werror,-Wunused-const-variable] + +This is not a useful configuration, and there is not much point in saving +a few bytes when only one of the two is enabled, so just remove all +these ifdef checks and rely on of_match_node() and acpi_match_device() +returning NULL when these subsystems are disabled. + +Fixes: 6c5063434098 ("crypto: ccp - Add ACPI support") +Signed-off-by: Arnd Bergmann +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-platform.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c +index 7d79a8744f9a6..c43ad7e1acf7e 100644 +--- a/drivers/crypto/ccp/sp-platform.c ++++ b/drivers/crypto/ccp/sp-platform.c +@@ -39,44 +39,38 @@ static const struct sp_dev_vdata dev_vdata[] = { + }, + }; + +-#ifdef CONFIG_ACPI + static const struct acpi_device_id sp_acpi_match[] = { + { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(acpi, sp_acpi_match); +-#endif + +-#ifdef CONFIG_OF + static const struct of_device_id sp_of_match[] = { + { .compatible = "amd,ccp-seattle-v1a", + .data = (const void *)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(of, sp_of_match); +-#endif + + static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) + { +-#ifdef CONFIG_OF + const struct of_device_id *match; + + match = of_match_node(sp_of_match, pdev->dev.of_node); + if (match && match->data) + return (struct sp_dev_vdata *)match->data; +-#endif ++ + return NULL; + } + + static struct sp_dev_vdata *sp_get_acpi_version(struct platform_device *pdev) + { +-#ifdef CONFIG_ACPI + const struct acpi_device_id *match; + + match = acpi_match_device(sp_acpi_match, &pdev->dev); + if (match && match->driver_data) + return (struct sp_dev_vdata *)match->driver_data; +-#endif ++ + return NULL; + } + +@@ -214,12 +208,8 @@ static int sp_platform_resume(struct platform_device *pdev) + static struct platform_driver sp_platform_driver = { + .driver = { + .name = "ccp", +-#ifdef CONFIG_ACPI + .acpi_match_table = sp_acpi_match, +-#endif +-#ifdef CONFIG_OF + .of_match_table = sp_of_match, +-#endif + }, + .probe = sp_platform_probe, + .remove = sp_platform_remove, +-- +2.43.0 + diff --git a/queue-6.1/crypto-x86-nh-avx2-add-missing-vzeroupper.patch b/queue-6.1/crypto-x86-nh-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..010d19586b3 --- /dev/null +++ b/queue-6.1/crypto-x86-nh-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,36 @@ +From 6e0fb424ed13520d27f561d4a93892d0e4e17570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:08 -0400 +Subject: crypto: x86/nh-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 4ad096cca942959871d8ff73826d30f81f856f6e ] + +Since nh_avx2() uses ymm registers, execute vzeroupper before returning +from it. This is necessary to avoid reducing the performance of SSE +code. + +Fixes: 0f961f9f670e ("crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/nh-avx2-x86_64.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/nh-avx2-x86_64.S b/arch/x86/crypto/nh-avx2-x86_64.S +index 6a0b15e7196a8..54c0ee41209d5 100644 +--- a/arch/x86/crypto/nh-avx2-x86_64.S ++++ b/arch/x86/crypto/nh-avx2-x86_64.S +@@ -153,5 +153,6 @@ SYM_FUNC_START(nh_avx2) + vpaddq T1, T0, T0 + vpaddq T4, T0, T0 + vmovdqu T0, (HASH) ++ vzeroupper + RET + SYM_FUNC_END(nh_avx2) +-- +2.43.0 + diff --git a/queue-6.1/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch b/queue-6.1/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..2c41378cae8 --- /dev/null +++ b/queue-6.1/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,37 @@ +From 516a0a354992b8ee860e7050119b4af59a462417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:09 -0400 +Subject: crypto: x86/sha256-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 57ce8a4e162599cf9adafef1f29763160a8e5564 ] + +Since sha256_transform_rorx() uses ymm registers, execute vzeroupper +before returning from it. This is necessary to avoid reducing the +performance of SSE code. + +Fixes: d34a460092d8 ("crypto: sha256 - Optimized sha256 x86_64 routine using AVX2's RORX instructions") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/sha256-avx2-asm.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S +index 2d2be531a11ed..eaa093f973cc3 100644 +--- a/arch/x86/crypto/sha256-avx2-asm.S ++++ b/arch/x86/crypto/sha256-avx2-asm.S +@@ -711,6 +711,7 @@ done_hash: + popq %r13 + popq %r12 + popq %rbx ++ vzeroupper + RET + SYM_FUNC_END(sha256_transform_rorx) + +-- +2.43.0 + diff --git a/queue-6.1/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch b/queue-6.1/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..c2885736a11 --- /dev/null +++ b/queue-6.1/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,37 @@ +From 8359997c0c79f0098f484fb6b02300a2f639a8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:10 -0400 +Subject: crypto: x86/sha512-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 6a24fdfe1edbafacdacd53516654d99068f20eec ] + +Since sha512_transform_rorx() uses ymm registers, execute vzeroupper +before returning from it. This is necessary to avoid reducing the +performance of SSE code. + +Fixes: e01d69cb0195 ("crypto: sha512 - Optimized SHA512 x86_64 assembly routine using AVX instructions.") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/sha512-avx2-asm.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S +index b1ca99055ef99..17d6c756b5414 100644 +--- a/arch/x86/crypto/sha512-avx2-asm.S ++++ b/arch/x86/crypto/sha512-avx2-asm.S +@@ -680,6 +680,7 @@ done_hash: + pop %r12 + pop %rbx + ++ vzeroupper + RET + SYM_FUNC_END(sha512_transform_rorx) + +-- +2.43.0 + diff --git a/queue-6.1/dev_printk-add-and-use-dev_no_printk.patch b/queue-6.1/dev_printk-add-and-use-dev_no_printk.patch new file mode 100644 index 00000000000..01d6c0fa828 --- /dev/null +++ b/queue-6.1/dev_printk-add-and-use-dev_no_printk.patch @@ -0,0 +1,98 @@ +From 47c8fa98607c3c9382d54d20ba59ac912d96179c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 15:00:03 +0100 +Subject: dev_printk: Add and use dev_no_printk() + +From: Geert Uytterhoeven + +[ Upstream commit c26ec799042a3888935d59b599f33e41efedf5f8 ] + +When printk-indexing is enabled, each dev_printk() invocation emits a +pi_entry structure. This is even true when the dev_printk() is +protected by an always-false check, as is typically the case for debug +messages: while the actual code to print the message is optimized out by +the compiler, the pi_entry structure is still emitted. + +Avoid emitting pi_entry structures for unavailable dev_printk() kernel +messages by: + 1. Introducing a dev_no_printk() helper, mimicked after the existing + no_printk() helper, which calls _dev_printk() instead of + dev_printk(), + 2. Replacing all "if (0) dev_printk(...)" constructs by calls to the + new helper. + +This reduces the size of an arm64 defconfig kernel with +CONFIG_PRINTK_INDEX=y by 957 KiB. + +Fixes: ad7d61f159db7397 ("printk: index: Add indexing support to dev_printk") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Andy Shevchenko +Reviewed-by: Xiubo Li +Reviewed-by: Chris Down +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/8583d54f1687c801c6cda8edddf2cf0344c6e883.1709127473.git.geert+renesas@glider.be +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + include/linux/dev_printk.h | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/include/linux/dev_printk.h b/include/linux/dev_printk.h +index 8904063d4c9f0..65eec5be8ccb9 100644 +--- a/include/linux/dev_printk.h ++++ b/include/linux/dev_printk.h +@@ -129,6 +129,16 @@ void _dev_info(const struct device *dev, const char *fmt, ...) + _dev_printk(level, dev, fmt, ##__VA_ARGS__); \ + }) + ++/* ++ * Dummy dev_printk for disabled debugging statements to use whilst maintaining ++ * gcc's format checking. ++ */ ++#define dev_no_printk(level, dev, fmt, ...) \ ++ ({ \ ++ if (0) \ ++ _dev_printk(level, dev, fmt, ##__VA_ARGS__); \ ++ }) ++ + /* + * #defines for all the dev_ macros to prefix with whatever + * possible use of #define dev_fmt(fmt) ... +@@ -158,10 +168,7 @@ void _dev_info(const struct device *dev, const char *fmt, ...) + dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #else + #define dev_dbg(dev, fmt, ...) \ +-({ \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-}) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + #ifdef CONFIG_PRINTK +@@ -247,20 +254,14 @@ do { \ + } while (0) + #else + #define dev_dbg_ratelimited(dev, fmt, ...) \ +-do { \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-} while (0) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + #ifdef VERBOSE_DEBUG + #define dev_vdbg dev_dbg + #else + #define dev_vdbg(dev, fmt, ...) \ +-({ \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-}) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + /* +-- +2.43.0 + diff --git a/queue-6.1/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch b/queue-6.1/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch new file mode 100644 index 00000000000..d519eed38a6 --- /dev/null +++ b/queue-6.1/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch @@ -0,0 +1,43 @@ +From 0c9775bea6cfee1bc8db4941a971a6725e3b02de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:27 +0800 +Subject: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() + +From: Hao Chen + +[ Upstream commit 582c1aeee0a9e73010cf1c4cef338709860deeb0 ] + +pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() +fails, the irq vector is not freed, which leads to a memory leak. + +Replace the devm_add_action with devm_add_action_or_reset to ensure +the irq vector can be destroyed when it fails. + +Fixes: 66637ab137b4 ("drivers/perf: hisi: add driver for HNS3 PMU") +Signed-off-by: Hao Chen +Signed-off-by: Junhao He +Reviewed-by: Jijie Shao +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240425124627.13764-4-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hns3_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hns3_pmu.c b/drivers/perf/hisilicon/hns3_pmu.c +index cbdd53b0a0342..60062eaa342aa 100644 +--- a/drivers/perf/hisilicon/hns3_pmu.c ++++ b/drivers/perf/hisilicon/hns3_pmu.c +@@ -1527,7 +1527,7 @@ static int hns3_pmu_irq_register(struct pci_dev *pdev, + return ret; + } + +- ret = devm_add_action(&pdev->dev, hns3_pmu_free_irq, pdev); ++ ret = devm_add_action_or_reset(&pdev->dev, hns3_pmu_free_irq, pdev); + if (ret) { + pci_err(pdev, "failed to add free irq action, ret = %d.\n", ret); + return ret; +-- +2.43.0 + diff --git a/queue-6.1/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch b/queue-6.1/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch new file mode 100644 index 00000000000..2803c307545 --- /dev/null +++ b/queue-6.1/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch @@ -0,0 +1,70 @@ +From c67c5f540d2b6d0cc64ffa53e1dff9c88c7788c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:26 +0800 +Subject: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event + group + +From: Junhao He + +[ Upstream commit 81bdd60a3d1d3b05e6cc6674845afb1694dd3a0e ] + +The perf tool allows users to create event groups through following +cmd [1], but the driver does not check whether the array index is out +of bounds when writing data to the event_group array. If the number of +events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the +memory write overflow of event_group array occurs. + +Add array index check to fix the possible array out of bounds violation, +and return directly when write new events are written to array bounds. + +There are 9 different events in an event_group. +[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/} + +Fixes: 66637ab137b4 ("drivers/perf: hisi: add driver for HNS3 PMU") +Signed-off-by: Junhao He +Signed-off-by: Hao Chen +Acked-by: Jonathan Cameron +Reviewed-by: Jijie Shao +Link: https://lore.kernel.org/r/20240425124627.13764-3-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hns3_pmu.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hns3_pmu.c b/drivers/perf/hisilicon/hns3_pmu.c +index 16869bf5bf4cc..cbdd53b0a0342 100644 +--- a/drivers/perf/hisilicon/hns3_pmu.c ++++ b/drivers/perf/hisilicon/hns3_pmu.c +@@ -1085,15 +1085,27 @@ static bool hns3_pmu_validate_event_group(struct perf_event *event) + return false; + + for (num = 0; num < counters; num++) { ++ /* ++ * If we find a related event, then it's a valid group ++ * since we don't need to allocate a new counter for it. ++ */ + if (hns3_pmu_cmp_event(event_group[num], sibling)) + break; + } + ++ /* ++ * Otherwise it's a new event but if there's no available counter, ++ * fail the check since we cannot schedule all the events in ++ * the group simultaneously. ++ */ ++ if (num == HNS3_PMU_MAX_HW_EVENTS) ++ return false; ++ + if (num == counters) + event_group[counters++] = sibling; + } + +- return counters <= HNS3_PMU_MAX_HW_EVENTS; ++ return true; + } + + static u32 hns3_pmu_get_filter_condition(struct perf_event *event) +-- +2.43.0 + diff --git a/queue-6.1/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch b/queue-6.1/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch new file mode 100644 index 00000000000..02f9f5a8cb5 --- /dev/null +++ b/queue-6.1/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch @@ -0,0 +1,69 @@ +From 2fc32da2c5c082a186f840d4d59e508182dcda5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:25 +0800 +Subject: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event + group + +From: Junhao He + +[ Upstream commit 77fce82678ea5fd51442e62febec2004f79e041b ] + +The perf tool allows users to create event groups through following +cmd [1], but the driver does not check whether the array index is out of +bounds when writing data to the event_group array. If the number of events +in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write +overflow of event_group array occurs. + +Add array index check to fix the possible array out of bounds violation, +and return directly when write new events are written to array bounds. + +There are 9 different events in an event_group. +[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}' + +Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") +Signed-off-by: Junhao He +Reviewed-by: Jijie Shao +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240425124627.13764-2-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c +index c4c1cd269c577..49f2d69c119df 100644 +--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c ++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c +@@ -326,15 +326,27 @@ static bool hisi_pcie_pmu_validate_event_group(struct perf_event *event) + return false; + + for (num = 0; num < counters; num++) { ++ /* ++ * If we find a related event, then it's a valid group ++ * since we don't need to allocate a new counter for it. ++ */ + if (hisi_pcie_pmu_cmp_event(event_group[num], sibling)) + break; + } + ++ /* ++ * Otherwise it's a new event but if there's no available counter, ++ * fail the check since we cannot schedule all the events in ++ * the group simultaneously. ++ */ ++ if (num == HISI_PCIE_MAX_COUNTERS) ++ return false; ++ + if (num == counters) + event_group[counters++] = sibling; + } + +- return counters <= HISI_PCIE_MAX_COUNTERS; ++ return true; + } + + static int hisi_pcie_pmu_event_init(struct perf_event *event) +-- +2.43.0 + diff --git a/queue-6.1/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch b/queue-6.1/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch new file mode 100644 index 00000000000..27f6753d871 --- /dev/null +++ b/queue-6.1/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch @@ -0,0 +1,195 @@ +From 38f5f49948f947230c5ed05b99c641f8daab1bee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 17:55:25 +0200 +Subject: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() + +From: David Hildenbrand + +[ Upstream commit 3d6586008f7b638f91f3332602592caa8b00b559 ] + +Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes". + +Patch #1 fixes a bunch of issues I spotted in the acrn driver. It +compiles, that's all I know. I'll appreciate some review and testing from +acrn folks. + +Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding +more sanity checks, and improving the documentation. Gave it a quick test +on x86-64 using VM_PAT that ends up using follow_pte(). + +This patch (of 3): + +We currently miss handling various cases, resulting in a dangerous +follow_pte() (previously follow_pfn()) usage. + +(1) We're not checking PTE write permissions. + +Maybe we should simply always require pte_write() like we do for +pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for +ACRN_MEM_ACCESS_WRITE for now. + +(2) We're not rejecting refcounted pages. + +As we are not using MMU notifiers, messing with refcounted pages is +dangerous and can result in use-after-free. Let's make sure to reject them. + +(3) We are only looking at the first PTE of a bigger range. + +We only lookup a single PTE, but memmap->len may span a larger area. +Let's loop over all involved PTEs and make sure the PFN range is +actually contiguous. Reject everything else: it couldn't have worked +either way, and rather made use access PFNs we shouldn't be accessing. + +Link: https://lkml.kernel.org/r/20240410155527.474777-1-david@redhat.com +Link: https://lkml.kernel.org/r/20240410155527.474777-2-david@redhat.com +Fixes: 8a6e85f75a83 ("virt: acrn: obtain pa from VMA with PFNMAP flag") +Signed-off-by: David Hildenbrand +Cc: Alex Williamson +Cc: Christoph Hellwig +Cc: Fei Li +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Ingo Molnar +Cc: Paolo Bonzini +Cc: Yonghua Huang +Cc: Sean Christopherson +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/virt/acrn/mm.c | 63 +++++++++++++++++++++++++++++++----------- + 1 file changed, 47 insertions(+), 16 deletions(-) + +diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c +index ffc1d1136f765..8ef49d7be453c 100644 +--- a/drivers/virt/acrn/mm.c ++++ b/drivers/virt/acrn/mm.c +@@ -155,23 +155,29 @@ int acrn_vm_memseg_unmap(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + { + struct vm_memory_region_batch *regions_info; +- int nr_pages, i = 0, order, nr_regions = 0; ++ int nr_pages, i, order, nr_regions = 0; + struct vm_memory_mapping *region_mapping; + struct vm_memory_region_op *vm_region; + struct page **pages = NULL, *page; + void *remap_vaddr; + int ret, pinned; + u64 user_vm_pa; +- unsigned long pfn; + struct vm_area_struct *vma; + + if (!vm || !memmap) + return -EINVAL; + ++ /* Get the page number of the map region */ ++ nr_pages = memmap->len >> PAGE_SHIFT; ++ if (!nr_pages) ++ return -EINVAL; ++ + mmap_read_lock(current->mm); + vma = vma_lookup(current->mm, memmap->vma_base); + if (vma && ((vma->vm_flags & VM_PFNMAP) != 0)) { ++ unsigned long start_pfn, cur_pfn; + spinlock_t *ptl; ++ bool writable; + pte_t *ptep; + + if ((memmap->vma_base + memmap->len) > vma->vm_end) { +@@ -179,25 +185,53 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + return -EINVAL; + } + +- ret = follow_pte(vma->vm_mm, memmap->vma_base, &ptep, &ptl); +- if (ret < 0) { +- mmap_read_unlock(current->mm); ++ for (i = 0; i < nr_pages; i++) { ++ ret = follow_pte(vma->vm_mm, ++ memmap->vma_base + i * PAGE_SIZE, ++ &ptep, &ptl); ++ if (ret) ++ break; ++ ++ cur_pfn = pte_pfn(ptep_get(ptep)); ++ if (i == 0) ++ start_pfn = cur_pfn; ++ writable = !!pte_write(ptep_get(ptep)); ++ pte_unmap_unlock(ptep, ptl); ++ ++ /* Disallow write access if the PTE is not writable. */ ++ if (!writable && ++ (memmap->attr & ACRN_MEM_ACCESS_WRITE)) { ++ ret = -EFAULT; ++ break; ++ } ++ ++ /* Disallow refcounted pages. */ ++ if (pfn_valid(cur_pfn) && ++ !PageReserved(pfn_to_page(cur_pfn))) { ++ ret = -EFAULT; ++ break; ++ } ++ ++ /* Disallow non-contiguous ranges. */ ++ if (cur_pfn != start_pfn + i) { ++ ret = -EINVAL; ++ break; ++ } ++ } ++ mmap_read_unlock(current->mm); ++ ++ if (ret) { + dev_dbg(acrn_dev.this_device, + "Failed to lookup PFN at VMA:%pK.\n", (void *)memmap->vma_base); + return ret; + } +- pfn = pte_pfn(ptep_get(ptep)); +- pte_unmap_unlock(ptep, ptl); +- mmap_read_unlock(current->mm); + + return acrn_mm_region_add(vm, memmap->user_vm_pa, +- PFN_PHYS(pfn), memmap->len, ++ PFN_PHYS(start_pfn), memmap->len, + ACRN_MEM_TYPE_WB, memmap->attr); + } + mmap_read_unlock(current->mm); + +- /* Get the page number of the map region */ +- nr_pages = memmap->len >> PAGE_SHIFT; + pages = vzalloc(array_size(nr_pages, sizeof(*pages))); + if (!pages) + return -ENOMEM; +@@ -241,12 +275,11 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + mutex_unlock(&vm->regions_mapping_lock); + + /* Calculate count of vm_memory_region_op */ +- while (i < nr_pages) { ++ for (i = 0; i < nr_pages; i += 1 << order) { + page = pages[i]; + VM_BUG_ON_PAGE(PageTail(page), page); + order = compound_order(page); + nr_regions++; +- i += 1 << order; + } + + /* Prepare the vm_memory_region_batch */ +@@ -263,8 +296,7 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + regions_info->regions_num = nr_regions; + regions_info->regions_gpa = virt_to_phys(vm_region); + user_vm_pa = memmap->user_vm_pa; +- i = 0; +- while (i < nr_pages) { ++ for (i = 0; i < nr_pages; i += 1 << order) { + u32 region_size; + + page = pages[i]; +@@ -280,7 +312,6 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + + vm_region++; + user_vm_pa += region_size; +- i += 1 << order; + } + + /* Inform the ACRN Hypervisor to set up EPT mappings */ +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-add-dtbclk-access-to-dcn315.patch b/queue-6.1/drm-amd-display-add-dtbclk-access-to-dcn315.patch new file mode 100644 index 00000000000..c81e41c5e24 --- /dev/null +++ b/queue-6.1/drm-amd-display-add-dtbclk-access-to-dcn315.patch @@ -0,0 +1,55 @@ +From 91c5ff23e8095c0fb2b317d55a4dd87843116b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 21:07:46 -0400 +Subject: drm/amd/display: Add dtbclk access to dcn315 + +From: Swapnil Patel + +[ Upstream commit a01b64f31d65bdc917d1afb4cec9915beb6931be ] + +[Why & How] + +Currently DCN315 clk manager is missing code to enable/disable dtbclk. +Because of this, "optimized_required" flag is constantly set +and this prevents FreeSync from engaging for certain high bandwidth +display Modes which require DTBCLK. + +Reviewed-by: Dmytro Laktyushkin +Acked-by: Aurabindo Pillai +Signed-off-by: Swapnil Patel +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c +index 28b83133db910..09eb1bc9aa030 100644 +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c +@@ -131,6 +131,10 @@ static void dcn315_update_clocks(struct clk_mgr *clk_mgr_base, + */ + clk_mgr_base->clks.zstate_support = new_clocks->zstate_support; + if (safe_to_lower) { ++ if (clk_mgr_base->clks.dtbclk_en && !new_clocks->dtbclk_en) { ++ dcn315_smu_set_dtbclk(clk_mgr, false); ++ clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; ++ } + /* check that we're not already in lower */ + if (clk_mgr_base->clks.pwr_state != DCN_PWR_STATE_LOW_POWER) { + display_count = dcn315_get_active_display_cnt_wa(dc, context); +@@ -146,6 +150,10 @@ static void dcn315_update_clocks(struct clk_mgr *clk_mgr_base, + } + } + } else { ++ if (!clk_mgr_base->clks.dtbclk_en && new_clocks->dtbclk_en) { ++ dcn315_smu_set_dtbclk(clk_mgr, true); ++ clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; ++ } + /* check that we're not already in D0 */ + if (clk_mgr_base->clks.pwr_state != DCN_PWR_STATE_MISSION_MODE) { + union display_idle_optimization_u idle_info = { 0 }; +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-add-vco-speed-parameter-for-dcn31-fp.patch b/queue-6.1/drm-amd-display-add-vco-speed-parameter-for-dcn31-fp.patch new file mode 100644 index 00000000000..e8772a1f8c1 --- /dev/null +++ b/queue-6.1/drm-amd-display-add-vco-speed-parameter-for-dcn31-fp.patch @@ -0,0 +1,43 @@ +From 9f3da53cf1ed33d6dc5db83e6eb3aef8771ce44c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 11:19:03 -0600 +Subject: drm/amd/display: Add VCO speed parameter for DCN31 FPU + +From: Rodrigo Siqueira + +[ Upstream commit 0e62103bdcbc88281e16add299a946fb3bd02fbe ] + +Add VCO speed parameters in the bounding box array. + +Acked-by: Wayne Lin +Signed-off-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c +index 19d034341e640..cb2f6cd73af54 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c +@@ -291,6 +291,7 @@ static struct _vcs_dpi_soc_bounding_box_st dcn3_15_soc = { + .do_urgent_latency_adjustment = false, + .urgent_latency_adjustment_fabric_clock_component_us = 0, + .urgent_latency_adjustment_fabric_clock_reference_mhz = 0, ++ .dispclk_dppclk_vco_speed_mhz = 2400.0, + .num_chans = 4, + .dummy_pstate_latency_us = 10.0 + }; +@@ -438,6 +439,7 @@ static struct _vcs_dpi_soc_bounding_box_st dcn3_16_soc = { + .do_urgent_latency_adjustment = false, + .urgent_latency_adjustment_fabric_clock_component_us = 0, + .urgent_latency_adjustment_fabric_clock_reference_mhz = 0, ++ .dispclk_dppclk_vco_speed_mhz = 2500.0, + }; + + void dcn31_zero_pipe_dcc_fraction(display_e2e_pipe_params_st *pipes, +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-fix-potential-index-out-of-bounds-in.patch b/queue-6.1/drm-amd-display-fix-potential-index-out-of-bounds-in.patch new file mode 100644 index 00000000000..4f008a9f503 --- /dev/null +++ b/queue-6.1/drm-amd-display-fix-potential-index-out-of-bounds-in.patch @@ -0,0 +1,58 @@ +From 87fb3887f2cb0ab9f70e030b19a99e29ca5a6bc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 18:38:08 +0530 +Subject: drm/amd/display: Fix potential index out of bounds in color + transformation function + +From: Srinivasan Shanmugam + +[ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] + +Fixes index out of bounds issue in the color transformation function. +The issue could occur when the index 'i' exceeds the number of transfer +function points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds, an error message is +logged and the function returns false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") +Cc: Vitaly Prosyak +Cc: Charlene Liu +Cc: Harry Wentland +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Aurabindo Pillai +Cc: Tom Chung +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index 3538973bd0c6c..c0372aa4ec838 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -382,6 +382,11 @@ bool cm_helper_translate_curve_to_hw_format(struct dc_context *ctx, + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) { ++ DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", ++ i, TRANSFER_FUNC_POINTS); ++ return false; ++ } + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch b/queue-6.1/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch new file mode 100644 index 00000000000..3e155e9492d --- /dev/null +++ b/queue-6.1/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch @@ -0,0 +1,37 @@ +From 72f1295a5bcfda6afa3726173a600075e07bc262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 04:21:55 +0000 +Subject: drm/amd/display: Set color_mgmt_changed to true on unsuspend + +From: Joshua Ashton + +[ Upstream commit 2eb9dd497a698dc384c0dd3e0311d541eb2e13dd ] + +Otherwise we can end up with a frame on unsuspend where color management +is not applied when userspace has not committed themselves. + +Fixes re-applying color management on Steam Deck/Gamescope on S3 resume. + +Signed-off-by: Joshua Ashton +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index ff460c9802eb2..31bae620aeffc 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2964,6 +2964,7 @@ static int dm_resume(void *handle) + dc_stream_release(dm_new_crtc_state->stream); + dm_new_crtc_state->stream = NULL; + } ++ dm_new_crtc_state->base.color_mgmt_changed = true; + } + + for_each_new_plane_in_state(dm->cached_state, plane, new_plane_state, i) { +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-fix-the-ring-buffer-size-for-queue-vm-flu.patch b/queue-6.1/drm-amdgpu-fix-the-ring-buffer-size-for-queue-vm-flu.patch new file mode 100644 index 00000000000..9c0f8ca2d62 --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-the-ring-buffer-size-for-queue-vm-flu.patch @@ -0,0 +1,94 @@ +From b9418c17aabffcde86dc19ac35f913fae5bef1b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 15:33:34 +0800 +Subject: drm/amdgpu: Fix the ring buffer size for queue VM flush +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prike Liang + +[ Upstream commit fe93b0927bc58cb1d64230f45744e527d9d8482c ] + +Here are the corrections needed for the queue ring buffer size +calculation for the following cases: +- Remove the KIQ VM flush ring usage. +- Add the invalidate TLBs packet for gfx10 and gfx11 queue. +- There's no VM flush and PFP sync, so remove the gfx9 real + ring and compute ring buffer usage. + +Signed-off-by: Prike Liang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 3 +-- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 3 +-- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 -- + 3 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 84a36b50ddd87..f8382b227ad46 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -9352,7 +9352,7 @@ static const struct amdgpu_ring_funcs gfx_v10_0_ring_funcs_gfx = { + 7 + /* PIPELINE_SYNC */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* VM_FLUSH */ ++ 4 + /* VM_FLUSH */ + 8 + /* FENCE for VM_FLUSH */ + 20 + /* GDS switch */ + 4 + /* double SWITCH_BUFFER, +@@ -9445,7 +9445,6 @@ static const struct amdgpu_ring_funcs gfx_v10_0_ring_funcs_kiq = { + 7 + /* gfx_v10_0_ring_emit_pipeline_sync */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* gfx_v10_0_ring_emit_vm_flush */ + 8 + 8 + 8, /* gfx_v10_0_ring_emit_fence_kiq x3 for user fence, vm fence */ + .emit_ib_size = 7, /* gfx_v10_0_ring_emit_ib_compute */ + .emit_ib = gfx_v10_0_ring_emit_ib_compute, +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 5a5787bfbce7f..1f9f7fdd4b8e0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -6157,7 +6157,7 @@ static const struct amdgpu_ring_funcs gfx_v11_0_ring_funcs_gfx = { + 7 + /* PIPELINE_SYNC */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* VM_FLUSH */ ++ 4 + /* VM_FLUSH */ + 8 + /* FENCE for VM_FLUSH */ + 20 + /* GDS switch */ + 5 + /* COND_EXEC */ +@@ -6243,7 +6243,6 @@ static const struct amdgpu_ring_funcs gfx_v11_0_ring_funcs_kiq = { + 7 + /* gfx_v11_0_ring_emit_pipeline_sync */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* gfx_v11_0_ring_emit_vm_flush */ + 8 + 8 + 8, /* gfx_v11_0_ring_emit_fence_kiq x3 for user fence, vm fence */ + .emit_ib_size = 7, /* gfx_v11_0_ring_emit_ib_compute */ + .emit_ib = gfx_v11_0_ring_emit_ib_compute, +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 195b298923543..6a1fe21685149 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -6742,7 +6742,6 @@ static const struct amdgpu_ring_funcs gfx_v9_0_ring_funcs_compute = { + 7 + /* gfx_v9_0_ring_emit_pipeline_sync */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* gfx_v9_0_ring_emit_vm_flush */ + 8 + 8 + 8 + /* gfx_v9_0_ring_emit_fence x3 for user fence, vm fence */ + 7 + /* gfx_v9_0_emit_mem_sync */ + 5 + /* gfx_v9_0_emit_wave_limit for updating mmSPI_WCL_PIPE_PERCENT_GFX register */ +@@ -6781,7 +6780,6 @@ static const struct amdgpu_ring_funcs gfx_v9_0_ring_funcs_kiq = { + 7 + /* gfx_v9_0_ring_emit_pipeline_sync */ + SOC15_FLUSH_GPU_TLB_NUM_WREG * 5 + + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 7 + +- 2 + /* gfx_v9_0_ring_emit_vm_flush */ + 8 + 8 + 8, /* gfx_v9_0_ring_emit_fence_kiq x3 for user fence, vm fence */ + .emit_ib_size = 7, /* gfx_v9_0_ring_emit_ib_compute */ + .emit_fence = gfx_v9_0_ring_emit_fence_kiq, +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-mes-fix-use-after-free-issue.patch b/queue-6.1/drm-amdgpu-mes-fix-use-after-free-issue.patch new file mode 100644 index 00000000000..4f4d83a4048 --- /dev/null +++ b/queue-6.1/drm-amdgpu-mes-fix-use-after-free-issue.patch @@ -0,0 +1,41 @@ +From 8bacee07c013b1f4c45a94183867dbae0234d0bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 16:22:54 +0800 +Subject: drm/amdgpu/mes: fix use-after-free issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jack Xiao + +[ Upstream commit 948255282074d9367e01908b3f5dcf8c10fc9c3d ] + +Delete fence fallback timer to fix the ramdom +use-after-free issue. + +v2: move to amdgpu_mes.c + +Signed-off-by: Jack Xiao +Acked-by: Lijo Lazar +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +index bebd136ed5444..9a4cbfbd5d9e5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +@@ -1083,6 +1083,7 @@ void amdgpu_mes_remove_ring(struct amdgpu_device *adev, + return; + + amdgpu_mes_remove_hw_queue(adev, ring->hw_queue_id); ++ del_timer_sync(&ring->fence_drv.fallback_timer); + amdgpu_ring_fini(ring); + kfree(ring); + } +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-update-bo-eviction-priorities.patch b/queue-6.1/drm-amdgpu-update-bo-eviction-priorities.patch new file mode 100644 index 00000000000..bd064c10a3c --- /dev/null +++ b/queue-6.1/drm-amdgpu-update-bo-eviction-priorities.patch @@ -0,0 +1,44 @@ +From af09737351c71a28a994f225e96f0672d1f9f573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 13:56:42 -0400 +Subject: drm/amdgpu: Update BO eviction priorities +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +[ Upstream commit b0b13d532105e0e682d95214933bb8483a063184 ] + +Make SVM BOs more likely to get evicted than other BOs. These BOs +opportunistically use available VRAM, but can fall back relatively +seamlessly to system memory. It also avoids SVM migrations evicting +other, more important BOs as they will evict other SVM allocations +first. + +Signed-off-by: Felix Kuehling +Acked-by: Mukul Joshi +Tested-by: Mukul Joshi +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c +index 9a111988b7f15..7acf1586882e1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c +@@ -585,6 +585,8 @@ int amdgpu_bo_create(struct amdgpu_device *adev, + else + amdgpu_bo_placement_from_domain(bo, bp->domain); + if (bp->type == ttm_bo_type_kernel) ++ bo->tbo.priority = 2; ++ else if (!(bp->flags & AMDGPU_GEM_CREATE_DISCARDABLE)) + bo->tbo.priority = 1; + + if (!bp->destroy) +-- +2.43.0 + diff --git a/queue-6.1/drm-amdkfd-flush-the-process-wq-before-creating-a-kf.patch b/queue-6.1/drm-amdkfd-flush-the-process-wq-before-creating-a-kf.patch new file mode 100644 index 00000000000..e69820c99ef --- /dev/null +++ b/queue-6.1/drm-amdkfd-flush-the-process-wq-before-creating-a-kf.patch @@ -0,0 +1,61 @@ +From bb1042b1a9bba518ad39eebbc34b36c31b66eba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 14:14:13 +0100 +Subject: drm/amdkfd: Flush the process wq before creating a kfd_process + +From: Lancelot SIX + +[ Upstream commit f5b9053398e70a0c10aa9cb4dd5910ab6bc457c5 ] + +There is a race condition when re-creating a kfd_process for a process. +This has been observed when a process under the debugger executes +exec(3). In this scenario: +- The process executes exec. + - This will eventually release the process's mm, which will cause the + kfd_process object associated with the process to be freed + (kfd_process_free_notifier decrements the reference count to the + kfd_process to 0). This causes kfd_process_ref_release to enqueue + kfd_process_wq_release to the kfd_process_wq. +- The debugger receives the PTRACE_EVENT_EXEC notification, and tries to + re-enable AMDGPU traps (KFD_IOC_DBG_TRAP_ENABLE). + - When handling this request, KFD tries to re-create a kfd_process. + This eventually calls kfd_create_process and kobject_init_and_add. + +At this point the call to kobject_init_and_add can fail because the +old kfd_process.kobj has not been freed yet by kfd_process_wq_release. + +This patch proposes to avoid this race by making sure to drain +kfd_process_wq before creating a new kfd_process object. This way, we +know that any cleanup task is done executing when we reach +kobject_init_and_add. + +Signed-off-by: Lancelot SIX +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +index 7f68d51541e8e..5bca6abd55aef 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -823,6 +823,14 @@ struct kfd_process *kfd_create_process(struct file *filep) + if (process) { + pr_debug("Process already found\n"); + } else { ++ /* If the process just called exec(3), it is possible that the ++ * cleanup of the kfd_process (following the release of the mm ++ * of the old process image) is still in the cleanup work queue. ++ * Make sure to drain any job before trying to recreate any ++ * resource for this process. ++ */ ++ flush_workqueue(kfd_process_wq); ++ + process = create_process(thread); + if (IS_ERR(process)) + goto out; +-- +2.43.0 + diff --git a/queue-6.1/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch b/queue-6.1/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch new file mode 100644 index 00000000000..a3756f2726f --- /dev/null +++ b/queue-6.1/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch @@ -0,0 +1,42 @@ +From d9a0c5b50f8b11983207e9b19f763481076fad99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 14:30:53 +0800 +Subject: drm/arm/malidp: fix a possible null pointer dereference + +From: Huai-Yuan Liu + +[ Upstream commit a1f95aede6285dba6dd036d907196f35ae3a11ea ] + +In malidp_mw_connector_reset, new memory is allocated with kzalloc, but +no check is performed. In order to prevent null pointer dereferencing, +ensure that mw_state is checked before calling +__drm_atomic_helper_connector_reset. + +Fixes: 8cbc5caf36ef ("drm: mali-dp: Add writeback connector") +Signed-off-by: Huai-Yuan Liu +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20240407063053.5481-1-qq810974084@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/arm/malidp_mw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_mw.c b/drivers/gpu/drm/arm/malidp_mw.c +index ef76d0e6ee2fc..389d32994135b 100644 +--- a/drivers/gpu/drm/arm/malidp_mw.c ++++ b/drivers/gpu/drm/arm/malidp_mw.c +@@ -72,7 +72,10 @@ static void malidp_mw_connector_reset(struct drm_connector *connector) + __drm_atomic_helper_connector_destroy_state(connector->state); + + kfree(connector->state); +- __drm_atomic_helper_connector_reset(connector, &mw_state->base); ++ connector->state = NULL; ++ ++ if (mw_state) ++ __drm_atomic_helper_connector_reset(connector, &mw_state->base); + } + + static enum drm_connector_status +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch b/queue-6.1/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..33877a78920 --- /dev/null +++ b/queue-6.1/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From fb78a02df73e77ea90197c87058ca762b87e85f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:29 -0400 +Subject: drm/bridge: anx7625: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit ef4a9204d594fe959cdbc7418273caf4001535c8 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 269332997a16 ("drm/bridge: anx7625: Return -EPROBE_DEFER if the dsi host was not found") +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Neil Armstrong +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-1-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/anx7625.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c +index 77a304ac4d75e..193015c75b454 100644 +--- a/drivers/gpu/drm/bridge/analogix/anx7625.c ++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c +@@ -2077,10 +2077,8 @@ static int anx7625_setup_dsi_device(struct anx7625_data *ctx) + }; + + host = of_find_mipi_dsi_host_by_node(ctx->pdata.mipi_host_node); +- if (!host) { +- DRM_DEV_ERROR(dev, "fail to find dsi host.\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "fail to find dsi host.\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch b/queue-6.1/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch new file mode 100644 index 00000000000..654e5e862d1 --- /dev/null +++ b/queue-6.1/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch @@ -0,0 +1,43 @@ +From 47c50ec84e2fc81e81fff3ac355e9d224546d454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 15:58:10 +0300 +Subject: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ] + +In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is +assigned to mhdp_state->current_mode, and there is a dereference of it in +drm_mode_set_name(), which will lead to a NULL pointer dereference on +failure of drm_mode_duplicate(). + +Fix this bug add a check of mhdp_state->current_mode. + +Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +index 31442a9225029..1b7c14d7c5ee3 100644 +--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c ++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +@@ -2042,6 +2042,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge, + mhdp_state = to_cdns_mhdp_bridge_state(new_state); + + mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode); ++ if (!mhdp_state->current_mode) ++ return; ++ + drm_mode_set_name(mhdp_state->current_mode); + + dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name); +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch b/queue-6.1/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..510ed3a3eaf --- /dev/null +++ b/queue-6.1/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,80 @@ +From 63566ad3643e699f5260f98616aaa1bea232994e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:35 -0400 +Subject: drm/bridge: dpc3433: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 24f4f575214de776539d346b99b8717bffa8ebba ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Also move the "failed to attach" error message so that it's only printed +when the devm_mipi_dsi_attach() call fails. + +Fixes: 6352cd451ddb ("drm: bridge: Add TI DLPC3433 DSI to DMD bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-7-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-dlpc3433.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-dlpc3433.c b/drivers/gpu/drm/bridge/ti-dlpc3433.c +index 186a9e2ff24dc..d1684e66d9e3d 100644 +--- a/drivers/gpu/drm/bridge/ti-dlpc3433.c ++++ b/drivers/gpu/drm/bridge/ti-dlpc3433.c +@@ -319,12 +319,11 @@ static int dlpc_host_attach(struct dlpc *dlpc) + .channel = 0, + .node = NULL, + }; ++ int ret; + + host = of_find_mipi_dsi_host_by_node(dlpc->host_node); +- if (!host) { +- DRM_DEV_ERROR(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dlpc->dsi = mipi_dsi_device_register_full(host, &info); + if (IS_ERR(dlpc->dsi)) { +@@ -336,7 +335,11 @@ static int dlpc_host_attach(struct dlpc *dlpc) + dlpc->dsi->format = MIPI_DSI_FMT_RGB565; + dlpc->dsi->lanes = dlpc->dsi_lanes; + +- return devm_mipi_dsi_attach(dev, dlpc->dsi); ++ ret = devm_mipi_dsi_attach(dev, dlpc->dsi); ++ if (ret) ++ DRM_DEV_ERROR(dev, "failed to attach dsi host\n"); ++ ++ return ret; + } + + static int dlpc3433_probe(struct i2c_client *client) +@@ -367,10 +370,8 @@ static int dlpc3433_probe(struct i2c_client *client) + drm_bridge_add(&dlpc->bridge); + + ret = dlpc_host_attach(dlpc); +- if (ret) { +- DRM_DEV_ERROR(dev, "failed to attach dsi host\n"); ++ if (ret) + goto err_remove_bridge; +- } + + return 0; + +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch b/queue-6.1/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch new file mode 100644 index 00000000000..42cd809dbad --- /dev/null +++ b/queue-6.1/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch @@ -0,0 +1,154 @@ +From 57b7e7112f3ca616d84d280af3a7ad1d8d3bf53d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 22:37:51 +0530 +Subject: drm/bridge: Fix improper bridge init order with pre_enable_prev_first + +From: Jagan Teki + +[ Upstream commit e18aeeda0b6905c333df5a0566b99f5c84426098 ] + +For a given bridge pipeline if any bridge sets pre_enable_prev_first +flag then the pre_enable for the previous bridge will be called before +pre_enable of this bridge and opposite is done for post_disable. + +These are the potential bridge flags to alter bridge init order in order +to satisfy the MIPI DSI host and downstream panel or bridge to function. +However the existing pre_enable_prev_first logic with associated bridge +ordering has broken for both pre_enable and post_disable calls. + +[pre_enable] + +The altered bridge ordering has failed if two consecutive bridges on a +given pipeline enables the pre_enable_prev_first flag. + +Example: +- Panel +- Bridge 1 +- Bridge 2 pre_enable_prev_first +- Bridge 3 +- Bridge 4 pre_enable_prev_first +- Bridge 5 pre_enable_prev_first +- Bridge 6 +- Encoder + +In this example, Bridge 4 and Bridge 5 have pre_enable_prev_first. + +The logic looks for a bridge which enabled pre_enable_prev_first flag +on each iteration and assigned the previou bridge to limit pointer +if the bridge doesn't enable pre_enable_prev_first flags. + +If control found Bridge 2 is pre_enable_prev_first then the iteration +looks for Bridge 3 and found it is not pre_enable_prev_first and assigns +it's previous Bridge 4 to limit pointer and calls pre_enable of Bridge 3 +and Bridge 2 and assign iter pointer with limit which is Bridge 4. + +Here is the actual problem, for the next iteration control look for +Bridge 5 instead of Bridge 4 has iter pointer in previous iteration +moved to Bridge 4 so this iteration skips the Bridge 4. The iteration +found Bridge 6 doesn't pre_enable_prev_first flags so the limit assigned +to Encoder. From next iteration Encoder skips as it is the last bridge +for reverse order pipeline. + +So, the resulting pre_enable bridge order would be, +- Panel, Bridge 1, Bridge 3, Bridge 2, Bridge 6, Bridge 5. + +This patch fixes this by assigning limit to next pointer instead of +previous bridge since the iteration always looks for bridge that does +NOT request prev so assigning next makes sure the last bridge on a +given iteration what exactly the limit bridge is. + +So, the resulting pre_enable bridge order with fix would be, +- Panel, Bridge 1, Bridge 3, Bridge 2, Bridge 6, Bridge 5, Bridge 4, + Encoder. + +[post_disable] + +The altered bridge ordering has failed if two consecutive bridges on a +given pipeline enables the pre_enable_prev_first flag. + +Example: +- Panel +- Bridge 1 +- Bridge 2 pre_enable_prev_first +- Bridge 3 +- Bridge 4 pre_enable_prev_first +- Bridge 5 pre_enable_prev_first +- Bridge 6 +- Encoder + +In this example Bridge 5 and Bridge 4 have pre_enable_prev_first. + +The logic looks for a bridge which enabled pre_enable_prev_first flags +on each iteration and assigned the previou bridge to next and next to +limit pointer if the bridge does enable pre_enable_prev_first flag. + +If control starts from Bridge 6 then it found next Bridge 5 is +pre_enable_prev_first and immediately the next assigned to previous +Bridge 6 and limit assignments to next Bridge 6 and call post_enable +of Bridge 6 even though the next consecutive Bridge 5 is enabled with +pre_enable_prev_first. This clearly misses the logic to find the state +of next conducive bridge as everytime the next and limit assigns +previous bridge if given bridge enabled pre_enable_prev_first. + +So, the resulting post_disable bridge order would be, +- Encoder, Bridge 6, Bridge 5, Bridge 4, Bridge 3, Bridge 2, Bridge 1, + Panel. + +This patch fixes this by assigning next with previou bridge only if the +bridge doesn't enable pre_enable_prev_first flag and the next further +assign it to limit. This way we can find the bridge that NOT requested +prev to disable last. + +So, the resulting pre_enable bridge order with fix would be, +- Encoder, Bridge 4, Bridge 5, Bridge 6, Bridge 2, Bridge 3, Bridge 1, + Panel. + +Validated the bridge init ordering by incorporating dummy bridges in +the sun6i-mipi-dsi pipeline + +Fixes: 4fb912e5e190 ("drm/bridge: Introduce pre_enable_prev_first to alter bridge init order") +Signed-off-by: Jagan Teki +Tested-by: Michael Trimarchi +Reviewed-by: Dave Stevenson +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230328170752.1102347-1-jagan@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bridge.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c +index 7044e339a82cd..f802548798044 100644 +--- a/drivers/gpu/drm/drm_bridge.c ++++ b/drivers/gpu/drm/drm_bridge.c +@@ -755,11 +755,17 @@ void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge, + */ + list_for_each_entry_from(next, &encoder->bridge_chain, + chain_node) { +- if (next->pre_enable_prev_first) { ++ if (!next->pre_enable_prev_first) { + next = list_prev_entry(next, chain_node); + limit = next; + break; + } ++ ++ if (list_is_last(&next->chain_node, ++ &encoder->bridge_chain)) { ++ limit = next; ++ break; ++ } + } + + /* Call these bridges in reverse order */ +@@ -842,7 +848,7 @@ void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge, + /* Found first bridge that does NOT + * request prev to be enabled first + */ +- limit = list_prev_entry(next, chain_node); ++ limit = next; + break; + } + } +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch b/queue-6.1/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..e559bcb8de8 --- /dev/null +++ b/queue-6.1/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From 5abc49565a256553ea5d1d6672ff3e3773a7dea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:30 -0400 +Subject: drm/bridge: icn6211: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 275fafe58faa7fdb10fa245412696ecef676aac5 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 8dde6f7452a1 ("drm: bridge: icn6211: Add I2C configuration support") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-2-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/chipone-icn6211.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/chipone-icn6211.c b/drivers/gpu/drm/bridge/chipone-icn6211.c +index bf920c3503aa3..3459a696b34fc 100644 +--- a/drivers/gpu/drm/bridge/chipone-icn6211.c ++++ b/drivers/gpu/drm/bridge/chipone-icn6211.c +@@ -563,10 +563,8 @@ static int chipone_dsi_host_attach(struct chipone *icn) + + host = of_find_mipi_dsi_host_by_node(host_node); + of_node_put(host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = mipi_dsi_device_register_full(host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch b/queue-6.1/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..5955d0305b8 --- /dev/null +++ b/queue-6.1/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From 097642fd36a04f655cbb9e28125257995d099846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:31 -0400 +Subject: drm/bridge: lt8912b: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit b3b4695ff47c4964d4ccb930890c9ffd8e455e20 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-3-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt8912b.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt8912b.c b/drivers/gpu/drm/bridge/lontium-lt8912b.c +index ac76c23635892..55a7fa4670a7a 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c ++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c +@@ -485,10 +485,8 @@ static int lt8912_attach_dsi(struct lt8912 *lt) + }; + + host = of_find_mipi_dsi_host_by_node(lt->host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch b/queue-6.1/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch new file mode 100644 index 00000000000..395a6a51c0c --- /dev/null +++ b/queue-6.1/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch @@ -0,0 +1,50 @@ +From 2804b5475f1606158e2af5423d8a8fad6539e96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:32 -0400 +Subject: drm/bridge: lt9611: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit cd0a2c6a081ff67007323725b9ff07d9934b1ed8 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-4-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c +index ae8c6d9d4095f..e40ceb56ff55f 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c +@@ -777,10 +777,8 @@ static struct mipi_dsi_device *lt9611_attach_dsi(struct lt9611 *lt9611, + int ret; + + host = of_find_mipi_dsi_host_by_node(dsi_node); +- if (!host) { +- dev_err(lt9611->dev, "failed to find dsi host\n"); +- return ERR_PTR(-EPROBE_DEFER); +- } ++ if (!host) ++ return ERR_PTR(dev_err_probe(lt9611->dev, -EPROBE_DEFER, "failed to find dsi host\n")); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch b/queue-6.1/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch new file mode 100644 index 00000000000..89e9befac8e --- /dev/null +++ b/queue-6.1/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch @@ -0,0 +1,51 @@ +From b7f1056e8d63274d871fd0bbbe08c8113fd623df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:33 -0400 +Subject: drm/bridge: lt9611uxc: Don't log an error when DSI host can't be + found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 6d9e877cde7e9b516a9a99751b8222c87557436d ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-5-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +index 818848b2c04dd..cb75da940b890 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +@@ -263,10 +263,8 @@ static struct mipi_dsi_device *lt9611uxc_attach_dsi(struct lt9611uxc *lt9611uxc, + int ret; + + host = of_find_mipi_dsi_host_by_node(dsi_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return ERR_PTR(-EPROBE_DEFER); +- } ++ if (!host) ++ return ERR_PTR(dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n")); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch b/queue-6.1/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch new file mode 100644 index 00000000000..e9edc2ece91 --- /dev/null +++ b/queue-6.1/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch @@ -0,0 +1,49 @@ +From 094f7861163ce840d6c0af10ea3676f2c3e0e46c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:34 -0400 +Subject: drm/bridge: tc358775: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 272377aa0e3dddeec3f568c8bb9d12c7a79d8ef5 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: b26975593b17 ("display/drm/bridge: TC358775 DSI/LVDS driver") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-6-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358775.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358775.c b/drivers/gpu/drm/bridge/tc358775.c +index 02dc12b8151e7..b1c8ce5d20186 100644 +--- a/drivers/gpu/drm/bridge/tc358775.c ++++ b/drivers/gpu/drm/bridge/tc358775.c +@@ -611,10 +611,8 @@ static int tc_attach_host(struct tc_data *tc) + }; + + host = of_find_mipi_dsi_host_by_node(tc->host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-dp-don-t-attempt-aux-transfers-when-edp-panels-a.patch b/queue-6.1/drm-dp-don-t-attempt-aux-transfers-when-edp-panels-a.patch new file mode 100644 index 00000000000..26bd59003fd --- /dev/null +++ b/queue-6.1/drm-dp-don-t-attempt-aux-transfers-when-edp-panels-a.patch @@ -0,0 +1,180 @@ +From d0c7e18134da14fe3f9883a5a49f5a93540d09e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 14:11:16 -0800 +Subject: drm/dp: Don't attempt AUX transfers when eDP panels are not powered + +From: Douglas Anderson + +[ Upstream commit 8df1ddb5bf11ab820ad991e164dab82c0960add9 ] + +If an eDP panel is not powered on then any attempts to talk to it over +the DP AUX channel will timeout. Unfortunately these attempts may be +quite slow. Userspace can initiate these attempts either via a +/dev/drm_dp_auxN device or via the created i2c device. + +Making the DP AUX drivers timeout faster is a difficult proposition. +In theory we could just poll the panel's HPD line in the AUX transfer +function and immediately return an error there. However, this is +easier said than done. For one thing, there's no hard requirement to +hook the HPD line up for eDP panels and it's OK to just delay a fixed +amount. For another thing, the HPD line may not be fast to probe. On +parade-ps8640 we need to wait for the bridge chip's firmware to boot +before we can get the HPD line and this is a slow process. + +The fact that the transfers are taking so long to timeout is causing +real problems. The open source fwupd daemon sometimes scans DP busses +looking for devices whose firmware need updating. If it happens to +scan while a panel is turned off this scan can take a long time. The +fwupd daemon could try to be smarter and only scan when eDP panels are +turned on, but we can also improve the behavior in the kernel. + +Let's let eDP panels drivers specify that a panel is turned off and +then modify the common AUX transfer code not to attempt a transfer in +this case. + +Tested-by: Steev Klimaszewski +Reviewed-by: Hsin-Yi Wang +Tested-by: Eizan Miyamoto +Acked-by: Neil Armstrong +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20240202141109.1.I24277520ac754ea538c9b14578edc94e1df11b48@changeid +Stable-dep-of: 5e842d55bad7 ("drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD doesn't assert") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_dp_helper.c | 35 +++++++++++++++++++ + drivers/gpu/drm/panel/panel-edp.c | 3 ++ + .../gpu/drm/panel/panel-samsung-atna33xc20.c | 2 ++ + include/drm/display/drm_dp_helper.h | 6 ++++ + 4 files changed, 46 insertions(+) + +diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c +index 16565a0a5da6d..e839981c7b2f7 100644 +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -532,6 +532,15 @@ static int drm_dp_dpcd_access(struct drm_dp_aux *aux, u8 request, + + mutex_lock(&aux->hw_mutex); + ++ /* ++ * If the device attached to the aux bus is powered down then there's ++ * no reason to attempt a transfer. Error out immediately. ++ */ ++ if (aux->powered_down) { ++ ret = -EBUSY; ++ goto unlock; ++ } ++ + /* + * The specification doesn't give any recommendation on how often to + * retry native transactions. We used to retry 7 times like for +@@ -599,6 +608,29 @@ int drm_dp_dpcd_probe(struct drm_dp_aux *aux, unsigned int offset) + } + EXPORT_SYMBOL(drm_dp_dpcd_probe); + ++/** ++ * drm_dp_dpcd_set_powered() - Set whether the DP device is powered ++ * @aux: DisplayPort AUX channel; for convenience it's OK to pass NULL here ++ * and the function will be a no-op. ++ * @powered: true if powered; false if not ++ * ++ * If the endpoint device on the DP AUX bus is known to be powered down ++ * then this function can be called to make future transfers fail immediately ++ * instead of needing to time out. ++ * ++ * If this function is never called then a device defaults to being powered. ++ */ ++void drm_dp_dpcd_set_powered(struct drm_dp_aux *aux, bool powered) ++{ ++ if (!aux) ++ return; ++ ++ mutex_lock(&aux->hw_mutex); ++ aux->powered_down = !powered; ++ mutex_unlock(&aux->hw_mutex); ++} ++EXPORT_SYMBOL(drm_dp_dpcd_set_powered); ++ + /** + * drm_dp_dpcd_read() - read a series of bytes from the DPCD + * @aux: DisplayPort AUX channel (SST or MST) +@@ -1855,6 +1887,9 @@ static int drm_dp_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs, + struct drm_dp_aux_msg msg; + int err = 0; + ++ if (aux->powered_down) ++ return -EBUSY; ++ + dp_aux_i2c_transfer_size = clamp(dp_aux_i2c_transfer_size, 1, DP_AUX_MAX_PAYLOAD_BYTES); + + memset(&msg, 0, sizeof(msg)); +diff --git a/drivers/gpu/drm/panel/panel-edp.c b/drivers/gpu/drm/panel/panel-edp.c +index bfcddd4aa9322..2c14779a39e88 100644 +--- a/drivers/gpu/drm/panel/panel-edp.c ++++ b/drivers/gpu/drm/panel/panel-edp.c +@@ -397,6 +397,7 @@ static int panel_edp_suspend(struct device *dev) + { + struct panel_edp *p = dev_get_drvdata(dev); + ++ drm_dp_dpcd_set_powered(p->aux, false); + gpiod_set_value_cansleep(p->enable_gpio, 0); + regulator_disable(p->supply); + p->unprepared_time = ktime_get(); +@@ -453,6 +454,7 @@ static int panel_edp_prepare_once(struct panel_edp *p) + } + + gpiod_set_value_cansleep(p->enable_gpio, 1); ++ drm_dp_dpcd_set_powered(p->aux, true); + + delay = p->desc->delay.hpd_reliable; + if (p->no_hpd) +@@ -489,6 +491,7 @@ static int panel_edp_prepare_once(struct panel_edp *p) + return 0; + + error: ++ drm_dp_dpcd_set_powered(p->aux, false); + gpiod_set_value_cansleep(p->enable_gpio, 0); + regulator_disable(p->supply); + p->unprepared_time = ktime_get(); +diff --git a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +index f4616f0367846..8fa15321c22f4 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c ++++ b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +@@ -72,6 +72,7 @@ static int atana33xc20_suspend(struct device *dev) + if (p->el3_was_on) + atana33xc20_wait(p->el_on3_off_time, 150); + ++ drm_dp_dpcd_set_powered(p->aux, false); + ret = regulator_disable(p->supply); + if (ret) + return ret; +@@ -93,6 +94,7 @@ static int atana33xc20_resume(struct device *dev) + ret = regulator_enable(p->supply); + if (ret) + return ret; ++ drm_dp_dpcd_set_powered(p->aux, true); + p->powered_on_time = ktime_get_boottime(); + + if (p->no_hpd) { +diff --git a/include/drm/display/drm_dp_helper.h b/include/drm/display/drm_dp_helper.h +index ade9df59e156a..59b191de14d61 100644 +--- a/include/drm/display/drm_dp_helper.h ++++ b/include/drm/display/drm_dp_helper.h +@@ -436,9 +436,15 @@ struct drm_dp_aux { + * @is_remote: Is this AUX CH actually using sideband messaging. + */ + bool is_remote; ++ ++ /** ++ * @powered_down: If true then the remote endpoint is powered down. ++ */ ++ bool powered_down; + }; + + int drm_dp_dpcd_probe(struct drm_dp_aux *aux, unsigned int offset); ++void drm_dp_dpcd_set_powered(struct drm_dp_aux *aux, bool powered); + ssize_t drm_dp_dpcd_read(struct drm_dp_aux *aux, unsigned int offset, + void *buffer, size_t size); + ssize_t drm_dp_dpcd_write(struct drm_dp_aux *aux, unsigned int offset, +-- +2.43.0 + diff --git a/queue-6.1/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch b/queue-6.1/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch new file mode 100644 index 00000000000..f85b59d16fa --- /dev/null +++ b/queue-6.1/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch @@ -0,0 +1,61 @@ +From a971527a4172b6f11bea8e56450b3035e15595d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 09:26:27 +0100 +Subject: drm/lcdif: Do not disable clocks on already suspended hardware + +From: Marek Vasut + +[ Upstream commit 172695f145fb4798ab605e8a73f6e87711930124 ] + +In case the LCDIF is enabled in DT but unused, the clocks used by the +LCDIF are not enabled. Those clocks may even have a use count of 0 in +case there are no other users of those clocks. This can happen e.g. in +case the LCDIF drives HDMI bridge which has no panel plugged into the +HDMI connector. + +Do not attempt to disable clocks in the suspend callback and re-enable +clocks in the resume callback unless the LCDIF is enabled and was in +use before the system entered suspend, otherwise the driver might end +up trying to disable clocks which are already disabled with use count +0, and would trigger a warning from clock core about this condition. + +Note that the lcdif_rpm_suspend() and lcdif_rpm_resume() functions +internally perform the clocks disable and enable operations and act +as runtime PM hooks too. + +Reviewed-by: Liu Ying +Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant") +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/20240226082644.32603-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/lcdif_drv.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mxsfb/lcdif_drv.c b/drivers/gpu/drm/mxsfb/lcdif_drv.c +index 075002ed6fb09..43d316447f387 100644 +--- a/drivers/gpu/drm/mxsfb/lcdif_drv.c ++++ b/drivers/gpu/drm/mxsfb/lcdif_drv.c +@@ -290,6 +290,9 @@ static int __maybe_unused lcdif_suspend(struct device *dev) + if (ret) + return ret; + ++ if (pm_runtime_suspended(dev)) ++ return 0; ++ + return lcdif_rpm_suspend(dev); + } + +@@ -297,7 +300,8 @@ static int __maybe_unused lcdif_resume(struct device *dev) + { + struct drm_device *drm = dev_get_drvdata(dev); + +- lcdif_rpm_resume(dev); ++ if (!pm_runtime_suspended(dev)) ++ lcdif_rpm_resume(dev); + + return drm_mode_config_helper_resume(drm); + } +-- +2.43.0 + diff --git a/queue-6.1/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch b/queue-6.1/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch new file mode 100644 index 00000000000..c5b70cb41f2 --- /dev/null +++ b/queue-6.1/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch @@ -0,0 +1,44 @@ +From 7d5209227ff87923e075e85a7e203edec4b4446f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:00:51 -0500 +Subject: drm/mediatek: Add 0 size check to mtk_drm_gem_obj + +From: Justin Green + +[ Upstream commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 ] + +Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object +of 0 bytes. Currently, no such check exists and the kernel will panic if +a userspace application attempts to allocate a 0x0 GBM buffer. + +Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and +verifying that we now return EINVAL. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Justin Green +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index fb4f0e336b60e..21e584038581d 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -33,6 +33,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev, + + size = round_up(size, PAGE_SIZE); + ++ if (size == 0) ++ return ERR_PTR(-EINVAL); ++ + mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL); + if (!mtk_gem_obj) + return ERR_PTR(-ENOMEM); +-- +2.43.0 + diff --git a/queue-6.1/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch b/queue-6.1/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch new file mode 100644 index 00000000000..23fc0d3054d --- /dev/null +++ b/queue-6.1/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch @@ -0,0 +1,65 @@ +From 98ef8585fee75adeb07038a7f1df90aad4e9bb53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 23:07:04 +0000 +Subject: drm/meson: vclk: fix calculation of 59.94 fractional rates + +From: Christian Hewitt + +[ Upstream commit bfbc68e4d8695497f858a45a142665e22a512ea3 ] + +Playing 4K media with 59.94 fractional rate (typically VP9) causes the screen to lose +sync with the following error reported in the system log: + +[ 89.610280] Fatal Error, invalid HDMI vclk freq 593406 + +Modetest shows the following: + +3840x2160 59.94 3840 4016 4104 4400 2160 2168 2178 2250 593407 flags: xxxx, xxxx, +drm calculated value -------------------------------------^ + +Change the fractional rate calculation to stop DIV_ROUND_CLOSEST rounding down which +results in vclk freq failing to match correctly. + +Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup") +Signed-off-by: Christian Hewitt +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240109230704.4120561-1-christianshewitt@gmail.com +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20240109230704.4120561-1-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_vclk.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c +index 2a82119eb58ed..2a942dc6a6dc2 100644 +--- a/drivers/gpu/drm/meson/meson_vclk.c ++++ b/drivers/gpu/drm/meson/meson_vclk.c +@@ -790,13 +790,13 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq, + FREQ_1000_1001(params[i].pixel_freq)); + DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n", + i, params[i].phy_freq, +- FREQ_1000_1001(params[i].phy_freq/10)*10); ++ FREQ_1000_1001(params[i].phy_freq/1000)*1000); + /* Match strict frequency */ + if (phy_freq == params[i].phy_freq && + vclk_freq == params[i].vclk_freq) + return MODE_OK; + /* Match 1000/1001 variant */ +- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) && ++ if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/1000)*1000) && + vclk_freq == FREQ_1000_1001(params[i].vclk_freq)) + return MODE_OK; + } +@@ -1070,7 +1070,7 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target, + + for (freq = 0 ; params[freq].pixel_freq ; ++freq) { + if ((phy_freq == params[freq].phy_freq || +- phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) && ++ phy_freq == FREQ_1000_1001(params[freq].phy_freq/1000)*1000) && + (vclk_freq == params[freq].vclk_freq || + vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) { + if (vclk_freq != params[freq].vclk_freq) +-- +2.43.0 + diff --git a/queue-6.1/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch b/queue-6.1/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch new file mode 100644 index 00000000000..a94d1bf3afc --- /dev/null +++ b/queue-6.1/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch @@ -0,0 +1,69 @@ +From c0cf8485748a1d92bb3a07d3377bd8695b0a6a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 02:53:51 +0300 +Subject: drm/mipi-dsi: use correct return type for the DSC functions + +From: Dmitry Baryshkov + +[ Upstream commit de1c705c50326acaceaf1f02bc5bf6f267c572bd ] + +The functions mipi_dsi_compression_mode() and +mipi_dsi_picture_parameter_set() return 0-or-error rather than a buffer +size. Follow example of other similar MIPI DSI functions and use int +return type instead of size_t. + +Fixes: f4dea1aaa9a1 ("drm/dsi: add helpers for DSI compression mode and PPS packets") +Reviewed-by: Marijn Suijten +Reviewed-by: Jessica Zhang +Signed-off-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20240408-lg-sw43408-panel-v5-2-4e092da22991@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- + include/drm/drm_mipi_dsi.h | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index ef7ec68867df0..112f213cc8d9b 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -653,7 +653,7 @@ EXPORT_SYMBOL(mipi_dsi_set_maximum_return_packet_size); + * + * Return: 0 on success or a negative error code on failure. + */ +-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) ++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) + { + /* Note: Needs updating for non-default PPS or algorithm */ + u8 tx[2] = { enable << 0, 0 }; +@@ -678,8 +678,8 @@ EXPORT_SYMBOL(mipi_dsi_compression_mode); + * + * Return: 0 on success or a negative error code on failure. + */ +-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, +- const struct drm_dsc_picture_parameter_set *pps) ++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, ++ const struct drm_dsc_picture_parameter_set *pps) + { + struct mipi_dsi_msg msg = { + .channel = dsi->channel, +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 31171914990a3..66a7e01c62608 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -244,9 +244,9 @@ int mipi_dsi_shutdown_peripheral(struct mipi_dsi_device *dsi); + int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi); + int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi, + u16 value); +-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); +-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, +- const struct drm_dsc_picture_parameter_set *pps); ++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); ++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, ++ const struct drm_dsc_picture_parameter_set *pps); + + ssize_t mipi_dsi_generic_write(struct mipi_dsi_device *dsi, const void *payload, + size_t size); +-- +2.43.0 + diff --git a/queue-6.1/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch b/queue-6.1/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch new file mode 100644 index 00000000000..b5e67c2fc4b --- /dev/null +++ b/queue-6.1/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch @@ -0,0 +1,138 @@ +From 6d10bc5b1d5f649d3faa40dba7eecc3c57ecdb1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 15:47:25 +0200 +Subject: drm/msm/dp: allow voltage swing / pre emphasis of 3 + +From: Dmitry Baryshkov + +[ Upstream commit 22578178e5dd6d3aa4490879df8b6c2977d980be ] + +Both dp_link_adjust_levels() and dp_ctrl_update_vx_px() limit swing and +pre-emphasis to 2, while the real maximum value for the sum of the +voltage swing and pre-emphasis is 3. Fix the DP code to remove this +limitation. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Kuogee Hsieh +Tested-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/577006/ +Link: https://lore.kernel.org/r/20240203-dp-swing-3-v1-1-6545e1706196@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 6 +++--- + drivers/gpu/drm/msm/dp/dp_link.c | 22 +++++++++++----------- + drivers/gpu/drm/msm/dp/dp_link.h | 14 +------------- + 3 files changed, 15 insertions(+), 27 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index b20701893e5b3..2c501261f2323 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1014,14 +1014,14 @@ static int dp_ctrl_update_vx_px(struct dp_ctrl_private *ctrl) + if (ret) + return ret; + +- if (voltage_swing_level >= DP_TRAIN_VOLTAGE_SWING_MAX) { ++ if (voltage_swing_level >= DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(ctrl->drm_dev, + "max. voltage swing level reached %d\n", + voltage_swing_level); + max_level_reached |= DP_TRAIN_MAX_SWING_REACHED; + } + +- if (pre_emphasis_level >= DP_TRAIN_PRE_EMPHASIS_MAX) { ++ if (pre_emphasis_level >= DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(ctrl->drm_dev, + "max. pre-emphasis level reached %d\n", + pre_emphasis_level); +@@ -1112,7 +1112,7 @@ static int dp_ctrl_link_train_1(struct dp_ctrl_private *ctrl, + } + + if (ctrl->link->phy_params.v_level >= +- DP_TRAIN_VOLTAGE_SWING_MAX) { ++ DP_TRAIN_LEVEL_MAX) { + DRM_ERROR_RATELIMITED("max v_level reached\n"); + return -EAGAIN; + } +diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c +index ceb382fa56d5b..e4f9decec970f 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.c ++++ b/drivers/gpu/drm/msm/dp/dp_link.c +@@ -1102,6 +1102,7 @@ int dp_link_get_colorimetry_config(struct dp_link *dp_link) + int dp_link_adjust_levels(struct dp_link *dp_link, u8 *link_status) + { + int i; ++ u8 max_p_level; + int v_max = 0, p_max = 0; + struct dp_link_private *link; + +@@ -1133,30 +1134,29 @@ int dp_link_adjust_levels(struct dp_link *dp_link, u8 *link_status) + * Adjust the voltage swing and pre-emphasis level combination to within + * the allowable range. + */ +- if (dp_link->phy_params.v_level > DP_TRAIN_VOLTAGE_SWING_MAX) { ++ if (dp_link->phy_params.v_level > DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(link->drm_dev, + "Requested vSwingLevel=%d, change to %d\n", + dp_link->phy_params.v_level, +- DP_TRAIN_VOLTAGE_SWING_MAX); +- dp_link->phy_params.v_level = DP_TRAIN_VOLTAGE_SWING_MAX; ++ DP_TRAIN_LEVEL_MAX); ++ dp_link->phy_params.v_level = DP_TRAIN_LEVEL_MAX; + } + +- if (dp_link->phy_params.p_level > DP_TRAIN_PRE_EMPHASIS_MAX) { ++ if (dp_link->phy_params.p_level > DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(link->drm_dev, + "Requested preEmphasisLevel=%d, change to %d\n", + dp_link->phy_params.p_level, +- DP_TRAIN_PRE_EMPHASIS_MAX); +- dp_link->phy_params.p_level = DP_TRAIN_PRE_EMPHASIS_MAX; ++ DP_TRAIN_LEVEL_MAX); ++ dp_link->phy_params.p_level = DP_TRAIN_LEVEL_MAX; + } + +- if ((dp_link->phy_params.p_level > DP_TRAIN_PRE_EMPHASIS_LVL_1) +- && (dp_link->phy_params.v_level == +- DP_TRAIN_VOLTAGE_SWING_LVL_2)) { ++ max_p_level = DP_TRAIN_LEVEL_MAX - dp_link->phy_params.v_level; ++ if (dp_link->phy_params.p_level > max_p_level) { + drm_dbg_dp(link->drm_dev, + "Requested preEmphasisLevel=%d, change to %d\n", + dp_link->phy_params.p_level, +- DP_TRAIN_PRE_EMPHASIS_LVL_1); +- dp_link->phy_params.p_level = DP_TRAIN_PRE_EMPHASIS_LVL_1; ++ max_p_level); ++ dp_link->phy_params.p_level = max_p_level; + } + + drm_dbg_dp(link->drm_dev, "adjusted: v_level=%d, p_level=%d\n", +diff --git a/drivers/gpu/drm/msm/dp/dp_link.h b/drivers/gpu/drm/msm/dp/dp_link.h +index 9dd4dd9265304..79c3a02b8dacd 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.h ++++ b/drivers/gpu/drm/msm/dp/dp_link.h +@@ -19,19 +19,7 @@ struct dp_link_info { + unsigned long capabilities; + }; + +-enum dp_link_voltage_level { +- DP_TRAIN_VOLTAGE_SWING_LVL_0 = 0, +- DP_TRAIN_VOLTAGE_SWING_LVL_1 = 1, +- DP_TRAIN_VOLTAGE_SWING_LVL_2 = 2, +- DP_TRAIN_VOLTAGE_SWING_MAX = DP_TRAIN_VOLTAGE_SWING_LVL_2, +-}; +- +-enum dp_link_preemaphasis_level { +- DP_TRAIN_PRE_EMPHASIS_LVL_0 = 0, +- DP_TRAIN_PRE_EMPHASIS_LVL_1 = 1, +- DP_TRAIN_PRE_EMPHASIS_LVL_2 = 2, +- DP_TRAIN_PRE_EMPHASIS_MAX = DP_TRAIN_PRE_EMPHASIS_LVL_2, +-}; ++#define DP_TRAIN_LEVEL_MAX 3 + + struct dp_link_test_video { + u32 test_video_pattern; +-- +2.43.0 + diff --git a/queue-6.1/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch b/queue-6.1/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch new file mode 100644 index 00000000000..0c3f1b9e15a --- /dev/null +++ b/queue-6.1/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch @@ -0,0 +1,133 @@ +From 16d03aaee0d6c1e670a5f6032982e0fdacbda635 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 14:36:29 -0700 +Subject: drm/msm/dp: Avoid a long timeout for AUX transfer if nothing + connected + +From: Douglas Anderson + +[ Upstream commit 5d1a7493343cc00d9019880b686e4e0a0f649531 ] + +As documented in the description of the transfer() function of +"struct drm_dp_aux", the transfer() function can be called at any time +regardless of the state of the DP port. Specifically if the kernel has +the DP AUX character device enabled and userspace accesses +"/dev/drm_dp_auxN" directly then the AUX transfer function will be +called regardless of whether a DP device is connected. + +For eDP panels we have a special rule where we wait (with a 5 second +timeout) for HPD to go high. This rule was important before all panels +drivers were converted to call wait_hpd_asserted() and actually can be +removed in a future commit. + +For external DP devices we never checked for HPD. That means that +trying to access the DP AUX character device (AKA `hexdump -C +/dev/drm_dp_auxN`) would very, very slowly timeout. Specifically on my +system: + $ time hexdump -C /dev/drm_dp_aux0 + hexdump: /dev/drm_dp_aux0: Connection timed out + real 0m8.200s +We want access to the drm_dp_auxN character device to fail faster than +8 seconds when no DP cable is plugged in. + +Let's add a test to make transfers fail right away if a device isn't +plugged in. Rather than testing the HPD line directly, we have the +dp_display module tell us when AUX transfers should be enabled so we +can handle cases where HPD is signaled out of band like with Type C. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Douglas Anderson +Reviewed-by: Guenter Roeck +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/583127/ +Link: https://lore.kernel.org/r/20240315143621.v2.1.I16aff881c9fe82b5e0fc06ca312da017aa7b5b3e@changeid +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 20 ++++++++++++++++++++ + drivers/gpu/drm/msm/dp/dp_aux.h | 1 + + drivers/gpu/drm/msm/dp/dp_display.c | 4 ++++ + 3 files changed, 25 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index 8e3b677f35e64..559809a5cbcfb 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -35,6 +35,7 @@ struct dp_aux_private { + bool no_send_stop; + bool initted; + bool is_edp; ++ bool enable_xfers; + u32 offset; + u32 segment; + +@@ -297,6 +298,17 @@ static ssize_t dp_aux_transfer(struct drm_dp_aux *dp_aux, + goto exit; + } + ++ /* ++ * If we're using DP and an external display isn't connected then the ++ * transfer won't succeed. Return right away. If we don't do this we ++ * can end up with long timeouts if someone tries to access the DP AUX ++ * character device when no DP device is connected. ++ */ ++ if (!aux->is_edp && !aux->enable_xfers) { ++ ret = -ENXIO; ++ goto exit; ++ } ++ + /* + * For eDP it's important to give a reasonably long wait here for HPD + * to be asserted. This is because the panel driver may have _just_ +@@ -428,6 +440,14 @@ irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux) + return IRQ_HANDLED; + } + ++void dp_aux_enable_xfers(struct drm_dp_aux *dp_aux, bool enabled) ++{ ++ struct dp_aux_private *aux; ++ ++ aux = container_of(dp_aux, struct dp_aux_private, dp_aux); ++ aux->enable_xfers = enabled; ++} ++ + void dp_aux_reconfig(struct drm_dp_aux *dp_aux) + { + struct dp_aux_private *aux; +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.h b/drivers/gpu/drm/msm/dp/dp_aux.h +index 511305da4f66d..f3052cb43306b 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.h ++++ b/drivers/gpu/drm/msm/dp/dp_aux.h +@@ -12,6 +12,7 @@ + int dp_aux_register(struct drm_dp_aux *dp_aux); + void dp_aux_unregister(struct drm_dp_aux *dp_aux); + irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux); ++void dp_aux_enable_xfers(struct drm_dp_aux *dp_aux, bool enabled); + void dp_aux_init(struct drm_dp_aux *dp_aux); + void dp_aux_deinit(struct drm_dp_aux *dp_aux); + void dp_aux_reconfig(struct drm_dp_aux *dp_aux); +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index e0551ad7a4252..fd82752e502f1 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -577,6 +577,8 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data) + if (!hpd) + return 0; + ++ dp_aux_enable_xfers(dp->aux, true); ++ + mutex_lock(&dp->event_mutex); + + state = dp->hpd_state; +@@ -641,6 +643,8 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + if (!hpd) + return 0; + ++ dp_aux_enable_xfers(dp->aux, false); ++ + mutex_lock(&dp->event_mutex); + + state = dp->hpd_state; +-- +2.43.0 + diff --git a/queue-6.1/drm-msm-dp-return-irq_none-for-unhandled-interrupts.patch b/queue-6.1/drm-msm-dp-return-irq_none-for-unhandled-interrupts.patch new file mode 100644 index 00000000000..d38c49b9438 --- /dev/null +++ b/queue-6.1/drm-msm-dp-return-irq_none-for-unhandled-interrupts.patch @@ -0,0 +1,211 @@ +From ec6fd033541ec105276cd5d8de380ea4d78e626b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 17:09:13 -0800 +Subject: drm/msm/dp: Return IRQ_NONE for unhandled interrupts + +From: Douglas Anderson + +[ Upstream commit bfc12020e63d017ea8f85cda9c39cbd1314ecd77 ] + +If our interrupt handler gets called and we don't really handle the +interrupt then we should return IRQ_NONE. The current interrupt +handler didn't do this, so let's fix it. + +NOTE: for some of the cases it's clear that we should return IRQ_NONE +and some cases it's clear that we should return IRQ_HANDLED. However, +there are a few that fall somewhere in between. Specifically, the +documentation for when to return IRQ_NONE vs. IRQ_HANDLED is probably +best spelled out in the commit message of commit d9e4ad5badf4 ("Document +that IRQ_NONE should be returned when IRQ not actually handled"). That +commit makes it clear that we should return IRQ_HANDLED if we've done +something to make the interrupt stop happening. + +The case where it's unclear is, for instance, in dp_aux_isr() after +we've read the interrupt using dp_catalog_aux_get_irq() and confirmed +that "isr" is non-zero. The function dp_catalog_aux_get_irq() not only +reads the interrupts but it also "ack"s all the interrupts that are +returned. For an "unknown" interrupt this has a very good chance of +actually stopping the interrupt from happening. That would mean we've +identified that it's our device and done something to stop them from +happening and should return IRQ_HANDLED. Specifically, it should be +noted that most interrupts that need "ack"ing are ones that are +one-time events and doing an "ack" is enough to clear them. However, +since these interrupts are unknown then, by definition, it's unknown +if "ack"ing them is truly enough to clear them. It's possible that we +also need to remove the original source of the interrupt. In this +case, IRQ_NONE would be a better choice. + +Given that returning an occasional IRQ_NONE isn't the absolute end of +the world, however, let's choose that course of action. The IRQ +framework will forgive a few IRQ_NONE returns now and again (and it +won't even log them, which is why we have to log them ourselves). This +means that if we _do_ end hitting an interrupt where "ack"ing isn't +enough the kernel will eventually detect the problem and shut our +device down. + +Signed-off-by: Douglas Anderson +Tested-by: Kuogee Hsieh +Reviewed-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/520660/ +Link: https://lore.kernel.org/r/20230126170745.v2.2.I2d7aec2fadb9c237cd0090a47d6a8ba2054bf0f8@changeid +[DB: reformatted commit message to make checkpatch happy] +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 5d1a7493343c ("drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 12 +++++++----- + drivers/gpu/drm/msm/dp/dp_aux.h | 2 +- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 10 ++++++++-- + drivers/gpu/drm/msm/dp/dp_ctrl.h | 2 +- + drivers/gpu/drm/msm/dp/dp_display.c | 8 +++++--- + 5 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index 84f9e3e5f9642..8e3b677f35e64 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -368,14 +368,14 @@ static ssize_t dp_aux_transfer(struct drm_dp_aux *dp_aux, + return ret; + } + +-void dp_aux_isr(struct drm_dp_aux *dp_aux) ++irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux) + { + u32 isr; + struct dp_aux_private *aux; + + if (!dp_aux) { + DRM_ERROR("invalid input\n"); +- return; ++ return IRQ_NONE; + } + + aux = container_of(dp_aux, struct dp_aux_private, dp_aux); +@@ -384,11 +384,11 @@ void dp_aux_isr(struct drm_dp_aux *dp_aux) + + /* no interrupts pending, return immediately */ + if (!isr) +- return; ++ return IRQ_NONE; + + if (!aux->cmd_busy) { + DRM_ERROR("Unexpected DP AUX IRQ %#010x when not busy\n", isr); +- return; ++ return IRQ_NONE; + } + + /* +@@ -420,10 +420,12 @@ void dp_aux_isr(struct drm_dp_aux *dp_aux) + aux->aux_error_num = DP_AUX_ERR_NONE; + } else { + DRM_WARN("Unexpected interrupt: %#010x\n", isr); +- return; ++ return IRQ_NONE; + } + + complete(&aux->comp); ++ ++ return IRQ_HANDLED; + } + + void dp_aux_reconfig(struct drm_dp_aux *dp_aux) +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.h b/drivers/gpu/drm/msm/dp/dp_aux.h +index e930974bcb5b9..511305da4f66d 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.h ++++ b/drivers/gpu/drm/msm/dp/dp_aux.h +@@ -11,7 +11,7 @@ + + int dp_aux_register(struct drm_dp_aux *dp_aux); + void dp_aux_unregister(struct drm_dp_aux *dp_aux); +-void dp_aux_isr(struct drm_dp_aux *dp_aux); ++irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux); + void dp_aux_init(struct drm_dp_aux *dp_aux); + void dp_aux_deinit(struct drm_dp_aux *dp_aux); + void dp_aux_reconfig(struct drm_dp_aux *dp_aux); +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 2c501261f2323..bd1343602f553 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1973,27 +1973,33 @@ int dp_ctrl_off(struct dp_ctrl *dp_ctrl) + return ret; + } + +-void dp_ctrl_isr(struct dp_ctrl *dp_ctrl) ++irqreturn_t dp_ctrl_isr(struct dp_ctrl *dp_ctrl) + { + struct dp_ctrl_private *ctrl; + u32 isr; ++ irqreturn_t ret = IRQ_NONE; + + if (!dp_ctrl) +- return; ++ return IRQ_NONE; + + ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); + + isr = dp_catalog_ctrl_get_interrupt(ctrl->catalog); + ++ + if (isr & DP_CTRL_INTR_READY_FOR_VIDEO) { + drm_dbg_dp(ctrl->drm_dev, "dp_video_ready\n"); + complete(&ctrl->video_comp); ++ ret = IRQ_HANDLED; + } + + if (isr & DP_CTRL_INTR_IDLE_PATTERN_SENT) { + drm_dbg_dp(ctrl->drm_dev, "idle_patterns_sent\n"); + complete(&ctrl->idle_comp); ++ ret = IRQ_HANDLED; + } ++ ++ return ret; + } + + struct dp_ctrl *dp_ctrl_get(struct device *dev, struct dp_link *link, +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.h b/drivers/gpu/drm/msm/dp/dp_ctrl.h +index 9f29734af81ca..c3af06dc87b17 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.h ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.h +@@ -25,7 +25,7 @@ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl); + int dp_ctrl_off_link(struct dp_ctrl *dp_ctrl); + int dp_ctrl_off(struct dp_ctrl *dp_ctrl); + void dp_ctrl_push_idle(struct dp_ctrl *dp_ctrl); +-void dp_ctrl_isr(struct dp_ctrl *dp_ctrl); ++irqreturn_t dp_ctrl_isr(struct dp_ctrl *dp_ctrl); + void dp_ctrl_handle_sink_request(struct dp_ctrl *dp_ctrl); + struct dp_ctrl *dp_ctrl_get(struct device *dev, struct dp_link *link, + struct dp_panel *panel, struct drm_dp_aux *aux, +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index d16c12351adb6..e0551ad7a4252 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -1193,7 +1193,7 @@ static int dp_hpd_event_thread_start(struct dp_display_private *dp_priv) + static irqreturn_t dp_display_irq_handler(int irq, void *dev_id) + { + struct dp_display_private *dp = dev_id; +- irqreturn_t ret = IRQ_HANDLED; ++ irqreturn_t ret = IRQ_NONE; + u32 hpd_isr_status; + + if (!dp) { +@@ -1221,13 +1221,15 @@ static irqreturn_t dp_display_irq_handler(int irq, void *dev_id) + + if (hpd_isr_status & DP_DP_HPD_UNPLUG_INT_MASK) + dp_add_event(dp, EV_HPD_UNPLUG_INT, 0, 0); ++ ++ ret = IRQ_HANDLED; + } + + /* DP controller isr */ +- dp_ctrl_isr(dp->ctrl); ++ ret |= dp_ctrl_isr(dp->ctrl); + + /* DP aux isr */ +- dp_aux_isr(dp->aux); ++ ret |= dp_aux_isr(dp->aux); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.1/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch b/queue-6.1/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch new file mode 100644 index 00000000000..bf39d1a4bb4 --- /dev/null +++ b/queue-6.1/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch @@ -0,0 +1,74 @@ +From 3127141e4001f4ef6d404f55f693534110e9db7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 14:12:14 -0700 +Subject: drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD + doesn't assert + +From: Douglas Anderson + +[ Upstream commit 5e842d55bad7794823a50f24fd645b58f2ef93ab ] + +When the atna33xc20 driver was first written the resume code never +returned an error. If there was a problem waiting for HPD it just +printed a warning and moved on. This changed in response to review +feedback [1] on a future patch but I accidentally didn't account for +rolling back the regulator enable in the error cases. Do so now. + +[1] https://lore.kernel.org/all/5f3cf3a6-1cc2-63e4-f76b-4ee686764705@linaro.org/ + +Fixes: 3b5765df375c ("drm/panel: atna33xc20: Take advantage of wait_hpd_asserted() in struct drm_dp_aux") +Acked-by: Jessica Zhang +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20240313-homestarpanel-regulator-v1-1-b8e3a336da12@chromium.org +Signed-off-by: Sasha Levin +--- + .../gpu/drm/panel/panel-samsung-atna33xc20.c | 22 +++++++++++-------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +index 8fa15321c22f4..5b698514957cf 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c ++++ b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +@@ -109,19 +109,17 @@ static int atana33xc20_resume(struct device *dev) + if (hpd_asserted < 0) + ret = hpd_asserted; + +- if (ret) ++ if (ret) { + dev_warn(dev, "Error waiting for HPD GPIO: %d\n", ret); +- +- return ret; +- } +- +- if (p->aux->wait_hpd_asserted) { ++ goto error; ++ } ++ } else if (p->aux->wait_hpd_asserted) { + ret = p->aux->wait_hpd_asserted(p->aux, HPD_MAX_US); + +- if (ret) ++ if (ret) { + dev_warn(dev, "Controller error waiting for HPD: %d\n", ret); +- +- return ret; ++ goto error; ++ } + } + + /* +@@ -133,6 +131,12 @@ static int atana33xc20_resume(struct device *dev) + * right times. + */ + return 0; ++ ++error: ++ drm_dp_dpcd_set_powered(p->aux, false); ++ regulator_disable(p->supply); ++ ++ return ret; + } + + static int atana33xc20_disable(struct drm_panel *panel) +-- +2.43.0 + diff --git a/queue-6.1/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch b/queue-6.1/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch new file mode 100644 index 00000000000..302b62d15bd --- /dev/null +++ b/queue-6.1/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch @@ -0,0 +1,49 @@ +From 1e2006f95049cc0b569f4254ac5688658d3547c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:36 -0400 +Subject: drm/panel: novatek-nt35950: Don't log an error when DSI host can't be + found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 5ff5505b9a2d827cae3f95dceba258c963138175 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 623a3531e9cf ("drm/panel: Add driver for Novatek NT35950 DSI DriverIC panels") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-8-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-novatek-nt35950.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-novatek-nt35950.c b/drivers/gpu/drm/panel/panel-novatek-nt35950.c +index 5d04957b1144f..ec2780be74d10 100644 +--- a/drivers/gpu/drm/panel/panel-novatek-nt35950.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt35950.c +@@ -573,10 +573,8 @@ static int nt35950_probe(struct mipi_dsi_device *dsi) + } + dsi_r_host = of_find_mipi_dsi_host_by_node(dsi_r); + of_node_put(dsi_r); +- if (!dsi_r_host) { +- dev_err(dev, "Cannot get secondary DSI host\n"); +- return -EPROBE_DEFER; +- } ++ if (!dsi_r_host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "Cannot get secondary DSI host\n"); + + nt->dsi[1] = mipi_dsi_device_register_full(dsi_r_host, info); + if (!nt->dsi[1]) { +-- +2.43.0 + diff --git a/queue-6.1/drm-panel-samsung-atna33xc20-use-ktime_get_boottime-.patch b/queue-6.1/drm-panel-samsung-atna33xc20-use-ktime_get_boottime-.patch new file mode 100644 index 00000000000..a781a4160b3 --- /dev/null +++ b/queue-6.1/drm-panel-samsung-atna33xc20-use-ktime_get_boottime-.patch @@ -0,0 +1,66 @@ +From 465d5b7a5869886c13594c49e52df6f68b992644 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 13:38:45 -0700 +Subject: drm/panel-samsung-atna33xc20: Use ktime_get_boottime for delays + +From: Drew Davenport + +[ Upstream commit 62e43673ca84a68cc06dcaa9337a06df7f79fef9 ] + +ktime_get_boottime continues while the device is suspended. This change +ensures that the resume path will not be delayed if the power off delay +has already been met while the device is suspended + +Signed-off-by: Drew Davenport +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20221117133655.2.Iebd9f79aba0a62015fd2383fe6986c2d6fe12cfd@changeid +Stable-dep-of: 5e842d55bad7 ("drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD doesn't assert") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-samsung-atna33xc20.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +index 5a8b978c64158..f4616f0367846 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c ++++ b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +@@ -53,7 +53,7 @@ static void atana33xc20_wait(ktime_t start_ktime, unsigned int min_ms) + ktime_t now_ktime, min_ktime; + + min_ktime = ktime_add(start_ktime, ms_to_ktime(min_ms)); +- now_ktime = ktime_get(); ++ now_ktime = ktime_get_boottime(); + + if (ktime_before(now_ktime, min_ktime)) + msleep(ktime_to_ms(ktime_sub(min_ktime, now_ktime)) + 1); +@@ -75,7 +75,7 @@ static int atana33xc20_suspend(struct device *dev) + ret = regulator_disable(p->supply); + if (ret) + return ret; +- p->powered_off_time = ktime_get(); ++ p->powered_off_time = ktime_get_boottime(); + p->el3_was_on = false; + + return 0; +@@ -93,7 +93,7 @@ static int atana33xc20_resume(struct device *dev) + ret = regulator_enable(p->supply); + if (ret) + return ret; +- p->powered_on_time = ktime_get(); ++ p->powered_on_time = ktime_get_boottime(); + + if (p->no_hpd) { + msleep(HPD_MAX_MS); +@@ -142,7 +142,7 @@ static int atana33xc20_disable(struct drm_panel *panel) + return 0; + + gpiod_set_value_cansleep(p->el_on3_gpio, 0); +- p->el_on3_off_time = ktime_get(); ++ p->el_on3_off_time = ktime_get_boottime(); + p->enabled = false; + + /* +-- +2.43.0 + diff --git a/queue-6.1/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch b/queue-6.1/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch new file mode 100644 index 00000000000..e8b4e3e86de --- /dev/null +++ b/queue-6.1/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch @@ -0,0 +1,50 @@ +From 91fbd924c85b5e9d7d59b1d4fe8fc8ebed0abc17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:27:36 +0100 +Subject: drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, + connector + +From: Marek Vasut + +[ Upstream commit 11ac72d033b9f577e8ba0c7a41d1c312bb232593 ] + +The .bpc = 6 implies .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG , +add the missing bus_format. Add missing connector type and bus_flags +as well. + +Documentation [1] 1.4 GENERAL SPECIFICATI0NS indicates this panel is +capable of both RGB 18bit/24bit panel, the current configuration uses +18bit mode, .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG , .bpc = 6. + +Support for the 24bit mode would require another entry in panel-simple +with .bus_format = MEDIA_BUS_FMT_RGB666_1X7X4_SPWG and .bpc = 8, which +is out of scope of this fix. + +[1] https://www.distec.de/fileadmin/pdf/produkte/TFT-Displays/Innolux/G121X1-L03_Datasheet.pdf + +Fixes: f8fa17ba812b ("drm/panel: simple: Add support for Innolux G121X1-L03") +Signed-off-by: Marek Vasut +Acked-by: Jessica Zhang +Link: https://patchwork.freedesktop.org/patch/msgid/20240328102746.17868-2-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index b714ee1bcbaa3..acb7f5c206d13 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2286,6 +2286,9 @@ static const struct panel_desc innolux_g121x1_l03 = { + .unprepare = 200, + .disable = 400, + }, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG, ++ .bus_flags = DRM_BUS_FLAG_DE_HIGH, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct drm_display_mode innolux_n156bge_l21_mode = { +-- +2.43.0 + diff --git a/queue-6.1/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch b/queue-6.1/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch new file mode 100644 index 00000000000..430abe2c89b --- /dev/null +++ b/queue-6.1/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch @@ -0,0 +1,83 @@ +From 8cab983aad226087719fef3dc4b74f4aa1e1c596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 14:27:06 -0400 +Subject: drm/rockchip: vop2: Do not divide height twice for YUV + +From: Detlev Casanova + +[ Upstream commit e80c219f52861e756181d7f88b0d341116daac2b ] + +For the cbcr format, gt2 and gt4 are computed again after src_h has been +divided by vsub. + +As src_h as already been divided by 2 before, introduce cbcr_src_h and +cbcr_src_w to keep a copy of those values to be used for cbcr gt2 and +gt4 computation. + +This fixes yuv planes being unaligned vertically when down scaling to +1080 pixels from 2160. + +Signed-off-by: Detlev Casanova +Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") +Acked-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240414182706.655270-1-detlev.casanova@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 22 +++++++++++--------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +index b233f52675dc4..a72642bb9cc60 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +@@ -607,6 +607,8 @@ static void vop2_setup_scale(struct vop2 *vop2, const struct vop2_win *win, + const struct drm_format_info *info; + u16 hor_scl_mode, ver_scl_mode; + u16 hscl_filter_mode, vscl_filter_mode; ++ uint16_t cbcr_src_w = src_w; ++ uint16_t cbcr_src_h = src_h; + u8 gt2 = 0; + u8 gt4 = 0; + u32 val; +@@ -664,27 +666,27 @@ static void vop2_setup_scale(struct vop2 *vop2, const struct vop2_win *win, + vop2_win_write(win, VOP2_WIN_YRGB_VSCL_FILTER_MODE, vscl_filter_mode); + + if (info->is_yuv) { +- src_w /= info->hsub; +- src_h /= info->vsub; ++ cbcr_src_w /= info->hsub; ++ cbcr_src_h /= info->vsub; + + gt4 = 0; + gt2 = 0; + +- if (src_h >= (4 * dst_h)) { ++ if (cbcr_src_h >= (4 * dst_h)) { + gt4 = 1; +- src_h >>= 2; +- } else if (src_h >= (2 * dst_h)) { ++ cbcr_src_h >>= 2; ++ } else if (cbcr_src_h >= (2 * dst_h)) { + gt2 = 1; +- src_h >>= 1; ++ cbcr_src_h >>= 1; + } + +- hor_scl_mode = scl_get_scl_mode(src_w, dst_w); +- ver_scl_mode = scl_get_scl_mode(src_h, dst_h); ++ hor_scl_mode = scl_get_scl_mode(cbcr_src_w, dst_w); ++ ver_scl_mode = scl_get_scl_mode(cbcr_src_h, dst_h); + +- val = vop2_scale_factor(src_w, dst_w); ++ val = vop2_scale_factor(cbcr_src_w, dst_w); + vop2_win_write(win, VOP2_WIN_SCALE_CBCR_X, val); + +- val = vop2_scale_factor(src_h, dst_h); ++ val = vop2_scale_factor(cbcr_src_h, dst_h); + vop2_win_write(win, VOP2_WIN_SCALE_CBCR_Y, val); + + vop2_win_write(win, VOP2_WIN_VSD_CBCR_GT4, gt4); +-- +2.43.0 + diff --git a/queue-6.1/drm-vc4-fix-possible-null-pointer-dereference.patch b/queue-6.1/drm-vc4-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..9eebc9a1385 --- /dev/null +++ b/queue-6.1/drm-vc4-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,39 @@ +From f7d4e47a25dfe044f9c7b21fd8dc750bd9df1d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 10:56:22 +0300 +Subject: drm: vc4: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit c534b63bede6cb987c2946ed4d0b0013a52c5ba7 ] + +In vc4_hdmi_audio_init() of_get_address() may return +NULL which is later dereferenced. Fix this bug by adding NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20240409075622.11783-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index f696818913499..072e2487b4655 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -2489,6 +2489,8 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) + index = 1; + + addr = of_get_address(dev->of_node, index, NULL, NULL); ++ if (!addr) ++ return -EINVAL; + + vc4_hdmi->audio.dma_data.addr = be32_to_cpup(addr) + mai_data->offset; + vc4_hdmi->audio.dma_data.addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.43.0 + diff --git a/queue-6.1/dt-bindings-rockchip-grf-add-missing-type-to-pcie-ph.patch b/queue-6.1/dt-bindings-rockchip-grf-add-missing-type-to-pcie-ph.patch new file mode 100644 index 00000000000..929a1783e3f --- /dev/null +++ b/queue-6.1/dt-bindings-rockchip-grf-add-missing-type-to-pcie-ph.patch @@ -0,0 +1,37 @@ +From 268c60953520f1168bff1b04eeb3ec8d195c06a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 15:49:58 -0500 +Subject: dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node + +From: Rob Herring + +[ Upstream commit d41201c90f825f19a46afbfb502f22f612d8ccc4 ] + +'pcie-phy' is missing any type. Add 'type: object' to indicate it's a +node. + +Signed-off-by: Rob Herring +Reviewed-by: Heiko Stuebner +Acked-by: Conor Dooley +Link: https://lore.kernel.org/r/20240401204959.1698106-1-robh@kernel.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/soc/rockchip/grf.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/soc/rockchip/grf.yaml b/Documentation/devicetree/bindings/soc/rockchip/grf.yaml +index 2ed8cca79b59c..e4eade2661f6b 100644 +--- a/Documentation/devicetree/bindings/soc/rockchip/grf.yaml ++++ b/Documentation/devicetree/bindings/soc/rockchip/grf.yaml +@@ -151,6 +151,7 @@ allOf: + unevaluatedProperties: false + + pcie-phy: ++ type: object + description: + Documentation/devicetree/bindings/phy/rockchip-pcie-phy.txt + +-- +2.43.0 + diff --git a/queue-6.1/ecryptfs-fix-buffer-size-for-tag-66-packet.patch b/queue-6.1/ecryptfs-fix-buffer-size-for-tag-66-packet.patch new file mode 100644 index 00000000000..4f060e93484 --- /dev/null +++ b/queue-6.1/ecryptfs-fix-buffer-size-for-tag-66-packet.patch @@ -0,0 +1,116 @@ +From f0ca7bb0a921e9296d139741cc893251f604b40a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 07:46:00 -0700 +Subject: ecryptfs: Fix buffer size for tag 66 packet + +From: Brian Kubisiak + +[ Upstream commit 85a6a1aff08ec9f5b929d345d066e2830e8818e5 ] + +The 'TAG 66 Packet Format' description is missing the cipher code and +checksum fields that are packed into the message packet. As a result, +the buffer allocated for the packet is 3 bytes too small and +write_tag_66_packet() will write up to 3 bytes past the end of the +buffer. + +Fix this by increasing the size of the allocation so the whole packet +will always fit in the buffer. + +This fixes the below kasan slab-out-of-bounds bug: + + BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 + Write of size 1 at addr ffff88800afbb2a5 by task touch/181 + + CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 + Call Trace: + + dump_stack_lvl+0x4c/0x70 + print_report+0xc5/0x610 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? kasan_complete_mode_report_info+0x44/0x210 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + kasan_report+0xc2/0x110 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + __asan_store1+0x62/0x80 + ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 + ? __alloc_pages+0x2e2/0x540 + ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] + ? dentry_open+0x8f/0xd0 + ecryptfs_write_metadata+0x30a/0x550 + ? __pfx_ecryptfs_write_metadata+0x10/0x10 + ? ecryptfs_get_lower_file+0x6b/0x190 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + ? __pfx_path_openat+0x10/0x10 + do_filp_open+0x15e/0x290 + ? __pfx_do_filp_open+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? _raw_spin_lock+0x86/0xf0 + ? __pfx__raw_spin_lock+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? alloc_fd+0xf4/0x330 + do_sys_openat2+0x122/0x160 + ? __pfx_do_sys_openat2+0x10/0x10 + __x64_sys_openat+0xef/0x170 + ? __pfx___x64_sys_openat+0x10/0x10 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7f00a703fd67 + Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f + RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 + RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 + RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c + RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 + R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 + R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 + + + Allocated by task 181: + kasan_save_stack+0x2f/0x60 + kasan_set_track+0x29/0x40 + kasan_save_alloc_info+0x25/0x40 + __kasan_kmalloc+0xc5/0xd0 + __kmalloc+0x66/0x160 + ecryptfs_generate_key_packet_set+0x6d2/0xde0 + ecryptfs_write_metadata+0x30a/0x550 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + do_filp_open+0x15e/0x290 + do_sys_openat2+0x122/0x160 + __x64_sys_openat+0xef/0x170 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management") +Signed-off-by: Brian Kubisiak +Link: https://lore.kernel.org/r/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/ecryptfs/keystore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c +index 3fe41964c0d8d..7f9f68c00ef63 100644 +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -300,9 +300,11 @@ write_tag_66_packet(char *signature, u8 cipher_code, + * | Key Identifier Size | 1 or 2 bytes | + * | Key Identifier | arbitrary | + * | File Encryption Key Size | 1 or 2 bytes | ++ * | Cipher Code | 1 byte | + * | File Encryption Key | arbitrary | ++ * | Checksum | 2 bytes | + */ +- data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); ++ data_len = (8 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); + *packet = kmalloc(data_len, GFP_KERNEL); + message = *packet; + if (!message) { +-- +2.43.0 + diff --git a/queue-6.1/epoll-be-better-about-file-lifetimes.patch b/queue-6.1/epoll-be-better-about-file-lifetimes.patch new file mode 100644 index 00000000000..c0ba4ddd4b9 --- /dev/null +++ b/queue-6.1/epoll-be-better-about-file-lifetimes.patch @@ -0,0 +1,94 @@ +From 54701c8dd5b8fa5b2feba5e8688fd030b736c5a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 13:36:09 -0700 +Subject: epoll: be better about file lifetimes + +From: Linus Torvalds + +[ Upstream commit 4efaa5acf0a1d2b5947f98abb3acf8bfd966422b ] + +epoll can call out to vfs_poll() with a file pointer that may race with +the last 'fput()'. That would make f_count go down to zero, and while +the ep->mtx locking means that the resulting file pointer tear-down will +be blocked until the poll returns, it means that f_count is already +dead, and any use of it won't actually get a reference to the file any +more: it's dead regardless. + +Make sure we have a valid ref on the file pointer before we call down to +vfs_poll() from the epoll routines. + +Link: https://lore.kernel.org/lkml/0000000000002d631f0615918f1e@google.com/ +Reported-by: syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com +Reviewed-by: Jens Axboe +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index eccecd3fac90c..7221072f39fad 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -839,6 +839,34 @@ static __poll_t __ep_eventpoll_poll(struct file *file, poll_table *wait, int dep + return res; + } + ++/* ++ * The ffd.file pointer may be in the process of being torn down due to ++ * being closed, but we may not have finished eventpoll_release() yet. ++ * ++ * Normally, even with the atomic_long_inc_not_zero, the file may have ++ * been free'd and then gotten re-allocated to something else (since ++ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU). ++ * ++ * But for epoll, users hold the ep->mtx mutex, and as such any file in ++ * the process of being free'd will block in eventpoll_release_file() ++ * and thus the underlying file allocation will not be free'd, and the ++ * file re-use cannot happen. ++ * ++ * For the same reason we can avoid a rcu_read_lock() around the ++ * operation - 'ffd.file' cannot go away even if the refcount has ++ * reached zero (but we must still not call out to ->poll() functions ++ * etc). ++ */ ++static struct file *epi_fget(const struct epitem *epi) ++{ ++ struct file *file; ++ ++ file = epi->ffd.file; ++ if (!atomic_long_inc_not_zero(&file->f_count)) ++ file = NULL; ++ return file; ++} ++ + /* + * Differs from ep_eventpoll_poll() in that internal callers already have + * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested() +@@ -847,14 +875,22 @@ static __poll_t __ep_eventpoll_poll(struct file *file, poll_table *wait, int dep + static __poll_t ep_item_poll(const struct epitem *epi, poll_table *pt, + int depth) + { +- struct file *file = epi->ffd.file; ++ struct file *file = epi_fget(epi); + __poll_t res; + ++ /* ++ * We could return EPOLLERR | EPOLLHUP or something, but let's ++ * treat this more as "file doesn't exist, poll didn't happen". ++ */ ++ if (!file) ++ return 0; ++ + pt->_key = epi->event.events; + if (!is_file_epoll(file)) + res = vfs_poll(file, pt); + else + res = __ep_eventpoll_poll(file, pt, depth); ++ fput(file); + return res & epi->event.events; + } + +-- +2.43.0 + diff --git a/queue-6.1/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch b/queue-6.1/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch new file mode 100644 index 00000000000..dc9fdc65854 --- /dev/null +++ b/queue-6.1/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch @@ -0,0 +1,67 @@ +From 3b77e78ba2ace18cdb4f5171c647d80532c6838b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 06:45:04 -0700 +Subject: eth: sungem: remove .ndo_poll_controller to avoid deadlocks + +From: Jakub Kicinski + +[ Upstream commit ac0a230f719b02432d8c7eba7615ebd691da86f4 ] + +Erhard reports netpoll warnings from sungem: + + netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) + WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c + +gem_poll_controller() disables interrupts, which may sleep. +We can't sleep in netpoll, it has interrupts disabled completely. +Strangely, gem_poll_controller() doesn't even poll the completions, +and instead acts as if an interrupt has fired so it just schedules +NAPI and exits. None of this has been necessary for years, since +netpoll invokes NAPI directly. + +Fixes: fe09bb619096 ("sungem: Spring cleaning and GRO support") +Reported-and-tested-by: Erhard Furtner +Link: https://lore.kernel.org/all/20240428125306.2c3080ef@legion +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240508134504.3560956-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sungem.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c +index 4154e68639ace..940e45bf7a2eb 100644 +--- a/drivers/net/ethernet/sun/sungem.c ++++ b/drivers/net/ethernet/sun/sungem.c +@@ -948,17 +948,6 @@ static irqreturn_t gem_interrupt(int irq, void *dev_id) + return IRQ_HANDLED; + } + +-#ifdef CONFIG_NET_POLL_CONTROLLER +-static void gem_poll_controller(struct net_device *dev) +-{ +- struct gem *gp = netdev_priv(dev); +- +- disable_irq(gp->pdev->irq); +- gem_interrupt(gp->pdev->irq, dev); +- enable_irq(gp->pdev->irq); +-} +-#endif +- + static void gem_tx_timeout(struct net_device *dev, unsigned int txqueue) + { + struct gem *gp = netdev_priv(dev); +@@ -2838,9 +2827,6 @@ static const struct net_device_ops gem_netdev_ops = { + .ndo_change_mtu = gem_change_mtu, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = gem_set_mac_address, +-#ifdef CONFIG_NET_POLL_CONTROLLER +- .ndo_poll_controller = gem_poll_controller, +-#endif + }; + + static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) +-- +2.43.0 + diff --git a/queue-6.1/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch b/queue-6.1/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch new file mode 100644 index 00000000000..5b3913f6a09 --- /dev/null +++ b/queue-6.1/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch @@ -0,0 +1,52 @@ +From 106df581c5792055840cd40513dbc4d6bbf83d3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 12:53:20 +0100 +Subject: ext4: avoid excessive credit estimate in ext4_tmpfile() + +From: Jan Kara + +[ Upstream commit 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 ] + +A user with minimum journal size (1024 blocks these days) complained +about the following error triggered by generic/697 test in +ext4_tmpfile(): + +run fstests generic/697 at 2024-02-28 05:34:46 +JBD2: vfstest wants too many credits credits:260 rsv_credits:0 max:256 +EXT4-fs error (device loop0) in __ext4_new_inode:1083: error 28 + +Indeed the credit estimate in ext4_tmpfile() is huge. +EXT4_MAXQUOTAS_INIT_BLOCKS() is 219, then 10 credits from ext4_tmpfile() +itself and then ext4_xattr_credits_for_new_inode() adds more credits +needed for security attributes and ACLs. Now the +EXT4_MAXQUOTAS_INIT_BLOCKS() is in fact unnecessary because we've +already initialized quotas with dquot_init() shortly before and so +EXT4_MAXQUOTAS_TRANS_BLOCKS() is enough (which boils down to 3 credits). + +Fixes: af51a2ac36d1 ("ext4: ->tmpfile() support") +Signed-off-by: Jan Kara +Tested-by: Luis Henriques +Tested-by: Disha Goel +Link: https://lore.kernel.org/r/20240307115320.28949-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index bbfb37390723c..8b13832238484 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2901,7 +2901,7 @@ static int ext4_tmpfile(struct user_namespace *mnt_userns, struct inode *dir, + inode = ext4_new_inode_start_handle(mnt_userns, dir, mode, + NULL, 0, NULL, + EXT4_HT_DIR, +- EXT4_MAXQUOTAS_INIT_BLOCKS(dir->i_sb) + ++ EXT4_MAXQUOTAS_TRANS_BLOCKS(dir->i_sb) + + 4 + EXT4_XATTR_TRANS_BLOCKS); + handle = ext4_journal_current_handle(); + err = PTR_ERR(inode); +-- +2.43.0 + diff --git a/queue-6.1/ext4-fix-potential-unnitialized-variable.patch b/queue-6.1/ext4-fix-potential-unnitialized-variable.patch new file mode 100644 index 00000000000..6147f2879c0 --- /dev/null +++ b/queue-6.1/ext4-fix-potential-unnitialized-variable.patch @@ -0,0 +1,40 @@ +From a1609c38b02ee32836736b33aea657eae919d157 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 21:10:40 +0300 +Subject: ext4: fix potential unnitialized variable + +From: Dan Carpenter + +[ Upstream commit 3f4830abd236d0428e50451e1ecb62e14c365e9b ] + +Smatch complains "err" can be uninitialized in the caller. + + fs/ext4/indirect.c:349 ext4_alloc_branch() + error: uninitialized symbol 'err'. + +Set the error to zero on the success path. + +Fixes: 8016e29f4362 ("ext4: fast commit recovery path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/363a4673-0fb8-4adf-b4fb-90a499077276@moroto.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 97f4563a97c8e..71ce3ed5ab6ba 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5672,6 +5672,7 @@ ext4_mb_new_blocks_simple(struct ext4_allocation_request *ar, int *errp) + ext4_mb_mark_bb(sb, block, 1, 1); + ar->len = 1; + ++ *errp = 0; + return block; + } + +-- +2.43.0 + diff --git a/queue-6.1/ext4-fix-unit-mismatch-in-ext4_mb_new_blocks_simple.patch b/queue-6.1/ext4-fix-unit-mismatch-in-ext4_mb_new_blocks_simple.patch new file mode 100644 index 00000000000..d7665549430 --- /dev/null +++ b/queue-6.1/ext4-fix-unit-mismatch-in-ext4_mb_new_blocks_simple.patch @@ -0,0 +1,57 @@ +From 2ae5f83e40e31754b5ae27185a6044bb7942f340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jun 2023 23:03:10 +0800 +Subject: ext4: fix unit mismatch in ext4_mb_new_blocks_simple + +From: Kemeng Shi + +[ Upstream commit 497885f72d930305d8e61b6b616b22b4da1adf90 ] + +The "i" returned from mb_find_next_zero_bit is in cluster unit and we +need offset "block" corresponding to "i" in block unit. Convert "i" to +block unit to fix the unit mismatch. + +Signed-off-by: Kemeng Shi +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230603150327.3596033-3-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable") +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index eaa5db60865a4..a809a80589857 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5874,6 +5874,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + { + struct buffer_head *bitmap_bh; + struct super_block *sb = ar->inode->i_sb; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_group_t group; + ext4_grpblk_t blkoff; + ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); +@@ -5902,7 +5903,8 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + if (i >= max) + break; + if (ext4_fc_replay_check_excluded(sb, +- ext4_group_first_block_no(sb, group) + i)) { ++ ext4_group_first_block_no(sb, group) + ++ EXT4_C2B(sbi, i))) { + blkoff = i + 1; + } else + break; +@@ -5919,7 +5921,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + return 0; + } + +- block = ext4_group_first_block_no(sb, group) + i; ++ block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i); + ext4_mb_mark_bb(sb, block, 1, 1); + ar->len = 1; + +-- +2.43.0 + diff --git a/queue-6.1/ext4-remove-unused-parameter-from-ext4_mb_new_blocks.patch b/queue-6.1/ext4-remove-unused-parameter-from-ext4_mb_new_blocks.patch new file mode 100644 index 00000000000..48cebeb0d1e --- /dev/null +++ b/queue-6.1/ext4-remove-unused-parameter-from-ext4_mb_new_blocks.patch @@ -0,0 +1,189 @@ +From 6260a11f674ffb7988783c8dbb5e33724fefb4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jun 2023 23:03:17 +0800 +Subject: ext4: remove unused parameter from ext4_mb_new_blocks_simple() + +From: Kemeng Shi + +[ Upstream commit ad78b5efe4246e5deba8d44a6ed172b8a00d3113 ] + +Two cleanups for ext4_mb_new_blocks_simple: +Remove unused parameter handle of ext4_mb_new_blocks_simple. +Move ext4_mb_new_blocks_simple definition before ext4_mb_new_blocks to +remove unnecessary forward declaration of ext4_mb_new_blocks_simple. + +Signed-off-by: Kemeng Shi +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230603150327.3596033-10-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable") +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 137 +++++++++++++++++++++++----------------------- + 1 file changed, 67 insertions(+), 70 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index a7801d2a7d1b4..97f4563a97c8e 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5608,8 +5608,72 @@ static bool ext4_mb_discard_preallocations_should_retry(struct super_block *sb, + return ret; + } + +-static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, +- struct ext4_allocation_request *ar, int *errp); ++/* ++ * Simple allocator for Ext4 fast commit replay path. It searches for blocks ++ * linearly starting at the goal block and also excludes the blocks which ++ * are going to be in use after fast commit replay. ++ */ ++static ext4_fsblk_t ++ext4_mb_new_blocks_simple(struct ext4_allocation_request *ar, int *errp) ++{ ++ struct buffer_head *bitmap_bh; ++ struct super_block *sb = ar->inode->i_sb; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ ext4_group_t group, nr; ++ ext4_grpblk_t blkoff; ++ ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); ++ ext4_grpblk_t i = 0; ++ ext4_fsblk_t goal, block; ++ struct ext4_super_block *es = EXT4_SB(sb)->s_es; ++ ++ goal = ar->goal; ++ if (goal < le32_to_cpu(es->s_first_data_block) || ++ goal >= ext4_blocks_count(es)) ++ goal = le32_to_cpu(es->s_first_data_block); ++ ++ ar->len = 0; ++ ext4_get_group_no_and_offset(sb, goal, &group, &blkoff); ++ for (nr = ext4_get_groups_count(sb); nr > 0; nr--) { ++ bitmap_bh = ext4_read_block_bitmap(sb, group); ++ if (IS_ERR(bitmap_bh)) { ++ *errp = PTR_ERR(bitmap_bh); ++ pr_warn("Failed to read block bitmap\n"); ++ return 0; ++ } ++ ++ while (1) { ++ i = mb_find_next_zero_bit(bitmap_bh->b_data, max, ++ blkoff); ++ if (i >= max) ++ break; ++ if (ext4_fc_replay_check_excluded(sb, ++ ext4_group_first_block_no(sb, group) + ++ EXT4_C2B(sbi, i))) { ++ blkoff = i + 1; ++ } else ++ break; ++ } ++ brelse(bitmap_bh); ++ if (i < max) ++ break; ++ ++ if (++group >= ext4_get_groups_count(sb)) ++ group = 0; ++ ++ blkoff = 0; ++ } ++ ++ if (i >= max) { ++ *errp = -ENOSPC; ++ return 0; ++ } ++ ++ block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i); ++ ext4_mb_mark_bb(sb, block, 1, 1); ++ ar->len = 1; ++ ++ return block; ++} + + /* + * Main entry point into mballoc to allocate blocks +@@ -5634,7 +5698,7 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, + + trace_ext4_request_blocks(ar); + if (sbi->s_mount_state & EXT4_FC_REPLAY) +- return ext4_mb_new_blocks_simple(handle, ar, errp); ++ return ext4_mb_new_blocks_simple(ar, errp); + + /* Allow to use superuser reservation for quota file */ + if (ext4_is_quota_file(ar->inode)) +@@ -5864,73 +5928,6 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b, + return 0; + } + +-/* +- * Simple allocator for Ext4 fast commit replay path. It searches for blocks +- * linearly starting at the goal block and also excludes the blocks which +- * are going to be in use after fast commit replay. +- */ +-static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, +- struct ext4_allocation_request *ar, int *errp) +-{ +- struct buffer_head *bitmap_bh; +- struct super_block *sb = ar->inode->i_sb; +- struct ext4_sb_info *sbi = EXT4_SB(sb); +- ext4_group_t group, nr; +- ext4_grpblk_t blkoff; +- ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); +- ext4_grpblk_t i = 0; +- ext4_fsblk_t goal, block; +- struct ext4_super_block *es = EXT4_SB(sb)->s_es; +- +- goal = ar->goal; +- if (goal < le32_to_cpu(es->s_first_data_block) || +- goal >= ext4_blocks_count(es)) +- goal = le32_to_cpu(es->s_first_data_block); +- +- ar->len = 0; +- ext4_get_group_no_and_offset(sb, goal, &group, &blkoff); +- for (nr = ext4_get_groups_count(sb); nr > 0; nr--) { +- bitmap_bh = ext4_read_block_bitmap(sb, group); +- if (IS_ERR(bitmap_bh)) { +- *errp = PTR_ERR(bitmap_bh); +- pr_warn("Failed to read block bitmap\n"); +- return 0; +- } +- +- while (1) { +- i = mb_find_next_zero_bit(bitmap_bh->b_data, max, +- blkoff); +- if (i >= max) +- break; +- if (ext4_fc_replay_check_excluded(sb, +- ext4_group_first_block_no(sb, group) + +- EXT4_C2B(sbi, i))) { +- blkoff = i + 1; +- } else +- break; +- } +- brelse(bitmap_bh); +- if (i < max) +- break; +- +- if (++group >= ext4_get_groups_count(sb)) +- group = 0; +- +- blkoff = 0; +- } +- +- if (i >= max) { +- *errp = -ENOSPC; +- return 0; +- } +- +- block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i); +- ext4_mb_mark_bb(sb, block, 1, 1); +- ar->len = 1; +- +- return block; +-} +- + static void ext4_free_blocks_simple(struct inode *inode, ext4_fsblk_t block, + unsigned long count) + { +-- +2.43.0 + diff --git a/queue-6.1/ext4-simplify-calculation-of-blkoff-in-ext4_mb_new_b.patch b/queue-6.1/ext4-simplify-calculation-of-blkoff-in-ext4_mb_new_b.patch new file mode 100644 index 00000000000..200152ac7c1 --- /dev/null +++ b/queue-6.1/ext4-simplify-calculation-of-blkoff-in-ext4_mb_new_b.patch @@ -0,0 +1,48 @@ +From ee267d076c476e3ea20762f9364ebc2fafca9e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 01:21:20 +0800 +Subject: ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple + +From: Kemeng Shi + +[ Upstream commit 253cacb0de89235673ad5889d61f275a73dbee79 ] + +We try to allocate a block from goal in ext4_mb_new_blocks_simple. We +only need get blkoff in first group with goal and set blkoff to 0 for +the rest groups. + +Signed-off-by: Kemeng Shi +Link: https://lore.kernel.org/r/20230303172120.3800725-21-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable") +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index a843f964332c2..eaa5db60865a4 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5896,9 +5896,6 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + return 0; + } + +- ext4_get_group_no_and_offset(sb, +- max(ext4_group_first_block_no(sb, group), goal), +- NULL, &blkoff); + while (1) { + i = mb_find_next_zero_bit(bitmap_bh->b_data, max, + blkoff); +@@ -5913,6 +5910,8 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + brelse(bitmap_bh); + if (i < max) + break; ++ ++ blkoff = 0; + } + + if (group >= ext4_get_groups_count(sb) || i >= max) { +-- +2.43.0 + diff --git a/queue-6.1/ext4-try-all-groups-in-ext4_mb_new_blocks_simple.patch b/queue-6.1/ext4-try-all-groups-in-ext4_mb_new_blocks_simple.patch new file mode 100644 index 00000000000..3313ccc0764 --- /dev/null +++ b/queue-6.1/ext4-try-all-groups-in-ext4_mb_new_blocks_simple.patch @@ -0,0 +1,67 @@ +From e428b77fee0556dca674a9d3abef788a7cbdfc07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jun 2023 23:03:15 +0800 +Subject: ext4: try all groups in ext4_mb_new_blocks_simple + +From: Kemeng Shi + +[ Upstream commit 19a043bb1fd1b5cb2652ca33536c55e6c0a70df0 ] + +ext4_mb_new_blocks_simple ignores the group before goal, so it will fail +if free blocks reside in group before goal. Try all groups to avoid +unexpected failure. +Search finishes either if any free block is found or if no available +blocks are found. Simpliy check "i >= max" to distinguish the above +cases. + +Signed-off-by: Kemeng Shi +Suggested-by: Theodore Ts'o +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230603150327.3596033-8-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable") +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index a809a80589857..a7801d2a7d1b4 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5875,7 +5875,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + struct buffer_head *bitmap_bh; + struct super_block *sb = ar->inode->i_sb; + struct ext4_sb_info *sbi = EXT4_SB(sb); +- ext4_group_t group; ++ ext4_group_t group, nr; + ext4_grpblk_t blkoff; + ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); + ext4_grpblk_t i = 0; +@@ -5889,7 +5889,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + + ar->len = 0; + ext4_get_group_no_and_offset(sb, goal, &group, &blkoff); +- for (; group < ext4_get_groups_count(sb); group++) { ++ for (nr = ext4_get_groups_count(sb); nr > 0; nr--) { + bitmap_bh = ext4_read_block_bitmap(sb, group); + if (IS_ERR(bitmap_bh)) { + *errp = PTR_ERR(bitmap_bh); +@@ -5913,10 +5913,13 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + if (i < max) + break; + ++ if (++group >= ext4_get_groups_count(sb)) ++ group = 0; ++ + blkoff = 0; + } + +- if (group >= ext4_get_groups_count(sb) || i >= max) { ++ if (i >= max) { + *errp = -ENOSPC; + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/fbdev-sh7760fb-allow-modular-build.patch b/queue-6.1/fbdev-sh7760fb-allow-modular-build.patch new file mode 100644 index 00000000000..6f418dda24a --- /dev/null +++ b/queue-6.1/fbdev-sh7760fb-allow-modular-build.patch @@ -0,0 +1,50 @@ +From 63444e18760521874e91e3517ce1fb869fdee40a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 21:39:38 -0800 +Subject: fbdev: sh7760fb: allow modular build + +From: Randy Dunlap + +[ Upstream commit 51084f89d687e14d96278241e5200cde4b0985c7 ] + +There is no reason to prohibit sh7760fb from being built as a +loadable module as suggested by Geert, so change the config symbol +from bool to tristate to allow that and change the FB dependency as +needed. + +Fixes: f75f71b2c418 ("fbdev/sh7760fb: Depend on FB=y") +Suggested-by: Geert Uytterhoeven +Signed-off-by: Randy Dunlap +Cc: Thomas Zimmermann +Cc: Javier Martinez Canillas +Cc: John Paul Adrian Glaubitz +Cc: Sam Ravnborg +Cc: Helge Deller +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Acked-by: John Paul Adrian Glaubitz +Acked-by: Javier Martinez Canillas +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index ff95f19224901..37089d5a7ccc5 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -2014,8 +2014,8 @@ config FB_COBALT + depends on FB && MIPS_COBALT + + config FB_SH7760 +- bool "SH7760/SH7763/SH7720/SH7721 LCDC support" +- depends on FB=y && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ ++ tristate "SH7760/SH7763/SH7720/SH7721 LCDC support" ++ depends on FB && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ + || CPU_SUBTYPE_SH7720 || CPU_SUBTYPE_SH7721) + select FB_CFB_FILLRECT + select FB_CFB_COPYAREA +-- +2.43.0 + diff --git a/queue-6.1/fbdev-shmobile-fix-snprintf-truncation.patch b/queue-6.1/fbdev-shmobile-fix-snprintf-truncation.patch new file mode 100644 index 00000000000..eabe6298eab --- /dev/null +++ b/queue-6.1/fbdev-shmobile-fix-snprintf-truncation.patch @@ -0,0 +1,40 @@ +From 596dff206c8d103c5a965cf89b2def02d2cefb61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:00 +0100 +Subject: fbdev: shmobile: fix snprintf truncation + +From: Arnd Bergmann + +[ Upstream commit 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 ] + +The name of the overlay does not fit into the fixed-length field: + +drivers/video/fbdev/sh_mobile_lcdcfb.c:1577:2: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 25 + +Make it short enough by changing the string. + +Fixes: c5deac3c9b22 ("fbdev: sh_mobile_lcdc: Implement overlays support") +Signed-off-by: Arnd Bergmann +Reviewed-by: Laurent Pinchart +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c +index 6d00893d41f4c..444c3ca9d4d4d 100644 +--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c ++++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c +@@ -1576,7 +1576,7 @@ sh_mobile_lcdc_overlay_fb_init(struct sh_mobile_lcdc_overlay *ovl) + */ + info->fix = sh_mobile_lcdc_overlay_fix; + snprintf(info->fix.id, sizeof(info->fix.id), +- "SH Mobile LCDC Overlay %u", ovl->index); ++ "SHMobile ovl %u", ovl->index); + info->fix.smem_start = ovl->dma_handle; + info->fix.smem_len = ovl->fb_size; + info->fix.line_length = ovl->pitch; +-- +2.43.0 + diff --git a/queue-6.1/fbdev-sisfb-hide-unused-variables.patch b/queue-6.1/fbdev-sisfb-hide-unused-variables.patch new file mode 100644 index 00000000000..2121d01a40c --- /dev/null +++ b/queue-6.1/fbdev-sisfb-hide-unused-variables.patch @@ -0,0 +1,68 @@ +From 0965ac2b47eac87a6e714e0a4666f5501a8bb7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:31 +0200 +Subject: fbdev: sisfb: hide unused variables + +From: Arnd Bergmann + +[ Upstream commit 688cf598665851b9e8cb5083ff1d208ce43d10ff ] + +Building with W=1 shows that a couple of variables in this driver are only +used in certain configurations: + +drivers/video/fbdev/sis/init301.c:239:28: error: 'SiS_Part2CLVX_6' defined but not used [-Werror=unused-const-variable=] + 239 | static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:230:28: error: 'SiS_Part2CLVX_5' defined but not used [-Werror=unused-const-variable=] + 230 | static const unsigned char SiS_Part2CLVX_5[] = { /* 750p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:211:28: error: 'SiS_Part2CLVX_4' defined but not used [-Werror=unused-const-variable=] + 211 | static const unsigned char SiS_Part2CLVX_4[] = { /* PAL */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:192:28: error: 'SiS_Part2CLVX_3' defined but not used [-Werror=unused-const-variable=] + 192 | static const unsigned char SiS_Part2CLVX_3[] = { /* NTSC, 525i, 525p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:184:28: error: 'SiS_Part2CLVX_2' defined but not used [-Werror=unused-const-variable=] + 184 | static const unsigned char SiS_Part2CLVX_2[] = { + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:176:28: error: 'SiS_Part2CLVX_1' defined but not used [-Werror=unused-const-variable=] + 176 | static const unsigned char SiS_Part2CLVX_1[] = { + | ^~~~~~~~~~~~~~~ + +This started showing up after the definitions were moved into the +source file from the header, which was not flagged by the compiler. +Move the definition into the appropriate #ifdef block that already +exists next to them. + +Fixes: 5908986ef348 ("video: fbdev: sis: avoid mismatched prototypes") +Signed-off-by: Arnd Bergmann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init301.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c +index a8fb41f1a2580..09329072004f4 100644 +--- a/drivers/video/fbdev/sis/init301.c ++++ b/drivers/video/fbdev/sis/init301.c +@@ -172,7 +172,7 @@ static const unsigned char SiS_HiTVGroup3_2[] = { + }; + + /* 301C / 302ELV extended Part2 TV registers (4 tap scaler) */ +- ++#ifdef CONFIG_FB_SIS_315 + static const unsigned char SiS_Part2CLVX_1[] = { + 0x00,0x00, + 0x00,0x20,0x00,0x00,0x7F,0x20,0x02,0x7F,0x7D,0x20,0x04,0x7F,0x7D,0x1F,0x06,0x7E, +@@ -245,7 +245,6 @@ static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + 0xFF,0xFF, + }; + +-#ifdef CONFIG_FB_SIS_315 + /* 661 et al LCD data structure (2.03.00) */ + static const unsigned char SiS_LCDStruct661[] = { + /* 1024x768 */ +-- +2.43.0 + diff --git a/queue-6.1/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch b/queue-6.1/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch new file mode 100644 index 00000000000..a2bf32f8a06 --- /dev/null +++ b/queue-6.1/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch @@ -0,0 +1,65 @@ +From 4ec78b4ff3332c48676417f1026ea1890b75d9e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:58:06 +0200 +Subject: firmware: raspberrypi: Use correct device for DMA mappings + +From: Laurent Pinchart + +[ Upstream commit df518a0ae1b982a4dcf2235464016c0c4576a34d ] + +The buffer used to transfer data over the mailbox interface is mapped +using the client's device. This is incorrect, as the device performing +the DMA transfer is the mailbox itself. Fix it by using the mailbox +controller device instead. + +This requires including the mailbox_controller.h header to dereference +the mbox_chan and mbox_controller structures. The header is not meant to +be included by clients. This could be fixed by extending the client API +with a function to access the controller's device. + +Fixes: 4e3d60656a72 ("ARM: bcm2835: Add the Raspberry Pi firmware driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Stefan Wahren +Tested-by: Ivan T. Ivanov +Link: https://lore.kernel.org/r/20240326195807.15163-3-laurent.pinchart@ideasonboard.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/firmware/raspberrypi.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c +index dba315f675bc7..ec223976c972d 100644 +--- a/drivers/firmware/raspberrypi.c ++++ b/drivers/firmware/raspberrypi.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -96,8 +97,8 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + if (size & 3) + return -EINVAL; + +- buf = dma_alloc_coherent(fw->cl.dev, PAGE_ALIGN(size), &bus_addr, +- GFP_ATOMIC); ++ buf = dma_alloc_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), ++ &bus_addr, GFP_ATOMIC); + if (!buf) + return -ENOMEM; + +@@ -125,7 +126,7 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + ret = -EINVAL; + } + +- dma_free_coherent(fw->cl.dev, PAGE_ALIGN(size), buf, bus_addr); ++ dma_free_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), buf, bus_addr); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.1/fpga-dfl-pci-add-pci-subdevice-id-for-intel-d5005-ca.patch b/queue-6.1/fpga-dfl-pci-add-pci-subdevice-id-for-intel-d5005-ca.patch new file mode 100644 index 00000000000..982693e7ad7 --- /dev/null +++ b/queue-6.1/fpga-dfl-pci-add-pci-subdevice-id-for-intel-d5005-ca.patch @@ -0,0 +1,51 @@ +From 238b47d8afb1897ac60bec052479e9b7176d15bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 19:02:57 -0400 +Subject: fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card + +From: Peter Colberg + +[ Upstream commit bb1dbeceb1c20cfd81271e1bd69892ebd1ee38e0 ] + +Add PCI subdevice ID for the Intel D5005 Stratix 10 FPGA card as +used with the Open FPGA Stack (OFS) FPGA Interface Manager (FIM). + +Unlike the Intel D5005 PAC FIM which exposed a separate PCI device ID, +the OFS FIM reuses the same device ID for all DFL-based FPGA cards +and differentiates on the subdevice ID. The subdevice ID values were +chosen as the numeric part of the FPGA card names in hexadecimal. + +Signed-off-by: Peter Colberg +Reviewed-by: Matthew Gerlach +Acked-by: Xu Yilun +Link: https://lore.kernel.org/r/20240422230257.1959-1-peter.colberg@intel.com +Signed-off-by: Xu Yilun +Signed-off-by: Sasha Levin +--- + drivers/fpga/dfl-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/fpga/dfl-pci.c b/drivers/fpga/dfl-pci.c +index 0914e7328b1a5..4220ef00a555e 100644 +--- a/drivers/fpga/dfl-pci.c ++++ b/drivers/fpga/dfl-pci.c +@@ -79,6 +79,7 @@ static void cci_pci_free_irq(struct pci_dev *pcidev) + #define PCIE_DEVICE_ID_SILICOM_PAC_N5011 0x1001 + #define PCIE_DEVICE_ID_INTEL_DFL 0xbcce + /* PCI Subdevice ID for PCIE_DEVICE_ID_INTEL_DFL */ ++#define PCIE_SUBDEVICE_ID_INTEL_D5005 0x138d + #define PCIE_SUBDEVICE_ID_INTEL_N6000 0x1770 + #define PCIE_SUBDEVICE_ID_INTEL_N6001 0x1771 + #define PCIE_SUBDEVICE_ID_INTEL_C6100 0x17d4 +@@ -102,6 +103,8 @@ static struct pci_device_id cci_pcie_id_tbl[] = { + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_PAC_D5005_VF),}, + {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5010),}, + {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5011),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_D5005),}, + {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL, + PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6000),}, + {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF, +-- +2.43.0 + diff --git a/queue-6.1/gfs2-don-t-forget-to-complete-delayed-withdraw.patch b/queue-6.1/gfs2-don-t-forget-to-complete-delayed-withdraw.patch new file mode 100644 index 00000000000..94bc2ba4d92 --- /dev/null +++ b/queue-6.1/gfs2-don-t-forget-to-complete-delayed-withdraw.patch @@ -0,0 +1,39 @@ +From 67bbcf6a158818b70595b6800ba71365886ca430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 11:49:44 +0100 +Subject: gfs2: Don't forget to complete delayed withdraw + +From: Andreas Gruenbacher + +[ Upstream commit b01189333ee91c1ae6cd96dfd1e3a3c2e69202f0 ] + +Commit fffe9bee14b0 ("gfs2: Delay withdraw from atomic context") +switched from gfs2_withdraw() to gfs2_withdraw_delayed() in +gfs2_ail_error(), but failed to then check if a delayed withdraw had +occurred. Fix that by adding the missing check in __gfs2_ail_flush(), +where the spin locks are already dropped and a withdraw is possible. + +Fixes: fffe9bee14b0 ("gfs2: Delay withdraw from atomic context") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glops.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 7762483f5f20f..91a542b9d81e8 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -82,6 +82,9 @@ static void __gfs2_ail_flush(struct gfs2_glock *gl, bool fsync, + GLOCK_BUG_ON(gl, !fsync && atomic_read(&gl->gl_ail_count)); + spin_unlock(&sdp->sd_ail_lock); + gfs2_log_unlock(sdp); ++ ++ if (gfs2_withdrawing(sdp)) ++ gfs2_withdraw(sdp); + } + + +-- +2.43.0 + diff --git a/queue-6.1/gfs2-fix-ignore-unlock-failures-after-withdraw.patch b/queue-6.1/gfs2-fix-ignore-unlock-failures-after-withdraw.patch new file mode 100644 index 00000000000..970a17ae5fe --- /dev/null +++ b/queue-6.1/gfs2-fix-ignore-unlock-failures-after-withdraw.patch @@ -0,0 +1,63 @@ +From 412681cac096a11a88c69a37e86c46e45d1b8fea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 13:47:51 +0200 +Subject: gfs2: Fix "ignore unlock failures after withdraw" + +From: Andreas Gruenbacher + +[ Upstream commit 5d9231111966b6c5a65016d58dcbeab91055bc91 ] + +Commit 3e11e53041502 tries to suppress dlm_lock() lock conversion errors +that occur when the lockspace has already been released. + +It does that by setting and checking the SDF_SKIP_DLM_UNLOCK flag. This +conflicts with the intended meaning of the SDF_SKIP_DLM_UNLOCK flag, so +check whether the lockspace is still allocated instead. + +(Given the current DLM API, checking for this kind of error after the +fact seems easier that than to make sure that the lockspace is still +allocated before calling dlm_lock(). Changing the DLM API so that users +maintain the lockspace references themselves would be an option.) + +Fixes: 3e11e53041502 ("GFS2: ignore unlock failures after withdraw") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 4 +++- + fs/gfs2/util.c | 1 - + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 235a0948f6cc6..95353982e643a 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -855,11 +855,13 @@ __acquires(&gl->gl_lockref.lock) + } + + if (sdp->sd_lockstruct.ls_ops->lm_lock) { ++ struct lm_lockstruct *ls = &sdp->sd_lockstruct; ++ + /* lock_dlm */ + ret = sdp->sd_lockstruct.ls_ops->lm_lock(gl, target, lck_flags); + if (ret == -EINVAL && gl->gl_target == LM_ST_UNLOCKED && + target == LM_ST_UNLOCKED && +- test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags)) { ++ test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { + finish_xmote(gl, target); + gfs2_glock_queue_work(gl, 0); + } else if (ret) { +diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c +index 7a6aeffcdf5ca..48c69aa60cd17 100644 +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -359,7 +359,6 @@ int gfs2_withdraw(struct gfs2_sbd *sdp) + fs_err(sdp, "telling LM to unmount\n"); + lm->lm_unmount(sdp); + } +- set_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags); + fs_err(sdp, "File system withdrawn\n"); + dump_stack(); + clear_bit(SDF_WITHDRAW_IN_PROG, &sdp->sd_flags); +-- +2.43.0 + diff --git a/queue-6.1/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch b/queue-6.1/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch new file mode 100644 index 00000000000..336693f1718 --- /dev/null +++ b/queue-6.1/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch @@ -0,0 +1,52 @@ +From c0ddcc751092cdfe113812eeb193ce557f893fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 12:40:44 +0530 +Subject: HID: amd_sfh: Handle "no sensors" in PM operations + +From: Basavaraj Natikar + +[ Upstream commit 077e3e3bc84a51891e732507bbbd9acf6e0e4c8b ] + +Resume or suspend each sensor device based on the num_hid_devices. +Therefore, add a check to handle the special case where no sensors are +present. + +Fixes: 93ce5e0231d7 ("HID: amd_sfh: Implement SFH1.1 functionality") +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +index bb8bd7892b674..eda888f75f165 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +@@ -222,6 +222,11 @@ static void amd_sfh_resume(struct amd_mp2_dev *mp2) + struct amd_mp2_sensor_info info; + int i, status; + ++ if (!cl_data->is_any_sensor_enabled) { ++ amd_sfh_clear_intr(mp2); ++ return; ++ } ++ + for (i = 0; i < cl_data->num_hid_devices; i++) { + if (cl_data->sensor_sts[i] == SENSOR_DISABLED) { + info.sensor_idx = cl_data->sensor_idx[i]; +@@ -247,6 +252,11 @@ static void amd_sfh_suspend(struct amd_mp2_dev *mp2) + struct amdtp_cl_data *cl_data = mp2->cl_data; + int i, status; + ++ if (!cl_data->is_any_sensor_enabled) { ++ amd_sfh_clear_intr(mp2); ++ return; ++ } ++ + for (i = 0; i < cl_data->num_hid_devices; i++) { + if (cl_data->sensor_idx[i] != HPD_IDX && + cl_data->sensor_sts[i] == SENSOR_ENABLED) { +-- +2.43.0 + diff --git a/queue-6.1/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch b/queue-6.1/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch new file mode 100644 index 00000000000..3cd10cb5b29 --- /dev/null +++ b/queue-6.1/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch @@ -0,0 +1,41 @@ +From 86c957bccb911554329a953add2fa1e3aa29425b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:54:22 +0800 +Subject: HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors + +From: Chen Ni + +[ Upstream commit 6baa4524027fd64d7ca524e1717c88c91a354b93 ] + +Add a check for the return value of pci_alloc_irq_vectors() and return +error if it fails. + +[jkosina@suse.com: reworded changelog based on Srinivas' suggestion] +Fixes: 74fbc7d371d9 ("HID: intel-ish-hid: add MSI interrupt support") +Signed-off-by: Chen Ni +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +index 710fda5f19e1c..916d427163ca2 100644 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -216,6 +216,11 @@ static int ish_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* request and enable interrupt */ + ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES); ++ if (ret < 0) { ++ dev_err(dev, "ISH: Failed to allocate IRQ vectors\n"); ++ return ret; ++ } ++ + if (!pdev->msi_enabled && !pdev->msix_enabled) + irq_flag = IRQF_SHARED; + +-- +2.43.0 + diff --git a/queue-6.1/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch b/queue-6.1/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch new file mode 100644 index 00000000000..699b1289dac --- /dev/null +++ b/queue-6.1/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch @@ -0,0 +1,83 @@ +From 33b77f91ff948e5ae736f1e0b9e200f80fc835e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 13:46:19 -0300 +Subject: IB/mlx5: Use __iowrite64_copy() for write combining stores + +From: Jason Gunthorpe + +[ Upstream commit ef302283ddfceaba2657923af3f90fd58e6dff06 ] + +mlx5 has a built in self-test at driver startup to evaluate if the +platform supports write combining to generate a 64 byte PCIe TLP or +not. This has proven necessary because a lot of common scenarios end up +with broken write combining (especially inside virtual machines) and there +is other way to learn this information. + +This self test has been consistently failing on new ARM64 CPU +designs (specifically with NVIDIA Grace's implementation of Neoverse +V2). The C loop around writeq() generates some pretty terrible ARM64 +assembly, but historically this has worked on a lot of existing ARM64 CPUs +till now. + +We see it succeed about 1 time in 10,000 on the worst effected +systems. The CPU architects speculate that the load instructions +interspersed with the stores makes the WC buffers statistically flush too +often and thus the generation of large TLPs becomes infrequent. This makes +the boot up test unreliable in that it indicates no write-combining, +however userspace would be fine since it uses a ST4 instruction. + +Further, S390 has similar issues where only the special zpci_memcpy_toio() +will actually generate large TLPs, and the open coded loop does not +trigger it at all. + +Fix both ARM64 and S390 by switching to __iowrite64_copy() which now +provides architecture specific variants that have a high change of +generating a large TLP with write combining. x86 continues to use a +similar writeq loop in the generate __iowrite64_copy(). + +Fixes: 11f552e21755 ("IB/mlx5: Test write combining support") +Link: https://lore.kernel.org/r/6-v3-1893cd8b9369+1925-mlx5_arm_wc_jgg@nvidia.com +Tested-by: Niklas Schnelle +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mem.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mem.c b/drivers/infiniband/hw/mlx5/mem.c +index 96ffbbaf0a73d..5a22be14d958f 100644 +--- a/drivers/infiniband/hw/mlx5/mem.c ++++ b/drivers/infiniband/hw/mlx5/mem.c +@@ -30,6 +30,7 @@ + * SOFTWARE. + */ + ++#include + #include + #include "mlx5_ib.h" + #include +@@ -108,7 +109,6 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id, + __be32 mmio_wqe[16] = {}; + unsigned long flags; + unsigned int idx; +- int i; + + if (unlikely(dev->mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)) + return -EIO; +@@ -148,10 +148,8 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id, + * we hit doorbell + */ + wmb(); +- for (i = 0; i < 8; i++) +- mlx5_write64(&mmio_wqe[i * 2], +- bf->bfreg->map + bf->offset + i * 8); +- io_stop_wc(); ++ __iowrite64_copy(bf->bfreg->map + bf->offset, mmio_wqe, ++ sizeof(mmio_wqe) / 8); + + bf->offset ^= bf->buf_size; + +-- +2.43.0 + diff --git a/queue-6.1/io_uring-don-t-use-tif_notify_signal-to-test-for-ava.patch b/queue-6.1/io_uring-don-t-use-tif_notify_signal-to-test-for-ava.patch new file mode 100644 index 00000000000..2382e167213 --- /dev/null +++ b/queue-6.1/io_uring-don-t-use-tif_notify_signal-to-test-for-ava.patch @@ -0,0 +1,39 @@ +From 7eba1466830a087049cb964c7ecb86d98e1b31a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 13:40:17 -0700 +Subject: io_uring: don't use TIF_NOTIFY_SIGNAL to test for availability of + task_work + +From: Jens Axboe + +[ Upstream commit 6434ec0186b80c734aa7a2acf95f75f5c6dd943b ] + +Use task_work_pending() as a better test for whether we have task_work +or not, TIF_NOTIFY_SIGNAL is only valid if the any of the task_work +items had been queued with TWA_SIGNAL as the notification mechanism. +Hence task_work_pending() is a more reliable check. + +Signed-off-by: Jens Axboe +Stable-dep-of: 22537c9f7941 ("io_uring: use the right type for work_llist empty check") +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 59e6f755f12c6..9e74f7968e059 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -275,8 +275,7 @@ static inline int io_run_task_work(void) + + static inline bool io_task_work_pending(struct io_ring_ctx *ctx) + { +- return test_thread_flag(TIF_NOTIFY_SIGNAL) || +- !wq_list_empty(&ctx->work_llist); ++ return task_work_pending(current) || !wq_list_empty(&ctx->work_llist); + } + + static inline int io_run_task_work_ctx(struct io_ring_ctx *ctx) +-- +2.43.0 + diff --git a/queue-6.1/io_uring-use-the-right-type-for-work_llist-empty-che.patch b/queue-6.1/io_uring-use-the-right-type-for-work_llist-empty-che.patch new file mode 100644 index 00000000000..a65c463489b --- /dev/null +++ b/queue-6.1/io_uring-use-the-right-type-for-work_llist-empty-che.patch @@ -0,0 +1,37 @@ +From a698ff907d28b1625b87a92386c8cbe4f06e35ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 18:53:33 -0600 +Subject: io_uring: use the right type for work_llist empty check + +From: Jens Axboe + +[ Upstream commit 22537c9f79417fed70b352d54d01d2586fee9521 ] + +io_task_work_pending() uses wq_list_empty() on ctx->work_llist, but it's +not an io_wq_work_list, it's a struct llist_head. They both have +->first as head-of-list, and it turns out the checks are identical. But +be proper and use the right helper. + +Fixes: dac6a0eae793 ("io_uring: ensure iopoll runs local task work as well") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 9e74f7968e059..0cafdefce02dc 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -275,7 +275,7 @@ static inline int io_run_task_work(void) + + static inline bool io_task_work_pending(struct io_ring_ctx *ctx) + { +- return task_work_pending(current) || !wq_list_empty(&ctx->work_llist); ++ return task_work_pending(current) || !llist_empty(&ctx->work_llist); + } + + static inline int io_run_task_work_ctx(struct io_ring_ctx *ctx) +-- +2.43.0 + diff --git a/queue-6.1/ipv6-sr-add-missing-seg6_local_exit.patch b/queue-6.1/ipv6-sr-add-missing-seg6_local_exit.patch new file mode 100644 index 00000000000..18b53d19023 --- /dev/null +++ b/queue-6.1/ipv6-sr-add-missing-seg6_local_exit.patch @@ -0,0 +1,38 @@ +From e607d34dd335faf94eea8df49e3a0ee84e75fd05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:10 +0800 +Subject: ipv6: sr: add missing seg6_local_exit + +From: Hangbin Liu + +[ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ] + +Currently, we only call seg6_local_exit() in seg6_init() if +seg6_local_init() failed. But forgot to call it in seg6_exit(). + +Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-2-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 35508abd76f43..5423f1f2aa626 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -564,6 +564,7 @@ void seg6_exit(void) + seg6_hmac_exit(); + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL ++ seg6_local_exit(); + seg6_iptunnel_exit(); + #endif + unregister_pernet_subsys(&ip6_segments_ops); +-- +2.43.0 + diff --git a/queue-6.1/ipv6-sr-fix-incorrect-unregister-order.patch b/queue-6.1/ipv6-sr-fix-incorrect-unregister-order.patch new file mode 100644 index 00000000000..d18a919c127 --- /dev/null +++ b/queue-6.1/ipv6-sr-fix-incorrect-unregister-order.patch @@ -0,0 +1,39 @@ +From 836b3f4a9adb0deea866f353716fd00fb578318f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:11 +0800 +Subject: ipv6: sr: fix incorrect unregister order + +From: Hangbin Liu + +[ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ] + +Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and +null-ptr-deref") changed the register order in seg6_init(). But the +unregister order in seg6_exit() is not updated. + +Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 5423f1f2aa626..c4ef96c8fdaca 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -567,6 +567,6 @@ void seg6_exit(void) + seg6_local_exit(); + seg6_iptunnel_exit(); + #endif +- unregister_pernet_subsys(&ip6_segments_ops); + genl_unregister_family(&seg6_genl_family); ++ unregister_pernet_subsys(&ip6_segments_ops); + } +-- +2.43.0 + diff --git a/queue-6.1/ipv6-sr-fix-invalid-unregister-error-path.patch b/queue-6.1/ipv6-sr-fix-invalid-unregister-error-path.patch new file mode 100644 index 00000000000..c3efe20a07d --- /dev/null +++ b/queue-6.1/ipv6-sr-fix-invalid-unregister-error-path.patch @@ -0,0 +1,46 @@ +From 1b3954d50bcc2612f0cf5ec4c9733b7cf60b9112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:12 +0800 +Subject: ipv6: sr: fix invalid unregister error path + +From: Hangbin Liu + +[ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ] + +The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL +is not defined. In that case if seg6_hmac_init() fails, the +genl_unregister_family() isn't called. + +This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control +lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible +use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() +with genl_unregister_family() in this error path. + +Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") +Reported-by: Guillaume Nault +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-4-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index c4ef96c8fdaca..a31521e270f78 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -551,6 +551,8 @@ int __init seg6_init(void) + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + out_unregister_genl: ++#endif ++#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) + genl_unregister_family(&seg6_genl_family); + #endif + out_unregister_pernet: +-- +2.43.0 + diff --git a/queue-6.1/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch b/queue-6.1/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch new file mode 100644 index 00000000000..29bdd974ce0 --- /dev/null +++ b/queue-6.1/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch @@ -0,0 +1,40 @@ +From b8ea3836490c81c993c42003daed5f031bc83b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 22:23:05 +0800 +Subject: irqchip/alpine-msi: Fix off-by-one in allocation error path + +From: Zenghui Yu + +[ Upstream commit ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 ] + +When alpine_msix_gic_domain_alloc() fails, there is an off-by-one in the +number of interrupts to be freed. + +Fix it by passing the number of successfully allocated interrupts, instead +of the relative index of the last allocated one. + +Fixes: 3841245e8498 ("irqchip/alpine-msi: Fix freeing of interrupts on allocation error path") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240327142305.1048-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index fc1ef7de37973..c9ffd69dfc756 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -165,7 +165,7 @@ static int alpine_msix_middle_domain_alloc(struct irq_domain *domain, + return 0; + + err_sgi: +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + alpine_msix_free_sgi(priv, sgi, nr_irqs); + return err; + } +-- +2.43.0 + diff --git a/queue-6.1/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch b/queue-6.1/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch new file mode 100644 index 00000000000..7e2cb6e63aa --- /dev/null +++ b/queue-6.1/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch @@ -0,0 +1,41 @@ +From da59c4903df5f26e0c53eeefcccfa9e7a1d1c6cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 22:23:34 +0800 +Subject: irqchip/loongson-pch-msi: Fix off-by-one on allocation error path + +From: Zenghui Yu + +[ Upstream commit b327708798809328f21da8dc14cc8883d1e8a4b3 ] + +When pch_msi_parent_domain_alloc() returns an error, there is an off-by-one +in the number of interrupts to be freed. + +Fix it by passing the number of successfully allocated interrupts, instead of the +relative index of the last allocated one. + +Fixes: 632dcc2c75ef ("irqchip: Add Loongson PCH MSI controller") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Reviewed-by: Jiaxun Yang +Link: https://lore.kernel.org/r/20240327142334.1098-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-loongson-pch-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-loongson-pch-msi.c b/drivers/irqchip/irq-loongson-pch-msi.c +index a72ede90ffc69..8b642927b522b 100644 +--- a/drivers/irqchip/irq-loongson-pch-msi.c ++++ b/drivers/irqchip/irq-loongson-pch-msi.c +@@ -136,7 +136,7 @@ static int pch_msi_middle_domain_alloc(struct irq_domain *domain, + + err_hwirq: + pch_msi_free_hwirq(priv, hwirq, nr_irqs); +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + + return err; + } +-- +2.43.0 + diff --git a/queue-6.1/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch b/queue-6.1/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch new file mode 100644 index 00000000000..3853f5e6090 --- /dev/null +++ b/queue-6.1/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch @@ -0,0 +1,81 @@ +From bb668d9cd55cac1712ce2861e298ae5eeccdc460 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 18:53:54 +0300 +Subject: jffs2: prevent xattr node from overflowing the eraseblock + +From: Ilya Denisyev + +[ Upstream commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 ] + +Add a check to make sure that the requested xattr node size is no larger +than the eraseblock minus the cleanmarker. + +Unlike the usual inode nodes, the xattr nodes aren't split into parts +and spread across multiple eraseblocks, which means that a xattr node +must not occupy more than one eraseblock. If the requested xattr value is +too large, the xattr node can spill onto the next eraseblock, overwriting +the nodes and causing errors such as: + +jffs2: argh. node added in wrong place at 0x0000b050(2) +jffs2: nextblock 0x0000a000, expected at 0000b00c +jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, +read=0xfc892c93, calc=0x000000 +jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed +at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} +jffs2: Node at 0x0000000c with length 0x00001044 would run over the +end of the erase block +jffs2: Perhaps the file system was created with the wrong erase size? +jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found +at 0x00000010: 0x1044 instead + +This breaks the filesystem and can lead to KASAN crashes such as: + +BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 +Read of size 4 at addr ffff88802c31e914 by task repro/830 +CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS Arch Linux 1.16.3-1-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc6/0x120 + print_report+0xc4/0x620 + ? __virt_addr_valid+0x308/0x5b0 + kasan_report+0xc1/0xf0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_flash_direct_writev+0xa8/0xd0 + jffs2_flash_writev+0x9c9/0xef0 + ? __x64_sys_setxattr+0xc4/0x160 + ? do_syscall_64+0x69/0x140 + ? entry_SYSCALL_64_after_hwframe+0x76/0x7e + [...] + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)") +Signed-off-by: Ilya Denisyev +Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/jffs2/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c +index acb4492f5970c..5a31220f96f5f 100644 +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -1111,6 +1111,9 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname, + return rc; + + request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size); ++ if (request > c->sector_size - c->cleanmarker_size) ++ return -ERANGE; ++ + rc = jffs2_reserve_space(c, request, &length, + ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE); + if (rc) { +-- +2.43.0 + diff --git a/queue-6.1/kernel-numa.c-move-logging-out-of-numa.h.patch b/queue-6.1/kernel-numa.c-move-logging-out-of-numa.h.patch new file mode 100644 index 00000000000..433a60e8dac --- /dev/null +++ b/queue-6.1/kernel-numa.c-move-logging-out-of-numa.h.patch @@ -0,0 +1,121 @@ +From e2ea7dc13583065e7bd9673613439de717797cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 13:27:00 -0500 +Subject: kernel/numa.c: Move logging out of numa.h + +From: Kent Overstreet + +[ Upstream commit d7a73e3f089204aee3393687e23fd45a22657b08 ] + +Moving these stub functions to a .c file means we can kill a sched.h +dependency on printk.h. + +Signed-off-by: Kent Overstreet +Stable-dep-of: f9f67e5adc8d ("x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks()") +Signed-off-by: Sasha Levin +--- + include/linux/numa.h | 19 ++++++------------- + kernel/Makefile | 1 + + kernel/numa.c | 26 ++++++++++++++++++++++++++ + 3 files changed, 33 insertions(+), 13 deletions(-) + create mode 100644 kernel/numa.c + +diff --git a/include/linux/numa.h b/include/linux/numa.h +index 0f512c0aba54b..8fc218a55be4e 100644 +--- a/include/linux/numa.h ++++ b/include/linux/numa.h +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + #ifndef _LINUX_NUMA_H + #define _LINUX_NUMA_H ++#include + #include + + #ifdef CONFIG_NODES_SHIFT +@@ -22,34 +23,26 @@ + #endif + + #ifdef CONFIG_NUMA +-#include + #include + + /* Generic implementation available */ + int numa_map_to_online_node(int node); + + #ifndef memory_add_physaddr_to_nid +-static inline int memory_add_physaddr_to_nid(u64 start) +-{ +- pr_info_once("Unknown online node for memory at 0x%llx, assuming node 0\n", +- start); +- return 0; +-} ++int memory_add_physaddr_to_nid(u64 start); + #endif ++ + #ifndef phys_to_target_node +-static inline int phys_to_target_node(u64 start) +-{ +- pr_info_once("Unknown target node for memory at 0x%llx, assuming node 0\n", +- start); +- return 0; +-} ++int phys_to_target_node(u64 start); + #endif ++ + #ifndef numa_fill_memblks + static inline int __init numa_fill_memblks(u64 start, u64 end) + { + return NUMA_NO_MEMBLK; + } + #endif ++ + #else /* !CONFIG_NUMA */ + static inline int numa_map_to_online_node(int node) + { +diff --git a/kernel/Makefile b/kernel/Makefile +index ebc692242b68b..c90ee75eb8043 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -112,6 +112,7 @@ obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o + obj-$(CONFIG_HAVE_STATIC_CALL) += static_call.o + obj-$(CONFIG_HAVE_STATIC_CALL_INLINE) += static_call_inline.o + obj-$(CONFIG_CFI_CLANG) += cfi.o ++obj-$(CONFIG_NUMA) += numa.o + + obj-$(CONFIG_PERF_EVENTS) += events/ + +diff --git a/kernel/numa.c b/kernel/numa.c +new file mode 100644 +index 0000000000000..67ca6b8585c06 +--- /dev/null ++++ b/kernel/numa.c +@@ -0,0 +1,26 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++ ++#include ++#include ++ ++/* Stub functions: */ ++ ++#ifndef memory_add_physaddr_to_nid ++int memory_add_physaddr_to_nid(u64 start) ++{ ++ pr_info_once("Unknown online node for memory at 0x%llx, assuming node 0\n", ++ start); ++ return 0; ++} ++EXPORT_SYMBOL_GPL(memory_add_physaddr_to_nid); ++#endif ++ ++#ifndef phys_to_target_node ++int phys_to_target_node(u64 start) ++{ ++ pr_info_once("Unknown target node for memory at 0x%llx, assuming node 0\n", ++ start); ++ return 0; ++} ++EXPORT_SYMBOL_GPL(phys_to_target_node); ++#endif +-- +2.43.0 + diff --git a/queue-6.1/kunit-fix-kthread-reference.patch b/queue-6.1/kunit-fix-kthread-reference.patch new file mode 100644 index 00000000000..22ed6b9bc92 --- /dev/null +++ b/queue-6.1/kunit-fix-kthread-reference.patch @@ -0,0 +1,70 @@ +From 3ccfffdf89b2379348b5a610e6dd9b601ea152e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:46:20 +0200 +Subject: kunit: Fix kthread reference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit f8aa1b98ce40184521ed95ec26cc115a255183b2 ] + +There is a race condition when a kthread finishes after the deadline and +before the call to kthread_stop(), which may lead to use after free. + +Cc: Brendan Higgins +Cc: Shuah Khan +Reviewed-by: Kees Cook +Fixes: adf505457032 ("kunit: fix UAF when run kfence test case test_gfpzero") +Reviewed-by: David Gow +Reviewed-by: Rae Moar +Signed-off-by: Mickaël Salaün +Link: https://lore.kernel.org/r/20240408074625.65017-3-mic@digikod.net +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/try-catch.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c +index f7825991d576a..d9d1df28cc52e 100644 +--- a/lib/kunit/try-catch.c ++++ b/lib/kunit/try-catch.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "try-catch-impl.h" + +@@ -65,13 +66,14 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + try_catch->context = context; + try_catch->try_completion = &try_completion; + try_catch->try_result = 0; +- task_struct = kthread_run(kunit_generic_run_threadfn_adapter, +- try_catch, +- "kunit_try_catch_thread"); ++ task_struct = kthread_create(kunit_generic_run_threadfn_adapter, ++ try_catch, "kunit_try_catch_thread"); + if (IS_ERR(task_struct)) { + try_catch->catch(try_catch->context); + return; + } ++ get_task_struct(task_struct); ++ wake_up_process(task_struct); + + time_remaining = wait_for_completion_timeout(&try_completion, + kunit_test_timeout()); +@@ -81,6 +83,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + kthread_stop(task_struct); + } + ++ put_task_struct(task_struct); + exit_code = try_catch->try_result; + + if (!exit_code) +-- +2.43.0 + diff --git a/queue-6.1/kvm-selftests-add-test-for-uaccesses-to-non-existent.patch b/queue-6.1/kvm-selftests-add-test-for-uaccesses-to-non-existent.patch new file mode 100644 index 00000000000..07f52d9239a --- /dev/null +++ b/queue-6.1/kvm-selftests-add-test-for-uaccesses-to-non-existent.patch @@ -0,0 +1,102 @@ +From e3c371adc6aa6c50a0f89bf376fc403952413f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 17:39:59 +0000 +Subject: KVM: selftests: Add test for uaccesses to non-existent vgic-v2 CPUIF + +From: Oliver Upton + +[ Upstream commit 160933e330f4c5a13931d725a4d952a4b9aefa71 ] + +Assert that accesses to a non-existent vgic-v2 CPU interface +consistently fail across the various KVM device attr ioctls. This also +serves as a regression test for a bug wherein KVM hits a NULL +dereference when the CPUID specified in the ioctl is invalid. + +Note that there is no need to print the observed errno, as TEST_ASSERT() +will take care of it. + +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240424173959.3776798-3-oliver.upton@linux.dev +Signed-off-by: Oliver Upton +Signed-off-by: Sasha Levin +--- + .../testing/selftests/kvm/aarch64/vgic_init.c | 49 +++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/tools/testing/selftests/kvm/aarch64/vgic_init.c b/tools/testing/selftests/kvm/aarch64/vgic_init.c +index 9c131d977a1b5..ef737d0ed8fcb 100644 +--- a/tools/testing/selftests/kvm/aarch64/vgic_init.c ++++ b/tools/testing/selftests/kvm/aarch64/vgic_init.c +@@ -86,6 +86,18 @@ static struct vm_gic vm_gic_create_with_vcpus(uint32_t gic_dev_type, + return v; + } + ++static struct vm_gic vm_gic_create_barebones(uint32_t gic_dev_type) ++{ ++ struct vm_gic v; ++ ++ v.gic_dev_type = gic_dev_type; ++ v.vm = vm_create_barebones(); ++ v.gic_fd = kvm_create_device(v.vm, gic_dev_type); ++ ++ return v; ++} ++ ++ + static void vm_gic_destroy(struct vm_gic *v) + { + close(v->gic_fd); +@@ -359,6 +371,40 @@ static void test_vcpus_then_vgic(uint32_t gic_dev_type) + vm_gic_destroy(&v); + } + ++#define KVM_VGIC_V2_ATTR(offset, cpu) \ ++ (FIELD_PREP(KVM_DEV_ARM_VGIC_OFFSET_MASK, offset) | \ ++ FIELD_PREP(KVM_DEV_ARM_VGIC_CPUID_MASK, cpu)) ++ ++#define GIC_CPU_CTRL 0x00 ++ ++static void test_v2_uaccess_cpuif_no_vcpus(void) ++{ ++ struct vm_gic v; ++ u64 val = 0; ++ int ret; ++ ++ v = vm_gic_create_barebones(KVM_DEV_TYPE_ARM_VGIC_V2); ++ subtest_dist_rdist(&v); ++ ++ ret = __kvm_has_device_attr(v.gic_fd, KVM_DEV_ARM_VGIC_GRP_CPU_REGS, ++ KVM_VGIC_V2_ATTR(GIC_CPU_CTRL, 0)); ++ TEST_ASSERT(ret && errno == EINVAL, ++ "accessed non-existent CPU interface, want errno: %i", ++ EINVAL); ++ ret = __kvm_device_attr_get(v.gic_fd, KVM_DEV_ARM_VGIC_GRP_CPU_REGS, ++ KVM_VGIC_V2_ATTR(GIC_CPU_CTRL, 0), &val); ++ TEST_ASSERT(ret && errno == EINVAL, ++ "accessed non-existent CPU interface, want errno: %i", ++ EINVAL); ++ ret = __kvm_device_attr_set(v.gic_fd, KVM_DEV_ARM_VGIC_GRP_CPU_REGS, ++ KVM_VGIC_V2_ATTR(GIC_CPU_CTRL, 0), &val); ++ TEST_ASSERT(ret && errno == EINVAL, ++ "accessed non-existent CPU interface, want errno: %i", ++ EINVAL); ++ ++ vm_gic_destroy(&v); ++} ++ + static void test_v3_new_redist_regions(void) + { + struct kvm_vcpu *vcpus[NR_VCPUS]; +@@ -677,6 +723,9 @@ void run_tests(uint32_t gic_dev_type) + test_vcpus_then_vgic(gic_dev_type); + test_vgic_then_vcpus(gic_dev_type); + ++ if (VGIC_DEV_IS_V2(gic_dev_type)) ++ test_v2_uaccess_cpuif_no_vcpus(); ++ + if (VGIC_DEV_IS_V3(gic_dev_type)) { + test_v3_new_redist_regions(); + test_v3_typer_accesses(); +-- +2.43.0 + diff --git a/queue-6.1/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch b/queue-6.1/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch new file mode 100644 index 00000000000..d0c22d9f4b2 --- /dev/null +++ b/queue-6.1/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch @@ -0,0 +1,62 @@ +From eb0d6716aede7c5b3a7f56df82a051f4bcdc2d79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 08:59:05 +0800 +Subject: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit c2af060d1c18beaec56351cf9c9bcbbc5af341a3 ] + +The kcalloc() in dmirror_device_evict_chunk() will return null if the +physical memory has run out. As a result, if src_pfns or dst_pfns is +dereferenced, the null pointer dereference bug will happen. + +Moreover, the device is going away. If the kcalloc() fails, the pages +mapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in +kcalloc(). + +Finally, as there is no need to have physically contiguous memory, Switch +kcalloc() to kvcalloc() in order to avoid failing allocations. + +Link: https://lkml.kernel.org/r/20240312005905.9939-1-duoming@zju.edu.cn +Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM") +Signed-off-by: Duoming Zhou +Cc: Jérôme Glisse +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/test_hmm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/test_hmm.c b/lib/test_hmm.c +index 67e6f83fe0f82..be50a1fdba70b 100644 +--- a/lib/test_hmm.c ++++ b/lib/test_hmm.c +@@ -1232,8 +1232,8 @@ static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk) + unsigned long *src_pfns; + unsigned long *dst_pfns; + +- src_pfns = kcalloc(npages, sizeof(*src_pfns), GFP_KERNEL); +- dst_pfns = kcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL); ++ src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL); ++ dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL); + + migrate_device_range(src_pfns, start_pfn, npages); + for (i = 0; i < npages; i++) { +@@ -1256,8 +1256,8 @@ static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk) + } + migrate_device_pages(src_pfns, dst_pfns, npages); + migrate_device_finalize(src_pfns, dst_pfns, npages); +- kfree(src_pfns); +- kfree(dst_pfns); ++ kvfree(src_pfns); ++ kvfree(dst_pfns); + } + + /* Removes free pages from the free list so they can't be re-allocated */ +-- +2.43.0 + diff --git a/queue-6.1/libbpf-fix-error-message-in-attach_kprobe_multi.patch b/queue-6.1/libbpf-fix-error-message-in-attach_kprobe_multi.patch new file mode 100644 index 00000000000..e64488f2d95 --- /dev/null +++ b/queue-6.1/libbpf-fix-error-message-in-attach_kprobe_multi.patch @@ -0,0 +1,37 @@ +From be7200a58bb5e32f6eb29a4b4da86edca753de0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 09:55:41 +0200 +Subject: libbpf: Fix error message in attach_kprobe_multi + +From: Jiri Olsa + +[ Upstream commit 7c13ef16e87ac2e44d16c0468b1191bceb06f95c ] + +We just failed to retrieve pattern, so we need to print spec instead. + +Fixes: ddc6b04989eb ("libbpf: Add bpf_program__attach_kprobe_multi_opts function") +Reported-by: Andrii Nakryiko +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240502075541.1425761-2-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index c71d4d0f5c6f3..bb27dfd6b97a7 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -10417,7 +10417,7 @@ static int attach_kprobe_multi(const struct bpf_program *prog, long cookie, stru + + n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &pattern); + if (n < 1) { +- pr_warn("kprobe multi pattern is invalid: %s\n", pattern); ++ pr_warn("kprobe multi pattern is invalid: %s\n", spec); + return -EINVAL; + } + +-- +2.43.0 + diff --git a/queue-6.1/loongarch-lately-init-pmu-after-smp-is-online.patch b/queue-6.1/loongarch-lately-init-pmu-after-smp-is-online.patch new file mode 100644 index 00000000000..3d853feefc3 --- /dev/null +++ b/queue-6.1/loongarch-lately-init-pmu-after-smp-is-online.patch @@ -0,0 +1,40 @@ +From cd26219a8d45c87f0adc85225f10984346b8fb32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 22:17:52 +0800 +Subject: LoongArch: Lately init pmu after smp is online + +From: Bibo Mao + +[ Upstream commit f3334ebb8a2a1841c2824594dd992e66de19deb2 ] + +There is an smp function call named reset_counters() to init PMU +registers of every CPU in PMU initialization state. It requires that all +CPUs are online. However there is an early_initcall() wrapper for the +PMU init funciton init_hw_perf_events(), so that pmu init funciton is +called in do_pre_smp_initcalls() which before function smp_init(). +Function reset_counters() cannot work on other CPUs since they haven't +boot up still. + +Here replace the wrapper early_initcall() with pure_initcall(), so that +the PMU init function is called after every cpu is online. + +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/perf_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/loongarch/kernel/perf_event.c b/arch/loongarch/kernel/perf_event.c +index 3a2edb157b65a..1563bf47f3e2c 100644 +--- a/arch/loongarch/kernel/perf_event.c ++++ b/arch/loongarch/kernel/perf_event.c +@@ -884,4 +884,4 @@ static int __init init_hw_perf_events(void) + + return 0; + } +-early_initcall(init_hw_perf_events); ++pure_initcall(init_hw_perf_events); +-- +2.43.0 + diff --git a/queue-6.1/m68k-fix-spinlock-race-in-kernel-thread-creation.patch b/queue-6.1/m68k-fix-spinlock-race-in-kernel-thread-creation.patch new file mode 100644 index 00000000000..bc8851225f4 --- /dev/null +++ b/queue-6.1/m68k-fix-spinlock-race-in-kernel-thread-creation.patch @@ -0,0 +1,77 @@ +From cf16ce0ce3421693ba4e327ae2f0f02a8ee7bebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 15:36:31 +1200 +Subject: m68k: Fix spinlock race in kernel thread creation + +From: Michael Schmitz + +[ Upstream commit da89ce46f02470ef08f0f580755d14d547da59ed ] + +Context switching does take care to retain the correct lock owner across +the switch from 'prev' to 'next' tasks. This does rely on interrupts +remaining disabled for the entire duration of the switch. + +This condition is guaranteed for normal process creation and context +switching between already running processes, because both 'prev' and +'next' already have interrupts disabled in their saved copies of the +status register. + +The situation is different for newly created kernel threads. The status +register is set to PS_S in copy_thread(), which does leave the IPL at 0. +Upon restoring the 'next' thread's status register in switch_to() aka +resume(), interrupts then become enabled prematurely. resume() then +returns via ret_from_kernel_thread() and schedule_tail() where run queue +lock is released (see finish_task_switch() and finish_lock_switch()). + +A timer interrupt calling scheduler_tick() before the lock is released +in finish_task_switch() will find the lock already taken, with the +current task as lock owner. This causes a spinlock recursion warning as +reported by Guenter Roeck. + +As far as I can ascertain, this race has been opened in commit +533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +but I haven't done a detailed study of kernel history so it may well +predate that commit. + +Interrupts cannot be disabled in the saved status register copy for +kernel threads (init will complain about interrupts disabled when +finally starting user space). Disable interrupts temporarily when +switching the tasks' register sets in resume(). + +Note that a simple oriw 0x700,%sr after restoring sr is not enough here +- this leaves enough of a race for the 'spinlock recursion' warning to +still be observed. + +Tested on ARAnyM and qemu (Quadra 800 emulation). + +Fixes: 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/07811b26-677c-4d05-aeb4-996cd880b789@roeck-us.net +Signed-off-by: Michael Schmitz +Tested-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240411033631.16335-1-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/entry.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 42879e6eb651d..1219318304b26 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -430,7 +430,9 @@ resume: + movec %a0,%dfc + + /* restore status register */ +- movew %a1@(TASK_THREAD+THREAD_SR),%sr ++ movew %a1@(TASK_THREAD+THREAD_SR),%d0 ++ oriw #0x0700,%d0 ++ movew %d0,%sr + + rts + +-- +2.43.0 + diff --git a/queue-6.1/m68k-mac-fix-reboot-hang-on-mac-iici.patch b/queue-6.1/m68k-mac-fix-reboot-hang-on-mac-iici.patch new file mode 100644 index 00000000000..e7328bf40fb --- /dev/null +++ b/queue-6.1/m68k-mac-fix-reboot-hang-on-mac-iici.patch @@ -0,0 +1,99 @@ +From e309bce1b874543d4b8eea1d3661675a717f3632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:31:12 +1000 +Subject: m68k: mac: Fix reboot hang on Mac IIci + +From: Finn Thain + +[ Upstream commit 265a3b322df9a973ff1fc63da70af456ab6ae1d6 ] + +Calling mac_reset() on a Mac IIci does reset the system, but what +follows is a POST failure that requires a manual reset to resolve. +Avoid that by using the 68030 asm implementation instead of the C +implementation. + +Apparently the SE/30 has a similar problem as it has used the asm +implementation since before git. This patch extends that solution to +other systems with a similar ROM. + +After this patch, the only systems still using the C implementation are +68040 systems where adb_type is either MAC_ADB_IOP or MAC_ADB_II. This +implies a 1 MiB Quadra ROM. + +This now includes the Quadra 900/950, which previously fell through to +the "should never get here" catch-all. + +Reported-and-tested-by: Stan Johnson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/480ebd1249d229c6dc1f3f1c6d599b8505483fd8.1714797072.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/misc.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c +index 4fab347917586..060394b00037d 100644 +--- a/arch/m68k/mac/misc.c ++++ b/arch/m68k/mac/misc.c +@@ -451,30 +451,18 @@ void mac_poweroff(void) + + void mac_reset(void) + { +- if (macintosh_config->adb_type == MAC_ADB_II && +- macintosh_config->ident != MAC_MODEL_SE30) { +- /* need ROMBASE in booter */ +- /* indeed, plus need to MAP THE ROM !! */ +- +- if (mac_bi_data.rombase == 0) +- mac_bi_data.rombase = 0x40800000; +- +- /* works on some */ +- rom_reset = (void *) (mac_bi_data.rombase + 0xa); +- +- local_irq_disable(); +- rom_reset(); + #ifdef CONFIG_ADB_CUDA +- } else if (macintosh_config->adb_type == MAC_ADB_EGRET || +- macintosh_config->adb_type == MAC_ADB_CUDA) { ++ if (macintosh_config->adb_type == MAC_ADB_EGRET || ++ macintosh_config->adb_type == MAC_ADB_CUDA) { + cuda_restart(); ++ } else + #endif + #ifdef CONFIG_ADB_PMU +- } else if (macintosh_config->adb_type == MAC_ADB_PB2) { ++ if (macintosh_config->adb_type == MAC_ADB_PB2) { + pmu_restart(); ++ } else + #endif +- } else if (CPU_IS_030) { +- ++ if (CPU_IS_030) { + /* 030-specific reset routine. The idea is general, but the + * specific registers to reset are '030-specific. Until I + * have a non-030 machine, I can't test anything else. +@@ -522,6 +510,18 @@ void mac_reset(void) + "jmp %/a0@\n\t" /* jump to the reset vector */ + ".chip 68k" + : : "r" (offset), "a" (rombase) : "a0"); ++ } else { ++ /* need ROMBASE in booter */ ++ /* indeed, plus need to MAP THE ROM !! */ ++ ++ if (mac_bi_data.rombase == 0) ++ mac_bi_data.rombase = 0x40800000; ++ ++ /* works on some */ ++ rom_reset = (void *)(mac_bi_data.rombase + 0xa); ++ ++ local_irq_disable(); ++ rom_reset(); + } + + /* should never get here */ +-- +2.43.0 + diff --git a/queue-6.1/macintosh-via-macii-fix-bug-sleeping-function-called.patch b/queue-6.1/macintosh-via-macii-fix-bug-sleeping-function-called.patch new file mode 100644 index 00000000000..05006b1e436 --- /dev/null +++ b/queue-6.1/macintosh-via-macii-fix-bug-sleeping-function-called.patch @@ -0,0 +1,59 @@ +From 283cd1cea995740f23bdfbe672deb5dfd1dfd75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:53:41 +1100 +Subject: macintosh/via-macii: Fix "BUG: sleeping function called from invalid + context" + +From: Finn Thain + +[ Upstream commit d301a71c76ee4c384b4e03cdc320a55f5cf1df05 ] + +The via-macii ADB driver calls request_irq() after disabling hard +interrupts. But disabling interrupts isn't necessary here because the +VIA shift register interrupt was masked during VIA1 initialization. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/419fcc09d0e563b425c419053d02236b044d86b0.1710298421.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/macintosh/via-macii.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index db9270da5b8e9..b6ddf1d47cb4e 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -140,24 +140,19 @@ static int macii_probe(void) + /* Initialize the driver */ + static int macii_init(void) + { +- unsigned long flags; + int err; + +- local_irq_save(flags); +- + err = macii_init_via(); + if (err) +- goto out; ++ return err; + + err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", + macii_interrupt); + if (err) +- goto out; ++ return err; + + macii_state = idle; +-out: +- local_irq_restore(flags); +- return err; ++ return 0; + } + + /* initialize the hardware */ +-- +2.43.0 + diff --git a/queue-6.1/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch b/queue-6.1/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch new file mode 100644 index 00000000000..7f84f710faa --- /dev/null +++ b/queue-6.1/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch @@ -0,0 +1,93 @@ +From 1932632d9703b9c8e43da6a84f6883742ad654a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 14:58:24 +0800 +Subject: md: fix resync softlockup when bitmap size is less than array size + +From: Yu Kuai + +[ Upstream commit f0e729af2eb6bee9eb58c4df1087f14ebaefe26b ] + +Is is reported that for dm-raid10, lvextend + lvchange --syncaction will +trigger following softlockup: + +kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] +CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 +RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 +Call Trace: + + md_bitmap_start_sync+0x6b/0xf0 + raid10_sync_request+0x25c/0x1b40 [raid10] + md_do_sync+0x64b/0x1020 + md_thread+0xa7/0x170 + kthread+0xcf/0x100 + ret_from_fork+0x30/0x50 + ret_from_fork_asm+0x1a/0x30 + +And the detailed process is as follows: + +md_do_sync + j = mddev->resync_min + while (j < max_sectors) + sectors = raid10_sync_request(mddev, j, &skipped) + if (!md_bitmap_start_sync(..., &sync_blocks)) + // md_bitmap_start_sync set sync_blocks to 0 + return sync_blocks + sectors_skippe; + // sectors = 0; + j += sectors; + // j never change + +Root cause is that commit 301867b1c168 ("md/raid10: check +slab-out-of-bounds in md_bitmap_get_counter") return early from +md_bitmap_get_counter(), without setting returned blocks. + +Fix this problem by always set returned blocks from +md_bitmap_get_counter"(), as it used to be. + +Noted that this patch just fix the softlockup problem in kernel, the +case that bitmap size doesn't match array size still need to be fixed. + +Fixes: 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") +Reported-and-tested-by: Nigel Croxon +Closes: https://lore.kernel.org/all/71ba5272-ab07-43ba-8232-d2da642acb4e@redhat.com/ +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240422065824.2516-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 5200bba63708e..9d8ac04c23462 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1352,7 +1352,7 @@ __acquires(bitmap->lock) + sector_t chunk = offset >> bitmap->chunkshift; + unsigned long page = chunk >> PAGE_COUNTER_SHIFT; + unsigned long pageoff = (chunk & PAGE_COUNTER_MASK) << COUNTER_BYTE_SHIFT; +- sector_t csize; ++ sector_t csize = ((sector_t)1) << bitmap->chunkshift; + int err; + + if (page >= bitmap->pages) { +@@ -1361,6 +1361,7 @@ __acquires(bitmap->lock) + * End-of-device while looking for a whole page or + * user set a huge number to sysfs bitmap_set_bits. + */ ++ *blocks = csize - (offset & (csize - 1)); + return NULL; + } + err = md_bitmap_checkpage(bitmap, page, create, 0); +@@ -1369,8 +1370,7 @@ __acquires(bitmap->lock) + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + + PAGE_COUNTER_SHIFT); +- else +- csize = ((sector_t)1) << bitmap->chunkshift; ++ + *blocks = csize - (offset & (csize - 1)); + + if (err < 0) +-- +2.43.0 + diff --git a/queue-6.1/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch b/queue-6.1/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..2c0d1ef8641 --- /dev/null +++ b/queue-6.1/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch @@ -0,0 +1,52 @@ +From 8cd7ac1090421587f680464caab3927aa2b33fc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 16:13:00 +0100 +Subject: media: atomisp: ssh_css: Fix a null-pointer dereference in + load_video_binaries + +From: Zhipeng Lu + +[ Upstream commit 3b621e9e9e148c0928ab109ac3d4b81487469acb ] + +The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() +is followed with a dereference of mycs->yuv_scaler_binary after the +following call chain: + +sh_css_pipe_load_binaries() + |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) + | + |-> sh_css_pipe_unload_binaries() + |-> unload_video_binaries() + +In unload_video_binaries(), it calls to ia_css_binary_unload with argument +&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the +same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer +dereference is triggered. + +Link: https://lore.kernel.org/r/20240118151303.3828292-1-alexious@zju.edu.cn + +Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") +Signed-off-by: Zhipeng Lu +Reviewed-by: Andy Shevchenko +Signed-off-by: Hans de Goede +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c +index da96aaffebc19..738c0d634ea90 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css.c ++++ b/drivers/staging/media/atomisp/pci/sh_css.c +@@ -4972,6 +4972,7 @@ static int load_video_binaries(struct ia_css_pipe *pipe) + sizeof(struct ia_css_binary), + GFP_KERNEL); + if (!mycs->yuv_scaler_binary) { ++ mycs->num_yuv_scaler = 0; + err = -ENOMEM; + return err; + } +-- +2.43.0 + diff --git a/queue-6.1/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch b/queue-6.1/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch new file mode 100644 index 00000000000..d67b72cda71 --- /dev/null +++ b/queue-6.1/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch @@ -0,0 +1,77 @@ +From 88b5035d63b7d4da1312022363d439897c714ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 14:40:27 -0300 +Subject: media: dt-bindings: ovti,ov2680: Fix the power supply names + +From: Fabio Estevam + +[ Upstream commit e2f6ea61b6f3e4ebbb7dff857eea6220c18cd17b ] + +The original .txt bindings had the OV2680 power supply names correct, +but the transition from .txt to yaml spelled them incorrectly. + +Fix the OV2680 power supply names as the original .txt bindings +as these are the names used by the OV2680 driver and in devicetree. + +Fixes: 57226cd8c8bf ("media: dt-bindings: ov2680: convert bindings to yaml") +Signed-off-by: Fabio Estevam +Reviewed-by: Rob Herring +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../bindings/media/i2c/ovti,ov2680.yaml | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml b/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml +index cf456f8d9ddcb..c87677f5e2a25 100644 +--- a/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml ++++ b/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml +@@ -37,15 +37,15 @@ properties: + active low. + maxItems: 1 + +- dovdd-supply: ++ DOVDD-supply: + description: + Definition of the regulator used as interface power supply. + +- avdd-supply: ++ AVDD-supply: + description: + Definition of the regulator used as analog power supply. + +- dvdd-supply: ++ DVDD-supply: + description: + Definition of the regulator used as digital power supply. + +@@ -59,9 +59,9 @@ required: + - reg + - clocks + - clock-names +- - dovdd-supply +- - avdd-supply +- - dvdd-supply ++ - DOVDD-supply ++ - AVDD-supply ++ - DVDD-supply + - reset-gpios + - port + +@@ -82,9 +82,9 @@ examples: + clock-names = "xvclk"; + reset-gpios = <&gpio1 3 GPIO_ACTIVE_LOW>; + +- dovdd-supply = <&sw2_reg>; +- dvdd-supply = <&sw2_reg>; +- avdd-supply = <®_peri_3p15v>; ++ DOVDD-supply = <&sw2_reg>; ++ DVDD-supply = <&sw2_reg>; ++ AVDD-supply = <®_peri_3p15v>; + + port { + ov2680_to_mipi: endpoint { +-- +2.43.0 + diff --git a/queue-6.1/media-ipu3-cio2-request-irq-earlier.patch b/queue-6.1/media-ipu3-cio2-request-irq-earlier.patch new file mode 100644 index 00000000000..13258c68e42 --- /dev/null +++ b/queue-6.1/media-ipu3-cio2-request-irq-earlier.patch @@ -0,0 +1,52 @@ +From 49c7aa3a23a334cda7491a5b3360201578d54484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 16:01:20 +0200 +Subject: media: ipu3-cio2: Request IRQ earlier + +From: Sakari Ailus + +[ Upstream commit a069f79bfa6ec1ea0744981ea8425c8a25322579 ] + +Call devm_request_irq() before registering the async notifier, as otherwise +it would be possible to use the device before the interrupts could be +delivered to the driver. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/intel/ipu3/ipu3-cio2-main.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c b/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c +index 1bbe58b24d99d..2ae7130880533 100644 +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c +@@ -1798,11 +1798,6 @@ static int cio2_pci_probe(struct pci_dev *pci_dev, + + v4l2_async_nf_init(&cio2->notifier); + +- /* Register notifier for subdevices we care */ +- r = cio2_parse_firmware(cio2); +- if (r) +- goto fail_clean_notifier; +- + r = devm_request_irq(dev, pci_dev->irq, cio2_irq, IRQF_SHARED, + CIO2_NAME, cio2); + if (r) { +@@ -1810,6 +1805,11 @@ static int cio2_pci_probe(struct pci_dev *pci_dev, + goto fail_clean_notifier; + } + ++ /* Register notifier for subdevices we care */ ++ r = cio2_parse_firmware(cio2); ++ if (r) ++ goto fail_clean_notifier; ++ + pm_runtime_put_noidle(dev); + pm_runtime_allow(dev); + +-- +2.43.0 + diff --git a/queue-6.1/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch b/queue-6.1/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch new file mode 100644 index 00000000000..b2a5e5caf6e --- /dev/null +++ b/queue-6.1/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch @@ -0,0 +1,40 @@ +From 659864752b9e40aa784684bc23e0c7bae2fca652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 14:15:53 +0300 +Subject: media: ngene: Add dvb_ca_en50221_init return value check + +From: Aleksandr Burakov + +[ Upstream commit 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 ] + +The return value of dvb_ca_en50221_init() is not checked here that may +cause undefined behavior in case of nonzero value return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 25aee3debe04 ("[media] Rename media/dvb as media/pci") +Signed-off-by: Aleksandr Burakov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ngene/ngene-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/ngene/ngene-core.c b/drivers/media/pci/ngene/ngene-core.c +index 7481f553f9595..24ec576dc3bff 100644 +--- a/drivers/media/pci/ngene/ngene-core.c ++++ b/drivers/media/pci/ngene/ngene-core.c +@@ -1488,7 +1488,9 @@ static int init_channel(struct ngene_channel *chan) + } + + if (dev->ci.en && (io & NGENE_IO_TSOUT)) { +- dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ ret = dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ if (ret != 0) ++ goto err; + set_transfer(chan, 1); + chan->dev->channel[2].DataFormatFlags = DF_SWAP32; + set_transfer(&chan->dev->channel[2], 1); +-- +2.43.0 + diff --git a/queue-6.1/media-radio-shark2-avoid-led_names-truncations.patch b/queue-6.1/media-radio-shark2-avoid-led_names-truncations.patch new file mode 100644 index 00000000000..887ed645bf3 --- /dev/null +++ b/queue-6.1/media-radio-shark2-avoid-led_names-truncations.patch @@ -0,0 +1,40 @@ +From 0301d84d89da5bc6434652f8df8e689eac474609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 14:50:24 +0000 +Subject: media: radio-shark2: Avoid led_names truncations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Ribalda + +[ Upstream commit 1820e16a3019b6258e6009d34432946a6ddd0a90 ] + +Increase the size of led_names so it can fit any valid v4l2 device name. + +Fixes: +drivers/media/radio/radio-shark2.c:197:17: warning: ‘%s’ directive output may be truncated writing up to 35 bytes into a region of size 32 [-Wformat-truncation=] + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/radio-shark2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c +index f1c5c0a6a335c..e3e6aa87fe081 100644 +--- a/drivers/media/radio/radio-shark2.c ++++ b/drivers/media/radio/radio-shark2.c +@@ -62,7 +62,7 @@ struct shark_device { + #ifdef SHARK_USE_LEDS + struct work_struct led_work; + struct led_classdev leds[NO_LEDS]; +- char led_names[NO_LEDS][32]; ++ char led_names[NO_LEDS][64]; + atomic_t brightness[NO_LEDS]; + unsigned long brightness_new; + #endif +-- +2.43.0 + diff --git a/queue-6.1/media-rcar-vin-work-around-wenum-compare-conditional.patch b/queue-6.1/media-rcar-vin-work-around-wenum-compare-conditional.patch new file mode 100644 index 00000000000..d6c19cac2ad --- /dev/null +++ b/queue-6.1/media-rcar-vin-work-around-wenum-compare-conditional.patch @@ -0,0 +1,47 @@ +From 7fd42ede0e446b52b8a9d6e344878baaa4f15ec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 14:33:46 +0100 +Subject: media: rcar-vin: work around -Wenum-compare-conditional warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 1a742c6010d136cb6c441a0f1dd2bfbfae3c4df2 ] + +clang-19 warns about mixing two enum types here: + +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-core.c:216:18: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] + +This one is intentional, and there is already a cast to work around another +warning, so address this by adding another cast. + +Fixes: 406bb586dec0 ("media: rcar-vin: Add r8a779a0 support") +Signed-off-by: Arnd Bergmann +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rcar-vin/rcar-vin.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-vin.h b/drivers/media/platform/renesas/rcar-vin/rcar-vin.h +index 1f94589d9ef14..0b144ed643791 100644 +--- a/drivers/media/platform/renesas/rcar-vin/rcar-vin.h ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-vin.h +@@ -58,7 +58,7 @@ enum rvin_isp_id { + + #define RVIN_REMOTES_MAX \ + (((unsigned int)RVIN_CSI_MAX) > ((unsigned int)RVIN_ISP_MAX) ? \ +- RVIN_CSI_MAX : RVIN_ISP_MAX) ++ (unsigned int)RVIN_CSI_MAX : (unsigned int)RVIN_ISP_MAX) + + /** + * enum rvin_dma_state - DMA states +-- +2.43.0 + diff --git a/queue-6.1/mlx5-stop-warning-for-64kb-pages.patch b/queue-6.1/mlx5-stop-warning-for-64kb-pages.patch new file mode 100644 index 00000000000..7a59b3fb42b --- /dev/null +++ b/queue-6.1/mlx5-stop-warning-for-64kb-pages.patch @@ -0,0 +1,57 @@ +From 927286ea8b27721606f62735d2d698229fa9bb72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:46 +0100 +Subject: mlx5: stop warning for 64KB pages + +From: Arnd Bergmann + +[ Upstream commit a5535e5336943b33689f558199366102387b7bbf ] + +When building with 64KB pages, clang points out that xsk->chunk_size +can never be PAGE_SIZE: + +drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c:19:22: error: result of comparison of constant 65536 with expression of type 'u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (xsk->chunk_size > PAGE_SIZE || + ~~~~~~~~~~~~~~~ ^ ~~~~~~~~~ + +In older versions of this code, using PAGE_SIZE was the only +possibility, so this would have never worked on 64KB page kernels, +but the patch apparently did not address this case completely. + +As Maxim Mikityanskiy suggested, 64KB chunks are really not all that +useful, so just shut up the warning by adding a cast. + +Fixes: 282c0c798f8e ("net/mlx5e: Allow XSK frames smaller than a page") +Link: https://lore.kernel.org/netdev/20211013150232.2942146-1-arnd@kernel.org/ +Link: https://lore.kernel.org/lkml/a7b27541-0ebb-4f2d-bd06-270a4d404613@app.fastmail.com/ +Signed-off-by: Arnd Bergmann +Acked-by: Maxim Mikityanskiy +Reviewed-by: Justin Stitt +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240328143051.1069575-9-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +index 81a567e172646..608d4253799de 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +@@ -28,8 +28,10 @@ bool mlx5e_validate_xsk_param(struct mlx5e_params *params, + struct mlx5e_xsk_param *xsk, + struct mlx5_core_dev *mdev) + { +- /* AF_XDP doesn't support frames larger than PAGE_SIZE. */ +- if (xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) { ++ /* AF_XDP doesn't support frames larger than PAGE_SIZE, ++ * and xsk->chunk_size is limited to 65535 bytes. ++ */ ++ if ((size_t)xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) { + mlx5_core_err(mdev, "XSK chunk size %u out of bounds [%u, %lu]\n", xsk->chunk_size, + MLX5E_MIN_XSK_CHUNK_SIZE, PAGE_SIZE); + return false; +-- +2.43.0 + diff --git a/queue-6.1/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch b/queue-6.1/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch new file mode 100644 index 00000000000..7b3a3001398 --- /dev/null +++ b/queue-6.1/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch @@ -0,0 +1,69 @@ +From 6f56f5e0ceb637c8bd43b107a2cef0a99046e1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 06:38:39 -0700 +Subject: mm/slub, kunit: Use inverted data to corrupt kmem cache + +From: Guenter Roeck + +[ Upstream commit b1080c667b3b2c8c38a7fa83ca5567124887abae ] + +Two failure patterns are seen randomly when running slub_kunit tests with +CONFIG_SLAB_FREELIST_RANDOM and CONFIG_SLAB_FREELIST_HARDENED enabled. + +Pattern 1: + # test_clobber_zone: pass:1 fail:0 skip:0 total:1 + ok 1 test_clobber_zone + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:72 + Expected 3 == slab_errors, but + slab_errors == 0 (0x0) + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:84 + Expected 2 == slab_errors, but + slab_errors == 0 (0x0) + # test_next_pointer: pass:0 fail:1 skip:0 total:1 + not ok 2 test_next_pointer + +In this case, test_next_pointer() overwrites p[s->offset], but the data +at p[s->offset] is already 0x12. + +Pattern 2: + ok 1 test_clobber_zone + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:72 + Expected 3 == slab_errors, but + slab_errors == 2 (0x2) + # test_next_pointer: pass:0 fail:1 skip:0 total:1 + not ok 2 test_next_pointer + +In this case, p[s->offset] has a value other than 0x12, but one of the +expected failures is nevertheless missing. + +Invert data instead of writing a fixed value to corrupt the cache data +structures to fix the problem. + +Fixes: 1f9f78b1b376 ("mm/slub, kunit: add a KUnit test for SLUB debugging functionality") +Cc: Oliver Glitta +Cc: Vlastimil Babka +CC: Daniel Latypov +Cc: Marco Elver +Signed-off-by: Guenter Roeck +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +--- + lib/slub_kunit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/slub_kunit.c b/lib/slub_kunit.c +index 7a0564d7cb7ae..9384747d90e5f 100644 +--- a/lib/slub_kunit.c ++++ b/lib/slub_kunit.c +@@ -39,7 +39,7 @@ static void test_next_pointer(struct kunit *test) + + ptr_addr = (unsigned long *)(p + s->offset); + tmp = *ptr_addr; +- p[s->offset] = 0x12; ++ p[s->offset] = ~p[s->offset]; + + /* + * Expecting three errors. +-- +2.43.0 + diff --git a/queue-6.1/mptcp-so_keepalive-fix-getsockopt-support.patch b/queue-6.1/mptcp-so_keepalive-fix-getsockopt-support.patch new file mode 100644 index 00000000000..14dbbc56cb6 --- /dev/null +++ b/queue-6.1/mptcp-so_keepalive-fix-getsockopt-support.patch @@ -0,0 +1,53 @@ +From 5a1434536b2acaa69fbc5b2e63c41bd3d99e7953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 18:13:25 -0700 +Subject: mptcp: SO_KEEPALIVE: fix getsockopt support + +From: Matthieu Baerts (NGI0) + +[ Upstream commit a65198136eaa15b74ee0abf73f12ef83d469a334 ] + +SO_KEEPALIVE support has to be set on each subflow: on each TCP socket, +where sk_prot->keepalive is defined. Technically, nothing has to be done +on the MPTCP socket. That's why mptcp_sol_socket_sync_intval() was +called instead of mptcp_sol_socket_intval(). + +Except that when nothing is done on the MPTCP socket, the +getsockopt(SO_KEEPALIVE), handled in net/core/sock.c:sk_getsockopt(), +will not know if SO_KEEPALIVE has been set on the different subflows or +not. + +The fix is simple: simply call mptcp_sol_socket_intval() which will end +up calling net/core/sock.c:sk_setsockopt() where the SOCK_KEEPOPEN flag +will be set, the one used in sk_getsockopt(). + +So now, getsockopt(SO_KEEPALIVE) on an MPTCP socket will return the same +value as the one previously set with setsockopt(SO_KEEPALIVE). + +Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORITY") +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20240514011335.176158-2-martineau@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/sockopt.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c +index 30374fd44228f..e59e46e07b5c9 100644 +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -179,8 +179,6 @@ static int mptcp_setsockopt_sol_socket_int(struct mptcp_sock *msk, int optname, + + switch (optname) { + case SO_KEEPALIVE: +- mptcp_sol_socket_sync_intval(msk, optname, val); +- return 0; + case SO_DEBUG: + case SO_MARK: + case SO_PRIORITY: +-- +2.43.0 + diff --git a/queue-6.1/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch b/queue-6.1/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch new file mode 100644 index 00000000000..4fbd8eae0d7 --- /dev/null +++ b/queue-6.1/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch @@ -0,0 +1,44 @@ +From 60d9436b89625f88a6a81deaed8494f2e52aa784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 19:34:24 +0200 +Subject: mtd: core: Report error if first mtd_otp_size() call fails in + mtd_otp_nvmem_add() + +From: Aapo Vienamo + +[ Upstream commit d44f0bbbd8d182debcce88bda55b05269f3d33d6 ] + +Jump to the error reporting code in mtd_otp_nvmem_add() if the +mtd_otp_size() call fails. Without this fix, the error is not logged. + +Signed-off-by: Aapo Vienamo +Reviewed-by: Mika Westerberg +Reviewed-by: Michael Walle +Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240313173425.1325790-2-aapo.vienamo@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index 24518e5e1b5e4..ad527bdbd4632 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -942,8 +942,10 @@ static int mtd_otp_nvmem_add(struct mtd_info *mtd) + + if (mtd->_get_user_prot_info && mtd->_read_user_prot_reg) { + size = mtd_otp_size(mtd, true); +- if (size < 0) +- return size; ++ if (size < 0) { ++ err = size; ++ goto err; ++ } + + if (size > 0) { + nvmem = mtd_otp_nvmem_register(mtd, "user-otp", size, +-- +2.43.0 + diff --git a/queue-6.1/mtd-rawnand-hynix-fixed-typo.patch b/queue-6.1/mtd-rawnand-hynix-fixed-typo.patch new file mode 100644 index 00000000000..6149e9bf097 --- /dev/null +++ b/queue-6.1/mtd-rawnand-hynix-fixed-typo.patch @@ -0,0 +1,43 @@ +From ba2e7b4bf44551a2f5fd9cc17f7934ba3389c749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:27:20 +0300 +Subject: mtd: rawnand: hynix: fixed typo + +From: Maxim Korotkov + +[ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ] + +The function hynix_nand_rr_init() should probably return an error code. +Judging by the usage, it seems that the return code is passed up +the call stack. +Right now, it always returns 0 and the function hynix_nand_cleanup() +in hynix_nand_init() has never been called. + +Found by RASU JSC and Linux Verification Center (linuxtesting.org) + +Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs") + +Signed-off-by: Maxim Korotkov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_hynix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/nand_hynix.c b/drivers/mtd/nand/raw/nand_hynix.c +index 0d4d4bbfdecea..49e36767d8f76 100644 +--- a/drivers/mtd/nand/raw/nand_hynix.c ++++ b/drivers/mtd/nand/raw/nand_hynix.c +@@ -402,7 +402,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip) + if (ret) + pr_warn("failed to initialize read-retry infrastructure"); + +- return 0; ++ return ret; + } + + static void hynix_nand_extract_oobsize(struct nand_chip *chip, +-- +2.43.0 + diff --git a/queue-6.1/net-add-pskb_may_pull_reason-helper.patch b/queue-6.1/net-add-pskb_may_pull_reason-helper.patch new file mode 100644 index 00000000000..ea5248dc683 --- /dev/null +++ b/queue-6.1/net-add-pskb_may_pull_reason-helper.patch @@ -0,0 +1,67 @@ +From b73f6f0e26a832f1d87f7d5740794cb6f4c69883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 18:47:06 +0000 +Subject: net: add pskb_may_pull_reason() helper + +From: Eric Dumazet + +[ Upstream commit 1fb2d41501f38192d8a19da585cd441cf8845697 ] + +pskb_may_pull() can fail for two different reasons. + +Provide pskb_may_pull_reason() helper to distinguish +between these reasons. + +It returns: + +SKB_NOT_DROPPED_YET : Success +SKB_DROP_REASON_PKT_TOO_SMALL : packet too small +SKB_DROP_REASON_NOMEM : skb->head could not be resized + +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Stable-dep-of: 8bd67ebb50c0 ("net: bridge: xmit: make sure we have at least eth header len bytes") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index cecd3b6bebb8b..2b54662048882 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2636,15 +2636,26 @@ void *skb_pull_data(struct sk_buff *skb, size_t len); + + void *__pskb_pull_tail(struct sk_buff *skb, int delta); + +-static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) ++static inline enum skb_drop_reason ++pskb_may_pull_reason(struct sk_buff *skb, unsigned int len) + { + DEBUG_NET_WARN_ON_ONCE(len > INT_MAX); + + if (likely(len <= skb_headlen(skb))) +- return true; ++ return SKB_NOT_DROPPED_YET; ++ + if (unlikely(len > skb->len)) +- return false; +- return __pskb_pull_tail(skb, len - skb_headlen(skb)) != NULL; ++ return SKB_DROP_REASON_PKT_TOO_SMALL; ++ ++ if (unlikely(!__pskb_pull_tail(skb, len - skb_headlen(skb)))) ++ return SKB_DROP_REASON_NOMEM; ++ ++ return SKB_NOT_DROPPED_YET; ++} ++ ++static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) ++{ ++ return pskb_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET; + } + + static inline void *pskb_pull(struct sk_buff *skb, unsigned int len) +-- +2.43.0 + diff --git a/queue-6.1/net-bridge-mst-fix-vlan-use-after-free.patch b/queue-6.1/net-bridge-mst-fix-vlan-use-after-free.patch new file mode 100644 index 00000000000..60cabc1f028 --- /dev/null +++ b/queue-6.1/net-bridge-mst-fix-vlan-use-after-free.patch @@ -0,0 +1,123 @@ +From 5f6707ff78aac2a6064f751d90a94bdb0d749fd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 14:06:27 +0300 +Subject: net: bridge: mst: fix vlan use-after-free + +From: Nikolay Aleksandrov + +[ Upstream commit 3a7c1661ae1383364cd6092d851f5e5da64d476b ] + +syzbot reported a suspicious rcu usage[1] in bridge's mst code. While +fixing it I noticed that nothing prevents a vlan to be freed while +walking the list from the same path (br forward delay timer). Fix the rcu +usage and also make sure we are not accessing freed memory by making +br_mst_vlan_set_state use rcu read lock. + +[1] + WARNING: suspicious RCU usage + 6.9.0-rc6-syzkaller #0 Not tainted + ----------------------------- + net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage! + ... + stack backtrace: + CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 + nbp_vlan_group net/bridge/br_private.h:1599 [inline] + br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 + br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 + br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 + call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 + expire_timers kernel/time/timer.c:1844 [inline] + __run_timers kernel/time/timer.c:2418 [inline] + __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429 + run_timer_base kernel/time/timer.c:2438 [inline] + run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 + __do_softirq+0x2c6/0x980 kernel/softirq.c:554 + invoke_softirq kernel/softirq.c:428 [inline] + __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] + sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 + + + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 + RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 + Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 + RSP: 0018:ffffc90013657100 EFLAGS: 00000206 + RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 + RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 + RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 + R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 + R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246 + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+fa04eb8a56fd923fc5d8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fa04eb8a56fd923fc5d8 +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_mst.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index ee680adcee179..3c66141d34d62 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -78,7 +78,7 @@ static void br_mst_vlan_set_state(struct net_bridge_port *p, struct net_bridge_v + { + struct net_bridge_vlan_group *vg = nbp_vlan_group(p); + +- if (v->state == state) ++ if (br_vlan_get_state(v) == state) + return; + + br_vlan_set_state(v, state); +@@ -100,11 +100,12 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, + }; + struct net_bridge_vlan_group *vg; + struct net_bridge_vlan *v; +- int err; ++ int err = 0; + ++ rcu_read_lock(); + vg = nbp_vlan_group(p); + if (!vg) +- return 0; ++ goto out; + + /* MSTI 0 (CST) state changes are notified via the regular + * SWITCHDEV_ATTR_ID_PORT_STP_STATE. +@@ -112,17 +113,20 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, + if (msti) { + err = switchdev_port_attr_set(p->dev, &attr, extack); + if (err && err != -EOPNOTSUPP) +- return err; ++ goto out; + } + +- list_for_each_entry(v, &vg->vlan_list, vlist) { ++ err = 0; ++ list_for_each_entry_rcu(v, &vg->vlan_list, vlist) { + if (v->brvlan->msti != msti) + continue; + + br_mst_vlan_set_state(p, v, state); + } + +- return 0; ++out: ++ rcu_read_unlock(); ++ return err; + } + + static void br_mst_vlan_sync_state(struct net_bridge_vlan *pv, u16 msti) +-- +2.43.0 + diff --git a/queue-6.1/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch b/queue-6.1/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch new file mode 100644 index 00000000000..14d9f8cbc78 --- /dev/null +++ b/queue-6.1/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch @@ -0,0 +1,90 @@ +From ae75f462b68b1c61288b615c491f8e1dc6201ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:34:19 +0300 +Subject: net: bridge: xmit: make sure we have at least eth header len bytes + +From: Nikolay Aleksandrov + +[ Upstream commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc ] + +syzbot triggered an uninit value[1] error in bridge device's xmit path +by sending a short (less than ETH_HLEN bytes) skb. To fix it check if +we can actually pull that amount instead of assuming. + +Tested with dropwatch: + drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) + origin: software + timestamp: Mon May 13 11:31:53 2024 778214037 nsec + protocol: 0x88a8 + length: 2 + original length: 2 + drop reason: PKT_TOO_SMALL + +[1] +BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 + br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 + __netdev_start_xmit include/linux/netdevice.h:4903 [inline] + netdev_start_xmit include/linux/netdevice.h:4917 [inline] + xmit_one net/core/dev.c:3531 [inline] + dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 + __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 + dev_queue_xmit include/linux/netdevice.h:3091 [inline] + __bpf_tx_skb net/core/filter.c:2136 [inline] + __bpf_redirect_common net/core/filter.c:2180 [inline] + __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 + ____bpf_clone_redirect net/core/filter.c:2460 [inline] + bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 + ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 + __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 + bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] + __bpf_prog_run include/linux/filter.h:657 [inline] + bpf_prog_run include/linux/filter.h:664 [inline] + bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 + bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 + bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 + __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 + __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] + __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 + x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40 +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c +index b82906fc999a3..036ae99d09841 100644 +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -27,6 +27,7 @@ EXPORT_SYMBOL_GPL(nf_br_ops); + /* net device transmit always called with BH disabled */ + netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + { ++ enum skb_drop_reason reason = pskb_may_pull_reason(skb, ETH_HLEN); + struct net_bridge_mcast_port *pmctx_null = NULL; + struct net_bridge *br = netdev_priv(dev); + struct net_bridge_mcast *brmctx = &br->multicast_ctx; +@@ -38,6 +39,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + const unsigned char *dest; + u16 vid = 0; + ++ if (unlikely(reason != SKB_NOT_DROPPED_YET)) { ++ kfree_skb_reason(skb, reason); ++ return NETDEV_TX_OK; ++ } ++ + memset(skb->cb, 0, sizeof(struct br_input_skb_cb)); + + rcu_read_lock(); +-- +2.43.0 + diff --git a/queue-6.1/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch b/queue-6.1/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch new file mode 100644 index 00000000000..2cc7b4203ba --- /dev/null +++ b/queue-6.1/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch @@ -0,0 +1,234 @@ +From e253b20339ac53a5ed58e4b2d7e19c5bf030e51c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:47:48 +0200 +Subject: net: dsa: mv88e6xxx: Add support for model-specific pre- and + post-reset handlers + +From: Matthias Schiffer + +[ Upstream commit 0fdd27b9d6d7c60bd319d3497ad797934bab13cb ] + +Instead of calling mv88e6xxx_g2_eeprom_wait() directly from +mv88e6xxx_hardware_reset(), add configurable pre- and post-reset hard +reset handlers. Initially, the handlers are set to +mv88e6xxx_g2_eeprom_wait() for all families that have get/set_eeprom() +to match the existing behavior. No functional change intended (except +for additional error messages on failure). + +Fixes: 6ccf50d4d474 ("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") +Signed-off-by: Matthias Schiffer +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 50 +++++++++++++++++++++++++++++--- + drivers/net/dsa/mv88e6xxx/chip.h | 6 ++++ + 2 files changed, 52 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 517c50d11fbce..b59cdc850a07a 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3003,6 +3003,7 @@ static int mv88e6xxx_software_reset(struct mv88e6xxx_chip *chip) + static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + { + struct gpio_desc *gpiod = chip->reset; ++ int err; + + /* If there is a GPIO connected to the reset pin, toggle it */ + if (gpiod) { +@@ -3011,17 +3012,26 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + * mid-byte, causing the first EEPROM read after the reset + * from the wrong location resulting in the switch booting + * to wrong mode and inoperable. ++ * For this reason, switch families with EEPROM support ++ * generally wait for EEPROM loads to complete as their pre- ++ * and post-reset handlers. + */ +- if (chip->info->ops->get_eeprom) +- mv88e6xxx_g2_eeprom_wait(chip); ++ if (chip->info->ops->hardware_reset_pre) { ++ err = chip->info->ops->hardware_reset_pre(chip); ++ if (err) ++ dev_err(chip->dev, "pre-reset error: %d\n", err); ++ } + + gpiod_set_value_cansleep(gpiod, 1); + usleep_range(10000, 20000); + gpiod_set_value_cansleep(gpiod, 0); + usleep_range(10000, 20000); + +- if (chip->info->ops->get_eeprom) +- mv88e6xxx_g2_eeprom_wait(chip); ++ if (chip->info->ops->hardware_reset_post) { ++ err = chip->info->ops->hardware_reset_post(chip); ++ if (err) ++ dev_err(chip->dev, "post-reset error: %d\n", err); ++ } + } + } + +@@ -4339,6 +4349,8 @@ static const struct mv88e6xxx_ops mv88e6141_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4529,6 +4541,8 @@ static const struct mv88e6xxx_ops mv88e6172_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4630,6 +4644,8 @@ static const struct mv88e6xxx_ops mv88e6176_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4731,6 +4747,8 @@ static const struct mv88e6xxx_ops mv88e6190_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4794,6 +4812,8 @@ static const struct mv88e6xxx_ops mv88e6190x_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4855,6 +4875,8 @@ static const struct mv88e6xxx_ops mv88e6191_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4919,6 +4941,8 @@ static const struct mv88e6xxx_ops mv88e6240_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4977,6 +5001,8 @@ static const struct mv88e6xxx_ops mv88e6250_ops = { + .watchdog_ops = &mv88e6250_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6250_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5021,6 +5047,8 @@ static const struct mv88e6xxx_ops mv88e6290_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5085,6 +5113,8 @@ static const struct mv88e6xxx_ops mv88e6320_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5129,6 +5159,8 @@ static const struct mv88e6xxx_ops mv88e6321_ops = { + .set_egress_port = mv88e6095_g1_set_egress_port, + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5177,6 +5209,8 @@ static const struct mv88e6xxx_ops mv88e6341_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5333,6 +5367,8 @@ static const struct mv88e6xxx_ops mv88e6352_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5400,6 +5436,8 @@ static const struct mv88e6xxx_ops mv88e6390_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5467,6 +5505,8 @@ static const struct mv88e6xxx_ops mv88e6390x_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5537,6 +5577,8 @@ static const struct mv88e6xxx_ops mv88e6393x_ops = { + .watchdog_ops = &mv88e6393x_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6393x_port_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h +index 97a47d8743fd3..b34e96e689d5c 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.h ++++ b/drivers/net/dsa/mv88e6xxx/chip.h +@@ -458,6 +458,12 @@ struct mv88e6xxx_ops { + int (*ppu_enable)(struct mv88e6xxx_chip *chip); + int (*ppu_disable)(struct mv88e6xxx_chip *chip); + ++ /* Additional handlers to run before and after hard reset, to make sure ++ * that the switch and EEPROM are in a good state. ++ */ ++ int (*hardware_reset_pre)(struct mv88e6xxx_chip *chip); ++ int (*hardware_reset_post)(struct mv88e6xxx_chip *chip); ++ + /* Switch Software Reset */ + int (*reset)(struct mv88e6xxx_chip *chip); + +-- +2.43.0 + diff --git a/queue-6.1/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch b/queue-6.1/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch new file mode 100644 index 00000000000..0fc29444ce5 --- /dev/null +++ b/queue-6.1/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch @@ -0,0 +1,173 @@ +From 6e632d1d83ddf97c15ec196bc3585cd9b32f6274 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:47:49 +0200 +Subject: net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on + 88E6250-family switches + +From: Matthias Schiffer + +[ Upstream commit e44894e2aa4eb311ceda134de8b6f51ff979211b ] + +88E6250-family switches have the quirk that the EEPROM Running flag can +get stuck at 1 when no EEPROM is connected, causing +mv88e6xxx_g2_eeprom_wait() to time out. We still want to wait for the +EEPROM however, to avoid interrupting a transfer and leaving the EEPROM +in an invalid state. + +The condition to wait for recommended by the hardware spec is the EEInt +flag, however this flag is cleared on read, so before the hardware reset, +is may have been cleared already even though the EEPROM has been read +successfully. + +For this reason, we revive the mv88e6xxx_g1_wait_eeprom_done() function +that was removed in commit 6ccf50d4d474 +("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") in a +slightly refactored form, and introduce a new +mv88e6xxx_g1_wait_eeprom_done_prereset() that additionally handles this +case by triggering another EEPROM reload that can be waited on. + +On other switch models without this quirk, mv88e6xxx_g2_eeprom_wait() is +kept, as it avoids the additional reload. + +Fixes: 6ccf50d4d474 ("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") +Signed-off-by: Matthias Schiffer +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 4 +- + drivers/net/dsa/mv88e6xxx/global1.c | 89 +++++++++++++++++++++++++++++ + drivers/net/dsa/mv88e6xxx/global1.h | 2 + + 3 files changed, 93 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index b59cdc850a07a..dc4ff8a6d0bf5 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -5001,8 +5001,8 @@ static const struct mv88e6xxx_ops mv88e6250_ops = { + .watchdog_ops = &mv88e6250_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, +- .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, +- .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_pre = mv88e6250_g1_wait_eeprom_done_prereset, ++ .hardware_reset_post = mv88e6xxx_g1_wait_eeprom_done, + .reset = mv88e6250_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +diff --git a/drivers/net/dsa/mv88e6xxx/global1.c b/drivers/net/dsa/mv88e6xxx/global1.c +index 964928285782c..83c6d1fab94ab 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.c ++++ b/drivers/net/dsa/mv88e6xxx/global1.c +@@ -75,6 +75,95 @@ static int mv88e6xxx_g1_wait_init_ready(struct mv88e6xxx_chip *chip) + return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_STS, bit, 1); + } + ++static int mv88e6250_g1_eeprom_reload(struct mv88e6xxx_chip *chip) ++{ ++ /* MV88E6185_G1_CTL1_RELOAD_EEPROM is also valid for 88E6250 */ ++ int bit = __bf_shf(MV88E6185_G1_CTL1_RELOAD_EEPROM); ++ u16 val; ++ int err; ++ ++ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_CTL1, &val); ++ if (err) ++ return err; ++ ++ val |= MV88E6185_G1_CTL1_RELOAD_EEPROM; ++ ++ err = mv88e6xxx_g1_write(chip, MV88E6XXX_G1_CTL1, val); ++ if (err) ++ return err; ++ ++ return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_CTL1, bit, 0); ++} ++ ++/* Returns 0 when done, -EBUSY when waiting, other negative codes on error */ ++static int mv88e6xxx_g1_is_eeprom_done(struct mv88e6xxx_chip *chip) ++{ ++ u16 val; ++ int err; ++ ++ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_STS, &val); ++ if (err < 0) { ++ dev_err(chip->dev, "Error reading status"); ++ return err; ++ } ++ ++ /* If the switch is still resetting, it may not ++ * respond on the bus, and so MDIO read returns ++ * 0xffff. Differentiate between that, and waiting for ++ * the EEPROM to be done by bit 0 being set. ++ */ ++ if (val == 0xffff || !(val & BIT(MV88E6XXX_G1_STS_IRQ_EEPROM_DONE))) ++ return -EBUSY; ++ ++ return 0; ++} ++ ++/* As the EEInt (EEPROM done) flag clears on read if the status register, this ++ * function must be called directly after a hard reset or EEPROM ReLoad request, ++ * or the done condition may have been missed ++ */ ++int mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip) ++{ ++ const unsigned long timeout = jiffies + 1 * HZ; ++ int ret; ++ ++ /* Wait up to 1 second for the switch to finish reading the ++ * EEPROM. ++ */ ++ while (time_before(jiffies, timeout)) { ++ ret = mv88e6xxx_g1_is_eeprom_done(chip); ++ if (ret != -EBUSY) ++ return ret; ++ } ++ ++ dev_err(chip->dev, "Timeout waiting for EEPROM done"); ++ return -ETIMEDOUT; ++} ++ ++int mv88e6250_g1_wait_eeprom_done_prereset(struct mv88e6xxx_chip *chip) ++{ ++ int ret; ++ ++ ret = mv88e6xxx_g1_is_eeprom_done(chip); ++ if (ret != -EBUSY) ++ return ret; ++ ++ /* Pre-reset, we don't know the state of the switch - when ++ * mv88e6xxx_g1_is_eeprom_done() returns -EBUSY, that may be because ++ * the switch is actually busy reading the EEPROM, or because ++ * MV88E6XXX_G1_STS_IRQ_EEPROM_DONE has been cleared by an unrelated ++ * status register read already. ++ * ++ * To account for the latter case, trigger another EEPROM reload for ++ * another chance at seeing the done flag. ++ */ ++ ret = mv88e6250_g1_eeprom_reload(chip); ++ if (ret) ++ return ret; ++ ++ return mv88e6xxx_g1_wait_eeprom_done(chip); ++} ++ + /* Offset 0x01: Switch MAC Address Register Bytes 0 & 1 + * Offset 0x02: Switch MAC Address Register Bytes 2 & 3 + * Offset 0x03: Switch MAC Address Register Bytes 4 & 5 +diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h +index 04b57a21f7868..f3c0b8ab6461b 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.h ++++ b/drivers/net/dsa/mv88e6xxx/global1.h +@@ -281,6 +281,8 @@ int mv88e6xxx_g1_set_switch_mac(struct mv88e6xxx_chip *chip, u8 *addr); + int mv88e6185_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6352_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6250_g1_reset(struct mv88e6xxx_chip *chip); ++int mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip); ++int mv88e6250_g1_wait_eeprom_done_prereset(struct mv88e6xxx_chip *chip); + + int mv88e6185_g1_ppu_enable(struct mv88e6xxx_chip *chip); + int mv88e6185_g1_ppu_disable(struct mv88e6xxx_chip *chip); +-- +2.43.0 + diff --git a/queue-6.1/net-ethernet-cortina-locking-fixes.patch b/queue-6.1/net-ethernet-cortina-locking-fixes.patch new file mode 100644 index 00000000000..dc26bb2f88f --- /dev/null +++ b/queue-6.1/net-ethernet-cortina-locking-fixes.patch @@ -0,0 +1,86 @@ +From 7e3f52b77b1973adb774d2da593cba157bbde6cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:44:54 +0200 +Subject: net: ethernet: cortina: Locking fixes + +From: Linus Walleij + +[ Upstream commit 812552808f7ff71133fc59768cdc253c5b8ca1bf ] + +This fixes a probably long standing problem in the Cortina +Gemini ethernet driver: there are some paths in the code +where the IRQ registers are written without taking the proper +locks. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Linus Walleij +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509-gemini-ethernet-locking-v1-1-afd00a528b95@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 7c0b0bc033c9c..19fb8c4caab87 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1108,10 +1108,13 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + { + struct gemini_ethernet_port *port = netdev_priv(netdev); + struct gemini_ethernet *geth = port->geth; ++ unsigned long flags; + u32 val, mask; + + netdev_dbg(netdev, "%s device %d\n", __func__, netdev->dev_id); + ++ spin_lock_irqsave(&geth->irq_lock, flags); ++ + mask = GMAC0_IRQ0_TXQ0_INTS << (6 * netdev->dev_id + txq); + + if (en) +@@ -1120,6 +1123,8 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + val = readl(geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); + val = en ? val | mask : val & ~mask; + writel(val, geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); ++ ++ spin_unlock_irqrestore(&geth->irq_lock, flags); + } + + static void gmac_tx_irq(struct net_device *netdev, unsigned int txq_num) +@@ -1426,15 +1431,19 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget) + union gmac_rxdesc_3 word3; + struct page *page = NULL; + unsigned int page_offs; ++ unsigned long flags; + unsigned short r, w; + union dma_rwptr rw; + dma_addr_t mapping; + int frag_nr = 0; + ++ spin_lock_irqsave(&geth->irq_lock, flags); + rw.bits32 = readl(ptr_reg); + /* Reset interrupt as all packages until here are taken into account */ + writel(DEFAULT_Q0_INT_BIT << netdev->dev_id, + geth->base + GLOBAL_INTERRUPT_STATUS_1_REG); ++ spin_unlock_irqrestore(&geth->irq_lock, flags); ++ + r = rw.bits.rptr; + w = rw.bits.wptr; + +@@ -1737,10 +1746,9 @@ static irqreturn_t gmac_irq(int irq, void *data) + gmac_update_hw_stats(netdev); + + if (val & (GMAC0_RX_OVERRUN_INT_BIT << (netdev->dev_id * 8))) { ++ spin_lock(&geth->irq_lock); + writel(GMAC0_RXDERR_INT_BIT << (netdev->dev_id * 8), + geth->base + GLOBAL_INTERRUPT_STATUS_4_REG); +- +- spin_lock(&geth->irq_lock); + u64_stats_update_begin(&port->ir_stats_syncp); + ++port->stats.rx_fifo_errors; + u64_stats_update_end(&port->ir_stats_syncp); +-- +2.43.0 + diff --git a/queue-6.1/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch b/queue-6.1/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch new file mode 100644 index 00000000000..048ea99c55a --- /dev/null +++ b/queue-6.1/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch @@ -0,0 +1,163 @@ +From c4ca2c7a491d1fde445bb2cf42c404d850bbfa14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:07 +0200 +Subject: net: export inet_lookup_reuseport and inet6_lookup_reuseport + +From: Lorenz Bauer + +[ Upstream commit ce796e60b3b196b61fcc565df195443cbb846ef0 ] + +Rename the existing reuseport helpers for IPv4 and IPv6 so that they +can be invoked in the follow up commit. Export them so that building +DCCP and IPv6 as a module works. + +No change in functionality. + +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-3-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 7 +++++++ + include/net/inet_hashtables.h | 5 +++++ + net/ipv4/inet_hashtables.c | 15 ++++++++------- + net/ipv6/inet6_hashtables.c | 19 ++++++++++--------- + 4 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index 56f1286583d3c..032ddab48f8f8 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -48,6 +48,13 @@ struct sock *__inet6_lookup_established(struct net *net, + const u16 hnum, const int dif, + const int sdif); + ++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ const struct in6_addr *saddr, ++ __be16 sport, ++ const struct in6_addr *daddr, ++ unsigned short hnum); ++ + struct sock *inet6_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, + struct sk_buff *skb, int doff, +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index 99bd823e97f62..8734f3488f5d0 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -379,6 +379,11 @@ struct sock *__inet_lookup_established(struct net *net, + const __be32 daddr, const u16 hnum, + const int dif, const int sdif); + ++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ __be32 saddr, __be16 sport, ++ __be32 daddr, unsigned short hnum); ++ + static inline struct sock * + inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo, + const __be32 saddr, const __be16 sport, +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 0ad25e6783ac7..eb8da8d113fe2 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -338,10 +338,10 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, int doff, +- __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) ++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ __be32 saddr, __be16 sport, ++ __be32 daddr, unsigned short hnum) + { + struct sock *reuse_sk = NULL; + u32 phash; +@@ -352,6 +352,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, + } + return reuse_sk; + } ++EXPORT_SYMBOL_GPL(inet_lookup_reuseport); + + /* + * Here are some nice properties to exploit here. The BSD API +@@ -375,8 +376,8 @@ static struct sock *inet_lhash2_lookup(struct net *net, + sk_nulls_for_each_rcu(sk, node, &ilb2->nulls_head) { + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { +- result = lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ result = inet_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum); + if (result) + return result; + +@@ -405,7 +406,7 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index b64b49012655e..b7c56867314ed 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -111,12 +111,12 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, int doff, +- const struct in6_addr *saddr, +- __be16 sport, +- const struct in6_addr *daddr, +- unsigned short hnum) ++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ const struct in6_addr *saddr, ++ __be16 sport, ++ const struct in6_addr *daddr, ++ unsigned short hnum) + { + struct sock *reuse_sk = NULL; + u32 phash; +@@ -127,6 +127,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, + } + return reuse_sk; + } ++EXPORT_SYMBOL_GPL(inet6_lookup_reuseport); + + /* called with rcu_read_lock() */ + static struct sock *inet6_lhash2_lookup(struct net *net, +@@ -143,8 +144,8 @@ static struct sock *inet6_lhash2_lookup(struct net *net, + sk_nulls_for_each_rcu(sk, node, &ilb2->nulls_head) { + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { +- result = lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ result = inet6_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum); + if (result) + return result; + +@@ -175,7 +176,7 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); + if (reuse_sk) + sk = reuse_sk; + return sk; +-- +2.43.0 + diff --git a/queue-6.1/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch b/queue-6.1/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch new file mode 100644 index 00000000000..16cb2b5cd43 --- /dev/null +++ b/queue-6.1/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch @@ -0,0 +1,54 @@ +From 57c1224207e5dacf30a5827dc112f2cbc1545f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 06:42:22 +0000 +Subject: net: give more chances to rcu in netdev_wait_allrefs_any() + +From: Eric Dumazet + +[ Upstream commit cd42ba1c8ac9deb9032add6adf491110e7442040 ] + +This came while reviewing commit c4e86b4363ac ("net: add two more +call_rcu_hurry()"). + +Paolo asked if adding one synchronize_rcu() would help. + +While synchronize_rcu() does not help, making sure to call +rcu_barrier() before msleep(wait) is definitely helping +to make sure lazy call_rcu() are completed. + +Instead of waiting ~100 seconds in my tests, the ref_tracker +splats occurs one time only, and netdev_wait_allrefs_any() +latency is reduced to the strict minimum. + +Ideally we should audit our call_rcu() users to make sure +no refcount (or cascading call_rcu()) is held too long, +because rcu_barrier() is quite expensive. + +Fixes: 0e4be9e57e8c ("net: use exponential backoff in netdev_wait_allrefs") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/all/28bbf698-befb-42f6-b561-851c67f464aa@kernel.org/T/#m76d73ed6b03cd930778ac4d20a777f22a08d6824 +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 65284eeec7de5..20d8b9195ef60 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -10300,8 +10300,9 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list) + rebroadcast_time = jiffies; + } + ++ rcu_barrier(); ++ + if (!wait) { +- rcu_barrier(); + wait = WAIT_REFS_MIN_MSECS; + } else { + msleep(wait); +-- +2.43.0 + diff --git a/queue-6.1/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch b/queue-6.1/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch new file mode 100644 index 00000000000..905f905bc66 --- /dev/null +++ b/queue-6.1/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch @@ -0,0 +1,41 @@ +From 57a69dd4f5acc489fffec8903c3b4cefd766e4a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 17:19:17 +0800 +Subject: net: ipv6: fix wrong start position when receive hop-by-hop fragment + +From: gaoxingwang + +[ Upstream commit 1cd354fe1e4864eeaff62f66ee513080ec946f20 ] + +In IPv6, ipv6_rcv_core will parse the hop-by-hop type extension header and increase skb->transport_header by one extension header length. +But if there are more other extension headers like fragment header at this time, the skb->transport_header points to the second extension header, +not the transport layer header or the first extension header. + +This will result in the start and nexthdrp variable not pointing to the same position in ipv6frag_thdr_trunced, +and ipv6_skip_exthdr returning incorrect offset and frag_off.Sometimes,the length of the last sharded packet is smaller than the calculated incorrect offset, resulting in packet loss. +We can use network header to offset and calculate the correct position to solve this problem. + +Fixes: 9d9e937b1c8b (ipv6/netfilter: Discard first fragment not including all headers) +Signed-off-by: Gao Xingwang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/reassembly.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index ff866f2a879e0..32ba4417eb1de 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -364,7 +364,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + * the source of the fragment, with the Pointer field set to zero. + */ + nexthdr = hdr->nexthdr; +- if (ipv6frag_thdr_truncated(skb, skb_transport_offset(skb), &nexthdr)) { ++ if (ipv6frag_thdr_truncated(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr), &nexthdr)) { + __IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev), + IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch b/queue-6.1/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch new file mode 100644 index 00000000000..211cf9875fd --- /dev/null +++ b/queue-6.1/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch @@ -0,0 +1,156 @@ +From 69480f0ea63e868274fcfc171d40a6077b47a69b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:50 +0300 +Subject: net/mlx5: Add a timeout to acquire the command queue semaphore + +From: Akiva Goldberger + +[ Upstream commit 485d65e1357123a697c591a5aeb773994b247ad7 ] + +Prevent forced completion handling on an entry that has not yet been +assigned an index, causing an out of bounds access on idx = -22. +Instead of waiting indefinitely for the sem, blocking flow now waits for +index to be allocated or a sem acquisition timeout before beginning the +timer for FW completion. + +Kernel log example: +mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion + +Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free") +Signed-off-by: Akiva Goldberger +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240509112951.590184-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 41 +++++++++++++++---- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 33 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index ac6a0785b10d8..946923b9404fc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -964,19 +964,32 @@ static void cmd_work_handler(struct work_struct *work) + bool poll_cmd = ent->polling; + struct mlx5_cmd_layout *lay; + struct mlx5_core_dev *dev; +- unsigned long cb_timeout; +- struct semaphore *sem; ++ unsigned long timeout; + unsigned long flags; + int alloc_ret; + int cmd_mode; + ++ complete(&ent->handling); ++ + dev = container_of(cmd, struct mlx5_core_dev, cmd); +- cb_timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD)); ++ timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD)); + +- complete(&ent->handling); +- sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem; +- down(sem); + if (!ent->page_queue) { ++ if (down_timeout(&cmd->vars.sem, timeout)) { ++ mlx5_core_warn(dev, "%s(0x%x) timed out while waiting for a slot.\n", ++ mlx5_command_str(ent->op), ent->op); ++ if (ent->callback) { ++ ent->callback(-EBUSY, ent->context); ++ mlx5_free_cmd_msg(dev, ent->out); ++ free_msg(dev, ent->in); ++ cmd_ent_put(ent); ++ } else { ++ ent->ret = -EBUSY; ++ complete(&ent->done); ++ } ++ complete(&ent->slotted); ++ return; ++ } + alloc_ret = cmd_alloc_index(cmd, ent); + if (alloc_ret < 0) { + mlx5_core_err_rl(dev, "failed to allocate command entry\n"); +@@ -989,10 +1002,11 @@ static void cmd_work_handler(struct work_struct *work) + ent->ret = -EAGAIN; + complete(&ent->done); + } +- up(sem); ++ up(&cmd->vars.sem); + return; + } + } else { ++ down(&cmd->vars.pages_sem); + ent->idx = cmd->vars.max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); + clear_bit(ent->idx, &cmd->vars.bitmask); +@@ -1000,6 +1014,8 @@ static void cmd_work_handler(struct work_struct *work) + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + ++ complete(&ent->slotted); ++ + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +@@ -1018,7 +1034,7 @@ static void cmd_work_handler(struct work_struct *work) + ent->ts1 = ktime_get_ns(); + cmd_mode = cmd->mode; + +- if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, cb_timeout)) ++ if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, timeout)) + cmd_ent_get(ent); + set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + +@@ -1138,6 +1154,9 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + ent->ret = -ECANCELED; + goto out_err; + } ++ ++ wait_for_completion(&ent->slotted); ++ + if (cmd->mode == CMD_MODE_POLLING || ent->polling) + wait_for_completion(&ent->done); + else if (!wait_for_completion_timeout(&ent->done, timeout)) +@@ -1152,6 +1171,9 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + } else if (err == -ECANCELED) { + mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n", + mlx5_command_str(ent->op), ent->op); ++ } else if (err == -EBUSY) { ++ mlx5_core_warn(dev, "%s(0x%x) timeout while waiting for command semaphore.\n", ++ mlx5_command_str(ent->op), ent->op); + } + mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n", + err, deliv_status_to_str(ent->status), ent->status); +@@ -1203,6 +1225,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + ent->polling = force_polling; + + init_completion(&ent->handling); ++ init_completion(&ent->slotted); + if (!callback) + init_completion(&ent->done); + +@@ -1220,7 +1243,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + return 0; /* mlx5_cmd_comp_handler() will put(ent) */ + + err = wait_func(dev, ent); +- if (err == -ETIMEDOUT || err == -ECANCELED) ++ if (err == -ETIMEDOUT || err == -ECANCELED || err == -EBUSY) + goto out_free; + + ds = ent->ts2 - ent->ts1; +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 93ec34a94b724..1cae12185cf04 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -850,6 +850,7 @@ struct mlx5_cmd_work_ent { + void *context; + int idx; + struct completion handling; ++ struct completion slotted; + struct completion done; + struct mlx5_cmd *cmd; + struct work_struct work; +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-discard-command-completions-in-internal-err.patch b/queue-6.1/net-mlx5-discard-command-completions-in-internal-err.patch new file mode 100644 index 00000000000..2e092bdd47a --- /dev/null +++ b/queue-6.1/net-mlx5-discard-command-completions-in-internal-err.patch @@ -0,0 +1,75 @@ +From ec5197ea18df763431c145da5bd5077329928ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:51 +0300 +Subject: net/mlx5: Discard command completions in internal error + +From: Akiva Goldberger + +[ Upstream commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40 ] + +Fix use after free when FW completion arrives while device is in +internal error state. Avoid calling completion handler in this case, +since the device will flush the command interface and trigger all +completions manually. + +Kernel log: +------------[ cut here ]------------ +refcount_t: underflow; use-after-free. +... +RIP: 0010:refcount_warn_saturate+0xd8/0xe0 +... +Call Trace: + +? __warn+0x79/0x120 +? refcount_warn_saturate+0xd8/0xe0 +? report_bug+0x17c/0x190 +? handle_bug+0x3c/0x60 +? exc_invalid_op+0x14/0x70 +? asm_exc_invalid_op+0x16/0x20 +? refcount_warn_saturate+0xd8/0xe0 +cmd_ent_put+0x13b/0x160 [mlx5_core] +mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] +cmd_comp_notifier+0x1f/0x30 [mlx5_core] +notifier_call_chain+0x35/0xb0 +atomic_notifier_call_chain+0x16/0x20 +mlx5_eq_async_int+0xf6/0x290 [mlx5_core] +notifier_call_chain+0x35/0xb0 +atomic_notifier_call_chain+0x16/0x20 +irq_int_handler+0x19/0x30 [mlx5_core] +__handle_irq_event_percpu+0x4b/0x160 +handle_irq_event+0x2e/0x80 +handle_edge_irq+0x98/0x230 +__common_interrupt+0x3b/0xa0 +common_interrupt+0x7b/0xa0 + + +asm_common_interrupt+0x22/0x40 + +Fixes: 51d138c2610a ("net/mlx5: Fix health error state handling") +Signed-off-by: Akiva Goldberger +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240509112951.590184-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 946923b9404fc..465d2adbf3c00 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1632,6 +1632,9 @@ static int cmd_comp_notifier(struct notifier_block *nb, + dev = container_of(cmd, struct mlx5_core_dev, cmd); + eqe = data; + ++ if (dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) ++ return NOTIFY_DONE; ++ + mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector), false); + + return NOTIFY_OK; +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-fail-with-messages-when-params-are-not-val.patch b/queue-6.1/net-mlx5e-fail-with-messages-when-params-are-not-val.patch new file mode 100644 index 00000000000..efcc61547f7 --- /dev/null +++ b/queue-6.1/net-mlx5e-fail-with-messages-when-params-are-not-val.patch @@ -0,0 +1,96 @@ +From 18c2e97433aa7704aa0d81e30ac9e8be18273103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jan 2023 09:45:36 +0200 +Subject: net/mlx5e: Fail with messages when params are not valid for XSK + +From: Adham Faris + +[ Upstream commit 130b12079f3732babe2772314ab129bca0d8492f ] + +Current XSK prerequisites validation implementation +(setup.c/mlx5e_validate_xsk_param()) fails silently when xsk +prerequisites are not fulfilled. +Add error messages to the kernel log to help the user understand what +went wrong when params are not valid for XSK. + +Signed-off-by: Adham Faris +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Stable-dep-of: a5535e533694 ("mlx5: stop warning for 64KB pages") +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en/params.c | 9 +++++++-- + .../mellanox/mlx5/core/en/xsk/setup.c | 19 +++++++++++++++++-- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +index d3de1b7a80bf5..be7302aa6f864 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +@@ -581,11 +581,16 @@ int mlx5e_mpwrq_validate_xsk(struct mlx5_core_dev *mdev, struct mlx5e_params *pa + bool unaligned = xsk ? xsk->unaligned : false; + u16 max_mtu_pkts; + +- if (!mlx5e_check_fragmented_striding_rq_cap(mdev, page_shift, umr_mode)) ++ if (!mlx5e_check_fragmented_striding_rq_cap(mdev, page_shift, umr_mode)) { ++ mlx5_core_err(mdev, "Striding RQ for XSK can't be activated with page_shift %u and umr_mode %d\n", ++ page_shift, umr_mode); + return -EOPNOTSUPP; ++ } + +- if (!mlx5e_rx_mpwqe_is_linear_skb(mdev, params, xsk)) ++ if (!mlx5e_rx_mpwqe_is_linear_skb(mdev, params, xsk)) { ++ mlx5_core_err(mdev, "Striding RQ linear mode for XSK can't be activated with current params\n"); + return -EINVAL; ++ } + + /* Current RQ length is too big for the given frame size, the + * needed number of WQEs exceeds the maximum. +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +index ff03c43833bbf..81a567e172646 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +@@ -7,6 +7,18 @@ + #include "en/health.h" + #include + ++static int mlx5e_legacy_rq_validate_xsk(struct mlx5_core_dev *mdev, ++ struct mlx5e_params *params, ++ struct mlx5e_xsk_param *xsk) ++{ ++ if (!mlx5e_rx_is_linear_skb(mdev, params, xsk)) { ++ mlx5_core_err(mdev, "Legacy RQ linear mode for XSK can't be activated with current params\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /* The limitation of 2048 can be altered, but shouldn't go beyond the minimal + * stride size of striding RQ. + */ +@@ -17,8 +29,11 @@ bool mlx5e_validate_xsk_param(struct mlx5e_params *params, + struct mlx5_core_dev *mdev) + { + /* AF_XDP doesn't support frames larger than PAGE_SIZE. */ +- if (xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) ++ if (xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) { ++ mlx5_core_err(mdev, "XSK chunk size %u out of bounds [%u, %lu]\n", xsk->chunk_size, ++ MLX5E_MIN_XSK_CHUNK_SIZE, PAGE_SIZE); + return false; ++ } + + /* frag_sz is different for regular and XSK RQs, so ensure that linear + * SKB mode is possible. +@@ -27,7 +42,7 @@ bool mlx5e_validate_xsk_param(struct mlx5e_params *params, + case MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ: + return !mlx5e_mpwrq_validate_xsk(mdev, params, xsk); + default: /* MLX5_WQ_TYPE_CYCLIC */ +- return mlx5e_rx_is_linear_skb(mdev, params, xsk); ++ return !mlx5e_legacy_rq_validate_xsk(mdev, params, xsk); + } + } + +-- +2.43.0 + diff --git a/queue-6.1/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch b/queue-6.1/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch new file mode 100644 index 00000000000..41eb6b85ef2 --- /dev/null +++ b/queue-6.1/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch @@ -0,0 +1,86 @@ +From 43c1dcfbaad1bda0f60f426db0efdbb84211ebc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 11:38:05 +0200 +Subject: net: openvswitch: fix overwriting ct original tuple for ICMPv6 + +From: Ilya Maximets + +[ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ] + +OVS_PACKET_CMD_EXECUTE has 3 main attributes: + - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. + - OVS_PACKET_ATTR_PACKET - Binary packet content. + - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. + +OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure +with the metadata like conntrack state, input port, recirculation id, +etc. Then the packet itself gets parsed to populate the rest of the +keys from the packet headers. + +Whenever the packet parsing code starts parsing the ICMPv6 header, it +first zeroes out fields in the key corresponding to Neighbor Discovery +information even if it is not an ND packet. + +It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares +the space between 'nd' and 'ct_orig' that holds the original tuple +conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. + +ND packets should not normally have conntrack state, so it's fine to +share the space, but normal ICMPv6 Echo packets or maybe other types of +ICMPv6 can have the state attached and it should not be overwritten. + +The issue results in all but the last 4 bytes of the destination +address being wiped from the original conntrack tuple leading to +incorrect packet matching and potentially executing wrong actions +in case this packet recirculates within the datapath or goes back +to userspace. + +ND fields should not be accessed in non-ND packets, so not clearing +them should be fine. Executing memset() only for actual ND packets to +avoid the issue. + +Initializing the whole thing before parsing is needed because ND packet +may not contain all the options. + +The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't +affect packets entering OVS datapath from network interfaces, because +in this case CT metadata is populated from skb after the packet is +already parsed. + +Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") +Reported-by: Antonin Bas +Closes: https://github.com/openvswitch/ovs-issues/issues/327 +Signed-off-by: Ilya Maximets +Acked-by: Aaron Conole +Acked-by: Eelco Chaudron +Link: https://lore.kernel.org/r/20240509094228.1035477-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index e20d1a9734175..78960a8a38925 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -558,7 +558,6 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + */ + key->tp.src = htons(icmp->icmp6_type); + key->tp.dst = htons(icmp->icmp6_code); +- memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); + + if (icmp->icmp6_code == 0 && + (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION || +@@ -567,6 +566,8 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + struct nd_msg *nd; + int offset; + ++ memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); ++ + /* In order to process neighbor discovery options, we need the + * entire packet. + */ +-- +2.43.0 + diff --git a/queue-6.1/net-qrtr-ns-fix-module-refcnt.patch b/queue-6.1/net-qrtr-ns-fix-module-refcnt.patch new file mode 100644 index 00000000000..fbfc1487931 --- /dev/null +++ b/queue-6.1/net-qrtr-ns-fix-module-refcnt.patch @@ -0,0 +1,83 @@ +From 7e8c4f52ac36a3665fa1f77097023f3e851075d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 10:31:46 -0700 +Subject: net: qrtr: ns: Fix module refcnt + +From: Chris Lew + +[ Upstream commit fd76e5ccc48f9f54eb44909dd7c0b924005f1582 ] + +The qrtr protocol core logic and the qrtr nameservice are combined into +a single module. Neither the core logic or nameservice provide much +functionality by themselves; combining the two into a single module also +prevents any possible issues that may stem from client modules loading +inbetween qrtr and the ns. + +Creating a socket takes two references to the module that owns the +socket protocol. Since the ns needs to create the control socket, this +creates a scenario where there are always two references to the qrtr +module. This prevents the execution of 'rmmod' for qrtr. + +To resolve this, forcefully put the module refcount for the socket +opened by the nameservice. + +Fixes: a365023a76f2 ("net: qrtr: combine nameservice into main module") +Reported-by: Jeffrey Hugo +Tested-by: Jeffrey Hugo +Signed-off-by: Chris Lew +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Jeffrey Hugo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/ns.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c +index 4a13b9f7abb44..3c513e7ca2d5c 100644 +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -807,6 +807,24 @@ int qrtr_ns_init(void) + if (ret < 0) + goto err_wq; + ++ /* As the qrtr ns socket owner and creator is the same module, we have ++ * to decrease the qrtr module reference count to guarantee that it ++ * remains zero after the ns socket is created, otherwise, executing ++ * "rmmod" command is unable to make the qrtr module deleted after the ++ * qrtr module is inserted successfully. ++ * ++ * However, the reference count is increased twice in ++ * sock_create_kern(): one is to increase the reference count of owner ++ * of qrtr socket's proto_ops struct; another is to increment the ++ * reference count of owner of qrtr proto struct. Therefore, we must ++ * decrement the module reference count twice to ensure that it keeps ++ * zero after server's listening socket is created. Of course, we ++ * must bump the module reference count twice as well before the socket ++ * is closed. ++ */ ++ module_put(qrtr_ns.sock->ops->owner); ++ module_put(qrtr_ns.sock->sk->sk_prot_creator->owner); ++ + return 0; + + err_wq: +@@ -821,6 +839,15 @@ void qrtr_ns_remove(void) + { + cancel_work_sync(&qrtr_ns.work); + destroy_workqueue(qrtr_ns.workqueue); ++ ++ /* sock_release() expects the two references that were put during ++ * qrtr_ns_init(). This function is only called during module remove, ++ * so try_stop_module() has already set the refcnt to 0. Use ++ * __module_get() instead of try_module_get() to successfully take two ++ * references. ++ */ ++ __module_get(qrtr_ns.sock->ops->owner); ++ __module_get(qrtr_ns.sock->sk->sk_prot_creator->owner); + sock_release(qrtr_ns.sock); + } + EXPORT_SYMBOL_GPL(qrtr_ns_remove); +-- +2.43.0 + diff --git a/queue-6.1/net-remove-duplicate-reuseport_lookup-functions.patch b/queue-6.1/net-remove-duplicate-reuseport_lookup-functions.patch new file mode 100644 index 00000000000..42860bbc929 --- /dev/null +++ b/queue-6.1/net-remove-duplicate-reuseport_lookup-functions.patch @@ -0,0 +1,365 @@ +From 75b8b88d0831ceba2fed6eb25b1a6c846c72cd2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:08 +0200 +Subject: net: remove duplicate reuseport_lookup functions + +From: Lorenz Bauer + +[ Upstream commit 0f495f7617229772403e683033abc473f0f0553c ] + +There are currently four copies of reuseport_lookup: one each for +(TCP, UDP)x(IPv4, IPv6). This forces us to duplicate all callers of +those functions as well. This is already the case for sk_lookup +helpers (inet,inet6,udp4,udp6)_lookup_run_bpf. + +There are two differences between the reuseport_lookup helpers: + +1. They call different hash functions depending on protocol +2. UDP reuseport_lookup checks that sk_state != TCP_ESTABLISHED + +Move the check for sk_state into the caller and use the INDIRECT_CALL +infrastructure to cut down the helpers to one per IP version. + +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-4-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 11 ++++++++- + include/net/inet_hashtables.h | 15 ++++++++----- + net/ipv4/inet_hashtables.c | 20 +++++++++++------ + net/ipv4/udp.c | 34 +++++++++++----------------- + net/ipv6/inet6_hashtables.c | 14 ++++++++---- + net/ipv6/udp.c | 41 +++++++++++++--------------------- + 6 files changed, 72 insertions(+), 63 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index 032ddab48f8f8..f89320b6fee31 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -48,12 +48,21 @@ struct sock *__inet6_lookup_established(struct net *net, + const u16 hnum, const int dif, + const int sdif); + ++typedef u32 (inet6_ehashfn_t)(const struct net *net, ++ const struct in6_addr *laddr, const u16 lport, ++ const struct in6_addr *faddr, const __be16 fport); ++ ++inet6_ehashfn_t inet6_ehashfn; ++ ++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn); ++ + struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + const struct in6_addr *saddr, + __be16 sport, + const struct in6_addr *daddr, +- unsigned short hnum); ++ unsigned short hnum, ++ inet6_ehashfn_t *ehashfn); + + struct sock *inet6_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index 8734f3488f5d0..ddfa2e67fdb51 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -379,10 +379,19 @@ struct sock *__inet_lookup_established(struct net *net, + const __be32 daddr, const u16 hnum, + const int dif, const int sdif); + ++typedef u32 (inet_ehashfn_t)(const struct net *net, ++ const __be32 laddr, const __u16 lport, ++ const __be32 faddr, const __be16 fport); ++ ++inet_ehashfn_t inet_ehashfn; ++ ++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn); ++ + struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum); ++ __be32 daddr, unsigned short hnum, ++ inet_ehashfn_t *ehashfn); + + static inline struct sock * + inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo, +@@ -453,10 +462,6 @@ static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo, + refcounted); + } + +-u32 inet6_ehashfn(const struct net *net, +- const struct in6_addr *laddr, const u16 lport, +- const struct in6_addr *faddr, const __be16 fport); +- + static inline void sk_daddr_set(struct sock *sk, __be32 addr) + { + sk->sk_daddr = addr; /* alias of inet_daddr */ +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index eb8da8d113fe2..321f509f23473 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -28,9 +28,9 @@ + #include + #include + +-static u32 inet_ehashfn(const struct net *net, const __be32 laddr, +- const __u16 lport, const __be32 faddr, +- const __be16 fport) ++u32 inet_ehashfn(const struct net *net, const __be32 laddr, ++ const __u16 lport, const __be32 faddr, ++ const __be16 fport) + { + static u32 inet_ehash_secret __read_mostly; + +@@ -39,6 +39,7 @@ static u32 inet_ehashfn(const struct net *net, const __be32 laddr, + return __inet_ehashfn(laddr, lport, faddr, fport, + inet_ehash_secret + net_hash_mix(net)); + } ++EXPORT_SYMBOL_GPL(inet_ehashfn); + + /* This function handles inet_sock, but also timewait and request sockets + * for IPv4/IPv6. +@@ -338,16 +339,20 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + ++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn); ++ + struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) ++ __be32 daddr, unsigned short hnum, ++ inet_ehashfn_t *ehashfn) + { + struct sock *reuse_sk = NULL; + u32 phash; + + if (sk->sk_reuseport) { +- phash = inet_ehashfn(net, daddr, hnum, saddr, sport); ++ phash = INDIRECT_CALL_2(ehashfn, udp_ehashfn, inet_ehashfn, ++ net, daddr, hnum, saddr, sport); + reuse_sk = reuseport_select_sock(sk, phash, skb, doff); + } + return reuse_sk; +@@ -377,7 +382,7 @@ static struct sock *inet_lhash2_lookup(struct net *net, + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { + result = inet_lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ saddr, sport, daddr, hnum, inet_ehashfn); + if (result) + return result; + +@@ -406,7 +411,8 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum, ++ inet_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 39fae7581d350..3dc4eaddb598a 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -400,9 +400,9 @@ static int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static u32 udp_ehashfn(const struct net *net, const __be32 laddr, +- const __u16 lport, const __be32 faddr, +- const __be16 fport) ++INDIRECT_CALLABLE_SCOPE ++u32 udp_ehashfn(const struct net *net, const __be32 laddr, const __u16 lport, ++ const __be32 faddr, const __be16 fport) + { + static u32 udp_ehash_secret __read_mostly; + +@@ -412,22 +412,6 @@ static u32 udp_ehashfn(const struct net *net, const __be32 laddr, + udp_ehash_secret + net_hash_mix(net)); + } + +-static struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, +- __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) +-{ +- struct sock *reuse_sk = NULL; +- u32 hash; +- +- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) { +- hash = udp_ehashfn(net, daddr, hnum, saddr, sport); +- reuse_sk = reuseport_select_sock(sk, hash, skb, +- sizeof(struct udphdr)); +- } +- return reuse_sk; +-} +- + /* called with rcu_read_lock() */ + static struct sock *udp4_lib_lookup2(struct net *net, + __be32 saddr, __be16 sport, +@@ -446,7 +430,14 @@ static struct sock *udp4_lib_lookup2(struct net *net, + daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; +- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ ++ if (sk->sk_state == TCP_ESTABLISHED) { ++ result = sk; ++ continue; ++ } ++ ++ result = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp_ehashfn); + if (!result) { + result = sk; + continue; +@@ -485,7 +476,8 @@ static struct sock *udp4_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index b7c56867314ed..3616225c89ef6 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -39,6 +39,7 @@ u32 inet6_ehashfn(const struct net *net, + return __inet6_ehashfn(lhash, lport, fhash, fport, + inet6_ehash_secret + net_hash_mix(net)); + } ++EXPORT_SYMBOL_GPL(inet6_ehashfn); + + /* + * Sockets in TCP_CLOSE state are _always_ taken out of the hash, so +@@ -111,18 +112,22 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + ++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn); ++ + struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + const struct in6_addr *saddr, + __be16 sport, + const struct in6_addr *daddr, +- unsigned short hnum) ++ unsigned short hnum, ++ inet6_ehashfn_t *ehashfn) + { + struct sock *reuse_sk = NULL; + u32 phash; + + if (sk->sk_reuseport) { +- phash = inet6_ehashfn(net, daddr, hnum, saddr, sport); ++ phash = INDIRECT_CALL_INET(ehashfn, udp6_ehashfn, inet6_ehashfn, ++ net, daddr, hnum, saddr, sport); + reuse_sk = reuseport_select_sock(sk, phash, skb, doff); + } + return reuse_sk; +@@ -145,7 +150,7 @@ static struct sock *inet6_lhash2_lookup(struct net *net, + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { + result = inet6_lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ saddr, sport, daddr, hnum, inet6_ehashfn); + if (result) + return result; + +@@ -176,7 +181,8 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum, inet6_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 504ea27d08fb0..6f270fda3cbe0 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -70,11 +70,12 @@ int udpv6_init_sock(struct sock *sk) + return 0; + } + +-static u32 udp6_ehashfn(const struct net *net, +- const struct in6_addr *laddr, +- const u16 lport, +- const struct in6_addr *faddr, +- const __be16 fport) ++INDIRECT_CALLABLE_SCOPE ++u32 udp6_ehashfn(const struct net *net, ++ const struct in6_addr *laddr, ++ const u16 lport, ++ const struct in6_addr *faddr, ++ const __be16 fport) + { + static u32 udp6_ehash_secret __read_mostly; + static u32 udp_ipv6_hash_secret __read_mostly; +@@ -159,24 +160,6 @@ static int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, +- const struct in6_addr *saddr, +- __be16 sport, +- const struct in6_addr *daddr, +- unsigned int hnum) +-{ +- struct sock *reuse_sk = NULL; +- u32 hash; +- +- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) { +- hash = udp6_ehashfn(net, daddr, hnum, saddr, sport); +- reuse_sk = reuseport_select_sock(sk, hash, skb, +- sizeof(struct udphdr)); +- } +- return reuse_sk; +-} +- + /* called with rcu_read_lock() */ + static struct sock *udp6_lib_lookup2(struct net *net, + const struct in6_addr *saddr, __be16 sport, +@@ -194,7 +177,14 @@ static struct sock *udp6_lib_lookup2(struct net *net, + daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; +- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ ++ if (sk->sk_state == TCP_ESTABLISHED) { ++ result = sk; ++ continue; ++ } ++ ++ result = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp6_ehashfn); + if (!result) { + result = sk; + continue; +@@ -234,7 +224,8 @@ static inline struct sock *udp6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp6_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +-- +2.43.0 + diff --git a/queue-6.1/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch b/queue-6.1/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch new file mode 100644 index 00000000000..3b7b0dd7bc2 --- /dev/null +++ b/queue-6.1/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch @@ -0,0 +1,108 @@ +From d2d005d3c2111898c06d2a9376026edf897fcd62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 13:12:07 +0200 +Subject: net: usb: qmi_wwan: add Telit FN920C04 compositions + +From: Daniele Palmas + +[ Upstream commit 0b8fe5bd73249dc20be2e88a12041f8920797b59 ] + +Add the following Telit FN920C04 compositions: + +0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 5 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a0 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a4 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a9 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 45a542659a814..d22ba63160b8d 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1367,6 +1367,9 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.43.0 + diff --git a/queue-6.1/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch b/queue-6.1/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..f25676b3d7a --- /dev/null +++ b/queue-6.1/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch @@ -0,0 +1,87 @@ +From d64c6cf9b2c2ecf6c474a34dc01b6415eb41e17b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 08:33:13 +0000 +Subject: net: usb: smsc95xx: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit d50729f1d60bca822ef6d9c1a5fb28d486bd7593 ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +v3: also fix a sparse error ( https://lore.kernel.org/oe-kbuild-all/202405091310.KvncIecx-lkp@intel.com/ ) +v2: leave the skb_trim() game because smsc95xx_rx_csum_offload() + needs the csum part. (Jakub) + While we are it, use get_unaligned() in smsc95xx_rx_csum_offload(). + +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Eric Dumazet +Cc: Steve Glendinning +Cc: UNGLinuxDriver@microchip.com +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509083313.2113832-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 2fa46baa589e5..cbea246664795 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1810,9 +1810,11 @@ static int smsc95xx_reset_resume(struct usb_interface *intf) + + static void smsc95xx_rx_csum_offload(struct sk_buff *skb) + { +- skb->csum = *(u16 *)(skb_tail_pointer(skb) - 2); ++ u16 *csum_ptr = (u16 *)(skb_tail_pointer(skb) - 2); ++ ++ skb->csum = (__force __wsum)get_unaligned(csum_ptr); + skb->ip_summed = CHECKSUM_COMPLETE; +- skb_trim(skb, skb->len - 2); ++ skb_trim(skb, skb->len - 2); /* remove csum */ + } + + static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) +@@ -1870,25 +1872,22 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(skb); + skb_trim(skb, skb->len - 4); /* remove fcs */ +- skb->truesize = size + sizeof(struct sk_buff); + + return 1; + } + +- ax_skb = skb_clone(skb, GFP_ATOMIC); ++ ax_skb = netdev_alloc_skb_ip_align(dev->net, size); + if (unlikely(!ax_skb)) { + netdev_warn(dev->net, "Error allocating skb\n"); + return 0; + } + +- ax_skb->len = size; +- ax_skb->data = packet; +- skb_set_tail_pointer(ax_skb, size); ++ skb_put(ax_skb, size); ++ memcpy(ax_skb->data, packet, size); + + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(ax_skb); + skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */ +- ax_skb->truesize = size + sizeof(struct sk_buff); + + usbnet_skb_return(dev, ax_skb); + } +-- +2.43.0 + diff --git a/queue-6.1/net-usb-sr9700-stop-lying-about-skb-truesize.patch b/queue-6.1/net-usb-sr9700-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..da2bc90db03 --- /dev/null +++ b/queue-6.1/net-usb-sr9700-stop-lying-about-skb-truesize.patch @@ -0,0 +1,59 @@ +From 4cea969d848298b36a023b061c5dbdfe0c487229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 14:39:39 +0000 +Subject: net: usb: sr9700: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 05417aa9c0c038da2464a0c504b9d4f99814a23b ] + +Some usb drivers set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240506143939.3673865-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 3164451e1010c..0a662e42ed965 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -421,19 +421,15 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + skb_pull(skb, 3); + skb->len = len; + skb_set_tail_pointer(skb, len); +- skb->truesize = len + sizeof(struct sk_buff); + return 2; + } + +- /* skb_clone is used for address align */ +- sr_skb = skb_clone(skb, GFP_ATOMIC); ++ sr_skb = netdev_alloc_skb_ip_align(dev->net, len); + if (!sr_skb) + return 0; + +- sr_skb->len = len; +- sr_skb->data = skb->data + 3; +- skb_set_tail_pointer(sr_skb, len); +- sr_skb->truesize = len + sizeof(struct sk_buff); ++ skb_put(sr_skb, len); ++ memcpy(sr_skb->data, skb->data + 3, len); + usbnet_skb_return(dev, sr_skb); + + skb_pull(skb, len + SR_RX_OVERHEAD); +-- +2.43.0 + diff --git a/queue-6.1/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch b/queue-6.1/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch new file mode 100644 index 00000000000..d4d9addf84a --- /dev/null +++ b/queue-6.1/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch @@ -0,0 +1,192 @@ +From 4470acbf88587fbd3c509bafcd0f2bb32634e123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:29:34 +0000 +Subject: netrom: fix possible dead-lock in nr_rt_ioctl() + +From: Eric Dumazet + +[ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ] + +syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1] + +Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node) + +[1] +WARNING: possible circular locking dependency detected +6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted +------------------------------------------------------ +syz-executor350/5129 is trying to acquire lock: + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + +but task is already holding lock: + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (nr_node_list_lock){+...}-{2:2}: + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_remove_node net/netrom/nr_route.c:299 [inline] + nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 + nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +-> #0 (&nr_node->node_lock){+...}-{2:2}: + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + + *** DEADLOCK *** + +1 lock held by syz-executor350/5129: + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +stack backtrace: +CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240515142934.3708038-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 70480869ad1c5..bd2b17b219ae9 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -285,22 +285,14 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, + return 0; + } + +-static inline void __nr_remove_node(struct nr_node *nr_node) ++static void nr_remove_node_locked(struct nr_node *nr_node) + { ++ lockdep_assert_held(&nr_node_list_lock); ++ + hlist_del_init(&nr_node->node_node); + nr_node_put(nr_node); + } + +-#define nr_remove_node_locked(__node) \ +- __nr_remove_node(__node) +- +-static void nr_remove_node(struct nr_node *nr_node) +-{ +- spin_lock_bh(&nr_node_list_lock); +- __nr_remove_node(nr_node); +- spin_unlock_bh(&nr_node_list_lock); +-} +- + static inline void __nr_remove_neigh(struct nr_neigh *nr_neigh) + { + hlist_del_init(&nr_neigh->neigh_node); +@@ -339,6 +331,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + return -EINVAL; + } + ++ spin_lock_bh(&nr_node_list_lock); + nr_node_lock(nr_node); + for (i = 0; i < nr_node->count; i++) { + if (nr_node->routes[i].neighbour == nr_neigh) { +@@ -352,7 +345,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node->count--; + + if (nr_node->count == 0) { +- nr_remove_node(nr_node); ++ nr_remove_node_locked(nr_node); + } else { + switch (i) { + case 0: +@@ -367,12 +360,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node_put(nr_node); + } + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + + return 0; + } + } + nr_neigh_put(nr_neigh); + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + nr_node_put(nr_node); + + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.1/nilfs2-fix-out-of-range-warning.patch b/queue-6.1/nilfs2-fix-out-of-range-warning.patch new file mode 100644 index 00000000000..a3c1cb3447b --- /dev/null +++ b/queue-6.1/nilfs2-fix-out-of-range-warning.patch @@ -0,0 +1,45 @@ +From f23a3f3cbbdbc50c475c85d0ba73039376e26619 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:44 +0100 +Subject: nilfs2: fix out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ] + +clang-14 points out that v_size is always smaller than a 64KB +page size if that is configured by the CPU architecture: + +fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (argv->v_size > PAGE_SIZE) + ~~~~~~~~~~~~ ^ ~~~~~~~~~ + +This is ok, so just shut up that warning with a cast. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org +Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl") +Acked-by: Ryusuke Konishi +Reviewed-by: Justin Stitt +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/nilfs2/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c +index ef9f9a2511b72..1d4d610bd82b5 100644 +--- a/fs/nilfs2/ioctl.c ++++ b/fs/nilfs2/ioctl.c +@@ -60,7 +60,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, + if (argv->v_nmembs == 0) + return 0; + +- if (argv->v_size > PAGE_SIZE) ++ if ((size_t)argv->v_size > PAGE_SIZE) + return -EINVAL; + + /* +-- +2.43.0 + diff --git a/queue-6.1/nilfs2-make-superblock-data-array-index-computation-.patch b/queue-6.1/nilfs2-make-superblock-data-array-index-computation-.patch new file mode 100644 index 00000000000..efedbfb56d3 --- /dev/null +++ b/queue-6.1/nilfs2-make-superblock-data-array-index-computation-.patch @@ -0,0 +1,73 @@ +From 3d2cdadba20db675bdbc1043ef7d4324771d8474 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 17:00:19 +0900 +Subject: nilfs2: make superblock data array index computation sparse friendly + +From: Ryusuke Konishi + +[ Upstream commit 91d743a9c8299de1fc1b47428d8bb4c85face00f ] + +Upon running sparse, "warning: dubious: x & !y" is output at an array +index calculation within nilfs_load_super_block(). + +The calculation is not wrong, but to eliminate the sparse warning, replace +it with an equivalent calculation. + +Also, add a comment to make it easier to understand what the unintuitive +array index calculation is doing and whether it's correct. + +Link: https://lkml.kernel.org/r/20240430080019.4242-3-konishi.ryusuke@gmail.com +Fixes: e339ad31f599 ("nilfs2: introduce secondary super block") +Signed-off-by: Ryusuke Konishi +Cc: Bart Van Assche +Cc: Jens Axboe +Cc: kernel test robot +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/the_nilfs.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index 71400496ed365..3e3c1d32da180 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -592,7 +592,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs, + struct nilfs_super_block **sbp = nilfs->ns_sbp; + struct buffer_head **sbh = nilfs->ns_sbh; + u64 sb2off, devsize = bdev_nr_bytes(nilfs->ns_bdev); +- int valid[2], swp = 0; ++ int valid[2], swp = 0, older; + + if (devsize < NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096) { + nilfs_err(sb, "device size too small"); +@@ -648,9 +648,25 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs, + if (swp) + nilfs_swap_super_block(nilfs); + ++ /* ++ * Calculate the array index of the older superblock data. ++ * If one has been dropped, set index 0 pointing to the remaining one, ++ * otherwise set index 1 pointing to the old one (including if both ++ * are the same). ++ * ++ * Divided case valid[0] valid[1] swp -> older ++ * ------------------------------------------------------------- ++ * Both SBs are invalid 0 0 N/A (Error) ++ * SB1 is invalid 0 1 1 0 ++ * SB2 is invalid 1 0 0 0 ++ * SB2 is newer 1 1 1 0 ++ * SB2 is older or the same 1 1 0 1 ++ */ ++ older = valid[1] ^ swp; ++ + nilfs->ns_sbwcount = 0; + nilfs->ns_sbwtime = le64_to_cpu(sbp[0]->s_wtime); +- nilfs->ns_prot_seq = le64_to_cpu(sbp[valid[1] & !swp]->s_last_seq); ++ nilfs->ns_prot_seq = le64_to_cpu(sbp[older]->s_last_seq); + *sbpp = sbp[0]; + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/null_blk-fix-missing-mutex_destroy-at-module-removal.patch b/queue-6.1/null_blk-fix-missing-mutex_destroy-at-module-removal.patch new file mode 100644 index 00000000000..dbfab7e65dd --- /dev/null +++ b/queue-6.1/null_blk-fix-missing-mutex_destroy-at-module-removal.patch @@ -0,0 +1,37 @@ +From 43e2870f51aff978333ec871338743d1111aa0d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 19:16:35 +0200 +Subject: null_blk: Fix missing mutex_destroy() at module removal + +From: Zhu Yanjun + +[ Upstream commit 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 ] + +When a mutex lock is not used any more, the function mutex_destroy +should be called to mark the mutex lock uninitialized. + +Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240425171635.4227-1-yanjun.zhu@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 959952e8ede38..b7a26a12dc656 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -2298,6 +2298,8 @@ static void __exit null_exit(void) + + if (g_queue_mode == NULL_Q_MQ && shared_tags) + blk_mq_free_tag_set(&tag_set); ++ ++ mutex_destroy(&lock); + } + + module_init(null_init); +-- +2.43.0 + diff --git a/queue-6.1/nvme-find-numa-distance-only-if-controller-has-valid.patch b/queue-6.1/nvme-find-numa-distance-only-if-controller-has-valid.patch new file mode 100644 index 00000000000..d26b1e8acb8 --- /dev/null +++ b/queue-6.1/nvme-find-numa-distance-only-if-controller-has-valid.patch @@ -0,0 +1,47 @@ +From b2e857933cd0c147d025de2090c119fa58c26920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 13:49:23 +0530 +Subject: nvme: find numa distance only if controller has valid numa id + +From: Nilay Shroff + +[ Upstream commit 863fe60ed27f2c85172654a63c5b827e72c8b2e6 ] + +On system where native nvme multipath is configured and iopolicy +is set to numa but the nvme controller numa node id is undefined +or -1 (NUMA_NO_NODE) then avoid calculating node distance for +finding optimal io path. In such case we may access numa distance +table with invalid index and that may potentially refer to incorrect +memory. So this patch ensures that if the nvme controller numa node +id is -1 then instead of calculating node distance for finding optimal +io path, we set the numa node distance of such controller to default 10 +(LOCAL_DISTANCE). + +Link: https://lore.kernel.org/all/20240413090614.678353-1-nilay@linux.ibm.com/ +Signed-off-by: Nilay Shroff +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index f96d330d39641..6cf0ce7aff678 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -213,7 +213,8 @@ static struct nvme_ns *__nvme_find_path(struct nvme_ns_head *head, int node) + if (nvme_path_is_disabled(ns)) + continue; + +- if (READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_NUMA) ++ if (ns->ctrl->numa_node != NUMA_NO_NODE && ++ READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_NUMA) + distance = node_distance(node, ns->ctrl->numa_node); + else + distance = LOCAL_DISTANCE; +-- +2.43.0 + diff --git a/queue-6.1/nvmet-auth-replace-pr_debug-with-pr_err-to-report-an.patch b/queue-6.1/nvmet-auth-replace-pr_debug-with-pr_err-to-report-an.patch new file mode 100644 index 00000000000..c2264244770 --- /dev/null +++ b/queue-6.1/nvmet-auth-replace-pr_debug-with-pr_err-to-report-an.patch @@ -0,0 +1,41 @@ +From e1b788abe4907f5fc1f11cda4370655b5e618bd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 11:48:42 +0200 +Subject: nvmet-auth: replace pr_debug() with pr_err() to report an error. + +From: Maurizio Lombardi + +[ Upstream commit 445f9119e70368ccc964575c2a6d3176966a9d65 ] + +In nvmet_auth_host_hash(), if a mismatch is detected in the hash length +the kernel should print an error. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/auth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c +index 1f7d492c4dc26..e900525b78665 100644 +--- a/drivers/nvme/target/auth.c ++++ b/drivers/nvme/target/auth.c +@@ -284,9 +284,9 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, + } + + if (shash_len != crypto_shash_digestsize(shash_tfm)) { +- pr_debug("%s: hash len mismatch (len %d digest %d)\n", +- __func__, shash_len, +- crypto_shash_digestsize(shash_tfm)); ++ pr_err("%s: hash len mismatch (len %d digest %d)\n", ++ __func__, shash_len, ++ crypto_shash_digestsize(shash_tfm)); + ret = -EINVAL; + goto out_free_tfm; + } +-- +2.43.0 + diff --git a/queue-6.1/nvmet-auth-return-the-error-code-to-the-nvmet_auth_h.patch b/queue-6.1/nvmet-auth-return-the-error-code-to-the-nvmet_auth_h.patch new file mode 100644 index 00000000000..3f15181bb3a --- /dev/null +++ b/queue-6.1/nvmet-auth-return-the-error-code-to-the-nvmet_auth_h.patch @@ -0,0 +1,38 @@ +From 01f6922d74ec653970a291289970e6294a4f7019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 11:48:41 +0200 +Subject: nvmet-auth: return the error code to the nvmet_auth_host_hash() + callers + +From: Maurizio Lombardi + +[ Upstream commit 46b8f9f74f6d500871985e22eb19560b21f3bc81 ] + +If the nvmet_auth_host_hash() function fails, the error code should +be returned to its callers. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c +index 4dcddcf95279b..1f7d492c4dc26 100644 +--- a/drivers/nvme/target/auth.c ++++ b/drivers/nvme/target/auth.c +@@ -368,7 +368,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, + kfree_sensitive(host_response); + out_free_tfm: + crypto_free_shash(shash_tfm); +- return 0; ++ return ret; + } + + int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response, +-- +2.43.0 + diff --git a/queue-6.1/nvmet-fix-nvme-status-code-when-namespace-is-disable.patch b/queue-6.1/nvmet-fix-nvme-status-code-when-namespace-is-disable.patch new file mode 100644 index 00000000000..67e44ab12bc --- /dev/null +++ b/queue-6.1/nvmet-fix-nvme-status-code-when-namespace-is-disable.patch @@ -0,0 +1,94 @@ +From 450e8faa206c8188703a170830cc12708639f1bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 12:25:40 +0300 +Subject: nvmet: fix nvme status code when namespace is disabled + +From: Sagi Grimberg + +[ Upstream commit 505363957fad35f7aed9a2b0d8dad73451a80fb5 ] + +If the user disabled a nvmet namespace, it is removed from the subsystem +namespaces list. When nvmet processes a command directed to an nsid that +was disabled, it cannot differentiate between a nsid that is disabled +vs. a non-existent namespace, and resorts to return NVME_SC_INVALID_NS +with the dnr bit set. + +This translates to a non-retryable status for the host, which translates +to a user error. We should expect disabled namespaces to not cause an +I/O error in a multipath environment. + +Address this by searching a configfs item for the namespace nvmet failed +to find, and if we found one, conclude that the namespace is disabled +(perhaps temporarily). Return NVME_SC_INTERNAL_PATH_ERROR in this case +and keep DNR bit cleared. + +Reported-by: Jirong Feng +Tested-by: Jirong Feng +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 13 +++++++++++++ + drivers/nvme/target/core.c | 5 ++++- + drivers/nvme/target/nvmet.h | 1 + + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index 73ae16059a1cb..b1f5fa45bb4ac 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -615,6 +615,19 @@ static struct configfs_attribute *nvmet_ns_attrs[] = { + NULL, + }; + ++bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid) ++{ ++ struct config_item *ns_item; ++ char name[4] = {}; ++ ++ if (sprintf(name, "%u", nsid) <= 0) ++ return false; ++ mutex_lock(&subsys->namespaces_group.cg_subsys->su_mutex); ++ ns_item = config_group_find_item(&subsys->namespaces_group, name); ++ mutex_unlock(&subsys->namespaces_group.cg_subsys->su_mutex); ++ return ns_item != NULL; ++} ++ + static void nvmet_ns_release(struct config_item *item) + { + struct nvmet_ns *ns = to_nvmet_ns(item); +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 3235baf7cc6b1..7b74926c50f9b 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -423,10 +423,13 @@ void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl) + u16 nvmet_req_find_ns(struct nvmet_req *req) + { + u32 nsid = le32_to_cpu(req->cmd->common.nsid); ++ struct nvmet_subsys *subsys = nvmet_req_subsys(req); + +- req->ns = xa_load(&nvmet_req_subsys(req)->namespaces, nsid); ++ req->ns = xa_load(&subsys->namespaces, nsid); + if (unlikely(!req->ns)) { + req->error_loc = offsetof(struct nvme_common_command, nsid); ++ if (nvmet_subsys_nsid_exists(subsys, nsid)) ++ return NVME_SC_INTERNAL_PATH_ERROR; + return NVME_SC_INVALID_NS | NVME_SC_DNR; + } + +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index 273cca49a040f..6aee0ce60a4ba 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -527,6 +527,7 @@ void nvmet_subsys_disc_changed(struct nvmet_subsys *subsys, + struct nvmet_host *host); + void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type, + u8 event_info, u8 log_page); ++bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid); + + #define NVMET_QUEUE_SIZE 1024 + #define NVMET_NR_QUEUES 128 +-- +2.43.0 + diff --git a/queue-6.1/nvmet-prevent-sprintf-overflow-in-nvmet_subsys_nsid_.patch b/queue-6.1/nvmet-prevent-sprintf-overflow-in-nvmet_subsys_nsid_.patch new file mode 100644 index 00000000000..d988d29eb97 --- /dev/null +++ b/queue-6.1/nvmet-prevent-sprintf-overflow-in-nvmet_subsys_nsid_.patch @@ -0,0 +1,49 @@ +From 56d8ccdfdeecbff45a88475b88c2d01d314d3c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:43:04 +0300 +Subject: nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists() + +From: Dan Carpenter + +[ Upstream commit d15dcd0f1a4753b57e66c64c8dc2a9779ff96aab ] + +The nsid value is a u32 that comes from nvmet_req_find_ns(). It's +endian data and we're on an error path and both of those raise red +flags. So let's make this safer. + +1) Make the buffer large enough for any u32. +2) Remove the unnecessary initialization. +3) Use snprintf() instead of sprintf() for even more safety. +4) The sprintf() function returns the number of bytes printed, not + counting the NUL terminator. It is impossible for the return value to + be <= 0 so delete that. + +Fixes: 505363957fad ("nvmet: fix nvme status code when namespace is disabled") +Signed-off-by: Dan Carpenter +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index b1f5fa45bb4ac..40c1c3db5d7cd 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -618,10 +618,9 @@ static struct configfs_attribute *nvmet_ns_attrs[] = { + bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid) + { + struct config_item *ns_item; +- char name[4] = {}; ++ char name[12]; + +- if (sprintf(name, "%u", nsid) <= 0) +- return false; ++ snprintf(name, sizeof(name), "%u", nsid); + mutex_lock(&subsys->namespaces_group.cg_subsys->su_mutex); + ns_item = config_group_find_item(&subsys->namespaces_group, name); + mutex_unlock(&subsys->namespaces_group.cg_subsys->su_mutex); +-- +2.43.0 + diff --git a/queue-6.1/nvmet-tcp-fix-possible-memory-leak-when-tearing-down.patch b/queue-6.1/nvmet-tcp-fix-possible-memory-leak-when-tearing-down.patch new file mode 100644 index 00000000000..df31d3f6ff7 --- /dev/null +++ b/queue-6.1/nvmet-tcp-fix-possible-memory-leak-when-tearing-down.patch @@ -0,0 +1,65 @@ +From 962a4efb0490a01facc8cca1dbda7389da7bf47a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 11:49:49 +0300 +Subject: nvmet-tcp: fix possible memory leak when tearing down a controller + +From: Sagi Grimberg + +[ Upstream commit 6825bdde44340c5a9121f6d6fa25cc885bd9e821 ] + +When we teardown the controller, we wait for pending I/Os to complete +(sq->ref on all queues to drop to zero) and then we go over the commands, +and free their command buffers in case they are still fetching data from +the host (e.g. processing nvme writes) and have yet to take a reference +on the sq. + +However, we may miss the case where commands have failed before executing +and are queued for sending a response, but will never occur because the +queue socket is already down. In this case we may miss deallocating command +buffers. + +Solve this by freeing all commands buffers as nvmet_tcp_free_cmd_buffers is +idempotent anyways. + +Reported-by: Yi Zhang +Tested-by: Yi Zhang +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 3480768274699..5556f55880411 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -297,6 +297,7 @@ static int nvmet_tcp_check_ddgst(struct nvmet_tcp_queue *queue, void *pdu) + return 0; + } + ++/* If cmd buffers are NULL, no operation is performed */ + static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) + { + kfree(cmd->iov); +@@ -1437,13 +1438,9 @@ static void nvmet_tcp_free_cmd_data_in_buffers(struct nvmet_tcp_queue *queue) + struct nvmet_tcp_cmd *cmd = queue->cmds; + int i; + +- for (i = 0; i < queue->nr_cmds; i++, cmd++) { +- if (nvmet_tcp_need_data_in(cmd)) +- nvmet_tcp_free_cmd_buffers(cmd); +- } +- +- if (!queue->nr_cmds && nvmet_tcp_need_data_in(&queue->connect)) +- nvmet_tcp_free_cmd_buffers(&queue->connect); ++ for (i = 0; i < queue->nr_cmds; i++, cmd++) ++ nvmet_tcp_free_cmd_buffers(cmd); ++ nvmet_tcp_free_cmd_buffers(&queue->connect); + } + + static void nvmet_tcp_release_queue_work(struct work_struct *w) +-- +2.43.0 + diff --git a/queue-6.1/openpromfs-finish-conversion-to-the-new-mount-api.patch b/queue-6.1/openpromfs-finish-conversion-to-the-new-mount-api.patch new file mode 100644 index 00000000000..ed64a53107e --- /dev/null +++ b/queue-6.1/openpromfs-finish-conversion-to-the-new-mount-api.patch @@ -0,0 +1,58 @@ +From a909d437bac574b42a938e9f60a469647413fae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 16:33:11 -0600 +Subject: openpromfs: finish conversion to the new mount API + +From: Eric Sandeen + +[ Upstream commit 8f27829974b025d4df2e78894105d75e3bf349f0 ] + +The original mount API conversion inexplicably left out the change +from ->remount_fs to ->reconfigure; do that now. + +Fixes: 7ab2fa7693c3 ("vfs: Convert openpromfs to use the new mount API") +Signed-off-by: Eric Sandeen +Link: https://lore.kernel.org/r/90b968aa-c979-420f-ba37-5acc3391b28f@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/openpromfs/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c +index f0b7f4d51a175..0a2b0b4a8361e 100644 +--- a/fs/openpromfs/inode.c ++++ b/fs/openpromfs/inode.c +@@ -355,10 +355,10 @@ static struct inode *openprom_iget(struct super_block *sb, ino_t ino) + return inode; + } + +-static int openprom_remount(struct super_block *sb, int *flags, char *data) ++static int openpromfs_reconfigure(struct fs_context *fc) + { +- sync_filesystem(sb); +- *flags |= SB_NOATIME; ++ sync_filesystem(fc->root->d_sb); ++ fc->sb_flags |= SB_NOATIME; + return 0; + } + +@@ -366,7 +366,6 @@ static const struct super_operations openprom_sops = { + .alloc_inode = openprom_alloc_inode, + .free_inode = openprom_free_inode, + .statfs = simple_statfs, +- .remount_fs = openprom_remount, + }; + + static int openprom_fill_super(struct super_block *s, struct fs_context *fc) +@@ -416,6 +415,7 @@ static int openpromfs_get_tree(struct fs_context *fc) + + static const struct fs_context_operations openpromfs_context_ops = { + .get_tree = openpromfs_get_tree, ++ .reconfigure = openpromfs_reconfigure, + }; + + static int openpromfs_init_fs_context(struct fs_context *fc) +-- +2.43.0 + diff --git a/queue-6.1/parisc-add-missing-export-of-__cmpxchg_u8.patch b/queue-6.1/parisc-add-missing-export-of-__cmpxchg_u8.patch new file mode 100644 index 00000000000..9f733692b12 --- /dev/null +++ b/queue-6.1/parisc-add-missing-export-of-__cmpxchg_u8.patch @@ -0,0 +1,36 @@ +From 62ab30493df4e53bc1a66fe72cb10c08e67e5c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 22:35:54 -0400 +Subject: parisc: add missing export of __cmpxchg_u8() + +From: Al Viro + +[ Upstream commit c57e5dccb06decf3cb6c272ab138c033727149b5 ] + +__cmpxchg_u8() had been added (initially) for the sake of +drivers/phy/ti/phy-tusb1210.c; the thing is, that drivers is +modular, so we need an export + +Fixes: b344d6a83d01 "parisc: add support for cmpxchg on u8 pointers" +Signed-off-by: Al Viro +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/parisc_ksyms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c +index 00297e8e1c888..317508493b81c 100644 +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -21,6 +21,7 @@ EXPORT_SYMBOL(memset); + #include + EXPORT_SYMBOL(__xchg8); + EXPORT_SYMBOL(__xchg32); ++EXPORT_SYMBOL(__cmpxchg_u8); + EXPORT_SYMBOL(__cmpxchg_u32); + EXPORT_SYMBOL(__cmpxchg_u64); + #ifdef CONFIG_SMP +-- +2.43.0 + diff --git a/queue-6.1/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch b/queue-6.1/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch new file mode 100644 index 00000000000..f5e5d7f2dbc --- /dev/null +++ b/queue-6.1/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch @@ -0,0 +1,95 @@ +From 1abdef69265133db29772ed5cefea2338f8ce173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 16:30:57 +0200 +Subject: platform/x86: xiaomi-wmi: Fix race condition when reporting key + events + +From: Armin Wolf + +[ Upstream commit 290680c2da8061e410bcaec4b21584ed951479af ] + +Multiple WMI events can be received concurrently, so multiple instances +of xiaomi_wmi_notify() can be active at the same time. Since the input +device is shared between those handlers, the key input sequence can be +disturbed. + +Fix this by protecting the key input sequence with a mutex. + +Compile-tested only. + +Fixes: edb73f4f0247 ("platform/x86: wmi: add Xiaomi WMI key driver") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20240402143059.8456-2-W_Armin@gmx.de +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/xiaomi-wmi.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/platform/x86/xiaomi-wmi.c b/drivers/platform/x86/xiaomi-wmi.c +index 54a2546bb93bf..be80f0bda9484 100644 +--- a/drivers/platform/x86/xiaomi-wmi.c ++++ b/drivers/platform/x86/xiaomi-wmi.c +@@ -2,8 +2,10 @@ + /* WMI driver for Xiaomi Laptops */ + + #include ++#include + #include + #include ++#include + #include + + #include +@@ -20,12 +22,21 @@ + + struct xiaomi_wmi { + struct input_dev *input_dev; ++ struct mutex key_lock; /* Protects the key event sequence */ + unsigned int key_code; + }; + ++static void xiaomi_mutex_destroy(void *data) ++{ ++ struct mutex *lock = data; ++ ++ mutex_destroy(lock); ++} ++ + static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context) + { + struct xiaomi_wmi *data; ++ int ret; + + if (wdev == NULL || context == NULL) + return -EINVAL; +@@ -35,6 +46,11 @@ static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context) + return -ENOMEM; + dev_set_drvdata(&wdev->dev, data); + ++ mutex_init(&data->key_lock); ++ ret = devm_add_action_or_reset(&wdev->dev, xiaomi_mutex_destroy, &data->key_lock); ++ if (ret < 0) ++ return ret; ++ + data->input_dev = devm_input_allocate_device(&wdev->dev); + if (data->input_dev == NULL) + return -ENOMEM; +@@ -59,10 +75,12 @@ static void xiaomi_wmi_notify(struct wmi_device *wdev, union acpi_object *dummy) + if (data == NULL) + return; + ++ mutex_lock(&data->key_lock); + input_report_key(data->input_dev, data->key_code, 1); + input_sync(data->input_dev); + input_report_key(data->input_dev, data->key_code, 0); + input_sync(data->input_dev); ++ mutex_unlock(&data->key_lock); + } + + static const struct wmi_device_id xiaomi_wmi_id_table[] = { +-- +2.43.0 + diff --git a/queue-6.1/powerpc-fsl-soc-hide-unused-const-variable.patch b/queue-6.1/powerpc-fsl-soc-hide-unused-const-variable.patch new file mode 100644 index 00000000000..882bf645f1e --- /dev/null +++ b/queue-6.1/powerpc-fsl-soc-hide-unused-const-variable.patch @@ -0,0 +1,48 @@ +From 7873e0fed5a7071b2e5b5b64d472f9743ba61fcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:19 +0200 +Subject: powerpc/fsl-soc: hide unused const variable + +From: Arnd Bergmann + +[ Upstream commit 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 ] + +vmpic_msi_feature is only used conditionally, which triggers a rare +-Werror=unused-const-variable= warning with gcc: + +arch/powerpc/sysdev/fsl_msi.c:567:37: error: 'vmpic_msi_feature' defined but not used [-Werror=unused-const-variable=] + 567 | static const struct fsl_msi_feature vmpic_msi_feature = + +Hide this one in the same #ifdef as the reference so we can turn on +the warning by default. + +Fixes: 305bcf26128e ("powerpc/fsl-soc: use CONFIG_EPAPR_PARAVIRT for hcalls") +Signed-off-by: Arnd Bergmann +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240403080702.3509288-2-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/fsl_msi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index 73c2d70706c0a..e50445c2656ac 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -567,10 +567,12 @@ static const struct fsl_msi_feature ipic_msi_feature = { + .msiir_offset = 0x38, + }; + ++#ifdef CONFIG_EPAPR_PARAVIRT + static const struct fsl_msi_feature vmpic_msi_feature = { + .fsl_pic_ip = FSL_PIC_IP_VMPIC, + .msiir_offset = 0, + }; ++#endif + + static const struct of_device_id fsl_of_msi_ids[] = { + { +-- +2.43.0 + diff --git a/queue-6.1/printk-let-no_printk-use-_printk.patch b/queue-6.1/printk-let-no_printk-use-_printk.patch new file mode 100644 index 00000000000..3b32a107163 --- /dev/null +++ b/queue-6.1/printk-let-no_printk-use-_printk.patch @@ -0,0 +1,55 @@ +From e31f8060ff623b7c7670440aeb6481a9f15d030c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 15:00:02 +0100 +Subject: printk: Let no_printk() use _printk() + +From: Geert Uytterhoeven + +[ Upstream commit 8522f6b760ca588928eede740d5d69dd1e936b49 ] + +When printk-indexing is enabled, each printk() invocation emits a +pi_entry structure, containing the format string and other information +related to its location in the kernel sources. This is even true for +no_printk(): while the actual code to print the message is optimized out +by the compiler due to the always-false check, the pi_entry structure is +still emitted. + +As the main purpose of no_printk() is to provide a helper to maintain +printf()-style format checking when debugging is disabled, this leads to +the inclusion in the index of lots of printk formats that cannot be +emitted by the current kernel. + +Fix this by switching no_printk() from printk() to _printk(). + +This reduces the size of an arm64 defconfig kernel with +CONFIG_PRINTK_INDEX=y by 576 KiB. + +Fixes: 337015573718b161 ("printk: Userspace format indexing support") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Andy Shevchenko +Reviewed-by: Xiubo Li +Reviewed-by: Chris Down +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/56cf92edccffea970e1f40a075334dd6cf5bb2a4.1709127473.git.geert+renesas@glider.be +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + include/linux/printk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/printk.h b/include/linux/printk.h +index 8c81806c2e99f..b1a12916f0361 100644 +--- a/include/linux/printk.h ++++ b/include/linux/printk.h +@@ -128,7 +128,7 @@ struct va_format { + #define no_printk(fmt, ...) \ + ({ \ + if (0) \ +- printk(fmt, ##__VA_ARGS__); \ ++ _printk(fmt, ##__VA_ARGS__); \ + 0; \ + }) + +-- +2.43.0 + diff --git a/queue-6.1/pwm-sti-convert-to-platform-remove-callback-returnin.patch b/queue-6.1/pwm-sti-convert-to-platform-remove-callback-returnin.patch new file mode 100644 index 00000000000..2f242a0e128 --- /dev/null +++ b/queue-6.1/pwm-sti-convert-to-platform-remove-callback-returnin.patch @@ -0,0 +1,65 @@ +From 98c77c245eca7316114bf04fc14af313e9b9f820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 19:54:38 +0100 +Subject: pwm: sti: Convert to platform remove callback returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit e13cec3617c6ace4fc389b60d2a7d5b305b62683 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Stable-dep-of: 5bb0b194aeee ("pwm: sti: Simplify probe function using devm functions") +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index 0a7920cbd4949..c782378dff5e5 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -677,7 +677,7 @@ static int sti_pwm_probe(struct platform_device *pdev) + return 0; + } + +-static int sti_pwm_remove(struct platform_device *pdev) ++static void sti_pwm_remove(struct platform_device *pdev) + { + struct sti_pwm_chip *pc = platform_get_drvdata(pdev); + +@@ -685,8 +685,6 @@ static int sti_pwm_remove(struct platform_device *pdev) + + clk_unprepare(pc->pwm_clk); + clk_unprepare(pc->cpt_clk); +- +- return 0; + } + + static const struct of_device_id sti_pwm_of_match[] = { +@@ -701,7 +699,7 @@ static struct platform_driver sti_pwm_driver = { + .of_match_table = sti_pwm_of_match, + }, + .probe = sti_pwm_probe, +- .remove = sti_pwm_remove, ++ .remove_new = sti_pwm_remove, + }; + module_platform_driver(sti_pwm_driver); + +-- +2.43.0 + diff --git a/queue-6.1/pwm-sti-prepare-removing-pwm_chip-from-driver-data.patch b/queue-6.1/pwm-sti-prepare-removing-pwm_chip-from-driver-data.patch new file mode 100644 index 00000000000..9363ca8d882 --- /dev/null +++ b/queue-6.1/pwm-sti-prepare-removing-pwm_chip-from-driver-data.patch @@ -0,0 +1,90 @@ +From f16a1f9a40a4ff282575eaacb7a639b38abb7aa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 10:32:38 +0100 +Subject: pwm: sti: Prepare removing pwm_chip from driver data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 54272761ce7c475fa30a31b59b0cb89f7652b39e ] + +This prepares the driver for further changes that will drop struct +pwm_chip chip from struct sti_pwm_chip. Use the pwm_chip as driver data +instead of the sti_pwm_chip to get access to the pwm_chip in +sti_pwm_remove() without using pc->chip. + +Link: https://lore.kernel.org/r/56d53372aacff6871df4d6c6779c9dac94592696.1707900770.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Stable-dep-of: 5bb0b194aeee ("pwm: sti: Simplify probe function using devm functions") +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index c782378dff5e5..8f7aff51787be 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -571,6 +571,7 @@ static int sti_pwm_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct sti_pwm_compat_data *cdata; ++ struct pwm_chip *chip; + struct sti_pwm_chip *pc; + unsigned int i; + int irq, ret; +@@ -578,6 +579,7 @@ static int sti_pwm_probe(struct platform_device *pdev) + pc = devm_kzalloc(dev, sizeof(*pc), GFP_KERNEL); + if (!pc) + return -ENOMEM; ++ chip = &pc->chip; + + cdata = devm_kzalloc(dev, sizeof(*cdata), GFP_KERNEL); + if (!cdata) +@@ -654,9 +656,9 @@ static int sti_pwm_probe(struct platform_device *pdev) + return -ENOMEM; + } + +- pc->chip.dev = dev; +- pc->chip.ops = &sti_pwm_ops; +- pc->chip.npwm = max(cdata->pwm_num_devs, cdata->cpt_num_devs); ++ chip->dev = dev; ++ chip->ops = &sti_pwm_ops; ++ chip->npwm = max(cdata->pwm_num_devs, cdata->cpt_num_devs); + + for (i = 0; i < cdata->cpt_num_devs; i++) { + struct sti_cpt_ddata *ddata = &cdata->ddata[i]; +@@ -665,23 +667,24 @@ static int sti_pwm_probe(struct platform_device *pdev) + mutex_init(&ddata->lock); + } + +- ret = pwmchip_add(&pc->chip); ++ ret = pwmchip_add(chip); + if (ret < 0) { + clk_unprepare(pc->pwm_clk); + clk_unprepare(pc->cpt_clk); + return ret; + } + +- platform_set_drvdata(pdev, pc); ++ platform_set_drvdata(pdev, chip); + + return 0; + } + + static void sti_pwm_remove(struct platform_device *pdev) + { +- struct sti_pwm_chip *pc = platform_get_drvdata(pdev); ++ struct pwm_chip *chip = platform_get_drvdata(pdev); ++ struct sti_pwm_chip *pc = to_sti_pwmchip(chip); + +- pwmchip_remove(&pc->chip); ++ pwmchip_remove(chip); + + clk_unprepare(pc->pwm_clk); + clk_unprepare(pc->cpt_clk); +-- +2.43.0 + diff --git a/queue-6.1/pwm-sti-simplify-probe-function-using-devm-functions.patch b/queue-6.1/pwm-sti-simplify-probe-function-using-devm-functions.patch new file mode 100644 index 00000000000..80fd2889598 --- /dev/null +++ b/queue-6.1/pwm-sti-simplify-probe-function-using-devm-functions.patch @@ -0,0 +1,115 @@ +From 02775bfb66aa220a2a832b1b5cf0483769e828e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Mar 2024 12:00:54 +0100 +Subject: pwm: sti: Simplify probe function using devm functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5bb0b194aeee5d5da6881232f4e9989b35957c25 ] + +Instead of of_clk_get_by_name() use devm_clk_get_prepared() which has +several advantages: + + - Combines getting the clock and a call to clk_prepare(). The latter + can be dropped from sti_pwm_probe() accordingly. + - Cares for calling clk_put() which is missing in both probe's error + path and the remove function. + - Cares for calling clk_unprepare() which can be dropped from the error + paths and the remove function. (Note that not all error path got this + right.) + +With additionally using devm_pwmchip_add() instead of pwmchip_add() the +remove callback can be dropped completely. With it the last user of +platform_get_drvdata() goes away and so platform_set_drvdata() can be +dropped from the probe function, too. + +Fixes: 378fe115d19d ("pwm: sti: Add new driver for ST's PWM IP") +Link: https://lore.kernel.org/r/81f0e1d173652f435afda6719adaed1922fe059a.1710068192.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 39 +++------------------------------------ + 1 file changed, 3 insertions(+), 36 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index 8f7aff51787be..a0467f0b549c2 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -625,32 +625,20 @@ static int sti_pwm_probe(struct platform_device *pdev) + return ret; + + if (cdata->pwm_num_devs) { +- pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm"); ++ pc->pwm_clk = devm_clk_get_prepared(dev, "pwm"); + if (IS_ERR(pc->pwm_clk)) { + dev_err(dev, "failed to get PWM clock\n"); + return PTR_ERR(pc->pwm_clk); + } +- +- ret = clk_prepare(pc->pwm_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; +- } + } + + if (cdata->cpt_num_devs) { +- pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture"); ++ pc->cpt_clk = devm_clk_get_prepared(dev, "capture"); + if (IS_ERR(pc->cpt_clk)) { + dev_err(dev, "failed to get PWM capture clock\n"); + return PTR_ERR(pc->cpt_clk); + } + +- ret = clk_prepare(pc->cpt_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; +- } +- + cdata->ddata = devm_kzalloc(dev, cdata->cpt_num_devs * sizeof(*cdata->ddata), GFP_KERNEL); + if (!cdata->ddata) + return -ENOMEM; +@@ -667,27 +655,7 @@ static int sti_pwm_probe(struct platform_device *pdev) + mutex_init(&ddata->lock); + } + +- ret = pwmchip_add(chip); +- if (ret < 0) { +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); +- return ret; +- } +- +- platform_set_drvdata(pdev, chip); +- +- return 0; +-} +- +-static void sti_pwm_remove(struct platform_device *pdev) +-{ +- struct pwm_chip *chip = platform_get_drvdata(pdev); +- struct sti_pwm_chip *pc = to_sti_pwmchip(chip); +- +- pwmchip_remove(chip); +- +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); ++ return devm_pwmchip_add(dev, chip); + } + + static const struct of_device_id sti_pwm_of_match[] = { +@@ -702,7 +670,6 @@ static struct platform_driver sti_pwm_driver = { + .of_match_table = sti_pwm_of_match, + }, + .probe = sti_pwm_probe, +- .remove_new = sti_pwm_remove, + }; + module_platform_driver(sti_pwm_driver); + +-- +2.43.0 + diff --git a/queue-6.1/qed-avoid-truncating-work-queue-length.patch b/queue-6.1/qed-avoid-truncating-work-queue-length.patch new file mode 100644 index 00000000000..7c4c1cc15b0 --- /dev/null +++ b/queue-6.1/qed-avoid-truncating-work-queue-length.patch @@ -0,0 +1,58 @@ +From 88b8c8da247cb57e8461b35e45b3c9129a2e2aac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:02 +0100 +Subject: qed: avoid truncating work queue length + +From: Arnd Bergmann + +[ Upstream commit 954fd908f177604d4cce77e2a88cc50b29bad5ff ] + +clang complains that the temporary string for the name passed into +alloc_workqueue() is too short for its contents: + +drivers/net/ethernet/qlogic/qed/qed_main.c:1218:3: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 18 [-Werror,-Wformat-truncation] + +There is no need for a temporary buffer, and the actual name of a workqueue +is 32 bytes (WQ_NAME_LEN), so just use the interface as intended to avoid +the truncation. + +Fixes: 59ccf86fe69a ("qed: Add driver infrastucture for handling mfw requests.") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-4-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index 25d9c254288b5..956ae0206a1f9 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1215,7 +1215,6 @@ static void qed_slowpath_task(struct work_struct *work) + static int qed_slowpath_wq_start(struct qed_dev *cdev) + { + struct qed_hwfn *hwfn; +- char name[NAME_SIZE]; + int i; + + if (IS_VF(cdev)) +@@ -1224,11 +1223,11 @@ static int qed_slowpath_wq_start(struct qed_dev *cdev) + for_each_hwfn(cdev, i) { + hwfn = &cdev->hwfns[i]; + +- snprintf(name, NAME_SIZE, "slowpath-%02x:%02x.%02x", +- cdev->pdev->bus->number, +- PCI_SLOT(cdev->pdev->devfn), hwfn->abs_pf_id); ++ hwfn->slowpath_wq = alloc_workqueue("slowpath-%02x:%02x.%02x", ++ 0, 0, cdev->pdev->bus->number, ++ PCI_SLOT(cdev->pdev->devfn), ++ hwfn->abs_pf_id); + +- hwfn->slowpath_wq = alloc_workqueue(name, 0, 0); + if (!hwfn->slowpath_wq) { + DP_NOTICE(hwfn, "Cannot create slowpath workqueue\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.1/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch b/queue-6.1/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch new file mode 100644 index 00000000000..22f592ac2b5 --- /dev/null +++ b/queue-6.1/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch @@ -0,0 +1,51 @@ +From 4ecb79580b05138981c708f466b40f0f409f91a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 22:43:15 +0300 +Subject: rcu: Fix buffer overflow in print_cpu_stall_info() + +From: Nikita Kiryushin + +[ Upstream commit 3758f7d9917bd7ef0482c4184c0ad673b4c4e069 ] + +The rcuc-starvation output from print_cpu_stall_info() might overflow the +buffer if there is a huge difference in jiffies difference. The situation +might seem improbable, but computers sometimes get very confused about +time, which can result in full-sized integers, and, in this case, +buffer overflow. + +Also, the unsigned jiffies difference is printed using %ld, which is +normally for signed integers. This is intentional for debugging purposes, +but it is not obvious from the code. + +This commit therefore changes sprintf() to snprintf() and adds a +clarifying comment about intention of %ld format. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting quiescent state") +Signed-off-by: Nikita Kiryushin +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_stall.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h +index 7d15b5b5a235a..11a82404a6cee 100644 +--- a/kernel/rcu/tree_stall.h ++++ b/kernel/rcu/tree_stall.h +@@ -474,7 +474,8 @@ static void print_cpu_stall_info(int cpu) + rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu)); + rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j); + if (rcuc_starved) +- sprintf(buf, " rcuc=%ld jiffies(starved)", j); ++ // Print signed value, as negative values indicate a probable bug. ++ snprintf(buf, sizeof(buf), " rcuc=%ld jiffies(starved)", j); + pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u fqs=%ld%s%s\n", + cpu, + "O."[!!cpu_online(cpu)], +-- +2.43.0 + diff --git a/queue-6.1/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch b/queue-6.1/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch new file mode 100644 index 00000000000..55bd4a0b2c5 --- /dev/null +++ b/queue-6.1/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch @@ -0,0 +1,45 @@ +From 91ba3dfba5c0120e62896b20e491b2a6ba2507af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 20:47:47 +0300 +Subject: rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow + +From: Nikita Kiryushin + +[ Upstream commit cc5645fddb0ce28492b15520306d092730dffa48 ] + +There is a possibility of buffer overflow in +show_rcu_tasks_trace_gp_kthread() if counters, passed +to sprintf() are huge. Counter numbers, needed for this +are unrealistically high, but buffer overflow is still +possible. + +Use snprintf() with buffer size instead of sprintf(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: edf3775f0ad6 ("rcu-tasks: Add count for idle tasks on offline CPUs") +Signed-off-by: Nikita Kiryushin +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index b5d5b6cf093a7..6f48f565e3acb 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -1789,7 +1789,7 @@ void show_rcu_tasks_trace_gp_kthread(void) + { + char buf[64]; + +- sprintf(buf, "N%lu h:%lu/%lu/%lu", ++ snprintf(buf, sizeof(buf), "N%lu h:%lu/%lu/%lu", + data_race(n_trc_holdouts), + data_race(n_heavy_reader_ofl_updates), + data_race(n_heavy_reader_updates), +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-fix-deadlock-on-srq-async-events.patch b/queue-6.1/rdma-hns-fix-deadlock-on-srq-async-events.patch new file mode 100644 index 00000000000..7c81877d23a --- /dev/null +++ b/queue-6.1/rdma-hns-fix-deadlock-on-srq-async-events.patch @@ -0,0 +1,69 @@ +From 1c486dcffca4193c8ab463158431e5a4410f33c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:10 +0800 +Subject: RDMA/hns: Fix deadlock on SRQ async events. + +From: Chengchang Tang + +[ Upstream commit b46494b6f9c19f141114a57729e198698f40af37 ] + +xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/ +xa_erase_irq() to avoid deadlock. + +Fixes: 81fce6291d99 ("RDMA/hns: Add SRQ asynchronous event support") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_main.c | 1 + + drivers/infiniband/hw/hns/hns_roce_srq.c | 6 +++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index da1b33d818d82..afe7523eca909 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hem.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index 8dae98f827eb2..6a4923c21cbc6 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -122,7 +122,7 @@ static int alloc_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + return ret; + } + +- ret = xa_err(xa_store(&srq_table->xa, srq->srqn, srq, GFP_KERNEL)); ++ ret = xa_err(xa_store_irq(&srq_table->xa, srq->srqn, srq, GFP_KERNEL)); + if (ret) { + ibdev_err(ibdev, "failed to store SRQC, ret = %d.\n", ret); + goto err_put; +@@ -135,7 +135,7 @@ static int alloc_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + return 0; + + err_xa: +- xa_erase(&srq_table->xa, srq->srqn); ++ xa_erase_irq(&srq_table->xa, srq->srqn); + err_put: + hns_roce_table_put(hr_dev, &srq_table->table, srq->srqn); + +@@ -153,7 +153,7 @@ static void free_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + dev_err(hr_dev->dev, "DESTROY_SRQ failed (%d) for SRQN %06lx\n", + ret, srq->srqn); + +- xa_erase(&srq_table->xa, srq->srqn); ++ xa_erase_irq(&srq_table->xa, srq->srqn); + + if (refcount_dec_and_test(&srq->refcount)) + complete(&srq->free); +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-fix-gmv-table-pagesize.patch b/queue-6.1/rdma-hns-fix-gmv-table-pagesize.patch new file mode 100644 index 00000000000..c9388f47a5b --- /dev/null +++ b/queue-6.1/rdma-hns-fix-gmv-table-pagesize.patch @@ -0,0 +1,39 @@ +From 185803441dc661db8c76e252b2b5b19a1d8d9c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:13 +0800 +Subject: RDMA/hns: Fix GMV table pagesize + +From: Chengchang Tang + +[ Upstream commit ee045493283403969591087bd405fa280103282a ] + +GMV's BA table only supports 4K pages. Currently, PAGESIZE is used to +calculate gmv_bt_num, which will cause an abnormal number of gmv_bt_num +in a 64K OS. + +Fixes: d6d91e46210f ("RDMA/hns: Add support for configuring GMV table") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-8-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index d06b19e69a151..08e2e9569a52a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2229,7 +2229,7 @@ static void apply_func_caps(struct hns_roce_dev *hr_dev) + caps->gid_table_len[0] = caps->gmv_bt_num * + (HNS_HW_PAGE_SIZE / caps->gmv_entry_sz); + +- caps->gmv_entry_num = caps->gmv_bt_num * (PAGE_SIZE / ++ caps->gmv_entry_num = caps->gmv_bt_num * (HNS_HW_PAGE_SIZE / + caps->gmv_entry_sz); + } else { + u32 func_num = max_t(u32, 1, hr_dev->func_num); +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch b/queue-6.1/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch new file mode 100644 index 00000000000..149f2aaccf9 --- /dev/null +++ b/queue-6.1/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch @@ -0,0 +1,75 @@ +From 1b14d3d33283192646440c61e30231164e6428e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:38:51 +0800 +Subject: RDMA/hns: Fix return value in hns_roce_map_mr_sg + +From: Zhengchao Shao + +[ Upstream commit 203b70fda63425a4eb29f03f9074859afe821a39 ] + +As described in the ib_map_mr_sg function comment, it returns the number +of sg elements that were mapped to the memory region. However, +hns_roce_map_mr_sg returns the number of pages required for mapping the +DMA area. Fix it. + +Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20240411033851.2884771-1-shaozhengchao@huawei.com +Reviewed-by: Junxian Huang +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_mr.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 14376490ac226..190e62da98e4b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -421,18 +421,18 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents, + struct ib_device *ibdev = &hr_dev->ib_dev; + struct hns_roce_mr *mr = to_hr_mr(ibmr); + struct hns_roce_mtr *mtr = &mr->pbl_mtr; +- int ret = 0; ++ int ret, sg_num = 0; + + mr->npages = 0; + mr->page_list = kvcalloc(mr->pbl_mtr.hem_cfg.buf_pg_count, + sizeof(dma_addr_t), GFP_KERNEL); + if (!mr->page_list) +- return ret; ++ return sg_num; + +- ret = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page); +- if (ret < 1) { ++ sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page); ++ if (sg_num < 1) { + ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n", +- mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, ret); ++ mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num); + goto err_page_list; + } + +@@ -443,17 +443,16 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents, + ret = hns_roce_mtr_map(hr_dev, mtr, mr->page_list, mr->npages); + if (ret) { + ibdev_err(ibdev, "failed to map sg mtr, ret = %d.\n", ret); +- ret = 0; ++ sg_num = 0; + } else { + mr->pbl_mtr.hem_cfg.buf_pg_shift = (u32)ilog2(ibmr->page_size); +- ret = mr->npages; + } + + err_page_list: + kvfree(mr->page_list); + mr->page_list = NULL; + +- return ret; ++ return sg_num; + } + + static void hns_roce_mw_free(struct hns_roce_dev *hr_dev, +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-fix-uaf-for-cq-async-event.patch b/queue-6.1/rdma-hns-fix-uaf-for-cq-async-event.patch new file mode 100644 index 00000000000..30d68488250 --- /dev/null +++ b/queue-6.1/rdma-hns-fix-uaf-for-cq-async-event.patch @@ -0,0 +1,91 @@ +From 508fd8f223f2e84531fb6fe70ccf86517f9ea092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:11 +0800 +Subject: RDMA/hns: Fix UAF for cq async event + +From: Chengchang Tang + +[ Upstream commit a942ec2745ca864cd8512142100e4027dc306a42 ] + +The refcount of CQ is not protected by locks. When CQ asynchronous +events and CQ destruction are concurrent, CQ may have been released, +which will cause UAF. + +Use the xa_lock() to protect the CQ refcount. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_cq.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c +index 736dc2f993b40..ff177466de9b4 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_cq.c +@@ -151,7 +151,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + return ret; + } + +- ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); ++ ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); + if (ret) { + ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret); + goto err_put; +@@ -164,7 +164,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + return 0; + + err_xa: +- xa_erase(&cq_table->array, hr_cq->cqn); ++ xa_erase_irq(&cq_table->array, hr_cq->cqn); + err_put: + hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn); + +@@ -183,7 +183,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret, + hr_cq->cqn); + +- xa_erase(&cq_table->array, hr_cq->cqn); ++ xa_erase_irq(&cq_table->array, hr_cq->cqn); + + /* Waiting interrupt process procedure carried out */ + synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq); +@@ -472,13 +472,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) + struct ib_event event; + struct ib_cq *ibcq; + +- hr_cq = xa_load(&hr_dev->cq_table.array, +- cqn & (hr_dev->caps.num_cqs - 1)); +- if (!hr_cq) { +- dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); +- return; +- } +- + if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID && + event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR && + event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) { +@@ -487,7 +480,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) + return; + } + +- refcount_inc(&hr_cq->refcount); ++ xa_lock(&hr_dev->cq_table.array); ++ hr_cq = xa_load(&hr_dev->cq_table.array, ++ cqn & (hr_dev->caps.num_cqs - 1)); ++ if (hr_cq) ++ refcount_inc(&hr_cq->refcount); ++ xa_unlock(&hr_dev->cq_table.array); ++ if (!hr_cq) { ++ dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); ++ return; ++ } + + ibcq = &hr_cq->ib_cq; + if (ibcq->event_handler) { +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-modify-the-print-level-of-cqe-error.patch b/queue-6.1/rdma-hns-modify-the-print-level-of-cqe-error.patch new file mode 100644 index 00000000000..1ca0216e01d --- /dev/null +++ b/queue-6.1/rdma-hns-modify-the-print-level-of-cqe-error.patch @@ -0,0 +1,42 @@ +From f38f0c21865886bbe5eb64a627ca117dd2abe95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:16 +0800 +Subject: RDMA/hns: Modify the print level of CQE error + +From: Chengchang Tang + +[ Upstream commit 349e859952285ab9689779fb46de163f13f18f43 ] + +Too much print may lead to a panic in kernel. Change ibdev_err() to +ibdev_err_ratelimited(), and change the printing level of cqe dump +to debug level. + +Fixes: 7c044adca272 ("RDMA/hns: Simplify the cqe code of poll cq") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-11-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 08e2e9569a52a..c931cce50d50d 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3857,8 +3857,9 @@ static void get_cqe_status(struct hns_roce_dev *hr_dev, struct hns_roce_qp *qp, + wc->status == IB_WC_WR_FLUSH_ERR)) + return; + +- ibdev_err(&hr_dev->ib_dev, "error cqe status 0x%x:\n", cqe_status); +- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_NONE, 16, 4, cqe, ++ ibdev_err_ratelimited(&hr_dev->ib_dev, "error cqe status 0x%x:\n", ++ cqe_status); ++ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 4, cqe, + cq->cqe_size, false); + wc->vendor_err = hr_reg_read(cqe, CQE_SUB_STATUS); + +-- +2.43.0 + diff --git a/queue-6.1/rdma-hns-use-complete-parentheses-in-macros.patch b/queue-6.1/rdma-hns-use-complete-parentheses-in-macros.patch new file mode 100644 index 00000000000..7d4da6fae10 --- /dev/null +++ b/queue-6.1/rdma-hns-use-complete-parentheses-in-macros.patch @@ -0,0 +1,52 @@ +From e7dbc43af23fedbcd68d7e986ebc50b575b64145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:15 +0800 +Subject: RDMA/hns: Use complete parentheses in macros + +From: Chengchang Tang + +[ Upstream commit 4125269bb9b22e1d8cdf4412c81be8074dbc61ca ] + +Use complete parentheses to ensure that macro expansion does +not produce unexpected results. + +Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-10-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index 7d23d3c51da46..fea6d7d508b60 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -61,16 +61,16 @@ enum { + (sizeof(struct scatterlist) + sizeof(void *))) + + #define check_whether_bt_num_3(type, hop_num) \ +- (type < HEM_TYPE_MTT && hop_num == 2) ++ ((type) < HEM_TYPE_MTT && (hop_num) == 2) + + #define check_whether_bt_num_2(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == 2)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 2)) + + #define check_whether_bt_num_1(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0) || \ +- (type >= HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0)) + + struct hns_roce_hem_chunk { + struct list_head list; +-- +2.43.0 + diff --git a/queue-6.1/rdma-ipoib-fix-format-truncation-compilation-errors.patch b/queue-6.1/rdma-ipoib-fix-format-truncation-compilation-errors.patch new file mode 100644 index 00000000000..507ecf7d65d --- /dev/null +++ b/queue-6.1/rdma-ipoib-fix-format-truncation-compilation-errors.patch @@ -0,0 +1,66 @@ +From c3e72aaaf03952c71d3572bde19303d44ff711f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 10:39:33 +0300 +Subject: RDMA/IPoIB: Fix format truncation compilation errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit 49ca2b2ef3d003402584c68ae7b3055ba72e750a ] + +Truncate the device name to store IPoIB VLAN name. + +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 allmodconfig +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 W=1 drivers/infiniband/ulp/ipoib/ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c: In function ‘ipoib_vlan_add’: +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:52: error: ‘%04x’ +directive output may be truncated writing 4 bytes into a region of size +between 0 and 15 [-Werror=format-truncation=] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:48: note: directive +argument in the range [0, 65535] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:9: note: ‘snprintf’ output +between 6 and 21 bytes into a destination of size 16 + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 188 | ppriv->dev->name, pkey); + | ~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/ulp/ipoib/ipoib_vlan.o] Error 1 +make[6]: *** Waiting for unfinished jobs.... + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Link: https://lore.kernel.org/r/e9d3e1fef69df4c9beaf402cc3ac342bad680791.1715240029.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +index 4bd161e86f8dd..562df2b3ef187 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -184,8 +184,12 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) + + ppriv = ipoib_priv(pdev); + +- snprintf(intf_name, sizeof(intf_name), "%s.%04x", +- ppriv->dev->name, pkey); ++ /* If you increase IFNAMSIZ, update snprintf below ++ * to allow longer names. ++ */ ++ BUILD_BUG_ON(IFNAMSIZ != 16); ++ snprintf(intf_name, sizeof(intf_name), "%.10s.%04x", ppriv->dev->name, ++ pkey); + + ndev = ipoib_intf_alloc(ppriv->ca, ppriv->port, intf_name); + if (IS_ERR(ndev)) { +-- +2.43.0 + diff --git a/queue-6.1/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch b/queue-6.1/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch new file mode 100644 index 00000000000..7ccbdebe276 --- /dev/null +++ b/queue-6.1/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch @@ -0,0 +1,39 @@ +From 3c1b467bff9250c83da90305b373c0acbea37196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:36:01 +0300 +Subject: RDMA/mlx5: Adding remote atomic access flag to updatable flags + +From: Or Har-Toov + +[ Upstream commit 2ca7e93bc963d9ec2f5c24d117176851454967af ] + +Currently IB_ACCESS_REMOTE_ATOMIC is blocked from being updated via UMR +although in some cases it should be possible. These cases are checked in +mlx5r_umr_can_reconfig function. + +Fixes: ef3642c4f54d ("RDMA/mlx5: Fix error unwinds for rereg_mr") +Signed-off-by: Or Har-Toov +Link: https://lore.kernel.org/r/24dac73e2fa48cb806f33a932d97f3e402a5ea2c.1712140377.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 410cc5fd25239..b81b03aa2a629 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1349,7 +1349,8 @@ static bool can_use_umr_rereg_access(struct mlx5_ib_dev *dev, + unsigned int diffs = current_access_flags ^ target_access_flags; + + if (diffs & ~(IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_REMOTE_READ | IB_ACCESS_RELAXED_ORDERING)) ++ IB_ACCESS_REMOTE_READ | IB_ACCESS_RELAXED_ORDERING | ++ IB_ACCESS_REMOTE_ATOMIC)) + return false; + return mlx5r_umr_can_reconfig(dev, current_access_flags, + target_access_flags); +-- +2.43.0 + diff --git a/queue-6.1/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch b/queue-6.1/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch new file mode 100644 index 00000000000..fb93351f151 --- /dev/null +++ b/queue-6.1/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch @@ -0,0 +1,55 @@ +From 7aeddda93b3ea713c11ca88ad1cc5e15346c4558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:55:12 -0500 +Subject: RDMA/rxe: Fix incorrect rxe_put in error path + +From: Bob Pearson + +[ Upstream commit 8776618dbbd1b6f210b31509507e1aad461d6435 ] + +In rxe_send() a ref is taken on the qp to keep it alive until the +kfree_skb() has a chance to call the skb destructor rxe_skb_tx_dtor() +which drops the reference. If the packet has an incorrect protocol the +error path just calls kfree_skb() which will call the destructor which +will drop the ref. Currently the driver also calls rxe_put() which is +incorrect. Additionally since the packets sent to rxe_send() are under the +control of the driver and it only ever produces IPV4 or IPV6 packets the +simplest fix is to remove all the code in this block. + +Link: https://lore.kernel.org/r/20240329145513.35381-12-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Fixes: 9eb7f8e44d13 ("IB/rxe: Move refcounting earlier in rxe_send()") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index 6bd6ed80f4a6c..779cd547ce839 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -366,18 +366,10 @@ static int rxe_send(struct sk_buff *skb, struct rxe_pkt_info *pkt) + rxe_get(pkt->qp); + atomic_inc(&pkt->qp->skb_out); + +- if (skb->protocol == htons(ETH_P_IP)) { ++ if (skb->protocol == htons(ETH_P_IP)) + err = ip_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb); +- } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ else + err = ip6_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb); +- } else { +- rxe_dbg_qp(pkt->qp, "Unknown layer 3 protocol: %d\n", +- skb->protocol); +- atomic_dec(&pkt->qp->skb_out); +- rxe_put(pkt->qp); +- kfree_skb(skb); +- return -EINVAL; +- } + + if (unlikely(net_xmit_eval(err))) { + rxe_dbg_qp(pkt->qp, "error sending packet: %d\n", err); +-- +2.43.0 + diff --git a/queue-6.1/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch b/queue-6.1/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch new file mode 100644 index 00000000000..aeceeb210dc --- /dev/null +++ b/queue-6.1/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch @@ -0,0 +1,52 @@ +From ea28cc4d9fc02341bfb6031f228718ef0aad4900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:55:04 -0500 +Subject: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt + +From: Bob Pearson + +[ Upstream commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6 ] + +In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the +resp_pkts queue and then a decision is made whether to run the completer +task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' +performance counter. This is wrong because if the completer task is +already running in a separate thread it may have already processed the skb +and freed it which can cause a seg fault. This has been observed +infrequently in testing at high scale. + +This patch fixes this by changing the order of enqueuing the packet until +after the counter is accessed. + +Link: https://lore.kernel.org/r/20240329145513.35381-4-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Fixes: 0b1e5b99a48b ("IB/rxe: Add port protocol stats") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c +index d2a2501236174..c238fa61815aa 100644 +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -126,12 +126,12 @@ void rxe_comp_queue_pkt(struct rxe_qp *qp, struct sk_buff *skb) + { + int must_sched; + +- skb_queue_tail(&qp->resp_pkts, skb); +- +- must_sched = skb_queue_len(&qp->resp_pkts) > 1; ++ must_sched = skb_queue_len(&qp->resp_pkts) > 0; + if (must_sched != 0) + rxe_counter_inc(SKB_TO_PKT(skb)->rxe, RXE_CNT_COMPLETER_SCHED); + ++ skb_queue_tail(&qp->resp_pkts, skb); ++ + if (must_sched) + rxe_sched_task(&qp->comp.task); + else +-- +2.43.0 + diff --git a/queue-6.1/rdma-rxe-replace-pr_xxx-by-rxe_dbg_xxx-in-rxe_net.c.patch b/queue-6.1/rdma-rxe-replace-pr_xxx-by-rxe_dbg_xxx-in-rxe_net.c.patch new file mode 100644 index 00000000000..91155041891 --- /dev/null +++ b/queue-6.1/rdma-rxe-replace-pr_xxx-by-rxe_dbg_xxx-in-rxe_net.c.patch @@ -0,0 +1,167 @@ +From 51b3a404ae34136aa4652ee919313778cd8b502f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 12:10:04 -0500 +Subject: RDMA/rxe: Replace pr_xxx by rxe_dbg_xxx in rxe_net.c + +From: Bob Pearson + +[ Upstream commit 34549e88e0a3088416177023abf1232fe40e721c ] + +Replace (some) calls to pr_xxx() in rxe_net.c with rxe_dbg_xxx(). +Calls with a rxe device not yet in scope are left as is. + +Link: https://lore.kernel.org/r/20221103171013.20659-7-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Stable-dep-of: 8776618dbbd1 ("RDMA/rxe: Fix incorrect rxe_put in error path") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 38 ++++++++++++++++------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index 719432808a063..6bd6ed80f4a6c 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -20,9 +20,10 @@ + + static struct rxe_recv_sockets recv_sockets; + +-static struct dst_entry *rxe_find_route4(struct net_device *ndev, +- struct in_addr *saddr, +- struct in_addr *daddr) ++static struct dst_entry *rxe_find_route4(struct rxe_qp *qp, ++ struct net_device *ndev, ++ struct in_addr *saddr, ++ struct in_addr *daddr) + { + struct rtable *rt; + struct flowi4 fl = { { 0 } }; +@@ -35,7 +36,7 @@ static struct dst_entry *rxe_find_route4(struct net_device *ndev, + + rt = ip_route_output_key(&init_net, &fl); + if (IS_ERR(rt)) { +- pr_err_ratelimited("no route to %pI4\n", &daddr->s_addr); ++ rxe_dbg_qp(qp, "no route to %pI4\n", &daddr->s_addr); + return NULL; + } + +@@ -43,7 +44,8 @@ static struct dst_entry *rxe_find_route4(struct net_device *ndev, + } + + #if IS_ENABLED(CONFIG_IPV6) +-static struct dst_entry *rxe_find_route6(struct net_device *ndev, ++static struct dst_entry *rxe_find_route6(struct rxe_qp *qp, ++ struct net_device *ndev, + struct in6_addr *saddr, + struct in6_addr *daddr) + { +@@ -60,12 +62,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev, + recv_sockets.sk6->sk, &fl6, + NULL); + if (IS_ERR(ndst)) { +- pr_err_ratelimited("no route to %pI6\n", daddr); ++ rxe_dbg_qp(qp, "no route to %pI6\n", daddr); + return NULL; + } + + if (unlikely(ndst->error)) { +- pr_err("no route to %pI6\n", daddr); ++ rxe_dbg_qp(qp, "no route to %pI6\n", daddr); + goto put; + } + +@@ -77,7 +79,8 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev, + + #else + +-static struct dst_entry *rxe_find_route6(struct net_device *ndev, ++static struct dst_entry *rxe_find_route6(struct rxe_qp *qp, ++ struct net_device *ndev, + struct in6_addr *saddr, + struct in6_addr *daddr) + { +@@ -105,14 +108,14 @@ static struct dst_entry *rxe_find_route(struct net_device *ndev, + + saddr = &av->sgid_addr._sockaddr_in.sin_addr; + daddr = &av->dgid_addr._sockaddr_in.sin_addr; +- dst = rxe_find_route4(ndev, saddr, daddr); ++ dst = rxe_find_route4(qp, ndev, saddr, daddr); + } else if (av->network_type == RXE_NETWORK_TYPE_IPV6) { + struct in6_addr *saddr6; + struct in6_addr *daddr6; + + saddr6 = &av->sgid_addr._sockaddr_in6.sin6_addr; + daddr6 = &av->dgid_addr._sockaddr_in6.sin6_addr; +- dst = rxe_find_route6(ndev, saddr6, daddr6); ++ dst = rxe_find_route6(qp, ndev, saddr6, daddr6); + #if IS_ENABLED(CONFIG_IPV6) + if (dst) + qp->dst_cookie = +@@ -285,7 +288,7 @@ static int prepare4(struct rxe_av *av, struct rxe_pkt_info *pkt, + + dst = rxe_find_route(skb->dev, qp, av); + if (!dst) { +- pr_err("Host not reachable\n"); ++ rxe_dbg_qp(qp, "Host not reachable\n"); + return -EHOSTUNREACH; + } + +@@ -309,7 +312,7 @@ static int prepare6(struct rxe_av *av, struct rxe_pkt_info *pkt, + + dst = rxe_find_route(skb->dev, qp, av); + if (!dst) { +- pr_err("Host not reachable\n"); ++ rxe_dbg_qp(qp, "Host not reachable\n"); + return -EHOSTUNREACH; + } + +@@ -368,7 +371,8 @@ static int rxe_send(struct sk_buff *skb, struct rxe_pkt_info *pkt) + } else if (skb->protocol == htons(ETH_P_IPV6)) { + err = ip6_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb); + } else { +- pr_err("Unknown layer 3 protocol: %d\n", skb->protocol); ++ rxe_dbg_qp(pkt->qp, "Unknown layer 3 protocol: %d\n", ++ skb->protocol); + atomic_dec(&pkt->qp->skb_out); + rxe_put(pkt->qp); + kfree_skb(skb); +@@ -376,7 +380,7 @@ static int rxe_send(struct sk_buff *skb, struct rxe_pkt_info *pkt) + } + + if (unlikely(net_xmit_eval(err))) { +- pr_debug("error sending packet: %d\n", err); ++ rxe_dbg_qp(pkt->qp, "error sending packet: %d\n", err); + return -EAGAIN; + } + +@@ -417,7 +421,7 @@ int rxe_xmit_packet(struct rxe_qp *qp, struct rxe_pkt_info *pkt, + + if ((is_request && (qp->req.state != QP_STATE_READY)) || + (!is_request && (qp->resp.state != QP_STATE_READY))) { +- pr_info("Packet dropped. QP is not in ready state\n"); ++ rxe_dbg_qp(qp, "Packet dropped. QP is not in ready state\n"); + goto drop; + } + +@@ -598,7 +602,7 @@ static int rxe_notify(struct notifier_block *not_blk, + rxe_port_down(rxe); + break; + case NETDEV_CHANGEMTU: +- pr_info("%s changed mtu to %d\n", ndev->name, ndev->mtu); ++ rxe_dbg(rxe, "%s changed mtu to %d\n", ndev->name, ndev->mtu); + rxe_set_mtu(rxe, ndev->mtu); + break; + case NETDEV_CHANGE: +@@ -610,7 +614,7 @@ static int rxe_notify(struct notifier_block *not_blk, + case NETDEV_CHANGENAME: + case NETDEV_FEAT_CHANGE: + default: +- pr_info("ignoring netdev event = %ld for %s\n", ++ rxe_dbg(rxe, "ignoring netdev event = %ld for %s\n", + event, ndev->name); + break; + } +-- +2.43.0 + diff --git a/queue-6.1/regulator-irq_helpers-duplicate-irq-name.patch b/queue-6.1/regulator-irq_helpers-duplicate-irq-name.patch new file mode 100644 index 00000000000..51ba452a71f --- /dev/null +++ b/queue-6.1/regulator-irq_helpers-duplicate-irq-name.patch @@ -0,0 +1,43 @@ +From 129941f8f0aad12c530a94cb0e6ce5dfa7d83b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 10:35:21 +0300 +Subject: regulator: irq_helpers: duplicate IRQ name + +From: Matti Vaittinen + +[ Upstream commit 7ab681ddedd4b6dd2b047c74af95221c5f827e1d ] + +The regulator IRQ helper requires caller to provide pointer to IRQ name +which is kept in memory by caller. All other data passed to the helper +in the regulator_irq_desc structure is copied. This can cause some +confusion and unnecessary complexity. + +Make the regulator_irq_helper() to copy also the provided IRQ name +information so caller can discard the name after the call to +regulator_irq_helper() completes. + +Signed-off-by: Matti Vaittinen +Link: https://msgid.link/r/ZhJMuUYwaZbBXFGP@drtxq0yyyyyyyyyyyyydy-3.rev.dnainternet.fi +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/irq_helpers.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/regulator/irq_helpers.c b/drivers/regulator/irq_helpers.c +index fe7ae0f3f46af..5ab1a0befe12f 100644 +--- a/drivers/regulator/irq_helpers.c ++++ b/drivers/regulator/irq_helpers.c +@@ -352,6 +352,9 @@ void *regulator_irq_helper(struct device *dev, + + h->irq = irq; + h->desc = *d; ++ h->desc.name = devm_kstrdup(dev, d->name, GFP_KERNEL); ++ if (!h->desc.name) ++ return ERR_PTR(-ENOMEM); + + ret = init_rdev_state(dev, h, rdev, common_errs, per_rdev_errs, + rdev_amount); +-- +2.43.0 + diff --git a/queue-6.1/regulator-vqmmc-ipq4019-fix-module-autoloading.patch b/queue-6.1/regulator-vqmmc-ipq4019-fix-module-autoloading.patch new file mode 100644 index 00000000000..27204138625 --- /dev/null +++ b/queue-6.1/regulator-vqmmc-ipq4019-fix-module-autoloading.patch @@ -0,0 +1,36 @@ +From 0d4514856618b030b57602853856a3e60b015a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 19:26:15 +0200 +Subject: regulator: vqmmc-ipq4019: fix module autoloading + +From: Krzysztof Kozlowski + +[ Upstream commit 68adb581a39ae63a0ed082c47f01fbbe515efa0e ] + +Add MODULE_DEVICE_TABLE(), so the module could be properly autoloaded +based on the alias from of_device_id table. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://msgid.link/r/20240410172615.255424-2-krzk@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/vqmmc-ipq4019-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/vqmmc-ipq4019-regulator.c b/drivers/regulator/vqmmc-ipq4019-regulator.c +index c4213f096fe57..4f470b2d66c97 100644 +--- a/drivers/regulator/vqmmc-ipq4019-regulator.c ++++ b/drivers/regulator/vqmmc-ipq4019-regulator.c +@@ -84,6 +84,7 @@ static const struct of_device_id regulator_ipq4019_of_match[] = { + { .compatible = "qcom,vqmmc-ipq4019-regulator", }, + {}, + }; ++MODULE_DEVICE_TABLE(of, regulator_ipq4019_of_match); + + static struct platform_driver ipq4019_regulator_driver = { + .probe = ipq4019_regulator_probe, +-- +2.43.0 + diff --git a/queue-6.1/revert-sh-handle-calling-csum_partial-with-misaligne.patch b/queue-6.1/revert-sh-handle-calling-csum_partial-with-misaligne.patch new file mode 100644 index 00000000000..4f4111f6b21 --- /dev/null +++ b/queue-6.1/revert-sh-handle-calling-csum_partial-with-misaligne.patch @@ -0,0 +1,187 @@ +From 9227f42a7781164b4a68e5cc15e8fba8fda42a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Mar 2024 16:18:04 -0700 +Subject: Revert "sh: Handle calling csum_partial with misaligned data" + +From: Guenter Roeck + +[ Upstream commit b5319c96292ff877f6b58d349acf0a9dc8d3b454 ] + +This reverts commit cadc4e1a2b4d20d0cc0e81f2c6ba0588775e54e5. + +Commit cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned +data") causes bad checksum calculations on unaligned data. Reverting +it fixes the problem. + + # Subtest: checksum + # module: checksum_kunit + 1..5 + # test_csum_fixed_random_inputs: ASSERTION FAILED at lib/checksum_kunit.c:500 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 53378 (0xd082) + ( u64)expec == 33488 (0x82d0) + # test_csum_fixed_random_inputs: pass:0 fail:1 skip:0 total:1 + not ok 1 test_csum_fixed_random_inputs + # test_csum_all_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:525 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65281 (0xff01) + ( u64)expec == 65280 (0xff00) + # test_csum_all_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 2 test_csum_all_carry_inputs + # test_csum_no_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:573 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65535 (0xffff) + ( u64)expec == 65534 (0xfffe) + # test_csum_no_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 3 test_csum_no_carry_inputs + # test_ip_fast_csum: pass:1 fail:0 skip:0 total:1 + ok 4 test_ip_fast_csum + # test_csum_ipv6_magic: pass:1 fail:0 skip:0 total:1 + ok 5 test_csum_ipv6_magic + # checksum: pass:2 fail:3 skip:0 total:5 + # Totals: pass:2 fail:3 skip:0 total:5 +not ok 22 checksum + +Fixes: cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data") +Signed-off-by: Guenter Roeck +Tested-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20240324231804.841099-1-linux@roeck-us.net +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/lib/checksum.S | 67 ++++++++++++------------------------------ + 1 file changed, 18 insertions(+), 49 deletions(-) + +diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S +index 3e07074e00981..06fed5a21e8ba 100644 +--- a/arch/sh/lib/checksum.S ++++ b/arch/sh/lib/checksum.S +@@ -33,7 +33,8 @@ + */ + + /* +- * asmlinkage __wsum csum_partial(const void *buf, int len, __wsum sum); ++ * unsigned int csum_partial(const unsigned char *buf, int len, ++ * unsigned int sum); + */ + + .text +@@ -45,31 +46,11 @@ ENTRY(csum_partial) + * Fortunately, it is easy to convert 2-byte alignment to 4-byte + * alignment for the unrolled loop. + */ ++ mov r5, r1 + mov r4, r0 +- tst #3, r0 ! Check alignment. +- bt/s 2f ! Jump if alignment is ok. +- mov r4, r7 ! Keep a copy to check for alignment ++ tst #2, r0 ! Check alignment. ++ bt 2f ! Jump if alignment is ok. + ! +- tst #1, r0 ! Check alignment. +- bt 21f ! Jump if alignment is boundary of 2bytes. +- +- ! buf is odd +- tst r5, r5 +- add #-1, r5 +- bt 9f +- mov.b @r4+, r0 +- extu.b r0, r0 +- addc r0, r6 ! t=0 from previous tst +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +- mov r4, r0 +- tst #2, r0 +- bt 2f +-21: +- ! buf is 2 byte aligned (len could be 0) + add #-2, r5 ! Alignment uses up two bytes. + cmp/pz r5 ! + bt/s 1f ! Jump if we had at least two bytes. +@@ -77,17 +58,16 @@ ENTRY(csum_partial) + bra 6f + add #2, r5 ! r5 was < 2. Deal with it. + 1: ++ mov r5, r1 ! Save new len for later use. + mov.w @r4+, r0 + extu.w r0, r0 + addc r0, r6 + bf 2f + add #1, r6 + 2: +- ! buf is 4 byte aligned (len could be 0) +- mov r5, r1 + mov #-5, r0 +- shld r0, r1 +- tst r1, r1 ++ shld r0, r5 ++ tst r5, r5 + bt/s 4f ! if it's =0, go to 4f + clrt + .align 2 +@@ -109,31 +89,30 @@ ENTRY(csum_partial) + addc r0, r6 + addc r2, r6 + movt r0 +- dt r1 ++ dt r5 + bf/s 3b + cmp/eq #1, r0 +- ! here, we know r1==0 +- addc r1, r6 ! add carry to r6 ++ ! here, we know r5==0 ++ addc r5, r6 ! add carry to r6 + 4: +- mov r5, r0 ++ mov r1, r0 + and #0x1c, r0 + tst r0, r0 +- bt 6f +- ! 4 bytes or more remaining +- mov r0, r1 +- shlr2 r1 ++ bt/s 6f ++ mov r0, r5 ++ shlr2 r5 + mov #0, r2 + 5: + addc r2, r6 + mov.l @r4+, r2 + movt r0 +- dt r1 ++ dt r5 + bf/s 5b + cmp/eq #1, r0 + addc r2, r6 +- addc r1, r6 ! r1==0 here, so it means add carry-bit ++ addc r5, r6 ! r5==0 here, so it means add carry-bit + 6: +- ! 3 bytes or less remaining ++ mov r1, r5 + mov #3, r0 + and r0, r5 + tst r5, r5 +@@ -159,16 +138,6 @@ ENTRY(csum_partial) + mov #0, r0 + addc r0, r6 + 9: +- ! Check if the buffer was misaligned, if so realign sum +- mov r7, r0 +- tst #1, r0 +- bt 10f +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +-10: + rts + mov r6, r0 + +-- +2.43.0 + diff --git a/queue-6.1/riscv-bpf-make-some-atomic-operations-fully-ordered.patch b/queue-6.1/riscv-bpf-make-some-atomic-operations-fully-ordered.patch new file mode 100644 index 00000000000..90b092405e6 --- /dev/null +++ b/queue-6.1/riscv-bpf-make-some-atomic-operations-fully-ordered.patch @@ -0,0 +1,97 @@ +From effa94917ad12990a237fbbd138e503d49d2de34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 May 2024 20:16:33 +0000 +Subject: riscv, bpf: make some atomic operations fully ordered + +From: Puranjay Mohan + +[ Upstream commit 20a759df3bba35bf5c3ddec0c02ad69b603b584c ] + +The BPF atomic operations with the BPF_FETCH modifier along with +BPF_XCHG and BPF_CMPXCHG are fully ordered but the RISC-V JIT implements +all atomic operations except BPF_CMPXCHG with relaxed ordering. + +Section 8.1 of the "The RISC-V Instruction Set Manual Volume I: +Unprivileged ISA" [1], titled, "Specifying Ordering of Atomic +Instructions" says: + +| To provide more efficient support for release consistency [5], each +| atomic instruction has two bits, aq and rl, used to specify additional +| memory ordering constraints as viewed by other RISC-V harts. + +and + +| If only the aq bit is set, the atomic memory operation is treated as +| an acquire access. +| If only the rl bit is set, the atomic memory operation is treated as a +| release access. +| +| If both the aq and rl bits are set, the atomic memory operation is +| sequentially consistent. + +Fix this by setting both aq and rl bits as 1 for operations with +BPF_FETCH and BPF_XCHG. + +[1] https://riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf + +Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64") +Signed-off-by: Puranjay Mohan +Reviewed-by: Pu Lehui +Link: https://lore.kernel.org/r/20240505201633.123115-1-puranjay@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 8f5d3c57d58ad..4c4ac563326b5 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -503,33 +503,33 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64, + break; + /* src_reg = atomic_fetch_(dst_reg + off16, src_reg) */ + case BPF_ADD | BPF_FETCH: +- emit(is64 ? rv_amoadd_d(rs, rs, rd, 0, 0) : +- rv_amoadd_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoadd_d(rs, rs, rd, 1, 1) : ++ rv_amoadd_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zext_32(rs, ctx); + break; + case BPF_AND | BPF_FETCH: +- emit(is64 ? rv_amoand_d(rs, rs, rd, 0, 0) : +- rv_amoand_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoand_d(rs, rs, rd, 1, 1) : ++ rv_amoand_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zext_32(rs, ctx); + break; + case BPF_OR | BPF_FETCH: +- emit(is64 ? rv_amoor_d(rs, rs, rd, 0, 0) : +- rv_amoor_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoor_d(rs, rs, rd, 1, 1) : ++ rv_amoor_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zext_32(rs, ctx); + break; + case BPF_XOR | BPF_FETCH: +- emit(is64 ? rv_amoxor_d(rs, rs, rd, 0, 0) : +- rv_amoxor_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoxor_d(rs, rs, rd, 1, 1) : ++ rv_amoxor_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zext_32(rs, ctx); + break; + /* src_reg = atomic_xchg(dst_reg + off16, src_reg); */ + case BPF_XCHG: +- emit(is64 ? rv_amoswap_d(rs, rs, rd, 0, 0) : +- rv_amoswap_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoswap_d(rs, rs, rd, 1, 1) : ++ rv_amoswap_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zext_32(rs, ctx); + break; +-- +2.43.0 + diff --git a/queue-6.1/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch b/queue-6.1/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch new file mode 100644 index 00000000000..c530ab72f67 --- /dev/null +++ b/queue-6.1/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch @@ -0,0 +1,62 @@ +From 9f220fb42f7b21687260cfe531845312c29a55df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 02:02:49 +0200 +Subject: s390/bpf: Emit a barrier for BPF_FETCH instructions + +From: Ilya Leoshkevich + +[ Upstream commit 68378982f0b21de02ac3c6a11e2420badefcb4bc ] + +BPF_ATOMIC_OP() macro documentation states that "BPF_ADD | BPF_FETCH" +should be the same as atomic_fetch_add(), which is currently not the +case on s390x: the serialization instruction "bcr 14,0" is missing. +This applies to "and", "or" and "xor" variants too. + +s390x is allowed to reorder stores with subsequent fetches from +different addresses, so code relying on BPF_FETCH acting as a barrier, +for example: + + stw [%r0], 1 + afadd [%r1], %r2 + ldxw %r3, [%r4] + +may be broken. Fix it by emitting "bcr 14,0". + +Note that a separate serialization instruction is not needed for +BPF_XCHG and BPF_CMPXCHG, because COMPARE AND SWAP performs +serialization itself. + +Fixes: ba3b86b9cef0 ("s390/bpf: Implement new atomic ops") +Reported-by: Puranjay Mohan +Closes: https://lore.kernel.org/bpf/mb61p34qvq3wf.fsf@kernel.org/ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Puranjay Mohan +Link: https://lore.kernel.org/r/20240507000557.12048-1-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index fbdba4c306bea..8623863935576 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1207,8 +1207,12 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + EMIT6_DISP_LH(0xeb000000, is32 ? (op32) : (op64), \ + (insn->imm & BPF_FETCH) ? src_reg : REG_W0, \ + src_reg, dst_reg, off); \ +- if (is32 && (insn->imm & BPF_FETCH)) \ +- EMIT_ZERO(src_reg); \ ++ if (insn->imm & BPF_FETCH) { \ ++ /* bcr 14,0 - see atomic_fetch_{add,and,or,xor}() */ \ ++ _EMIT2(0x07e0); \ ++ if (is32) \ ++ EMIT_ZERO(src_reg); \ ++ } \ + } while (0) + case BPF_ADD: + case BPF_ADD | BPF_FETCH: +-- +2.43.0 + diff --git a/queue-6.1/s390-cio-fix-tracepoint-subchannel-type-field.patch b/queue-6.1/s390-cio-fix-tracepoint-subchannel-type-field.patch new file mode 100644 index 00000000000..9ff2cc4f8ed --- /dev/null +++ b/queue-6.1/s390-cio-fix-tracepoint-subchannel-type-field.patch @@ -0,0 +1,38 @@ +From 59108ce9d959b62149ba8170b1b6a30e4746832c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 17:04:56 +0100 +Subject: s390/cio: fix tracepoint subchannel type field + +From: Peter Oberparleiter + +[ Upstream commit 8692a24d0fae19f674d51726d179ad04ba95d958 ] + +The subchannel-type field "st" of s390_cio_stsch and s390_cio_msch +tracepoints is incorrectly filled with the subchannel-enabled SCHIB +value "ena". Fix this by assigning the correct value. + +Fixes: d1de8633d96a ("s390 cio: Rewrite trace point class s390_class_schib") +Reviewed-by: Heiko Carstens +Signed-off-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/trace.h b/drivers/s390/cio/trace.h +index 86993de253451..a4c5c6736b310 100644 +--- a/drivers/s390/cio/trace.h ++++ b/drivers/s390/cio/trace.h +@@ -50,7 +50,7 @@ DECLARE_EVENT_CLASS(s390_class_schib, + __entry->devno = schib->pmcw.dev; + __entry->schib = *schib; + __entry->pmcw_ena = schib->pmcw.ena; +- __entry->pmcw_st = schib->pmcw.ena; ++ __entry->pmcw_st = schib->pmcw.st; + __entry->pmcw_dnv = schib->pmcw.dnv; + __entry->pmcw_dev = schib->pmcw.dev; + __entry->pmcw_lpm = schib->pmcw.lpm; +-- +2.43.0 + diff --git a/queue-6.1/sched-core-fix-incorrect-initialization-of-the-burst.patch b/queue-6.1/sched-core-fix-incorrect-initialization-of-the-burst.patch new file mode 100644 index 00000000000..0c132334279 --- /dev/null +++ b/queue-6.1/sched-core-fix-incorrect-initialization-of-the-burst.patch @@ -0,0 +1,71 @@ +From 174cf604dbb7ffab79ffb06598c8975099fc5cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:24:38 +0800 +Subject: sched/core: Fix incorrect initialization of the 'burst' parameter in + cpu_max_write() + +From: Cheng Yu + +[ Upstream commit 49217ea147df7647cb89161b805c797487783fc0 ] + +In the cgroup v2 CPU subsystem, assuming we have a +cgroup named 'test', and we set cpu.max and cpu.max.burst: + + # echo 1000000 > /sys/fs/cgroup/test/cpu.max + # echo 1000000 > /sys/fs/cgroup/test/cpu.max.burst + +then we check cpu.max and cpu.max.burst: + + # cat /sys/fs/cgroup/test/cpu.max + 1000000 100000 + # cat /sys/fs/cgroup/test/cpu.max.burst + 1000000 + +Next we set cpu.max again and check cpu.max and +cpu.max.burst: + + # echo 2000000 > /sys/fs/cgroup/test/cpu.max + # cat /sys/fs/cgroup/test/cpu.max + 2000000 100000 + + # cat /sys/fs/cgroup/test/cpu.max.burst + 1000 + +... we find that the cpu.max.burst value changed unexpectedly. + +In cpu_max_write(), the unit of the burst value returned +by tg_get_cfs_burst() is microseconds, while in cpu_max_write(), +the burst unit used for calculation should be nanoseconds, +which leads to the bug. + +To fix it, get the burst value directly from tg->cfs_bandwidth.burst. + +Fixes: f4183717b370 ("sched/fair: Introduce the burstable CFS controller") +Reported-by: Qixin Liao +Signed-off-by: Cheng Yu +Signed-off-by: Zhang Qiao +Signed-off-by: Ingo Molnar +Reviewed-by: Vincent Guittot +Tested-by: Vincent Guittot +Link: https://lore.kernel.org/r/20240424132438.514720-1-serein.chengyu@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 18a4f8f28a25f..d71234729edb4 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -11117,7 +11117,7 @@ static ssize_t cpu_max_write(struct kernfs_open_file *of, + { + struct task_group *tg = css_tg(of_css(of)); + u64 period = tg_get_cfs_period(tg); +- u64 burst = tg_get_cfs_burst(tg); ++ u64 burst = tg->cfs_bandwidth.burst; + u64 quota; + int ret; + +-- +2.43.0 + diff --git a/queue-6.1/sched-fair-add-eas-checks-before-updating-root_domai.patch b/queue-6.1/sched-fair-add-eas-checks-before-updating-root_domai.patch new file mode 100644 index 00000000000..ebecc34b7f6 --- /dev/null +++ b/queue-6.1/sched-fair-add-eas-checks-before-updating-root_domai.patch @@ -0,0 +1,148 @@ +From bbee301064cdac03bb93f4a326e7b22f5a964bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:27:23 +0530 +Subject: sched/fair: Add EAS checks before updating root_domain::overutilized + +From: Shrikanth Hegde + +[ Upstream commit be3a51e68f2f1b17250ce40d8872c7645b7a2991 ] + +root_domain::overutilized is only used for EAS(energy aware scheduler) +to decide whether to do load balance or not. It is not used if EAS +not possible. + +Currently enqueue_task_fair and task_tick_fair accesses, sometime updates +this field. In update_sd_lb_stats it is updated often. This causes cache +contention due to true sharing and burns a lot of cycles. ::overload and +::overutilized are part of the same cacheline. Updating it often invalidates +the cacheline. That causes access to ::overload to slow down due to +false sharing. Hence add EAS check before accessing/updating this field. +EAS check is optimized at compile time or it is a static branch. +Hence it shouldn't cost much. + +With the patch, both enqueue_task_fair and newidle_balance don't show +up as hot routines in perf profile. + + 6.8-rc4: + 7.18% swapper [kernel.vmlinux] [k] enqueue_task_fair + 6.78% s [kernel.vmlinux] [k] newidle_balance + + +patch: + 0.14% swapper [kernel.vmlinux] [k] enqueue_task_fair + 0.00% swapper [kernel.vmlinux] [k] newidle_balance + +While at it: trace_sched_overutilized_tp expect that second argument to +be bool. So do a int to bool conversion for that. + +Fixes: 2802bf3cd936 ("sched/fair: Add over-utilization/tipping point indicator") +Signed-off-by: Shrikanth Hegde +Signed-off-by: Ingo Molnar +Reviewed-by: Qais Yousef +Reviewed-by: Srikar Dronamraju +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20240307085725.444486-2-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 53 +++++++++++++++++++++++++++++---------------- + 1 file changed, 34 insertions(+), 19 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 91c101ecfef9f..0de8354d5ad0a 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6020,22 +6020,42 @@ static inline void hrtick_update(struct rq *rq) + #ifdef CONFIG_SMP + static inline bool cpu_overutilized(int cpu) + { +- unsigned long rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN); +- unsigned long rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX); ++ unsigned long rq_util_min, rq_util_max; ++ ++ if (!sched_energy_enabled()) ++ return false; ++ ++ rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN); ++ rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX); + + /* Return true only if the utilization doesn't fit CPU's capacity */ + return !util_fits_cpu(cpu_util_cfs(cpu), rq_util_min, rq_util_max, cpu); + } + +-static inline void update_overutilized_status(struct rq *rq) ++static inline void set_rd_overutilized_status(struct root_domain *rd, ++ unsigned int status) + { +- if (!READ_ONCE(rq->rd->overutilized) && cpu_overutilized(rq->cpu)) { +- WRITE_ONCE(rq->rd->overutilized, SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rq->rd, SG_OVERUTILIZED); +- } ++ if (!sched_energy_enabled()) ++ return; ++ ++ WRITE_ONCE(rd->overutilized, status); ++ trace_sched_overutilized_tp(rd, !!status); ++} ++ ++static inline void check_update_overutilized_status(struct rq *rq) ++{ ++ /* ++ * overutilized field is used for load balancing decisions only ++ * if energy aware scheduler is being used ++ */ ++ if (!sched_energy_enabled()) ++ return; ++ ++ if (!READ_ONCE(rq->rd->overutilized) && cpu_overutilized(rq->cpu)) ++ set_rd_overutilized_status(rq->rd, SG_OVERUTILIZED); + } + #else +-static inline void update_overutilized_status(struct rq *rq) { } ++static inline void check_update_overutilized_status(struct rq *rq) { } + #endif + + /* Runqueue only has SCHED_IDLE tasks enqueued */ +@@ -6147,7 +6167,7 @@ enqueue_task_fair(struct rq *rq, struct task_struct *p, int flags) + * and the following generally works well enough in practice. + */ + if (!task_new) +- update_overutilized_status(rq); ++ check_update_overutilized_status(rq); + + enqueue_throttle: + assert_list_leaf_cfs_rq(rq); +@@ -9923,19 +9943,14 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd + env->fbq_type = fbq_classify_group(&sds->busiest_stat); + + if (!env->sd->parent) { +- struct root_domain *rd = env->dst_rq->rd; +- + /* update overload indicator if we are at root domain */ +- WRITE_ONCE(rd->overload, sg_status & SG_OVERLOAD); ++ WRITE_ONCE(env->dst_rq->rd->overload, sg_status & SG_OVERLOAD); + + /* Update over-utilization (tipping point, U >= 0) indicator */ +- WRITE_ONCE(rd->overutilized, sg_status & SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rd, sg_status & SG_OVERUTILIZED); ++ set_rd_overutilized_status(env->dst_rq->rd, ++ sg_status & SG_OVERUTILIZED); + } else if (sg_status & SG_OVERUTILIZED) { +- struct root_domain *rd = env->dst_rq->rd; +- +- WRITE_ONCE(rd->overutilized, SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rd, SG_OVERUTILIZED); ++ set_rd_overutilized_status(env->dst_rq->rd, SG_OVERUTILIZED); + } + + update_idle_cpu_scan(env, sum_util); +@@ -11849,7 +11864,7 @@ static void task_tick_fair(struct rq *rq, struct task_struct *curr, int queued) + task_tick_numa(rq, curr); + + update_misfit_status(curr, rq); +- update_overutilized_status(task_rq(curr)); ++ check_update_overutilized_status(task_rq(curr)); + + task_tick_core(rq, curr); + } +-- +2.43.0 + diff --git a/queue-6.1/sched-fair-allow-disabling-sched_balance_newidle-wit.patch b/queue-6.1/sched-fair-allow-disabling-sched_balance_newidle-wit.patch new file mode 100644 index 00000000000..8fde7d8201d --- /dev/null +++ b/queue-6.1/sched-fair-allow-disabling-sched_balance_newidle-wit.patch @@ -0,0 +1,64 @@ +From 6ea77ca11fd39396be7f5cfedaca90033a0cb45e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:05:23 +0300 +Subject: sched/fair: Allow disabling sched_balance_newidle with + sched_relax_domain_level + +From: Vitalii Bursov + +[ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ] + +Change relax_domain_level checks so that it would be possible +to include or exclude all domains from newidle balancing. + +This matches the behavior described in the documentation: + + -1 no request. use system default or follow request of others. + 0 no search. + 1 search siblings (hyperthreads in a core). + +"2" enables levels 0 and 1, level_max excludes the last (level_max) +level, and level_max+1 includes all levels. + +Fixes: 1d3504fcf560 ("sched, cpuset: customize sched domains, core") +Signed-off-by: Vitalii Bursov +Signed-off-by: Ingo Molnar +Tested-by: Dietmar Eggemann +Reviewed-by: Vincent Guittot +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/bd6de28e80073c79466ec6401cdeae78f0d4423d.1714488502.git.vitaly@bursov.com +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 2 +- + kernel/sched/topology.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 79e6a5d4c29a1..01f5a019e0f54 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2185,7 +2185,7 @@ bool current_cpuset_is_being_rebound(void) + static int update_relax_domain_level(struct cpuset *cs, s64 val) + { + #ifdef CONFIG_SMP +- if (val < -1 || val >= sched_domain_level_max) ++ if (val < -1 || val > sched_domain_level_max + 1) + return -EINVAL; + #endif + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 8739c2a5a54ea..d404b5d2d842e 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1436,7 +1436,7 @@ static void set_domain_attribute(struct sched_domain *sd, + } else + request = attr->relax_domain_level; + +- if (sd->level > request) { ++ if (sd->level >= request) { + /* Turn off idle balance on this domain: */ + sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); + } +-- +2.43.0 + diff --git a/queue-6.1/sched-isolation-fix-boot-crash-when-maxcpus-first-ho.patch b/queue-6.1/sched-isolation-fix-boot-crash-when-maxcpus-first-ho.patch new file mode 100644 index 00000000000..592f367ce3a --- /dev/null +++ b/queue-6.1/sched-isolation-fix-boot-crash-when-maxcpus-first-ho.patch @@ -0,0 +1,78 @@ +From 3f9597fa3bf58cce7273475aae99bd1eb71912ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Apr 2024 16:17:46 +0200 +Subject: sched/isolation: Fix boot crash when maxcpus < first housekeeping CPU + +From: Oleg Nesterov + +[ Upstream commit 257bf89d84121280904800acd25cc2c444c717ae ] + +housekeeping_setup() checks cpumask_intersects(present, online) to ensure +that the kernel will have at least one housekeeping CPU after smp_init(), +but this doesn't work if the maxcpus= kernel parameter limits the number of +processors available after bootup. + +For example, a kernel with "maxcpus=2 nohz_full=0-2" parameters crashes at +boot time on a virtual machine with 4 CPUs. + +Change housekeeping_setup() to use cpumask_first_and() and check that the +returned CPU number is valid and less than setup_max_cpus. + +Another corner case is "nohz_full=0" on a machine with a single CPU or with +the maxcpus=1 kernel argument. In this case non_housekeeping_mask is empty +and tick_nohz_full_setup() makes no sense. And indeed, the kernel hits the +WARN_ON(tick_nohz_full_running) in tick_sched_do_timer(). + +And how should the kernel interpret the "nohz_full=" parameter? It should +be silently ignored, but currently cpulist_parse() happily returns the +empty cpumask and this leads to the same problem. + +Change housekeeping_setup() to check cpumask_empty(non_housekeeping_mask) +and do nothing in this case. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar +Reviewed-by: Phil Auld +Acked-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/20240413141746.GA10008@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/isolation.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/isolation.c b/kernel/sched/isolation.c +index 373d42c707bc5..82e2f7fc7c267 100644 +--- a/kernel/sched/isolation.c ++++ b/kernel/sched/isolation.c +@@ -109,6 +109,7 @@ static void __init housekeeping_setup_type(enum hk_type type, + static int __init housekeeping_setup(char *str, unsigned long flags) + { + cpumask_var_t non_housekeeping_mask, housekeeping_staging; ++ unsigned int first_cpu; + int err = 0; + + if ((flags & HK_FLAG_TICK) && !(housekeeping.flags & HK_FLAG_TICK)) { +@@ -129,7 +130,8 @@ static int __init housekeeping_setup(char *str, unsigned long flags) + cpumask_andnot(housekeeping_staging, + cpu_possible_mask, non_housekeeping_mask); + +- if (!cpumask_intersects(cpu_present_mask, housekeeping_staging)) { ++ first_cpu = cpumask_first_and(cpu_present_mask, housekeeping_staging); ++ if (first_cpu >= nr_cpu_ids || first_cpu >= setup_max_cpus) { + __cpumask_set_cpu(smp_processor_id(), housekeeping_staging); + __cpumask_clear_cpu(smp_processor_id(), non_housekeeping_mask); + if (!housekeeping.flags) { +@@ -138,6 +140,9 @@ static int __init housekeeping_setup(char *str, unsigned long flags) + } + } + ++ if (cpumask_empty(non_housekeeping_mask)) ++ goto free_housekeeping_staging; ++ + if (!housekeeping.flags) { + /* First setup call ("nohz_full=" or "isolcpus=") */ + enum hk_type type; +-- +2.43.0 + diff --git a/queue-6.1/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch b/queue-6.1/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..cdd6e548746 --- /dev/null +++ b/queue-6.1/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,49 @@ +From 7527274bb99f7d1488f310dfcc79618e5f9816e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:20 +0700 +Subject: scsi: bfa: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ] + +Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from +userspace to that buffer. Later, we use sscanf on this buffer but we don't +ensure that the string is terminated inside the buffer, this can lead to +OOB read when using sscanf. Fix this issue by using memdup_user_nul instead +of memdup_user. + +Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c +index 52db147d9979d..f6dd077d47c9a 100644 +--- a/drivers/scsi/bfa/bfad_debugfs.c ++++ b/drivers/scsi/bfa/bfad_debugfs.c +@@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-6.1/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch b/queue-6.1/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch new file mode 100644 index 00000000000..769884369dd --- /dev/null +++ b/queue-6.1/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch @@ -0,0 +1,41 @@ +From 6e1ff484cbd4c039b5b81e6a70f1e02ad3c587ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 20:04:47 +0300 +Subject: scsi: hpsa: Fix allocation size for Scsi_Host private data + +From: Yuri Karpov + +[ Upstream commit 504e2bed5d50610c1836046c0c195b0a6dba9c72 ] + +struct Scsi_Host private data contains pointer to struct ctlr_info. + +Restore allocation of only 8 bytes to store pointer in struct Scsi_Host +private data area. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bbbd25499100 ("scsi: hpsa: Fix allocation size for scsi_host_alloc()") +Signed-off-by: Yuri Karpov +Link: https://lore.kernel.org/r/20240312170447.743709-1-YKarpov@ispras.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index f6da34850af9d..e529b3d3eaf39 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -5850,7 +5850,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h) + { + struct Scsi_Host *sh; + +- sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info)); ++ sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info *)); + if (sh == NULL) { + dev_err(&h->pdev->dev, "scsi_host_alloc failed\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.1/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch b/queue-6.1/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch new file mode 100644 index 00000000000..dfa72a6a19c --- /dev/null +++ b/queue-6.1/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch @@ -0,0 +1,55 @@ +From 46ed269d921d7c440edf7909323fe81ab28c8dd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 14:11:03 +0000 +Subject: scsi: libsas: Fix the failure of adding phy with zero-address to port + +From: Xingui Yang + +[ Upstream commit 06036a0a5db34642c5dbe22021a767141f010b7a ] + +As of commit 7d1d86518118 ("[SCSI] libsas: fix false positive 'device +attached' conditions"), reset the phy->entacted_sas_addr address to a +zero-address when the link rate is less than 1.5G. + +Currently we find that when a new device is attached, and the link rate is +less than 1.5G, but the device type is not NO_DEVICE, for example: the link +rate is SAS_PHY_RESET_IN_PROGRESS and the device type is stp. After setting +the phy->entacted_sas_addr address to the zero address, the port will +continue to be created for the phy with the zero-address, and other phys +with the zero-address will be tried to be added to the new port: + +[562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached: 0000000000000000 (no device) +// phy19 is deleted but still on the parent port's phy_list +[562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached +[562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached: 0000000000000000 (stp) +[562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's already part of another port + +Therefore, it should be the same as sas_get_phy_attached_dev(). Only when +device_type is SAS_PHY_UNUSED, sas_address is set to the 0 address. + +Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions") +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20240312141103.31358-5-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 4b5ceba68e46e..ffec7f0e51fcd 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -239,8 +239,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, + /* help some expanders that fail to zero sas_address in the 'no + * device' case + */ +- if (phy->attached_dev_type == SAS_PHY_UNUSED || +- phy->linkrate < SAS_LINK_RATE_1_5_GBPS) ++ if (phy->attached_dev_type == SAS_PHY_UNUSED) + memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); + else + memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); +-- +2.43.0 + diff --git a/queue-6.1/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch b/queue-6.1/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..2f3a9cbbb0c --- /dev/null +++ b/queue-6.1/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,40 @@ +From b996bd27d146789ca8ae77634b50aa409dd07286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:21 +0700 +Subject: scsi: qedf: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ] + +Currently, we allocate a count-sized kernel buffer and copy count from +userspace to that buffer. Later, we use kstrtouint on this buffer but we +don't ensure that the string is terminated inside the buffer, this can +lead to OOB read when using kstrtouint. Fix this issue by using +memdup_user_nul instead of memdup_user. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 451fd236bfd05..96174353e3898 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer, + if (!count || *ppos) + return 0; + +- kern_buf = memdup_user(buffer, count); ++ kern_buf = memdup_user_nul(buffer, count); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-6.1/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch b/queue-6.1/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch new file mode 100644 index 00000000000..9e34e486f35 --- /dev/null +++ b/queue-6.1/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch @@ -0,0 +1,43 @@ +From b2c3fc8f133d4d747ff1eed21472d6f332719e93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 02:00:56 +0000 +Subject: scsi: qla2xxx: Fix debugfs output for fw_resource_count + +From: Himanshu Madhani + +[ Upstream commit 998d09c5ef6183bd8137d1a892ba255b15978bb4 ] + +DebugFS output for fw_resource_count shows: + +estimate exchange used[0] high water limit [1945] n estimate iocb2 used [0] high water limit [5141] + estimate exchange2 used[0] high water limit [1945] + +Which shows incorrect display due to missing newline in seq_print(). + +[mkp: fix checkpatch warning about space before newline] + +Fixes: 5f63a163ed2f ("scsi: qla2xxx: Fix exchange oversubscription for management commands") +Signed-off-by: Himanshu Madhani +Link: https://lore.kernel.org/r/20240426020056.3639406-1-himanshu.madhani@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_dfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c +index a7a364760b800..081af4d420a05 100644 +--- a/drivers/scsi/qla2xxx/qla_dfs.c ++++ b/drivers/scsi/qla2xxx/qla_dfs.c +@@ -274,7 +274,7 @@ qla_dfs_fw_resource_cnt_show(struct seq_file *s, void *unused) + seq_printf(s, "Driver: estimate iocb used [%d] high water limit [%d]\n", + iocbs_used, ha->base_qpair->fwres.iocbs_limit); + +- seq_printf(s, "estimate exchange used[%d] high water limit [%d] n", ++ seq_printf(s, "estimate exchange used[%d] high water limit [%d]\n", + exch_used, ha->base_qpair->fwres.exch_limit); + + if (ql2xenforce_iocb_limit == 2) { +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch b/queue-6.1/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch new file mode 100644 index 00000000000..9a3d377fb37 --- /dev/null +++ b/queue-6.1/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch @@ -0,0 +1,50 @@ +From 28ab8bbb37519e6f02b38f20dc0d55b07c5f320f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:48 -0500 +Subject: scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV + +From: Andrew Halaney + +[ Upstream commit b715c55daf598aac8fa339048e4ca8a0916b332e ] + +Currently, HCLKDIV is written to and then completed with an mb(). + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: d90996dae8e4 ("scsi: ufs: Add UFS platform driver for Cadence UFS") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-6-181252004586@redhat.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/cdns-pltfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/cdns-pltfrm.c b/drivers/ufs/host/cdns-pltfrm.c +index e05c0ae64eea4..38a238eaa2133 100644 +--- a/drivers/ufs/host/cdns-pltfrm.c ++++ b/drivers/ufs/host/cdns-pltfrm.c +@@ -137,7 +137,7 @@ static int cdns_ufs_set_hclkdiv(struct ufs_hba *hba) + * Make sure the register was updated, + * UniPro layer will not work with an incorrect value. + */ +- mb(); ++ ufshcd_readl(hba, CDNS_UFS_REG_HCLKDIV); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-inte.patch b/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-inte.patch new file mode 100644 index 00000000000..0efa0b09efe --- /dev/null +++ b/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-inte.patch @@ -0,0 +1,53 @@ +From cce7e11222b71174734e443538e22d92109cb047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:50 -0500 +Subject: scsi: ufs: core: Perform read back after disabling interrupts + +From: Andrew Halaney + +[ Upstream commit e4a628877119bd40164a651d20321247b6f94a8b ] + +Currently, interrupts are cleared and disabled prior to registering the +interrupt. An mb() is used to complete the clear/disable writes before the +interrupt is registered. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring these +bits have taken effect on the device is to perform a read back to force it +to make it all the way to the device. This is documented in device-io.rst +and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure these bits hit the device. Because the mb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: 199ef13cac7d ("scsi: ufs: avoid spurious UFS host controller interrupts") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-8-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 948449a13247c..f54260d7873f1 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -9817,7 +9817,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + * Make sure that UFS interrupts are disabled and any pending interrupt + * status is cleared before registering UFS interrupt handler. + */ +- mb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + + /* IRQ registration */ + err = devm_request_irq(dev, irq, ufshcd_intr, IRQF_SHARED, UFSHCD, hba); +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch b/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch new file mode 100644 index 00000000000..88d1c74d744 --- /dev/null +++ b/queue-6.1/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch @@ -0,0 +1,52 @@ +From 54b173c31a1d640b6905645ee230b427e4410204 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:51 -0500 +Subject: scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL + +From: Andrew Halaney + +[ Upstream commit 4bf3855497b60765ca03b983d064b25e99b97657 ] + +Currently, the UIC_COMMAND_COMPL interrupt is disabled and a wmb() is used +to complete the register write before any following writes. + +wmb() ensures the writes complete in that order, but completion doesn't +mean that it isn't stored in a buffer somewhere. The recommendation for +ensuring this bit has taken effect on the device is to perform a read back +to force it to make it all the way to the device. This is documented in +device-io.rst and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the wmb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: d75f7fe495cf ("scsi: ufs: reduce the interrupts for power mode change requests") +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-9-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index f54260d7873f1..5922cb5a1de0d 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -4074,7 +4074,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + * Make sure UIC command completion interrupt is disabled before + * issuing UIC command. + */ +- wmb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + reenable_intr = true; + } + spin_unlock_irqrestore(hba->host->host_lock, flags); +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch new file mode 100644 index 00000000000..4557431098f --- /dev/null +++ b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch @@ -0,0 +1,51 @@ +From b55ae400c65f811b85cc76033f5d9928d1718143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:47 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing CGC enable + +From: Andrew Halaney + +[ Upstream commit d9488511b3ac7eb48a91bc5eded7027525525e03 ] + +Currently, the CGC enable bit is written and then an mb() is used to ensure +that completes before continuing. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Can Guo +Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-5-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index edbd3d7cf83aa..337c0ef0fab6d 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -336,7 +336,7 @@ static void ufs_qcom_enable_hw_clk_gating(struct ufs_hba *hba) + REG_UFS_CFG2); + + /* Ensure that HW clock gating is enabled before next operations */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG2); + } + + static int ufs_qcom_hce_enable_notify(struct ufs_hba *hba, +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch new file mode 100644 index 00000000000..d1006638bf9 --- /dev/null +++ b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch @@ -0,0 +1,51 @@ +From 51515ff564ece22edf55d4df32a9135d3df3530f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:44 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US + +From: Andrew Halaney + +[ Upstream commit a862fafa263aea0f427d51aca6ff7fd9eeaaa8bd ] + +Currently after writing to REG_UFS_SYS1CLK_1US a mb() is used to ensure +that write has gone through to the device. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations") +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-2-181252004586@redhat.com +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index 8ad1415e10b63..a5d981d3dd6be 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -432,7 +432,7 @@ static int ufs_qcom_cfg_timers(struct ufs_hba *hba, u32 gear, + * make sure above write gets applied before we return from + * this function. + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_SYS1CLK_1US); + } + + if (ufs_qcom_cap_qunipro(host)) +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch new file mode 100644 index 00000000000..9a3a4cdab54 --- /dev/null +++ b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch @@ -0,0 +1,71 @@ +From 8869ad811d3a1ff31abf47ae6e721e78eea7072f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:43 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing reset bit + +From: Andrew Halaney + +[ Upstream commit c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae ] + +Currently, the reset bit for the UFS provided reset controller (used by its +phy) is written to, and then a mb() happens to try and ensure that hit the +device. Immediately afterwards a usleep_range() occurs. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. By doing so and +guaranteeing the ordering against the immediately following usleep_range(), +the mb() can safely be removed. + +Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-1-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.h b/drivers/ufs/host/ufs-qcom.h +index 44466a395bb53..8a3a65625db55 100644 +--- a/drivers/ufs/host/ufs-qcom.h ++++ b/drivers/ufs/host/ufs-qcom.h +@@ -146,10 +146,10 @@ static inline void ufs_qcom_assert_reset(struct ufs_hba *hba) + 1 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); + + /* +- * Make sure assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) +@@ -158,10 +158,10 @@ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) + 0 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); + + /* +- * Make sure de-assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + /* Host controller hardware version: major.minor.step */ +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch new file mode 100644 index 00000000000..5c80574f210 --- /dev/null +++ b/queue-6.1/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch @@ -0,0 +1,52 @@ +From e3c349321e7970b0d51e6cc0d2ca847ef525f607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:46 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing unipro mode + +From: Andrew Halaney + +[ Upstream commit 823150ecf04f958213cf3bf162187cd1a91c885c ] + +Currently, the QUNIPRO_SEL bit is written to and then an mb() is used to +ensure that completes before continuing. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +But, there's really no reason to even ensure completion before +continuing. The only requirement here is that this write is ordered to this +endpoint (which readl()/writel() guarantees already). For that reason the +mb() can be dropped altogether without anything forcing completion. + +Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations") +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-4-181252004586@redhat.com +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index ce18c43937a22..edbd3d7cf83aa 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -229,9 +229,6 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host) + + if (host->hw_ver.major == 0x05) + ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0); +- +- /* make sure above configuration is applied before we return */ +- mb(); + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-.patch b/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-.patch new file mode 100644 index 00000000000..d7781aec3fb --- /dev/null +++ b/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-.patch @@ -0,0 +1,40 @@ +From 9b3c0b3afae88c0255330d557bf8e30e9f0798a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 14:11:21 +0200 +Subject: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5 + +From: Neil Armstrong + +[ Upstream commit c422fbd5cb58c9a078172ae1e9750971b738a197 ] + +The qunipro_g4_sel clear is also needed for new platforms with major +version > 5. Fix the version check to take this into account. + +Fixes: 9c02aa24bf40 ("scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5") +Acked-by: Manivannan Sadhasivam +Reviewed-by: Nitin Rawat +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230821-topic-sm8x50-upstream-ufs-major-5-plus-v2-1-f42a4b712e58@linaro.org +Reviewed-by: "Bao D. Nguyen" +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index 337c0ef0fab6d..ecd5939f4c9a6 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -227,7 +227,7 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host) + ufs_qcom_cap_qunipro(host) ? QUNIPRO_SEL : 0, + REG_UFS_CFG1); + +- if (host->hw_ver.major == 0x05) ++ if (host->hw_ver.major >= 0x05) + ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0); + } + +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-versio.patch b/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-versio.patch new file mode 100644 index 00000000000..155a888f3e0 --- /dev/null +++ b/queue-6.1/scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-versio.patch @@ -0,0 +1,76 @@ +From 1eb9c6b3010a6a836605fcf0b10c03be7a768bc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 17:14:05 +0200 +Subject: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5 + +From: Abel Vesa + +[ Upstream commit 9c02aa24bf404a39ec509d9f50539056b9b128f7 ] + +On SM8550, depending on the Qunipro, we can run with G5 or G4. For now, +when the major version is 5 or above, we go with G5. Therefore, we need to +specifically tell UFS HC that. + +Signed-off-by: Abel Vesa +Signed-off-by: Martin K. Petersen +Stable-dep-of: 823150ecf04f ("scsi: ufs: qcom: Perform read back after writing unipro mode") +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 8 ++++++-- + drivers/ufs/host/ufs-qcom.h | 6 +++++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index a5d981d3dd6be..ce18c43937a22 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -226,6 +226,10 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host) + ufshcd_rmwl(host->hba, QUNIPRO_SEL, + ufs_qcom_cap_qunipro(host) ? QUNIPRO_SEL : 0, + REG_UFS_CFG1); ++ ++ if (host->hw_ver.major == 0x05) ++ ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0); ++ + /* make sure above configuration is applied before we return */ + mb(); + } +@@ -498,9 +502,9 @@ static int ufs_qcom_cfg_timers(struct ufs_hba *hba, u32 gear, + mb(); + } + +- if (update_link_startup_timer) { ++ if (update_link_startup_timer && host->hw_ver.major != 0x5) { + ufshcd_writel(hba, ((core_clk_rate / MSEC_PER_SEC) * 100), +- REG_UFS_PA_LINK_STARTUP_TIMER); ++ REG_UFS_CFG0); + /* + * make sure that this configuration is applied before + * we return +diff --git a/drivers/ufs/host/ufs-qcom.h b/drivers/ufs/host/ufs-qcom.h +index 112e53efafe2b..24367cee0b3ff 100644 +--- a/drivers/ufs/host/ufs-qcom.h ++++ b/drivers/ufs/host/ufs-qcom.h +@@ -38,7 +38,8 @@ enum { + REG_UFS_PA_ERR_CODE = 0xCC, + /* On older UFS revisions, this register is called "RETRY_TIMER_REG" */ + REG_UFS_PARAM0 = 0xD0, +- REG_UFS_PA_LINK_STARTUP_TIMER = 0xD8, ++ /* On older UFS revisions, this register is called "REG_UFS_PA_LINK_STARTUP_TIMER" */ ++ REG_UFS_CFG0 = 0xD8, + REG_UFS_CFG1 = 0xDC, + REG_UFS_CFG2 = 0xE0, + REG_UFS_HW_VERSION = 0xE4, +@@ -76,6 +77,9 @@ enum { + #define UFS_CNTLR_2_x_x_VEN_REGS_OFFSET(x) (0x000 + x) + #define UFS_CNTLR_3_x_x_VEN_REGS_OFFSET(x) (0x400 + x) + ++/* bit definitions for REG_UFS_CFG0 register */ ++#define QUNIPRO_G4_SEL BIT(5) ++ + /* bit definitions for REG_UFS_CFG1 register */ + #define QUNIPRO_SEL 0x1 + #define UTP_DBG_RAMS_EN 0x20000 +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-ufs-qcom-fix-the-qcom-register-name-for-off.patch b/queue-6.1/scsi-ufs-ufs-qcom-fix-the-qcom-register-name-for-off.patch new file mode 100644 index 00000000000..dbd5691a71d --- /dev/null +++ b/queue-6.1/scsi-ufs-ufs-qcom-fix-the-qcom-register-name-for-off.patch @@ -0,0 +1,41 @@ +From 3ed83881f534ef099f342e90b3e42f3c27a7afcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Dec 2022 19:39:55 +0530 +Subject: scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0 + +From: Manivannan Sadhasivam + +[ Upstream commit 7959587f3284bf163e4f1baff3c6fa71fc6a55b1 ] + +On newer UFS revisions, the register at offset 0xD0 is called, +REG_UFS_PARAM0. Since the existing register, RETRY_TIMER_REG is not used +anywhere, it is safe to use the new name. + +Reviewed-by: Andrew Halaney +Reviewed-by: Asutosh Das +Tested-by: Andrew Halaney # Qdrive3/sa8540p-ride +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Stable-dep-of: 823150ecf04f ("scsi: ufs: qcom: Perform read back after writing unipro mode") +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.h b/drivers/ufs/host/ufs-qcom.h +index 8a3a65625db55..112e53efafe2b 100644 +--- a/drivers/ufs/host/ufs-qcom.h ++++ b/drivers/ufs/host/ufs-qcom.h +@@ -36,7 +36,8 @@ enum { + REG_UFS_TX_SYMBOL_CLK_NS_US = 0xC4, + REG_UFS_LOCAL_PORT_ID_REG = 0xC8, + REG_UFS_PA_ERR_CODE = 0xCC, +- REG_UFS_RETRY_TIMER_REG = 0xD0, ++ /* On older UFS revisions, this register is called "RETRY_TIMER_REG" */ ++ REG_UFS_PARAM0 = 0xD0, + REG_UFS_PA_LINK_STARTUP_TIMER = 0xD8, + REG_UFS_CFG1 = 0xDC, + REG_UFS_CFG2 = 0xE0, +-- +2.43.0 + diff --git a/queue-6.1/selftests-binderfs-use-the-makefile-s-rules-not-make.patch b/queue-6.1/selftests-binderfs-use-the-makefile-s-rules-not-make.patch new file mode 100644 index 00000000000..e24fb3fec84 --- /dev/null +++ b/queue-6.1/selftests-binderfs-use-the-makefile-s-rules-not-make.patch @@ -0,0 +1,71 @@ +From eece523fed288d434e7732c94c2c221a6f7fda42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 18:58:20 -0700 +Subject: selftests/binderfs: use the Makefile's rules, not Make's implicit + rules + +From: John Hubbard + +[ Upstream commit 019baf635eb6ffe8d6c1343f81788f02a7e0ed98 ] + +First of all, in order to build with clang at all, one must first apply +Valentin Obst's build fix for LLVM [1]. Once that is done, then when +building with clang, via: + + make LLVM=1 -C tools/testing/selftests + +...the following error occurs: + + clang: error: cannot specify -o when generating multiple output files + +This is because clang, unlike gcc, won't accept invocations of this +form: + + clang file1.c header2.h + +While trying to fix this, I noticed that: + +a) selftests/lib.mk already avoids the problem, and + +b) The binderfs Makefile indavertently bypasses the selftests/lib.mk +build system, and quitely uses Make's implicit build rules for .c files +instead. + +The Makefile attempts to set up both a dependency and a source file, +neither of which was needed, because lib.mk is able to automatically +handle both. This line: + + binderfs_test: binderfs_test.c + +...causes Make's implicit rules to run, which builds binderfs_test +without ever looking at lib.mk. + +Fix this by simply deleting the "binderfs_test:" Makefile target and +letting lib.mk handle it instead. + +[1] https://lore.kernel.org/all/20240329-selftests-libmk-llvm-rfc-v1-1-2f9ed7d1c49f@valentinobst.de/ + +Fixes: 6e29225af902 ("binderfs: port tests to test harness infrastructure") +Cc: Christian Brauner +Signed-off-by: John Hubbard +Reviewed-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/filesystems/binderfs/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/testing/selftests/filesystems/binderfs/Makefile b/tools/testing/selftests/filesystems/binderfs/Makefile +index c2f7cef919c04..eb4c3b4119348 100644 +--- a/tools/testing/selftests/filesystems/binderfs/Makefile ++++ b/tools/testing/selftests/filesystems/binderfs/Makefile +@@ -3,6 +3,4 @@ + CFLAGS += $(KHDR_INCLUDES) -pthread + TEST_GEN_PROGS := binderfs_test + +-binderfs_test: binderfs_test.c ../../kselftest.h ../../kselftest_harness.h +- + include ../../lib.mk +-- +2.43.0 + diff --git a/queue-6.1/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch b/queue-6.1/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch new file mode 100644 index 00000000000..9ad6ec490ac --- /dev/null +++ b/queue-6.1/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch @@ -0,0 +1,40 @@ +From df028939fef3d623e7e85ce5303253f56042d272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 18:35:27 +0800 +Subject: selftests/bpf: Fix a fd leak in error paths in open_netns + +From: Geliang Tang + +[ Upstream commit 151f7442436658ee84076681d8f52e987fe147ea ] + +As Martin mentioned in review comment, there is an existing bug that +orig_netns_fd will be leaked in the later "goto fail;" case after +open("/proc/self/ns/net") in open_netns() in network_helpers.c. This +patch adds "close(token->orig_netns_fd);" before "free(token);" to +fix it. + +Fixes: a30338840fa5 ("selftests/bpf: Move open_netns() and close_netns() into network_helpers.c") +Signed-off-by: Geliang Tang +Link: https://lore.kernel.org/r/a104040b47c3c34c67f3f125cdfdde244a870d3c.1713868264.git.tanggeliang@kylinos.cn +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/network_helpers.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c +index 1fa4672380a92..9448d075bce20 100644 +--- a/tools/testing/selftests/bpf/network_helpers.c ++++ b/tools/testing/selftests/bpf/network_helpers.c +@@ -459,6 +459,8 @@ struct nstoken *open_netns(const char *name) + + return token; + fail: ++ if (token->orig_netns_fd != -1) ++ close(token->orig_netns_fd); + free(token); + return NULL; + } +-- +2.43.0 + diff --git a/queue-6.1/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch b/queue-6.1/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch new file mode 100644 index 00000000000..e236b1d1d36 --- /dev/null +++ b/queue-6.1/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch @@ -0,0 +1,43 @@ +From 0b42a6d9a90f96f63b8730d9c539098b16ed9c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:18:40 +0800 +Subject: selftests/bpf: Fix umount cgroup2 error in test_sockmap + +From: Geliang Tang + +[ Upstream commit d75142dbeb2bd1587b9cc19f841578f541275a64 ] + +This patch fixes the following "umount cgroup2" error in test_sockmap.c: + + (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2 + +Cgroup fd cg_fd should be closed before cleanup_cgroup_environment(). + +Fixes: 13a5f3ffd202 ("bpf: Selftests, sockmap test prog run without setting cgroup") +Signed-off-by: Geliang Tang +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/0399983bde729708773416b8488bac2cd5e022b8.1712639568.git.tanggeliang@kylinos.cn +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_sockmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c +index e768181a1bd75..d56f521b8aaa2 100644 +--- a/tools/testing/selftests/bpf/test_sockmap.c ++++ b/tools/testing/selftests/bpf/test_sockmap.c +@@ -2086,9 +2086,9 @@ int main(int argc, char **argv) + free(options.whitelist); + if (options.blacklist) + free(options.blacklist); ++ close(cg_fd); + if (cg_created) + cleanup_cgroup_environment(); +- close(cg_fd); + return err; + } + +-- +2.43.0 + diff --git a/queue-6.1/selftests-default-to-host-arch-for-llvm-builds.patch b/queue-6.1/selftests-default-to-host-arch-for-llvm-builds.patch new file mode 100644 index 00000000000..6247d889b06 --- /dev/null +++ b/queue-6.1/selftests-default-to-host-arch-for-llvm-builds.patch @@ -0,0 +1,85 @@ +From 200fb98927a5e2f0d3040d4aeec84224bec70c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 11:49:43 +0100 +Subject: selftests: default to host arch for LLVM builds + +From: Valentin Obst + +[ Upstream commit d4e6fbd245c48b272cc591d1c5e7c07aedd7f071 ] + +Align the behavior for gcc and clang builds by interpreting unset +`ARCH` and `CROSS_COMPILE` variables in `LLVM` builds as a sign that the +user wants to build for the host architecture. + +This patch preserves the properties that setting the `ARCH` variable to an +unknown value will trigger an error that complains about insufficient +information, and that a set `CROSS_COMPILE` variable will override the +target triple that is determined based on presence/absence of `ARCH`. + +When compiling with clang, i.e., `LLVM` is set, an unset `ARCH` variable in +combination with an unset `CROSS_COMPILE` variable, i.e., compiling for +the host architecture, leads to compilation failures since `lib.mk` can +not determine the clang target triple. In this case, the following error +message is displayed for each subsystem that does not set `ARCH` in its +own Makefile before including `lib.mk` (lines wrapped at 75 chrs): + + make[1]: Entering directory '/mnt/build/linux/tools/testing/selftests/ + sysctl' + ../lib.mk:33: *** Specify CROSS_COMPILE or add '--target=' option to + lib.mk. Stop. + make[1]: Leaving directory '/mnt/build/linux/tools/testing/selftests/ + sysctl' + +In the same scenario a gcc build would default to the host architecture, +i.e., it would use plain `gcc`. + +Fixes: 795285ef2425 ("selftests: Fix clang cross compilation") +Reviewed-by: Mark Brown +Signed-off-by: Valentin Obst +Reviewed-by: John Hubbard +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index aa646e0661f36..a8f0442a36bca 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -7,6 +7,8 @@ else ifneq ($(filter -%,$(LLVM)),) + LLVM_SUFFIX := $(LLVM) + endif + ++CLANG := $(LLVM_PREFIX)clang$(LLVM_SUFFIX) ++ + CLANG_TARGET_FLAGS_arm := arm-linux-gnueabi + CLANG_TARGET_FLAGS_arm64 := aarch64-linux-gnu + CLANG_TARGET_FLAGS_hexagon := hexagon-linux-musl +@@ -18,7 +20,13 @@ CLANG_TARGET_FLAGS_riscv := riscv64-linux-gnu + CLANG_TARGET_FLAGS_s390 := s390x-linux-gnu + CLANG_TARGET_FLAGS_x86 := x86_64-linux-gnu + CLANG_TARGET_FLAGS_x86_64 := x86_64-linux-gnu +-CLANG_TARGET_FLAGS := $(CLANG_TARGET_FLAGS_$(ARCH)) ++ ++# Default to host architecture if ARCH is not explicitly given. ++ifeq ($(ARCH),) ++CLANG_TARGET_FLAGS := $(shell $(CLANG) -print-target-triple) ++else ++CLANG_TARGET_FLAGS := $(CLANG_TARGET_FLAGS_$(ARCH)) ++endif + + ifeq ($(CROSS_COMPILE),) + ifeq ($(CLANG_TARGET_FLAGS),) +@@ -30,7 +38,7 @@ else + CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) + endif # CROSS_COMPILE + +-CC := $(LLVM_PREFIX)clang$(LLVM_SUFFIX) $(CLANG_FLAGS) -fintegrated-as ++CC := $(CLANG) $(CLANG_FLAGS) -fintegrated-as + else + CC := $(CROSS_COMPILE)gcc + endif # LLVM +-- +2.43.0 + diff --git a/queue-6.1/selftests-kcmp-remove-unused-open-mode.patch b/queue-6.1/selftests-kcmp-remove-unused-open-mode.patch new file mode 100644 index 00000000000..8710e5fd239 --- /dev/null +++ b/queue-6.1/selftests-kcmp-remove-unused-open-mode.patch @@ -0,0 +1,42 @@ +From 7ed7610e8b73040e169a3f6525760e124121d6c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 23:46:09 +0000 +Subject: selftests/kcmp: remove unused open mode + +From: Edward Liaw + +[ Upstream commit eb59a58113717df04b8a8229befd8ab1e5dbf86e ] + +Android bionic warns that open modes are ignored if O_CREAT or O_TMPFILE +aren't specified. The permissions for the file are set above: + + fd1 = open(kpath, O_RDWR | O_CREAT | O_TRUNC, 0644); + +Link: https://lkml.kernel.org/r/20240429234610.191144-1-edliaw@google.com +Fixes: d97b46a64674 ("syscalls, x86: add __NR_kcmp syscall") +Signed-off-by: Edward Liaw +Reviewed-by: Cyrill Gorcunov +Cc: Eric Biederman +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kcmp/kcmp_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c +index 25110c7c0b3ed..d7a8e321bb16b 100644 +--- a/tools/testing/selftests/kcmp/kcmp_test.c ++++ b/tools/testing/selftests/kcmp/kcmp_test.c +@@ -91,7 +91,7 @@ int main(int argc, char **argv) + ksft_print_header(); + ksft_set_plan(3); + +- fd2 = open(kpath, O_RDWR, 0644); ++ fd2 = open(kpath, O_RDWR); + if (fd2 < 0) { + perror("Can't open file"); + ksft_exit_fail(); +-- +2.43.0 + diff --git a/queue-6.1/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch b/queue-6.1/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch new file mode 100644 index 00000000000..fdaecf67568 --- /dev/null +++ b/queue-6.1/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch @@ -0,0 +1,82 @@ +From 115c2bb3cf0a95095fdc2db667380ad6b13ab95c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:52:57 +0300 +Subject: selftests: net: bridge: increase IGMP/MLD exclude timeout membership + interval + +From: Nikolay Aleksandrov + +[ Upstream commit 06080ea23095afe04a2cb7a8d05fab4311782623 ] + +When running the bridge IGMP/MLD selftests on debug kernels we can get +spurious errors when setting up the IGMP/MLD exclude timeout tests +because the membership interval is just 3 seconds and the setup has 2 +seconds of sleep plus various validations, the one second that is left +is not enough. Increase the membership interval from 3 to 5 seconds to +make room for the setup validation and 2 seconds of sleep. + +Fixes: 34d7ecb3d4f7 ("selftests: net: bridge: update IGMP/MLD membership interval value") +Reported-by: Jakub Kicinski +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_igmp.sh | 6 +++--- + tools/testing/selftests/net/forwarding/bridge_mld.sh | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_igmp.sh b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +index 1162836f8f329..6dc3cb4ac6081 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_igmp.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +@@ -481,10 +481,10 @@ v3exc_timeout_test() + RET=0 + local X=("192.0.2.20" "192.0.2.30") + +- # GMI should be 3 seconds ++ # GMI should be 5 seconds + ip link set dev br0 type bridge mcast_query_interval 100 \ + mcast_query_response_interval 100 \ +- mcast_membership_interval 300 ++ mcast_membership_interval 500 + + v3exclude_prepare $h1 $ALL_MAC $ALL_GROUP + ip link set dev br0 type bridge mcast_query_interval 500 \ +@@ -492,7 +492,7 @@ v3exc_timeout_test() + mcast_membership_interval 1500 + + $MZ $h1 -c 1 -b $ALL_MAC -B $ALL_GROUP -t ip "proto=2,p=$MZPKT_ALLOW2" -q +- sleep 3 ++ sleep 5 + bridge -j -d -s mdb show dev br0 \ + | jq -e ".[].mdb[] | \ + select(.grp == \"$TEST_GROUP\" and \ +diff --git a/tools/testing/selftests/net/forwarding/bridge_mld.sh b/tools/testing/selftests/net/forwarding/bridge_mld.sh +index e2b9ff773c6b6..f84ab2e657547 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_mld.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_mld.sh +@@ -478,10 +478,10 @@ mldv2exc_timeout_test() + RET=0 + local X=("2001:db8:1::20" "2001:db8:1::30") + +- # GMI should be 3 seconds ++ # GMI should be 5 seconds + ip link set dev br0 type bridge mcast_query_interval 100 \ + mcast_query_response_interval 100 \ +- mcast_membership_interval 300 ++ mcast_membership_interval 500 + + mldv2exclude_prepare $h1 + ip link set dev br0 type bridge mcast_query_interval 500 \ +@@ -489,7 +489,7 @@ mldv2exc_timeout_test() + mcast_membership_interval 1500 + + $MZ $h1 -c 1 $MZPKT_ALLOW2 -q +- sleep 3 ++ sleep 5 + bridge -j -d -s mdb show dev br0 \ + | jq -e ".[].mdb[] | \ + select(.grp == \"$TEST_GROUP\" and \ +-- +2.43.0 + diff --git a/queue-6.1/selftests-net-move-amt-to-socat-for-better-compatibi.patch b/queue-6.1/selftests-net-move-amt-to-socat-for-better-compatibi.patch new file mode 100644 index 00000000000..b3f0c2a6ac1 --- /dev/null +++ b/queue-6.1/selftests-net-move-amt-to-socat-for-better-compatibi.patch @@ -0,0 +1,77 @@ +From 13a3b6c58c1ca826fc24bdecd66b12a6b8b48075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:19:52 -0700 +Subject: selftests: net: move amt to socat for better compatibility + +From: Jakub Kicinski + +[ Upstream commit 4c639b6a7b9db236c0907aca8e92d1537076f2cd ] + +The test seems to expect that nc will exit after the first +received message. This is not the case with Ncat 7.94. +There are multiple versions of nc out there, switch +to socat for better compatibility. + +Tell socat to exit after 128 bytes and pad the message. + +Since the test sets -e make sure we don't set exit code +(|| true) and print the pass / fail rather then silently +moving over the test and just setting non-zero exit code +with no output indicating what failed. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Acked-by: Paolo Abeni +Tested-by: Taehee Yoo +Link: https://lore.kernel.org/r/20240509161952.3940476-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index 75528788cb95e..5175a42cbe8a2 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -210,8 +210,8 @@ check_features() + + test_ipv4_forward() + { +- RESULT4=$(ip netns exec "${LISTENER}" nc -w 1 -l -u 239.0.0.1 4000) +- if [ "$RESULT4" == "172.17.0.2" ]; then ++ RESULT4=$(ip netns exec "${LISTENER}" timeout 15 socat - UDP4-LISTEN:4000,readbytes=128 || true) ++ if echo "$RESULT4" | grep -q "172.17.0.2"; then + printf "TEST: %-60s [ OK ]\n" "IPv4 amt multicast forwarding" + exit 0 + else +@@ -222,8 +222,8 @@ test_ipv4_forward() + + test_ipv6_forward() + { +- RESULT6=$(ip netns exec "${LISTENER}" nc -w 1 -l -u ff0e::5:6 6000) +- if [ "$RESULT6" == "2001:db8:3::2" ]; then ++ RESULT6=$(ip netns exec "${LISTENER}" timeout 15 socat - UDP6-LISTEN:6000,readbytes=128 || true) ++ if echo "$RESULT6" | grep -q "2001:db8:3::2"; then + printf "TEST: %-60s [ OK ]\n" "IPv6 amt multicast forwarding" + exit 0 + else +@@ -236,14 +236,14 @@ send_mcast4() + { + sleep 2 + ip netns exec "${SOURCE}" bash -c \ +- 'echo 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & ++ 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { + sleep 2 + ip netns exec "${SOURCE}" bash -c \ +- 'echo 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & ++ 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } + + check_features +-- +2.43.0 + diff --git a/queue-6.1/selftests-resctrl-fix-clang-build-failure-use-local_.patch b/queue-6.1/selftests-resctrl-fix-clang-build-failure-use-local_.patch new file mode 100644 index 00000000000..4a5c34108a0 --- /dev/null +++ b/queue-6.1/selftests-resctrl-fix-clang-build-failure-use-local_.patch @@ -0,0 +1,60 @@ +From 40882d8d02e1ee09a2dc366f55c624c7d8f7fa28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 19:17:12 -0700 +Subject: selftests/resctrl: fix clang build failure: use LOCAL_HDRS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Hubbard + +[ Upstream commit d8171aa4ca72f1a67bf3c14c59441d63c1d2585f ] + +First of all, in order to build with clang at all, one must first apply +Valentin Obst's build fix for LLVM [1]. Once that is done, then when +building with clang, via: + + make LLVM=1 -C tools/testing/selftests + +...the following error occurs: + + clang: error: cannot specify -o when generating multiple output files + +This is because clang, unlike gcc, won't accept invocations of this +form: + + clang file1.c header2.h + +Fix this by using selftests/lib.mk facilities for tracking local header +file dependencies: add them to LOCAL_HDRS, leaving only the .c files to +be passed to the compiler. + +[1] https://lore.kernel.org/all/20240329-selftests-libmk-llvm-rfc-v1-1-2f9ed7d1c49f@valentinobst.de/ + +Fixes: 8e289f454289 ("selftests/resctrl: Add resctrl.h into build deps") +Cc: Ilpo Järvinen +Signed-off-by: John Hubbard +Acked-by: Reinette Chatre +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/resctrl/Makefile b/tools/testing/selftests/resctrl/Makefile +index 2deac2031de9e..021863f86053a 100644 +--- a/tools/testing/selftests/resctrl/Makefile ++++ b/tools/testing/selftests/resctrl/Makefile +@@ -5,6 +5,8 @@ CFLAGS += $(KHDR_INCLUDES) + + TEST_GEN_PROGS := resctrl_tests + ++LOCAL_HDRS += $(wildcard *.h) ++ + include ../lib.mk + +-$(OUTPUT)/resctrl_tests: $(wildcard *.[ch]) ++$(OUTPUT)/resctrl_tests: $(wildcard *.c) +-- +2.43.0 + diff --git a/queue-6.1/selftests-sud_test-return-correct-emulated-syscall-v.patch b/queue-6.1/selftests-sud_test-return-correct-emulated-syscall-v.patch new file mode 100644 index 00000000000..b1a8b85a159 --- /dev/null +++ b/queue-6.1/selftests-sud_test-return-correct-emulated-syscall-v.patch @@ -0,0 +1,56 @@ +From 0c1f2a064519cff5ab15d0f8e189204188cbe085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 14:44:37 +0100 +Subject: selftests: sud_test: return correct emulated syscall value on RISC-V +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 17c67ed752d6a456602b3dbb25c5ae4d3de5deab ] + +Currently, the sud_test expects the emulated syscall to return the +emulated syscall number. This assumption only works on architectures +were the syscall calling convention use the same register for syscall +number/syscall return value. This is not the case for RISC-V and thus +the return value must be also emulated using the provided ucontext. + +Signed-off-by: Clément Léger +Reviewed-by: Palmer Dabbelt +Acked-by: Palmer Dabbelt +Link: https://lore.kernel.org/r/20231206134438.473166-1-cleger@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + .../selftests/syscall_user_dispatch/sud_test.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +index b5d592d4099e8..d975a67673299 100644 +--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c ++++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +@@ -158,6 +158,20 @@ static void handle_sigsys(int sig, siginfo_t *info, void *ucontext) + + /* In preparation for sigreturn. */ + SYSCALL_DISPATCH_OFF(glob_sel); ++ ++ /* ++ * The tests for argument handling assume that `syscall(x) == x`. This ++ * is a NOP on x86 because the syscall number is passed in %rax, which ++ * happens to also be the function ABI return register. Other ++ * architectures may need to swizzle the arguments around. ++ */ ++#if defined(__riscv) ++/* REG_A7 is not defined in libc headers */ ++# define REG_A7 (REG_A0 + 7) ++ ++ ((ucontext_t *)ucontext)->uc_mcontext.__gregs[REG_A0] = ++ ((ucontext_t *)ucontext)->uc_mcontext.__gregs[REG_A7]; ++#endif + } + + TEST(dispatch_and_return) +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index bd48397a520..4defc59175e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -23,3 +23,252 @@ alsa-core-fix-null-module-pointer-assignment-at-card-init.patch alsa-timer-set-lower-bound-of-start-tick-time.patch alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch +wifi-mac80211-don-t-use-rate-mask-for-scanning.patch +wifi-mac80211-ensure-beacon-is-non-s1g-prior-to-extr.patch +wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch +dt-bindings-rockchip-grf-add-missing-type-to-pcie-ph.patch +net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch +drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch +drm-amdgpu-update-bo-eviction-priorities.patch +drm-amdgpu-fix-the-ring-buffer-size-for-queue-vm-flu.patch +drm-amdgpu-mes-fix-use-after-free-issue.patch +loongarch-lately-init-pmu-after-smp-is-online.patch +selftests-sud_test-return-correct-emulated-syscall-v.patch +sched-isolation-fix-boot-crash-when-maxcpus-first-ho.patch +asoc-intel-bytcr_rt5640-apply-asus-t100ta-quirk-to-a.patch +regulator-irq_helpers-duplicate-irq-name.patch +asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch +asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch +regulator-vqmmc-ipq4019-fix-module-autoloading.patch +asoc-rt715-add-vendor-clear-control-register.patch +asoc-rt715-sdca-volume-step-modification.patch +kvm-selftests-add-test-for-uaccesses-to-non-existent.patch +fpga-dfl-pci-add-pci-subdevice-id-for-intel-d5005-ca.patch +softirq-fix-suspicious-rcu-usage-in-__do_softirq.patch +asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch +alsa-hda-intel-dsp-config-harden-i2c-i2s-codec-detec.patch +drm-amd-display-add-dtbclk-access-to-dcn315.patch +drm-amd-display-add-vco-speed-parameter-for-dcn31-fp.patch +drm-amdkfd-flush-the-process-wq-before-creating-a-kf.patch +x86-mm-remove-broken-vsyscall-emulation-code-from-th.patch +nvme-find-numa-distance-only-if-controller-has-valid.patch +nvmet-auth-return-the-error-code-to-the-nvmet_auth_h.patch +nvmet-auth-replace-pr_debug-with-pr_err-to-report-an.patch +nvmet-tcp-fix-possible-memory-leak-when-tearing-down.patch +nvmet-fix-nvme-status-code-when-namespace-is-disable.patch +epoll-be-better-about-file-lifetimes.patch +nvmet-prevent-sprintf-overflow-in-nvmet_subsys_nsid_.patch +openpromfs-finish-conversion-to-the-new-mount-api.patch +crypto-bcm-fix-pointer-arithmetic.patch +mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch +firmware-raspberrypi-use-correct-device-for-dma-mapp.patch +ecryptfs-fix-buffer-size-for-tag-66-packet.patch +nilfs2-fix-out-of-range-warning.patch +parisc-add-missing-export-of-__cmpxchg_u8.patch +crypto-ccp-drop-platform-ifdef-checks.patch +crypto-x86-nh-avx2-add-missing-vzeroupper.patch +crypto-x86-sha256-avx2-add-missing-vzeroupper.patch +crypto-x86-sha512-avx2-add-missing-vzeroupper.patch +s390-cio-fix-tracepoint-subchannel-type-field.patch +io_uring-don-t-use-tif_notify_signal-to-test-for-ava.patch +io_uring-use-the-right-type-for-work_llist-empty-che.patch +rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch +rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch +arm-configs-sunxi-enable-drm_dw_hdmi.patch +jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch +soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch +null_blk-fix-missing-mutex_destroy-at-module-removal.patch +md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch +block-open-code-__blk_account_io_start.patch +block-open-code-__blk_account_io_done.patch +block-support-to-account-io_ticks-precisely.patch +wifi-ath10k-poll-service-ready-message-before-failin.patch +wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch +wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch +bpftool-fix-missing-pids-during-link-show.patch +x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch +sched-fair-add-eas-checks-before-updating-root_domai.patch +acpi-fix-generic-initiator-affinity-_osc-bit.patch +qed-avoid-truncating-work-queue-length.patch +net-mlx5e-fail-with-messages-when-params-are-not-val.patch +mlx5-stop-warning-for-64kb-pages.patch +bitops-add-missing-prototype-check.patch +wifi-carl9170-re-fix-fortified-memset-warning.patch +bpf-pack-struct-bpf_fib_lookup.patch +scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch +scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch +scsi-ufs-ufs-qcom-fix-the-qcom-register-name-for-off.patch +scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-versio.patch +scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch +scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch +scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch +scsi-ufs-core-perform-read-back-after-disabling-inte.patch +scsi-ufs-core-perform-read-back-after-disabling-uic_.patch +acpi-lpss-advertise-number-of-chip-selects-via-prope.patch +irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch +irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch +acpi-disable-wstringop-truncation.patch +gfs2-don-t-forget-to-complete-delayed-withdraw.patch +gfs2-fix-ignore-unlock-failures-after-withdraw.patch +x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch +selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch +cpufreq-exit-callback-is-optional.patch +x86-pat-introduce-lookup_address_in_pgd_attr.patch +x86-pat-restructure-_lookup_address_cpa.patch +x86-pat-fix-w-x-violation-false-positives-when-runni.patch +net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch +net-remove-duplicate-reuseport_lookup-functions.patch +udp-avoid-call-to-compute_score-on-multiple-sites.patch +cppc_cpufreq-fix-possible-null-pointer-dereference.patch +scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch +scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch +x86-purgatory-switch-to-the-position-independent-sma.patch +thermal-drivers-tsens-fix-null-pointer-dereference.patch +wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch +selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch +wifi-ath10k-populate-board-data-for-wcn3990.patch +net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch +net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch +tcp-avoid-premature-drops-in-tcp_add_backlog.patch +pwm-sti-convert-to-platform-remove-callback-returnin.patch +pwm-sti-prepare-removing-pwm_chip-from-driver-data.patch +pwm-sti-simplify-probe-function-using-devm-functions.patch +drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch +drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch +drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch +net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch +macintosh-via-macii-fix-bug-sleeping-function-called.patch +wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch +wifi-ar5523-enable-proper-endpoint-verification.patch +sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch +revert-sh-handle-calling-csum_partial-with-misaligne.patch +wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch +libbpf-fix-error-message-in-attach_kprobe_multi.patch +selftests-binderfs-use-the-makefile-s-rules-not-make.patch +selftests-resctrl-fix-clang-build-failure-use-local_.patch +selftests-default-to-host-arch-for-llvm-builds.patch +kunit-fix-kthread-reference.patch +hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch +scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch +scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch +scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch +kernel-numa.c-move-logging-out-of-numa.h.patch +x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch +wifi-mwl8k-initialize-cmd-addr-properly.patch +hid-amd_sfh-handle-no-sensors-in-pm-operations.patch +usb-aqc111-stop-lying-about-skb-truesize.patch +net-usb-sr9700-stop-lying-about-skb-truesize.patch +m68k-fix-spinlock-race-in-kernel-thread-creation.patch +m68k-mac-fix-reboot-hang-on-mac-iici.patch +net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch +eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch +selftests-net-move-amt-to-socat-for-better-compatibi.patch +net-ethernet-cortina-locking-fixes.patch +af_unix-fix-data-races-in-unix_release_sock-unix_str.patch +net-usb-smsc95xx-stop-lying-about-skb-truesize.patch +net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch +ipv6-sr-add-missing-seg6_local_exit.patch +ipv6-sr-fix-incorrect-unregister-order.patch +ipv6-sr-fix-invalid-unregister-error-path.patch +net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch +net-mlx5-discard-command-completions-in-internal-err.patch +s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch +riscv-bpf-make-some-atomic-operations-fully-ordered.patch +ax25-use-kernel-universal-linked-list-to-implement-a.patch +ax25-fix-reference-count-leak-issues-of-ax25_dev.patch +ax25-fix-reference-count-leak-issue-of-net_device.patch +mptcp-so_keepalive-fix-getsockopt-support.patch +bluetooth-consolidate-code-around-sk_alloc-into-a-he.patch +bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch +bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch +drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch +printk-let-no_printk-use-_printk.patch +dev_printk-add-and-use-dev_no_printk.patch +drm-lcdif-do-not-disable-clocks-on-already-suspended.patch +drm-panel-samsung-atna33xc20-use-ktime_get_boottime-.patch +drm-dp-don-t-attempt-aux-transfers-when-edp-panels-a.patch +drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch +drm-amd-display-fix-potential-index-out-of-bounds-in.patch +asoc-intel-disable-route-checks-for-skylake-boards.patch +asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch +mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch +mtd-rawnand-hynix-fixed-typo.patch +fbdev-shmobile-fix-snprintf-truncation.patch +asoc-kirkwood-fix-potential-null-dereference.patch +drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch +drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch +powerpc-fsl-soc-hide-unused-const-variable.patch +fbdev-sisfb-hide-unused-variables.patch +asoc-intel-avs-fix-asrc-module-initialization.patch +asoc-intel-avs-fix-potential-integer-overflow.patch +media-ngene-add-dvb_ca_en50221_init-return-value-che.patch +media-rcar-vin-work-around-wenum-compare-conditional.patch +media-radio-shark2-avoid-led_names-truncations.patch +drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch +platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch +drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch +drm-msm-dp-return-irq_none-for-unhandled-interrupts.patch +drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch +media-ipu3-cio2-request-irq-earlier.patch +media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch +fbdev-sh7760fb-allow-modular-build.patch +media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch +drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch +drm-vc4-fix-possible-null-pointer-dereference.patch +asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch +drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch +drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch +drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch +drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch +drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch +drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch +drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch +drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch +clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch +rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch +rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch +rdma-hns-fix-deadlock-on-srq-async-events.patch +rdma-hns-fix-uaf-for-cq-async-event.patch +rdma-hns-fix-gmv-table-pagesize.patch +rdma-hns-use-complete-parentheses-in-macros.patch +rdma-hns-modify-the-print-level-of-cqe-error.patch +clk-mediatek-mt8365-mm-fix-dpi0-parent.patch +clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch +rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch +rdma-rxe-replace-pr_xxx-by-rxe_dbg_xxx-in-rxe_net.c.patch +rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch +ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch +clk-renesas-r8a779a0-fix-canfd-parent-clock.patch +clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch +lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch +clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch +clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch +clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch +x86-insn-fix-push-instruction-in-x86-instruction-dec.patch +x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch +ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch +virt-acrn-stop-using-follow_pfn.patch +drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch +sunrpc-removed-redundant-procp-check.patch +ext4-simplify-calculation-of-blkoff-in-ext4_mb_new_b.patch +ext4-fix-unit-mismatch-in-ext4_mb_new_blocks_simple.patch +ext4-try-all-groups-in-ext4_mb_new_blocks_simple.patch +ext4-remove-unused-parameter-from-ext4_mb_new_blocks.patch +ext4-fix-potential-unnitialized-variable.patch +nilfs2-make-superblock-data-array-index-computation-.patch +sunrpc-fix-gss_free_in_token_pages.patch +selftests-kcmp-remove-unused-open-mode.patch +rdma-ipoib-fix-format-truncation-compilation-errors.patch +net-add-pskb_may_pull_reason-helper.patch +net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch +selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch +net-bridge-mst-fix-vlan-use-after-free.patch +net-qrtr-ns-fix-module-refcnt.patch +netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch +af_packet-do-not-call-packet_read_pending-from-tpack.patch +sched-fair-allow-disabling-sched_balance_newidle-wit.patch +sched-core-fix-incorrect-initialization-of-the-burst.patch +scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-.patch diff --git a/queue-6.1/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch b/queue-6.1/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch new file mode 100644 index 00000000000..4fe5f00984f --- /dev/null +++ b/queue-6.1/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch @@ -0,0 +1,53 @@ +From aa5505d3b1e2e60cc8768896e3fed51b34e1db54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:02:30 +0100 +Subject: sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() + +From: Geert Uytterhoeven + +[ Upstream commit 1422ae080b66134fe192082d9b721ab7bd93fcc5 ] + +arch/sh/kernel/kprobes.c:52:16: warning: no previous prototype for 'arch_copy_kprobe' [-Wmissing-prototypes] + +Although SH kprobes support was only merged in v2.6.28, it missed the +earlier removal of the arch_copy_kprobe() callback in v2.6.15. + +Based on the powerpc part of commit 49a2a1b83ba6fa40 ("[PATCH] kprobes: +changed from using spinlock to mutex"). + +Fixes: d39f5450146ff39f ("sh: Add kprobes support.") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/717d47a19689cc944fae6e981a1ad7cae1642c89.1709326528.git.geert+renesas@glider.be +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/kprobes.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c +index aed1ea8e2c2f0..74051b8ddf3e7 100644 +--- a/arch/sh/kernel/kprobes.c ++++ b/arch/sh/kernel/kprobes.c +@@ -44,17 +44,12 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + if (OPCODE_RTE(opcode)) + return -EFAULT; /* Bad breakpoint */ + ++ memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); + p->opcode = opcode; + + return 0; + } + +-void __kprobes arch_copy_kprobe(struct kprobe *p) +-{ +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); +- p->opcode = *p->addr; +-} +- + void __kprobes arch_arm_kprobe(struct kprobe *p) + { + *p->addr = BREAKPOINT_INSTRUCTION; +-- +2.43.0 + diff --git a/queue-6.1/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch b/queue-6.1/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch new file mode 100644 index 00000000000..6737462b4f9 --- /dev/null +++ b/queue-6.1/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch @@ -0,0 +1,49 @@ +From 23b6609049f267b8d5fca9452c6cf7be3093e6a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 15:41:09 +0000 +Subject: soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE + +From: Chun-Kuang Hu + +[ Upstream commit ed4d5ab179b9f0a60da87c650a31f1816db9b4b4 ] + +For cmdq jump command, offset 0 means relative jump and offset 1 +means absolute jump. cmdq_pkt_jump() is absolute jump, so fix the +typo of CMDQ_JUMP_RELATIVE in cmdq_pkt_jump(). + +Fixes: 946f1792d3d7 ("soc: mediatek: cmdq: add jump function") +Signed-off-by: Chun-Kuang Hu +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240222154120.16959-2-chunkuang.hu@kernel.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/mediatek/mtk-cmdq-helper.c b/drivers/soc/mediatek/mtk-cmdq-helper.c +index c1837a4682673..3ed8bd63f7e14 100644 +--- a/drivers/soc/mediatek/mtk-cmdq-helper.c ++++ b/drivers/soc/mediatek/mtk-cmdq-helper.c +@@ -13,7 +13,8 @@ + #define CMDQ_POLL_ENABLE_MASK BIT(0) + #define CMDQ_EOC_IRQ_EN BIT(0) + #define CMDQ_REG_TYPE 1 +-#define CMDQ_JUMP_RELATIVE 1 ++#define CMDQ_JUMP_RELATIVE 0 ++#define CMDQ_JUMP_ABSOLUTE 1 + + struct cmdq_instruction { + union { +@@ -396,7 +397,7 @@ int cmdq_pkt_jump(struct cmdq_pkt *pkt, dma_addr_t addr) + struct cmdq_instruction inst = {}; + + inst.op = CMDQ_CODE_JUMP; +- inst.offset = CMDQ_JUMP_RELATIVE; ++ inst.offset = CMDQ_JUMP_ABSOLUTE; + inst.value = addr >> + cmdq_get_shift_pa(((struct cmdq_client *)pkt->cl)->chan); + return cmdq_pkt_append_command(pkt, inst); +-- +2.43.0 + diff --git a/queue-6.1/softirq-fix-suspicious-rcu-usage-in-__do_softirq.patch b/queue-6.1/softirq-fix-suspicious-rcu-usage-in-__do_softirq.patch new file mode 100644 index 00000000000..26a2710cf24 --- /dev/null +++ b/queue-6.1/softirq-fix-suspicious-rcu-usage-in-__do_softirq.patch @@ -0,0 +1,102 @@ +From f9715d131c57db6bef1fe478e0471ef4aad7f4df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 18:28:08 +0800 +Subject: softirq: Fix suspicious RCU usage in __do_softirq() + +From: Zqiang + +[ Upstream commit 1dd1eff161bd55968d3d46bc36def62d71fb4785 ] + +Currently, the condition "__this_cpu_read(ksoftirqd) == current" is used to +invoke rcu_softirq_qs() in ksoftirqd tasks context for non-RT kernels. + +This works correctly as long as the context is actually task context but +this condition is wrong when: + + - the current task is ksoftirqd + - the task is interrupted in a RCU read side critical section + - __do_softirq() is invoked on return from interrupt + +Syzkaller triggered the following scenario: + + -> finish_task_switch() + -> put_task_struct_rcu_user() + -> call_rcu(&task->rcu, delayed_put_task_struct) + -> __kasan_record_aux_stack() + -> pfn_valid() + -> rcu_read_lock_sched() + + __irq_exit_rcu() + -> __do_softirq)() + -> if (!IS_ENABLED(CONFIG_PREEMPT_RT) && + __this_cpu_read(ksoftirqd) == current) + -> rcu_softirq_qs() + -> RCU_LOCKDEP_WARN(lock_is_held(&rcu_sched_lock_map)) + +The rcu quiescent state is reported in the rcu-read critical section, so +the lockdep warning is triggered. + +Fix this by splitting out the inner working of __do_softirq() into a helper +function which takes an argument to distinguish between ksoftirqd task +context and interrupted context and invoke it from the relevant call sites +with the proper context information and use that for the conditional +invocation of rcu_softirq_qs(). + +Reported-by: syzbot+dce04ed6d1438ad69656@syzkaller.appspotmail.com +Suggested-by: Thomas Gleixner +Signed-off-by: Zqiang +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240427102808.29356-1-qiang.zhang1211@gmail.com +Link: https://lore.kernel.org/lkml/8f281a10-b85a-4586-9586-5bbc12dc784f@paulmck-laptop/T/#mea8aba4abfcb97bbf499d169ce7f30c4cff1b0e3 +Signed-off-by: Sasha Levin +--- + kernel/softirq.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/softirq.c b/kernel/softirq.c +index c8a6913c067d9..a47396161843a 100644 +--- a/kernel/softirq.c ++++ b/kernel/softirq.c +@@ -525,7 +525,7 @@ static inline bool lockdep_softirq_start(void) { return false; } + static inline void lockdep_softirq_end(bool in_hardirq) { } + #endif + +-asmlinkage __visible void __softirq_entry __do_softirq(void) ++static void handle_softirqs(bool ksirqd) + { + unsigned long end = jiffies + MAX_SOFTIRQ_TIME; + unsigned long old_flags = current->flags; +@@ -580,8 +580,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void) + pending >>= softirq_bit; + } + +- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && +- __this_cpu_read(ksoftirqd) == current) ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && ksirqd) + rcu_softirq_qs(); + + local_irq_disable(); +@@ -601,6 +600,11 @@ asmlinkage __visible void __softirq_entry __do_softirq(void) + current_restore_flags(old_flags, PF_MEMALLOC); + } + ++asmlinkage __visible void __softirq_entry __do_softirq(void) ++{ ++ handle_softirqs(false); ++} ++ + /** + * irq_enter_rcu - Enter an interrupt context with RCU watching + */ +@@ -931,7 +935,7 @@ static void run_ksoftirqd(unsigned int cpu) + * We can safely run softirq on inline stack, as we are not deep + * in the task stack here. + */ +- __do_softirq(); ++ handle_softirqs(true); + ksoftirqd_run_end(); + cond_resched(); + return; +-- +2.43.0 + diff --git a/queue-6.1/sunrpc-fix-gss_free_in_token_pages.patch b/queue-6.1/sunrpc-fix-gss_free_in_token_pages.patch new file mode 100644 index 00000000000..58502927273 --- /dev/null +++ b/queue-6.1/sunrpc-fix-gss_free_in_token_pages.patch @@ -0,0 +1,78 @@ +From 65826c3fd8e86180d6d876f424448e1f0fdfdc21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 09:10:41 -0400 +Subject: SUNRPC: Fix gss_free_in_token_pages() + +From: Chuck Lever + +[ Upstream commit bafa6b4d95d97877baa61883ff90f7e374427fae ] + +Dan Carpenter says: +> Commit 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") from Oct +> 24, 2019 (linux-next), leads to the following Smatch static checker +> warning: +> +> net/sunrpc/auth_gss/svcauth_gss.c:1039 gss_free_in_token_pages() +> warn: iterator 'i' not incremented +> +> net/sunrpc/auth_gss/svcauth_gss.c +> 1034 static void gss_free_in_token_pages(struct gssp_in_token *in_token) +> 1035 { +> 1036 u32 inlen; +> 1037 int i; +> 1038 +> --> 1039 i = 0; +> 1040 inlen = in_token->page_len; +> 1041 while (inlen) { +> 1042 if (in_token->pages[i]) +> 1043 put_page(in_token->pages[i]); +> ^ +> This puts page zero over and over. +> +> 1044 inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +> 1045 } +> 1046 +> 1047 kfree(in_token->pages); +> 1048 in_token->pages = NULL; +> 1049 } + +Based on the way that the ->pages[] array is constructed in +gss_read_proxy_verf(), we know that once the loop encounters a NULL +page pointer, the remaining array elements must also be NULL. + +Reported-by: Dan Carpenter +Suggested-by: Trond Myklebust +Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index bdc34ea0d939d..9d045aa6805d7 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1132,17 +1132,11 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, + + static void gss_free_in_token_pages(struct gssp_in_token *in_token) + { +- u32 inlen; + int i; + + i = 0; +- inlen = in_token->page_len; +- while (inlen) { +- if (in_token->pages[i]) +- put_page(in_token->pages[i]); +- inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +- } +- ++ while (in_token->pages[i]) ++ put_page(in_token->pages[i++]); + kfree(in_token->pages); + in_token->pages = NULL; + } +-- +2.43.0 + diff --git a/queue-6.1/sunrpc-removed-redundant-procp-check.patch b/queue-6.1/sunrpc-removed-redundant-procp-check.patch new file mode 100644 index 00000000000..78e3bbfdf87 --- /dev/null +++ b/queue-6.1/sunrpc-removed-redundant-procp-check.patch @@ -0,0 +1,39 @@ +From 0ec815dc57f3908b484804c4b7d3c8563a009ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 14:10:44 +0700 +Subject: sunrpc: removed redundant procp check + +From: Aleksandr Aprelkov + +[ Upstream commit a576f36971ab4097b6aa76433532aa1fb5ee2d3b ] + +since vs_proc pointer is dereferenced before getting it's address there's +no need to check for NULL. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 8e5b67731d08 ("SUNRPC: Add a callback to initialise server requests") +Signed-off-by: Aleksandr Aprelkov +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index 9b0b21cccca9a..666d738bcf07e 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1205,8 +1205,6 @@ svc_generic_init_request(struct svc_rqst *rqstp, + if (rqstp->rq_proc >= versp->vs_nproc) + goto err_bad_proc; + rqstp->rq_procinfo = procp = &versp->vs_proc[rqstp->rq_proc]; +- if (!procp) +- goto err_bad_proc; + + /* Initialize storage for argp and resp */ + memset(rqstp->rq_argp, 0, procp->pc_argzero); +-- +2.43.0 + diff --git a/queue-6.1/tcp-avoid-premature-drops-in-tcp_add_backlog.patch b/queue-6.1/tcp-avoid-premature-drops-in-tcp_add_backlog.patch new file mode 100644 index 00000000000..c55820d7f0a --- /dev/null +++ b/queue-6.1/tcp-avoid-premature-drops-in-tcp_add_backlog.patch @@ -0,0 +1,87 @@ +From 8211fb434b40789250172a29c0fdf45c6510b884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 12:56:20 +0000 +Subject: tcp: avoid premature drops in tcp_add_backlog() + +From: Eric Dumazet + +[ Upstream commit ec00ed472bdb7d0af840da68c8c11bff9f4d9caa ] + +While testing TCP performance with latest trees, +I saw suspect SOCKET_BACKLOG drops. + +tcp_add_backlog() computes its limit with : + + limit = (u32)READ_ONCE(sk->sk_rcvbuf) + + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1); + limit += 64 * 1024; + +This does not take into account that sk->sk_backlog.len +is reset only at the very end of __release_sock(). + +Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach +sk_rcvbuf in normal conditions. + +We should double sk->sk_rcvbuf contribution in the formula +to absorb bubbles in the backlog, which happen more often +for very fast flows. + +This change maintains decent protection against abuses. + +Fixes: c377411f2494 ("net: sk_add_backlog() take rmem_alloc into account") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240423125620.3309458-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 5dcb969cb5e9c..befa848fb820c 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1771,7 +1771,7 @@ int tcp_v4_early_demux(struct sk_buff *skb) + bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + enum skb_drop_reason *reason) + { +- u32 limit, tail_gso_size, tail_gso_segs; ++ u32 tail_gso_size, tail_gso_segs; + struct skb_shared_info *shinfo; + const struct tcphdr *th; + struct tcphdr *thtail; +@@ -1780,6 +1780,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + bool fragstolen; + u32 gso_segs; + u32 gso_size; ++ u64 limit; + int delta; + + /* In case all data was pulled from skb frags (in __pskb_pull_tail()), +@@ -1877,7 +1878,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + __skb_push(skb, hdrlen); + + no_coalesce: +- limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1); ++ /* sk->sk_backlog.len is reset only at the end of __release_sock(). ++ * Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach ++ * sk_rcvbuf in normal conditions. ++ */ ++ limit = ((u64)READ_ONCE(sk->sk_rcvbuf)) << 1; ++ ++ limit += ((u32)READ_ONCE(sk->sk_sndbuf)) >> 1; + + /* Only socket owner can try to collapse/prune rx queues + * to reduce memory overhead, so add a little headroom here. +@@ -1885,6 +1892,8 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + */ + limit += 64 * 1024; + ++ limit = min_t(u64, limit, UINT_MAX); ++ + if (unlikely(sk_add_backlog(sk, skb, limit))) { + bh_unlock_sock(sk); + *reason = SKB_DROP_REASON_SOCKET_BACKLOG; +-- +2.43.0 + diff --git a/queue-6.1/thermal-drivers-tsens-fix-null-pointer-dereference.patch b/queue-6.1/thermal-drivers-tsens-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..72a557101e4 --- /dev/null +++ b/queue-6.1/thermal-drivers-tsens-fix-null-pointer-dereference.patch @@ -0,0 +1,42 @@ +From 7943c72a5504b1fe4b25b1a3f0e5d8fc0172789a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 14:40:21 +0300 +Subject: thermal/drivers/tsens: Fix null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit d998ddc86a27c92140b9f7984ff41e3d1d07a48f ] + +compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) +as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null +pointer dereference (if DEBUG or DYNAMIC_DEBUG set). +Fix this bug by adding null pointer check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: dfc1193d4dbd ("thermal/drivers/tsens: Replace custom 8960 apis with generic apis") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Konrad Dybcio +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240411114021.12203-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c +index 252c5ffdd1b66..fc58db60852a0 100644 +--- a/drivers/thermal/qcom/tsens.c ++++ b/drivers/thermal/qcom/tsens.c +@@ -85,7 +85,7 @@ void compute_intercept_slope(struct tsens_priv *priv, u32 *p1, + for (i = 0; i < priv->num_sensors; i++) { + dev_dbg(priv->dev, + "%s: sensor%d - data_point1:%#x data_point2:%#x\n", +- __func__, i, p1[i], p2[i]); ++ __func__, i, p1[i], p2 ? p2[i] : 0); + + if (!priv->sensor[i].slope) + priv->sensor[i].slope = SLOPE_DEFAULT; +-- +2.43.0 + diff --git a/queue-6.1/udp-avoid-call-to-compute_score-on-multiple-sites.patch b/queue-6.1/udp-avoid-call-to-compute_score-on-multiple-sites.patch new file mode 100644 index 00000000000..afbe7681404 --- /dev/null +++ b/queue-6.1/udp-avoid-call-to-compute_score-on-multiple-sites.patch @@ -0,0 +1,164 @@ +From 16d757906f8721ffdb4f642acede988f189f3300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:20:04 -0400 +Subject: udp: Avoid call to compute_score on multiple sites + +From: Gabriel Krisman Bertazi + +[ Upstream commit 50aee97d15113b95a68848db1f0cb2a6c09f753a ] + +We've observed a 7-12% performance regression in iperf3 UDP ipv4 and +ipv6 tests with multiple sockets on Zen3 cpus, which we traced back to +commit f0ea27e7bfe1 ("udp: re-score reuseport groups when connected +sockets are present"). The failing tests were those that would spawn +UDP sockets per-cpu on systems that have a high number of cpus. + +Unsurprisingly, it is not caused by the extra re-scoring of the reused +socket, but due to the compiler no longer inlining compute_score, once +it has the extra call site in udp4_lib_lookup2. This is augmented by +the "Safe RET" mitigation for SRSO, needed in our Zen3 cpus. + +We could just explicitly inline it, but compute_score() is quite a large +function, around 300b. Inlining in two sites would almost double +udp4_lib_lookup2, which is a silly thing to do just to workaround a +mitigation. Instead, this patch shuffles the code a bit to avoid the +multiple calls to compute_score. Since it is a static function used in +one spot, the compiler can safely fold it in, as it did before, without +increasing the text size. + +With this patch applied I ran my original iperf3 testcases. The failing +cases all looked like this (ipv4): + iperf3 -c 127.0.0.1 --udp -4 -f K -b $R -l 8920 -t 30 -i 5 -P 64 -O 2 + +where $R is either 1G/10G/0 (max, unlimited). I ran 3 times each. +baseline is v6.9-rc3. harmean == harmonic mean; CV == coefficient of +variation. + +ipv4: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 1743852.66(0.0208) 1725933.02(0.0167) 1705203.78(0.0386) +patched 1968727.61(0.0035) 1962283.22(0.0195) 1923853.50(0.0256) + +ipv6: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 1729020.03(0.0028) 1691704.49(0.0243) 1692251.34(0.0083) +patched 1900422.19(0.0067) 1900968.01(0.0067) 1568532.72(0.1519) + +This restores the performance we had before the change above with this +benchmark. We obviously don't expect any real impact when mitigations +are disabled, but just to be sure it also doesn't regresses: + +mitigations=off ipv4: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 3230279.97(0.0066) 3229320.91(0.0060) 2605693.19(0.0697) +patched 3242802.36(0.0073) 3239310.71(0.0035) 2502427.19(0.0882) + +Cc: Lorenz Bauer +Fixes: f0ea27e7bfe1 ("udp: re-score reuseport groups when connected sockets are present") +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 21 ++++++++++++++++----- + net/ipv6/udp.c | 20 ++++++++++++++++---- + 2 files changed, 32 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 3dc4eaddb598a..b8f93c1479ae1 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -422,15 +422,21 @@ static struct sock *udp4_lib_lookup2(struct net *net, + { + struct sock *sk, *result; + int score, badness; ++ bool need_rescore; + + result = NULL; + badness = 0; + udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) { +- score = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ need_rescore = false; ++rescore: ++ score = compute_score(need_rescore ? result : sk, net, saddr, ++ sport, daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; + ++ if (need_rescore) ++ continue; ++ + if (sk->sk_state == TCP_ESTABLISHED) { + result = sk; + continue; +@@ -451,9 +457,14 @@ static struct sock *udp4_lib_lookup2(struct net *net, + if (IS_ERR(result)) + continue; + +- badness = compute_score(result, net, saddr, sport, +- daddr, hnum, dif, sdif); +- ++ /* compute_score is too long of a function to be ++ * inlined, and calling it again here yields ++ * measureable overhead for some ++ * workloads. Work around it by jumping ++ * backwards to rescore 'result'. ++ */ ++ need_rescore = true; ++ goto rescore; + } + } + return result; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 6f270fda3cbe0..f55d08d2096ae 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -169,15 +169,21 @@ static struct sock *udp6_lib_lookup2(struct net *net, + { + struct sock *sk, *result; + int score, badness; ++ bool need_rescore; + + result = NULL; + badness = -1; + udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) { +- score = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ need_rescore = false; ++rescore: ++ score = compute_score(need_rescore ? result : sk, net, saddr, ++ sport, daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; + ++ if (need_rescore) ++ continue; ++ + if (sk->sk_state == TCP_ESTABLISHED) { + result = sk; + continue; +@@ -198,8 +204,14 @@ static struct sock *udp6_lib_lookup2(struct net *net, + if (IS_ERR(result)) + continue; + +- badness = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ /* compute_score is too long of a function to be ++ * inlined, and calling it again here yields ++ * measureable overhead for some ++ * workloads. Work around it by jumping ++ * backwards to rescore 'result'. ++ */ ++ need_rescore = true; ++ goto rescore; + } + } + return result; +-- +2.43.0 + diff --git a/queue-6.1/usb-aqc111-stop-lying-about-skb-truesize.patch b/queue-6.1/usb-aqc111-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..6b9c77f12c2 --- /dev/null +++ b/queue-6.1/usb-aqc111-stop-lying-about-skb-truesize.patch @@ -0,0 +1,55 @@ +From cff81788706564e5d92f04b282ac947c8686207f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 13:55:46 +0000 +Subject: usb: aqc111: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 9aad6e45c4e7d16b2bb7c3794154b828fb4384b4 ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +I replace one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +Fixes: 361459cd9642 ("net: usb: aqc111: Implement RX data path") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240506135546.3641185-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 7b8afa589a53c..284375f662f1e 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1141,17 +1141,15 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + continue; + } + +- /* Clone SKB */ +- new_skb = skb_clone(skb, GFP_ATOMIC); ++ new_skb = netdev_alloc_skb_ip_align(dev->net, pkt_len); + + if (!new_skb) + goto err; + +- new_skb->len = pkt_len; ++ skb_put(new_skb, pkt_len); ++ memcpy(new_skb->data, skb->data, pkt_len); + skb_pull(new_skb, AQ_RX_HW_PAD); +- skb_set_tail_pointer(new_skb, new_skb->len); + +- new_skb->truesize = SKB_TRUESIZE(new_skb->len); + if (aqc111_data->rx_checksum) + aqc111_rx_checksum(new_skb, pkt_desc); + +-- +2.43.0 + diff --git a/queue-6.1/virt-acrn-stop-using-follow_pfn.patch b/queue-6.1/virt-acrn-stop-using-follow_pfn.patch new file mode 100644 index 00000000000..b28c36da81e --- /dev/null +++ b/queue-6.1/virt-acrn-stop-using-follow_pfn.patch @@ -0,0 +1,71 @@ +From 3573ef75e001e95fdc0b0cc28e69267f6abc26d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 07:45:40 +0800 +Subject: virt: acrn: stop using follow_pfn + +From: Christoph Hellwig + +[ Upstream commit 1b265da7ea1e1ae997fa119c2846bb389eb39c6b ] + +Patch series "remove follow_pfn". + +This series open codes follow_pfn in the only remaining caller, although +the code there remains questionable. It then also moves follow_phys into +the only user and simplifies it a bit. + +This patch (of 3): + +Switch from follow_pfn to follow_pte so that we can get rid of follow_pfn. +Note that this doesn't fix any of the pre-existing raciness and lack of +permission checking in the code. + +Link: https://lkml.kernel.org/r/20240324234542.2038726-1-hch@lst.de +Link: https://lkml.kernel.org/r/20240324234542.2038726-2-hch@lst.de +Signed-off-by: Christoph Hellwig +Reviewed-by: David Hildenbrand +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Fei Li +Cc: Peter Zijlstra +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Stable-dep-of: 3d6586008f7b ("drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()") +Signed-off-by: Sasha Levin +--- + drivers/virt/acrn/mm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c +index b4ad8d452e9a1..ffc1d1136f765 100644 +--- a/drivers/virt/acrn/mm.c ++++ b/drivers/virt/acrn/mm.c +@@ -171,18 +171,24 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + mmap_read_lock(current->mm); + vma = vma_lookup(current->mm, memmap->vma_base); + if (vma && ((vma->vm_flags & VM_PFNMAP) != 0)) { ++ spinlock_t *ptl; ++ pte_t *ptep; ++ + if ((memmap->vma_base + memmap->len) > vma->vm_end) { + mmap_read_unlock(current->mm); + return -EINVAL; + } + +- ret = follow_pfn(vma, memmap->vma_base, &pfn); +- mmap_read_unlock(current->mm); ++ ret = follow_pte(vma->vm_mm, memmap->vma_base, &ptep, &ptl); + if (ret < 0) { ++ mmap_read_unlock(current->mm); + dev_dbg(acrn_dev.this_device, + "Failed to lookup PFN at VMA:%pK.\n", (void *)memmap->vma_base); + return ret; + } ++ pfn = pte_pfn(ptep_get(ptep)); ++ pte_unmap_unlock(ptep, ptl); ++ mmap_read_unlock(current->mm); + + return acrn_mm_region_add(vm, memmap->user_vm_pa, + PFN_PHYS(pfn), memmap->len, +-- +2.43.0 + diff --git a/queue-6.1/wifi-ar5523-enable-proper-endpoint-verification.patch b/queue-6.1/wifi-ar5523-enable-proper-endpoint-verification.patch new file mode 100644 index 00000000000..363e2f3c92d --- /dev/null +++ b/queue-6.1/wifi-ar5523-enable-proper-endpoint-verification.patch @@ -0,0 +1,99 @@ +From 5ce1c7ea10d5c6bc4b5a43ccdd89cf45ed34c6a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 05:14:25 -0700 +Subject: wifi: ar5523: enable proper endpoint verification + +From: Nikita Zhandarovich + +[ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ] + +Syzkaller reports [1] hitting a warning about an endpoint in use +not having an expected type to it. + +Fix the issue by checking for the existence of all proper +endpoints with their according types intact. + +Sadly, this patch has not been tested on real hardware. + +[1] Syzkaller report: +------------[ cut here ]------------ +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 + ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] + ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] + ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 + usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 + usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 + hub_port_connect drivers/usb/core/hub.c:5353 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] + port_event drivers/usb/core/hub.c:5653 [inline] + hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com +Fixes: b7d572e1871d ("ar5523: Add new driver") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index ce3d613fa36c4..2833e2206cc88 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1589,6 +1589,20 @@ static int ar5523_probe(struct usb_interface *intf, + struct ar5523 *ar; + int error = -ENOMEM; + ++ static const u8 bulk_ep_addr[] = { ++ AR5523_CMD_TX_PIPE | USB_DIR_OUT, ++ AR5523_DATA_TX_PIPE | USB_DIR_OUT, ++ AR5523_CMD_RX_PIPE | USB_DIR_IN, ++ AR5523_DATA_RX_PIPE | USB_DIR_IN, ++ 0}; ++ ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) { ++ dev_err(&dev->dev, ++ "Could not find all expected endpoints\n"); ++ error = -ENODEV; ++ goto out; ++ } ++ + /* + * Load firmware if the device requires it. This will return + * -ENXIO on success and we'll get called back afer the usb +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch b/queue-6.1/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch new file mode 100644 index 00000000000..282a87fc7a1 --- /dev/null +++ b/queue-6.1/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch @@ -0,0 +1,43 @@ +From 2a22ba95a8643df06f5af5ff321c873839eaea1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:42:44 +0800 +Subject: wifi: ath10k: Fix an error code problem in + ath10k_dbg_sta_write_peer_debug_trigger() + +From: Su Hui + +[ Upstream commit c511a9c12674d246916bb16c479d496b76983193 ] + +Clang Static Checker (scan-build) warns: + +drivers/net/wireless/ath/ath10k/debugfs_sta.c:line 429, column 3 +Value stored to 'ret' is never read. + +Return 'ret' rather than 'count' when 'ret' stores an error code. + +Fixes: ee8b08a1be82 ("ath10k: add debugfs support to get per peer tids log via tracing") +Signed-off-by: Su Hui +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422034243.938962-1-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +index 87a3365330ff8..5598cf706daab 100644 +--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +@@ -438,7 +438,7 @@ ath10k_dbg_sta_write_peer_debug_trigger(struct file *file, + } + out: + mutex_unlock(&ar->conf_mutex); +- return count; ++ return ret ?: count; + } + + static const struct file_operations fops_peer_debug_trigger = { +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath10k-poll-service-ready-message-before-failin.patch b/queue-6.1/wifi-ath10k-poll-service-ready-message-before-failin.patch new file mode 100644 index 00000000000..26795fe8917 --- /dev/null +++ b/queue-6.1/wifi-ath10k-poll-service-ready-message-before-failin.patch @@ -0,0 +1,81 @@ +From 9535b20fe9ea0bbd12d06961c657fda0512fe051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 07:15:14 +0200 +Subject: wifi: ath10k: poll service ready message before failing + +From: Baochen Qiang + +[ Upstream commit e57b7d62a1b2f496caf0beba81cec3c90fad80d5 ] + +Currently host relies on CE interrupts to get notified that +the service ready message is ready. This results in timeout +issue if the interrupt is not fired, due to some unknown +reasons. See below logs: + +[76321.937866] ath10k_pci 0000:02:00.0: wmi service ready event not received +... +[76322.016738] ath10k_pci 0000:02:00.0: Could not init core: -110 + +And finally it causes WLAN interface bring up failure. + +Change to give it one more chance here by polling CE rings, +before failing directly. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1 + +Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices") +Reported-by: James Prestwood +Tested-By: James Prestwood # on QCA6174 hw3.2 +Link: https://lore.kernel.org/linux-wireless/304ce305-fbe6-420e-ac2a-d61ae5e6ca1a@gmail.com/ +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240227030409.89702-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 980d4124fa287..8a5a44d75b141 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1762,12 +1762,32 @@ void ath10k_wmi_put_wmi_channel(struct ath10k *ar, struct wmi_channel *ch, + + int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) + { +- unsigned long time_left; ++ unsigned long time_left, i; + + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, + WMI_SERVICE_READY_TIMEOUT_HZ); +- if (!time_left) +- return -ETIMEDOUT; ++ if (!time_left) { ++ /* Sometimes the PCI HIF doesn't receive interrupt ++ * for the service ready message even if the buffer ++ * was completed. PCIe sniffer shows that it's ++ * because the corresponding CE ring doesn't fires ++ * it. Workaround here by polling CE rings once. ++ */ ++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); ++ ++ for (i = 0; i < CE_COUNT; i++) ++ ath10k_hif_send_complete_check(ar, i, 1); ++ ++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready, ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ ath10k_warn(ar, "polling timed out\n"); ++ return -ETIMEDOUT; ++ } ++ ++ ath10k_warn(ar, "service ready completion received, continuing normally\n"); ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath10k-populate-board-data-for-wcn3990.patch b/queue-6.1/wifi-ath10k-populate-board-data-for-wcn3990.patch new file mode 100644 index 00000000000..45ed5511a60 --- /dev/null +++ b/queue-6.1/wifi-ath10k-populate-board-data-for-wcn3990.patch @@ -0,0 +1,65 @@ +From dc770872a30b9d8799371d81ad7ac6e93adfd082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 08:47:06 +0200 +Subject: wifi: ath10k: populate board data for WCN3990 + +From: Dmitry Baryshkov + +[ Upstream commit f1f1b5b055c9f27a2f90fd0f0521f5920e9b3c18 ] + +Specify board data size (and board.bin filename) for the WCN3990 +platform. + +Reported-by: Yongqin Liu +Fixes: 03a72288c546 ("ath10k: wmi: add hw params entry for wcn3990") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240130-wcn3990-board-fw-v1-1-738f7c19a8c8@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 3 +++ + drivers/net/wireless/ath/ath10k/hw.h | 1 + + drivers/net/wireless/ath/ath10k/targaddrs.h | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 6cdb225b7eacc..81058be3598f1 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -704,6 +704,9 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .max_spatial_stream = 4, + .fw = { + .dir = WCN3990_HW_1_0_FW_DIR, ++ .board = WCN3990_HW_1_0_BOARD_DATA_FILE, ++ .board_size = WCN3990_BOARD_DATA_SZ, ++ .board_ext_size = WCN3990_BOARD_EXT_DATA_SZ, + }, + .sw_decrypt_mcast_mgmt = true, + .rx_desc_ops = &wcn3990_rx_desc_ops, +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 9643031a4427a..7ecdd0011cfa4 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -132,6 +132,7 @@ enum qca9377_chip_id_rev { + /* WCN3990 1.0 definitions */ + #define WCN3990_HW_1_0_DEV_VERSION ATH10K_HW_WCN3990 + #define WCN3990_HW_1_0_FW_DIR ATH10K_FW_DIR "/WCN3990/hw1.0" ++#define WCN3990_HW_1_0_BOARD_DATA_FILE "board.bin" + + #define ATH10K_FW_FILE_BASE "firmware" + #define ATH10K_FW_API_MAX 6 +diff --git a/drivers/net/wireless/ath/ath10k/targaddrs.h b/drivers/net/wireless/ath/ath10k/targaddrs.h +index ec556bb88d658..ba37e6c7ced08 100644 +--- a/drivers/net/wireless/ath/ath10k/targaddrs.h ++++ b/drivers/net/wireless/ath/ath10k/targaddrs.h +@@ -491,4 +491,7 @@ struct host_interest { + #define QCA4019_BOARD_DATA_SZ 12064 + #define QCA4019_BOARD_EXT_DATA_SZ 0 + ++#define WCN3990_BOARD_DATA_SZ 26328 ++#define WCN3990_BOARD_EXT_DATA_SZ 0 ++ + #endif /* __TARGADDRS_H__ */ +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch b/queue-6.1/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch new file mode 100644 index 00000000000..5c47a0818f2 --- /dev/null +++ b/queue-6.1/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch @@ -0,0 +1,94 @@ +From 5c7e0a011b8fc8e82abf045980c3a29935b8500b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 19:31:15 +0800 +Subject: wifi: ath11k: don't force enable power save on non-running vdevs + +From: Baochen Qiang + +[ Upstream commit 01296b39d3515f20a1db64d3c421c592b1e264a0 ] + +Currently we force enable power save on non-running vdevs, this results +in unexpected ping latency in below scenarios: + 1. disable power save from userspace. + 2. trigger suspend/resume. + +With step 1 power save is disabled successfully and we get a good latency: + +PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=5.13 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=5.45 ms +64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=5.99 ms +64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=6.34 ms +64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=4.47 ms +64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=6.45 ms + +While after step 2, the latency becomes much larger: + +PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=17.7 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=15.0 ms +64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=14.3 ms +64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=16.5 ms +64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=20.1 ms + +The reason is, with step 2, power save is force enabled due to vdev not +running, although mac80211 was trying to disable it to honor userspace +configuration: + +ath11k_pci 0000:03:00.0: wmi cmd sta powersave mode psmode 1 vdev id 0 +Call Trace: + ath11k_wmi_pdev_set_ps_mode + ath11k_mac_op_bss_info_changed + ieee80211_bss_info_change_notify + ieee80211_reconfig + ieee80211_resume + wiphy_resume + +This logic is taken from ath10k where it was added due to below comment: + + Firmware doesn't behave nicely and consumes more power than + necessary if PS is disabled on a non-started vdev. + +However we don't know whether such an issue also occurs to ath11k firmware +or not. But even if it does, it's not appropriate because it goes against +userspace, even cfg/mac80211 don't know we have enabled it in fact. + +Remove it to fix this issue. In this way we not only get a better latency, +but also, and the most important, keeps the consistency between userspace +and kernel/driver. The biggest price for that would be the power consumption, +which is not that important, compared with the consistency. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Fixes: b2beffa7d9a6 ("ath11k: enable 802.11 power save mode in station mode") +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240309113115.11498-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 51fc77e93de5c..b863ead198bda 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -1226,14 +1226,7 @@ static int ath11k_mac_vif_setup_ps(struct ath11k_vif *arvif) + + enable_ps = arvif->ps; + +- if (!arvif->is_started) { +- /* mac80211 can update vif powersave state while disconnected. +- * Firmware doesn't behave nicely and consumes more power than +- * necessary if PS is disabled on a non-started vdev. Hence +- * force-enable PS for non-running vdevs. +- */ +- psmode = WMI_STA_PS_MODE_ENABLED; +- } else if (enable_ps) { ++ if (enable_ps) { + psmode = WMI_STA_PS_MODE_ENABLED; + param = WMI_STA_PS_PARAM_INACTIVITY_TIME; + +-- +2.43.0 + diff --git a/queue-6.1/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch b/queue-6.1/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch new file mode 100644 index 00000000000..7185651a09e --- /dev/null +++ b/queue-6.1/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch @@ -0,0 +1,71 @@ +From 507f7f6c8e0bc8f3ceb5e3de5316ab852d2680aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 22:04:37 +0800 +Subject: wifi: brcmfmac: pcie: handle randbuf allocation failure + +From: Duoming Zhou + +[ Upstream commit 316f790ebcf94bdf59f794b7cdea4068dc676d4c ] + +The kzalloc() in brcmf_pcie_download_fw_nvram() will return null +if the physical memory has run out. As a result, if we use +get_random_bytes() to generate random bytes in the randbuf, the +null pointer dereference bug will happen. + +In order to prevent allocation failure, this patch adds a separate +function using buffer on kernel stack to generate random bytes in +the randbuf, which could prevent the kernel stack from overflow. + +Fixes: 91918ce88d9f ("wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device") +Suggested-by: Arnd Bergmann +Signed-off-by: Duoming Zhou +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240306140437.18177-1-duoming@zju.edu.cn +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/pcie.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index 3b1277a8bd617..99cc41135473a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -1640,6 +1640,15 @@ struct brcmf_random_seed_footer { + #define BRCMF_RANDOM_SEED_MAGIC 0xfeedc0de + #define BRCMF_RANDOM_SEED_LENGTH 0x100 + ++static noinline_for_stack void ++brcmf_pcie_provide_random_bytes(struct brcmf_pciedev_info *devinfo, u32 address) ++{ ++ u8 randbuf[BRCMF_RANDOM_SEED_LENGTH]; ++ ++ get_random_bytes(randbuf, BRCMF_RANDOM_SEED_LENGTH); ++ memcpy_toio(devinfo->tcm + address, randbuf, BRCMF_RANDOM_SEED_LENGTH); ++} ++ + static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + const struct firmware *fw, void *nvram, + u32 nvram_len) +@@ -1682,7 +1691,6 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + .length = cpu_to_le32(rand_len), + .magic = cpu_to_le32(BRCMF_RANDOM_SEED_MAGIC), + }; +- void *randbuf; + + /* Some Apple chips/firmwares expect a buffer of random + * data to be present before NVRAM +@@ -1694,10 +1702,7 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + sizeof(footer)); + + address -= rand_len; +- randbuf = kzalloc(rand_len, GFP_KERNEL); +- get_random_bytes(randbuf, rand_len); +- memcpy_toio(devinfo->tcm + address, randbuf, rand_len); +- kfree(randbuf); ++ brcmf_pcie_provide_random_bytes(devinfo, address); + } + } else { + brcmf_dbg(PCIE, "No matching NVRAM file found %s\n", +-- +2.43.0 + diff --git a/queue-6.1/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch b/queue-6.1/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch new file mode 100644 index 00000000000..64f3d19981e --- /dev/null +++ b/queue-6.1/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch @@ -0,0 +1,97 @@ +From 81a53db03738ed0823b551c556b5051e814c449f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:33:55 -0700 +Subject: wifi: carl9170: add a proper sanity check for endpoints + +From: Nikita Zhandarovich + +[ Upstream commit b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 ] + +Syzkaller reports [1] hitting a warning which is caused by presence +of a wrong endpoint type at the URB sumbitting stage. While there +was a check for a specific 4th endpoint, since it can switch types +between bulk and interrupt, other endpoints are trusted implicitly. +Similar warning is triggered in a couple of other syzbot issues [2]. + +Fix the issue by doing a comprehensive check of all endpoints +taking into account difference between high- and full-speed +configuration. + +[1] Syzkaller report: +... +WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 + carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] + carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] + carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 + request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + +[2] Related syzkaller crashes: +Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d +Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1 + +Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com +Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") +Signed-off-by: Nikita Zhandarovich +Acked-By: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422183355.3785-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/usb.c | 32 +++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c +index e4eb666c6eea4..a5265997b5767 100644 +--- a/drivers/net/wireless/ath/carl9170/usb.c ++++ b/drivers/net/wireless/ath/carl9170/usb.c +@@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf, + ar->usb_ep_cmd_is_bulk = true; + } + ++ /* Verify that all expected endpoints are present */ ++ if (ar->usb_ep_cmd_is_bulk) { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } else { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } ++ ++ if (err) { ++ carl9170_free(ar); ++ return err; ++ } ++ + usb_set_intfdata(intf, ar); + SET_IEEE80211_DEV(ar->hw, &intf->dev); + +-- +2.43.0 + diff --git a/queue-6.1/wifi-carl9170-re-fix-fortified-memset-warning.patch b/queue-6.1/wifi-carl9170-re-fix-fortified-memset-warning.patch new file mode 100644 index 00000000000..a657617c77b --- /dev/null +++ b/queue-6.1/wifi-carl9170-re-fix-fortified-memset-warning.patch @@ -0,0 +1,60 @@ +From d489692f301bf9eb5e5d05a55d0218d119958407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 09:35:58 +0300 +Subject: wifi: carl9170: re-fix fortified-memset warning + +From: Arnd Bergmann + +[ Upstream commit 066afafc10c9476ee36c47c9062527a17e763901 ] + +The carl9170_tx_release() function sometimes triggers a fortified-memset +warning in my randconfig builds: + +In file included from include/linux/string.h:254, + from drivers/net/wireless/ath/carl9170/tx.c:40: +In function 'fortify_memset_chk', + inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, + inlined from 'kref_put' at include/linux/kref.h:65:3, + inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: +include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 493 | __write_overflow_field(p_size_field, size); + +Kees previously tried to avoid this by using memset_after(), but it seems +this does not fully address the problem. I noticed that the memset_after() +here is done on a different part of the union (status) than the original +cast was from (rate_driver_data), which may confuse the compiler. + +Unfortunately, the memset_after() trick does not work on driver_rates[] +because that is part of an anonymous struct, and I could not get +struct_group() to do this either. Using two separate memset() calls +on the two members does address the warning though. + +Fixes: fb5f6a0e8063b ("mac80211: Use memset_after() to clear tx status") +Link: https://lore.kernel.org/lkml/20230623152443.2296825-1-arnd@kernel.org/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Kees Cook +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240328135509.3755090-2-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c +index 6bb9aa2bfe654..88ef6e023f826 100644 +--- a/drivers/net/wireless/ath/carl9170/tx.c ++++ b/drivers/net/wireless/ath/carl9170/tx.c +@@ -280,7 +280,8 @@ static void carl9170_tx_release(struct kref *ref) + * carl9170_tx_fill_rateinfo() has filled the rate information + * before we get to this point. + */ +- memset_after(&txinfo->status, 0, rates); ++ memset(&txinfo->pad, 0, sizeof(txinfo->pad)); ++ memset(&txinfo->rate_driver_data, 0, sizeof(txinfo->rate_driver_data)); + + if (atomic_read(&ar->tx_total_queued)) + ar->tx_schedule = true; +-- +2.43.0 + diff --git a/queue-6.1/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch b/queue-6.1/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch new file mode 100644 index 00000000000..13e8cb60efb --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch @@ -0,0 +1,50 @@ +From f228b74c2104b6877573eac66bf7d0d4585ca99c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 18:24:30 +0300 +Subject: wifi: cfg80211: fix the order of arguments for trace events of the + tx_rx_evt class + +From: Igor Artemiev + +[ Upstream commit 9ef369973cd2c97cce3388d2c0c7e3c056656e8a ] + +The declarations of the tx_rx_evt class and the rdev_set_antenna event +use the wrong order of arguments in the TP_ARGS macro. + +Fix the order of arguments in the TP_ARGS macro. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Igor Artemiev +Link: https://msgid.link/20240405152431.270267-1-Igor.A.Artemiev@mcst.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/trace.h b/net/wireless/trace.h +index cb5c3224e038a..137937b1f4b39 100644 +--- a/net/wireless/trace.h ++++ b/net/wireless/trace.h +@@ -1734,7 +1734,7 @@ TRACE_EVENT(rdev_return_void_tx_rx, + + DECLARE_EVENT_CLASS(tx_rx_evt, + TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), +- TP_ARGS(wiphy, rx, tx), ++ TP_ARGS(wiphy, tx, rx), + TP_STRUCT__entry( + WIPHY_ENTRY + __field(u32, tx) +@@ -1751,7 +1751,7 @@ DECLARE_EVENT_CLASS(tx_rx_evt, + + DEFINE_EVENT(tx_rx_evt, rdev_set_antenna, + TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), +- TP_ARGS(wiphy, rx, tx) ++ TP_ARGS(wiphy, tx, rx) + ); + + DECLARE_EVENT_CLASS(wiphy_netdev_id_evt, +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-don-t-use-rate-mask-for-scanning.patch b/queue-6.1/wifi-mac80211-don-t-use-rate-mask-for-scanning.patch new file mode 100644 index 00000000000..305dd7ff957 --- /dev/null +++ b/queue-6.1/wifi-mac80211-don-t-use-rate-mask-for-scanning.patch @@ -0,0 +1,119 @@ +From f93897994ef6c6d8b7e5257b5b71a30871b95f19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 22:08:54 +0100 +Subject: wifi: mac80211: don't use rate mask for scanning + +From: Johannes Berg + +[ Upstream commit ab9177d83c040eba58387914077ebca56f14fae6 ] + +The rate mask is intended for use during operation, and +can be set to only have masks for the currently active +band. As such, it cannot be used for scanning which can +be on other bands as well. + +Simply ignore the rate masks during scanning to avoid +warnings from incorrect settings. + +Reported-by: syzbot+fdc5123366fb9c3fdc6d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fdc5123366fb9c3fdc6d +Co-developed-by: Dmitry Antipov +Signed-off-by: Dmitry Antipov +Tested-by: Dmitry Antipov +Link: https://msgid.link/20240326220854.9594cbb418ca.I7f86c0ba1f98cf7e27c2bacf6c2d417200ecea5c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 3 +++ + net/mac80211/rate.c | 6 +++++- + net/mac80211/scan.c | 1 + + net/mac80211/tx.c | 13 +++++++++---- + 4 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 43173204d6d5e..87a4f334c22a8 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -885,6 +885,8 @@ enum mac80211_tx_info_flags { + * of their QoS TID or other priority field values. + * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally + * for sequence number assignment ++ * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted ++ * due to scanning, not in normal operation on the interface. + * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this + * frame should be transmitted on the specific link. This really is + * only relevant for frames that do not have data present, and is +@@ -905,6 +907,7 @@ enum mac80211_tx_control_flags { + IEEE80211_TX_CTRL_NO_SEQNO = BIT(7), + IEEE80211_TX_CTRL_DONT_REORDER = BIT(8), + IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX = BIT(9), ++ IEEE80211_TX_CTRL_SCAN_TX = BIT(10), + IEEE80211_TX_CTRL_MLO_LINK = 0xf0000000, + }; + +diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c +index 9d33fd2377c88..a2bc9c5d92b8b 100644 +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -877,6 +877,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif, + struct ieee80211_sub_if_data *sdata; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_supported_band *sband; ++ u32 mask = ~0; + + rate_control_fill_sta_table(sta, info, dest, max_rates); + +@@ -889,9 +890,12 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif, + if (ieee80211_is_tx_data(skb)) + rate_control_apply_mask(sdata, sta, sband, dest, max_rates); + ++ if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) ++ mask = sdata->rc_rateidx_mask[info->band]; ++ + if (dest[0].idx < 0) + __rate_control_send_low(&sdata->local->hw, sband, sta, info, +- sdata->rc_rateidx_mask[info->band]); ++ mask); + + if (sta) + rate_fixup_ratelist(vif, sband, info, dest, max_rates); +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index c37e2576f1c13..933d02d7c1284 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -647,6 +647,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata, + cpu_to_le16(IEEE80211_SN_TO_SEQ(sn)); + } + IEEE80211_SKB_CB(skb)->flags |= tx_flags; ++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX; + ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band); + } + } +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 3d62e8b718740..419baf8efddea 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -720,11 +720,16 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx) + txrc.bss_conf = &tx->sdata->vif.bss_conf; + txrc.skb = tx->skb; + txrc.reported_rate.idx = -1; +- txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band]; + +- if (tx->sdata->rc_has_mcs_mask[info->band]) +- txrc.rate_idx_mcs_mask = +- tx->sdata->rc_rateidx_mcs_mask[info->band]; ++ if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) { ++ txrc.rate_idx_mask = ~0; ++ } else { ++ txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band]; ++ ++ if (tx->sdata->rc_has_mcs_mask[info->band]) ++ txrc.rate_idx_mcs_mask = ++ tx->sdata->rc_rateidx_mcs_mask[info->band]; ++ } + + txrc.bss = (tx->sdata->vif.type == NL80211_IFTYPE_AP || + tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT || +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-ensure-beacon-is-non-s1g-prior-to-extr.patch b/queue-6.1/wifi-mac80211-ensure-beacon-is-non-s1g-prior-to-extr.patch new file mode 100644 index 00000000000..abee5dfe155 --- /dev/null +++ b/queue-6.1/wifi-mac80211-ensure-beacon-is-non-s1g-prior-to-extr.patch @@ -0,0 +1,42 @@ +From 545470aa4acfcdde85cc410fc934c9dc9e791590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:57:25 +1100 +Subject: wifi: mac80211: ensure beacon is non-S1G prior to extracting the + beacon timestamp field + +From: Richard Kinder + +[ Upstream commit d12b9779cc9ba29d65fbfc728eb8a037871dd331 ] + +Logic inside ieee80211_rx_mgmt_beacon accesses the +mgmt->u.beacon.timestamp field without first checking whether the beacon +received is non-S1G format. + +Fix the problem by checking the beacon is non-S1G format to avoid access +of the mgmt->u.beacon.timestamp field. + +Signed-off-by: Richard Kinder +Link: https://msgid.link/20240328005725.85355-1-richard.kinder@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index f25dc6931a5b1..9a5530ca2f6b2 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5528,7 +5528,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + link->u.mgd.dtim_period = elems->dtim_period; + link->u.mgd.have_beacon = true; + ifmgd->assoc_data->need_beacon = false; +- if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) { ++ if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) && ++ !ieee80211_is_s1g_beacon(hdr->frame_control)) { + link->conf->sync_tsf = + le64_to_cpu(mgmt->u.beacon.timestamp); + link->conf->sync_device_ts = +-- +2.43.0 + diff --git a/queue-6.1/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch b/queue-6.1/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch new file mode 100644 index 00000000000..b4237cad959 --- /dev/null +++ b/queue-6.1/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch @@ -0,0 +1,33 @@ +From 0e7a405d497be92bfa51c8db55e62c6782546bd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 11:11:54 +0200 +Subject: wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset + +From: Felix Fietkau + +[ Upstream commit 21de5f72260b4246e2415bc900c18139bc52ea80 ] + +This flag is needed for the PSE client reset. Fixes watchdog reset issues. + +Fixes: c677dda16523 ("wifi: mt76: mt7603: improve watchdog reset reliablity") +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +index 2980e1234d13f..082ac1afc515a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +@@ -1382,6 +1382,7 @@ void mt7603_pse_client_reset(struct mt7603_dev *dev) + MT_CLIENT_RESET_TX_R_E_2_S); + + /* Start PSE client TX abort */ ++ mt76_set(dev, MT_WPDMA_GLO_CFG, MT_WPDMA_GLO_CFG_FORCE_TX_EOF); + mt76_set(dev, addr, MT_CLIENT_RESET_TX_R_E_1); + mt76_poll_msec(dev, addr, MT_CLIENT_RESET_TX_R_E_1_S, + MT_CLIENT_RESET_TX_R_E_1_S, 500); +-- +2.43.0 + diff --git a/queue-6.1/wifi-mwl8k-initialize-cmd-addr-properly.patch b/queue-6.1/wifi-mwl8k-initialize-cmd-addr-properly.patch new file mode 100644 index 00000000000..76df3821625 --- /dev/null +++ b/queue-6.1/wifi-mwl8k-initialize-cmd-addr-properly.patch @@ -0,0 +1,38 @@ +From fc051ab3d82a81fdb19c69e7cd301b8f76cdeaa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:38:15 +0300 +Subject: wifi: mwl8k: initialize cmd->addr[] properly + +From: Dan Carpenter + +[ Upstream commit 1d60eabb82694e58543e2b6366dae3e7465892a5 ] + +This loop is supposed to copy the mac address to cmd->addr but the +i++ increment is missing so it copies everything to cmd->addr[0] and +only the last address is recorded. + +Fixes: 22bedad3ce11 ("net: convert multicast list to list_head") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://msgid.link/b788be9a-15f5-4cca-a3fe-79df4c8ce7b2@moroto.mountain +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index 4dc7e2e53b81e..61697dad4ea61 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -2718,7 +2718,7 @@ __mwl8k_cmd_mac_multicast_adr(struct ieee80211_hw *hw, int allmulti, + cmd->action |= cpu_to_le16(MWL8K_ENABLE_RX_MULTICAST); + cmd->numaddr = cpu_to_le16(mc_count); + netdev_hw_addr_list_for_each(ha, mc_list) { +- memcpy(cmd->addr[i], ha->addr, ETH_ALEN); ++ memcpy(cmd->addr[i++], ha->addr, ETH_ALEN); + } + } + +-- +2.43.0 + diff --git a/queue-6.1/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch b/queue-6.1/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch new file mode 100644 index 00000000000..75502d1d687 --- /dev/null +++ b/queue-6.1/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch @@ -0,0 +1,74 @@ +From 6a192d818e0c963c4720e228d81919eb6d8619a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 17:13:55 +0200 +Subject: x86/boot/64: Clear most of CR4 in startup_64(), except PAE, MCE and + LA57 + +From: Ard Biesheuvel + +[ Upstream commit a0025f587c685e5ff842fb0194036f2ca0b6eaf4 ] + +The early 64-bit boot code must be entered with a 1:1 mapping of the +bootable image, but it cannot operate without a 1:1 mapping of all the +assets in memory that it accesses, and therefore, it creates such +mappings for all known assets upfront, and additional ones on demand +when a page fault happens on a memory address. + +These mappings are created with the global bit G set, as the flags used +to create page table descriptors are based on __PAGE_KERNEL_LARGE_EXEC +defined by the core kernel, even though the context where these mappings +are used is very different. + +This means that the TLB maintenance carried out by the decompressor is +not sufficient if it is entered with CR4.PGE enabled, which has been +observed to happen with the stage0 bootloader of project Oak. While this +is a dubious practice if no global mappings are being used to begin +with, the decompressor is clearly at fault here for creating global +mappings and not performing the appropriate TLB maintenance. + +Since commit: + + f97b67a773cd84b ("x86/decompressor: Only call the trampoline when changing paging levels") + +CR4 is no longer modified by the decompressor if no change in the number +of paging levels is needed. Before that, CR4 would always be set to a +consistent value with PGE cleared. + +So let's reinstate a simplified version of the original logic to put CR4 +into a known state, and preserve the PAE, MCE and LA57 bits, none of +which can be modified freely at this point (PAE and LA57 cannot be +changed while running in long mode, and MCE cannot be cleared when +running under some hypervisors). + +This effectively clears PGE and works around the project Oak bug. + +Fixes: f97b67a773cd84b ("x86/decompressor: Only call the trampoline when ...") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Cc: "H. Peter Anvin" +Link: https://lore.kernel.org/r/20240410151354.506098-2-ardb+git@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/head_64.S | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index 0d7aef10b19ad..6bc70385314cb 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -390,6 +390,11 @@ SYM_CODE_START(startup_64) + call sev_enable + #endif + ++ /* Preserve only the CR4 bits that must be preserved, and clear the rest */ ++ movq %cr4, %rax ++ andl $(X86_CR4_PAE | X86_CR4_MCE | X86_CR4_LA57), %eax ++ movq %rax, %cr4 ++ + /* + * configure_5level_paging() updates the number of paging levels using + * a trampoline in 32-bit addressable memory if the current number does +-- +2.43.0 + diff --git a/queue-6.1/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch b/queue-6.1/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch new file mode 100644 index 00000000000..88b9144caef --- /dev/null +++ b/queue-6.1/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch @@ -0,0 +1,54 @@ +From 1768ddb5a0f96773a963e24bc4786d4295a5af45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:05:47 +0800 +Subject: x86/boot: Ignore relocations in .notes sections in walk_relocs() too + +From: Guixiong Wei + +[ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ] + +Commit: + + aaa8736370db ("x86, relocs: Ignore relocations in .notes section") + +... only started ignoring the .notes sections in print_absolute_relocs(), +but the same logic should also by applied in walk_relocs() to avoid +such relocations. + +[ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ] + +Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") +Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") +Fixes: da1a679cde9b ("Add /sys/kernel/notes") +Signed-off-by: Guixiong Wei +Signed-off-by: Ingo Molnar +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com +Signed-off-by: Sasha Levin +--- + arch/x86/tools/relocs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index 9a5b101c45023..4fd824a448245 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -746,6 +746,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, + if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { + continue; + } ++ ++ /* ++ * Do not perform relocations in .notes sections; any ++ * values there are meant for pre-boot consumption (e.g. ++ * startup_xen). ++ */ ++ if (sec_applies->shdr.sh_type == SHT_NOTE) ++ continue; ++ + sh_symtab = sec_symtab->symtab; + sym_strtab = sec_symtab->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { +-- +2.43.0 + diff --git a/queue-6.1/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch b/queue-6.1/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch new file mode 100644 index 00000000000..d126d5567c3 --- /dev/null +++ b/queue-6.1/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch @@ -0,0 +1,75 @@ +From 7258910aae9d04dc4af49d39fe20c6a73ba5c72b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 13:58:46 +0300 +Subject: x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and + VPDPWSSDS + +From: Adrian Hunter + +[ Upstream commit b8000264348979b60dbe479255570a40e1b3a097 ] + +The x86 instruction decoder is used not only for decoding kernel +instructions. It is also used by perf uprobes (user space probes) and by +perf tools Intel Processor Trace decoding. Consequently, it needs to +support instructions executed by user space also. + +Intel Architecture Instruction Set Extensions and Future Features manual +number 319433-044 of May 2021, documented VEX versions of instructions +VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS, but the opcode map has them +listed as EVEX only. + +Remove EVEX-only (ev) annotation from instructions VPDPBUSD, VPDPBUSDS, +VPDPWSSD and VPDPWSSDS, which allows them to be decoded with either a VEX +or EVEX prefix. + +Fixes: 0153d98f2dd6 ("x86/insn: Add misc instructions to x86 instruction decoder") +Signed-off-by: Adrian Hunter +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240502105853.5338-4-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 8 ++++---- + tools/arch/x86/lib/x86-opcode-map.txt | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index d94bc4e3e5849..8eaf140172c58 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -698,10 +698,10 @@ AVXcode: 2 + 4d: vrcp14ss/d Vsd,Hpd,Wsd (66),(ev) + 4e: vrsqrt14ps/d Vpd,Wpd (66),(ev) + 4f: vrsqrt14ss/d Vsd,Hsd,Wsd (66),(ev) +-50: vpdpbusd Vx,Hx,Wx (66),(ev) +-51: vpdpbusds Vx,Hx,Wx (66),(ev) +-52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66),(ev) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) +-53: vpdpwssds Vx,Hx,Wx (66),(ev) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) ++50: vpdpbusd Vx,Hx,Wx (66) ++51: vpdpbusds Vx,Hx,Wx (66) ++52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) ++53: vpdpwssds Vx,Hx,Wx (66) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) + 54: vpopcntb/w Vx,Wx (66),(ev) + 55: vpopcntd/q Vx,Wx (66),(ev) + 58: vpbroadcastd Vx,Wx (66),(v) +diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt +index d94bc4e3e5849..8eaf140172c58 100644 +--- a/tools/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/arch/x86/lib/x86-opcode-map.txt +@@ -698,10 +698,10 @@ AVXcode: 2 + 4d: vrcp14ss/d Vsd,Hpd,Wsd (66),(ev) + 4e: vrsqrt14ps/d Vpd,Wpd (66),(ev) + 4f: vrsqrt14ss/d Vsd,Hsd,Wsd (66),(ev) +-50: vpdpbusd Vx,Hx,Wx (66),(ev) +-51: vpdpbusds Vx,Hx,Wx (66),(ev) +-52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66),(ev) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) +-53: vpdpwssds Vx,Hx,Wx (66),(ev) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) ++50: vpdpbusd Vx,Hx,Wx (66) ++51: vpdpbusds Vx,Hx,Wx (66) ++52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) ++53: vpdpwssds Vx,Hx,Wx (66) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) + 54: vpopcntb/w Vx,Wx (66),(ev) + 55: vpopcntd/q Vx,Wx (66),(ev) + 58: vpbroadcastd Vx,Wx (66),(v) +-- +2.43.0 + diff --git a/queue-6.1/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch b/queue-6.1/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch new file mode 100644 index 00000000000..7bc41f0763d --- /dev/null +++ b/queue-6.1/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch @@ -0,0 +1,98 @@ +From e20607a3537fdd1c319f1d1968fdba21385f0e9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 13:58:45 +0300 +Subject: x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map + +From: Adrian Hunter + +[ Upstream commit 59162e0c11d7257cde15f907d19fefe26da66692 ] + +The x86 instruction decoder is used not only for decoding kernel +instructions. It is also used by perf uprobes (user space probes) and by +perf tools Intel Processor Trace decoding. Consequently, it needs to +support instructions executed by user space also. + +Opcode 0x68 PUSH instruction is currently defined as 64-bit operand size +only i.e. (d64). That was based on Intel SDM Opcode Map. However that is +contradicted by the Instruction Set Reference section for PUSH in the +same manual. + +Remove 64-bit operand size only annotation from opcode 0x68 PUSH +instruction. + +Example: + + $ cat pushw.s + .global _start + .text + _start: + pushw $0x1234 + mov $0x1,%eax # system call number (sys_exit) + int $0x80 + $ as -o pushw.o pushw.s + $ ld -s -o pushw pushw.o + $ objdump -d pushw | tail -4 + 0000000000401000 <.text>: + 401000: 66 68 34 12 pushw $0x1234 + 401004: b8 01 00 00 00 mov $0x1,%eax + 401009: cd 80 int $0x80 + $ perf record -e intel_pt//u ./pushw + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.014 MB perf.data ] + + Before: + + $ perf script --insn-trace=disasm + Warning: + 1 instruction trace errors + pushw 10349 [000] 10586.869237014: 401000 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401006 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %al, (%rax) + pushw 10349 [000] 10586.869237014: 401008 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %cl, %ch + pushw 10349 [000] 10586.869237014: 40100a [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb $0x2e, (%rax) + instruction trace error type 1 time 10586.869237224 cpu 0 pid 10349 tid 10349 ip 0x40100d code 6: Trace doesn't match instruction + + After: + + $ perf script --insn-trace=disasm + pushw 10349 [000] 10586.869237014: 401000 [unknown] (./pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401004 [unknown] (./pushw) movl $1, %eax + +Fixes: eb13296cfaf6 ("x86: Instruction decoder API") +Signed-off-by: Adrian Hunter +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240502105853.5338-3-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 2 +- + tools/arch/x86/lib/x86-opcode-map.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index d12d1358f96d2..d94bc4e3e5849 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt +index d12d1358f96d2..d94bc4e3e5849 100644 +--- a/tools/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +-- +2.43.0 + diff --git a/queue-6.1/x86-mm-remove-broken-vsyscall-emulation-code-from-th.patch b/queue-6.1/x86-mm-remove-broken-vsyscall-emulation-code-from-th.patch new file mode 100644 index 00000000000..1a931bdb1c3 --- /dev/null +++ b/queue-6.1/x86-mm-remove-broken-vsyscall-emulation-code-from-th.patch @@ -0,0 +1,232 @@ +From 4c2ed3c947839148bd6d693f2a6917f2ec1a4739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 10:00:51 +0200 +Subject: x86/mm: Remove broken vsyscall emulation code from the page fault + code + +From: Linus Torvalds + +[ Upstream commit 02b670c1f88e78f42a6c5aee155c7b26960ca054 ] + +The syzbot-reported stack trace from hell in this discussion thread +actually has three nested page faults: + + https://lore.kernel.org/r/000000000000d5f4fc0616e816d4@google.com + +... and I think that's actually the important thing here: + + - the first page fault is from user space, and triggers the vsyscall + emulation. + + - the second page fault is from __do_sys_gettimeofday(), and that should + just have caused the exception that then sets the return value to + -EFAULT + + - the third nested page fault is due to _raw_spin_unlock_irqrestore() -> + preempt_schedule() -> trace_sched_switch(), which then causes a BPF + trace program to run, which does that bpf_probe_read_compat(), which + causes that page fault under pagefault_disable(). + +It's quite the nasty backtrace, and there's a lot going on. + +The problem is literally the vsyscall emulation, which sets + + current->thread.sig_on_uaccess_err = 1; + +and that causes the fixup_exception() code to send the signal *despite* the +exception being caught. + +And I think that is in fact completely bogus. It's completely bogus +exactly because it sends that signal even when it *shouldn't* be sent - +like for the BPF user mode trace gathering. + +In other words, I think the whole "sig_on_uaccess_err" thing is entirely +broken, because it makes any nested page-faults do all the wrong things. + +Now, arguably, I don't think anybody should enable vsyscall emulation any +more, but this test case clearly does. + +I think we should just make the "send SIGSEGV" be something that the +vsyscall emulation does on its own, not this broken per-thread state for +something that isn't actually per thread. + +The x86 page fault code actually tried to deal with the "incorrect nesting" +by having that: + + if (in_interrupt()) + return; + +which ignores the sig_on_uaccess_err case when it happens in interrupts, +but as shown by this example, these nested page faults do not need to be +about interrupts at all. + +IOW, I think the only right thing is to remove that horrendously broken +code. + +The attached patch looks like the ObviouslyCorrect(tm) thing to do. + +NOTE! This broken code goes back to this commit in 2011: + + 4fc3490114bb ("x86-64: Set siginfo and context on vsyscall emulation faults") + +... and back then the reason was to get all the siginfo details right. +Honestly, I do not for a moment believe that it's worth getting the siginfo +details right here, but part of the commit says: + + This fixes issues with UML when vsyscall=emulate. + +... and so my patch to remove this garbage will probably break UML in this +situation. + +I do not believe that anybody should be running with vsyscall=emulate in +2024 in the first place, much less if you are doing things like UML. But +let's see if somebody screams. + +Reported-and-tested-by: syzbot+83e7f982ca045ab4405c@syzkaller.appspotmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Ingo Molnar +Tested-by: Jiri Olsa +Acked-by: Andy Lutomirski +Link: https://lore.kernel.org/r/CAHk-=wh9D6f7HUkDgZHKmDCHUQmp+Co89GP+b8+z+G56BKeyNg@mail.gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/vsyscall/vsyscall_64.c | 28 ++--------------------- + arch/x86/include/asm/processor.h | 1 - + arch/x86/mm/fault.c | 33 +-------------------------- + 3 files changed, 3 insertions(+), 59 deletions(-) + +diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c +index 4af81df133ee8..5d4ca8b942939 100644 +--- a/arch/x86/entry/vsyscall/vsyscall_64.c ++++ b/arch/x86/entry/vsyscall/vsyscall_64.c +@@ -98,11 +98,6 @@ static int addr_to_vsyscall_nr(unsigned long addr) + + static bool write_ok_or_segv(unsigned long ptr, size_t size) + { +- /* +- * XXX: if access_ok, get_user, and put_user handled +- * sig_on_uaccess_err, this could go away. +- */ +- + if (!access_ok((void __user *)ptr, size)) { + struct thread_struct *thread = ¤t->thread; + +@@ -120,10 +115,8 @@ static bool write_ok_or_segv(unsigned long ptr, size_t size) + bool emulate_vsyscall(unsigned long error_code, + struct pt_regs *regs, unsigned long address) + { +- struct task_struct *tsk; + unsigned long caller; + int vsyscall_nr, syscall_nr, tmp; +- int prev_sig_on_uaccess_err; + long ret; + unsigned long orig_dx; + +@@ -172,8 +165,6 @@ bool emulate_vsyscall(unsigned long error_code, + goto sigsegv; + } + +- tsk = current; +- + /* + * Check for access_ok violations and find the syscall nr. + * +@@ -234,12 +225,8 @@ bool emulate_vsyscall(unsigned long error_code, + goto do_ret; /* skip requested */ + + /* +- * With a real vsyscall, page faults cause SIGSEGV. We want to +- * preserve that behavior to make writing exploits harder. ++ * With a real vsyscall, page faults cause SIGSEGV. + */ +- prev_sig_on_uaccess_err = current->thread.sig_on_uaccess_err; +- current->thread.sig_on_uaccess_err = 1; +- + ret = -EFAULT; + switch (vsyscall_nr) { + case 0: +@@ -262,23 +249,12 @@ bool emulate_vsyscall(unsigned long error_code, + break; + } + +- current->thread.sig_on_uaccess_err = prev_sig_on_uaccess_err; +- + check_fault: + if (ret == -EFAULT) { + /* Bad news -- userspace fed a bad pointer to a vsyscall. */ + warn_bad_vsyscall(KERN_INFO, regs, + "vsyscall fault (exploit attempt?)"); +- +- /* +- * If we failed to generate a signal for any reason, +- * generate one here. (This should be impossible.) +- */ +- if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) && +- !sigismember(&tsk->pending.signal, SIGSEGV))) +- goto sigsegv; +- +- return true; /* Don't emulate the ret. */ ++ goto sigsegv; + } + + regs->ax = ret; +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 94ea13adb724a..3ed6cc7785037 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -519,7 +519,6 @@ struct thread_struct { + unsigned long iopl_emul; + + unsigned int iopl_warn:1; +- unsigned int sig_on_uaccess_err:1; + + /* + * Protection Keys Register for Userspace. Loaded immediately on +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index f20636510eb1e..2fc007752ceb1 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -737,39 +737,8 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code, + WARN_ON_ONCE(user_mode(regs)); + + /* Are we prepared to handle this kernel fault? */ +- if (fixup_exception(regs, X86_TRAP_PF, error_code, address)) { +- /* +- * Any interrupt that takes a fault gets the fixup. This makes +- * the below recursive fault logic only apply to a faults from +- * task context. +- */ +- if (in_interrupt()) +- return; +- +- /* +- * Per the above we're !in_interrupt(), aka. task context. +- * +- * In this case we need to make sure we're not recursively +- * faulting through the emulate_vsyscall() logic. +- */ +- if (current->thread.sig_on_uaccess_err && signal) { +- sanitize_error_code(address, &error_code); +- +- set_signal_archinfo(address, error_code); +- +- if (si_code == SEGV_PKUERR) { +- force_sig_pkuerr((void __user *)address, pkey); +- } else { +- /* XXX: hwpoison faults will set the wrong code. */ +- force_sig_fault(signal, si_code, (void __user *)address); +- } +- } +- +- /* +- * Barring that, we can do the fixup and be happy. +- */ ++ if (fixup_exception(regs, X86_TRAP_PF, error_code, address)) + return; +- } + + /* + * AMD erratum #91 manifests as a spurious page fault on a PREFETCH +-- +2.43.0 + diff --git a/queue-6.1/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch b/queue-6.1/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch new file mode 100644 index 00000000000..d1a9d462fb9 --- /dev/null +++ b/queue-6.1/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch @@ -0,0 +1,118 @@ +From b0ac82edb21e1a1d7dffe59e4e82a9dd7beb210c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 15:10:09 +0200 +Subject: x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks() + +From: Robert Richter + +[ Upstream commit f9f67e5adc8dc2e1cc51ab2d3d6382fa97f074d4 ] + +For configurations that have the kconfig option NUMA_KEEP_MEMINFO +disabled, numa_fill_memblks() only returns with NUMA_NO_MEMBLK (-1). +SRAT lookup fails then because an existing SRAT memory range cannot be +found for a CFMWS address range. This causes the addition of a +duplicate numa_memblk with a different node id and a subsequent page +fault and kernel crash during boot. + +Fix this by making numa_fill_memblks() always available regardless of +NUMA_KEEP_MEMINFO. + +As Dan suggested, the fix is implemented to remove numa_fill_memblks() +from sparsemem.h and alos using __weak for the function. + +Note that the issue was initially introduced with [1]. But since +phys_to_target_node() was originally used that returned the valid node +0, an additional numa_memblk was not added. Though, the node id was +wrong too, a message is seen then in the logs: + + kernel/numa.c: pr_info_once("Unknown target node for memory at 0x%llx, assuming node 0\n", + +[1] commit fd49f99c1809 ("ACPI: NUMA: Add a node and memblk for each + CFMWS not in SRAT") + +Suggested-by: Dan Williams +Link: https://lore.kernel.org/all/66271b0072317_69102944c@dwillia2-xfh.jf.intel.com.notmuch/ +Fixes: 8f1004679987 ("ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window") +Reviewed-by: Jonathan Cameron +Reviewed-by: Alison Schofield +Reviewed-by: Dan Williams +Signed-off-by: Robert Richter +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/sparsemem.h | 2 -- + arch/x86/mm/numa.c | 4 ++-- + drivers/acpi/numa/srat.c | 5 +++++ + include/linux/numa.h | 7 +------ + 4 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/include/asm/sparsemem.h b/arch/x86/include/asm/sparsemem.h +index 1be13b2dfe8bf..64df897c0ee30 100644 +--- a/arch/x86/include/asm/sparsemem.h ++++ b/arch/x86/include/asm/sparsemem.h +@@ -37,8 +37,6 @@ extern int phys_to_target_node(phys_addr_t start); + #define phys_to_target_node phys_to_target_node + extern int memory_add_physaddr_to_nid(u64 start); + #define memory_add_physaddr_to_nid memory_add_physaddr_to_nid +-extern int numa_fill_memblks(u64 start, u64 end); +-#define numa_fill_memblks numa_fill_memblks + #endif + #endif /* __ASSEMBLY__ */ + +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index dae5c952735c7..c7fa5396c0f05 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -956,6 +956,8 @@ int memory_add_physaddr_to_nid(u64 start) + } + EXPORT_SYMBOL_GPL(memory_add_physaddr_to_nid); + ++#endif ++ + static int __init cmp_memblk(const void *a, const void *b) + { + const struct numa_memblk *ma = *(const struct numa_memblk **)a; +@@ -1028,5 +1030,3 @@ int __init numa_fill_memblks(u64 start, u64 end) + } + return 0; + } +- +-#endif +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index b57de78fbf14f..a44c0761fd1c0 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -206,6 +206,11 @@ int __init srat_disabled(void) + return acpi_numa < 0; + } + ++__weak int __init numa_fill_memblks(u64 start, u64 end) ++{ ++ return NUMA_NO_MEMBLK; ++} ++ + #if defined(CONFIG_X86) || defined(CONFIG_ARM64) || defined(CONFIG_LOONGARCH) + /* + * Callback for SLIT parsing. pxm_to_node() returns NUMA_NO_NODE for +diff --git a/include/linux/numa.h b/include/linux/numa.h +index 8fc218a55be4e..871e7babc2886 100644 +--- a/include/linux/numa.h ++++ b/include/linux/numa.h +@@ -36,12 +36,7 @@ int memory_add_physaddr_to_nid(u64 start); + int phys_to_target_node(u64 start); + #endif + +-#ifndef numa_fill_memblks +-static inline int __init numa_fill_memblks(u64 start, u64 end) +-{ +- return NUMA_NO_MEMBLK; +-} +-#endif ++int numa_fill_memblks(u64 start, u64 end); + + #else /* !CONFIG_NUMA */ + static inline int numa_map_to_online_node(int node) +-- +2.43.0 + diff --git a/queue-6.1/x86-pat-fix-w-x-violation-false-positives-when-runni.patch b/queue-6.1/x86-pat-fix-w-x-violation-false-positives-when-runni.patch new file mode 100644 index 00000000000..0aae1a97839 --- /dev/null +++ b/queue-6.1/x86-pat-fix-w-x-violation-false-positives-when-runni.patch @@ -0,0 +1,144 @@ +From c5bd29d278ffbb205222a08832f6a24a09e354b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:58 +0200 +Subject: x86/pat: Fix W^X violation false-positives when running as Xen PV + guest + +From: Juergen Gross + +[ Upstream commit 5bc8b0f5dac04cd4ebe47f8090a5942f2f2647ef ] + +When running as Xen PV guest in some cases W^X violation WARN()s have +been observed. Those WARN()s are produced by verify_rwx(), which looks +into the PTE to verify that writable kernel pages have the NX bit set +in order to avoid code modifications of the kernel by rogue code. + +As the NX bits of all levels of translation entries are or-ed and the +RW bits of all levels are and-ed, looking just into the PTE isn't enough +for the decision that a writable page is executable, too. + +When running as a Xen PV guest, the direct map PMDs and kernel high +map PMDs share the same set of PTEs. Xen kernel initialization will set +the NX bit in the direct map PMD entries, and not the shared PTEs. + +Fixes: 652c5bf380ad ("x86/mm: Refuse W^X violations") +Reported-by: Jason Andryuk +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-5-jgross@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/set_memory.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index cf721614806b9..fd412dec01259 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -583,7 +583,8 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start, + * Validate strict W^X semantics. + */ + static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long start, +- unsigned long pfn, unsigned long npg) ++ unsigned long pfn, unsigned long npg, ++ bool nx, bool rw) + { + unsigned long end; + +@@ -609,6 +610,10 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star + if ((pgprot_val(new) & (_PAGE_RW | _PAGE_NX)) != _PAGE_RW) + return new; + ++ /* Non-leaf translation entries can disable writing or execution. */ ++ if (!rw || nx) ++ return new; ++ + end = start + npg * PAGE_SIZE - 1; + WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n", + (unsigned long long)pgprot_val(old), +@@ -710,7 +715,7 @@ pte_t *lookup_address(unsigned long address, unsigned int *level) + EXPORT_SYMBOL_GPL(lookup_address); + + static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, +- unsigned int *level) ++ unsigned int *level, bool *nx, bool *rw) + { + pgd_t *pgd; + +@@ -719,7 +724,7 @@ static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, + else + pgd = cpa->pgd + pgd_index(address); + +- return lookup_address_in_pgd(pgd, address, level); ++ return lookup_address_in_pgd_attr(pgd, address, level, nx, rw); + } + + /* +@@ -843,12 +848,13 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, + pgprot_t old_prot, new_prot, req_prot, chk_prot; + pte_t new_pte, *tmp; + enum pg_level level; ++ bool nx, rw; + + /* + * Check for races, another CPU might have split this page + * up already: + */ +- tmp = _lookup_address_cpa(cpa, address, &level); ++ tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (tmp != kpte) + return 1; + +@@ -959,7 +965,8 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, + new_prot = static_protections(req_prot, lpaddr, old_pfn, numpages, + psize, CPA_DETECT); + +- new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages); ++ new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages, ++ nx, rw); + + /* + * If there is a conflict, split the large page. +@@ -1040,6 +1047,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, + pte_t *pbase = (pte_t *)page_address(base); + unsigned int i, level; + pgprot_t ref_prot; ++ bool nx, rw; + pte_t *tmp; + + spin_lock(&pgd_lock); +@@ -1047,7 +1055,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, + * Check for races, another CPU might have split this page + * up for us already: + */ +- tmp = _lookup_address_cpa(cpa, address, &level); ++ tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (tmp != kpte) { + spin_unlock(&pgd_lock); + return 1; +@@ -1588,10 +1596,11 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) + int do_split, err; + unsigned int level; + pte_t *kpte, old_pte; ++ bool nx, rw; + + address = __cpa_addr(cpa, cpa->curpage); + repeat: +- kpte = _lookup_address_cpa(cpa, address, &level); ++ kpte = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (!kpte) + return __cpa_process_fault(cpa, address, primary); + +@@ -1613,7 +1622,8 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) + new_prot = static_protections(new_prot, address, pfn, 1, 0, + CPA_PROTECT); + +- new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1); ++ new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1, ++ nx, rw); + + new_prot = pgprot_clear_protnone_bits(new_prot); + +-- +2.43.0 + diff --git a/queue-6.1/x86-pat-introduce-lookup_address_in_pgd_attr.patch b/queue-6.1/x86-pat-introduce-lookup_address_in_pgd_attr.patch new file mode 100644 index 00000000000..1ce333c4bb1 --- /dev/null +++ b/queue-6.1/x86-pat-introduce-lookup_address_in_pgd_attr.patch @@ -0,0 +1,127 @@ +From 81176b3e0b19728613b3fa6efe4d3522c6726a90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:55 +0200 +Subject: x86/pat: Introduce lookup_address_in_pgd_attr() + +From: Juergen Gross + +[ Upstream commit ceb647b4b529fdeca9021cd34486f5a170746bda ] + +Add lookup_address_in_pgd_attr() doing the same as the already +existing lookup_address_in_pgd(), but returning the effective settings +of the NX and RW bits of all walked page table levels, too. + +This will be needed in order to match hardware behavior when looking +for effective access rights, especially for detecting writable code +pages. + +In order to avoid code duplication, let lookup_address_in_pgd() call +lookup_address_in_pgd_attr() with dummy parameters. + +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-2-jgross@suse.com +Stable-dep-of: 5bc8b0f5dac0 ("x86/pat: Fix W^X violation false-positives when running as Xen PV guest") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable_types.h | 2 ++ + arch/x86/mm/pat/set_memory.c | 33 +++++++++++++++++++++++++--- + 2 files changed, 32 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index f0b9b37c4609b..e3028373f0b45 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -544,6 +544,8 @@ static inline void update_page_count(int level, unsigned long pages) { } + extern pte_t *lookup_address(unsigned long address, unsigned int *level); + extern pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + unsigned int *level); ++pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, ++ unsigned int *level, bool *nx, bool *rw); + extern pmd_t *lookup_pmd_address(unsigned long address); + extern phys_addr_t slow_virt_to_phys(void *__address); + extern int __init kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index 68d4f328f1696..a26a9e3608cb2 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -625,20 +625,26 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star + + /* + * Lookup the page table entry for a virtual address in a specific pgd. +- * Return a pointer to the entry and the level of the mapping. ++ * Return a pointer to the entry, the level of the mapping, and the effective ++ * NX and RW bits of all page table levels. + */ +-pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, +- unsigned int *level) ++pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, ++ unsigned int *level, bool *nx, bool *rw) + { + p4d_t *p4d; + pud_t *pud; + pmd_t *pmd; + + *level = PG_LEVEL_NONE; ++ *nx = false; ++ *rw = true; + + if (pgd_none(*pgd)) + return NULL; + ++ *nx |= pgd_flags(*pgd) & _PAGE_NX; ++ *rw &= pgd_flags(*pgd) & _PAGE_RW; ++ + p4d = p4d_offset(pgd, address); + if (p4d_none(*p4d)) + return NULL; +@@ -647,6 +653,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (p4d_large(*p4d) || !p4d_present(*p4d)) + return (pte_t *)p4d; + ++ *nx |= p4d_flags(*p4d) & _PAGE_NX; ++ *rw &= p4d_flags(*p4d) & _PAGE_RW; ++ + pud = pud_offset(p4d, address); + if (pud_none(*pud)) + return NULL; +@@ -655,6 +664,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (pud_large(*pud) || !pud_present(*pud)) + return (pte_t *)pud; + ++ *nx |= pud_flags(*pud) & _PAGE_NX; ++ *rw &= pud_flags(*pud) & _PAGE_RW; ++ + pmd = pmd_offset(pud, address); + if (pmd_none(*pmd)) + return NULL; +@@ -663,11 +675,26 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (pmd_large(*pmd) || !pmd_present(*pmd)) + return (pte_t *)pmd; + ++ *nx |= pmd_flags(*pmd) & _PAGE_NX; ++ *rw &= pmd_flags(*pmd) & _PAGE_RW; ++ + *level = PG_LEVEL_4K; + + return pte_offset_kernel(pmd, address); + } + ++/* ++ * Lookup the page table entry for a virtual address in a specific pgd. ++ * Return a pointer to the entry and the level of the mapping. ++ */ ++pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, ++ unsigned int *level) ++{ ++ bool nx, rw; ++ ++ return lookup_address_in_pgd_attr(pgd, address, level, &nx, &rw); ++} ++ + /* + * Lookup the page table entry for a virtual address. Return a pointer + * to the entry and the level of the mapping. +-- +2.43.0 + diff --git a/queue-6.1/x86-pat-restructure-_lookup_address_cpa.patch b/queue-6.1/x86-pat-restructure-_lookup_address_cpa.patch new file mode 100644 index 00000000000..06dac33b75b --- /dev/null +++ b/queue-6.1/x86-pat-restructure-_lookup_address_cpa.patch @@ -0,0 +1,51 @@ +From 4e6ae4cbe0a28f50afc9febd1f2dd6ffb4a44bee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:57 +0200 +Subject: x86/pat: Restructure _lookup_address_cpa() + +From: Juergen Gross + +[ Upstream commit 02eac06b820c3eae73e5736ae62f986d37fed991 ] + +Modify _lookup_address_cpa() to no longer use lookup_address(), but +only lookup_address_in_pgd(). + +This is done in preparation of using lookup_address_in_pgd_attr(). + +No functional change intended. + +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-4-jgross@suse.com +Stable-dep-of: 5bc8b0f5dac0 ("x86/pat: Fix W^X violation false-positives when running as Xen PV guest") +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/set_memory.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index a26a9e3608cb2..cf721614806b9 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -712,11 +712,14 @@ EXPORT_SYMBOL_GPL(lookup_address); + static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, + unsigned int *level) + { +- if (cpa->pgd) +- return lookup_address_in_pgd(cpa->pgd + pgd_index(address), +- address, level); ++ pgd_t *pgd; ++ ++ if (!cpa->pgd) ++ pgd = pgd_offset_k(address); ++ else ++ pgd = cpa->pgd + pgd_index(address); + +- return lookup_address(address, level); ++ return lookup_address_in_pgd(pgd, address, level); + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/x86-purgatory-switch-to-the-position-independent-sma.patch b/queue-6.1/x86-purgatory-switch-to-the-position-independent-sma.patch new file mode 100644 index 00000000000..be346d527ba --- /dev/null +++ b/queue-6.1/x86-purgatory-switch-to-the-position-independent-sma.patch @@ -0,0 +1,81 @@ +From 8d1a7fc2805eb3047d901378327d38e8d4490b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 22:17:06 +0200 +Subject: x86/purgatory: Switch to the position-independent small code model + +From: Ard Biesheuvel + +[ Upstream commit cba786af84a0f9716204e09f518ce3b7ada8555e ] + +On x86, the ordinary, position dependent small and kernel code models +only support placement of the executable in 32-bit addressable memory, +due to the use of 32-bit signed immediates to generate references to +global variables. For the kernel, this implies that all global variables +must reside in the top 2 GiB of the kernel virtual address space, where +the implicit address bits 63:32 are equal to sign bit 31. + +This means the kernel code model is not suitable for other bare metal +executables such as the kexec purgatory, which can be placed arbitrarily +in the physical address space, where its address may no longer be +representable as a sign extended 32-bit quantity. For this reason, +commit + + e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") + +switched to the large code model, which uses 64-bit immediates for all +symbol references, including function calls, in order to avoid relying +on any assumptions regarding proximity of symbols in the final +executable. + +The large code model is rarely used, clunky and the least likely to +operate in a similar fashion when comparing GCC and Clang, so it is best +avoided. This is especially true now that Clang 18 has started to emit +executable code in two separate sections (.text and .ltext), which +triggers an issue in the kexec loading code at runtime. + +The SUSE bugzilla fixes tag points to gcc 13 having issues with the +large model too and that perhaps the large model should simply not be +used at all. + +Instead, use the position independent small code model, which makes no +assumptions about placement but only about proximity, where all +referenced symbols must be within -/+ 2 GiB, i.e., in range for a +RIP-relative reference. Use hidden visibility to suppress the use of a +GOT, which carries absolute addresses that are not covered by static ELF +relocations, and is therefore incompatible with the kexec loader's +relocation logic. + + [ bp: Massage commit message. ] + +Fixes: e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1211853 +Closes: https://github.com/ClangBuiltLinux/linux/issues/2016 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Acked-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/all/20240417-x86-fix-kexec-with-llvm-18-v1-0-5383121e8fb7@kernel.org/ +Signed-off-by: Sasha Levin +--- + arch/x86/purgatory/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile +index d28e0987aa85b..ebb1b786591d5 100644 +--- a/arch/x86/purgatory/Makefile ++++ b/arch/x86/purgatory/Makefile +@@ -42,7 +42,8 @@ KCOV_INSTRUMENT := n + # make up the standalone purgatory.ro + + PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel +-PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS := -mcmodel=small -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS += -fpic -fvisibility=hidden + PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING + PURGATORY_CFLAGS += -fno-stack-protector + +-- +2.43.0 +