From: Greg Kroah-Hartman
Date: Mon, 24 Jun 2024 17:49:11 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.96~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=081a06b0f4ef44fb1891301a0e83a8abbc9c4258;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch
	alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch
	alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch
	arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
	btrfs-retry-block-group-reclaim-without-infinite-loop.patch
	cifs-fix-typo-in-module-parameter-enable_gcm_256.patch
	drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch
	drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch
	drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch
	dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch
	dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
	dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
	efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
	gcov-add-support-for-gcc-14.patch
	i2c-ocores-set-iack-bit-after-core-is-enabled.patch
	kcov-don-t-lose-track-of-remote-references-during-softirqs.patch
	kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch
	kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch
	kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch
	loongarch-fix-multiple-hardware-watchpoint-issues.patch
	loongarch-fix-watchpoint-setting-error.patch
	loongarch-trigger-user-space-watchpoints-correctly.patch
	mips-pci-lantiq-restore-reset-gpio-polarity.patch
	mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
	mm-page_table_check-fix-crash-on-zone_device.patch
	net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch
	net-stmmac-assign-configured-channel-value-to-extts-event.patch
net-usb-ax88179_178a-improve-reset-check.patch ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch ovl-fix-encoding-fid-for-lower-only-root.patch rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch rdma-mlx5-remove-extra-unlock-on-error-path.patch rdma-rxe-fix-data-copy-for-ib_send_inline.patch scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch serial-8250_dw-revert-move-definitions-to-the-shared-header.patch spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch --- diff --git a/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch new file mode 100644 index 00000000000..687c651b1f3 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch 
@@ -0,0 +1,34 @@ +From ad22051afdad962b6012f3823d0ed1a735935386 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pablo=20Ca=C3=B1o?= +Date: Thu, 20 Jun 2024 17:25:33 +0200 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pablo Caño + +commit ad22051afdad962b6012f3823d0ed1a735935386 upstream. + +Lenovo Yoga Pro 7 14AHP9 (PCI SSID 17aa:3891) seems requiring a similar workaround like Yoga 9 model and Yoga 7 Pro 14APH8 for the bass speaker. + +Cc: +Link: https://lore.kernel.org/all/20231207182035.30248-1-tiwai@suse.de/ +Signed-off-by: Pablo Caño +Link: https://patch.msgid.link/20240620152533.76712-1-pablocpascual@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10270,6 +10270,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x3882, "Lenovo Yoga Pro 7 14APH8", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3884, "Y780 YG DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3886, "Y780 VECO DUAL", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x3891, "Lenovo Yoga Pro 7 14AHP9", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x38a7, "Y780P AMD YG dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38a8, "Y780P AMD VECO dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38ba, "Yoga S780-14.5 Air AMD quad YC", ALC287_FIXUP_TAS2781_I2C), diff --git a/queue-6.6/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch b/queue-6.6/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch new file mode 100644 index 00000000000..112c8023835 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch 
@@ -0,0 +1,34 @@ +From ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a Mon Sep 17 00:00:00 2001 +From: Andy Chi +Date: Wed, 5 Jun 2024 17:22:41 +0800 +Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11. + +From: Andy Chi + +commit ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a upstream. + +HP ProBook 445/465 G11 needs ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to +make mic-mute/audio-mute working. + +Signed-off-by: Andy Chi +Cc: +Link: https://lore.kernel.org/r/20240605092243.41963-1-andy.chi@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9959,6 +9959,10 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c7b, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8c7c, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8c7d, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8c7e, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8c89, "HP ProBook 460 G11", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c8a, "HP EliteBook 630", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c8c, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.6/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch b/queue-6.6/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch new file mode 100644 index 00000000000..ff92ba5d286 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch 
@@ -0,0 +1,31 @@ +From 86a433862912f52597263aa224a9ed82bcd533bf Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Wed, 5 Jun 2024 12:39:23 -0300 +Subject: ALSA: hda/realtek: Limit mic boost on N14AP7 + +From: Edson Juliano Drosdeck + +commit 86a433862912f52597263aa224a9ed82bcd533bf upstream. + +The internal mic boost on the N14AP7 is too high. Fix this by applying the +ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine to limit the gain. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://lore.kernel.org/r/20240605153923.2837-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10316,6 +10316,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */ + SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802), + SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X), ++ SND_PCI_QUIRK(0x1c6c, 0x122a, "Positivo N14AP7", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1c6c, 0x1251, "Positivo N14KP6-TG", ALC288_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS), + SND_PCI_QUIRK(0x1d05, 0x1096, "TongFang GMxMRxx", ALC269_FIXUP_NO_SHUTUP), diff --git a/queue-6.6/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch b/queue-6.6/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch new file mode 100644 index 00000000000..b316ad4de27 --- /dev/null +++ b/queue-6.6/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch 
@@ -0,0 +1,32 @@ +From dfd239a039b3581ca25f932e66b6e2c2bf77c798 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Fri, 14 Jun 2024 11:06:32 -0400 +Subject: arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc + +From: Frank Li + +commit dfd239a039b3581ca25f932e66b6e2c2bf77c798 upstream. + +The gpio in "reg_usdhc2_vmmc" should be 7 instead of 19. + +Cc: stable@vger.kernel.org +Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support") +Reviewed-by: Peng Fan +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts ++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +@@ -36,7 +36,7 @@ + regulator-name = "SD1_SPWR"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3000000>; +- gpio = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>; ++ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>; + enable-active-high; + }; + }; diff --git a/queue-6.6/btrfs-retry-block-group-reclaim-without-infinite-loop.patch b/queue-6.6/btrfs-retry-block-group-reclaim-without-infinite-loop.patch new file mode 100644 index 00000000000..c8b5e9cb914 --- /dev/null +++ b/queue-6.6/btrfs-retry-block-group-reclaim-without-infinite-loop.patch 
@@ -0,0 +1,66 @@ +From 4eb4e85c4f818491efc67e9373aa16b123c3f522 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Fri, 7 Jun 2024 12:50:14 -0700 +Subject: btrfs: retry block group reclaim without infinite loop + +From: Boris Burkov + +commit 4eb4e85c4f818491efc67e9373aa16b123c3f522 upstream. + +If inc_block_group_ro systematically fails (e.g. due to ETXTBUSY from +swap) or btrfs_relocate_chunk systematically fails (from lack of +space), then this worker becomes an infinite loop. + +At the very least, this strands the cleaner thread, but can also result +in hung tasks/RCU stalls on PREEMPT_NONE kernels and if the +reclaim_bgs_lock mutex is not contended. + +I believe the best long term fix is to manage reclaim via work queue, +where we queue up a relocation on the triggering condition and re-queue +on failure. In the meantime, this is an easy fix to apply to avoid the +immediate pain. + +Fixes: 7e2718099438 ("btrfs: reinsert BGs failed to reclaim") +CC: stable@vger.kernel.org # 6.6+ +Signed-off-by: Boris Burkov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1788,6 +1788,7 @@ void btrfs_reclaim_bgs_work(struct work_ + container_of(work, struct btrfs_fs_info, reclaim_bgs_work); + struct btrfs_block_group *bg; + struct btrfs_space_info *space_info; ++ LIST_HEAD(retry_list); + + if (!test_bit(BTRFS_FS_OPEN, &fs_info->flags)) + return; +@@ -1924,8 +1925,11 @@ void btrfs_reclaim_bgs_work(struct work_ + } + + next: +- if (ret) +- btrfs_mark_bg_to_reclaim(bg); ++ if (ret) { ++ /* Refcount held by the reclaim_bgs list after splice. 
*/ ++ btrfs_get_block_group(bg); ++ list_add_tail(&bg->bg_list, &retry_list); ++ } + btrfs_put_block_group(bg); + + mutex_unlock(&fs_info->reclaim_bgs_lock); +@@ -1945,6 +1949,9 @@ next: + spin_unlock(&fs_info->unused_bgs_lock); + mutex_unlock(&fs_info->reclaim_bgs_lock); + end: ++ spin_lock(&fs_info->unused_bgs_lock); ++ list_splice_tail(&retry_list, &fs_info->reclaim_bgs); ++ spin_unlock(&fs_info->unused_bgs_lock); + btrfs_exclop_finish(fs_info); + sb_end_write(fs_info->sb); + } diff --git a/queue-6.6/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch b/queue-6.6/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch new file mode 100644 index 00000000000..9f9ba115935 --- /dev/null +++ b/queue-6.6/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch 
@@ -0,0 +1,32 @@ +From 8bf0287528da1992c5e49d757b99ad6bbc34b522 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 19 Jun 2024 14:46:48 -0500 +Subject: cifs: fix typo in module parameter enable_gcm_256 + +From: Steve French + +commit 8bf0287528da1992c5e49d757b99ad6bbc34b522 upstream. + +enable_gcm_256 (which allows the server to require the strongest +encryption) is enabled by default, but the modinfo description +incorrectly showed it disabled by default. Fix the typo. + +Cc: stable@vger.kernel.org +Fixes: fee742b50289 ("smb3.1.1: enable negotiating stronger encryption by default") +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -133,7 +133,7 @@ module_param(enable_oplocks, bool, 0644) + MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); + + module_param(enable_gcm_256, bool, 0644); +-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0"); ++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); + + module_param(require_gcm_256, bool, 0644); + MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); diff --git a/queue-6.6/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch b/queue-6.6/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch new file mode 100644 index 00000000000..c74dc2ef616 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch 
@@ -0,0 +1,31 @@ +From f0d576f840153392d04b2d52cf3adab8f62e8cb6 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 20 May 2024 09:05:21 -0400 +Subject: drm/amdgpu: fix UBSAN warning in kv_dpm.c + +From: Alex Deucher + +commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 upstream. + +Adds bounds check for sumo_vid_mapping_entry. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392 +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c +@@ -164,6 +164,8 @@ static void sumo_construct_vid_mapping_t + + for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) { + if (table[i].ulSupportedSCLK != 0) { ++ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES) ++ continue; + vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit = + table[i].usVoltageID; + vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit = diff --git a/queue-6.6/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch b/queue-6.6/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch new file mode 100644 index 00000000000..a8097271f97 --- /dev/null +++ b/queue-6.6/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch 
@@ -0,0 +1,44 @@ +From 49cc17967be95d64606d5684416ee51eec35e84a Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Fri, 14 Jun 2024 17:23:11 +0300 +Subject: drm/i915/mso: using joiner is not possible with eDP MSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit 49cc17967be95d64606d5684416ee51eec35e84a upstream. + +It's not possible to use the joiner at the same time with eDP MSO. When +a panel needs MSO, it's not optional, so MSO trumps joiner. + +v3: Only change intel_dp_has_joiner(), leave debugfs alone (Ville) + +Fixes: bc71194e8897 ("drm/i915/edp: enable eDP MSO during link training") +Cc: # v5.13+ +Cc: Ville Syrjala +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1668 +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240614142311.589089-1-jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit 8b5a92ca24eb96bb71e2a55e352687487d87687f) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -393,6 +393,10 @@ bool intel_dp_can_bigjoiner(struct intel + struct intel_encoder *encoder = &intel_dig_port->base; + struct drm_i915_private *dev_priv = to_i915(encoder->base.dev); + ++ /* eDP MSO is not compatible with joiner */ ++ if (intel_dp->mso_link_count) ++ return false; ++ + return DISPLAY_VER(dev_priv) >= 12 || + (DISPLAY_VER(dev_priv) == 11 && + encoder->port != PORT_A); diff --git a/queue-6.6/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch b/queue-6.6/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch new file mode 100644 index 00000000000..47aada28bf8 --- /dev/null +++ b/queue-6.6/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch 
@@ -0,0 +1,30 @@ +From a498df5421fd737d11bfd152428ba6b1c8538321 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 20 May 2024 09:11:45 -0400 +Subject: drm/radeon: fix UBSAN warning in kv_dpm.c + +From: Alex Deucher + +commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream. + +Adds bounds check for sumo_vid_mapping_entry. + +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/sumo_dpm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/radeon/sumo_dpm.c ++++ b/drivers/gpu/drm/radeon/sumo_dpm.c +@@ -1621,6 +1621,8 @@ void sumo_construct_vid_mapping_table(st + + for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) { + if (table[i].ulSupportedSCLK != 0) { ++ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES) ++ continue; + vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit = + table[i].usVoltageID; + vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit = diff --git a/queue-6.6/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch b/queue-6.6/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch new file mode 100644 index 00000000000..d1adef7c4ec --- /dev/null +++ b/queue-6.6/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch 
@@ -0,0 +1,37 @@ +From 1345a13f18370ad9e5bc98995959a27f9bd71464 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 21 May 2024 10:30:02 +0200 +Subject: dt-bindings: dma: fsl-edma: fix dma-channels constraints + +From: Krzysztof Kozlowski + +commit 1345a13f18370ad9e5bc98995959a27f9bd71464 upstream. + +dma-channels is a number, not a list. Apply proper constraints on the +actual number. + +Fixes: 6eb439dff645 ("dt-bindings: fsl-dma: fsl-edma: add edma3 compatible string") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Peng Fan +Acked-by: Rob Herring (Arm) +Link: https://lore.kernel.org/r/20240521083002.23262-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/dma/fsl,edma.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/dma/fsl,edma.yaml ++++ b/Documentation/devicetree/bindings/dma/fsl,edma.yaml +@@ -47,8 +47,8 @@ properties: + - 3 + + dma-channels: +- minItems: 1 +- maxItems: 64 ++ minimum: 1 ++ maximum: 64 + + clocks: + minItems: 1 diff --git a/queue-6.6/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch b/queue-6.6/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch new file mode 100644 index 00000000000..75fc3115f0d --- /dev/null +++ b/queue-6.6/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch 
@@ -0,0 +1,33 @@ +From d4e001ffeccfc128c715057e866f301ac9b95728 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 20 Jun 2024 13:34:49 +0200 +Subject: dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema + +From: Krzysztof Kozlowski + +commit d4e001ffeccfc128c715057e866f301ac9b95728 upstream. + +The referenced i2c-controller.yaml schema is provided by dtschema +package (outside of Linux kernel), so use full path to reference it. + +Cc: stable@vger.kernel.org +Fixes: 7ea75dd386be ("dt-bindings: i2c: convert i2c-at91 to json-schema") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Conor Dooley +Signed-off-by: Andi Shyti +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml ++++ b/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml +@@ -75,7 +75,7 @@ required: + - clocks + + allOf: +- - $ref: i2c-controller.yaml ++ - $ref: /schemas/i2c/i2c-controller.yaml# + - if: + properties: + compatible: diff --git a/queue-6.6/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch b/queue-6.6/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch new file mode 100644 index 00000000000..5d202edeb9f --- /dev/null +++ b/queue-6.6/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch 
@@ -0,0 +1,33 @@ +From 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 20 Jun 2024 13:34:50 +0200 +Subject: dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema + +From: Krzysztof Kozlowski + +commit 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 upstream. + +The referenced i2c-controller.yaml schema is provided by dtschema +package (outside of Linux kernel), so use full path to reference it. + +Cc: stable@vger.kernel.org +Fixes: 1acd4577a66f ("dt-bindings: i2c: convert i2c-cros-ec-tunnel to json-schema") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Conor Dooley +Signed-off-by: Andi Shyti +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml ++++ b/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml +@@ -21,7 +21,7 @@ description: | + google,cros-ec-spi or google,cros-ec-i2c. + + allOf: +- - $ref: i2c-controller.yaml# ++ - $ref: /schemas/i2c/i2c-controller.yaml# + + properties: + compatible: diff --git a/queue-6.6/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch b/queue-6.6/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch new file mode 100644 index 00000000000..d807647ba76 --- /dev/null +++ b/queue-6.6/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch 
@@ -0,0 +1,109 @@ +From 75dde792d6f6c2d0af50278bd374bf0c512fe196 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 10 Jun 2024 16:02:13 +0200 +Subject: efi/x86: Free EFI memory map only when installing a new one. + +From: Ard Biesheuvel + +commit 75dde792d6f6c2d0af50278bd374bf0c512fe196 upstream. + +The logic in __efi_memmap_init() is shared between two different +execution flows: +- mapping the EFI memory map early or late into the kernel VA space, so + that its entries can be accessed; +- the x86 specific cloning of the EFI memory map in order to insert new + entries that are created as a result of making a memory reservation + via a call to efi_mem_reserve(). + +In the former case, the underlying memory containing the kernel's view +of the EFI memory map (which may be heavily modified by the kernel +itself on x86) is not modified at all, and the only thing that changes +is the virtual mapping of this memory, which is different between early +and late boot. + +In the latter case, an entirely new allocation is created that carries a +new, updated version of the kernel's view of the EFI memory map. When +installing this new version, the old version will no longer be +referenced, and if the memory was allocated by the kernel, it will leak +unless it gets freed. + +The logic that implements this freeing currently lives on the code path +that is shared between these two use cases, but it should only apply to +the latter. So move it to the correct spot. + +While at it, drop the dummy definition for non-x86 architectures, as +that is no longer needed. 
+ +Cc: +Fixes: f0ef6523475f ("efi: Fix efi_memmap_alloc() leaks") +Tested-by: Ashish Kalra +Link: https://lore.kernel.org/all/36ad5079-4326-45ed-85f6-928ff76483d3@amd.com +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/efi.h | 1 - + arch/x86/platform/efi/memmap.c | 12 +++++++++++- + drivers/firmware/efi/memmap.c | 9 --------- + 3 files changed, 11 insertions(+), 11 deletions(-) + +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -410,7 +410,6 @@ extern int __init efi_memmap_alloc(unsig + struct efi_memory_map_data *data); + extern void __efi_memmap_free(u64 phys, unsigned long size, + unsigned long flags); +-#define __efi_memmap_free __efi_memmap_free + + extern int __init efi_memmap_install(struct efi_memory_map_data *data); + extern int __init efi_memmap_split_count(efi_memory_desc_t *md, +--- a/arch/x86/platform/efi/memmap.c ++++ b/arch/x86/platform/efi/memmap.c +@@ -92,12 +92,22 @@ int __init efi_memmap_alloc(unsigned int + */ + int __init efi_memmap_install(struct efi_memory_map_data *data) + { ++ unsigned long size = efi.memmap.desc_size * efi.memmap.nr_map; ++ unsigned long flags = efi.memmap.flags; ++ u64 phys = efi.memmap.phys_map; ++ int ret; ++ + efi_memmap_unmap(); + + if (efi_enabled(EFI_PARAVIRT)) + return 0; + +- return __efi_memmap_init(data); ++ ret = __efi_memmap_init(data); ++ if (ret) ++ return ret; ++ ++ __efi_memmap_free(phys, size, flags); ++ return 0; + } + + /** +--- a/drivers/firmware/efi/memmap.c ++++ b/drivers/firmware/efi/memmap.c +@@ -15,10 +15,6 @@ + #include + #include + +-#ifndef __efi_memmap_free +-#define __efi_memmap_free(phys, size, flags) do { } while (0) +-#endif +- + /** + * __efi_memmap_init - Common code for mapping the EFI memory map + * @data: EFI memory map data +@@ -51,11 +47,6 @@ int __init __efi_memmap_init(struct efi_ + return -ENOMEM; + } + +- if (efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB)) +- __efi_memmap_free(efi.memmap.phys_map, 
+- efi.memmap.desc_size * efi.memmap.nr_map, +- efi.memmap.flags); +- + map.phys_map = data->phys_map; + map.nr_map = data->size / data->desc_size; + map.map_end = map.map + data->size; diff --git a/queue-6.6/gcov-add-support-for-gcc-14.patch b/queue-6.6/gcov-add-support-for-gcc-14.patch new file mode 100644 index 00000000000..c79dac8534c --- /dev/null +++ b/queue-6.6/gcov-add-support-for-gcc-14.patch @@ -0,0 +1,40 @@ +From c1558bc57b8e5b4da5d821537cd30e2e660861d8 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Mon, 10 Jun 2024 11:27:43 +0200 +Subject: gcov: add support for GCC 14 + +From: Peter Oberparleiter + +commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream. + +Using gcov on kernels compiled with GCC 14 results in truncated 16-byte +long .gcda files with no usable data. To fix this, update GCOV_COUNTERS +to match the value defined by GCC 14. + +Tested with GCC versions 14.1.0 and 13.2.0. + +Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com +Signed-off-by: Peter Oberparleiter +Reported-by: Allison Henderson +Reported-by: Chuck Lever III +Tested-by: Chuck Lever +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/gcov/gcc_4_7.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/gcov/gcc_4_7.c ++++ b/kernel/gcov/gcc_4_7.c +@@ -18,7 +18,9 @@ + #include + #include "gcov.h" + +-#if (__GNUC__ >= 10) ++#if (__GNUC__ >= 14) ++#define GCOV_COUNTERS 9 ++#elif (__GNUC__ >= 10) + #define GCOV_COUNTERS 8 + #elif (__GNUC__ >= 7) + #define GCOV_COUNTERS 9 diff --git a/queue-6.6/i2c-ocores-set-iack-bit-after-core-is-enabled.patch b/queue-6.6/i2c-ocores-set-iack-bit-after-core-is-enabled.patch new file mode 100644 index 00000000000..a1e5dadd98b --- /dev/null +++ b/queue-6.6/i2c-ocores-set-iack-bit-after-core-is-enabled.patch 
@@ -0,0 +1,39 @@ +From 5a72477273066b5b357801ab2d315ef14949d402 Mon Sep 17 00:00:00 2001 +From: Grygorii Tertychnyi +Date: Mon, 20 May 2024 17:39:32 +0200 +Subject: i2c: ocores: set IACK bit after core is enabled + +From: Grygorii Tertychnyi + +commit 5a72477273066b5b357801ab2d315ef14949d402 upstream. + +Setting IACK bit when core is disabled does not clear the "Interrupt Flag" +bit in the status register, and the interrupt remains pending. + +Sometimes it causes failure for the very first message transfer, that is +usually a device probe. + +Hence, set IACK bit after core is enabled to clear pending interrupt. + +Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller") +Signed-off-by: Grygorii Tertychnyi +Acked-by: Peter Korsgaard +Cc: stable@vger.kernel.org +Signed-off-by: Andi Shyti +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-ocores.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-ocores.c ++++ b/drivers/i2c/busses/i2c-ocores.c +@@ -442,8 +442,8 @@ static int ocores_init(struct device *de + oc_setreg(i2c, OCI2C_PREHIGH, prescale >> 8); + + /* Init the device */ +- oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK); + oc_setreg(i2c, OCI2C_CONTROL, ctrl | OCI2C_CTRL_EN); ++ oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK); + + return 0; + } diff --git a/queue-6.6/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch b/queue-6.6/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch new file mode 100644 index 00000000000..d84549efc1f --- /dev/null +++ b/queue-6.6/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch 
@@ -0,0 +1,79 @@ +From 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c Mon Sep 17 00:00:00 2001 +From: Aleksandr Nogikh +Date: Tue, 11 Jun 2024 15:32:29 +0200 +Subject: kcov: don't lose track of remote references during softirqs + +From: Aleksandr Nogikh + +commit 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c upstream. + +In kcov_remote_start()/kcov_remote_stop(), we swap the previous KCOV +metadata of the current task into a per-CPU variable. However, the +kcov_mode_enabled(mode) check is not sufficient in the case of remote KCOV +coverage: current->kcov_mode always remains KCOV_MODE_DISABLED for remote +KCOV objects. + +If the original task that has invoked the KCOV_REMOTE_ENABLE ioctl happens +to get interrupted and kcov_remote_start() is called, it ultimately leads +to kcov_remote_stop() NOT restoring the original KCOV reference. So when +the task exits, all registered remote KCOV handles remain active forever. + +The most uncomfortable effect (at least for syzkaller) is that the bug +prevents the reuse of the same /sys/kernel/debug/kcov descriptor. If +we obtain it in the parent process and then e.g. drop some +capabilities and continuously fork to execute individual programs, at +some point current->kcov of the forked process is lost, +kcov_task_exit() takes no action, and all KCOV_REMOTE_ENABLE ioctls +calls from subsequent forks fail. + +And, yes, the efficiency is also affected if we keep on losing remote +kcov objects. +a) kcov_remote_map keeps on growing forever. +b) (If I'm not mistaken), we're also not freeing the memory referenced +by kcov->area. + +Fix it by introducing a special kcov_mode that is assigned to the task +that owns a KCOV remote object. It makes kcov_mode_enabled() return true +and yet does not trigger coverage collection in __sanitizer_cov_trace_pc() +and write_comp_data(). 
+ +[nogikh@google.com: replace WRITE_ONCE() with an ordinary assignment] + Link: https://lkml.kernel.org/r/20240614171221.2837584-1-nogikh@google.com +Link: https://lkml.kernel.org/r/20240611133229.527822-1-nogikh@google.com +Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts") +Signed-off-by: Aleksandr Nogikh +Reviewed-by: Dmitry Vyukov +Reviewed-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Cc: Alexander Potapenko +Cc: Arnd Bergmann +Cc: Marco Elver +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kcov.h | 2 ++ + kernel/kcov.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/include/linux/kcov.h ++++ b/include/linux/kcov.h +@@ -21,6 +21,8 @@ enum kcov_mode { + KCOV_MODE_TRACE_PC = 2, + /* Collecting comparison operands mode. */ + KCOV_MODE_TRACE_CMP = 3, ++ /* The process owns a KCOV remote reference. */ ++ KCOV_MODE_REMOTE = 4, + }; + + #define KCOV_IN_CTXSW (1 << 30) +--- a/kernel/kcov.c ++++ b/kernel/kcov.c +@@ -631,6 +631,7 @@ static int kcov_ioctl_locked(struct kcov + return -EINVAL; + kcov->mode = mode; + t->kcov = kcov; ++ t->kcov_mode = KCOV_MODE_REMOTE; + kcov->t = t; + kcov->remote = true; + kcov->remote_size = remote_arg->area_size; diff --git a/queue-6.6/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch b/queue-6.6/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch new file mode 100644 index 00000000000..4e62a415725 --- /dev/null +++ b/queue-6.6/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch 
@@ -0,0 +1,79 @@ +From 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 5 Jun 2024 18:56:37 +0100 +Subject: KVM: arm64: Disassociate vcpus from redistributor region on teardown + +From: Marc Zyngier + +commit 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 upstream. + +When tearing down a redistributor region, make sure we don't have +any dangling pointer to that region stored in a vcpu. + +Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()") +Reported-by: Alexander Potapenko +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240605175637.1635653-1-maz@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-init.c | 2 +- + arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +++++++++++++-- + arch/arm64/kvm/vgic/vgic.h | 2 +- + 3 files changed, 15 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kvm/vgic/vgic-init.c ++++ b/arch/arm64/kvm/vgic/vgic-init.c +@@ -355,7 +355,7 @@ static void kvm_vgic_dist_destroy(struct + + if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { + list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list) +- vgic_v3_free_redist_region(rdreg); ++ vgic_v3_free_redist_region(kvm, rdreg); + INIT_LIST_HEAD(&dist->rd_regions); + } else { + dist->vgic_cpu_base = VGIC_ADDR_UNDEF; +--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c +@@ -942,8 +942,19 @@ free: + return ret; + } + +-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg) ++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg) + { ++ struct kvm_vcpu *vcpu; ++ unsigned long c; ++ ++ lockdep_assert_held(&kvm->arch.config_lock); ++ ++ /* Garbage collect the region */ ++ kvm_for_each_vcpu(c, vcpu, kvm) { ++ if (vcpu->arch.vgic_cpu.rdreg == rdreg) ++ vcpu->arch.vgic_cpu.rdreg = NULL; ++ } ++ + list_del(&rdreg->list); + kfree(rdreg); + } +@@ -968,7 +979,7 @@ int 
vgic_v3_set_redist_base(struct kvm * + + mutex_lock(&kvm->arch.config_lock); + rdreg = vgic_v3_rdist_region_from_index(kvm, index); +- vgic_v3_free_redist_region(rdreg); ++ vgic_v3_free_redist_region(kvm, rdreg); + mutex_unlock(&kvm->arch.config_lock); + return ret; + } +--- a/arch/arm64/kvm/vgic/vgic.h ++++ b/arch/arm64/kvm/vgic/vgic.h +@@ -310,7 +310,7 @@ vgic_v3_rd_region_size(struct kvm *kvm, + + struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm, + u32 index); +-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg); ++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg); + + bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size); + diff --git a/queue-6.6/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch b/queue-6.6/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch new file mode 100644 index 00000000000..1a740127bd0 --- /dev/null +++ b/queue-6.6/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch 
@@ -0,0 +1,96 @@ +From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 10 May 2024 02:23:52 -0700 +Subject: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() + +From: Breno Leitao + +commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream. + +Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the +loads and stores are atomic. In the extremely unlikely scenario the +compiler tears the stores, it's theoretically possible for KVM to attempt +to get a vCPU using an out-of-bounds index, e.g. if the write is split +into multiple 8-bit stores, and is paired with a 32-bit load on a VM with +257 vCPUs: + + CPU0 CPU1 + last_boosted_vcpu = 0xff; + + (last_boosted_vcpu = 0x100) + last_boosted_vcpu[15:8] = 0x01; + i = (last_boosted_vcpu = 0x1ff) + last_boosted_vcpu[7:0] = 0x00; + + vcpu = kvm->vcpu_array[0x1ff]; + +As detected by KCSAN: + + BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] + + write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: + kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm + handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel + vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? + arch/x86/kvm/vmx/vmx.c:6606) kvm_intel + vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm + kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm + kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm + __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) + __x64_sys_ioctl (fs/ioctl.c:890) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: + kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm + handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel + vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? 
+ arch/x86/kvm/vmx/vmx.c:6606) kvm_intel + vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm + kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm + kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm + __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) + __x64_sys_ioctl (fs/ioctl.c:890) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + value changed: 0x00000012 -> 0x00000000 + +Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") +Cc: stable@vger.kernel.org +Signed-off-by: Breno Leitao +Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3813,12 +3813,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m + { + struct kvm *kvm = me->kvm; + struct kvm_vcpu *vcpu; +- int last_boosted_vcpu = me->kvm->last_boosted_vcpu; ++ int last_boosted_vcpu; + unsigned long i; + int yielded = 0; + int try = 3; + int pass; + ++ last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); + kvm_vcpu_set_in_spin_loop(me, true); + /* + * We boost the priority of a VCPU that is runnable but not +@@ -3849,7 +3850,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m + + yielded = kvm_vcpu_yield_to(vcpu); + if (yielded > 0) { +- kvm->last_boosted_vcpu = i; ++ WRITE_ONCE(kvm->last_boosted_vcpu, i); + break; + } else if (yielded < 0) { + try--; diff --git a/queue-6.6/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch b/queue-6.6/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch new file mode 100644 index 00000000000..288744c6d05 --- /dev/null +++ b/queue-6.6/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch 
@@ -0,0 +1,59 @@ +From f3ced000a2df53f4b12849e121769045a81a3b22 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Mon, 10 Jun 2024 18:48:45 -0700 +Subject: KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes + +From: Sean Christopherson + +commit f3ced000a2df53f4b12849e121769045a81a3b22 upstream. + +Sync pending posted interrupts to the IRR prior to re-scanning I/O APIC +routes, irrespective of whether the I/O APIC is emulated by userspace or +by KVM. If a level-triggered interrupt routed through the I/O APIC is +pending or in-service for a vCPU, KVM needs to intercept EOIs on said +vCPU even if the vCPU isn't the destination for the new routing, e.g. if +servicing an interrupt using the old routing races with I/O APIC +reconfiguration. + +Commit fceb3a36c29a ("KVM: x86: ioapic: Fix level-triggered EOI and +userspace I/OAPIC reconfigure race") fixed the common cases, but +kvm_apic_pending_eoi() only checks if an interrupt is in the local +APIC's IRR or ISR, i.e. misses the uncommon case where an interrupt is +pending in the PIR. + +Failure to intercept EOI can manifest as guest hangs with Windows 11 if +the guest uses the RTC as its timekeeping source, e.g. if the VMM doesn't +expose a more modern form of time to the guest. 
+ +Cc: stable@vger.kernel.org +Cc: Adamos Ttofari +Cc: Raghavendra Rao Ananta +Reviewed-by: Jim Mattson +Signed-off-by: Sean Christopherson +Message-ID: <20240611014845.82795-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10456,13 +10456,12 @@ static void vcpu_scan_ioapic(struct kvm_ + + bitmap_zero(vcpu->arch.ioapic_handled_vectors, 256); + ++ static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu); ++ + if (irqchip_split(vcpu->kvm)) + kvm_scan_ioapic_routes(vcpu, vcpu->arch.ioapic_handled_vectors); +- else { +- static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu); +- if (ioapic_in_kernel(vcpu->kvm)) +- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); +- } ++ else if (ioapic_in_kernel(vcpu->kvm)) ++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); + + if (is_guest_mode(vcpu)) + vcpu->arch.load_eoi_exitmap_pending = true; diff --git a/queue-6.6/loongarch-fix-multiple-hardware-watchpoint-issues.patch b/queue-6.6/loongarch-fix-multiple-hardware-watchpoint-issues.patch new file mode 100644 index 00000000000..160df6e5f33 --- /dev/null +++ b/queue-6.6/loongarch-fix-multiple-hardware-watchpoint-issues.patch 
@@ -0,0 +1,197 @@ +From 3eb2a8b23598e90fda43abb0f23cb267bd5018ba Mon Sep 17 00:00:00 2001 +From: Hui Li +Date: Fri, 21 Jun 2024 10:18:40 +0800 +Subject: LoongArch: Fix multiple hardware watchpoint issues + +From: Hui Li + +commit 3eb2a8b23598e90fda43abb0f23cb267bd5018ba upstream. + +In the current code, if multiple hardware breakpoints/watchpoints in +a user-space thread, some of them will not be triggered. + +When debugging the following code using gdb. + +lihui@bogon:~$ cat test.c + #include + int a = 0; + int main() + { + printf("start test\n"); + a = 1; + printf("a = %d\n", a); + printf("end test\n"); + return 0; + } +lihui@bogon:~$ gcc -g test.c -o test +lihui@bogon:~$ gdb test +... +(gdb) start +... +Temporary breakpoint 1, main () at test.c:5 +5 printf("start test\n"); +(gdb) watch a +Hardware watchpoint 2: a +(gdb) hbreak 8 +Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8. +(gdb) c +Continuing. +start test +a = 1 + +Breakpoint 3, main () at test.c:8 +8 printf("end test\n"); +... + +The first hardware watchpoint is not triggered, the root causes are: + +1. In hw_breakpoint_control(), The FWPnCFG1.2.4/MWPnCFG1.2.4 register + settings are not distinguished. They should be set based on hardware + watchpoint functions (fetch or load/store operations). + +2. In breakpoint_handler() and watchpoint_handler(), it doesn't identify + which watchpoint is triggered. So, all watchpoint-related perf_event + callbacks are called and siginfo is sent to the user space. This will + cause user-space unable to determine which watchpoint is triggered. + The kernel need to identity which watchpoint is triggered via MWPS/ + FWPS registers, and then call the corresponding perf event callbacks + to report siginfo to the user-space. + +Modify the relevant code to solve above issues. 
+ +All changes according to the LoongArch Reference Manual: +https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints + +With this patch: + +lihui@bogon:~$ gdb test +... +(gdb) start +... +Temporary breakpoint 1, main () at test.c:5 +5 printf("start test\n"); +(gdb) watch a +Hardware watchpoint 2: a +(gdb) hbreak 8 +Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8. +(gdb) c +Continuing. +start test + +Hardware watchpoint 2: a + +Old value = 0 +New value = 1 +main () at test.c:7 +7 printf("a = %d\n", a); +(gdb) c +Continuing. +a = 1 + +Breakpoint 3, main () at test.c:8 +8 printf("end test\n"); +(gdb) c +Continuing. +end test +[Inferior 1 (process 778) exited normally] + +Cc: stable@vger.kernel.org +Signed-off-by: Hui Li +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/hw_breakpoint.c | 57 +++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 24 deletions(-) + +--- a/arch/loongarch/kernel/hw_breakpoint.c ++++ b/arch/loongarch/kernel/hw_breakpoint.c +@@ -207,15 +207,15 @@ static int hw_breakpoint_control(struct + switch (ops) { + case HW_BREAKPOINT_INSTALL: + /* Set the FWPnCFG/MWPnCFG 1~4 register. 
*/ +- write_wb_reg(CSR_CFG_ADDR, i, 0, info->address); +- write_wb_reg(CSR_CFG_ADDR, i, 1, info->address); +- write_wb_reg(CSR_CFG_MASK, i, 0, info->mask); +- write_wb_reg(CSR_CFG_MASK, i, 1, info->mask); +- write_wb_reg(CSR_CFG_ASID, i, 0, 0); +- write_wb_reg(CSR_CFG_ASID, i, 1, 0); + if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) { ++ write_wb_reg(CSR_CFG_ADDR, i, 0, info->address); ++ write_wb_reg(CSR_CFG_MASK, i, 0, info->mask); ++ write_wb_reg(CSR_CFG_ASID, i, 0, 0); + write_wb_reg(CSR_CFG_CTRL, i, 0, privilege); + } else { ++ write_wb_reg(CSR_CFG_ADDR, i, 1, info->address); ++ write_wb_reg(CSR_CFG_MASK, i, 1, info->mask); ++ write_wb_reg(CSR_CFG_ASID, i, 1, 0); + ctrl = encode_ctrl_reg(info->ctrl); + write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege); + } +@@ -226,14 +226,17 @@ static int hw_breakpoint_control(struct + break; + case HW_BREAKPOINT_UNINSTALL: + /* Reset the FWPnCFG/MWPnCFG 1~4 register. */ +- write_wb_reg(CSR_CFG_ADDR, i, 0, 0); +- write_wb_reg(CSR_CFG_ADDR, i, 1, 0); +- write_wb_reg(CSR_CFG_MASK, i, 0, 0); +- write_wb_reg(CSR_CFG_MASK, i, 1, 0); +- write_wb_reg(CSR_CFG_CTRL, i, 0, 0); +- write_wb_reg(CSR_CFG_CTRL, i, 1, 0); +- write_wb_reg(CSR_CFG_ASID, i, 0, 0); +- write_wb_reg(CSR_CFG_ASID, i, 1, 0); ++ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) { ++ write_wb_reg(CSR_CFG_ADDR, i, 0, 0); ++ write_wb_reg(CSR_CFG_MASK, i, 0, 0); ++ write_wb_reg(CSR_CFG_CTRL, i, 0, 0); ++ write_wb_reg(CSR_CFG_ASID, i, 0, 0); ++ } else { ++ write_wb_reg(CSR_CFG_ADDR, i, 1, 0); ++ write_wb_reg(CSR_CFG_MASK, i, 1, 0); ++ write_wb_reg(CSR_CFG_CTRL, i, 1, 0); ++ write_wb_reg(CSR_CFG_ASID, i, 1, 0); ++ } + if (bp->hw.target) + regs->csr_prmd &= ~CSR_PRMD_PWE; + break; +@@ -476,12 +479,15 @@ void breakpoint_handler(struct pt_regs * + slots = this_cpu_ptr(bp_on_reg); + + for (i = 0; i < boot_cpu_data.watch_ireg_count; ++i) { +- bp = slots[i]; +- if (bp == NULL) +- continue; +- perf_bp_event(bp, regs); ++ if ((csr_read32(LOONGARCH_CSR_FWPS) & (0x1 << i))) 
{ ++ bp = slots[i]; ++ if (bp == NULL) ++ continue; ++ perf_bp_event(bp, regs); ++ csr_write32(0x1 << i, LOONGARCH_CSR_FWPS); ++ update_bp_registers(regs, 0, 0); ++ } + } +- update_bp_registers(regs, 0, 0); + } + NOKPROBE_SYMBOL(breakpoint_handler); + +@@ -493,12 +499,15 @@ void watchpoint_handler(struct pt_regs * + slots = this_cpu_ptr(wp_on_reg); + + for (i = 0; i < boot_cpu_data.watch_dreg_count; ++i) { +- wp = slots[i]; +- if (wp == NULL) +- continue; +- perf_bp_event(wp, regs); ++ if ((csr_read32(LOONGARCH_CSR_MWPS) & (0x1 << i))) { ++ wp = slots[i]; ++ if (wp == NULL) ++ continue; ++ perf_bp_event(wp, regs); ++ csr_write32(0x1 << i, LOONGARCH_CSR_MWPS); ++ update_bp_registers(regs, 0, 1); ++ } + } +- update_bp_registers(regs, 0, 1); + } + NOKPROBE_SYMBOL(watchpoint_handler); + diff --git a/queue-6.6/loongarch-fix-watchpoint-setting-error.patch b/queue-6.6/loongarch-fix-watchpoint-setting-error.patch new file mode 100644 index 00000000000..a2f068d6a10 --- /dev/null +++ b/queue-6.6/loongarch-fix-watchpoint-setting-error.patch 
@@ -0,0 +1,188 @@ +From f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 Mon Sep 17 00:00:00 2001 +From: Hui Li +Date: Fri, 21 Jun 2024 10:18:40 +0800 +Subject: LoongArch: Fix watchpoint setting error + +From: Hui Li + +commit f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 upstream. + +In the current code, when debugging the following code using gdb, +"invalid argument ..." message will be displayed. + +lihui@bogon:~$ cat test.c + #include + int a = 0; + int main() + { + a = 1; + return 0; + } +lihui@bogon:~$ gcc -g test.c -o test +lihui@bogon:~$ gdb test +... +(gdb) watch a +Hardware watchpoint 1: a +(gdb) r +... +Invalid argument setting hardware debug registers + +There are mainly two types of issues. + +1. Some incorrect judgment condition existed in user_watch_state + argument parsing, causing -EINVAL to be returned. + +When setting up a watchpoint, gdb uses the ptrace interface, +ptrace(PTRACE_SETREGSET, tid, NT_LOONGARCH_HW_WATCH, (void *) &iov)). +Register values in user_watch_state as follows: + + addr[0] = 0x0, mask[0] = 0x0, ctrl[0] = 0x0 + addr[1] = 0x0, mask[1] = 0x0, ctrl[1] = 0x0 + addr[2] = 0x0, mask[2] = 0x0, ctrl[2] = 0x0 + addr[3] = 0x0, mask[3] = 0x0, ctrl[3] = 0x0 + addr[4] = 0x0, mask[4] = 0x0, ctrl[4] = 0x0 + addr[5] = 0x0, mask[5] = 0x0, ctrl[5] = 0x0 + addr[6] = 0x0, mask[6] = 0x0, ctrl[6] = 0x0 + addr[7] = 0x12000803c, mask[7] = 0x0, ctrl[7] = 0x610 + +In arch_bp_generic_fields(), return -EINVAL when ctrl.len is +LOONGARCH_BREAKPOINT_LEN_8(0b00). So delete the incorrect judgment here. + +In ptrace_hbp_fill_attr_ctrl(), when note_type is NT_LOONGARCH_HW_WATCH +and ctrl[0] == 0x0, if ((type & HW_BREAKPOINT_RW) != type) will return +-EINVAL. Here ctrl.type should be set based on note_type, and unnecessary +judgments can be removed. + +2. The watchpoint argument was not set correctly due to unnecessary + offset and alignment_mask. + +Modify ptrace_hbp_fill_attr_ctrl() and hw_breakpoint_arch_parse(), which +ensure the watchpont argument is set correctly. 
+ +All changes according to the LoongArch Reference Manual: +https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints + +Cc: stable@vger.kernel.org +Signed-off-by: Hui Li +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/hw_breakpoint.h | 2 - + arch/loongarch/kernel/hw_breakpoint.c | 19 ++++------------- + arch/loongarch/kernel/ptrace.c | 32 +++++++++++++---------------- + 3 files changed, 21 insertions(+), 32 deletions(-) + +--- a/arch/loongarch/include/asm/hw_breakpoint.h ++++ b/arch/loongarch/include/asm/hw_breakpoint.h +@@ -101,7 +101,7 @@ struct perf_event; + struct perf_event_attr; + + extern int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl, +- int *gen_len, int *gen_type, int *offset); ++ int *gen_len, int *gen_type); + extern int arch_check_bp_in_kernelspace(struct arch_hw_breakpoint *hw); + extern int hw_breakpoint_arch_parse(struct perf_event *bp, + const struct perf_event_attr *attr, +--- a/arch/loongarch/kernel/hw_breakpoint.c ++++ b/arch/loongarch/kernel/hw_breakpoint.c +@@ -283,7 +283,7 @@ int arch_check_bp_in_kernelspace(struct + * to generic breakpoint descriptions. + */ + int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl, +- int *gen_len, int *gen_type, int *offset) ++ int *gen_len, int *gen_type) + { + /* Type */ + switch (ctrl.type) { +@@ -303,11 +303,6 @@ int arch_bp_generic_fields(struct arch_h + return -EINVAL; + } + +- if (!ctrl.len) +- return -EINVAL; +- +- *offset = __ffs(ctrl.len); +- + /* Len */ + switch (ctrl.len) { + case LOONGARCH_BREAKPOINT_LEN_1: +@@ -386,21 +381,17 @@ int hw_breakpoint_arch_parse(struct perf + struct arch_hw_breakpoint *hw) + { + int ret; +- u64 alignment_mask, offset; ++ u64 alignment_mask; + + /* Build the arch_hw_breakpoint. 
*/ + ret = arch_build_bp_info(bp, attr, hw); + if (ret) + return ret; + +- if (hw->ctrl.type != LOONGARCH_BREAKPOINT_EXECUTE) +- alignment_mask = 0x7; +- else ++ if (hw->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) { + alignment_mask = 0x3; +- offset = hw->address & alignment_mask; +- +- hw->address &= ~alignment_mask; +- hw->ctrl.len <<= offset; ++ hw->address &= ~alignment_mask; ++ } + + return 0; + } +--- a/arch/loongarch/kernel/ptrace.c ++++ b/arch/loongarch/kernel/ptrace.c +@@ -494,28 +494,14 @@ static int ptrace_hbp_fill_attr_ctrl(uns + struct arch_hw_breakpoint_ctrl ctrl, + struct perf_event_attr *attr) + { +- int err, len, type, offset; ++ int err, len, type; + +- err = arch_bp_generic_fields(ctrl, &len, &type, &offset); ++ err = arch_bp_generic_fields(ctrl, &len, &type); + if (err) + return err; + +- switch (note_type) { +- case NT_LOONGARCH_HW_BREAK: +- if ((type & HW_BREAKPOINT_X) != type) +- return -EINVAL; +- break; +- case NT_LOONGARCH_HW_WATCH: +- if ((type & HW_BREAKPOINT_RW) != type) +- return -EINVAL; +- break; +- default: +- return -EINVAL; +- } +- + attr->bp_len = len; + attr->bp_type = type; +- attr->bp_addr += offset; + + return 0; + } +@@ -609,7 +595,19 @@ static int ptrace_hbp_set_ctrl(unsigned + return PTR_ERR(bp); + + attr = bp->attr; +- decode_ctrl_reg(uctrl, &ctrl); ++ ++ switch (note_type) { ++ case NT_LOONGARCH_HW_BREAK: ++ ctrl.type = LOONGARCH_BREAKPOINT_EXECUTE; ++ ctrl.len = LOONGARCH_BREAKPOINT_LEN_4; ++ break; ++ case NT_LOONGARCH_HW_WATCH: ++ decode_ctrl_reg(uctrl, &ctrl); ++ break; ++ default: ++ return -EINVAL; ++ } ++ + err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr); + if (err) + return err; diff --git a/queue-6.6/loongarch-trigger-user-space-watchpoints-correctly.patch b/queue-6.6/loongarch-trigger-user-space-watchpoints-correctly.patch new file mode 100644 index 00000000000..1457a5b74af --- /dev/null +++ b/queue-6.6/loongarch-trigger-user-space-watchpoints-correctly.patch 
@@ -0,0 +1,178 @@ +From c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 Mon Sep 17 00:00:00 2001 +From: Hui Li +Date: Fri, 21 Jun 2024 10:18:40 +0800 +Subject: LoongArch: Trigger user-space watchpoints correctly + +From: Hui Li + +commit c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 upstream. + +In the current code, gdb can set the watchpoint successfully through +ptrace interface, but watchpoint will not be triggered. + +When debugging the following code using gdb. + +lihui@bogon:~$ cat test.c + #include + int a = 0; + int main() + { + a = 1; + printf("a = %d\n", a); + return 0; + } +lihui@bogon:~$ gcc -g test.c -o test +lihui@bogon:~$ gdb test +... +(gdb) watch a +... +(gdb) r +... +a = 1 +[Inferior 1 (process 4650) exited normally] + +No watchpoints were triggered, the root causes are: + +1. Kernel uses perf_event and hw_breakpoint framework to control + watchpoint, but the perf_event corresponding to watchpoint is + not enabled. So it needs to be enabled according to MWPnCFG3 + or FWPnCFG3 PLV bit field in ptrace_hbp_set_ctrl(), and privilege + is set according to the monitored addr in hw_breakpoint_control(). + Furthermore, add a judgment in ptrace_hbp_set_addr() to ensure + kernel-space addr cannot be monitored in user mode. + +2. The global enable control for all watchpoints is the WE bit of + CSR.CRMD, and hardware sets the value to 0 when an exception is + triggered. When the ERTN instruction is executed to return, the + hardware restores the value of the PWE field of CSR.PRMD here. + So, before a thread containing watchpoints be scheduled, the PWE + field of CSR.PRMD needs to be set to 1. Add this modification in + hw_breakpoint_control(). 
+ +All changes according to the LoongArch Reference Manual: +https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints +https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#basic-control-and-status-registers + +With this patch: + +lihui@bogon:~$ gdb test +... +(gdb) watch a +Hardware watchpoint 1: a +(gdb) r +... +Hardware watchpoint 1: a + +Old value = 0 +New value = 1 +main () at test.c:6 +6 printf("a = %d\n", a); +(gdb) c +Continuing. +a = 1 +[Inferior 1 (process 775) exited normally] + +Cc: stable@vger.kernel.org +Signed-off-by: Hui Li +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/hw_breakpoint.h | 2 ++ + arch/loongarch/kernel/hw_breakpoint.c | 20 +++++++++++++++++--- + arch/loongarch/kernel/ptrace.c | 15 ++++++++++++--- + 3 files changed, 31 insertions(+), 6 deletions(-) + +--- a/arch/loongarch/include/asm/hw_breakpoint.h ++++ b/arch/loongarch/include/asm/hw_breakpoint.h +@@ -75,6 +75,8 @@ do { \ + #define CSR_MWPC_NUM 0x3f + + #define CTRL_PLV_ENABLE 0x1e ++#define CTRL_PLV0_ENABLE 0x02 ++#define CTRL_PLV3_ENABLE 0x10 + + #define MWPnCFG3_LoadEn 8 + #define MWPnCFG3_StoreEn 9 +--- a/arch/loongarch/kernel/hw_breakpoint.c ++++ b/arch/loongarch/kernel/hw_breakpoint.c +@@ -174,11 +174,21 @@ void flush_ptrace_hw_breakpoint(struct t + static int hw_breakpoint_control(struct perf_event *bp, + enum hw_breakpoint_ops ops) + { +- u32 ctrl; ++ u32 ctrl, privilege; + int i, max_slots, enable; ++ struct pt_regs *regs; + struct perf_event **slots; + struct arch_hw_breakpoint *info = counter_arch_bp(bp); + ++ if (arch_check_bp_in_kernelspace(info)) ++ privilege = CTRL_PLV0_ENABLE; ++ else ++ privilege = CTRL_PLV3_ENABLE; ++ ++ /* Whether bp belongs to a task. 
*/ ++ if (bp->hw.target) ++ regs = task_pt_regs(bp->hw.target); ++ + if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) { + /* Breakpoint */ + slots = this_cpu_ptr(bp_on_reg); +@@ -204,13 +214,15 @@ static int hw_breakpoint_control(struct + write_wb_reg(CSR_CFG_ASID, i, 0, 0); + write_wb_reg(CSR_CFG_ASID, i, 1, 0); + if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) { +- write_wb_reg(CSR_CFG_CTRL, i, 0, CTRL_PLV_ENABLE); ++ write_wb_reg(CSR_CFG_CTRL, i, 0, privilege); + } else { + ctrl = encode_ctrl_reg(info->ctrl); +- write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | CTRL_PLV_ENABLE); ++ write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege); + } + enable = csr_read64(LOONGARCH_CSR_CRMD); + csr_write64(CSR_CRMD_WE | enable, LOONGARCH_CSR_CRMD); ++ if (bp->hw.target) ++ regs->csr_prmd |= CSR_PRMD_PWE; + break; + case HW_BREAKPOINT_UNINSTALL: + /* Reset the FWPnCFG/MWPnCFG 1~4 register. */ +@@ -222,6 +234,8 @@ static int hw_breakpoint_control(struct + write_wb_reg(CSR_CFG_CTRL, i, 1, 0); + write_wb_reg(CSR_CFG_ASID, i, 0, 0); + write_wb_reg(CSR_CFG_ASID, i, 1, 0); ++ if (bp->hw.target) ++ regs->csr_prmd &= ~CSR_PRMD_PWE; + break; + } + +--- a/arch/loongarch/kernel/ptrace.c ++++ b/arch/loongarch/kernel/ptrace.c +@@ -608,9 +608,14 @@ static int ptrace_hbp_set_ctrl(unsigned + return -EINVAL; + } + +- err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr); +- if (err) +- return err; ++ if (uctrl & CTRL_PLV_ENABLE) { ++ err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr); ++ if (err) ++ return err; ++ attr.disabled = 0; ++ } else { ++ attr.disabled = 1; ++ } + + return modify_user_hw_breakpoint(bp, &attr); + } +@@ -641,6 +646,10 @@ static int ptrace_hbp_set_addr(unsigned + struct perf_event *bp; + struct perf_event_attr attr; + ++ /* Kernel-space address cannot be monitored by user-space */ ++ if ((unsigned long)addr >= XKPRANGE) ++ return -EINVAL; ++ + bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx); + if (IS_ERR(bp)) + return PTR_ERR(bp); 
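Review bot: In ocores_init() in drivers/i2c/busses/i2c-ocores.c (i2c-ocores-set-iack-bit-after-core-is-enabled.patch), the comment above the two writes still reads only "Init the device", so nothing in the code records that the OCI2C_CMD_IACK write has to follow the OCI2C_CTRL_EN write. The commit message says an IACK issued while the core is disabled leaves the interrupt flag pending. A one-line comment stating that ordering would keep a later cleanup from swapping the two oc_setreg() calls back.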
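Review bot: The new KCOV_MODE_REMOTE enumerator in include/linux/kcov.h (kcov-don-t-lose-track-of-remote-references-during-softirqs.patch) is documented only as "The process owns a KCOV remote reference", which does not say that this mode must never collect coverage. The commit message relies on __sanitizer_cov_trace_pc() and write_comp_data() ignoring the value, but neither function is touched or shown here. Please state in the enum comment that the value exists to make kcov_mode_enabled() return true without enabling tracing, and confirm that the 6.6 versions of those two functions test for the specific trace modes rather than for "not disabled".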
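Review bot: vgic_v3_free_redist_region() in arch/arm64/kvm/vgic/vgic-mmio-v3.c (kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch) now begins with lockdep_assert_held(&kvm->arch.config_lock), but only the vgic_v3_set_redist_base() call site visibly takes that mutex. The kvm_vgic_dist_destroy() hunk in vgic-init.c shows no locking around the list_for_each_entry_safe() loop, so please confirm that every path into kvm_vgic_dist_destroy() in the 6.6 tree already holds config_lock before this is queued. The "Garbage collect the region" comment could also say what it actually does, namely clear each vcpu->arch.vgic_cpu.rdreg that still points at the region before the kfree().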
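Review bot: In vcpu_scan_ioapic() in arch/x86/kvm/x86.c (kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch), the static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu) call is hoisted above the irqchip_split() test without a comment, so the reason it must run for both the split and the in-kernel I/O APIC lives only in the commit message. A short comment saying that pending posted interrupts have to be in the IRR before the routes are scanned, because kvm_apic_pending_eoi() looks only at IRR and ISR, would stop the call from drifting back into one branch.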
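Review bot: In breakpoint_handler() and watchpoint_handler() in arch/loongarch/kernel/hw_breakpoint.c (loongarch-fix-multiple-hardware-watchpoint-issues.patch), the "if (bp == NULL) continue;" test and its wp counterpart now sit inside the status-bit check, so a set FWPS or MWPS bit whose slot is empty is skipped without the csr_write32(0x1 << i, ...) that acknowledges it. Consider writing the status bit back before the NULL check so that an unowned bit is not left set for the next exception. The status CSR is also re-read on every loop iteration; reading it once into a local before the loop would make the intent clearer.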
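Review bot: After the switch on note_type is removed from ptrace_hbp_fill_attr_ctrl() in arch/loongarch/kernel/ptrace.c (loongarch-fix-watchpoint-setting-error.patch), the function body no longer reads its note_type argument, yet ptrace_hbp_set_ctrl() still passes it. Either drop the parameter or note why it is kept. In ptrace_hbp_set_ctrl() the NT_LOONGARCH_HW_BREAK case fills in only ctrl.type and ctrl.len; the declaration of ctrl is not in the hunk, so please check that no other field of it is read uninitialised on that path.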
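Review bot: In hw_breakpoint_control() in arch/loongarch/kernel/hw_breakpoint.c (loongarch-trigger-user-space-watchpoints-correctly.patch), "struct pt_regs *regs;" is assigned only under "if (bp->hw.target)" and dereferenced later under the same test in the install and uninstall cases. That holds only while the three conditions stay identical. Initialising regs to NULL at its declaration would avoid maybe-uninitialised warnings and make any future mismatch fail visibly. Separately, ptrace_hbp_set_ctrl() now treats a uctrl value with none of the CTRL_PLV_ENABLE bits set as a request to disable the event (attr.disabled = 1) and skips ptrace_hbp_fill_attr_ctrl() entirely; that change in meaning deserves a comment next to the test.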
diff --git a/queue-6.6/mips-pci-lantiq-restore-reset-gpio-polarity.patch b/queue-6.6/mips-pci-lantiq-restore-reset-gpio-polarity.patch new file mode 100644 index 00000000000..bdfd84dd366 --- /dev/null +++ b/queue-6.6/mips-pci-lantiq-restore-reset-gpio-polarity.patch 
@@ -0,0 +1,68 @@ +From 277a0363120276645ae598d8d5fea7265e076ae9 Mon Sep 17 00:00:00 2001 +From: Martin Schiller +Date: Fri, 7 Jun 2024 11:04:00 +0200 +Subject: MIPS: pci: lantiq: restore reset gpio polarity + +From: Martin Schiller + +commit 277a0363120276645ae598d8d5fea7265e076ae9 upstream. + +Commit 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") not +only switched to the gpiod API, but also inverted / changed the polarity +of the GPIO. + +According to the PCI specification, the RST# pin is an active-low +signal. However, most of the device trees that have been widely used for +a long time (mainly in the openWrt project) define this GPIO as +active-high and the old driver code inverted the signal internally. + +Apparently there are actually boards where the reset gpio must be +operated inverted. For this reason, we cannot use the GPIOD_OUT_LOW/HIGH +flag for initialization. Instead, we must explicitly set the gpio to +value 1 in order to take into account any "GPIO_ACTIVE_LOW" flag that +may have been set. + +In order to remain compatible with all these existing device trees, we +should therefore keep the logic as it was before the commit. 
+ +Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Schiller +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/pci/pci-lantiq.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/pci/pci-lantiq.c ++++ b/arch/mips/pci/pci-lantiq.c +@@ -124,14 +124,14 @@ static int ltq_pci_startup(struct platfo + clk_disable(clk_external); + + /* setup reset gpio used by pci */ +- reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", +- GPIOD_OUT_LOW); ++ reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS); + error = PTR_ERR_OR_ZERO(reset_gpio); + if (error) { + dev_err(&pdev->dev, "failed to request gpio: %d\n", error); + return error; + } + gpiod_set_consumer_name(reset_gpio, "pci_reset"); ++ gpiod_direction_output(reset_gpio, 1); + + /* enable auto-switching between PCI and EBU */ + ltq_pci_w32(0xa, PCI_CR_CLK_CTRL); +@@ -194,10 +194,10 @@ static int ltq_pci_startup(struct platfo + + /* toggle reset pin */ + if (reset_gpio) { +- gpiod_set_value_cansleep(reset_gpio, 1); ++ gpiod_set_value_cansleep(reset_gpio, 0); + wmb(); + mdelay(1); +- gpiod_set_value_cansleep(reset_gpio, 0); ++ gpiod_set_value_cansleep(reset_gpio, 1); + } + return 0; + } diff --git a/queue-6.6/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch b/queue-6.6/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch new file mode 100644 index 00000000000..2dba0bd5f25 --- /dev/null +++ b/queue-6.6/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch 
@@ -0,0 +1,70 @@ +From 3afb76a66b5559a7b595155803ce23801558a7a9 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Thu, 6 Jun 2024 14:06:22 -0400 +Subject: mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default + +From: Rafael Aquini + +commit 3afb76a66b5559a7b595155803ce23801558a7a9 upstream. + +An ASLR regression was noticed [1] and tracked down to file-mapped areas +being backed by THP in recent kernels. The 21-bit alignment constraint +for such mappings reduces the entropy for randomizing the placement of +64-bit library mappings and breaks ASLR completely for 32-bit libraries. + +The reported issue is easily addressed by increasing vm.mmap_rnd_bits and +vm.mmap_rnd_compat_bits. This patch just provides a simple way to set +ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS to their maximum values +allowed by the architecture at build time. + +[1] https://zolutal.github.io/aslrnt/ + +[akpm@linux-foundation.org: default to `y' if 32-bit, per Rafael] +Link: https://lkml.kernel.org/r/20240606180622.102099-1-aquini@redhat.com +Fixes: 1854bc6e2420 ("mm/readahead: Align file mappings for non-DAX") +Signed-off-by: Rafael Aquini +Cc: Arnd Bergmann +Cc: Heiko Carstens +Cc: Mike Rapoport (IBM) +Cc: Paul E. McKenney +Cc: Petr Mladek +Cc: Samuel Holland +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -1037,10 +1037,21 @@ config ARCH_MMAP_RND_BITS_MAX + config ARCH_MMAP_RND_BITS_DEFAULT + int + ++config FORCE_MAX_MMAP_RND_BITS ++ bool "Force maximum number of bits to use for ASLR of mmap base address" ++ default y if !64BIT ++ help ++ ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number ++ of bits to use for ASLR and if no custom value is assigned (EXPERT) ++ then the architecture's lower bound (minimum) value is assumed. 
++ This toggle changes that default assumption to assume the arch upper ++ bound (maximum) value instead. ++ + config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT ++ default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_BITS + help +@@ -1075,6 +1086,7 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT ++ default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_COMPAT_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help diff --git a/queue-6.6/mm-page_table_check-fix-crash-on-zone_device.patch b/queue-6.6/mm-page_table_check-fix-crash-on-zone_device.patch new file mode 100644 index 00000000000..208e0fca5f1 --- /dev/null +++ b/queue-6.6/mm-page_table_check-fix-crash-on-zone_device.patch 
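Review bot: in the arch/Kconfig hunk for ARCH_MMAP_RND_BITS, the added `default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS` is placed after `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT`, and Kconfig takes the first default whose condition holds. On any architecture that supplies a non-zero ARCH_MMAP_RND_BITS_DEFAULT the new toggle therefore changes nothing, and the same ordering applies to the COMPAT variant. The help text only speaks of the "lower bound (minimum) value" being assumed and does not mention this case, so someone enabling FORCE_MAX_MMAP_RND_BITS to recover the ASLR entropy described in the commit message can end up with an unchanged value. Either move the new default above the arch default or say in the help text that an architecture default wins. FORCE_MAX_MMAP_RND_BITS also has no `depends on HAVE_ARCH_MMAP_RND_BITS`, so it is offered on configurations where neither consumer exists. After building, the effective values can be confirmed from vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits on the running system.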
@@ -0,0 +1,71 @@ +From 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 5 Jun 2024 17:21:46 -0400 +Subject: mm/page_table_check: fix crash on ZONE_DEVICE + +From: Peter Xu + +commit 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 upstream. + +Not all pages may apply to pgtable check. One example is ZONE_DEVICE +pages: they map PFNs directly, and they don't allocate page_ext at all +even if there's struct page around. One may reference +devm_memremap_pages(). + +When both ZONE_DEVICE and page-table-check enabled, then try to map some +dax memories, one can trigger kernel bug constantly now when the kernel +was trying to inject some pfn maps on the dax device: + + kernel BUG at mm/page_table_check.c:55! + +While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page +fault resolutions, skip all the checks if page_ext doesn't even exist in +pgtable checker, which applies to ZONE_DEVICE but maybe more. + +Link: https://lkml.kernel.org/r/20240605212146.994486-1-peterx@redhat.com +Fixes: df4e817b7108 ("mm: page table check") +Signed-off-by: Peter Xu +Reviewed-by: Pasha Tatashin +Reviewed-by: Dan Williams +Reviewed-by: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_table_check.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/mm/page_table_check.c ++++ b/mm/page_table_check.c +@@ -71,6 +71,9 @@ static void page_table_check_clear(unsig + page = pfn_to_page(pfn); + page_ext = page_ext_get(page); + ++ if (!page_ext) ++ return; ++ + BUG_ON(PageSlab(page)); + anon = PageAnon(page); + +@@ -108,6 +111,9 @@ static void page_table_check_set(unsigne + page = pfn_to_page(pfn); + page_ext = page_ext_get(page); + ++ if (!page_ext) ++ return; ++ + BUG_ON(PageSlab(page)); + anon = PageAnon(page); + +@@ -138,7 +144,10 @@ void __page_table_check_zero(struct page + BUG_ON(PageSlab(page)); + + page_ext = page_ext_get(page); +- BUG_ON(!page_ext); ++ ++ if 
(!page_ext) ++ return; ++ + for (i = 0; i < (1ul << order); i++) { + struct page_table_check *ptc = get_page_table_check(page_ext); + diff --git a/queue-6.6/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch b/queue-6.6/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch new file mode 100644 index 00000000000..ec47db2e49e --- /dev/null +++ b/queue-6.6/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch 
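Review bot: in the mm/page_table_check.c hunks, the new `if (!page_ext) return;` in page_table_check_clear(), page_table_check_set() and __page_table_check_zero() carries no comment, and in __page_table_check_zero() it replaces `BUG_ON(!page_ext);` outright. The commit message justifies the skip for ZONE_DEVICE pages "but maybe more", which means a missing page_ext on an ordinary page is now silently ignored by a checker whose purpose is to catch page table corruption. Add a short comment at each early return naming ZONE_DEVICE as the expected case, and consider narrowing the skip to that case (or warning once otherwise) so the hardening assertion is not lost for normal memory.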
@@ -0,0 +1,95 @@ +From 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin +Date: Mon, 17 Jun 2024 22:02:05 +0100 +Subject: net: do not leave a dangling sk pointer, when socket creation fails + +From: Ignat Korchagin + +commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 upstream. + +It is possible to trigger a use-after-free by: + * attaching an fentry probe to __sock_release() and the probe calling the + bpf_get_socket_cookie() helper + * running traceroute -I 1.1.1.1 on a freshly booted VM + +A KASAN enabled kernel will log something like below (decoded and stripped): +================================================================== +BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) +Read of size 8 at addr ffff888007110dd8 by task traceroute/299 + +CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +Call Trace: + +dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) +print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) +? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) +kasan_report (mm/kasan/report.c:603) +? 
__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) +kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) +__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) +bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) +bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e +bpf_trampoline_6442506592+0x47/0xaf +__sock_release (net/socket.c:652) +__sock_create (net/socket.c:1601) +... +Allocated by task 299 on cpu 2 at 78.328492s: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (mm/kasan/common.c:68) +__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) +kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) +sk_prot_alloc (net/core/sock.c:2075) +sk_alloc (net/core/sock.c:2134) +inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) +__sock_create (net/socket.c:1572) +__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) +__x64_sys_socket (net/socket.c:1718) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Freed by task 299 on cpu 2 at 78.328502s: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (mm/kasan/common.c:68) +kasan_save_free_info (mm/kasan/generic.c:582) +poison_slab_object (mm/kasan/common.c:242) +__kasan_slab_free (mm/kasan/common.c:256) +kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) +__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) +inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) +__sock_create (net/socket.c:1572) +__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) +__x64_sys_socket (net/socket.c:1718) 
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fix this by clearing the struct socket reference in sk_common_release() to cover +all protocol families create functions, which may already attached the +reference to the sk object with sock_init_data(). + +Fixes: c5dbb89fc2ac ("bpf: Expose bpf_get_socket_cookie to tracing programs") +Suggested-by: Kuniyuki Iwashima +Signed-off-by: Ignat Korchagin +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/netdev/20240613194047.36478-1-kuniyu@amazon.com/T/ +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: D. Wythe +Link: https://lore.kernel.org/r/20240617210205.67311-1-ignat@cloudflare.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3725,6 +3725,9 @@ void sk_common_release(struct sock *sk) + + sk->sk_prot->unhash(sk); + ++ if (sk->sk_socket) ++ sk->sk_socket->sk = NULL; ++ + /* + * In this point socket cannot receive new packets, but it is possible + * that some packets are in flight because some CPU runs receiver and diff --git a/queue-6.6/net-stmmac-assign-configured-channel-value-to-extts-event.patch b/queue-6.6/net-stmmac-assign-configured-channel-value-to-extts-event.patch new file mode 100644 index 00000000000..c8659da523f --- /dev/null +++ b/queue-6.6/net-stmmac-assign-configured-channel-value-to-extts-event.patch 
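Review bot: in the net/core/sock.c hunk at sk_common_release(), the added `if (sk->sk_socket) sk->sk_socket->sk = NULL;` has no comment explaining that it exists to stop __sock_release() from seeing a freed sk after a failed create, and it only helps on paths that reach sk_common_release(). The commit message states the intent is "to cover all protocol families create functions", but the hunk does not show that every family's create failure path goes through this function; a family that frees the sk some other way would still leave sock->sk dangling for the fentry probe case in the KASAN report. Please add a comment tying the store to the failed-create case, and confirm the coverage claim or clear sock->sk in the __sock_create() error path as well.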
@@ -0,0 +1,61 @@ +From 8851346912a1fa33e7a5966fe51f07313b274627 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 18 Jun 2024 09:38:21 +0200 +Subject: net: stmmac: Assign configured channel value to EXTTS event + +From: Oleksij Rempel + +commit 8851346912a1fa33e7a5966fe51f07313b274627 upstream. + +Assign the configured channel value to the EXTTS event in the timestamp +interrupt handler. Without assigning the correct channel, applications +like ts2phc will refuse to accept the event, resulting in errors such +as: +... +ts2phc[656.834]: config item end1.ts2phc.pin_index is 0 +ts2phc[656.834]: config item end1.ts2phc.channel is 3 +ts2phc[656.834]: config item end1.ts2phc.extts_polarity is 2 +ts2phc[656.834]: config item end1.ts2phc.extts_correction is 0 +... +ts2phc[656.862]: extts on unexpected channel +ts2phc[658.141]: extts on unexpected channel +ts2phc[659.140]: extts on unexpected channel + +Fixes: f4da56529da60 ("net: stmmac: Add support for external trigger timestamping") +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Reviewed-by: Wojciech Drewek +Link: https://lore.kernel.org/r/20240618073821.619751-1-o.rempel@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +@@ -218,6 +218,7 @@ static void timestamp_interrupt(struct s + { + u32 num_snapshot, ts_status, tsync_int; + struct ptp_clock_event event; ++ u32 acr_value, channel; + unsigned long flags; + u64 ptp_time; + int i; +@@ -243,12 +244,15 @@ static void timestamp_interrupt(struct s + num_snapshot = (ts_status & GMAC_TIMESTAMP_ATSNS_MASK) >> + GMAC_TIMESTAMP_ATSNS_SHIFT; + ++ acr_value = readl(priv->ptpaddr + PTP_ACR); ++ channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value)); ++ + for (i = 0; i < num_snapshot; i++) { + 
read_lock_irqsave(&priv->ptp_lock, flags); + get_ptptime(priv->ptpaddr, &ptp_time); + read_unlock_irqrestore(&priv->ptp_lock, flags); + event.type = PTP_CLOCK_EXTTS; +- event.index = 0; ++ event.index = channel; + event.timestamp = ptp_time; + ptp_clock_event(priv->ptp_clock, &event); + } diff --git a/queue-6.6/net-usb-ax88179_178a-improve-reset-check.patch b/queue-6.6/net-usb-ax88179_178a-improve-reset-check.patch new file mode 100644 index 00000000000..5f6cf21e6c3 --- /dev/null +++ b/queue-6.6/net-usb-ax88179_178a-improve-reset-check.patch 
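Review bot: in the stmmac_hwtstamp.c hunk at timestamp_interrupt(), `channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value));` is evaluated without checking that the field is non-zero. If the interrupt fires while no auxiliary snapshot enable bit is set in PTP_ACR, ilog2() is called on 0, whose result is undefined, and the value is then stored into event.index and handed to ptp_clock_event(). If more than one bit is set, only the highest is reported for every snapshot in the loop. Guard the zero case before the loop (skip reporting or fall back explicitly) and note in a comment that a single enabled channel is assumed.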
@@ -0,0 +1,83 @@ +From 7be4cb7189f747b4e5b6977d0e4387bde3204e62 Mon Sep 17 00:00:00 2001 +From: Jose Ignacio Tornos Martinez +Date: Mon, 17 Jun 2024 12:28:21 +0200 +Subject: net: usb: ax88179_178a: improve reset check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jose Ignacio Tornos Martinez + +commit 7be4cb7189f747b4e5b6977d0e4387bde3204e62 upstream. + +After ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is +set to down/up") to not reset from usbnet_open after the reset from +usbnet_probe at initialization stage to speed up this, some issues have +been reported. + +It seems to happen that if the initialization is slower, and some time +passes between the probe operation and the open operation, the second reset +from open is necessary too to have the device working. The reason is that +if there is no activity with the phy, this is "disconnected". + +In order to improve this, the solution is to detect when the phy is +"disconnected", and we can use the phy status register for this. So we will +only reset the device from reset operation in this situation, that is, only +if necessary. + +The same bahavior is happening when the device is stopped (link set to +down) and later is restarted (link set to up), so if the phy keeps working +we only need to enable the mac again, but if enough time passes between the +device stop and restart, reset is necessary, and we can detect the +situation checking the phy status register too. + +cc: stable@vger.kernel.org # 6.6+ +Fixes: ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is set to down/up") +Reported-by: Yongqin Liu +Reported-by: Antje Miederhöfer +Reported-by: Arne Fitzenreiter +Tested-by: Yongqin Liu +Tested-by: Antje Miederhöfer +Signed-off-by: Jose Ignacio Tornos Martinez +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88179_178a.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -174,7 +174,6 @@ struct ax88179_data { + u32 wol_supported; + u32 wolopts; + u8 disconnecting; +- u8 initialized; + }; + + struct ax88179_int_data { +@@ -1676,12 +1675,21 @@ static int ax88179_reset(struct usbnet * + + static int ax88179_net_reset(struct usbnet *dev) + { +- struct ax88179_data *ax179_data = dev->driver_priv; ++ u16 tmp16; + +- if (ax179_data->initialized) ++ ax88179_read_cmd(dev, AX_ACCESS_PHY, AX88179_PHY_ID, GMII_PHY_PHYSR, ++ 2, &tmp16); ++ if (tmp16) { ++ ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE, ++ 2, 2, &tmp16); ++ if (!(tmp16 & AX_MEDIUM_RECEIVE_EN)) { ++ tmp16 |= AX_MEDIUM_RECEIVE_EN; ++ ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE, ++ 2, 2, &tmp16); ++ } ++ } else { + ax88179_reset(dev); +- else +- ax179_data->initialized = 1; ++ } + + return 0; + } diff --git a/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch b/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch new file mode 100644 index 00000000000..72c8941df5a --- /dev/null +++ b/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch 
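Review bot: in the ax88179_178a.c hunk at ax88179_net_reset(), `u16 tmp16;` is declared without an initializer and the return value of both ax88179_read_cmd() calls is ignored, so `if (tmp16)` and `tmp16 & AX_MEDIUM_RECEIVE_EN` may test stack contents when a USB read fails, unless ax88179_read_cmd() guarantees it writes the buffer on error, which the hunk does not show. A failed PHY status read would then pick the reset or no-reset branch arbitrarily, and a failed medium-status read would write an unknown value back with the receive-enable bit OR-ed in. Initialize tmp16 to 0 and check the read results, falling back to ax88179_reset(dev) on error. The bare `2, 2` arguments would also read better with a named size.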
@@ -0,0 +1,369 @@ +From 685d03c3795378fca6a1b3d43581f7f1a3fc095f Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Thu, 30 May 2024 19:06:30 +0800 +Subject: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger() + +From: Joseph Qi + +commit 685d03c3795378fca6a1b3d43581f7f1a3fc095f upstream. + +bdev->bd_super has been removed and commit 8887b94d9322 change the usage +from bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set +bh->b_assoc_map, it will trigger NULL pointer dereference when calling +into ocfs2_abort_trigger(). + +Actually this was pointed out in history, see commit 74e364ad1b13. But +I've made a mistake when reviewing commit 8887b94d9322 and then +re-introduce this regression. + +Since we cannot revive bdev in buffer head, so fix this issue by +initializing all types of ocfs2 triggers when fill super, and then get the +specific ocfs2 trigger from ocfs2_caching_info when access journal. + +[joseph.qi@linux.alibaba.com: v2] + Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com +Link: https://lkml.kernel.org/r/20240530110630.3933832-2-joseph.qi@linux.alibaba.com +Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 182 +++++++++++++++++++++++++-------------------- + fs/ocfs2/ocfs2.h | 27 +++++++ + fs/ocfs2/super.c | 4 +- + 3 files changed, 131 insertions(+), 82 deletions(-) + +diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c +index 27c7683c7d3f..86807086b2df 100644 +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -479,12 +479,6 @@ int ocfs2_allocate_extend_trans(handle_t *handle, int thresh) + return status; + } + +- +-struct ocfs2_triggers { +- struct jbd2_buffer_trigger_type ot_triggers; +- int ot_offset; +-}; +- + 
static inline struct ocfs2_triggers *to_ocfs2_trigger(struct jbd2_buffer_trigger_type *triggers) + { + return container_of(triggers, struct ocfs2_triggers, ot_triggers); +@@ -548,85 +542,76 @@ static void ocfs2_db_frozen_trigger(struct jbd2_buffer_trigger_type *triggers, + static void ocfs2_abort_trigger(struct jbd2_buffer_trigger_type *triggers, + struct buffer_head *bh) + { ++ struct ocfs2_triggers *ot = to_ocfs2_trigger(triggers); ++ + mlog(ML_ERROR, + "ocfs2_abort_trigger called by JBD2. bh = 0x%lx, " + "bh->b_blocknr = %llu\n", + (unsigned long)bh, + (unsigned long long)bh->b_blocknr); + +- ocfs2_error(bh->b_assoc_map->host->i_sb, ++ ocfs2_error(ot->sb, + "JBD2 has aborted our journal, ocfs2 cannot continue\n"); + } + +-static struct ocfs2_triggers di_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_dinode, i_check), +-}; ++static void ocfs2_setup_csum_triggers(struct super_block *sb, ++ enum ocfs2_journal_trigger_type type, ++ struct ocfs2_triggers *ot) ++{ ++ BUG_ON(type >= OCFS2_JOURNAL_TRIGGER_COUNT); + +-static struct ocfs2_triggers eb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_extent_block, h_check), +-}; ++ switch (type) { ++ case OCFS2_JTR_DI: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dinode, i_check); ++ break; ++ case OCFS2_JTR_EB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_extent_block, h_check); ++ break; ++ case OCFS2_JTR_RB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_refcount_block, rf_check); ++ break; ++ case OCFS2_JTR_GD: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_group_desc, bg_check); ++ break; ++ case OCFS2_JTR_DB: ++ 
ot->ot_triggers.t_frozen = ocfs2_db_frozen_trigger; ++ break; ++ case OCFS2_JTR_XB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_xattr_block, xb_check); ++ break; ++ case OCFS2_JTR_DQ: ++ ot->ot_triggers.t_frozen = ocfs2_dq_frozen_trigger; ++ break; ++ case OCFS2_JTR_DR: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check); ++ break; ++ case OCFS2_JTR_DL: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check); ++ break; ++ case OCFS2_JTR_NONE: ++ /* To make compiler happy... */ ++ return; ++ } + +-static struct ocfs2_triggers rb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_refcount_block, rf_check), +-}; ++ ot->ot_triggers.t_abort = ocfs2_abort_trigger; ++ ot->sb = sb; ++} + +-static struct ocfs2_triggers gd_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_group_desc, bg_check), +-}; ++void ocfs2_initialize_journal_triggers(struct super_block *sb, ++ struct ocfs2_triggers triggers[]) ++{ ++ enum ocfs2_journal_trigger_type type; + +-static struct ocfs2_triggers db_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_db_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +-}; +- +-static struct ocfs2_triggers xb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_xattr_block, xb_check), +-}; +- +-static struct ocfs2_triggers dq_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_dq_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +-}; +- +-static struct ocfs2_triggers dr_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- 
.ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check), +-}; +- +-static struct ocfs2_triggers dl_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check), +-}; ++ for (type = OCFS2_JTR_DI; type < OCFS2_JOURNAL_TRIGGER_COUNT; type++) ++ ocfs2_setup_csum_triggers(sb, type, &triggers[type]); ++} + + static int __ocfs2_journal_access(handle_t *handle, + struct ocfs2_caching_info *ci, +@@ -708,56 +693,91 @@ static int __ocfs2_journal_access(handle_t *handle, + int ocfs2_journal_access_di(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &di_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DI], ++ type); + } + + int ocfs2_journal_access_eb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &eb_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_EB], ++ type); + } + + int ocfs2_journal_access_rb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &rb_triggers, ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_RB], + type); + } + + int ocfs2_journal_access_gd(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &gd_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, 
ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_GD], ++ type); + } + + int ocfs2_journal_access_db(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &db_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DB], ++ type); + } + + int ocfs2_journal_access_xb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &xb_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_XB], ++ type); + } + + int ocfs2_journal_access_dq(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dq_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DQ], ++ type); + } + + int ocfs2_journal_access_dr(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dr_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DR], ++ type); + } + + int ocfs2_journal_access_dl(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dl_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DL], ++ type); + } + + int ocfs2_journal_access(handle_t *handle, struct 
ocfs2_caching_info *ci, +diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h +index a503c553bab2..8fe826143d7b 100644 +--- a/fs/ocfs2/ocfs2.h ++++ b/fs/ocfs2/ocfs2.h +@@ -284,6 +284,30 @@ enum ocfs2_mount_options + #define OCFS2_OSB_ERROR_FS 0x0004 + #define OCFS2_DEFAULT_ATIME_QUANTUM 60 + ++struct ocfs2_triggers { ++ struct jbd2_buffer_trigger_type ot_triggers; ++ int ot_offset; ++ struct super_block *sb; ++}; ++ ++enum ocfs2_journal_trigger_type { ++ OCFS2_JTR_DI, ++ OCFS2_JTR_EB, ++ OCFS2_JTR_RB, ++ OCFS2_JTR_GD, ++ OCFS2_JTR_DB, ++ OCFS2_JTR_XB, ++ OCFS2_JTR_DQ, ++ OCFS2_JTR_DR, ++ OCFS2_JTR_DL, ++ OCFS2_JTR_NONE /* This must be the last entry */ ++}; ++ ++#define OCFS2_JOURNAL_TRIGGER_COUNT OCFS2_JTR_NONE ++ ++void ocfs2_initialize_journal_triggers(struct super_block *sb, ++ struct ocfs2_triggers triggers[]); ++ + struct ocfs2_journal; + struct ocfs2_slot_info; + struct ocfs2_recovery_map; +@@ -351,6 +375,9 @@ struct ocfs2_super + struct ocfs2_journal *journal; + unsigned long osb_commit_interval; + ++ /* Journal triggers for checksum */ ++ struct ocfs2_triggers s_journal_triggers[OCFS2_JOURNAL_TRIGGER_COUNT]; ++ + struct delayed_work la_enable_wq; + + /* +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index 8aabaed2c1cb..afee70125ae3 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1075,9 +1075,11 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + debugfs_create_file("fs_state", S_IFREG|S_IRUSR, osb->osb_debug_root, + osb, &ocfs2_osb_debug_fops); + +- if (ocfs2_meta_ecc(osb)) ++ if (ocfs2_meta_ecc(osb)) { ++ ocfs2_initialize_journal_triggers(sb, osb->s_journal_triggers); + ocfs2_blockcheck_stats_debugfs_install( &osb->osb_ecc_stats, + osb->osb_debug_root); ++ } + + status = ocfs2_mount_volume(sb); + if (status < 0) +-- +2.45.2 + 
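Review bot: in the fs/ocfs2/super.c hunk, ocfs2_initialize_journal_triggers() is only called inside `if (ocfs2_meta_ecc(osb))`, while every ocfs2_journal_access_*() wrapper in journal.c now passes `&osb->s_journal_triggers[...]` unconditionally. With metadata ECC off, those entries keep a NULL t_abort, t_frozen and ot->sb, and ocfs2_abort_trigger() now dereferences `ot->sb` directly. The patch relies on __ocfs2_journal_access() never installing triggers in that configuration, which is not visible in these hunks; please either state that invariant in a comment next to the s_journal_triggers field or initialize the array unconditionally, since the setup is cheap and removes the dependency. In ocfs2_setup_csum_triggers(), the OCFS2_JTR_DB and OCFS2_JTR_DQ cases also leave ot_offset unset and depend on the superblock structure having been zeroed.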
diff --git a/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch b/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch new file mode 100644 index 00000000000..1fcc77e4fde --- /dev/null +++ b/queue-6.6/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch 
@@ -0,0 +1,106 @@ +From 58f7e1e2c9e72c7974054c64c3abeac81c11f822 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Thu, 30 May 2024 19:06:29 +0800 +Subject: ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty() + +From: Joseph Qi + +commit 58f7e1e2c9e72c7974054c64c3abeac81c11f822 upstream. + +bdev->bd_super has been removed and commit 8887b94d9322 change the usage +from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the +following NULL pointer dereference in ocfs2_journal_dirty() since +b_assoc_map is still not initialized. This can be easily reproduced by +running xfstests generic/186, which simulate no more credits. + +[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000 +... +[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2] +... +[ 134.365071] Call Trace: +[ 134.365312] +[ 134.365524] ? __die_body+0x1e/0x60 +[ 134.365868] ? page_fault_oops+0x13d/0x4f0 +[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10 +[ 134.366659] ? schedule+0x27/0xb0 +[ 134.366981] ? exc_page_fault+0x6a/0x140 +[ 134.367356] ? asm_exc_page_fault+0x26/0x30 +[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2] +[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2] +[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2] +[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2] +[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2] +[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2] +[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2] +[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2] +[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2] +[ 134.372994] ? inode_update_timestamps+0x4a/0x120 +[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] +[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] +[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2] +[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2] +[ 134.376971] ? 
security_file_permission+0x29/0x50 +[ 134.377644] vfs_clone_file_range+0xfe/0x320 +[ 134.378268] ioctl_file_clone+0x45/0xa0 +[ 134.378853] do_vfs_ioctl+0x457/0x990 +[ 134.379422] __x64_sys_ioctl+0x6e/0xd0 +[ 134.379987] do_syscall_64+0x5d/0x170 +[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 134.381231] RIP: 0033:0x7fa4926397cb +[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48 +[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb +[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003 +[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000 +[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000 +[ 134.389207] + +Fix it by only aborting transaction and journal in ocfs2_journal_dirty() +now, and leave ocfs2_abort() later when detecting an aborted handle, +e.g. start next transaction. Also log the handle details in this case. 
+ +Link: https://lkml.kernel.org/r/20240530110630.3933832-1-joseph.qi@linux.alibaba.com +Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c +index 604fea3a26ff..27c7683c7d3f 100644 +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -778,13 +778,15 @@ void ocfs2_journal_dirty(handle_t *handle, struct buffer_head *bh) + if (!is_handle_aborted(handle)) { + journal_t *journal = handle->h_transaction->t_journal; + +- mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed. " +- "Aborting transaction and journal.\n"); ++ mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed: " ++ "handle type %u started at line %u, credits %u/%u " ++ "errcode %d. Aborting transaction and journal.\n", ++ handle->h_type, handle->h_line_no, ++ handle->h_requested_credits, ++ jbd2_handle_buffer_credits(handle), status); + handle->h_err = status; + jbd2_journal_abort_handle(handle); + jbd2_journal_abort(journal, status); +- ocfs2_abort(bh->b_assoc_map->host->i_sb, +- "Journal already aborted.\n"); + } + } + } +-- +2.45.2 + diff --git a/queue-6.6/ovl-fix-encoding-fid-for-lower-only-root.patch b/queue-6.6/ovl-fix-encoding-fid-for-lower-only-root.patch new file mode 100644 index 00000000000..731af56e45d --- /dev/null +++ b/queue-6.6/ovl-fix-encoding-fid-for-lower-only-root.patch 
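Review bot: in the fs/ocfs2/journal.c hunk at ocfs2_journal_dirty(), the call to ocfs2_abort() is removed without leaving a comment in the code saying where the filesystem-level abort now happens. The commit message explains that it is deferred until an aborted handle is detected, for example when the next transaction starts, but a reader of the function only sees jbd2_journal_abort() and may assume the filesystem is already marked in error at this point. Add a one-line comment after jbd2_journal_abort(journal, status) stating that ocfs2_abort() is left to the next transaction start. In the new log format, "credits %u/%u " runs straight into "errcode %d" with no separator, which makes the line harder to parse when triaging logs.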
@@ -0,0 +1,51 @@ +From 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 14 Jun 2024 09:55:58 +0200 +Subject: ovl: fix encoding fid for lower only root + +From: Miklos Szeredi + +commit 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 upstream. + +ovl_check_encode_origin() should return a positive number if the lower +dentry is to be encoded, zero otherwise. If there's no upper layer at all +(read-only overlay), then it obviously needs to return positive. + +This was broken by commit 16aac5ad1fa9 ("ovl: support encoding +non-decodable file handles"), which didn't take the lower-only +configuration into account. + +Fix by checking the no-upper-layer case up-front. + +Reported-and-tested-by: Youzhong Yang +Closes: https://lore.kernel.org/all/CADpNCvaBimi+zCYfRJHvCOhMih8OU0rmZkwLuh24MKKroRuT8Q@mail.gmail.com/ +Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") +Cc: # v6.6 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/export.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/export.c ++++ b/fs/overlayfs/export.c +@@ -186,6 +186,10 @@ static int ovl_check_encode_origin(struc + struct ovl_fs *ofs = OVL_FS(dentry->d_sb); + bool decodable = ofs->config.nfs_export; + ++ /* No upper layer? */ ++ if (!ovl_upper_mnt(ofs)) ++ return 1; ++ + /* Lower file handle for non-upper non-decodable */ + if (!ovl_dentry_upper(dentry) && !decodable) + return 1; +@@ -214,7 +218,7 @@ static int ovl_check_encode_origin(struc + * ovl_connect_layer() will try to make origin's layer "connected" by + * copying up a "connectable" ancestor. + */ +- if (d_is_dir(dentry) && ovl_upper_mnt(ofs) && decodable) ++ if (d_is_dir(dentry) && decodable) + return ovl_connect_layer(dentry); + + /* Lower file handle for indexed and non-upper dir/non-dir */ 
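Review bot: in the fs/overlayfs/export.c hunks at ovl_check_encode_origin(), dropping `ovl_upper_mnt(ofs)` from the `d_is_dir(dentry) && decodable` condition is only safe because of the new early `return 1` at the top, and nothing in the code records that dependency. The comment `/* No upper layer? */` states the test but not the consequence; extend it to say that a lower-only overlay always encodes the lower handle and that the code below may assume an upper mount exists, so a later reorder of these checks does not call ovl_connect_layer() on a read-only overlay.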
diff --git a/queue-6.6/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch b/queue-6.6/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch new file mode 100644 index 00000000000..c0aaa44e6ec --- /dev/null +++ b/queue-6.6/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch @@ -0,0 +1,37 @@ +From f637040c3339a2ed8c12d65ad03f9552386e2fe7 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 28 May 2024 15:52:53 +0300 +Subject: RDMA/mlx5: Follow rb_key.ats when creating new mkeys + +From: Jason Gunthorpe + +commit f637040c3339a2ed8c12d65ad03f9552386e2fe7 upstream. + +When a cache ent already exists but doesn't have any mkeys in it the cache +will automatically create a new one based on the specification in the +ent->rb_key. + +ent->ats was missed when creating the new key and so ma_translation_mode +was not being set even though the ent requires it. + +Cc: stable@vger.kernel.org +Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Michael Guralnik +Link: https://lore.kernel.org/r/7c5613458ecb89fbe5606b7aa4c8d990bdea5b9a.1716900410.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/mr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -308,6 +308,7 @@ static void set_cache_mkc(struct mlx5_ca + MLX5_SET(mkc, mkc, access_mode_1_0, ent->rb_key.access_mode & 0x3); + MLX5_SET(mkc, mkc, access_mode_4_2, + (ent->rb_key.access_mode >> 2) & 0x7); ++ MLX5_SET(mkc, mkc, ma_translation_mode, !!ent->rb_key.ats); + + MLX5_SET(mkc, mkc, translations_octword_size, + get_mkc_octo_size(ent->rb_key.access_mode, diff --git a/queue-6.6/rdma-mlx5-remove-extra-unlock-on-error-path.patch b/queue-6.6/rdma-mlx5-remove-extra-unlock-on-error-path.patch new file mode 100644 index 00000000000..1ed8046f33d --- /dev/null 
+++ b/queue-6.6/rdma-mlx5-remove-extra-unlock-on-error-path.patch @@ -0,0 +1,38 @@ +From c1eb2512596fb3542357bb6c34c286f5e0374538 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 28 May 2024 15:52:52 +0300 +Subject: RDMA/mlx5: Remove extra unlock on error path + +From: Jason Gunthorpe + +commit c1eb2512596fb3542357bb6c34c286f5e0374538 upstream. + +The below commit lifted the locking out of this function but left this +error path unlock behind resulting in unbalanced locking. Remove the +missed unlock too. + +Cc: stable@vger.kernel.org +Fixes: 627122280c87 ("RDMA/mlx5: Add work to remove temporary entries from the cache") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Michael Guralnik +Link: https://lore.kernel.org/r/78090c210c750f47219b95248f9f782f34548bb1.1716900410.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/mr.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -697,10 +697,8 @@ static int mlx5_cache_ent_insert(struct + new = &((*new)->rb_left); + if (cmp < 0) + new = &((*new)->rb_right); +- if (cmp == 0) { +- mutex_unlock(&cache->rb_lock); ++ if (cmp == 0) + return -EEXIST; +- } + } + + /* Add new node and rebalance tree. */ diff --git a/queue-6.6/rdma-rxe-fix-data-copy-for-ib_send_inline.patch b/queue-6.6/rdma-rxe-fix-data-copy-for-ib_send_inline.patch new file mode 100644 index 00000000000..1c438adad30 --- /dev/null +++ b/queue-6.6/rdma-rxe-fix-data-copy-for-ib_send_inline.patch 
@@ -0,0 +1,44 @@ +From 03fa18a992d5626fd7bf3557a52e826bf8b326b3 Mon Sep 17 00:00:00 2001 +From: Honggang LI +Date: Thu, 16 May 2024 17:50:52 +0800 +Subject: RDMA/rxe: Fix data copy for IB_SEND_INLINE + +From: Honggang LI + +commit 03fa18a992d5626fd7bf3557a52e826bf8b326b3 upstream. + +For RDMA Send and Write with IB_SEND_INLINE, the memory buffers +specified in sge list will be placed inline in the Send Request. + +The data should be copied by CPU from the virtual addresses of +corresponding sge list DMA addresses. + +Cc: stable@kernel.org +Fixes: 8d7c7c0eeb74 ("RDMA: Add ib_virt_dma_to_page()") +Signed-off-by: Honggang LI +Link: https://lore.kernel.org/r/20240516095052.542767-1-honggangli@163.com +Reviewed-by: Zhu Yanjun +Reviewed-by: Li Zhijian +Reviewed-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index c7d4d8ab5a09..de6238ee4379 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -812,7 +812,7 @@ static void copy_inline_data_to_wqe(struct rxe_send_wqe *wqe, + int i; + + for (i = 0; i < ibwr->num_sge; i++, sge++) { +- memcpy(p, ib_virt_dma_to_page(sge->addr), sge->length); ++ memcpy(p, ib_virt_dma_to_ptr(sge->addr), sge->length); + p += sge->length; + } + } +-- +2.45.2 + diff --git a/queue-6.6/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch b/queue-6.6/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch new file mode 100644 index 00000000000..e9f92117d6c --- /dev/null +++ b/queue-6.6/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch 
@@ -0,0 +1,56 @@ +From 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 Mon Sep 17 00:00:00 2001 +From: Joel Slebodnick +Date: Thu, 13 Jun 2024 14:27:28 -0400 +Subject: scsi: ufs: core: Free memory allocated for model before reinit + +From: Joel Slebodnick + +commit 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 upstream. + +Under the conditions that a device is to be reinitialized within +ufshcd_probe_hba(), the device must first be fully reset. + +Resetting the device should include freeing U8 model (member of dev_info) +but does not, and this causes a memory leak. ufs_put_device_desc() is +responsible for freeing model. + +unreferenced object 0xffff3f63008bee60 (size 32): + comm "kworker/u33:1", pid 60, jiffies 4294892642 + hex dump (first 32 bytes): + 54 48 47 4a 46 47 54 30 54 32 35 42 41 5a 5a 41 THGJFGT0T25BAZZA + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc ed7ff1a9): + [] kmemleak_alloc+0x34/0x40 + [] __kmalloc_noprof+0x1e4/0x2fc + [] ufshcd_read_string_desc+0x94/0x190 + [] ufshcd_device_init+0x480/0xdf8 + [] ufshcd_probe_hba+0x3c/0x404 + [] ufshcd_async_scan+0x40/0x370 + [] async_run_entry_fn+0x34/0xe0 + [] process_one_work+0x154/0x298 + [] worker_thread+0x2f8/0x408 + [] kthread+0x114/0x118 + [] ret_from_fork+0x10/0x20 + +Fixes: 96a7141da332 ("scsi: ufs: core: Add support for reinitializing the UFS device") +Cc: +Reviewed-by: Andrew Halaney +Reviewed-by: Bart Van Assche +Signed-off-by: Joel Slebodnick +Link: https://lore.kernel.org/r/20240613200202.2524194-1-jslebodn@redhat.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8743,6 +8743,7 @@ static int ufshcd_probe_hba(struct ufs_h + (hba->quirks & UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH)) { + /* Reset the device and controller before doing reinit */ + ufshcd_device_reset(hba); ++ ufs_put_device_desc(hba); + ufshcd_hba_stop(hba); + ufshcd_vops_reinit_notify(hba); + ret = ufshcd_hba_enable(hba); diff --git a/queue-6.6/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch b/queue-6.6/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch new file mode 100644 index 00000000000..9363641ba21 --- /dev/null +++ b/queue-6.6/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch 
@@ -0,0 +1,118 @@ +From 2c94512055f362dd789e0f87b8566feeddec83c9 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Tue, 14 May 2024 22:05:54 +0300 +Subject: serial: 8250_dw: Revert "Move definitions to the shared header" + +From: Andy Shevchenko + +commit 2c94512055f362dd789e0f87b8566feeddec83c9 upstream. + +This reverts commit d9666dfb314e1ffd6eb9c3c4243fe3e094c047a7. + +The container of the struct dw8250_port_data is private to the actual +driver. In particular, 8250_lpss and 8250_dw use different data types +that are assigned to the UART port private_data. Hence, it must not +be used outside the specific driver. + +Fix the mistake made in the past by moving the respective definitions +to the specific driver. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240514190730.2787071-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_dw.c | 27 +++++++++++++++++++++++++++ + drivers/tty/serial/8250/8250_dwlib.h | 32 -------------------------------- + 2 files changed, 27 insertions(+), 32 deletions(-) + +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -57,6 +57,33 @@ + #define DW_UART_QUIRK_APMC0D08 BIT(4) + #define DW_UART_QUIRK_CPR_VALUE BIT(5) + ++struct dw8250_platform_data { ++ u8 usr_reg; ++ u32 cpr_value; ++ unsigned int quirks; ++}; ++ ++struct dw8250_data { ++ struct dw8250_port_data data; ++ const struct dw8250_platform_data *pdata; ++ ++ int msr_mask_on; ++ int msr_mask_off; ++ struct clk *clk; ++ struct clk *pclk; ++ struct notifier_block clk_notifier; ++ struct work_struct clk_work; ++ struct reset_control *rst; ++ ++ unsigned int skip_autocfg:1; ++ unsigned int uart_16550_compatible:1; ++}; ++ ++static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data) ++{ ++ return container_of(data, struct dw8250_data, data); ++} ++ + static inline struct dw8250_data *clk_to_dw8250_data(struct notifier_block *nb) + { + return 
container_of(nb, struct dw8250_data, clk_notifier); +--- a/drivers/tty/serial/8250/8250_dwlib.h ++++ b/drivers/tty/serial/8250/8250_dwlib.h +@@ -2,15 +2,10 @@ + /* Synopsys DesignWare 8250 library header file. */ + + #include +-#include + #include +-#include + + #include "8250.h" + +-struct clk; +-struct reset_control; +- + struct dw8250_port_data { + /* Port properties */ + int line; +@@ -26,36 +21,9 @@ struct dw8250_port_data { + bool hw_rs485_support; + }; + +-struct dw8250_platform_data { +- u8 usr_reg; +- u32 cpr_value; +- unsigned int quirks; +-}; +- +-struct dw8250_data { +- struct dw8250_port_data data; +- const struct dw8250_platform_data *pdata; +- +- int msr_mask_on; +- int msr_mask_off; +- struct clk *clk; +- struct clk *pclk; +- struct notifier_block clk_notifier; +- struct work_struct clk_work; +- struct reset_control *rst; +- +- unsigned int skip_autocfg:1; +- unsigned int uart_16550_compatible:1; +-}; +- + void dw8250_do_set_termios(struct uart_port *p, struct ktermios *termios, const struct ktermios *old); + void dw8250_setup_port(struct uart_port *p); + +-static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data) +-{ +- return container_of(data, struct dw8250_data, data); +-} +- + static inline u32 dw8250_readl_ext(struct uart_port *p, int offset) + { + if (p->iotype == UPIO_MEM32BE) diff --git a/queue-6.6/series b/queue-6.6/series index 643b0889c51..9981d2fd5dd 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -136,3 +136,42 @@ arm64-defconfig-enable-the-vf610-gpio-driver.patch ext4-avoid-overflow-when-setting-values-via-sysfs.patch ext4-fix-slab-out-of-bounds-in-ext4_mb_find_good_group_avg_frag_lists.patch locking-atomic-scripts-fix-atomic-_sub_and_test-kerneldoc.patch +net-stmmac-assign-configured-channel-value-to-extts-event.patch +net-usb-ax88179_178a-improve-reset-check.patch +net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch +btrfs-retry-block-group-reclaim-without-infinite-loop.patch +scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch +cifs-fix-typo-in-module-parameter-enable_gcm_256.patch +loongarch-fix-watchpoint-setting-error.patch +loongarch-trigger-user-space-watchpoints-correctly.patch +loongarch-fix-multiple-hardware-watchpoint-issues.patch +kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch +kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch +kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch +rdma-rxe-fix-data-copy-for-ib_send_inline.patch +rdma-mlx5-remove-extra-unlock-on-error-path.patch +rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch +ovl-fix-encoding-fid-for-lower-only-root.patch +alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch +alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch +drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch +drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch +drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch +dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch +ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch +ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch +gcov-add-support-for-gcc-14.patch +kcov-don-t-lose-track-of-remote-references-during-softirqs.patch +efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch +serial-8250_dw-revert-move-definitions-to-the-shared-header.patch 
+mips-pci-lantiq-restore-reset-gpio-polarity.patch +mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch +tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch +mm-page_table_check-fix-crash-on-zone_device.patch +i2c-ocores-set-iack-bit-after-core-is-enabled.patch +dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch +dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch +spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch +arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch +spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch diff --git a/queue-6.6/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch b/queue-6.6/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch new file mode 100644 index 00000000000..0779f18168f --- /dev/null +++ b/queue-6.6/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch 
@@ -0,0 +1,35 @@ +From 63deee52811b2f84ed2da55ad47252f0e8145d62 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Tue, 18 Jun 2024 15:29:50 +0200 +Subject: spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 + +From: Patrice Chotard + +commit 63deee52811b2f84ed2da55ad47252f0e8145d62 upstream. + +In case usage of OCTAL mode, buswidth parameter can take the value 8. +As return value of stm32_qspi_get_mode() is used to configure fields +of CCR registers that are 2 bits only (fields IMODE, ADMODE, ADSIZE, + DMODE), clamp return value of stm32_qspi_get_mode() to 4. + +Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback") +Cc: stable@vger.kernel.org +Signed-off-by: Patrice Chotard +Link: https://msgid.link/r/20240618132951.2743935-3-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -349,7 +349,7 @@ static int stm32_qspi_wait_poll_status(s + + static int stm32_qspi_get_mode(u8 buswidth) + { +- if (buswidth == 4) ++ if (buswidth >= 4) + return CCR_BUSWIDTH_4; + + return buswidth; diff --git a/queue-6.6/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch b/queue-6.6/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch new file mode 100644 index 00000000000..8b0c8fbc47f --- /dev/null +++ b/queue-6.6/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch 
@@ -0,0 +1,52 @@ +From c2bd0791c5f02e964402624dfff45ca8995f5397 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Tue, 18 Jun 2024 15:29:49 +0200 +Subject: spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() + +From: Patrice Chotard + +commit c2bd0791c5f02e964402624dfff45ca8995f5397 upstream. + +Misplaced parenthesis make test of mode wrong in case mode is equal to +SPI_TX_OCTAL or SPI_RX_OCTAL. + +Simplify this sanity test, if one of this bit is set, property +cs-gpio must be present in DT. + +Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback") +Cc: stable@vger.kernel.org +Signed-off-by: Patrice Chotard +Link: https://msgid.link/r/20240618132951.2743935-2-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -653,9 +653,7 @@ static int stm32_qspi_setup(struct spi_d + return -EINVAL; + + mode = spi->mode & (SPI_TX_OCTAL | SPI_RX_OCTAL); +- if ((mode == SPI_TX_OCTAL || mode == SPI_RX_OCTAL) || +- ((mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) && +- gpiod_count(qspi->dev, "cs") == -ENOENT)) { ++ if (mode && gpiod_count(qspi->dev, "cs") == -ENOENT) { + dev_err(qspi->dev, "spi-rx-bus-width\\/spi-tx-bus-width\\/cs-gpios\n"); + dev_err(qspi->dev, "configuration not supported\n"); + +@@ -676,10 +674,10 @@ static int stm32_qspi_setup(struct spi_d + qspi->cr_reg = CR_APMS | 3 << CR_FTHRES_SHIFT | CR_SSHIFT | CR_EN; + + /* +- * Dual flash mode is only enable in case SPI_TX_OCTAL and SPI_TX_OCTAL +- * are both set in spi->mode and "cs-gpios" properties is found in DT ++ * Dual flash mode is only enable in case SPI_TX_OCTAL or SPI_RX_OCTAL ++ * is set in spi->mode and "cs-gpios" properties is found in DT + */ +- if (mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) { ++ if (mode) { + qspi->cr_reg |= CR_DFM; + dev_dbg(qspi->dev, 
"Dual flash mode enable"); + } diff --git a/queue-6.6/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch b/queue-6.6/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch new file mode 100644 index 00000000000..e095e09db0e --- /dev/null +++ b/queue-6.6/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch 
@@ -0,0 +1,57 @@ +From 9e046bb111f13461d3f9331e24e974324245140e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 14 Jun 2024 13:06:15 +0000 +Subject: tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() + +From: Eric Dumazet + +commit 9e046bb111f13461d3f9331e24e974324245140e upstream. + +Some applications were reporting ETIMEDOUT errors on apparently +good looking flows, according to packet dumps. + +We were able to root cause the issue to an accidental setting +of tp->retrans_stamp in the following scenario: + +- client sends TFO SYN with data. +- server has TFO disabled, ACKs only SYN but not payload. +- client receives SYNACK covering only SYN. +- tcp_ack() eats SYN and sets tp->retrans_stamp to 0. +- tcp_rcv_fastopen_synack() calls tcp_xmit_retransmit_queue() + to retransmit TFO payload w/o SYN, sets tp->retrans_stamp to "now", + but we are not in any loss recovery state. +- TFO payload is ACKed. +- we are not in any loss recovery state, and don't see any dupacks, + so we don't get to any code path that clears tp->retrans_stamp. +- tp->retrans_stamp stays non-zero for the lifetime of the connection. +- after first RTO, tcp_clamp_rto_to_user_timeout() clamps second RTO + to 1 jiffy due to bogus tp->retrans_stamp. +- on clamped RTO with non-zero icsk_retransmits, retransmits_timed_out() + sets start_ts from tp->retrans_stamp from TFO payload retransmit + hours/days ago, and computes bogus long elapsed time for loss recovery, + and suffers ETIMEDOUT early. 
+ +Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()") +CC: stable@vger.kernel.org +Co-developed-by: Neal Cardwell +Signed-off-by: Neal Cardwell +Co-developed-by: Yuchung Cheng +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240614130615.396837-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6176,6 +6176,7 @@ static bool tcp_rcv_fastopen_synack(stru + skb_rbtree_walk_from(data) + tcp_mark_skb_lost(sk, data); + tcp_xmit_retransmit_queue(sk); ++ tp->retrans_stamp = 0; + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPFASTOPENACTIVEFAIL); + return true;
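Review bot: In the fs/ocfs2/journal.c hunk (ocfs2_journal_dirty()), the ocfs2_abort() call is dropped with no comment left at the site, so nothing tells a later reader that the superblock can't safely be reached through bh->b_assoc_map->host->i_sb here. A one-line comment above jbd2_journal_abort() saying so would keep the dereference from being reintroduced. Minor: the new format string reads "credits %u/%u errcode %d" with no separator before errcode; a comma there keeps the log line unambiguous to parse.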
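Review bot: In the second fs/overlayfs/export.c hunk, the condition `d_is_dir(dentry) && decodable` is only safe because of the early `return 1` that the first hunk adds at the top of ovl_check_encode_origin() for the no-upper case; ovl_connect_layer() copies up an ancestor, per the comment above it, which needs an upper layer. Please extend that comment to say the upper mount is guaranteed at this point, so the two hunks are not separated in a later refactor or partial backport.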
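Review bot: In the mlx5_cache_ent_insert() hunk, with the unlock gone the function silently depends on the caller holding cache->rb_lock. Adding lockdep_assert_held(&cache->rb_lock) at the top of the function would document that contract and catch a recurrence of this kind of unbalanced locking on debug kernels.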
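Review bot: In the copy_inline_data_to_wqe() hunk, the loop advances p by sge->length for every entry and nothing in the visible lines bounds the running total against the size of the inline buffer p points into. Please confirm the caller rejects a work request whose summed sge lengths exceed the inline limit before this function runs, and say so in a comment above the loop.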
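Review bot: In the ufshcd_probe_hba() hunk, ufs_put_device_desc(hba) now runs before the reinit, and `ret = ufshcd_hba_enable(hba)` right after it can fail. Please confirm ufs_put_device_desc() also clears the model pointer after freeing it, so that an error path or a later teardown that calls it again does not free the same buffer twice.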
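Review bot: In the 8250_dw.c hunk, struct dw8250_data is moved in with its clk, reset_control, notifier_block and work_struct members, but no include or forward declaration is added, while the 8250_dwlib.h hunks remove two includes and the `struct clk;` / `struct reset_control;` declarations. Since this is a backport, check that 8250_dw.c in the 6.6 tree already pulls in everything these members need, rather than relying on what the shared header used to provide.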
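Review bot: In the stm32_qspi_get_mode() hunk, `buswidth >= 4` maps every width above 4 to CCR_BUSWIDTH_4, and the reason (the CCR mode fields are 2 bits wide and octal mode passes 8) lives only in the commit message. A short comment above the test would keep someone from tightening it back to `== 4`.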
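Review bot: In the second stm32_qspi_setup() hunk, the rewritten comment keeps the wording "is only enable" and "properties is found"; since these lines are being touched anyway, "is only enabled when SPI_TX_OCTAL or SPI_RX_OCTAL is set in spi->mode and the "cs-gpios" property is found in DT" reads correctly. The dev_dbg() string just below it also lacks a trailing newline.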
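Review bot: In the tcp_rcv_fastopen_synack() hunk, `tp->retrans_stamp = 0;` directly after tcp_xmit_retransmit_queue(sk) looks like a mistake to anyone reading the code without the commit message. Please add a comment there stating that this retransmit happens outside any loss recovery state, so no other code path would clear the stamp that the retransmit just set.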