From: Sasha Levin Date: Tue, 20 Aug 2024 11:58:51 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.1.107~108 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=210231734be0fcde3c893914133713afe84fc8be;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/arm64-fix-kasan-random-tag-seed-initialization.patch b/queue-6.1/arm64-fix-kasan-random-tag-seed-initialization.patch new file mode 100644 index 00000000000..8b43bbb16ec --- /dev/null +++ b/queue-6.1/arm64-fix-kasan-random-tag-seed-initialization.patch @@ -0,0 +1,57 @@ +From d72ff40d606824b95a8763245d04146be627a83f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 02:09:53 -0700 +Subject: arm64: Fix KASAN random tag seed initialization + +From: Samuel Holland + +[ Upstream commit f75c235565f90c4a17b125e47f1c68ef6b8c2bce ] + +Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(), +so per_cpu(prng_state, cpu) accesses the same address regardless of the +value of "cpu", and the same seed value gets copied to the percpu area +for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(), +which is the first architecture hook after setup_per_cpu_areas(). + +Fixes: 3c9e3aa11094 ("kasan: add tag related helper functions") +Fixes: 3f41b6093823 ("kasan: fix random seed generation for tag-based mode") +Signed-off-by: Samuel Holland +Reviewed-by: Andrey Konovalov +Link: https://lore.kernel.org/r/20240814091005.969756-1-samuel.holland@sifive.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/setup.c | 3 --- + arch/arm64/kernel/smp.c | 2 ++ + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c +index fea3223704b63..44c4d79bd914c 100644 +--- a/arch/arm64/kernel/setup.c ++++ b/arch/arm64/kernel/setup.c +@@ -360,9 +360,6 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p) + smp_init_cpus(); + smp_build_mpidr_hash(); + +- /* Init percpu seeds for random tags after cpus are set up. */ +- kasan_init_sw_tags(); +- + #ifdef CONFIG_ARM64_SW_TTBR0_PAN + /* + * Make sure init_thread_info.ttbr0 always generates translation +diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c +index d323621d14a59..b606093a5596c 100644 +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -464,6 +464,8 @@ void __init smp_prepare_boot_cpu(void) + init_gic_priority_masking(); + + kasan_init_hw_tags(); ++ /* Init percpu seeds for random tags after cpus are set up. */ ++ kasan_init_sw_tags(); + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/binfmt_misc-cleanup-on-filesystem-umount.patch b/queue-6.1/binfmt_misc-cleanup-on-filesystem-umount.patch new file mode 100644 index 00000000000..ad75623b54b --- /dev/null +++ b/queue-6.1/binfmt_misc-cleanup-on-filesystem-umount.patch @@ -0,0 +1,442 @@ +From f671a69e22250915dc1e64525fbea50bec8550c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:31:13 +0200 +Subject: binfmt_misc: cleanup on filesystem umount + +From: Christian Brauner + +[ Upstream commit 1c5976ef0f7ad76319df748ccb99a4c7ba2ba464 ] + +Currently, registering a new binary type pins the binfmt_misc +filesystem. Specifically, this means that as long as there is at least +one binary type registered the binfmt_misc filesystem survives all +umounts, i.e. the superblock is not destroyed. Meaning that a umount +followed by another mount will end up with the same superblock and the +same binary type handlers. This is a behavior we tend to discourage for +any new filesystems (apart from a few special filesystems such as e.g. +configfs or debugfs). A umount operation without the filesystem being +pinned - by e.g. someone holding a file descriptor to an open file - +should usually result in the destruction of the superblock and all +associated resources. This makes introspection easier and leads to +clearly defined, simple and clean semantics. An administrator can rely +on the fact that a umount will guarantee a clean slate making it +possible to reinitialize a filesystem. Right now all binary types would +need to be explicitly deleted before that can happen. + +This allows us to remove the heavy-handed calls to simple_pin_fs() and +simple_release_fs() when creating and deleting binary types. This in +turn allows us to replace the current brittle pinning mechanism abusing +dget() which has caused a range of bugs judging from prior fixes in [2] +and [3]. The additional dget() in load_misc_binary() pins the dentry but +only does so for the sake to prevent ->evict_inode() from freeing the +node when a user removes the binary type and kill_node() is run. Which +would mean ->interpreter and ->interp_file would be freed causing a UAF. + +This isn't really nicely documented nor is it very clean because it +relies on simple_pin_fs() pinning the filesystem as long as at least one +binary type exists. Otherwise it would cause load_misc_binary() to hold +on to a dentry belonging to a superblock that has been shutdown. +Replace that implicit pinning with a clean and simple per-node refcount +and get rid of the ugly dget() pinning. A similar mechanism exists for +e.g. binderfs (cf. [4]). All the cleanup work can now be done in +->evict_inode(). + +In a follow-up patch we will make it possible to use binfmt_misc in +sandboxes. We will use the cleaner semantics where a umount for the +filesystem will cause the superblock and all resources to be +deallocated. In preparation for this apply the same semantics to the +initial binfmt_misc mount. Note, that this is a user-visible change and +as such a uapi change but one that we can reasonably risk. We've +discussed this in earlier versions of this patchset (cf. [1]). + +The main user and provider of binfmt_misc is systemd. Systemd provides +binfmt_misc via autofs since it is configurable as a kernel module and +is used by a few exotic packages and users. As such a binfmt_misc mount +is triggered when /proc/sys/fs/binfmt_misc is accessed and is only +provided on demand. Other autofs on demand filesystems include EFI ESP +which systemd umounts if the mountpoint stays idle for a certain amount +of time. This doesn't apply to the binfmt_misc autofs mount which isn't +touched once it is mounted meaning this change can't accidently wipe +binary type handlers without someone having explicitly unmounted +binfmt_misc. After speaking to systemd folks they don't expect this +change to affect them. + +In line with our general policy, if we see a regression for systemd or +other users with this change we will switch back to the old behavior for +the initial binfmt_misc mount and have binary types pin the filesystem +again. But while we touch this code let's take the chance and let's +improve on the status quo. + +[1]: https://lore.kernel.org/r/20191216091220.465626-2-laurent@vivier.eu +[2]: commit 43a4f2619038 ("exec: binfmt_misc: fix race between load_misc_binary() and kill_node()" +[3]: commit 83f918274e4b ("exec: binfmt_misc: shift filp_close(interp_file) from kill_node() to bm_evict_inode()") +[4]: commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II") + +Link: https://lore.kernel.org/r/20211028103114.2849140-1-brauner@kernel.org (v1) +Cc: Sargun Dhillon +Cc: Serge Hallyn +Cc: Jann Horn +Cc: Henning Schild +Cc: Andrei Vagin +Cc: Al Viro +Cc: Laurent Vivier +Cc: linux-fsdevel@vger.kernel.org +Acked-by: Serge Hallyn +Signed-off-by: Christian Brauner +Signed-off-by: Christian Brauner +Signed-off-by: Kees Cook +--- +/* v2 */ +- Christian Brauner : + - Add more comments that explain what's going on. + - Rename functions while changing them to better reflect what they are + doing to make the code easier to understand. + - In the first version when a specific binary type handler was removed + either through a write to the entry's file or all binary type + handlers were removed by a write to the binfmt_misc mount's status + file all cleanup work happened during inode eviction. + That includes removal of the relevant entries from entry list. While + that works fine I disliked that model after thinking about it for a + bit. Because it means that there was a window were someone has + already removed a or all binary handlers but they could still be + safely reached from load_misc_binary() when it has managed to take + the read_lock() on the entries list while inode eviction was already + happening. Again, that perfectly benign but it's cleaner to remove + the binary handler from the list immediately meaning that ones the + write to then entry's file or the binfmt_misc status file returns + the binary type cannot be executed anymore. That gives stronger + guarantees to the user. +Signed-off-by: Sasha Levin +--- + fs/binfmt_misc.c | 216 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 168 insertions(+), 48 deletions(-) + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index bb202ad369d53..740dac1012ae8 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -60,12 +60,11 @@ typedef struct { + char *name; + struct dentry *dentry; + struct file *interp_file; ++ refcount_t users; /* sync removal with load_misc_binary() */ + } Node; + + static DEFINE_RWLOCK(entries_lock); + static struct file_system_type bm_fs_type; +-static struct vfsmount *bm_mnt; +-static int entry_count; + + /* + * Max length of the register string. Determined by: +@@ -82,19 +81,23 @@ static int entry_count; + */ + #define MAX_REGISTER_LENGTH 1920 + +-/* +- * Check if we support the binfmt +- * if we do, return the node, else NULL +- * locking is done in load_misc_binary ++/** ++ * search_binfmt_handler - search for a binary handler for @bprm ++ * @misc: handle to binfmt_misc instance ++ * @bprm: binary for which we are looking for a handler ++ * ++ * Search for a binary type handler for @bprm in the list of registered binary ++ * type handlers. ++ * ++ * Return: binary type list entry on success, NULL on failure + */ +-static Node *check_file(struct linux_binprm *bprm) ++static Node *search_binfmt_handler(struct linux_binprm *bprm) + { + char *p = strrchr(bprm->interp, '.'); +- struct list_head *l; ++ Node *e; + + /* Walk all the registered handlers. */ +- list_for_each(l, &entries) { +- Node *e = list_entry(l, Node, list); ++ list_for_each_entry(e, &entries, list) { + char *s; + int j; + +@@ -123,9 +126,49 @@ static Node *check_file(struct linux_binprm *bprm) + if (j == e->size) + return e; + } ++ + return NULL; + } + ++/** ++ * get_binfmt_handler - try to find a binary type handler ++ * @misc: handle to binfmt_misc instance ++ * @bprm: binary for which we are looking for a handler ++ * ++ * Try to find a binfmt handler for the binary type. If one is found take a ++ * reference to protect against removal via bm_{entry,status}_write(). ++ * ++ * Return: binary type list entry on success, NULL on failure ++ */ ++static Node *get_binfmt_handler(struct linux_binprm *bprm) ++{ ++ Node *e; ++ ++ read_lock(&entries_lock); ++ e = search_binfmt_handler(bprm); ++ if (e) ++ refcount_inc(&e->users); ++ read_unlock(&entries_lock); ++ return e; ++} ++ ++/** ++ * put_binfmt_handler - put binary handler node ++ * @e: node to put ++ * ++ * Free node syncing with load_misc_binary() and defer final free to ++ * load_misc_binary() in case it is using the binary type handler we were ++ * requested to remove. ++ */ ++static void put_binfmt_handler(Node *e) ++{ ++ if (refcount_dec_and_test(&e->users)) { ++ if (e->flags & MISC_FMT_OPEN_FILE) ++ filp_close(e->interp_file, NULL); ++ kfree(e); ++ } ++} ++ + /* + * the loader itself + */ +@@ -139,12 +182,7 @@ static int load_misc_binary(struct linux_binprm *bprm) + if (!enabled) + return retval; + +- /* to keep locking time low, we copy the interpreter string */ +- read_lock(&entries_lock); +- fmt = check_file(bprm); +- if (fmt) +- dget(fmt->dentry); +- read_unlock(&entries_lock); ++ fmt = get_binfmt_handler(bprm); + if (!fmt) + return retval; + +@@ -198,7 +236,16 @@ static int load_misc_binary(struct linux_binprm *bprm) + + retval = 0; + ret: +- dput(fmt->dentry); ++ ++ /* ++ * If we actually put the node here all concurrent calls to ++ * load_misc_binary() will have finished. We also know ++ * that for the refcount to be zero ->evict_inode() must have removed ++ * the node to be deleted from the list. All that is left for us is to ++ * close and free. ++ */ ++ put_binfmt_handler(fmt); ++ + return retval; + } + +@@ -553,30 +600,90 @@ static struct inode *bm_get_inode(struct super_block *sb, int mode) + return inode; + } + ++/** ++ * bm_evict_inode - cleanup data associated with @inode ++ * @inode: inode to which the data is attached ++ * ++ * Cleanup the binary type handler data associated with @inode if a binary type ++ * entry is removed or the filesystem is unmounted and the super block is ++ * shutdown. ++ * ++ * If the ->evict call was not caused by a super block shutdown but by a write ++ * to remove the entry or all entries via bm_{entry,status}_write() the entry ++ * will have already been removed from the list. We keep the list_empty() check ++ * to make that explicit. ++*/ + static void bm_evict_inode(struct inode *inode) + { + Node *e = inode->i_private; + +- if (e && e->flags & MISC_FMT_OPEN_FILE) +- filp_close(e->interp_file, NULL); +- + clear_inode(inode); +- kfree(e); ++ ++ if (e) { ++ write_lock(&entries_lock); ++ if (!list_empty(&e->list)) ++ list_del_init(&e->list); ++ write_unlock(&entries_lock); ++ put_binfmt_handler(e); ++ } + } + +-static void kill_node(Node *e) ++/** ++ * unlink_binfmt_dentry - remove the dentry for the binary type handler ++ * @dentry: dentry associated with the binary type handler ++ * ++ * Do the actual filesystem work to remove a dentry for a registered binary ++ * type handler. Since binfmt_misc only allows simple files to be created ++ * directly under the root dentry of the filesystem we ensure that we are ++ * indeed passed a dentry directly beneath the root dentry, that the inode ++ * associated with the root dentry is locked, and that it is a regular file we ++ * are asked to remove. ++ */ ++static void unlink_binfmt_dentry(struct dentry *dentry) + { +- struct dentry *dentry; ++ struct dentry *parent = dentry->d_parent; ++ struct inode *inode, *parent_inode; ++ ++ /* All entries are immediate descendants of the root dentry. */ ++ if (WARN_ON_ONCE(dentry->d_sb->s_root != parent)) ++ return; + ++ /* We only expect to be called on regular files. */ ++ inode = d_inode(dentry); ++ if (WARN_ON_ONCE(!S_ISREG(inode->i_mode))) ++ return; ++ ++ /* The parent inode must be locked. */ ++ parent_inode = d_inode(parent); ++ if (WARN_ON_ONCE(!inode_is_locked(parent_inode))) ++ return; ++ ++ if (simple_positive(dentry)) { ++ dget(dentry); ++ simple_unlink(parent_inode, dentry); ++ d_delete(dentry); ++ dput(dentry); ++ } ++} ++ ++/** ++ * remove_binfmt_handler - remove a binary type handler ++ * @misc: handle to binfmt_misc instance ++ * @e: binary type handler to remove ++ * ++ * Remove a binary type handler from the list of binary type handlers and ++ * remove its associated dentry. This is called from ++ * binfmt_{entry,status}_write(). In the future, we might want to think about ++ * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's ++ * to use writes to files in order to delete binary type handlers. But it has ++ * worked for so long that it's not a pressing issue. ++ */ ++static void remove_binfmt_handler(Node *e) ++{ + write_lock(&entries_lock); + list_del_init(&e->list); + write_unlock(&entries_lock); +- +- dentry = e->dentry; +- drop_nlink(d_inode(dentry)); +- d_drop(dentry); +- dput(dentry); +- simple_release_fs(&bm_mnt, &entry_count); ++ unlink_binfmt_dentry(e->dentry); + } + + /* / */ +@@ -603,8 +710,8 @@ bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + static ssize_t bm_entry_write(struct file *file, const char __user *buffer, + size_t count, loff_t *ppos) + { +- struct dentry *root; +- Node *e = file_inode(file)->i_private; ++ struct inode *inode = file_inode(file); ++ Node *e = inode->i_private; + int res = parse_command(buffer, count); + + switch (res) { +@@ -618,13 +725,22 @@ static ssize_t bm_entry_write(struct file *file, const char __user *buffer, + break; + case 3: + /* Delete this handler. */ +- root = file_inode(file)->i_sb->s_root; +- inode_lock(d_inode(root)); ++ inode = d_inode(inode->i_sb->s_root); ++ inode_lock(inode); + ++ /* ++ * In order to add new element or remove elements from the list ++ * via bm_{entry,register,status}_write() inode_lock() on the ++ * root inode must be held. ++ * The lock is exclusive ensuring that the list can't be ++ * modified. Only load_misc_binary() can access but does so ++ * read-only. So we only need to take the write lock when we ++ * actually remove the entry from the list. ++ */ + if (!list_empty(&e->list)) +- kill_node(e); ++ remove_binfmt_handler(e); + +- inode_unlock(d_inode(root)); ++ inode_unlock(inode); + break; + default: + return res; +@@ -683,13 +799,7 @@ static ssize_t bm_register_write(struct file *file, const char __user *buffer, + if (!inode) + goto out2; + +- err = simple_pin_fs(&bm_fs_type, &bm_mnt, &entry_count); +- if (err) { +- iput(inode); +- inode = NULL; +- goto out2; +- } +- ++ refcount_set(&e->users, 1); + e->dentry = dget(dentry); + inode->i_private = e; + inode->i_fop = &bm_entry_operations; +@@ -733,7 +843,8 @@ static ssize_t bm_status_write(struct file *file, const char __user *buffer, + size_t count, loff_t *ppos) + { + int res = parse_command(buffer, count); +- struct dentry *root; ++ Node *e, *next; ++ struct inode *inode; + + switch (res) { + case 1: +@@ -746,13 +857,22 @@ static ssize_t bm_status_write(struct file *file, const char __user *buffer, + break; + case 3: + /* Delete all handlers. */ +- root = file_inode(file)->i_sb->s_root; +- inode_lock(d_inode(root)); ++ inode = d_inode(file_inode(file)->i_sb->s_root); ++ inode_lock(inode); + +- while (!list_empty(&entries)) +- kill_node(list_first_entry(&entries, Node, list)); ++ /* ++ * In order to add new element or remove elements from the list ++ * via bm_{entry,register,status}_write() inode_lock() on the ++ * root inode must be held. ++ * The lock is exclusive ensuring that the list can't be ++ * modified. Only load_misc_binary() can access but does so ++ * read-only. So we only need to take the write lock when we ++ * actually remove the entry from the list. ++ */ ++ list_for_each_entry_safe(e, next, &entries, list) ++ remove_binfmt_handler(e); + +- inode_unlock(d_inode(root)); ++ inode_unlock(inode); + break; + default: + return res; +-- +2.43.0 + diff --git a/queue-6.1/block-fix-lockdep-warning-in-blk_mq_mark_tag_wait.patch b/queue-6.1/block-fix-lockdep-warning-in-blk_mq_mark_tag_wait.patch new file mode 100644 index 00000000000..f67a07d8efe --- /dev/null +++ b/queue-6.1/block-fix-lockdep-warning-in-blk_mq_mark_tag_wait.patch @@ -0,0 +1,211 @@ +From 6d280542e7d270551ddc6822730bed7eb15300cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 10:47:36 +0800 +Subject: block: Fix lockdep warning in blk_mq_mark_tag_wait + +From: Li Lingfeng + +[ Upstream commit b313a8c835516bdda85025500be866ac8a74e022 ] + +Lockdep reported a warning in Linux version 6.6: + +[ 414.344659] ================================ +[ 414.345155] WARNING: inconsistent lock state +[ 414.345658] 6.6.0-07439-gba2303cacfda #6 Not tainted +[ 414.346221] -------------------------------- +[ 414.346712] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +[ 414.347545] kworker/u10:3/1152 [HC0[0]:SC0[0]:HE0:SE1] takes: +[ 414.349245] ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0 +[ 414.351204] {IN-SOFTIRQ-W} state was registered at: +[ 414.351751] lock_acquire+0x18d/0x460 +[ 414.352218] _raw_spin_lock_irqsave+0x39/0x60 +[ 414.352769] __wake_up_common_lock+0x22/0x60 +[ 414.353289] sbitmap_queue_wake_up+0x375/0x4f0 +[ 414.353829] sbitmap_queue_clear+0xdd/0x270 +[ 414.354338] blk_mq_put_tag+0xdf/0x170 +[ 414.354807] __blk_mq_free_request+0x381/0x4d0 +[ 414.355335] blk_mq_free_request+0x28b/0x3e0 +[ 414.355847] __blk_mq_end_request+0x242/0xc30 +[ 414.356367] scsi_end_request+0x2c1/0x830 +[ 414.345155] WARNING: inconsistent lock state +[ 414.345658] 6.6.0-07439-gba2303cacfda #6 Not tainted +[ 414.346221] -------------------------------- +[ 414.346712] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +[ 414.347545] kworker/u10:3/1152 [HC0[0]:SC0[0]:HE0:SE1] takes: +[ 414.349245] ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0 +[ 414.351204] {IN-SOFTIRQ-W} state was registered at: +[ 414.351751] lock_acquire+0x18d/0x460 +[ 414.352218] _raw_spin_lock_irqsave+0x39/0x60 +[ 414.352769] __wake_up_common_lock+0x22/0x60 +[ 414.353289] sbitmap_queue_wake_up+0x375/0x4f0 +[ 414.353829] sbitmap_queue_clear+0xdd/0x270 +[ 414.354338] blk_mq_put_tag+0xdf/0x170 +[ 414.354807] __blk_mq_free_request+0x381/0x4d0 +[ 414.355335] blk_mq_free_request+0x28b/0x3e0 +[ 414.355847] __blk_mq_end_request+0x242/0xc30 +[ 414.356367] scsi_end_request+0x2c1/0x830 +[ 414.356863] scsi_io_completion+0x177/0x1610 +[ 414.357379] scsi_complete+0x12f/0x260 +[ 414.357856] blk_complete_reqs+0xba/0xf0 +[ 414.358338] __do_softirq+0x1b0/0x7a2 +[ 414.358796] irq_exit_rcu+0x14b/0x1a0 +[ 414.359262] sysvec_call_function_single+0xaf/0xc0 +[ 414.359828] asm_sysvec_call_function_single+0x1a/0x20 +[ 414.360426] default_idle+0x1e/0x30 +[ 414.360873] default_idle_call+0x9b/0x1f0 +[ 414.361390] do_idle+0x2d2/0x3e0 +[ 414.361819] cpu_startup_entry+0x55/0x60 +[ 414.362314] start_secondary+0x235/0x2b0 +[ 414.362809] secondary_startup_64_no_verify+0x18f/0x19b +[ 414.363413] irq event stamp: 428794 +[ 414.363825] hardirqs last enabled at (428793): [] ktime_get+0x1dc/0x200 +[ 414.364694] hardirqs last disabled at (428794): [] _raw_spin_lock_irq+0x47/0x50 +[ 414.365629] softirqs last enabled at (428444): [] __do_softirq+0x540/0x7a2 +[ 414.366522] softirqs last disabled at (428419): [] irq_exit_rcu+0x14b/0x1a0 +[ 414.367425] + other info that might help us debug this: +[ 414.368194] Possible unsafe locking scenario: +[ 414.368900] CPU0 +[ 414.369225] ---- +[ 414.369548] lock(&sbq->ws[i].wait); +[ 414.370000] +[ 414.370342] lock(&sbq->ws[i].wait); +[ 414.370802] + *** DEADLOCK *** +[ 414.371569] 5 locks held by kworker/u10:3/1152: +[ 414.372088] #0: ffff88810130e938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0x357/0x13f0 +[ 414.373180] #1: ffff88810201fdb8 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x3a3/0x13f0 +[ 414.374384] #2: ffffffff86ffbdc0 (rcu_read_lock){....}-{1:2}, at: blk_mq_run_hw_queue+0x637/0xa00 +[ 414.375342] #3: ffff88810edd1098 (&sbq->ws[i].wait){+.?.}-{2:2}, at: blk_mq_dispatch_rq_list+0x131c/0x1ee0 +[ 414.376377] #4: ffff888106205a08 (&hctx->dispatch_wait_lock){+.-.}-{2:2}, at: blk_mq_dispatch_rq_list+0x1337/0x1ee0 +[ 414.378607] + stack backtrace: +[ 414.379177] CPU: 0 PID: 1152 Comm: kworker/u10:3 Not tainted 6.6.0-07439-gba2303cacfda #6 +[ 414.380032] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 414.381177] Workqueue: writeback wb_workfn (flush-253:0) +[ 414.381805] Call Trace: +[ 414.382136] +[ 414.382429] dump_stack_lvl+0x91/0xf0 +[ 414.382884] mark_lock_irq+0xb3b/0x1260 +[ 414.383367] ? __pfx_mark_lock_irq+0x10/0x10 +[ 414.383889] ? stack_trace_save+0x8e/0xc0 +[ 414.384373] ? __pfx_stack_trace_save+0x10/0x10 +[ 414.384903] ? graph_lock+0xcf/0x410 +[ 414.385350] ? save_trace+0x3d/0xc70 +[ 414.385808] mark_lock.part.20+0x56d/0xa90 +[ 414.386317] mark_held_locks+0xb0/0x110 +[ 414.386791] ? __pfx_do_raw_spin_lock+0x10/0x10 +[ 414.387320] lockdep_hardirqs_on_prepare+0x297/0x3f0 +[ 414.387901] ? _raw_spin_unlock_irq+0x28/0x50 +[ 414.388422] trace_hardirqs_on+0x58/0x100 +[ 414.388917] _raw_spin_unlock_irq+0x28/0x50 +[ 414.389422] __blk_mq_tag_busy+0x1d6/0x2a0 +[ 414.389920] __blk_mq_get_driver_tag+0x761/0x9f0 +[ 414.390899] blk_mq_dispatch_rq_list+0x1780/0x1ee0 +[ 414.391473] ? __pfx_blk_mq_dispatch_rq_list+0x10/0x10 +[ 414.392070] ? sbitmap_get+0x2b8/0x450 +[ 414.392533] ? __blk_mq_get_driver_tag+0x210/0x9f0 +[ 414.393095] __blk_mq_sched_dispatch_requests+0xd99/0x1690 +[ 414.393730] ? elv_attempt_insert_merge+0x1b1/0x420 +[ 414.394302] ? __pfx___blk_mq_sched_dispatch_requests+0x10/0x10 +[ 414.394970] ? lock_acquire+0x18d/0x460 +[ 414.395456] ? blk_mq_run_hw_queue+0x637/0xa00 +[ 414.395986] ? __pfx_lock_acquire+0x10/0x10 +[ 414.396499] blk_mq_sched_dispatch_requests+0x109/0x190 +[ 414.397100] blk_mq_run_hw_queue+0x66e/0xa00 +[ 414.397616] blk_mq_flush_plug_list.part.17+0x614/0x2030 +[ 414.398244] ? __pfx_blk_mq_flush_plug_list.part.17+0x10/0x10 +[ 414.398897] ? writeback_sb_inodes+0x241/0xcc0 +[ 414.399429] blk_mq_flush_plug_list+0x65/0x80 +[ 414.399957] __blk_flush_plug+0x2f1/0x530 +[ 414.400458] ? __pfx___blk_flush_plug+0x10/0x10 +[ 414.400999] blk_finish_plug+0x59/0xa0 +[ 414.401467] wb_writeback+0x7cc/0x920 +[ 414.401935] ? __pfx_wb_writeback+0x10/0x10 +[ 414.402442] ? mark_held_locks+0xb0/0x110 +[ 414.402931] ? __pfx_do_raw_spin_lock+0x10/0x10 +[ 414.403462] ? lockdep_hardirqs_on_prepare+0x297/0x3f0 +[ 414.404062] wb_workfn+0x2b3/0xcf0 +[ 414.404500] ? __pfx_wb_workfn+0x10/0x10 +[ 414.404989] process_scheduled_works+0x432/0x13f0 +[ 414.405546] ? __pfx_process_scheduled_works+0x10/0x10 +[ 414.406139] ? do_raw_spin_lock+0x101/0x2a0 +[ 414.406641] ? assign_work+0x19b/0x240 +[ 414.407106] ? lock_is_held_type+0x9d/0x110 +[ 414.407604] worker_thread+0x6f2/0x1160 +[ 414.408075] ? __kthread_parkme+0x62/0x210 +[ 414.408572] ? lockdep_hardirqs_on_prepare+0x297/0x3f0 +[ 414.409168] ? __kthread_parkme+0x13c/0x210 +[ 414.409678] ? __pfx_worker_thread+0x10/0x10 +[ 414.410191] kthread+0x33c/0x440 +[ 414.410602] ? __pfx_kthread+0x10/0x10 +[ 414.411068] ret_from_fork+0x4d/0x80 +[ 414.411526] ? __pfx_kthread+0x10/0x10 +[ 414.411993] ret_from_fork_asm+0x1b/0x30 +[ 414.412489] + +When interrupt is turned on while a lock holding by spin_lock_irq it +throws a warning because of potential deadlock. + +blk_mq_prep_dispatch_rq + blk_mq_get_driver_tag + __blk_mq_get_driver_tag + __blk_mq_alloc_driver_tag + blk_mq_tag_busy -> tag is already busy + // failed to get driver tag + blk_mq_mark_tag_wait + spin_lock_irq(&wq->lock) -> lock A (&sbq->ws[i].wait) + __add_wait_queue(wq, wait) -> wait queue active + blk_mq_get_driver_tag + __blk_mq_tag_busy +-> 1) tag must be idle, which means there can't be inflight IO + spin_lock_irq(&tags->lock) -> lock B (hctx->tags) + spin_unlock_irq(&tags->lock) -> unlock B, turn on interrupt accidentally +-> 2) context must be preempt by IO interrupt to trigger deadlock. + +As shown above, the deadlock is not possible in theory, but the warning +still need to be fixed. + +Fix it by using spin_lock_irqsave to get lockB instead of spin_lock_irq. + +Fixes: 4f1731df60f9 ("blk-mq: fix potential io hang by wrong 'wake_batch'") +Signed-off-by: Li Lingfeng +Reviewed-by: Ming Lei +Reviewed-by: Yu Kuai +Reviewed-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240815024736.2040971-1-lilingfeng@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-tag.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c +index 100889c276c3f..dcd620422d01d 100644 +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -40,6 +40,7 @@ static void blk_mq_update_wake_batch(struct blk_mq_tags *tags, + void __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx) + { + unsigned int users; ++ unsigned long flags; + struct blk_mq_tags *tags = hctx->tags; + + /* +@@ -58,11 +59,11 @@ void __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx) + return; + } + +- spin_lock_irq(&tags->lock); ++ spin_lock_irqsave(&tags->lock, flags); + users = tags->active_queues + 1; + WRITE_ONCE(tags->active_queues, users); + blk_mq_update_wake_batch(tags, users); +- spin_unlock_irq(&tags->lock); ++ spin_unlock_irqrestore(&tags->lock, flags); + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/cgroup-avoid-extra-dereference-in-css_populate_dir.patch b/queue-6.1/cgroup-avoid-extra-dereference-in-css_populate_dir.patch new file mode 100644 index 00000000000..6013547179b --- /dev/null +++ b/queue-6.1/cgroup-avoid-extra-dereference-in-css_populate_dir.patch @@ -0,0 +1,44 @@ +From da7b80013536ace44318db1dde06020c0150f531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 12:34:35 +0530 +Subject: cgroup: Avoid extra dereference in css_populate_dir() + +From: Kamalesh Babulal + +[ Upstream commit d24f05987ce8bf61e62d86fedbe47523dc5c3393 ] + +Use css directly instead of dereferencing it from &cgroup->self, while +adding the cgroup v2 cft base and psi files in css_populate_dir(). Both +points to the same css, when css->ss is NULL, this avoids extra deferences +and makes code consistent in usage across the function. + +Signed-off-by: Kamalesh Babulal +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 489c25713edcb..455f67ff31b57 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -1751,13 +1751,13 @@ static int css_populate_dir(struct cgroup_subsys_state *css) + + if (!css->ss) { + if (cgroup_on_dfl(cgrp)) { +- ret = cgroup_addrm_files(&cgrp->self, cgrp, ++ ret = cgroup_addrm_files(css, cgrp, + cgroup_base_files, true); + if (ret < 0) + return ret; + + if (cgroup_psi_enabled()) { +- ret = cgroup_addrm_files(&cgrp->self, cgrp, ++ ret = cgroup_addrm_files(css, cgrp, + cgroup_psi_files, true); + if (ret < 0) + return ret; +-- +2.43.0 + diff --git a/queue-6.1/clk-visconti-add-bounds-checking-coverage-for-struct.patch b/queue-6.1/clk-visconti-add-bounds-checking-coverage-for-struct.patch new file mode 100644 index 00000000000..710adfae5db --- /dev/null +++ b/queue-6.1/clk-visconti-add-bounds-checking-coverage-for-struct.patch @@ -0,0 +1,80 @@ +From a38f0a2380e5a5db5e8dd1fc3abadee1f69375ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Oct 2023 16:06:16 -0600 +Subject: clk: visconti: Add bounds-checking coverage for struct + visconti_pll_provider + +From: Gustavo A. R. Silva + +[ Upstream commit 397d887c1601a71e8a8abdb6beea67d58f0472d3 ] + +In order to gain the bounds-checking coverage that __counted_by provides +to flexible-array members at run-time via CONFIG_UBSAN_BOUNDS (for array +indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions), +we must make sure that the counter member, in this particular case `num`, +is updated before the first access to the flex-array member, in this +particular case array `hws`. See below: + +commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with +__counted_by") introduced `__counted_by` for `struct clk_hw_onecell_data` +together with changes to relocate some of assignments of counter `num` +before `hws` is accessed: + +include/linux/clk-provider.h: +1380 struct clk_hw_onecell_data { +1381 unsigned int num; +1382 struct clk_hw *hws[] __counted_by(num); +1383 }; + +However, this structure is used as a member in other structs, in this +case in `struct visconti_pll_provider`: + +drivers/clk/visconti/pll.h: + 16 struct visconti_pll_provider { + 17 void __iomem *reg_base; + 18 struct device_node *node; + 19 + 20 /* Must be last */ + 21 struct clk_hw_onecell_data clk_data; + 22 }; + +Hence, we need to move the assignments to `ctx->clk_data.num` after +allocation for `struct visconti_pll_provider` and before accessing the +flexible array `ctx->clk_data.hws`. And, as assignments for all members +in `struct visconti_pll_provider` are originally adjacent to each other, +relocate all assignments together, so we don't split up +`ctx->clk_data.hws = nr_plls` from the rest. :) + +Reviewed-by: Kees Cook +Acked-by: Nobuhiro Iwamatsu +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/e3189f3e40e8723b6d794fb2260e2e9ab6b960bd.1697492890.git.gustavoars@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/visconti/pll.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c +index 1f3234f226674..e9cd80e085dc3 100644 +--- a/drivers/clk/visconti/pll.c ++++ b/drivers/clk/visconti/pll.c +@@ -329,12 +329,12 @@ struct visconti_pll_provider * __init visconti_init_pll(struct device_node *np, + if (!ctx) + return ERR_PTR(-ENOMEM); + +- for (i = 0; i < nr_plls; ++i) +- ctx->clk_data.hws[i] = ERR_PTR(-ENOENT); +- + ctx->node = np; + ctx->reg_base = base; + ctx->clk_data.num = nr_plls; + ++ for (i = 0; i < nr_plls; ++i) ++ ctx->clk_data.hws[i] = ERR_PTR(-ENOENT); ++ + return ctx; + } +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-amdgpu-imu_v11_0-increase-buffer-size-to-ens.patch b/queue-6.1/drm-amd-amdgpu-imu_v11_0-increase-buffer-size-to-ens.patch new file mode 100644 index 00000000000..7b0d6a02746 --- /dev/null +++ b/queue-6.1/drm-amd-amdgpu-imu_v11_0-increase-buffer-size-to-ens.patch @@ -0,0 +1,42 @@ +From 0f56005231a85857d6bae3b421104c5af09357e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 08:37:05 +0100 +Subject: drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible + values can be stored +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lee Jones + +[ Upstream commit a728342ae4ec2a7fdab0038b11427579424f133e ] + +Fixes the following W=1 kernel build warning(s): + + drivers/gpu/drm/amd/amdgpu/imu_v11_0.c: In function ‘imu_v11_0_init_microcode’: + drivers/gpu/drm/amd/amdgpu/imu_v11_0.c:52:54: warning: ‘_imu.bin’ directive output may be truncated writing 8 bytes into a region of size between 4 and 33 [-Wformat-truncation=] + drivers/gpu/drm/amd/amdgpu/imu_v11_0.c:52:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 40 + +Signed-off-by: Lee Jones +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c b/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c +index 95548c512f4fb..3c21128fa1d82 100644 +--- a/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/imu_v11_0.c +@@ -38,7 +38,7 @@ MODULE_FIRMWARE("amdgpu/gc_11_0_3_imu.bin"); + + static int imu_v11_0_init_microcode(struct amdgpu_device *adev) + { +- char fw_name[40]; ++ char fw_name[45]; + char ucode_prefix[30]; + int err; + const struct imu_firmware_header_v1_0 *imu_hdr; +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-validate-hw_points_num-before-using-.patch b/queue-6.1/drm-amd-display-validate-hw_points_num-before-using-.patch new file mode 100644 index 00000000000..8d2ff50dcc2 --- /dev/null +++ b/queue-6.1/drm-amd-display-validate-hw_points_num-before-using-.patch @@ -0,0 +1,42 @@ +From c542fb911193763b9e35419b1756a5fe4040dcf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 18:23:58 -0600 +Subject: drm/amd/display: Validate hw_points_num before using it + +From: Alex Hung + +[ Upstream commit 58c3b3341cea4f75dc8c003b89f8a6dd8ec55e50 ] + +[WHAT] +hw_points_num is 0 before ogam LUT is programmed; however, function +"dwb3_program_ogam_pwl" assumes hw_points_num is always greater than 0, +i.e. substracting it by 1 as an array index. + +[HOW] +Check hw_points_num is not equal to 0 before using it. + +Reviewed-by: Harry Wentland +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c +index 701c7d8bc038a..03a50c32fcfe1 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dwb_cm.c +@@ -243,6 +243,9 @@ static bool dwb3_program_ogam_lut( + return false; + } + ++ if (params->hw_points_num == 0) ++ return false; ++ + REG_SET(DWB_OGAM_CONTROL, 0, DWB_OGAM_MODE, 2); + + current_mode = dwb3_get_ogam_current(dwbc30); +-- +2.43.0 + diff --git a/queue-6.1/drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch b/queue-6.1/drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch new file mode 100644 index 00000000000..8e299c4d691 --- /dev/null +++ b/queue-6.1/drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch @@ -0,0 +1,144 @@ +From 24c08b999ba308592aa69e131bc36fe9fcfcd5be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 14:44:22 -0400 +Subject: drm/amdkfd: Move dma unmapping after TLB flush + +From: Philip Yang + +[ Upstream commit 101b8104307eac734f2dfa4d3511430b0b631c73 ] + +Otherwise GPU may access the stale mapping and generate IOMMU +IO_PAGE_FAULT. + +Move this to inside p->mutex to prevent multiple threads mapping and +unmapping concurrently race condition. + +After kfd_mem_dmaunmap_attachment is removed from unmap_bo_from_gpuvm, +kfd_mem_dmaunmap_attachment is called if failed to map to GPUs, and +before free the mem attachment in case failed to unmap from GPUs. + +Signed-off-by: Philip Yang +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + + .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 26 ++++++++++++++++--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 20 ++++++++------ + 3 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +index dbc842590b253..585d608c10e8e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +@@ -286,6 +286,7 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(struct amdgpu_device *adev, + struct kgd_mem *mem, void *drm_priv); + int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu( + struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv); ++void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv); + int amdgpu_amdkfd_gpuvm_sync_memory( + struct amdgpu_device *adev, struct kgd_mem *mem, bool intr); + int amdgpu_amdkfd_gpuvm_map_gtt_bo_to_kernel(struct kgd_mem *mem, +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index 7d5fbaaba72f7..3e7f4d8dc9d13 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -719,7 +719,7 @@ kfd_mem_dmaunmap_sg_bo(struct kgd_mem *mem, + enum dma_data_direction dir; + + if (unlikely(!ttm->sg)) { +- pr_err("SG Table of BO is UNEXPECTEDLY NULL"); ++ pr_debug("SG Table of BO is NULL"); + return; + } + +@@ -1226,8 +1226,6 @@ static void unmap_bo_from_gpuvm(struct kgd_mem *mem, + amdgpu_vm_clear_freed(adev, vm, &bo_va->last_pt_update); + + amdgpu_sync_fence(sync, bo_va->last_pt_update); +- +- kfd_mem_dmaunmap_attachment(mem, entry); + } + + static int update_gpuvm_pte(struct kgd_mem *mem, +@@ -1282,6 +1280,7 @@ static int map_bo_to_gpuvm(struct kgd_mem *mem, + + update_gpuvm_pte_failed: + unmap_bo_from_gpuvm(mem, entry, sync); ++ kfd_mem_dmaunmap_attachment(mem, entry); + return ret; + } + +@@ -1852,8 +1851,10 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu( + mem->va + bo_size * (1 + mem->aql_queue)); + + /* Remove from VM internal data structures */ +- list_for_each_entry_safe(entry, tmp, &mem->attachments, list) ++ list_for_each_entry_safe(entry, tmp, &mem->attachments, list) { ++ kfd_mem_dmaunmap_attachment(mem, entry); + kfd_mem_detach(entry); ++ } + + ret = unreserve_bo_and_vms(&ctx, false, false); + +@@ -2024,6 +2025,23 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu( + return ret; + } + ++void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv) ++{ ++ struct kfd_mem_attachment *entry; ++ struct amdgpu_vm *vm; ++ ++ vm = drm_priv_to_vm(drm_priv); ++ ++ mutex_lock(&mem->lock); ++ ++ list_for_each_entry(entry, &mem->attachments, list) { ++ if (entry->bo_va->base.vm == vm) ++ kfd_mem_dmaunmap_attachment(mem, entry); ++ } ++ ++ mutex_unlock(&mem->lock); ++} ++ + int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu( + struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv) + { +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +index b0f475d51ae7e..2b21ce967e766 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -1400,17 +1400,21 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep, + goto sync_memory_failed; + } + } +- mutex_unlock(&p->mutex); + +- if (flush_tlb) { +- /* Flush TLBs after waiting for the page table updates to complete */ +- for (i = 0; i < args->n_devices; i++) { +- peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); +- if (WARN_ON_ONCE(!peer_pdd)) +- continue; ++ /* Flush TLBs after waiting for the page table updates to complete */ ++ for (i = 0; i < args->n_devices; i++) { ++ peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); ++ if (WARN_ON_ONCE(!peer_pdd)) ++ continue; ++ if (flush_tlb) + kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT); +- } ++ ++ /* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */ ++ amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv); + } ++ ++ mutex_unlock(&p->mutex); ++ + kfree(devices_arr); + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/drm-bridge-tc358768-attempt-to-fix-dsi-horizontal-ti.patch b/queue-6.1/drm-bridge-tc358768-attempt-to-fix-dsi-horizontal-ti.patch new file mode 100644 index 00000000000..ab24da1b66b --- /dev/null +++ b/queue-6.1/drm-bridge-tc358768-attempt-to-fix-dsi-horizontal-ti.patch @@ -0,0 +1,346 @@ +From 2678047cc3b49420e2421706cf4cfec8ba0d5a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 09:50:59 +0300 +Subject: drm/bridge: tc358768: Attempt to fix DSI horizontal timings + +From: Tomi Valkeinen + +[ Upstream commit 9fc75c40faa29df14ba16066be6bdfaea9f39ce4 ] + +The DSI horizontal timing calculations done by the driver seem to often +lead to underflows or overflows, depending on the videomode. + +There are two main things the current driver doesn't seem to get right: +DSI HSW and HFP, and VSDly. However, even following Toshiba's +documentation it seems we don't always get a working display. + +This patch attempts to fix the horizontal timings for DSI event mode, and +on a system with a DSI->HDMI encoder, a lot of standard HDMI modes now +seem to work. The work relies on Toshiba's documentation, but also quite +a bit on empirical testing. + +This also adds timing related debug prints to make it easier to improve +on this later. + +The DSI pulse mode has only been tested with a fixed-resolution panel, +which limits the testing of different modes on DSI pulse mode. However, +as the VSDly calculation also affects pulse mode, so this might cause a +regression. + +Reviewed-by: Peter Ujfalusi +Tested-by: Marcel Ziswiler +Tested-by: Maxim Schwalm # Asus TF700T +Signed-off-by: Tomi Valkeinen +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230906-tc358768-v4-12-31725f008a50@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 213 ++++++++++++++++++++++++++---- + 1 file changed, 185 insertions(+), 28 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index 8429b6518b502..aabdb5c74d936 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -158,6 +159,7 @@ struct tc358768_priv { + u32 frs; /* PLL Freqency range for HSCK (post divider) */ + + u32 dsiclk; /* pll_clk / 2 */ ++ u32 pclk; /* incoming pclk rate */ + }; + + static inline struct tc358768_priv *dsi_host_to_tc358768(struct mipi_dsi_host +@@ -381,6 +383,7 @@ static int tc358768_calc_pll(struct tc358768_priv *priv, + priv->prd = best_prd; + priv->frs = frs; + priv->dsiclk = best_pll / 2; ++ priv->pclk = mode->clock * 1000; + + return 0; + } +@@ -639,6 +642,28 @@ static u32 tc358768_ps_to_ns(u32 ps) + return ps / 1000; + } + ++static u32 tc358768_dpi_to_ns(u32 val, u32 pclk) ++{ ++ return (u32)div_u64((u64)val * NANO, pclk); ++} ++ ++/* Convert value in DPI pixel clock units to DSI byte count */ ++static u32 tc358768_dpi_to_dsi_bytes(struct tc358768_priv *priv, u32 val) ++{ ++ u64 m = (u64)val * priv->dsiclk / 4 * priv->dsi_lanes; ++ u64 n = priv->pclk; ++ ++ return (u32)div_u64(m + n - 1, n); ++} ++ ++static u32 tc358768_dsi_bytes_to_ns(struct tc358768_priv *priv, u32 val) ++{ ++ u64 m = (u64)val * NANO; ++ u64 n = priv->dsiclk / 4 * priv->dsi_lanes; ++ ++ return (u32)div_u64(m, n); ++} ++ + static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + { + struct tc358768_priv *priv = bridge_to_tc358768(bridge); +@@ -648,11 +673,19 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + s32 raw_val; + const struct drm_display_mode *mode; + u32 hsbyteclk_ps, dsiclk_ps, ui_ps; +- u32 dsiclk, hsbyteclk, video_start; +- const u32 internal_delay = 40; ++ u32 dsiclk, hsbyteclk; + int ret, i; + struct videomode vm; + struct device *dev = priv->dev; ++ /* In pixelclock units */ ++ u32 dpi_htot, dpi_data_start; ++ /* In byte units */ ++ u32 dsi_dpi_htot, dsi_dpi_data_start; ++ u32 dsi_hsw, dsi_hbp, dsi_hact, dsi_hfp; ++ const u32 dsi_hss = 4; /* HSS is a short packet (4 bytes) */ ++ /* In hsbyteclk units */ ++ u32 dsi_vsdly; ++ const u32 internal_dly = 40; + + if (mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS) { + dev_warn_once(dev, "Non-continuous mode unimplemented, falling back to continuous\n"); +@@ -687,27 +720,23 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + case MIPI_DSI_FMT_RGB888: + val |= (0x3 << 4); + hact = vm.hactive * 3; +- video_start = (vm.hsync_len + vm.hback_porch) * 3; + data_type = MIPI_DSI_PACKED_PIXEL_STREAM_24; + break; + case MIPI_DSI_FMT_RGB666: + val |= (0x4 << 4); + hact = vm.hactive * 3; +- video_start = (vm.hsync_len + vm.hback_porch) * 3; + data_type = MIPI_DSI_PACKED_PIXEL_STREAM_18; + break; + + case MIPI_DSI_FMT_RGB666_PACKED: + val |= (0x4 << 4) | BIT(3); + hact = vm.hactive * 18 / 8; +- video_start = (vm.hsync_len + vm.hback_porch) * 18 / 8; + data_type = MIPI_DSI_PIXEL_STREAM_3BYTE_18; + break; + + case MIPI_DSI_FMT_RGB565: + val |= (0x5 << 4); + hact = vm.hactive * 2; +- video_start = (vm.hsync_len + vm.hback_porch) * 2; + data_type = MIPI_DSI_PACKED_PIXEL_STREAM_16; + break; + default: +@@ -717,9 +746,152 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + return; + } + ++ /* ++ * There are three important things to make TC358768 work correctly, ++ * which are not trivial to manage: ++ * ++ * 1. Keep the DPI line-time and the DSI line-time as close to each ++ * other as possible. ++ * 2. TC358768 goes to LP mode after each line's active area. The DSI ++ * HFP period has to be long enough for entering and exiting LP mode. ++ * But it is not clear how to calculate this. ++ * 3. VSDly (video start delay) has to be long enough to ensure that the ++ * DSI TX does not start transmitting until we have started receiving ++ * pixel data from the DPI input. It is not clear how to calculate ++ * this either. ++ */ ++ ++ dpi_htot = vm.hactive + vm.hfront_porch + vm.hsync_len + vm.hback_porch; ++ dpi_data_start = vm.hsync_len + vm.hback_porch; ++ ++ dev_dbg(dev, "dpi horiz timing (pclk): %u + %u + %u + %u = %u\n", ++ vm.hsync_len, vm.hback_porch, vm.hactive, vm.hfront_porch, ++ dpi_htot); ++ ++ dev_dbg(dev, "dpi horiz timing (ns): %u + %u + %u + %u = %u\n", ++ tc358768_dpi_to_ns(vm.hsync_len, vm.pixelclock), ++ tc358768_dpi_to_ns(vm.hback_porch, vm.pixelclock), ++ tc358768_dpi_to_ns(vm.hactive, vm.pixelclock), ++ tc358768_dpi_to_ns(vm.hfront_porch, vm.pixelclock), ++ tc358768_dpi_to_ns(dpi_htot, vm.pixelclock)); ++ ++ dev_dbg(dev, "dpi data start (ns): %u + %u = %u\n", ++ tc358768_dpi_to_ns(vm.hsync_len, vm.pixelclock), ++ tc358768_dpi_to_ns(vm.hback_porch, vm.pixelclock), ++ tc358768_dpi_to_ns(dpi_data_start, vm.pixelclock)); ++ ++ dsi_dpi_htot = tc358768_dpi_to_dsi_bytes(priv, dpi_htot); ++ dsi_dpi_data_start = tc358768_dpi_to_dsi_bytes(priv, dpi_data_start); ++ ++ if (dsi_dev->mode_flags & MIPI_DSI_MODE_VIDEO_SYNC_PULSE) { ++ dsi_hsw = tc358768_dpi_to_dsi_bytes(priv, vm.hsync_len); ++ dsi_hbp = tc358768_dpi_to_dsi_bytes(priv, vm.hback_porch); ++ } else { ++ /* HBP is included in HSW in event mode */ ++ dsi_hbp = 0; ++ dsi_hsw = tc358768_dpi_to_dsi_bytes(priv, ++ vm.hsync_len + ++ vm.hback_porch); ++ ++ /* ++ * The pixel packet includes the actual pixel data, and: ++ * DSI packet header = 4 bytes ++ * DCS code = 1 byte ++ * DSI packet footer = 2 bytes ++ */ ++ dsi_hact = hact + 4 + 1 + 2; ++ ++ dsi_hfp = dsi_dpi_htot - dsi_hact - dsi_hsw - dsi_hss; ++ ++ /* ++ * Here we should check if HFP is long enough for entering LP ++ * and exiting LP, but it's not clear how to calculate that. ++ * Instead, this is a naive algorithm that just adjusts the HFP ++ * and HSW so that HFP is (at least) roughly 2/3 of the total ++ * blanking time. ++ */ ++ if (dsi_hfp < (dsi_hfp + dsi_hsw + dsi_hss) * 2 / 3) { ++ u32 old_hfp = dsi_hfp; ++ u32 old_hsw = dsi_hsw; ++ u32 tot = dsi_hfp + dsi_hsw + dsi_hss; ++ ++ dsi_hsw = tot / 3; ++ ++ /* ++ * Seems like sometimes HSW has to be divisible by num-lanes, but ++ * not always... ++ */ ++ dsi_hsw = roundup(dsi_hsw, priv->dsi_lanes); ++ ++ dsi_hfp = dsi_dpi_htot - dsi_hact - dsi_hsw - dsi_hss; ++ ++ dev_dbg(dev, ++ "hfp too short, adjusting dsi hfp and dsi hsw from %u, %u to %u, %u\n", ++ old_hfp, old_hsw, dsi_hfp, dsi_hsw); ++ } ++ ++ dev_dbg(dev, ++ "dsi horiz timing (bytes): %u, %u + %u + %u + %u = %u\n", ++ dsi_hss, dsi_hsw, dsi_hbp, dsi_hact, dsi_hfp, ++ dsi_hss + dsi_hsw + dsi_hbp + dsi_hact + dsi_hfp); ++ ++ dev_dbg(dev, "dsi horiz timing (ns): %u + %u + %u + %u + %u = %u\n", ++ tc358768_dsi_bytes_to_ns(priv, dsi_hss), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hsw), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hbp), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hact), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hfp), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hss + dsi_hsw + ++ dsi_hbp + dsi_hact + dsi_hfp)); ++ } ++ ++ /* VSDly calculation */ ++ ++ /* Start with the HW internal delay */ ++ dsi_vsdly = internal_dly; ++ ++ /* Convert to byte units as the other variables are in byte units */ ++ dsi_vsdly *= priv->dsi_lanes; ++ ++ /* Do we need more delay, in addition to the internal? */ ++ if (dsi_dpi_data_start > dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp) { ++ dsi_vsdly = dsi_dpi_data_start - dsi_hss - dsi_hsw - dsi_hbp; ++ dsi_vsdly = roundup(dsi_vsdly, priv->dsi_lanes); ++ } ++ ++ dev_dbg(dev, "dsi data start (bytes) %u + %u + %u + %u = %u\n", ++ dsi_vsdly, dsi_hss, dsi_hsw, dsi_hbp, ++ dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp); ++ ++ dev_dbg(dev, "dsi data start (ns) %u + %u + %u + %u = %u\n", ++ tc358768_dsi_bytes_to_ns(priv, dsi_vsdly), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hss), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hsw), ++ tc358768_dsi_bytes_to_ns(priv, dsi_hbp), ++ tc358768_dsi_bytes_to_ns(priv, dsi_vsdly + dsi_hss + dsi_hsw + dsi_hbp)); ++ ++ /* Convert back to hsbyteclk */ ++ dsi_vsdly /= priv->dsi_lanes; ++ ++ /* ++ * The docs say that there is an internal delay of 40 cycles. ++ * However, we get underflows if we follow that rule. If we ++ * instead ignore the internal delay, things work. So either ++ * the docs are wrong or the calculations are wrong. ++ * ++ * As a temporary fix, add the internal delay here, to counter ++ * the subtraction when writing the register. ++ */ ++ dsi_vsdly += internal_dly; ++ ++ /* Clamp to the register max */ ++ if (dsi_vsdly - internal_dly > 0x3ff) { ++ dev_warn(dev, "VSDly too high, underflows likely\n"); ++ dsi_vsdly = 0x3ff + internal_dly; ++ } ++ + /* VSDly[9:0] */ +- video_start = max(video_start, internal_delay + 1) - internal_delay; +- tc358768_write(priv, TC358768_VSDLY, video_start); ++ tc358768_write(priv, TC358768_VSDLY, dsi_vsdly - internal_dly); + + tc358768_write(priv, TC358768_DATAFMT, val); + tc358768_write(priv, TC358768_DSITX_DT, data_type); +@@ -827,18 +999,6 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + + /* vbp */ + tc358768_write(priv, TC358768_DSI_VBPR, vm.vback_porch); +- +- /* hsw * byteclk * ndl / pclk */ +- val = (u32)div_u64(vm.hsync_len * +- (u64)hsbyteclk * priv->dsi_lanes, +- vm.pixelclock); +- tc358768_write(priv, TC358768_DSI_HSW, val); +- +- /* hbp * byteclk * ndl / pclk */ +- val = (u32)div_u64(vm.hback_porch * +- (u64)hsbyteclk * priv->dsi_lanes, +- vm.pixelclock); +- tc358768_write(priv, TC358768_DSI_HBPR, val); + } else { + /* Set event mode */ + tc358768_write(priv, TC358768_DSI_EVENT, 1); +@@ -852,16 +1012,13 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + + /* vbp (not used in event mode) */ + tc358768_write(priv, TC358768_DSI_VBPR, 0); ++ } + +- /* (hsw + hbp) * byteclk * ndl / pclk */ +- val = (u32)div_u64((vm.hsync_len + vm.hback_porch) * +- (u64)hsbyteclk * priv->dsi_lanes, +- vm.pixelclock); +- tc358768_write(priv, TC358768_DSI_HSW, val); ++ /* hsw (bytes) */ ++ tc358768_write(priv, TC358768_DSI_HSW, dsi_hsw); + +- /* hbp (not used in event mode) */ +- tc358768_write(priv, TC358768_DSI_HBPR, 0); +- } ++ /* hbp (bytes) */ ++ tc358768_write(priv, TC358768_DSI_HBPR, dsi_hbp); + + /* hact (bytes) */ + tc358768_write(priv, TC358768_DSI_HACT, hact); +-- +2.43.0 + diff --git a/queue-6.1/drm-tegra-zero-initialize-iosys_map.patch b/queue-6.1/drm-tegra-zero-initialize-iosys_map.patch new file mode 100644 index 00000000000..479d5a7d6fc --- /dev/null +++ b/queue-6.1/drm-tegra-zero-initialize-iosys_map.patch @@ -0,0 +1,37 @@ +From efd88eb5f041341ee33d7eb132b000a6436a7bff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 14:59:10 +0300 +Subject: drm/tegra: Zero-initialize iosys_map + +From: Mikko Perttunen + +[ Upstream commit 3868ff006b572cf501a3327832d36c64a9eca86a ] + +UBSAN reports an invalid load for bool, as the iosys_map is read +later without being initialized. Zero-initialize it to avoid this. + +Reported-by: Ashish Mhetre +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20230901115910.701518-2-cyndis@kapsi.fi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c +index 81991090adcc9..cd06f25499549 100644 +--- a/drivers/gpu/drm/tegra/gem.c ++++ b/drivers/gpu/drm/tegra/gem.c +@@ -175,7 +175,7 @@ static void tegra_bo_unpin(struct host1x_bo_mapping *map) + static void *tegra_bo_mmap(struct host1x_bo *bo) + { + struct tegra_bo *obj = host1x_to_tegra_bo(bo); +- struct iosys_map map; ++ struct iosys_map map = { 0 }; + int ret; + + if (obj->vaddr) { +-- +2.43.0 + diff --git a/queue-6.1/gfs2-setattr_chown-add-missing-initialization.patch b/queue-6.1/gfs2-setattr_chown-add-missing-initialization.patch new file mode 100644 index 00000000000..f706d00298d --- /dev/null +++ b/queue-6.1/gfs2-setattr_chown-add-missing-initialization.patch @@ -0,0 +1,34 @@ +From cdea69860d563618e2a5bb6d71afcecf59a410a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 20:51:13 +0200 +Subject: gfs2: setattr_chown: Add missing initialization + +From: Andreas Gruenbacher + +[ Upstream commit 2d8d7990619878a848b1d916c2f936d3012ee17d ] + +Add a missing initialization of variable ap in setattr_chown(). +Without, chown() may be able to bypass quotas. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 23e6962cdd6e3..04fc3e72a96e4 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -1907,7 +1907,7 @@ static int setattr_chown(struct inode *inode, struct iattr *attr) + kuid_t ouid, nuid; + kgid_t ogid, ngid; + int error; +- struct gfs2_alloc_parms ap; ++ struct gfs2_alloc_parms ap = {}; + + ouid = inode->i_uid; + ogid = inode->i_gid; +-- +2.43.0 + diff --git a/queue-6.1/hwmon-ltc2992-avoid-division-by-zero.patch b/queue-6.1/hwmon-ltc2992-avoid-division-by-zero.patch new file mode 100644 index 00000000000..ceeb28512a5 --- /dev/null +++ b/queue-6.1/hwmon-ltc2992-avoid-division-by-zero.patch @@ -0,0 +1,42 @@ +From 920b9afd21c5143152e4f7dcfc9cbb8404e2d099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 16:57:53 +0300 +Subject: hwmon: (ltc2992) Avoid division by zero + +From: Antoniu Miclaus + +[ Upstream commit 10b02902048737f376104bc69e5212466e65a542 ] + +Do not allow setting shunt resistor to 0. This results in a division by +zero when performing current value computations based on input voltages +and connected resistor values. + +Signed-off-by: Antoniu Miclaus +Link: https://lore.kernel.org/r/20231011135754.13508-1-antoniu.miclaus@analog.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2992.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ltc2992.c b/drivers/hwmon/ltc2992.c +index d88e883c7492c..984748f36594d 100644 +--- a/drivers/hwmon/ltc2992.c ++++ b/drivers/hwmon/ltc2992.c +@@ -875,8 +875,12 @@ static int ltc2992_parse_dt(struct ltc2992_state *st) + } + + ret = fwnode_property_read_u32(child, "shunt-resistor-micro-ohms", &val); +- if (!ret) ++ if (!ret) { ++ if (!val) ++ return dev_err_probe(&st->client->dev, -EINVAL, ++ "shunt resistor value cannot be zero\n"); + st->r_sense_uohm[addr] = val; ++ } + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/i2c-riic-avoid-potential-division-by-zero.patch b/queue-6.1/i2c-riic-avoid-potential-division-by-zero.patch new file mode 100644 index 00000000000..03539c069f9 --- /dev/null +++ b/queue-6.1/i2c-riic-avoid-potential-division-by-zero.patch @@ -0,0 +1,35 @@ +From e441dbb0d371467420ade62d06e6f9b0d2a0e9a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 22:00:23 +0200 +Subject: i2c: riic: avoid potential division by zero + +From: Wolfram Sang + +[ Upstream commit 7890fce6201aed46d3576e3d641f9ee5c1f0e16f ] + +Value comes from DT, so it could be 0. Unlikely, but could be. + +Signed-off-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-riic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c +index 849848ccb0802..b9959621cc5d7 100644 +--- a/drivers/i2c/busses/i2c-riic.c ++++ b/drivers/i2c/busses/i2c-riic.c +@@ -314,7 +314,7 @@ static int riic_init_hw(struct riic_dev *riic, struct i2c_timings *t) + * frequency with only 62 clock ticks max (31 high, 31 low). + * Aim for a duty of 60% LOW, 40% HIGH. + */ +- total_ticks = DIV_ROUND_UP(rate, t->bus_freq_hz); ++ total_ticks = DIV_ROUND_UP(rate, t->bus_freq_hz ?: 1); + + for (cks = 0; cks < 7; cks++) { + /* +-- +2.43.0 + diff --git a/queue-6.1/i3c-mipi-i3c-hci-do-not-unmap-region-not-mapped-for-.patch b/queue-6.1/i3c-mipi-i3c-hci-do-not-unmap-region-not-mapped-for-.patch new file mode 100644 index 00000000000..b376a3db0e4 --- /dev/null +++ b/queue-6.1/i3c-mipi-i3c-hci-do-not-unmap-region-not-mapped-for-.patch @@ -0,0 +1,41 @@ +From 76b3e2b22d880f46a1423b8527a560eca401e847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 08:57:01 +0300 +Subject: i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer + +From: Jarkko Nikula + +[ Upstream commit b8806e0c939f168237593af0056c309bf31022b0 ] + +Fix following warning (with CONFIG_DMA_API_DEBUG) which happens with a +transfer without a data buffer. + + DMA-API: i3c mipi-i3c-hci.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes] + +For those transfers the hci_dma_queue_xfer() doesn't create a mapping and +the DMA address pointer xfer->data_dma is not set. + +Signed-off-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20230921055704.1087277-10-jarkko.nikula@linux.intel.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c +index a28ff177022ce..337c95d43f3f6 100644 +--- a/drivers/i3c/master/mipi-i3c-hci/dma.c ++++ b/drivers/i3c/master/mipi-i3c-hci/dma.c +@@ -345,6 +345,8 @@ static void hci_dma_unmap_xfer(struct i3c_hci *hci, + + for (i = 0; i < n; i++) { + xfer = xfer_list + i; ++ if (!xfer->data) ++ continue; + dma_unmap_single(&hci->master.dev, + xfer->data_dma, xfer->data_len, + xfer->rnw ? DMA_FROM_DEVICE : DMA_TO_DEVICE); +-- +2.43.0 + diff --git a/queue-6.1/i3c-mipi-i3c-hci-remove-bug-when-ring-abort-request-.patch b/queue-6.1/i3c-mipi-i3c-hci-remove-bug-when-ring-abort-request-.patch new file mode 100644 index 00000000000..c4a2cfcc37d --- /dev/null +++ b/queue-6.1/i3c-mipi-i3c-hci-remove-bug-when-ring-abort-request-.patch @@ -0,0 +1,42 @@ +From e3c7156a7c7ba08907929c872f6e56d3f81b694b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 08:56:57 +0300 +Subject: i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out + +From: Jarkko Nikula + +[ Upstream commit 361acacaf7c706223968c8186f0d3b6e214e7403 ] + +Ring Abort request will timeout in case there is an error in the Host +Controller interrupt delivery or Ring Header configuration. Using BUG() +makes hard to debug those cases. + +Make it less severe and turn BUG() to WARN_ON(). + +Signed-off-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20230921055704.1087277-6-jarkko.nikula@linux.intel.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/mipi-i3c-hci/dma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c +index 71b5dbe45c45c..a28ff177022ce 100644 +--- a/drivers/i3c/master/mipi-i3c-hci/dma.c ++++ b/drivers/i3c/master/mipi-i3c-hci/dma.c +@@ -450,10 +450,9 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci, + /* + * We're deep in it if ever this condition is ever met. + * Hardware might still be writing to memory, etc. +- * Better suspend the world than risking silent corruption. + */ + dev_crit(&hci->master.dev, "unable to abort the ring\n"); +- BUG(); ++ WARN_ON(1); + } + + for (i = 0; i < n; i++) { +-- +2.43.0 + diff --git a/queue-6.1/ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch b/queue-6.1/ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch new file mode 100644 index 00000000000..6d2b45cce73 --- /dev/null +++ b/queue-6.1/ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch @@ -0,0 +1,77 @@ +From b2adc9a02c56230cdd6caf4c0852fd0b29c44cb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 10:11:16 +0000 +Subject: IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock + +From: Chengfeng Ye + +[ Upstream commit 2f19c4b8395ccb6eb25ccafee883c8cfbe3fc193 ] + +handle_receive_interrupt_napi_sp() running inside interrupt handler +could introduce inverse lock ordering between &dd->irq_src_lock +and &dd->uctxt_lock, if read_mod_write() is preempted by the isr. + + [CPU0] | [CPU1] +hfi1_ipoib_dev_open() | +--> hfi1_netdev_enable_queues() | +--> enable_queues(rx) | +--> hfi1_rcvctrl() | +--> set_intr_bits() | +--> read_mod_write() | +--> spin_lock(&dd->irq_src_lock) | + | hfi1_poll() + | --> poll_next() + | --> spin_lock_irq(&dd->uctxt_lock) + | + | --> hfi1_rcvctrl() + | --> set_intr_bits() + | --> read_mod_write() + | --> spin_lock(&dd->irq_src_lock) + | + --> handle_receive_interrupt_napi_sp() | + --> set_all_fastpath() | + --> hfi1_rcd_get_by_index() | + --> spin_lock_irqsave(&dd->uctxt_lock) | + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch use spin_lock_irqsave() +on &dd->irq_src_lock inside read_mod_write() to prevent the possible +deadlock scenario. + +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230926101116.2797-1-dg573847474@gmail.com +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/chip.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c +index 194cac40da653..c560552244ae8 100644 +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -13183,15 +13183,16 @@ static void read_mod_write(struct hfi1_devdata *dd, u16 src, u64 bits, + { + u64 reg; + u16 idx = src / BITS_PER_REGISTER; ++ unsigned long flags; + +- spin_lock(&dd->irq_src_lock); ++ spin_lock_irqsave(&dd->irq_src_lock, flags); + reg = read_csr(dd, CCE_INT_MASK + (8 * idx)); + if (set) + reg |= bits; + else + reg &= ~bits; + write_csr(dd, CCE_INT_MASK + (8 * idx), reg); +- spin_unlock(&dd->irq_src_lock); ++ spin_unlock_irqrestore(&dd->irq_src_lock, flags); + } + + /** +-- +2.43.0 + diff --git a/queue-6.1/kbuild-rust_is_available-handle-failures-calling-rus.patch b/queue-6.1/kbuild-rust_is_available-handle-failures-calling-rus.patch new file mode 100644 index 00000000000..17fe3ba39f5 --- /dev/null +++ b/queue-6.1/kbuild-rust_is_available-handle-failures-calling-rus.patch @@ -0,0 +1,86 @@ +From 7e1d8f55a31ef73192c7bc17f09702387150340d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 02:16:29 +0200 +Subject: kbuild: rust_is_available: handle failures calling + `$RUSTC`/`$BINDGEN` + +From: Miguel Ojeda + +[ Upstream commit f295522886a4ebb628cadb2cd74d0661d6292978 ] + +The script already checks if `$RUSTC` and `$BINDGEN` exists via +`command`, but the environment variables may point to a +non-executable file, or the programs may fail for some other reason. +While the script successfully exits with a failure as it should, +the error given can be quite confusing depending on the shell and +the behavior of its `command`. For instance, with `dash`: + + $ RUSTC=./mm BINDGEN=bindgen CC=clang scripts/rust_is_available.sh + scripts/rust_is_available.sh: 19: arithmetic expression: expecting primary: "100000 * + 100 * + " + +Thus detect failure exit codes when calling `$RUSTC` and `$BINDGEN` and +print a better message, in a similar way to what we do when extracting +the `libclang` version found by `bindgen`. + +Link: https://lore.kernel.org/rust-for-linux/CAK7LNAQYk6s11MASRHW6oxtkqF00EJVqhHOP=5rynWt-QDUsXw@mail.gmail.com/ +Reviewed-by: Nathan Chancellor +Reviewed-by: Martin Rodriguez Reboredo +Link: https://lore.kernel.org/r/20230616001631.463536-10-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Stable-dep-of: 5ce86c6c8613 ("rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT") +Signed-off-by: Sasha Levin +--- + scripts/rust_is_available.sh | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/scripts/rust_is_available.sh b/scripts/rust_is_available.sh +index db4519945f534..1c9081d9dbea7 100755 +--- a/scripts/rust_is_available.sh ++++ b/scripts/rust_is_available.sh +@@ -38,8 +38,20 @@ fi + # Check that the Rust compiler version is suitable. + # + # Non-stable and distributions' versions may have a version suffix, e.g. `-dev`. ++rust_compiler_output=$( \ ++ LC_ALL=C "$RUSTC" --version 2>/dev/null ++) || rust_compiler_code=$? ++if [ -n "$rust_compiler_code" ]; then ++ echo >&2 "***" ++ echo >&2 "*** Running '$RUSTC' to check the Rust compiler version failed with" ++ echo >&2 "*** code $rust_compiler_code. See output and docs below for details:" ++ echo >&2 "***" ++ echo >&2 "$rust_compiler_output" ++ echo >&2 "***" ++ exit 1 ++fi + rust_compiler_version=$( \ +- LC_ALL=C "$RUSTC" --version 2>/dev/null \ ++ echo "$rust_compiler_output" \ + | sed -nE '1s:.*rustc ([0-9]+\.[0-9]+\.[0-9]+).*:\1:p' + ) + rust_compiler_min_version=$($min_tool_version rustc) +@@ -64,8 +76,20 @@ fi + # Check that the Rust bindings generator is suitable. + # + # Non-stable and distributions' versions may have a version suffix, e.g. `-dev`. ++rust_bindings_generator_output=$( \ ++ LC_ALL=C "$BINDGEN" --version 2>/dev/null ++) || rust_bindings_generator_code=$? ++if [ -n "$rust_bindings_generator_code" ]; then ++ echo >&2 "***" ++ echo >&2 "*** Running '$BINDGEN' to check the Rust bindings generator version failed with" ++ echo >&2 "*** code $rust_bindings_generator_code. See output and docs below for details:" ++ echo >&2 "***" ++ echo >&2 "$rust_bindings_generator_output" ++ echo >&2 "***" ++ exit 1 ++fi + rust_bindings_generator_version=$( \ +- LC_ALL=C "$BINDGEN" --version 2>/dev/null \ ++ echo "$rust_bindings_generator_output" \ + | sed -nE '1s:.*bindgen ([0-9]+\.[0-9]+\.[0-9]+).*:\1:p' + ) + rust_bindings_generator_min_version=$($min_tool_version bindgen) +-- +2.43.0 + diff --git a/queue-6.1/kbuild-rust_is_available-normalize-version-matching.patch b/queue-6.1/kbuild-rust_is_available-normalize-version-matching.patch new file mode 100644 index 00000000000..22f7f644ce3 --- /dev/null +++ b/queue-6.1/kbuild-rust_is_available-normalize-version-matching.patch @@ -0,0 +1,72 @@ +From 742a0a6e0934029a04ef02bfa0652313321fba70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 02:16:28 +0200 +Subject: kbuild: rust_is_available: normalize version matching + +From: Miguel Ojeda + +[ Upstream commit 7cd6a3e1f94bab4f2a3425e06f70ab13eb8190d4 ] + +In order to match the version string, `sed` is used in a couple +cases, and `grep` and `head` in a couple others. + +Make the script more consistent and easier to understand by +using the same method, `sed`, for all of them. + +This makes the version matching also a bit more strict for +the changed cases, since the strings `rustc ` and `bindgen ` +will now be required, which should be fine since `rustc` +complains if one attempts to call it with another program +name, and `bindgen` uses a hardcoded string. + +In addition, clarify why one of the existing `sed` commands +does not provide an address like the others. + +Reviewed-by: Nathan Chancellor +Reviewed-by: Masahiro Yamada +Reviewed-by: Martin Rodriguez Reboredo +Link: https://lore.kernel.org/r/20230616001631.463536-9-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Stable-dep-of: 5ce86c6c8613 ("rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT") +Signed-off-by: Sasha Levin +--- + scripts/rust_is_available.sh | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/scripts/rust_is_available.sh b/scripts/rust_is_available.sh +index 7a925d2b20fc7..db4519945f534 100755 +--- a/scripts/rust_is_available.sh ++++ b/scripts/rust_is_available.sh +@@ -40,8 +40,7 @@ fi + # Non-stable and distributions' versions may have a version suffix, e.g. `-dev`. + rust_compiler_version=$( \ + LC_ALL=C "$RUSTC" --version 2>/dev/null \ +- | head -n 1 \ +- | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' \ ++ | sed -nE '1s:.*rustc ([0-9]+\.[0-9]+\.[0-9]+).*:\1:p' + ) + rust_compiler_min_version=$($min_tool_version rustc) + rust_compiler_cversion=$(get_canonical_version $rust_compiler_version) +@@ -67,8 +66,7 @@ fi + # Non-stable and distributions' versions may have a version suffix, e.g. `-dev`. + rust_bindings_generator_version=$( \ + LC_ALL=C "$BINDGEN" --version 2>/dev/null \ +- | head -n 1 \ +- | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' \ ++ | sed -nE '1s:.*bindgen ([0-9]+\.[0-9]+\.[0-9]+).*:\1:p' + ) + rust_bindings_generator_min_version=$($min_tool_version bindgen) + rust_bindings_generator_cversion=$(get_canonical_version $rust_bindings_generator_version) +@@ -110,6 +108,9 @@ fi + + # `bindgen` returned successfully, thus use the output to check that the version + # of the `libclang` found by the Rust bindings generator is suitable. ++# ++# Unlike other version checks, note that this one does not necessarily appear ++# in the first line of the output, thus no `sed` address is provided. + bindgen_libclang_version=$( \ + echo "$bindgen_libclang_output" \ + | sed -nE 's:.*clang version ([0-9]+\.[0-9]+\.[0-9]+).*:\1:p' +-- +2.43.0 + diff --git a/queue-6.1/md-raid5-cache-use-read_once-write_once-for-conf-log.patch b/queue-6.1/md-raid5-cache-use-read_once-write_once-for-conf-log.patch new file mode 100644 index 00000000000..07bab8def48 --- /dev/null +++ b/queue-6.1/md-raid5-cache-use-read_once-write_once-for-conf-log.patch @@ -0,0 +1,226 @@ +From f49ab7c8b315cf3b571439a1a5d96b1e99672c71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 23:19:41 +0800 +Subject: md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log' + +From: Yu Kuai + +[ Upstream commit 06a4d0d8c642b5ea654e832b74dca12965356da0 ] + +'conf->log' is set with 'reconfig_mutex' grabbed, however, readers are +not procted, hence protect it with READ_ONCE/WRITE_ONCE to prevent +reading abnormal values. + +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20231010151958.145896-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid5-cache.c | 47 +++++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 22 deletions(-) + +diff --git a/drivers/md/raid5-cache.c b/drivers/md/raid5-cache.c +index eb66d0bfe39d2..4b9585875a669 100644 +--- a/drivers/md/raid5-cache.c ++++ b/drivers/md/raid5-cache.c +@@ -327,8 +327,9 @@ void r5l_wake_reclaim(struct r5l_log *log, sector_t space); + void r5c_check_stripe_cache_usage(struct r5conf *conf) + { + int total_cached; ++ struct r5l_log *log = READ_ONCE(conf->log); + +- if (!r5c_is_writeback(conf->log)) ++ if (!r5c_is_writeback(log)) + return; + + total_cached = atomic_read(&conf->r5c_cached_partial_stripes) + +@@ -344,7 +345,7 @@ void r5c_check_stripe_cache_usage(struct r5conf *conf) + */ + if (total_cached > conf->min_nr_stripes * 1 / 2 || + atomic_read(&conf->empty_inactive_list_nr) > 0) +- r5l_wake_reclaim(conf->log, 0); ++ r5l_wake_reclaim(log, 0); + } + + /* +@@ -353,7 +354,9 @@ void r5c_check_stripe_cache_usage(struct r5conf *conf) + */ + void r5c_check_cached_full_stripe(struct r5conf *conf) + { +- if (!r5c_is_writeback(conf->log)) ++ struct r5l_log *log = READ_ONCE(conf->log); ++ ++ if (!r5c_is_writeback(log)) + return; + + /* +@@ -363,7 +366,7 @@ void r5c_check_cached_full_stripe(struct r5conf *conf) + if (atomic_read(&conf->r5c_cached_full_stripes) >= + min(R5C_FULL_STRIPE_FLUSH_BATCH(conf), + conf->chunk_sectors >> RAID5_STRIPE_SHIFT(conf))) +- r5l_wake_reclaim(conf->log, 0); ++ r5l_wake_reclaim(log, 0); + } + + /* +@@ -396,7 +399,7 @@ void r5c_check_cached_full_stripe(struct r5conf *conf) + */ + static sector_t r5c_log_required_to_flush_cache(struct r5conf *conf) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + + if (!r5c_is_writeback(log)) + return 0; +@@ -449,7 +452,7 @@ static inline void r5c_update_log_state(struct r5l_log *log) + void r5c_make_stripe_write_out(struct stripe_head *sh) + { + struct r5conf *conf = sh->raid_conf; +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + + BUG_ON(!r5c_is_writeback(log)); + +@@ -491,7 +494,7 @@ static void r5c_handle_parity_cached(struct stripe_head *sh) + */ + static void r5c_finish_cache_stripe(struct stripe_head *sh) + { +- struct r5l_log *log = sh->raid_conf->log; ++ struct r5l_log *log = READ_ONCE(sh->raid_conf->log); + + if (log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_THROUGH) { + BUG_ON(test_bit(STRIPE_R5C_CACHING, &sh->state)); +@@ -692,7 +695,7 @@ static void r5c_disable_writeback_async(struct work_struct *work) + + /* wait superblock change before suspend */ + wait_event(mddev->sb_wait, +- conf->log == NULL || ++ !READ_ONCE(conf->log) || + (!test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) && + (locked = mddev_trylock(mddev)))); + if (locked) { +@@ -1151,7 +1154,7 @@ static void r5l_run_no_space_stripes(struct r5l_log *log) + static sector_t r5c_calculate_new_cp(struct r5conf *conf) + { + struct stripe_head *sh; +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + sector_t new_cp; + unsigned long flags; + +@@ -1159,12 +1162,12 @@ static sector_t r5c_calculate_new_cp(struct r5conf *conf) + return log->next_checkpoint; + + spin_lock_irqsave(&log->stripe_in_journal_lock, flags); +- if (list_empty(&conf->log->stripe_in_journal_list)) { ++ if (list_empty(&log->stripe_in_journal_list)) { + /* all stripes flushed */ + spin_unlock_irqrestore(&log->stripe_in_journal_lock, flags); + return log->next_checkpoint; + } +- sh = list_first_entry(&conf->log->stripe_in_journal_list, ++ sh = list_first_entry(&log->stripe_in_journal_list, + struct stripe_head, r5c); + new_cp = sh->log_start; + spin_unlock_irqrestore(&log->stripe_in_journal_lock, flags); +@@ -1399,7 +1402,7 @@ void r5c_flush_cache(struct r5conf *conf, int num) + struct stripe_head *sh, *next; + + lockdep_assert_held(&conf->device_lock); +- if (!conf->log) ++ if (!READ_ONCE(conf->log)) + return; + + count = 0; +@@ -1420,7 +1423,7 @@ void r5c_flush_cache(struct r5conf *conf, int num) + + static void r5c_do_reclaim(struct r5conf *conf) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + struct stripe_head *sh; + int count = 0; + unsigned long flags; +@@ -1549,7 +1552,7 @@ static void r5l_reclaim_thread(struct md_thread *thread) + { + struct mddev *mddev = thread->mddev; + struct r5conf *conf = mddev->private; +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + + if (!log) + return; +@@ -1589,7 +1592,7 @@ void r5l_quiesce(struct r5l_log *log, int quiesce) + + bool r5l_log_disk_error(struct r5conf *conf) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + + /* don't allow write if journal disk is missing */ + if (!log) +@@ -2633,7 +2636,7 @@ int r5c_try_caching_write(struct r5conf *conf, + struct stripe_head_state *s, + int disks) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + int i; + struct r5dev *dev; + int to_cache = 0; +@@ -2800,7 +2803,7 @@ void r5c_finish_stripe_write_out(struct r5conf *conf, + struct stripe_head *sh, + struct stripe_head_state *s) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + int i; + int do_wakeup = 0; + sector_t tree_index; +@@ -2939,7 +2942,7 @@ int r5c_cache_data(struct r5l_log *log, struct stripe_head *sh) + /* check whether this big stripe is in write back cache. */ + bool r5c_big_stripe_cached(struct r5conf *conf, sector_t sect) + { +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + sector_t tree_index; + void *slot; + +@@ -3047,14 +3050,14 @@ int r5l_start(struct r5l_log *log) + void r5c_update_on_rdev_error(struct mddev *mddev, struct md_rdev *rdev) + { + struct r5conf *conf = mddev->private; +- struct r5l_log *log = conf->log; ++ struct r5l_log *log = READ_ONCE(conf->log); + + if (!log) + return; + + if ((raid5_calc_degraded(conf) > 0 || + test_bit(Journal, &rdev->flags)) && +- conf->log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_BACK) ++ log->r5c_journal_mode == R5C_JOURNAL_MODE_WRITE_BACK) + schedule_work(&log->disable_writeback_work); + } + +@@ -3143,7 +3146,7 @@ int r5l_init_log(struct r5conf *conf, struct md_rdev *rdev) + spin_lock_init(&log->stripe_in_journal_lock); + atomic_set(&log->stripe_in_journal_count, 0); + +- conf->log = log; ++ WRITE_ONCE(conf->log, log); + + set_bit(MD_HAS_JOURNAL, &conf->mddev->flags); + return 0; +@@ -3171,7 +3174,7 @@ void r5l_exit_log(struct r5conf *conf) + * 'reconfig_mutex' is held by caller, set 'confg->log' to NULL to + * ensure disable_writeback_work wakes up and exits. + */ +- conf->log = NULL; ++ WRITE_ONCE(conf->log, NULL); + wake_up(&conf->mddev->sb_wait); + flush_work(&log->disable_writeback_work); + +-- +2.43.0 + diff --git a/queue-6.1/media-qcom-venus-fix-incorrect-return-value.patch b/queue-6.1/media-qcom-venus-fix-incorrect-return-value.patch new file mode 100644 index 00000000000..bf003117b49 --- /dev/null +++ b/queue-6.1/media-qcom-venus-fix-incorrect-return-value.patch @@ -0,0 +1,37 @@ +From 76a21d8833f12ea40320b263e2941f510f1073d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 12:08:47 +0200 +Subject: media: qcom: venus: fix incorrect return value + +From: Hans Verkuil + +[ Upstream commit 51b74c09ac8c5862007fc2bf0d465529d06dd446 ] + +'pd' can be NULL, and in that case it shouldn't be passed to +PTR_ERR. Fixes a smatch warning: + +drivers/media/platform/qcom/venus/pm_helpers.c:873 vcodec_domains_get() warn: passing zero to 'PTR_ERR' + +Signed-off-by: Hans Verkuil +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/pm_helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c +index 48c9084bb4dba..a1b127caa90a7 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -870,7 +870,7 @@ static int vcodec_domains_get(struct venus_core *core) + pd = dev_pm_domain_attach_by_name(dev, + res->vcodec_pmdomains[i]); + if (IS_ERR_OR_NULL(pd)) +- return PTR_ERR(pd) ? : -ENODATA; ++ return pd ? PTR_ERR(pd) : -ENODATA; + core->pmdomains[i] = pd; + } + +-- +2.43.0 + diff --git a/queue-6.1/media-radio-isa-use-dev_name-to-fill-in-bus_info.patch b/queue-6.1/media-radio-isa-use-dev_name-to-fill-in-bus_info.patch new file mode 100644 index 00000000000..1565425963d --- /dev/null +++ b/queue-6.1/media-radio-isa-use-dev_name-to-fill-in-bus_info.patch @@ -0,0 +1,41 @@ +From 60153b12e8e0d0ca43889fb250939599eb0f6508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 17:21:04 +0200 +Subject: media: radio-isa: use dev_name to fill in bus_info + +From: Hans Verkuil + +[ Upstream commit 8b7f3cf4eb9a95940eaabad3226caeaa0d9aa59d ] + +This fixes this warning: + +drivers/media/radio/radio-isa.c: In function 'radio_isa_querycap': +drivers/media/radio/radio-isa.c:39:57: warning: '%s' directive output may be truncated writing up to 35 bytes into a region of size 28 [-Wformat-truncation=] + 39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name); + | ^~ +drivers/media/radio/radio-isa.c:39:9: note: 'snprintf' output between 5 and 40 bytes into a destination of size 32 + 39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/radio-isa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/radio/radio-isa.c b/drivers/media/radio/radio-isa.c +index c591c0851fa28..ad49151f5ff09 100644 +--- a/drivers/media/radio/radio-isa.c ++++ b/drivers/media/radio/radio-isa.c +@@ -36,7 +36,7 @@ static int radio_isa_querycap(struct file *file, void *priv, + + strscpy(v->driver, isa->drv->driver.driver.name, sizeof(v->driver)); + strscpy(v->card, isa->drv->card, sizeof(v->card)); +- snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name); ++ snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", dev_name(isa->v4l2_dev.dev)); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/media-s5p-mfc-fix-potential-deadlock-on-condlock.patch b/queue-6.1/media-s5p-mfc-fix-potential-deadlock-on-condlock.patch new file mode 100644 index 00000000000..602d4a2f568 --- /dev/null +++ b/queue-6.1/media-s5p-mfc-fix-potential-deadlock-on-condlock.patch @@ -0,0 +1,56 @@ +From dac6a17395c54c6cc15e836af810c14c6fca3f67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 10:53:30 +0000 +Subject: media: s5p-mfc: Fix potential deadlock on condlock + +From: Chengfeng Ye + +[ Upstream commit 04d19e65137e3cd4a5004e624c85c762933d115c ] + +As &dev->condlock is acquired under irq context along the following +call chain from s5p_mfc_irq(), other acquisition of the same lock +inside process context or softirq context should disable irq avoid double +lock. enc_post_frame_start() seems to be one such function that execute +under process context or softirq context. + + + +enc_post_frame_start() +--> clear_work_bit() +--> spin_loc(&dev->condlock) + + --> s5p_mfc_irq() + --> s5p_mfc_handle_frame() + --> clear_work_bit() + --> spin_lock(&dev->condlock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch change clear_work_bit() +inside enc_post_frame_start() to clear_work_bit_irqsave(). + +Signed-off-by: Chengfeng Ye +Acked-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c +index f62703cebb77c..4b4c129c09e70 100644 +--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c ++++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c +@@ -1297,7 +1297,7 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx) + if (ctx->state == MFCINST_FINISHING && ctx->ref_queue_cnt == 0) + src_ready = false; + if (!src_ready || ctx->dst_queue_cnt == 0) +- clear_work_bit(ctx); ++ clear_work_bit_irqsave(ctx); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/rcu-dump-memory-object-info-if-callback-function-is-.patch b/queue-6.1/rcu-dump-memory-object-info-if-callback-function-is-.patch new file mode 100644 index 00000000000..80d15c16b59 --- /dev/null +++ b/queue-6.1/rcu-dump-memory-object-info-if-callback-function-is-.patch @@ -0,0 +1,149 @@ +From 5c31983415551fc1316789491ec8800b2fc72140 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Aug 2023 11:17:26 +0800 +Subject: rcu: Dump memory object info if callback function is invalid + +From: Zhen Lei + +[ Upstream commit 2cbc482d325ee58001472c4359b311958c4efdd1 ] + +When a structure containing an RCU callback rhp is (incorrectly) freed +and reallocated after rhp is passed to call_rcu(), it is not unusual for +rhp->func to be set to NULL. This defeats the debugging prints used by +__call_rcu_common() in kernels built with CONFIG_DEBUG_OBJECTS_RCU_HEAD=y, +which expect to identify the offending code using the identity of this +function. + +And in kernels build without CONFIG_DEBUG_OBJECTS_RCU_HEAD=y, things +are even worse, as can be seen from this splat: + +Unable to handle kernel NULL pointer dereference at virtual address 0 +... ... +PC is at 0x0 +LR is at rcu_do_batch+0x1c0/0x3b8 +... ... + (rcu_do_batch) from (rcu_core+0x1d4/0x284) + (rcu_core) from (__do_softirq+0x24c/0x344) + (__do_softirq) from (__irq_exit_rcu+0x64/0x108) + (__irq_exit_rcu) from (irq_exit+0x8/0x10) + (irq_exit) from (__handle_domain_irq+0x74/0x9c) + (__handle_domain_irq) from (gic_handle_irq+0x8c/0x98) + (gic_handle_irq) from (__irq_svc+0x5c/0x94) + (__irq_svc) from (arch_cpu_idle+0x20/0x3c) + (arch_cpu_idle) from (default_idle_call+0x4c/0x78) + (default_idle_call) from (do_idle+0xf8/0x150) + (do_idle) from (cpu_startup_entry+0x18/0x20) + (cpu_startup_entry) from (0xc01530) + +This commit therefore adds calls to mem_dump_obj(rhp) to output some +information, for example: + + slab kmalloc-256 start ffff410c45019900 pointer offset 0 size 256 + +This provides the rough size of the memory block and the offset of the +rcu_head structure, which as least provides at least a few clues to help +locate the problem. If the problem is reproducible, additional slab +debugging can be enabled, for example, CONFIG_DEBUG_SLAB=y, which can +provide significantly more information. + +Signed-off-by: Zhen Lei +Signed-off-by: Paul E. McKenney +Signed-off-by: Frederic Weisbecker +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcu.h | 7 +++++++ + kernel/rcu/srcutiny.c | 1 + + kernel/rcu/srcutree.c | 1 + + kernel/rcu/tasks.h | 1 + + kernel/rcu/tiny.c | 1 + + kernel/rcu/tree.c | 1 + + 6 files changed, 12 insertions(+) + +diff --git a/kernel/rcu/rcu.h b/kernel/rcu/rcu.h +index 48d8f754b730e..49ff955ed2034 100644 +--- a/kernel/rcu/rcu.h ++++ b/kernel/rcu/rcu.h +@@ -10,6 +10,7 @@ + #ifndef __LINUX_RCU_H + #define __LINUX_RCU_H + ++#include + #include + + /* +@@ -211,6 +212,12 @@ static inline void debug_rcu_head_unqueue(struct rcu_head *head) + } + #endif /* #else !CONFIG_DEBUG_OBJECTS_RCU_HEAD */ + ++static inline void debug_rcu_head_callback(struct rcu_head *rhp) ++{ ++ if (unlikely(!rhp->func)) ++ kmem_dump_obj(rhp); ++} ++ + extern int rcu_cpu_stall_suppress_at_boot; + + static inline bool rcu_stall_is_suppressed_at_boot(void) +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index 33adafdad2613..5e7f336baa06a 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -138,6 +138,7 @@ void srcu_drive_gp(struct work_struct *wp) + while (lh) { + rhp = lh; + lh = lh->next; ++ debug_rcu_head_callback(rhp); + local_bh_disable(); + rhp->func(rhp); + local_bh_enable(); +diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c +index 929dcbc04d29c..f7825900bdfd7 100644 +--- a/kernel/rcu/srcutree.c ++++ b/kernel/rcu/srcutree.c +@@ -1591,6 +1591,7 @@ static void srcu_invoke_callbacks(struct work_struct *work) + rhp = rcu_cblist_dequeue(&ready_cbs); + for (; rhp != NULL; rhp = rcu_cblist_dequeue(&ready_cbs)) { + debug_rcu_head_unqueue(rhp); ++ debug_rcu_head_callback(rhp); + local_bh_disable(); + rhp->func(rhp); + local_bh_enable(); +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 456c956f481ef..bb6b037ef30fa 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -487,6 +487,7 @@ static void rcu_tasks_invoke_cbs(struct rcu_tasks *rtp, struct rcu_tasks_percpu + raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags); + len = rcl.len; + for (rhp = rcu_cblist_dequeue(&rcl); rhp; rhp = rcu_cblist_dequeue(&rcl)) { ++ debug_rcu_head_callback(rhp); + local_bh_disable(); + rhp->func(rhp); + local_bh_enable(); +diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c +index a33a8d4942c37..21c040cba4bd0 100644 +--- a/kernel/rcu/tiny.c ++++ b/kernel/rcu/tiny.c +@@ -97,6 +97,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head) + + trace_rcu_invoke_callback("", head); + f = head->func; ++ debug_rcu_head_callback(head); + WRITE_ONCE(head->func, (rcu_callback_t)0L); + f(head); + rcu_lock_release(&rcu_callback_map); +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index cd6144cea5a1a..86923a8914007 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -2292,6 +2292,7 @@ static void rcu_do_batch(struct rcu_data *rdp) + trace_rcu_invoke_callback(rcu_state.name, rhp); + + f = rhp->func; ++ debug_rcu_head_callback(rhp); + WRITE_ONCE(rhp->func, (rcu_callback_t)0L); + f(rhp); + +-- +2.43.0 + diff --git a/queue-6.1/rcu-eliminate-rcu_gp_slow_unregister-false-positive.patch b/queue-6.1/rcu-eliminate-rcu_gp_slow_unregister-false-positive.patch new file mode 100644 index 00000000000..923c7b5178e --- /dev/null +++ b/queue-6.1/rcu-eliminate-rcu_gp_slow_unregister-false-positive.patch @@ -0,0 +1,44 @@ +From d6aceb7a93200615a3bd9bbe156c224739ecc388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 08:53:58 -0700 +Subject: rcu: Eliminate rcu_gp_slow_unregister() false positive + +From: Paul E. McKenney + +[ Upstream commit 0ae9942f03d0d034fdb0a4f44fc99f62a3107987 ] + +When using rcutorture as a module, there are a number of conditions that +can abort the modprobe operation, for example, when attempting to run +both RCU CPU stall warning tests and forward-progress tests. This can +cause rcu_torture_cleanup() to be invoked on the unwind path out of +rcu_rcu_torture_init(), which will mean that rcu_gp_slow_unregister() +is invoked without a matching rcu_gp_slow_register(). This will cause +a splat because rcu_gp_slow_unregister() is passed rcu_fwd_cb_nodelay, +which does not match a NULL pointer. + +This commit therefore forgives a mismatch involving a NULL pointer, thus +avoiding this false-positive splat. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Frederic Weisbecker +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 86923a8914007..dd6e15ca63b0c 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -1336,7 +1336,7 @@ EXPORT_SYMBOL_GPL(rcu_gp_slow_register); + /* Unregister a counter, with NULL for not caring which. */ + void rcu_gp_slow_unregister(atomic_t *rgssp) + { +- WARN_ON_ONCE(rgssp && rgssp != rcu_gp_slow_suppress); ++ WARN_ON_ONCE(rgssp && rgssp != rcu_gp_slow_suppress && rcu_gp_slow_suppress != NULL); + + WRITE_ONCE(rcu_gp_slow_suppress, NULL); + } +-- +2.43.0 + diff --git a/queue-6.1/rdma-rtrs-fix-the-problem-of-variable-not-initialize.patch b/queue-6.1/rdma-rtrs-fix-the-problem-of-variable-not-initialize.patch new file mode 100644 index 00000000000..c3482d1e320 --- /dev/null +++ b/queue-6.1/rdma-rtrs-fix-the-problem-of-variable-not-initialize.patch @@ -0,0 +1,36 @@ +From 04a7b2a086e24cdb8b51901bef8948547776ae3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 10:08:06 +0800 +Subject: RDMA/rtrs: Fix the problem of variable not initialized fully + +From: Zhu Yanjun + +[ Upstream commit c5930a1aa08aafe6ffe15b5d28fe875f88f6ac86 ] + +No functionality change. The variable which is not initialized fully +will introduce potential risks. + +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20230919020806.534183-1-yanjun.zhu@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs.c b/drivers/infiniband/ulp/rtrs/rtrs.c +index 716ec7baddefd..d71b1d83e9ffb 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs.c +@@ -255,7 +255,7 @@ static int create_cq(struct rtrs_con *con, int cq_vector, int nr_cqe, + static int create_qp(struct rtrs_con *con, struct ib_pd *pd, + u32 max_send_wr, u32 max_recv_wr, u32 max_sge) + { +- struct ib_qp_init_attr init_attr = {NULL}; ++ struct ib_qp_init_attr init_attr = {}; + struct rdma_cm_id *cm_id = con->cm_id; + int ret; + +-- +2.43.0 + diff --git a/queue-6.1/rust-fix-the-default-format-for-config_-rustc-bindge.patch b/queue-6.1/rust-fix-the-default-format-for-config_-rustc-bindge.patch new file mode 100644 index 00000000000..84eaa91f5b9 --- /dev/null +++ b/queue-6.1/rust-fix-the-default-format-for-config_-rustc-bindge.patch @@ -0,0 +1,55 @@ +From f58002b26fcdbed776efec0e13829e9af9069ade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jul 2024 23:03:00 +0900 +Subject: rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT + +From: Masahiro Yamada + +[ Upstream commit aacf93e87f0d808ef46e621aa56caea336b4433c ] + +Another oddity in these config entries is their default value can fall +back to 'n', which is a value for bool or tristate symbols. + +The '|| echo n' is an incorrect workaround to avoid the syntax error. +This is not a big deal, as the entry is hidden by 'depends on RUST' in +situations where '$(RUSTC) --version' or '$(BINDGEN) --version' fails. +Anyway, it looks odd. + +The default of a string type symbol should be a double-quoted string +literal. Turn it into an empty string when the version command fails. + +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Signed-off-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20240727140302.1806011-2-masahiroy@kernel.org +[ Rebased on top of v6.11-rc1. - Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + init/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 85e8bf76aeccb..2825c8cfde3b5 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1942,7 +1942,7 @@ config RUST + config RUSTC_VERSION_TEXT + string + depends on RUST +- default $(shell,$(RUSTC) --version 2>/dev/null || echo n) ++ default "$(shell,$(RUSTC) --version 2>/dev/null)" + + config BINDGEN_VERSION_TEXT + string +@@ -1950,7 +1950,7 @@ config BINDGEN_VERSION_TEXT + # The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0 + # (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when + # the minimum version is upgraded past that (0.69.1 already fixed the issue). +- default $(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null || echo n) ++ default "$(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null)" + + # + # Place an empty function call at each tracepoint site. Can be +-- +2.43.0 + diff --git a/queue-6.1/rust-suppress-error-messages-from-config_-rustc-bind.patch b/queue-6.1/rust-suppress-error-messages-from-config_-rustc-bind.patch new file mode 100644 index 00000000000..ee4b2bc24b6 --- /dev/null +++ b/queue-6.1/rust-suppress-error-messages-from-config_-rustc-bind.patch @@ -0,0 +1,79 @@ +From 397f647ef65b36fa530811625bc2339b2c6281ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jul 2024 23:02:59 +0900 +Subject: rust: suppress error messages from + CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT + +From: Masahiro Yamada + +[ Upstream commit 5ce86c6c861352c9346ebb5c96ed70cb67414aa3 ] + +While this is a somewhat unusual case, I encountered odd error messages +when I ran Kconfig in a foreign architecture chroot. + + $ make allmodconfig + sh: 1: rustc: not found + sh: 1: bindgen: not found + # + # configuration written to .config + # + +The successful execution of 'command -v rustc' does not necessarily mean +that 'rustc --version' will succeed. + + $ sh -c 'command -v rustc' + /home/masahiro/.cargo/bin/rustc + $ sh -c 'rustc --version' + sh: 1: rustc: not found + +Here, 'rustc' is built for x86, and I ran it in an arm64 system. + +The current code: + + command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version || echo n + +can be turned into: + + command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version 2>/dev/null || echo n + +However, I did not understand the necessity of 'command -v $(RUSTC)'. + +I simplified it to: + + $(RUSTC) --version 2>/dev/null || echo n + +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Signed-off-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20240727140302.1806011-1-masahiroy@kernel.org +[ Rebased on top of v6.11-rc1. - Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + init/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 19de862768239..85e8bf76aeccb 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1942,7 +1942,7 @@ config RUST + config RUSTC_VERSION_TEXT + string + depends on RUST +- default $(shell,command -v $(RUSTC) >/dev/null 2>&1 && $(RUSTC) --version || echo n) ++ default $(shell,$(RUSTC) --version 2>/dev/null || echo n) + + config BINDGEN_VERSION_TEXT + string +@@ -1950,7 +1950,7 @@ config BINDGEN_VERSION_TEXT + # The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0 + # (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when + # the minimum version is upgraded past that (0.69.1 already fixed the issue). +- default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version workaround-for-0.69.0 || echo n) ++ default $(shell,$(BINDGEN) --version workaround-for-0.69.0 2>/dev/null || echo n) + + # + # Place an empty function call at each tracepoint site. Can be +-- +2.43.0 + diff --git a/queue-6.1/rust-work-around-bindgen-0.69.0-issue.patch b/queue-6.1/rust-work-around-bindgen-0.69.0-issue.patch new file mode 100644 index 00000000000..b00aa7d2dea --- /dev/null +++ b/queue-6.1/rust-work-around-bindgen-0.69.0-issue.patch @@ -0,0 +1,72 @@ +From bd06aba48f5926ff31787518194ebca4863907c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jul 2024 18:06:03 +0200 +Subject: rust: work around `bindgen` 0.69.0 issue + +From: Miguel Ojeda + +[ Upstream commit 9e98db17837093cb0f4dcfcc3524739d93249c45 ] + +`bindgen` 0.69.0 contains a bug: `--version` does not work without +providing a header [1]: + + error: the following required arguments were not provided: +
+ + Usage: bindgen
-- ... + +Thus, in preparation for supporting several `bindgen` versions, work +around the issue by passing a dummy argument. + +Include a comment so that we can remove the workaround in the future. + +Link: https://github.com/rust-lang/rust-bindgen/pull/2678 [1] +Reviewed-by: Finn Behrens +Tested-by: Benno Lossin +Tested-by: Andreas Hindborg +Link: https://lore.kernel.org/r/20240709160615.998336-9-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Stable-dep-of: 5ce86c6c8613 ("rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT") +Signed-off-by: Sasha Levin +--- + init/Kconfig | 5 ++++- + scripts/rust_is_available.sh | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 4cd3fc82b09e5..19de862768239 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1947,7 +1947,10 @@ config RUSTC_VERSION_TEXT + config BINDGEN_VERSION_TEXT + string + depends on RUST +- default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version || echo n) ++ # The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0 ++ # (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when ++ # the minimum version is upgraded past that (0.69.1 already fixed the issue). ++ default $(shell,command -v $(BINDGEN) >/dev/null 2>&1 && $(BINDGEN) --version workaround-for-0.69.0 || echo n) + + # + # Place an empty function call at each tracepoint site. Can be +diff --git a/scripts/rust_is_available.sh b/scripts/rust_is_available.sh +index 1c9081d9dbea7..141644c164636 100755 +--- a/scripts/rust_is_available.sh ++++ b/scripts/rust_is_available.sh +@@ -76,8 +76,12 @@ fi + # Check that the Rust bindings generator is suitable. + # + # Non-stable and distributions' versions may have a version suffix, e.g. `-dev`. ++# ++# The dummy parameter `workaround-for-0.69.0` is required to support 0.69.0 ++# (https://github.com/rust-lang/rust-bindgen/pull/2678). It can be removed when ++# the minimum version is upgraded past that (0.69.1 already fixed the issue). + rust_bindings_generator_output=$( \ +- LC_ALL=C "$BINDGEN" --version 2>/dev/null ++ LC_ALL=C "$BINDGEN" --version workaround-for-0.69.0 2>/dev/null + ) || rust_bindings_generator_code=$? + if [ -n "$rust_bindings_generator_code" ]; then + echo >&2 "***" +-- +2.43.0 + diff --git a/queue-6.1/s390-smp-mcck-fix-early-ipi-handling.patch b/queue-6.1/s390-smp-mcck-fix-early-ipi-handling.patch new file mode 100644 index 00000000000..9bf8f9e8915 --- /dev/null +++ b/queue-6.1/s390-smp-mcck-fix-early-ipi-handling.patch @@ -0,0 +1,84 @@ +From d59d8337c2101d4d5822ebf78c04a956fe17631f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 15:49:37 +0200 +Subject: s390/smp,mcck: fix early IPI handling + +From: Heiko Carstens + +[ Upstream commit 4a1725281fc5b0009944b1c0e1d2c1dc311a09ec ] + +Both the external call as well as the emergency signal submask bits in +control register 0 are set before any interrupt handler is registered. + +Change the order and first register the interrupt handler and only then +enable the interrupts by setting the corresponding bits in control +register 0. + +This prevents that the second part of the machine check handler for +early machine check handling is not executed: the machine check handler +sends an IPI to the CPU it runs on. If the corresponding interrupts are +enabled, but no interrupt handler is present, the interrupt is ignored. + +Reviewed-by: Sven Schnelle +Acked-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/early.c | 12 +++--------- + arch/s390/kernel/smp.c | 4 ++-- + 2 files changed, 5 insertions(+), 11 deletions(-) + +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c +index 9693c8630e73f..b3cb256ec6692 100644 +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -237,15 +237,9 @@ static inline void save_vector_registers(void) + #endif + } + +-static inline void setup_control_registers(void) ++static inline void setup_low_address_protection(void) + { +- unsigned long reg; +- +- __ctl_store(reg, 0, 0); +- reg |= CR0_LOW_ADDRESS_PROTECTION; +- reg |= CR0_EMERGENCY_SIGNAL_SUBMASK; +- reg |= CR0_EXTERNAL_CALL_SUBMASK; +- __ctl_load(reg, 0, 0); ++ __ctl_set_bit(0, 28); + } + + static inline void setup_access_registers(void) +@@ -304,7 +298,7 @@ void __init startup_init(void) + save_vector_registers(); + setup_topology(); + sclp_early_detect(); +- setup_control_registers(); ++ setup_low_address_protection(); + setup_access_registers(); + lockdep_on(); + } +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index 0031325ce4bc9..436dbf4d743d8 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -1007,12 +1007,12 @@ void __init smp_fill_possible_mask(void) + + void __init smp_prepare_cpus(unsigned int max_cpus) + { +- /* request the 0x1201 emergency signal external interrupt */ + if (register_external_irq(EXT_IRQ_EMERGENCY_SIG, do_ext_call_interrupt)) + panic("Couldn't request external interrupt 0x1201"); +- /* request the 0x1202 external call external interrupt */ ++ ctl_set_bit(0, 14); + if (register_external_irq(EXT_IRQ_EXTERNAL_CALL, do_ext_call_interrupt)) + panic("Couldn't request external interrupt 0x1202"); ++ ctl_set_bit(0, 13); + } + + void __init smp_prepare_boot_cpu(void) +-- +2.43.0 + diff --git a/queue-6.1/scsi-spi-fix-sshdr-use.patch b/queue-6.1/scsi-spi-fix-sshdr-use.patch new file mode 100644 index 00000000000..73d70281454 --- /dev/null +++ b/queue-6.1/scsi-spi-fix-sshdr-use.patch @@ -0,0 +1,45 @@ +From a8b6f97d5764507c2b48b101bf3410b04bf7d09b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 16:00:07 -0500 +Subject: scsi: spi: Fix sshdr use + +From: Mike Christie + +[ Upstream commit 0b149cee836aa53989ea089af1cb9d90d7c6ac9e ] + +If scsi_execute_cmd returns < 0, it doesn't initialize the sshdr, so we +shouldn't access the sshdr. If it returns 0, then the cmd executed +successfully, so there is no need to check the sshdr. This has us access +the sshdr when we get a return value > 0. + +Signed-off-by: Mike Christie +Link: https://lore.kernel.org/r/20231004210013.5601-7-michael.christie@oracle.com +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Reviewed-by: Martin Wilck +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c +index f569cf0095c28..a95a35635c333 100644 +--- a/drivers/scsi/scsi_transport_spi.c ++++ b/drivers/scsi/scsi_transport_spi.c +@@ -677,10 +677,10 @@ spi_dv_device_echo_buffer(struct scsi_device *sdev, u8 *buffer, + for (r = 0; r < retries; r++) { + result = spi_execute(sdev, spi_write_buffer, DMA_TO_DEVICE, + buffer, len, &sshdr); +- if(result || !scsi_device_online(sdev)) { ++ if (result || !scsi_device_online(sdev)) { + + scsi_device_set_state(sdev, SDEV_QUIESCE); +- if (scsi_sense_valid(&sshdr) ++ if (result > 0 && scsi_sense_valid(&sshdr) + && sshdr.sense_key == ILLEGAL_REQUEST + /* INVALID FIELD IN CDB */ + && sshdr.asc == 0x24 && sshdr.ascq == 0x00) +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index c7f52f1c458..6baebd935ff 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -109,3 +109,42 @@ net-hns3-fix-wrong-use-of-semaphore-up.patch net-hns3-use-the-user-s-cfg-after-reset.patch net-hns3-fix-a-deadlock-problem-when-config-tc-durin.patch alsa-hda-realtek-fix-noise-from-speakers-on-lenovo-i.patch +drm-amd-amdgpu-imu_v11_0-increase-buffer-size-to-ens.patch +ssb-fix-division-by-zero-issue-in-ssb_calc_clock_rat.patch +wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mut.patch +wifi-mac80211-fix-ba-session-teardown-race.patch +rcu-dump-memory-object-info-if-callback-function-is-.patch +rcu-eliminate-rcu_gp_slow_unregister-false-positive.patch +wifi-cw1200-avoid-processing-an-invalid-tim-ie.patch +cgroup-avoid-extra-dereference-in-css_populate_dir.patch +i2c-riic-avoid-potential-division-by-zero.patch +rdma-rtrs-fix-the-problem-of-variable-not-initialize.patch +s390-smp-mcck-fix-early-ipi-handling.patch +drm-bridge-tc358768-attempt-to-fix-dsi-horizontal-ti.patch +i3c-mipi-i3c-hci-remove-bug-when-ring-abort-request-.patch +i3c-mipi-i3c-hci-do-not-unmap-region-not-mapped-for-.patch +drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch +media-radio-isa-use-dev_name-to-fill-in-bus_info.patch +staging-iio-resolver-ad2s1210-fix-use-before-initial.patch +usb-gadget-uvc-cleanup-request-when-not-in-correct-s.patch +drm-amd-display-validate-hw_points_num-before-using-.patch +staging-ks7010-disable-bh-on-tx_dev_lock.patch +media-s5p-mfc-fix-potential-deadlock-on-condlock.patch +md-raid5-cache-use-read_once-write_once-for-conf-log.patch +binfmt_misc-cleanup-on-filesystem-umount.patch +drm-tegra-zero-initialize-iosys_map.patch +media-qcom-venus-fix-incorrect-return-value.patch +scsi-spi-fix-sshdr-use.patch +gfs2-setattr_chown-add-missing-initialization.patch +wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch +wifi-iwlwifi-fw-fix-debugfs-command-sending.patch +clk-visconti-add-bounds-checking-coverage-for-struct.patch +ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch +hwmon-ltc2992-avoid-division-by-zero.patch +kbuild-rust_is_available-normalize-version-matching.patch +kbuild-rust_is_available-handle-failures-calling-rus.patch +rust-work-around-bindgen-0.69.0-issue.patch +rust-suppress-error-messages-from-config_-rustc-bind.patch +rust-fix-the-default-format-for-config_-rustc-bindge.patch +arm64-fix-kasan-random-tag-seed-initialization.patch +block-fix-lockdep-warning-in-blk_mq_mark_tag_wait.patch diff --git a/queue-6.1/ssb-fix-division-by-zero-issue-in-ssb_calc_clock_rat.patch b/queue-6.1/ssb-fix-division-by-zero-issue-in-ssb_calc_clock_rat.patch new file mode 100644 index 00000000000..8487b9ad7a1 --- /dev/null +++ b/queue-6.1/ssb-fix-division-by-zero-issue-in-ssb_calc_clock_rat.patch @@ -0,0 +1,49 @@ +From 5e98d3950b434501cc331ace0a928558c9ee0953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 02:23:46 +0300 +Subject: ssb: Fix division by zero issue in ssb_calc_clock_rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rand Deeb + +[ Upstream commit e0b5127fa134fe0284d58877b6b3133939c8b3ce ] + +In ssb_calc_clock_rate(), there is a potential issue where the value of +m1 could be zero due to initialization using clkfactor_f6_resolv(). This +situation raised concerns about the possibility of a division by zero +error. + +We fixed it by following the suggestions provided by Larry Finger + and Michael Büsch . The fix +involves returning a value of 1 instead of 0 in clkfactor_f6_resolv(). +This modification ensures the proper functioning of the code and +eliminates the risk of division by zero errors. + +Signed-off-by: Rand Deeb +Acked-by: Larry Finger +Acked-by: Michael Büsch +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230904232346.34991-1-rand.sec96@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/ssb/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c +index 8a93c83cb6f80..d52e91258e989 100644 +--- a/drivers/ssb/main.c ++++ b/drivers/ssb/main.c +@@ -837,7 +837,7 @@ static u32 clkfactor_f6_resolve(u32 v) + case SSB_CHIPCO_CLK_F6_7: + return 7; + } +- return 0; ++ return 1; + } + + /* Calculate the speed the backplane would run at a given set of clockcontrol values */ +-- +2.43.0 + diff --git a/queue-6.1/staging-iio-resolver-ad2s1210-fix-use-before-initial.patch b/queue-6.1/staging-iio-resolver-ad2s1210-fix-use-before-initial.patch new file mode 100644 index 00000000000..9dfcb794e7e --- /dev/null +++ b/queue-6.1/staging-iio-resolver-ad2s1210-fix-use-before-initial.patch @@ -0,0 +1,49 @@ +From f746bdf0139c617436cc14b77bcf3ccd899c8879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 12:23:07 -0500 +Subject: staging: iio: resolver: ad2s1210: fix use before initialization + +From: David Lechner + +[ Upstream commit 7fe2d05cee46b1c4d9f1efaeab08cc31a0dfff60 ] + +This fixes a use before initialization in ad2s1210_probe(). The +ad2s1210_setup_gpios() function uses st->sdev but it was being called +before this field was initialized. + +Signed-off-by: David Lechner +Link: https://lore.kernel.org/r/20230929-ad2s1210-mainline-v3-2-fa4364281745@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/resolver/ad2s1210.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/iio/resolver/ad2s1210.c b/drivers/staging/iio/resolver/ad2s1210.c +index 636c45b128438..afe89c91c89ea 100644 +--- a/drivers/staging/iio/resolver/ad2s1210.c ++++ b/drivers/staging/iio/resolver/ad2s1210.c +@@ -657,9 +657,6 @@ static int ad2s1210_probe(struct spi_device *spi) + if (!indio_dev) + return -ENOMEM; + st = iio_priv(indio_dev); +- ret = ad2s1210_setup_gpios(st); +- if (ret < 0) +- return ret; + + spi_set_drvdata(spi, indio_dev); + +@@ -670,6 +667,10 @@ static int ad2s1210_probe(struct spi_device *spi) + st->resolution = 12; + st->fexcit = AD2S1210_DEF_EXCIT; + ++ ret = ad2s1210_setup_gpios(st); ++ if (ret < 0) ++ return ret; ++ + indio_dev->info = &ad2s1210_info; + indio_dev->modes = INDIO_DIRECT_MODE; + indio_dev->channels = ad2s1210_channels; +-- +2.43.0 + diff --git a/queue-6.1/staging-ks7010-disable-bh-on-tx_dev_lock.patch b/queue-6.1/staging-ks7010-disable-bh-on-tx_dev_lock.patch new file mode 100644 index 00000000000..bc6831bb680 --- /dev/null +++ b/queue-6.1/staging-ks7010-disable-bh-on-tx_dev_lock.patch @@ -0,0 +1,51 @@ +From 3e08678cb1e1cd0677df6183adb9540156ede733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 16:13:23 +0000 +Subject: staging: ks7010: disable bh on tx_dev_lock + +From: Chengfeng Ye + +[ Upstream commit 058cbee52ccd7be77e373d31a4f14670cfd32018 ] + +As &priv->tx_dev.tx_dev_lock is also acquired by xmit callback which +could be call from timer under softirq context, use spin_lock_bh() +on it to prevent potential deadlock. + +hostif_sme_work() +--> hostif_sme_set_pmksa() +--> hostif_mib_set_request() +--> ks_wlan_hw_tx() +--> spin_lock(&priv->tx_dev.tx_dev_lock) + +ks_wlan_start_xmit() +--> hostif_data_request() +--> ks_wlan_hw_tx() +--> spin_lock(&priv->tx_dev.tx_dev_lock) + +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230926161323.41928-1-dg573847474@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/ks7010/ks7010_sdio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/ks7010/ks7010_sdio.c b/drivers/staging/ks7010/ks7010_sdio.c +index 9fb118e77a1f0..f1d44e4955fc6 100644 +--- a/drivers/staging/ks7010/ks7010_sdio.c ++++ b/drivers/staging/ks7010/ks7010_sdio.c +@@ -395,9 +395,9 @@ int ks_wlan_hw_tx(struct ks_wlan_private *priv, void *p, unsigned long size, + priv->hostt.buff[priv->hostt.qtail] = le16_to_cpu(hdr->event); + priv->hostt.qtail = (priv->hostt.qtail + 1) % SME_EVENT_BUFF_SIZE; + +- spin_lock(&priv->tx_dev.tx_dev_lock); ++ spin_lock_bh(&priv->tx_dev.tx_dev_lock); + result = enqueue_txdev(priv, p, size, complete_handler, skb); +- spin_unlock(&priv->tx_dev.tx_dev_lock); ++ spin_unlock_bh(&priv->tx_dev.tx_dev_lock); + + if (txq_has_space(priv)) + queue_delayed_work(priv->wq, &priv->rw_dwork, 0); +-- +2.43.0 + diff --git a/queue-6.1/usb-gadget-uvc-cleanup-request-when-not-in-correct-s.patch b/queue-6.1/usb-gadget-uvc-cleanup-request-when-not-in-correct-s.patch new file mode 100644 index 00000000000..e5cf57261e4 --- /dev/null +++ b/queue-6.1/usb-gadget-uvc-cleanup-request-when-not-in-correct-s.patch @@ -0,0 +1,45 @@ +From 6f13e605cfa7ee922f8aab72ab1283c19c1d2d6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 16:05:29 +0200 +Subject: usb: gadget: uvc: cleanup request when not in correct state + +From: Michael Grzeschik + +[ Upstream commit 52a39f2cf62bb5430ad1f54cd522dbfdab1d71ba ] + +The uvc_video_enable function of the uvc-gadget driver is dequeing and +immediately deallocs all requests on its disable codepath. This is not +save since the dequeue function is async and does not ensure that the +requests are left unlinked in the controller driver. + +By adding the ep_free_request into the completion path of the requests +we ensure that the request will be properly deallocated. + +Signed-off-by: Michael Grzeschik +Link: https://lore.kernel.org/r/20230911140530.2995138-3-m.grzeschik@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/uvc_video.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c +index be48d5ab17c7b..95e3611811cd6 100644 +--- a/drivers/usb/gadget/function/uvc_video.c ++++ b/drivers/usb/gadget/function/uvc_video.c +@@ -259,6 +259,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) + struct uvc_device *uvc = video->uvc; + unsigned long flags; + ++ if (uvc->state == UVC_STATE_CONNECTED) { ++ usb_ep_free_request(video->ep, ureq->req); ++ ureq->req = NULL; ++ return; ++ } ++ + switch (req->status) { + case 0: + break; +-- +2.43.0 + diff --git a/queue-6.1/wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mut.patch b/queue-6.1/wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mut.patch new file mode 100644 index 00000000000..6015fbee370 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mut.patch @@ -0,0 +1,52 @@ +From 148519e67356fe138d8489104f75f74eb2fef320 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 13:59:56 +0200 +Subject: wifi: cfg80211: check wiphy mutex is held for wdev mutex + +From: Johannes Berg + +[ Upstream commit 1474bc87fe57deac726cc10203f73daa6c3212f7 ] + +This might seem pretty pointless rather than changing the locking +immediately, but it seems safer to run for a while with checks and +the old locking scheme, and then remove the wdev lock later. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/core.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/core.h b/net/wireless/core.h +index ee980965a7cfb..8118b8614ac68 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -228,6 +228,7 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev, + static inline void wdev_lock(struct wireless_dev *wdev) + __acquires(wdev) + { ++ lockdep_assert_held(&wdev->wiphy->mtx); + mutex_lock(&wdev->mtx); + __acquire(wdev->mtx); + } +@@ -235,11 +236,16 @@ static inline void wdev_lock(struct wireless_dev *wdev) + static inline void wdev_unlock(struct wireless_dev *wdev) + __releases(wdev) + { ++ lockdep_assert_held(&wdev->wiphy->mtx); + __release(wdev->mtx); + mutex_unlock(&wdev->mtx); + } + +-#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx) ++static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev) ++{ ++ lockdep_assert_held(&wdev->wiphy->mtx); ++ lockdep_assert_held(&wdev->mtx); ++} + + static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev) + { +-- +2.43.0 + diff --git a/queue-6.1/wifi-cw1200-avoid-processing-an-invalid-tim-ie.patch b/queue-6.1/wifi-cw1200-avoid-processing-an-invalid-tim-ie.patch new file mode 100644 index 00000000000..817b20faf94 --- /dev/null +++ b/queue-6.1/wifi-cw1200-avoid-processing-an-invalid-tim-ie.patch @@ -0,0 +1,39 @@ +From b611eaf8e06c8434cb63f706c665289ecc108707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 11:22:57 -0700 +Subject: wifi: cw1200: Avoid processing an invalid TIM IE + +From: Jeff Johnson + +[ Upstream commit b7bcea9c27b3d87b54075735c870500123582145 ] + +While converting struct ieee80211_tim_ie::virtual_map to be a flexible +array it was observed that the TIM IE processing in cw1200_rx_cb() +could potentially process a malformed IE in a manner that could result +in a buffer over-read. Add logic to verify that the TIM IE length is +large enough to hold a valid TIM payload before processing it. + +Signed-off-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230831-ieee80211_tim_ie-v3-1-e10ff584ab5d@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/txrx.c b/drivers/net/wireless/st/cw1200/txrx.c +index 6894b919ff94b..e16e9ae90d204 100644 +--- a/drivers/net/wireless/st/cw1200/txrx.c ++++ b/drivers/net/wireless/st/cw1200/txrx.c +@@ -1166,7 +1166,7 @@ void cw1200_rx_cb(struct cw1200_common *priv, + size_t ies_len = skb->len - (ies - (u8 *)(skb->data)); + + tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies, ies_len); +- if (tim_ie) { ++ if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) { + struct ieee80211_tim_ie *tim = + (struct ieee80211_tim_ie *)&tim_ie[2]; + +-- +2.43.0 + diff --git a/queue-6.1/wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch b/queue-6.1/wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch new file mode 100644 index 00000000000..9e1f176409a --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch @@ -0,0 +1,47 @@ +From da53533582e35c25028742201fe2b67dbd39efb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 12:36:28 +0300 +Subject: wifi: iwlwifi: abort scan when rfkill on but device enabled + +From: Miri Korenblit + +[ Upstream commit 3c6a0b1f0add72e7f522bc9145222b86d0a7712a ] + +In RFKILL we first set the RFKILL bit, then we abort scan +(if one exists) by waiting for the notification from FW +and notifying mac80211. And then we stop the device. +But in case we have a scan ongoing in the period of time between +rfkill on and before the device is stopped - we will not wait for the +FW notification because of the iwl_mvm_is_radio_killed() condition, +and then the scan_status and uid_status are misconfigured, +(scan_status is cleared but uid_status not) +and when the notification suddenly arrives (before stopping the device) +we will get into the assert about scan_status and uid_status mismatch. +Fix this by waiting for FW notif when rfkill is on but the device isn't +disabled yet. + +Signed-off-by: Miri Korenblit +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20231004123422.c43b69aa2c77.Icc7b5efb47974d6f499156ff7510b786e177993b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index 069bac72117fe..b58441c2af730 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -3226,7 +3226,7 @@ int iwl_mvm_scan_stop(struct iwl_mvm *mvm, int type, bool notify) + if (!(mvm->scan_status & type)) + return 0; + +- if (iwl_mvm_is_radio_killed(mvm)) { ++ if (!test_bit(STATUS_DEVICE_ENABLED, &mvm->trans->status)) { + ret = 0; + goto out; + } +-- +2.43.0 + diff --git a/queue-6.1/wifi-iwlwifi-fw-fix-debugfs-command-sending.patch b/queue-6.1/wifi-iwlwifi-fw-fix-debugfs-command-sending.patch new file mode 100644 index 00000000000..6e6538b9d51 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-fw-fix-debugfs-command-sending.patch @@ -0,0 +1,46 @@ +From 2a543287d04838f8f61965014d648e1f7770446f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 12:36:32 +0300 +Subject: wifi: iwlwifi: fw: Fix debugfs command sending + +From: Mukesh Sisodiya + +[ Upstream commit 048449fc666d736a1a17d950fde0b5c5c8fd10cc ] + +During debugfs command handling transport function is used directly, +this bypasses the locking used by runtime operation function +and leads to a kernel warning when two commands are +sent in parallel. + +Fix it by using runtime operations function when sending +debugfs command. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20231004123422.4f80ac90658a.Ia1dfa1195c919f3002fe08db3eefbd2bfa921bbf@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c +index 607e07ed2477c..7d4340c56628a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c +@@ -163,7 +163,11 @@ static int iwl_dbgfs_enabled_severities_write(struct iwl_fw_runtime *fwrt, + + event_cfg.enabled_severities = cpu_to_le32(enabled_severities); + +- ret = iwl_trans_send_cmd(fwrt->trans, &hcmd); ++ if (fwrt->ops && fwrt->ops->send_hcmd) ++ ret = fwrt->ops->send_hcmd(fwrt->ops_ctx, &hcmd); ++ else ++ ret = -EPERM; ++ + IWL_INFO(fwrt, + "sent host event cfg with enabled_severities: %u, ret: %d\n", + enabled_severities, ret); +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-fix-ba-session-teardown-race.patch b/queue-6.1/wifi-mac80211-fix-ba-session-teardown-race.patch new file mode 100644 index 00000000000..bbeb46875ed --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-ba-session-teardown-race.patch @@ -0,0 +1,113 @@ +From e25722460235cfe30d90850619709dcc198bd085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 20:16:11 +0200 +Subject: wifi: mac80211: fix BA session teardown race + +From: Johannes Berg + +[ Upstream commit 05f136220d17839eb7c155f015ace9152f603225 ] + +As previously reported by Alexander, whose commit 69403bad97aa +("wifi: mac80211: sdata can be NULL during AMPDU start") I'm +reverting as part of this commit, there's a race between station +destruction and aggregation setup, where the aggregation setup +can happen while the station is being removed and queue the work +after ieee80211_sta_tear_down_BA_sessions() has already run in +__sta_info_destroy_part1(), and thus the worker will run with a +now freed station. In his case, this manifested in a NULL sdata +pointer, but really there's no guarantee whatsoever. + +The real issue seems to be that it's possible at all to have a +situation where this occurs - we want to stop the BA sessions +when doing _part1, but we cannot be sure, and WLAN_STA_BLOCK_BA +isn't necessarily effective since we don't know that the setup +isn't concurrently running and already got past the check. + +Simply call ieee80211_sta_tear_down_BA_sessions() again in the +second part of station destruction, since at that point really +nothing else can hold a reference to the station any more. + +Also revert the sdata checks since those are just misleading at +this point. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/agg-tx.c | 6 +----- + net/mac80211/driver-ops.c | 3 --- + net/mac80211/sta_info.c | 14 ++++++++++++++ + 3 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c +index 85d2b9e4b51ce..e26a72f3a1042 100644 +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -491,7 +491,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) + { + struct tid_ampdu_tx *tid_tx; + struct ieee80211_local *local = sta->local; +- struct ieee80211_sub_if_data *sdata; ++ struct ieee80211_sub_if_data *sdata = sta->sdata; + struct ieee80211_ampdu_params params = { + .sta = &sta->sta, + .action = IEEE80211_AMPDU_TX_START, +@@ -519,7 +519,6 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) + */ + synchronize_net(); + +- sdata = sta->sdata; + params.ssn = sta->tid_seq[tid] >> 4; + ret = drv_ampdu_action(local, sdata, ¶ms); + tid_tx->ssn = params.ssn; +@@ -533,9 +532,6 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) + */ + set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state); + } else if (ret) { +- if (!sdata) +- return; +- + ht_dbg(sdata, + "BA request denied - HW unavailable for %pM tid %d\n", + sta->sta.addr, tid); +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index c08d3c9a4a177..5392ffa182704 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -391,9 +391,6 @@ int drv_ampdu_action(struct ieee80211_local *local, + + might_sleep(); + +- if (!sdata) +- return -EIO; +- + sdata = get_bss_sdata(sdata); + if (!check_sdata_in_driver(sdata)) + return -EIO; +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 91768abf2d75b..dd1864f6549f2 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1272,6 +1272,20 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + * after _part1 and before _part2! + */ + ++ /* ++ * There's a potential race in _part1 where we set WLAN_STA_BLOCK_BA ++ * but someone might have just gotten past a check, and not yet into ++ * queuing the work/creating the data/etc. ++ * ++ * Do another round of destruction so that the worker is certainly ++ * canceled before we later free the station. ++ * ++ * Since this is after synchronize_rcu()/synchronize_net() we're now ++ * certain that nobody can actually hold a reference to the STA and ++ * be calling e.g. ieee80211_start_tx_ba_session(). ++ */ ++ ieee80211_sta_tear_down_BA_sessions(sta, AGG_STOP_DESTROY_STA); ++ + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + +-- +2.43.0 +