From: Greg Kroah-Hartman Date: Mon, 24 Jun 2024 16:39:20 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v6.1.96~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=347918bbb729881c4de48b72ea362a276e5d3d6a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch btrfs-retry-block-group-reclaim-without-infinite-loop.patch cifs-fix-typo-in-module-parameter-enable_gcm_256.patch dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch drm-amd-display-remove-redundant-idle-optimization-check.patch drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch gcov-add-support-for-gcc-14.patch kcov-don-t-lose-track-of-remote-references-during-softirqs.patch kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch loongarch-fix-multiple-hardware-watchpoint-issues.patch loongarch-fix-watchpoint-setting-error.patch loongarch-trigger-user-space-watchpoints-correctly.patch net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch net-stmmac-assign-configured-channel-value-to-extts-event.patch net-tcp_ao-don-t-leak-ao_info-on-error-path.patch net-usb-ax88179_178a-improve-reset-check.patch 
ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch ovl-fix-encoding-fid-for-lower-only-root.patch rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch rdma-mlx5-remove-extra-unlock-on-error-path.patch rdma-rxe-fix-data-copy-for-ib_send_inline.patch scsi-core-introduce-the-blist_skip_io_hints-flag.patch scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch
---
diff --git a/queue-6.9/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch b/queue-6.9/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch
new file mode 100644
index 00000000000..2bdaa75d510
--- /dev/null
+++ b/queue-6.9/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch
@@ -0,0 +1,34 @@
+From ad22051afdad962b6012f3823d0ed1a735935386 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Ca=C3=B1o?=
+Date: Thu, 20 Jun 2024 17:25:33 +0200
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Caño
+
+commit ad22051afdad962b6012f3823d0ed1a735935386 upstream.
+
+Lenovo Yoga Pro 7 14AHP9 (PCI SSID 17aa:3891) seems requiring a similar workaround like Yoga 9 model and Yoga 7 Pro 14APH8 for the bass speaker.
+
+Cc:
+Link: https://lore.kernel.org/all/20231207182035.30248-1-tiwai@suse.de/
+Signed-off-by: Pablo Caño
+Link: https://patch.msgid.link/20240620152533.76712-1-pablocpascual@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10518,6 +10518,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x3882, "Lenovo Yoga Pro 7 14APH8", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3884, "Y780 YG DUAL", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3886, "Y780 VECO DUAL", ALC287_FIXUP_TAS2781_I2C),
++ SND_PCI_QUIRK(0x17aa, 0x3891, "Lenovo Yoga Pro 7 14AHP9", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38a7, "Y780P AMD YG dual", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x38a8, "Y780P AMD VECO dual", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
diff --git a/queue-6.9/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch b/queue-6.9/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch
new file mode 100644
index 00000000000..27d12fc7032
--- /dev/null
+++ b/queue-6.9/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch
@@ -0,0 +1,34 @@
+From ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a Mon Sep 17 00:00:00 2001
+From: Andy Chi
+Date: Wed, 5 Jun 2024 17:22:41 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11.
+
+From: Andy Chi
+
+commit ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a upstream.
+
+HP ProBook 445/465 G11 needs ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to
+make mic-mute/audio-mute working.
+
+Signed-off-by: Andy Chi
+Cc:
+Link: https://lore.kernel.org/r/20240605092243.41963-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10183,6 +10183,10 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8c7b, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7c, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7d, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7e, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8c89, "HP ProBook 460 G11", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c8a, "HP EliteBook 630", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c8c, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.9/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch b/queue-6.9/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch
new file mode 100644
index 00000000000..5acb19e7260
--- /dev/null
+++ b/queue-6.9/alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch
@@ -0,0 +1,31 @@
+From 86a433862912f52597263aa224a9ed82bcd533bf Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck
+Date: Wed, 5 Jun 2024 12:39:23 -0300
+Subject: ALSA: hda/realtek: Limit mic boost on N14AP7
+
+From: Edson Juliano Drosdeck
+
+commit 86a433862912f52597263aa224a9ed82bcd533bf upstream.
+
+The internal mic boost on the N14AP7 is too high. Fix this by applying the
+ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine to limit the gain.
+
+Signed-off-by: Edson Juliano Drosdeck
+Cc:
+Link: https://lore.kernel.org/r/20240605153923.2837-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10572,6 +10572,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
+ SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802),
+ SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X),
++ SND_PCI_QUIRK(0x1c6c, 0x122a, "Positivo N14AP7", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1c6c, 0x1251, "Positivo N14KP6-TG", ALC288_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS),
+ SND_PCI_QUIRK(0x1d05, 0x1096, "TongFang GMxMRxx", ALC269_FIXUP_NO_SHUTUP),
diff --git a/queue-6.9/ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch b/queue-6.9/ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch
new file mode 100644
index 00000000000..7d3d1fcbbd4
--- /dev/null
+++ b/queue-6.9/ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch
@@ -0,0 +1,72 @@
+From fa997b0576c9df635ee363406f5e014dba0f9264 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Tue, 18 Jun 2024 17:28:29 +0200
+Subject: ata: ahci: Do not enable LPM if no LPM states are supported by the HBA
+
+From: Niklas Cassel
+
+commit fa997b0576c9df635ee363406f5e014dba0f9264 upstream.
+
+LPM consists of HIPM (host initiated power management) and DIPM
+(device initiated power management).
+
+ata_eh_set_lpm() will only enable HIPM if both the HBA and the device
+supports it.
+
+However, DIPM will be enabled as long as the device supports it.
+The HBA will later reject the device's request to enter a power state
+that it does not support (Slumber/Partial/DevSleep) (DevSleep is never
+initiated by the device).
+
+For a HBA that doesn't support any LPM states, simply don't set a LPM
+policy such that all the HIPM/DIPM probing/enabling will be skipped.
+
+Not enabling HIPM or DIPM in the first place is safer than relying on
+the device following the AHCI specification and respecting the NAK.
+(There are comments in the code that some devices misbehave when
+receiving a NAK.)
+
+Performing this check in ahci_update_initial_lpm_policy() also has the
+advantage that a HBA that doesn't support any LPM states will take the
+exact same code paths as a port that is external/hot plug capable.
+
+Side note: the port in ata_port_dbg() has not been given a unique id yet,
+but this is not overly important as the debug print is disabled unless
+explicitly enabled using dynamic debug. A follow-up series will make sure
+that the unique id assignment will be done earlier. For now, the important
+thing is that the function returns before setting the LPM policy.
+
+Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mario Limonciello
+Reviewed-by: Mika Westerberg
+Reviewed-by: Damien Le Moal
+Link: https://lore.kernel.org/r/20240618152828.2686771-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/ahci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 07d66d2c5f0d..5eb38fbbbecd 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1735,6 +1735,14 @@ static void ahci_update_initial_lpm_policy(struct ata_port *ap)
+ if (ap->pflags & ATA_PFLAG_EXTERNAL)
+ return;
+
++ /* If no LPM states are supported by the HBA, do not bother with LPM */
++ if ((ap->host->flags & ATA_HOST_NO_PART) &&
++ (ap->host->flags & ATA_HOST_NO_SSC) &&
++ (ap->host->flags & ATA_HOST_NO_DEVSLP)) {
++ ata_port_dbg(ap, "no LPM states supported, not enabling LPM\n");
++ return;
++ }
++
+ /* user modified policy via module param */
+ if (mobile_lpm_policy != -1) {
+ policy = mobile_lpm_policy;
+--
+2.45.2
+
diff --git a/queue-6.9/btrfs-retry-block-group-reclaim-without-infinite-loop.patch b/queue-6.9/btrfs-retry-block-group-reclaim-without-infinite-loop.patch
new file mode 100644
index 00000000000..9a7a881b0cf
--- /dev/null
+++ b/queue-6.9/btrfs-retry-block-group-reclaim-without-infinite-loop.patch
@@ -0,0 +1,66 @@
+From 4eb4e85c4f818491efc67e9373aa16b123c3f522 Mon Sep 17 00:00:00 2001
+From: Boris Burkov
+Date: Fri, 7 Jun 2024 12:50:14 -0700
+Subject: btrfs: retry block group reclaim without infinite loop
+
+From: Boris Burkov
+
+commit 4eb4e85c4f818491efc67e9373aa16b123c3f522 upstream.
+
+If inc_block_group_ro systematically fails (e.g. due to ETXTBUSY from
+swap) or btrfs_relocate_chunk systematically fails (from lack of
+space), then this worker becomes an infinite loop.
+
+At the very least, this strands the cleaner thread, but can also result
+in hung tasks/RCU stalls on PREEMPT_NONE kernels and if the
+reclaim_bgs_lock mutex is not contended.
+
+I believe the best long term fix is to manage reclaim via work queue,
+where we queue up a relocation on the triggering condition and re-queue
+on failure. In the meantime, this is an easy fix to apply to avoid the
+immediate pain.
+
+Fixes: 7e2718099438 ("btrfs: reinsert BGs failed to reclaim")
+CC: stable@vger.kernel.org # 6.6+
+Signed-off-by: Boris Burkov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/block-group.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1785,6 +1785,7 @@ void btrfs_reclaim_bgs_work(struct work_
+ container_of(work, struct btrfs_fs_info, reclaim_bgs_work);
+ struct btrfs_block_group *bg;
+ struct btrfs_space_info *space_info;
++ LIST_HEAD(retry_list);
+
+ if (!test_bit(BTRFS_FS_OPEN, &fs_info->flags))
+ return;
+@@ -1921,8 +1922,11 @@ void btrfs_reclaim_bgs_work(struct work_
+ }
+
+ next:
+- if (ret)
+- btrfs_mark_bg_to_reclaim(bg);
++ if (ret) {
++ /* Refcount held by the reclaim_bgs list after splice. */
++ btrfs_get_block_group(bg);
++ list_add_tail(&bg->bg_list, &retry_list);
++ }
+ btrfs_put_block_group(bg);
+
+ mutex_unlock(&fs_info->reclaim_bgs_lock);
+@@ -1942,6 +1946,9 @@ next:
+ spin_unlock(&fs_info->unused_bgs_lock);
+ mutex_unlock(&fs_info->reclaim_bgs_lock);
+ end:
++ spin_lock(&fs_info->unused_bgs_lock);
++ list_splice_tail(&retry_list, &fs_info->reclaim_bgs);
++ spin_unlock(&fs_info->unused_bgs_lock);
+ btrfs_exclop_finish(fs_info);
+ sb_end_write(fs_info->sb);
+ }
diff --git a/queue-6.9/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch b/queue-6.9/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch
new file mode 100644
index 00000000000..61e560ed219
--- /dev/null
+++ b/queue-6.9/cifs-fix-typo-in-module-parameter-enable_gcm_256.patch
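Review bot: In the `next:` error path the block group is linked with `list_add_tail(&bg->bg_list, &retry_list)` without taking `fs_info->unused_bgs_lock` and without checking that `bg->bg_list` is currently unlinked, although the splice added at `end:` does take that lock. If another path can link the same `bg_list` node onto a list while this worker runs (not visible in these hunks), the unconditional add would corrupt both lists and take a reference that no list owns. Taking the lock and adding only when `list_empty(&bg->bg_list)` closes that window, assuming `unused_bgs_lock` is not already held at `next:`. The body of `btrfs_reclaim_bgs_work()` starts and ends outside the hunks shown.

```c
	if (ret) {
		/* Refcount held by the reclaim_bgs list after splice. */
		spin_lock(&fs_info->unused_bgs_lock);
		/* bg_list may have been linked elsewhere meanwhile; only add if it is free. */
		if (list_empty(&bg->bg_list)) {
			btrfs_get_block_group(bg);
			list_add_tail(&bg->bg_list, &retry_list);
		}
		spin_unlock(&fs_info->unused_bgs_lock);
	}
	/* … unchanged: btrfs_put_block_group() and mutex_unlock() … */
```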
@@ -0,0 +1,32 @@
+From 8bf0287528da1992c5e49d757b99ad6bbc34b522 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 19 Jun 2024 14:46:48 -0500
+Subject: cifs: fix typo in module parameter enable_gcm_256
+
+From: Steve French
+
+commit 8bf0287528da1992c5e49d757b99ad6bbc34b522 upstream.
+
+enable_gcm_256 (which allows the server to require the strongest
+encryption) is enabled by default, but the modinfo description
+incorrectly showed it disabled by default. Fix the typo.
+
+Cc: stable@vger.kernel.org
+Fixes: fee742b50289 ("smb3.1.1: enable negotiating stronger encryption by default")
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -134,7 +134,7 @@ module_param(enable_oplocks, bool, 0644)
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
diff --git a/queue-6.9/dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch b/queue-6.9/dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch
new file mode 100644
index 00000000000..e11076f09dd
--- /dev/null
+++ b/queue-6.9/dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch
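Review bot: The corrected description for `enable_gcm_256` ends in `Default: y/Y/0`, which still contradicts itself: `0` is the disabled value, and the neighbouring `enable_oplocks` text in the same hunk uses `Default: y/Y/1` for a parameter that is on by default. This string is what `modinfo` shows an administrator about an encryption setting, so it should match the real default: `MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1");`.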
@@ -0,0 +1,42 @@
+From 462237d2d93fc9e9221d1cf9f773954d27da83c0 Mon Sep 17 00:00:00 2001
+From: Louis Chauvet
+Date: Fri, 7 Jun 2024 10:34:38 +0200
+Subject: dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr()
+
+From: Louis Chauvet
+
+commit 462237d2d93fc9e9221d1cf9f773954d27da83c0 upstream.
+
+Requests the vchan lock before using xdma->stop_request.
+
+Fixes: 6a40fb824596 ("dmaengine: xilinx: xdma: Fix synchronization issue")
+Cc: stable@vger.kernel.org
+Signed-off-by: Louis Chauvet
+Link: https://lore.kernel.org/r/20240607-xdma-fixes-v2-1-0282319ce345@bootlin.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/xilinx/xdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index e143a7330816..718842fdaf98 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -885,11 +885,11 @@ static irqreturn_t xdma_channel_isr(int irq, void *dev_id)
+ u32 st;
+ bool repeat_tx;
+
++ spin_lock(&xchan->vchan.lock);
++
+ if (xchan->stop_requested)
+ complete(&xchan->last_interrupt);
+
+- spin_lock(&xchan->vchan.lock);
+-
+ /* get submitted request */
+ vd = vchan_next_desc(&xchan->vchan);
+ if (!vd)
+--
+2.45.2
+
diff --git a/queue-6.9/drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch b/queue-6.9/drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch
new file mode 100644
index 00000000000..baa6d8bfb66
--- /dev/null
+++ b/queue-6.9/drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch
@@ -0,0 +1,133 @@
+From c03d770c0b014a3007a5874bf6b3c3e64d32aaac Mon Sep 17 00:00:00 2001
+From: Michael Strauss
+Date: Tue, 7 May 2024 12:03:15 -0400
+Subject: drm/amd/display: Attempt to avoid empty TUs when endpoint is DPIA
+
+From: Michael Strauss
+
+commit c03d770c0b014a3007a5874bf6b3c3e64d32aaac upstream.
+
+[WHY]
+Empty SST TUs are illegal to transmit over a USB4 DP tunnel.
+Current policy is to configure stream encoder to pack 2 pixels per pclk
+even when ODM combine is not in use, allowing seamless dynamic ODM
+reconfiguration. However, in extreme edge cases where average pixel
+count per TU is less than 2, this can lead to unexpected empty TU
+generation during compliance testing. For example, VIC 1 with a 1xHBR3
+link configuration will average 1.98 pix/TU.
+
+[HOW]
+Calculate average pixel count per TU, and block 2 pixels per clock if
+endpoint is a DPIA tunnel and pixel clock is low enough that we will
+never require 2:1 ODM combine.
+
+Cc: stable@vger.kernel.org # 6.6+
+Reviewed-by: Wenjing Liu
+Acked-by: Hamza Mahfooz
+Signed-off-by: Michael Strauss
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 72 ++++++++++++++++
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h | 2
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 2
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
+@@ -1373,3 +1373,75 @@ void dcn35_set_static_screen_control(str
+ set_static_screen_control(pipe_ctx[i]->stream_res.tg,
+ triggers, params->num_frames);
+ }
++
++static bool should_avoid_empty_tu(struct pipe_ctx *pipe_ctx)
++{
++ /* Calculate average pixel count per TU, return false if under ~2.00 to
++ * avoid empty TUs. This is only required for DPIA tunneling as empty TUs
++ * are legal to generate for native DP links. Assume TU size 64 as there
++ * is currently no scenario where it's reprogrammed from HW default.
++ * MTPs have no such limitation, so this does not affect MST use cases.
++ */
++ unsigned int pix_clk_mhz;
++ unsigned int symclk_mhz;
++ unsigned int avg_pix_per_tu_x1000;
++ unsigned int tu_size_bytes = 64;
++ struct dc_crtc_timing *timing = &pipe_ctx->stream->timing;
++ struct dc_link_settings *link_settings = &pipe_ctx->link_config.dp_link_settings;
++ const struct dc *dc = pipe_ctx->stream->link->dc;
++
++ if (pipe_ctx->stream->link->ep_type != DISPLAY_ENDPOINT_USB4_DPIA)
++ return false;
++
++ // Not necessary for MST configurations
++ if (pipe_ctx->stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST)
++ return false;
++
++ pix_clk_mhz = timing->pix_clk_100hz / 10000;
++
++ // If this is true, can't block due to dynamic ODM
++ if (pix_clk_mhz > dc->clk_mgr->bw_params->clk_table.entries[0].dispclk_mhz)
++ return false;
++
++ switch (link_settings->link_rate) {
++ case LINK_RATE_LOW:
++ symclk_mhz = 162;
++ break;
++ case LINK_RATE_HIGH:
++ symclk_mhz = 270;
++ break;
++ case LINK_RATE_HIGH2:
++ symclk_mhz = 540;
++ break;
++ case LINK_RATE_HIGH3:
++ symclk_mhz = 810;
++ break;
++ default:
++ // We shouldn't be tunneling any other rates, something is wrong
++ ASSERT(0);
++ return false;
++ }
++
++ avg_pix_per_tu_x1000 = (1000 * pix_clk_mhz * tu_size_bytes)
++ / (symclk_mhz * link_settings->lane_count);
++
++ // Add small empirically-decided margin to account for potential jitter
++ return (avg_pix_per_tu_x1000 < 2020);
++}
++
++bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx)
++{
++ struct dc *dc = pipe_ctx->stream->ctx->dc;
++
++ if (!is_h_timing_divisible_by_2(pipe_ctx->stream))
++ return false;
++
++ if (should_avoid_empty_tu(pipe_ctx))
++ return false;
++
++ if (dc_is_dp_signal(pipe_ctx->stream->signal) && !dc->link_srv->dp_is_128b_132b_signal(pipe_ctx) &&
++ dc->debug.enable_dp_dig_pixel_rate_div_policy)
++ return true;
++
++ return false;
++}
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
+@@ -93,4 +93,6 @@ void dcn35_set_drr(struct pipe_ctx **pip
+ void dcn35_set_static_screen_control(struct pipe_ctx **pipe_ctx,
+ int num_pipes, const struct dc_static_screen_params *params);
+
++bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx);
++
+ #endif /* __DC_HWSS_DCN35_H__ */
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
+@@ -158,7 +158,7 @@ static const struct hwseq_private_funcs
+ .setup_hpo_hw_control = dcn35_setup_hpo_hw_control,
+ .calculate_dccg_k1_k2_values = dcn32_calculate_dccg_k1_k2_values,
+ .set_pixels_per_cycle = dcn32_set_pixels_per_cycle,
+- .is_dp_dig_pixel_rate_div_policy = dcn32_is_dp_dig_pixel_rate_div_policy,
++ .is_dp_dig_pixel_rate_div_policy = dcn35_is_dp_dig_pixel_rate_div_policy,
+ .dsc_pg_control = dcn35_dsc_pg_control,
+ .dsc_pg_status = dcn32_dsc_pg_status,
+ .enable_plane = dcn35_enable_plane,
diff --git a/queue-6.9/drm-amd-display-remove-redundant-idle-optimization-check.patch b/queue-6.9/drm-amd-display-remove-redundant-idle-optimization-check.patch
new file mode 100644
index 00000000000..dab6157a3d9
--- /dev/null
+++ b/queue-6.9/drm-amd-display-remove-redundant-idle-optimization-check.patch
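Review bot: `should_avoid_empty_tu()` divides by `symclk_mhz * link_settings->lane_count` after validating only `link_rate`, so a zero lane count reaching this path would be a division by zero in kernel context. The `default:` arm of the switch already treats an unexpected link rate as "something is wrong"; the lane count deserves the same guard before the division, for example `if (!link_settings->lane_count) return false;`. Whether `lane_count` can still be unset when this hook runs is not visible in the hunk, so this is a defensive check rather than a proven fault. The new function also mixes `//` and `/* */` comments; keeping to one style would match the block comment at its top.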
@@ -0,0 +1,40 @@
+From e2654a4453ba3dac9baacf9980d841d84e15b869 Mon Sep 17 00:00:00 2001
+From: Roman Li
+Date: Tue, 7 May 2024 16:26:08 -0400
+Subject: drm/amd/display: Remove redundant idle optimization check
+
+From: Roman Li
+
+commit e2654a4453ba3dac9baacf9980d841d84e15b869 upstream.
+
+[Why]
+Disable idle optimization for each atomic commit is unnecessary,
+and can lead to a potential race condition.
+
+[How]
+Remove idle optimization check from amdgpu_dm_atomic_commit_tail()
+
+Fixes: 196107eb1e15 ("drm/amd/display: Add IPS checks before dcn register access")
+Cc: stable@vger.kernel.org
+Reviewed-by: Hamza Mahfooz
+Acked-by: Roman Li
+Signed-off-by: Roman Li
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -9149,9 +9149,6 @@ static void amdgpu_dm_atomic_commit_tail
+
+ trace_amdgpu_dm_atomic_commit_tail_begin(state);
+
+- if (dm->dc->caps.ips_support && dm->dc->idle_optimizations_allowed)
+- dc_allow_idle_optimizations(dm->dc, false);
+-
+ drm_atomic_helper_update_legacy_modeset_state(dev, state);
+ drm_dp_mst_atomic_wait_for_dependencies(state);
+
diff --git a/queue-6.9/drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch b/queue-6.9/drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch
new file mode 100644
index 00000000000..4260cdc4271
--- /dev/null
+++ b/queue-6.9/drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch
@@ -0,0 +1,120 @@
+From 84801d4f1e4fbd2c44dddecaec9099bdff100a42 Mon Sep 17 00:00:00 2001
+From: Yunxiang Li
+Date: Thu, 23 May 2024 07:48:19 -0400
+Subject: drm/amdgpu: fix locking scope when flushing tlb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yunxiang Li
+
+commit 84801d4f1e4fbd2c44dddecaec9099bdff100a42 upstream.
+
+Which method is used to flush tlb does not depend on whether a reset is
+in progress or not. We should skip flush altogether if the GPU will get
+reset. So put both path under reset_domain read lock.
+
+Signed-off-by: Yunxiang Li
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+CC: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 70 ++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 34 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+@@ -684,12 +684,17 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struc
+ struct amdgpu_ring *ring = &adev->gfx.kiq[inst].ring;
+ struct amdgpu_kiq *kiq = &adev->gfx.kiq[inst];
+ unsigned int ndw;
+- signed long r;
++ int r;
+ uint32_t seq;
+
+- if (!adev->gmc.flush_pasid_uses_kiq || !ring->sched.ready ||
+- !down_read_trylock(&adev->reset_domain->sem)) {
++ /*
++ * A GPU reset should flush all TLBs anyway, so no need to do
++ * this while one is ongoing.
++ */
++ if (!down_read_trylock(&adev->reset_domain->sem))
++ return 0;
+
++ if (!adev->gmc.flush_pasid_uses_kiq || !ring->sched.ready) {
+ if (adev->gmc.flush_tlb_needs_extra_type_2)
+ adev->gmc.gmc_funcs->flush_gpu_tlb_pasid(adev, pasid,
+ 2, all_hub,
+@@ -703,43 +708,40 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struc
+ adev->gmc.gmc_funcs->flush_gpu_tlb_pasid(adev, pasid,
+ flush_type, all_hub,
+ inst);
+- return 0;
+- }
++ r = 0;
++ } else {
++ /* 2 dwords flush + 8 dwords fence */
++ ndw = kiq->pmf->invalidate_tlbs_size + 8;
+
+- /* 2 dwords flush + 8 dwords fence */
+- ndw = kiq->pmf->invalidate_tlbs_size + 8;
++ if (adev->gmc.flush_tlb_needs_extra_type_2)
++ ndw += kiq->pmf->invalidate_tlbs_size;
+
+- if (adev->gmc.flush_tlb_needs_extra_type_2)
+- ndw += kiq->pmf->invalidate_tlbs_size;
++ if (adev->gmc.flush_tlb_needs_extra_type_0)
++ ndw += kiq->pmf->invalidate_tlbs_size;
+
+- if (adev->gmc.flush_tlb_needs_extra_type_0)
+- ndw += kiq->pmf->invalidate_tlbs_size;
++ spin_lock(&adev->gfx.kiq[inst].ring_lock);
++ amdgpu_ring_alloc(ring, ndw);
++ if (adev->gmc.flush_tlb_needs_extra_type_2)
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 2, all_hub);
+
+- spin_lock(&adev->gfx.kiq[inst].ring_lock);
+- amdgpu_ring_alloc(ring, ndw);
+- if (adev->gmc.flush_tlb_needs_extra_type_2)
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 2, all_hub);
+-
+- if (flush_type == 2 && adev->gmc.flush_tlb_needs_extra_type_0)
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 0, all_hub);
+-
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, flush_type, all_hub);
+- r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
+- if (r) {
+- amdgpu_ring_undo(ring);
+- spin_unlock(&adev->gfx.kiq[inst].ring_lock);
+- goto error_unlock_reset;
+- }
++ if (flush_type == 2 && adev->gmc.flush_tlb_needs_extra_type_0)
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 0, all_hub);
+
+- amdgpu_ring_commit(ring);
+- spin_unlock(&adev->gfx.kiq[inst].ring_lock);
+- r = amdgpu_fence_wait_polling(ring, seq, usec_timeout);
+- if (r < 1) {
+- dev_err(adev->dev, "wait for kiq fence error: %ld.\n", r);
+- r = -ETIME;
+- goto error_unlock_reset;
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, flush_type, all_hub);
++ r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
++ if (r) {
++ amdgpu_ring_undo(ring);
++ spin_unlock(&adev->gfx.kiq[inst].ring_lock);
++ goto error_unlock_reset;
++ }
++
++ amdgpu_ring_commit(ring);
++ spin_unlock(&adev->gfx.kiq[inst].ring_lock);
++ if (amdgpu_fence_wait_polling(ring, seq, usec_timeout) < 1) {
++ dev_err(adev->dev, "timeout waiting for kiq fence\n");
++ r = -ETIME;
++ }
+ }
+- r = 0;
+
+ error_unlock_reset:
+ up_read(&adev->reset_domain->sem);
diff --git a/queue-6.9/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch b/queue-6.9/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch
new file mode 100644
index 00000000000..c74dc2ef616
--- /dev/null
+++ b/queue-6.9/drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch
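Review bot: In the KIQ branch `amdgpu_ring_alloc(ring, ndw);` is still called without looking at its result, and the `kiq_invalidate_tlbs()` packets are emitted straight after it. Since the rewrite already sends every failure through `error_unlock_reset`, a failed allocation could be handled like a failed `amdgpu_fence_emit_polling()`: `r = amdgpu_ring_alloc(ring, ndw);`, then release `ring_lock` and `goto error_unlock_reset` when `r` is non-zero (assuming the helper reports failure through its return value). The new comment could also say that returning 0 when `down_read_trylock()` fails means a caller cannot tell a skipped flush from a completed one.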
@@ -0,0 +1,31 @@
+From f0d576f840153392d04b2d52cf3adab8f62e8cb6 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Mon, 20 May 2024 09:05:21 -0400
+Subject: drm/amdgpu: fix UBSAN warning in kv_dpm.c
+
+From: Alex Deucher
+
+commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 upstream.
+
+Adds bounds check for sumo_vid_mapping_entry.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c
++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c
+@@ -164,6 +164,8 @@ static void sumo_construct_vid_mapping_t
+
+ for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
+ if (table[i].ulSupportedSCLK != 0) {
+ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
+ continue;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
+ table[i].usVoltageID;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
diff --git a/queue-6.9/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch b/queue-6.9/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch
new file mode 100644
index 00000000000..8c5548cbe98
--- /dev/null
+++ b/queue-6.9/drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch
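Review bot: The new `continue` drops an entry whose `usVoltageIndex` is out of range without any trace, and nothing beside the check records why it exists. A one-line comment such as `/* skip entries whose index would fall outside entries[] */` would document the guard for the next reader; where `table` comes from and how `entries[]` is sized are outside the hunk, so the wording should be confirmed against the declarations. The identical check added to `sumo_construct_vid_mapping_table()` in the radeon patch (drivers/gpu/drm/radeon/sumo_dpm.c) would take the same comment. Both loop bodies continue past the end of their hunks.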
@@ -0,0 +1,44 @@
+From 49cc17967be95d64606d5684416ee51eec35e84a Mon Sep 17 00:00:00 2001
+From: Jani Nikula
+Date: Fri, 14 Jun 2024 17:23:11 +0300
+Subject: drm/i915/mso: using joiner is not possible with eDP MSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula
+
+commit 49cc17967be95d64606d5684416ee51eec35e84a upstream.
+
+It's not possible to use the joiner at the same time with eDP MSO. When
+a panel needs MSO, it's not optional, so MSO trumps joiner.
+
+v3: Only change intel_dp_has_joiner(), leave debugfs alone (Ville)
+
+Fixes: bc71194e8897 ("drm/i915/edp: enable eDP MSO during link training")
+Cc: # v5.13+
+Cc: Ville Syrjala
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1668
+Reviewed-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20240614142311.589089-1-jani.nikula@intel.com
+Signed-off-by: Jani Nikula
+(cherry picked from commit 8b5a92ca24eb96bb71e2a55e352687487d87687f)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -431,6 +431,10 @@ bool intel_dp_can_bigjoiner(struct intel
+ struct intel_encoder *encoder = &intel_dig_port->base;
+ struct drm_i915_private *dev_priv = to_i915(encoder->base.dev);
+
++ /* eDP MSO is not compatible with joiner */
++ if (intel_dp->mso_link_count)
++ return false;
++
+ return DISPLAY_VER(dev_priv) >= 12 ||
+ (DISPLAY_VER(dev_priv) == 11 &&
+ encoder->port != PORT_A);
diff --git a/queue-6.9/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch b/queue-6.9/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch
new file mode 100644
index 00000000000..46182839c7e
--- /dev/null
+++ b/queue-6.9/drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch
@@ -0,0 +1,30 @@
+From a498df5421fd737d11bfd152428ba6b1c8538321 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Mon, 20 May 2024 09:11:45 -0400
+Subject: drm/radeon: fix UBSAN warning in kv_dpm.c
+
+From: Alex Deucher
+
+commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream.
+
+Adds bounds check for sumo_vid_mapping_entry.
+
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/radeon/sumo_dpm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/sumo_dpm.c
++++ b/drivers/gpu/drm/radeon/sumo_dpm.c
+@@ -1619,6 +1619,8 @@ void sumo_construct_vid_mapping_table(st
+
+ for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
+ if (table[i].ulSupportedSCLK != 0) {
++ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
++ continue;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
+ table[i].usVoltageID;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
diff --git a/queue-6.9/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch b/queue-6.9/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch
new file mode 100644
index 00000000000..157a5e1d721
--- /dev/null
+++ b/queue-6.9/dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch
@@ -0,0 +1,37 @@
+From 1345a13f18370ad9e5bc98995959a27f9bd71464 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Tue, 21 May 2024 10:30:02 +0200
+Subject: dt-bindings: dma: fsl-edma: fix dma-channels constraints
+
+From: Krzysztof Kozlowski
+
+commit 1345a13f18370ad9e5bc98995959a27f9bd71464 upstream.
+
+dma-channels is a number, not a list. Apply proper constraints on the
+actual number.
+
+Fixes: 6eb439dff645 ("dt-bindings: fsl-dma: fsl-edma: add edma3 compatible string")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Peng Fan
+Acked-by: Rob Herring (Arm)
+Link: https://lore.kernel.org/r/20240521083002.23262-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/dma/fsl,edma.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/dma/fsl,edma.yaml
++++ b/Documentation/devicetree/bindings/dma/fsl,edma.yaml
+@@ -48,8 +48,8 @@ properties:
+ - 3
+
+ dma-channels:
+- minItems: 1
+- maxItems: 64
++ minimum: 1
++ maximum: 64
+
+ clocks:
+ minItems: 1
diff --git a/queue-6.9/gcov-add-support-for-gcc-14.patch b/queue-6.9/gcov-add-support-for-gcc-14.patch
new file mode 100644
index 00000000000..c79dac8534c
--- /dev/null
+++ b/queue-6.9/gcov-add-support-for-gcc-14.patch
@@ -0,0 +1,40 @@
+From c1558bc57b8e5b4da5d821537cd30e2e660861d8 Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter
+Date: Mon, 10 Jun 2024 11:27:43 +0200
+Subject: gcov: add support for GCC 14
+
+From: Peter Oberparleiter
+
+commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
+
+Using gcov on kernels compiled with GCC 14 results in truncated 16-byte
+long .gcda files with no usable data. To fix this, update GCOV_COUNTERS
+to match the value defined by GCC 14.
+
+Tested with GCC versions 14.1.0 and 13.2.0.
+
+Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com
+Signed-off-by: Peter Oberparleiter
+Reported-by: Allison Henderson
+Reported-by: Chuck Lever III
+Tested-by: Chuck Lever
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/gcov/gcc_4_7.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/gcov/gcc_4_7.c
++++ b/kernel/gcov/gcc_4_7.c
+@@ -18,7 +18,9 @@
+ #include
+ #include "gcov.h"
+
+-#if (__GNUC__ >= 10)
++#if (__GNUC__ >= 14)
++#define GCOV_COUNTERS 9
++#elif (__GNUC__ >= 10)
+ #define GCOV_COUNTERS 8
+ #elif (__GNUC__ >= 7)
+ #define GCOV_COUNTERS 9
diff --git a/queue-6.9/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch b/queue-6.9/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch
new file mode 100644
index 00000000000..d84549efc1f
--- /dev/null
+++ b/queue-6.9/kcov-don-t-lose-track-of-remote-references-during-softirqs.patch
@@ -0,0 +1,79 @@
+From 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c Mon Sep 17 00:00:00 2001
+From: Aleksandr Nogikh
+Date: Tue, 11 Jun 2024 15:32:29 +0200
+Subject: kcov: don't lose track of remote references during softirqs
+
+From: Aleksandr Nogikh
+
+commit 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c upstream.
+
+In kcov_remote_start()/kcov_remote_stop(), we swap the previous KCOV
+metadata of the current task into a per-CPU variable. However, the
+kcov_mode_enabled(mode) check is not sufficient in the case of remote KCOV
+coverage: current->kcov_mode always remains KCOV_MODE_DISABLED for remote
+KCOV objects.
+
+If the original task that has invoked the KCOV_REMOTE_ENABLE ioctl happens
+to get interrupted and kcov_remote_start() is called, it ultimately leads
+to kcov_remote_stop() NOT restoring the original KCOV reference. So when
+the task exits, all registered remote KCOV handles remain active forever.
+
+The most uncomfortable effect (at least for syzkaller) is that the bug
+prevents the reuse of the same /sys/kernel/debug/kcov descriptor. If
+we obtain it in the parent process and then e.g. drop some
+capabilities and continuously fork to execute individual programs, at
+some point current->kcov of the forked process is lost,
+kcov_task_exit() takes no action, and all KCOV_REMOTE_ENABLE ioctls
+calls from subsequent forks fail.
+
+And, yes, the efficiency is also affected if we keep on losing remote
+kcov objects.
+a) kcov_remote_map keeps on growing forever.
+b) (If I'm not mistaken), we're also not freeing the memory referenced
+by kcov->area.
+
+Fix it by introducing a special kcov_mode that is assigned to the task
+that owns a KCOV remote object. It makes kcov_mode_enabled() return true
+and yet does not trigger coverage collection in __sanitizer_cov_trace_pc()
+and write_comp_data().
+
+[nogikh@google.com: replace WRITE_ONCE() with an ordinary assignment]
+ Link: https://lkml.kernel.org/r/20240614171221.2837584-1-nogikh@google.com
+Link: https://lkml.kernel.org/r/20240611133229.527822-1-nogikh@google.com
+Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts")
+Signed-off-by: Aleksandr Nogikh
+Reviewed-by: Dmitry Vyukov
+Reviewed-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Cc: Alexander Potapenko
+Cc: Arnd Bergmann
+Cc: Marco Elver
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/kcov.h | 2 ++
+ kernel/kcov.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/include/linux/kcov.h
++++ b/include/linux/kcov.h
+@@ -21,6 +21,8 @@ enum kcov_mode {
+ KCOV_MODE_TRACE_PC = 2,
+ /* Collecting comparison operands mode. */
+ KCOV_MODE_TRACE_CMP = 3,
++ /* The process owns a KCOV remote reference. */
++ KCOV_MODE_REMOTE = 4,
+ };
+
+ #define KCOV_IN_CTXSW (1 << 30)
+--- a/kernel/kcov.c
++++ b/kernel/kcov.c
+@@ -631,6 +631,7 @@ static int kcov_ioctl_locked(struct kcov
+ return -EINVAL;
+ kcov->mode = mode;
+ t->kcov = kcov;
++ t->kcov_mode = KCOV_MODE_REMOTE;
+ kcov->t = t;
+ kcov->remote = true;
+ kcov->remote_size = remote_arg->area_size;
diff --git a/queue-6.9/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch b/queue-6.9/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch
new file mode 100644
index 00000000000..2430a039378
--- /dev/null
+++ b/queue-6.9/kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch
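Review bot: The comment on `KCOV_MODE_REMOTE` in include/linux/kcov.h says only that the process owns a remote reference, while the property the fix depends on is stated in the commit message alone: the mode counts as enabled but must not start coverage collection. Putting that next to the value, for example `/* The task owns a KCOV remote reference: treated as enabled, but no coverage is collected in this mode. */`, tells the next person who adds a mode or a check on `kcov_mode` which invariant to keep. The store `t->kcov_mode = KCOV_MODE_REMOTE;` in kcov_ioctl_locked() is a plain assignment by design according to the message; where the field is reset when the owner exits is outside these hunks and worth confirming against the leak described above.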
@@ -0,0 +1,79 @@
+From 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Wed, 5 Jun 2024 18:56:37 +0100
+Subject: KVM: arm64: Disassociate vcpus from redistributor region on teardown
+
+From: Marc Zyngier
+
+commit 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 upstream.
+
+When tearing down a redistributor region, make sure we don't have
+any dangling pointer to that region stored in a vcpu.
+
+Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()")
+Reported-by: Alexander Potapenko
+Reviewed-by: Oliver Upton
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20240605175637.1635653-1-maz@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/vgic/vgic-init.c | 2 +-
+ arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +++++++++++++--
+ arch/arm64/kvm/vgic/vgic.h | 2 +-
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/kvm/vgic/vgic-init.c
++++ b/arch/arm64/kvm/vgic/vgic-init.c
+@@ -355,7 +355,7 @@ static void kvm_vgic_dist_destroy(struct
+
+ if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) {
+ list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list)
+- vgic_v3_free_redist_region(rdreg);
++ vgic_v3_free_redist_region(kvm, rdreg);
+ INIT_LIST_HEAD(&dist->rd_regions);
+ } else {
+ dist->vgic_cpu_base = VGIC_ADDR_UNDEF;
+--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+@@ -919,8 +919,19 @@ free:
+ return ret;
+ }
+
+-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg)
++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg)
+ {
++ struct kvm_vcpu *vcpu;
++ unsigned long c;
++
++ lockdep_assert_held(&kvm->arch.config_lock);
++
++ /* Garbage collect the region */
++ kvm_for_each_vcpu(c, vcpu, kvm) {
++ if (vcpu->arch.vgic_cpu.rdreg == rdreg)
++ vcpu->arch.vgic_cpu.rdreg = NULL;
++ }
++
+ list_del(&rdreg->list);
+ kfree(rdreg);
+ }
+@@ -945,7 +956,7 @@ int vgic_v3_set_redist_base(struct kvm *
+
+ mutex_lock(&kvm->arch.config_lock);
+ rdreg = vgic_v3_rdist_region_from_index(kvm, index);
+- vgic_v3_free_redist_region(rdreg);
++ vgic_v3_free_redist_region(kvm, rdreg);
+ mutex_unlock(&kvm->arch.config_lock);
+ return ret;
+ }
+--- a/arch/arm64/kvm/vgic/vgic.h
++++ b/arch/arm64/kvm/vgic/vgic.h
+@@ -317,7 +317,7 @@ vgic_v3_rd_region_size(struct kvm *kvm,
+
+ struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm,
+ u32 index);
+-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg);
++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg);
+
+ bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size);
+
diff --git a/queue-6.9/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch b/queue-6.9/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch
new file mode 100644
index 00000000000..85aba03e1f5
--- /dev/null
+++ b/queue-6.9/kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch
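Review bot: vgic_v3_free_redist_region() now asserts `kvm->arch.config_lock`, but only the vgic_v3_set_redist_base() caller visibly takes that mutex; the kvm_vgic_dist_destroy() hunk shows the call under `list_for_each_entry_safe` with no locking in view. It is worth confirming that the destroy path holds the lock, because `lockdep_assert_held` reports only on lockdep-enabled builds and the vcpu walk otherwise runs unprotected. The comment `/* Garbage collect the region */` does not say what the loop guards against; `/* Clear every vcpu's pointer to this region so none dangles after kfree() */` states it. Code that reads `vcpu->arch.vgic_cpu.rdreg` elsewhere now has to tolerate NULL after teardown, which cannot be checked from these hunks, and both callers' bodies continue outside them.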
@@ -0,0 +1,96 @@
+From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001
+From: Breno Leitao
+Date: Fri, 10 May 2024 02:23:52 -0700
+Subject: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
+
+From: Breno Leitao
+
+commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream.
+
+Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
+loads and stores are atomic. In the extremely unlikely scenario the
+compiler tears the stores, it's theoretically possible for KVM to attempt
+to get a vCPU using an out-of-bounds index, e.g. if the write is split
+into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
+257 vCPUs:
+
+ CPU0 CPU1
+ last_boosted_vcpu = 0xff;
+
+ (last_boosted_vcpu = 0x100)
+ last_boosted_vcpu[15:8] = 0x01;
+ i = (last_boosted_vcpu = 0x1ff)
+ last_boosted_vcpu[7:0] = 0x00;
+
+ vcpu = kvm->vcpu_array[0x1ff];
+
+As detected by KCSAN:
+
+ BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
+
+ write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
+ kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
+ handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
+ vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
+ arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
+ vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
+ kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
+ kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
+ __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
+ __x64_sys_ioctl (fs/ioctl.c:890)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
+ kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
+ handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
+ vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
+ arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
+ vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
+ kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
+ kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
+ __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
+ __x64_sys_ioctl (fs/ioctl.c:890)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ value changed: 0x00000012 -> 0x00000000
+
+Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin")
+Cc: stable@vger.kernel.org
+Signed-off-by: Breno Leitao
+Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org
+Signed-off-by: Sean Christopherson
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/kvm_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4067,12 +4067,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+ {
+ struct kvm *kvm = me->kvm;
+ struct kvm_vcpu *vcpu;
+- int last_boosted_vcpu = me->kvm->last_boosted_vcpu;
++ int last_boosted_vcpu;
+ unsigned long i;
+ int yielded = 0;
+ int try = 3;
+ int pass;
+
++ last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu);
+ kvm_vcpu_set_in_spin_loop(me, true);
+ /*
+ * We boost the priority of a VCPU that is runnable but not
+@@ -4110,7 +4111,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+
+ yielded = kvm_vcpu_yield_to(vcpu);
+ if (yielded > 0) {
+- kvm->last_boosted_vcpu = i;
++ WRITE_ONCE(kvm->last_boosted_vcpu, i);
+ break;
+ } else if (yielded < 0) {
+ try--;
diff --git a/queue-6.9/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch b/queue-6.9/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch
new file mode 100644
index 00000000000..2048167ec5d
--- /dev/null
+++ b/queue-6.9/kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch
@@ -0,0 +1,59 @@
+From f3ced000a2df53f4b12849e121769045a81a3b22 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Mon, 10 Jun 2024 18:48:45 -0700
+Subject: KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes
+
+From: Sean Christopherson
+
+commit f3ced000a2df53f4b12849e121769045a81a3b22 upstream.
+
+Sync pending posted interrupts to the IRR prior to re-scanning I/O APIC
+routes, irrespective of whether the I/O APIC is emulated by userspace or
+by KVM. If a level-triggered interrupt routed through the I/O APIC is
+pending or in-service for a vCPU, KVM needs to intercept EOIs on said
+vCPU even if the vCPU isn't the destination for the new routing, e.g. if
+servicing an interrupt using the old routing races with I/O APIC
+reconfiguration.
+
+Commit fceb3a36c29a ("KVM: x86: ioapic: Fix level-triggered EOI and
+userspace I/OAPIC reconfigure race") fixed the common cases, but
+kvm_apic_pending_eoi() only checks if an interrupt is in the local
+APIC's IRR or ISR, i.e. misses the uncommon case where an interrupt is
+pending in the PIR.
+
+Failure to intercept EOI can manifest as guest hangs with Windows 11 if
+the guest uses the RTC as its timekeeping source, e.g. if the VMM doesn't
+expose a more modern form of time to the guest.
+
+Cc: stable@vger.kernel.org
+Cc: Adamos Ttofari
+Cc: Raghavendra Rao Ananta
+Reviewed-by: Jim Mattson
+Signed-off-by: Sean Christopherson
+Message-ID: <20240611014845.82795-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -10677,13 +10677,12 @@ static void vcpu_scan_ioapic(struct kvm_
+
+ bitmap_zero(vcpu->arch.ioapic_handled_vectors, 256);
+
++ static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
++
+ if (irqchip_split(vcpu->kvm))
+ kvm_scan_ioapic_routes(vcpu, vcpu->arch.ioapic_handled_vectors);
+- else {
+- static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
+- if (ioapic_in_kernel(vcpu->kvm))
+- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+- }
++ else if (ioapic_in_kernel(vcpu->kvm))
++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+
+ if (is_guest_mode(vcpu))
+ vcpu->arch.load_eoi_exitmap_pending = true;
diff --git a/queue-6.9/loongarch-fix-multiple-hardware-watchpoint-issues.patch b/queue-6.9/loongarch-fix-multiple-hardware-watchpoint-issues.patch
new file mode 100644
index 00000000000..160df6e5f33
--- /dev/null
+++ b/queue-6.9/loongarch-fix-multiple-hardware-watchpoint-issues.patch
@@ -0,0 +1,197 @@
+From 3eb2a8b23598e90fda43abb0f23cb267bd5018ba Mon Sep 17 00:00:00 2001
+From: Hui Li
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Fix multiple hardware watchpoint issues
+
+From: Hui Li
+
+commit 3eb2a8b23598e90fda43abb0f23cb267bd5018ba upstream.
+
+In the current code, if multiple hardware breakpoints/watchpoints in
+a user-space thread, some of them will not be triggered.
+
+When debugging the following code using gdb.
+
+lihui@bogon:~$ cat test.c
+ #include
+ int a = 0;
+ int main()
+ {
+ printf("start test\n");
+ a = 1;
+ printf("a = %d\n", a);
+ printf("end test\n");
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) start
+...
+Temporary breakpoint 1, main () at test.c:5
+5 printf("start test\n");
+(gdb) watch a
+Hardware watchpoint 2: a
+(gdb) hbreak 8
+Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8.
+(gdb) c
+Continuing.
+start test
+a = 1
+
+Breakpoint 3, main () at test.c:8
+8 printf("end test\n");
+...
+
+The first hardware watchpoint is not triggered, the root causes are:
+
+1. In hw_breakpoint_control(), The FWPnCFG1.2.4/MWPnCFG1.2.4 register
+ settings are not distinguished. They should be set based on hardware
+ watchpoint functions (fetch or load/store operations).
+
+2. In breakpoint_handler() and watchpoint_handler(), it doesn't identify
+ which watchpoint is triggered. So, all watchpoint-related perf_event
+ callbacks are called and siginfo is sent to the user space. This will
+ cause user-space unable to determine which watchpoint is triggered.
+ The kernel need to identity which watchpoint is triggered via MWPS/
+ FWPS registers, and then call the corresponding perf event callbacks
+ to report siginfo to the user-space.
+
+Modify the relevant code to solve above issues.
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+
+With this patch:
+
+lihui@bogon:~$ gdb test
+...
+(gdb) start
+...
+Temporary breakpoint 1, main () at test.c:5
+5 printf("start test\n");
+(gdb) watch a
+Hardware watchpoint 2: a
+(gdb) hbreak 8
+Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8.
+(gdb) c
+Continuing.
+start test
+
+Hardware watchpoint 2: a
+
+Old value = 0
+New value = 1
+main () at test.c:7
+7 printf("a = %d\n", a);
+(gdb) c
+Continuing.
+a = 1
+
+Breakpoint 3, main () at test.c:8
+8 printf("end test\n");
+(gdb) c
+Continuing.
+end test
+[Inferior 1 (process 778) exited normally]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/hw_breakpoint.c | 57 +++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 24 deletions(-)
+
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -207,15 +207,15 @@ static int hw_breakpoint_control(struct
+ switch (ops) {
+ case HW_BREAKPOINT_INSTALL:
+ /* Set the FWPnCFG/MWPnCFG 1~4 register. */
+- write_wb_reg(CSR_CFG_ADDR, i, 0, info->address);
+- write_wb_reg(CSR_CFG_ADDR, i, 1, info->address);
+- write_wb_reg(CSR_CFG_MASK, i, 0, info->mask);
+- write_wb_reg(CSR_CFG_MASK, i, 1, info->mask);
+- write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
++ write_wb_reg(CSR_CFG_ADDR, i, 0, info->address);
++ write_wb_reg(CSR_CFG_MASK, i, 0, info->mask);
++ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_CTRL, i, 0, privilege);
+ } else {
++ write_wb_reg(CSR_CFG_ADDR, i, 1, info->address);
++ write_wb_reg(CSR_CFG_MASK, i, 1, info->mask);
++ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ ctrl = encode_ctrl_reg(info->ctrl);
+ write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege);
+ }
+@@ -226,14 +226,17 @@ static int hw_breakpoint_control(struct
+ break;
+ case HW_BREAKPOINT_UNINSTALL:
+ /* Reset the FWPnCFG/MWPnCFG 1~4 register. */
+- write_wb_reg(CSR_CFG_ADDR, i, 0, 0);
+- write_wb_reg(CSR_CFG_ADDR, i, 1, 0);
+- write_wb_reg(CSR_CFG_MASK, i, 0, 0);
+- write_wb_reg(CSR_CFG_MASK, i, 1, 0);
+- write_wb_reg(CSR_CFG_CTRL, i, 0, 0);
+- write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
++ write_wb_reg(CSR_CFG_ADDR, i, 0, 0);
++ write_wb_reg(CSR_CFG_MASK, i, 0, 0);
++ write_wb_reg(CSR_CFG_CTRL, i, 0, 0);
++ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
++ } else {
++ write_wb_reg(CSR_CFG_ADDR, i, 1, 0);
++ write_wb_reg(CSR_CFG_MASK, i, 1, 0);
++ write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
++ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ }
+ if (bp->hw.target)
+ regs->csr_prmd &= ~CSR_PRMD_PWE;
+ break;
+@@ -476,12 +479,15 @@ void breakpoint_handler(struct pt_regs *
+ slots = this_cpu_ptr(bp_on_reg);
+
+ for (i = 0; i < boot_cpu_data.watch_ireg_count; ++i) {
+- bp = slots[i];
+- if (bp == NULL)
+- continue;
+- perf_bp_event(bp, regs);
++ if ((csr_read32(LOONGARCH_CSR_FWPS) & (0x1 << i))) {
++ bp = slots[i];
++ if (bp == NULL)
++ continue;
++ perf_bp_event(bp, regs);
++ csr_write32(0x1 << i, LOONGARCH_CSR_FWPS);
++ update_bp_registers(regs, 0, 0);
++ }
+ }
+- update_bp_registers(regs, 0, 0);
+ }
+ NOKPROBE_SYMBOL(breakpoint_handler);
+
+@@ -493,12 +499,15 @@ void watchpoint_handler(struct pt_regs *
+ slots = this_cpu_ptr(wp_on_reg);
+
+ for (i = 0; i < boot_cpu_data.watch_dreg_count; ++i) {
+- wp = slots[i];
+- if (wp == NULL)
+- continue;
+- perf_bp_event(wp, regs);
++ if ((csr_read32(LOONGARCH_CSR_MWPS) & (0x1 << i))) {
++ wp = slots[i];
++ if (wp == NULL)
++ continue;
++ perf_bp_event(wp, regs);
++ csr_write32(0x1 << i, LOONGARCH_CSR_MWPS);
++ update_bp_registers(regs, 0, 1);
++ }
+ }
+- update_bp_registers(regs, 0, 1);
+ }
+ NOKPROBE_SYMBOL(watchpoint_handler);
+
diff --git a/queue-6.9/loongarch-fix-watchpoint-setting-error.patch b/queue-6.9/loongarch-fix-watchpoint-setting-error.patch
new file mode 100644
index 00000000000..a2f068d6a10
--- /dev/null
+++ b/queue-6.9/loongarch-fix-watchpoint-setting-error.patch
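Review bot: In breakpoint_handler() the `continue` taken when `slots[i]` is NULL skips both `csr_write32(0x1 << i, LOONGARCH_CSR_FWPS);` and `update_bp_registers(regs, 0, 0);`, so a status bit that is set for an empty slot is never acknowledged; watchpoint_handler() has the same shape with LOONGARCH_CSR_MWPS. Whether the hardware can report a hit for a slot that has no perf_event is not visible here, but moving the `csr_write32(...)` line directly under the `if ((csr_read32(...) & (0x1 << i)))` test, ahead of the NULL check, removes the question. Before this change `update_bp_registers()` ran once after the loop on every entry, so the NULL-slot path also changes behaviour there. The mask is built from a signed constant; `1U << i` avoids a signed shift. Both handlers start outside the hunks.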
@@ -0,0 +1,188 @@
+From f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 Mon Sep 17 00:00:00 2001
+From: Hui Li
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Fix watchpoint setting error
+
+From: Hui Li
+
+commit f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 upstream.
+
+In the current code, when debugging the following code using gdb,
+"invalid argument ..." message will be displayed.
+
+lihui@bogon:~$ cat test.c
+ #include
+ int a = 0;
+ int main()
+ {
+ a = 1;
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+Hardware watchpoint 1: a
+(gdb) r
+...
+Invalid argument setting hardware debug registers
+
+There are mainly two types of issues.
+
+1. Some incorrect judgment condition existed in user_watch_state
+ argument parsing, causing -EINVAL to be returned.
+
+When setting up a watchpoint, gdb uses the ptrace interface,
+ptrace(PTRACE_SETREGSET, tid, NT_LOONGARCH_HW_WATCH, (void *) &iov)).
+Register values in user_watch_state as follows:
+
+ addr[0] = 0x0, mask[0] = 0x0, ctrl[0] = 0x0
+ addr[1] = 0x0, mask[1] = 0x0, ctrl[1] = 0x0
+ addr[2] = 0x0, mask[2] = 0x0, ctrl[2] = 0x0
+ addr[3] = 0x0, mask[3] = 0x0, ctrl[3] = 0x0
+ addr[4] = 0x0, mask[4] = 0x0, ctrl[4] = 0x0
+ addr[5] = 0x0, mask[5] = 0x0, ctrl[5] = 0x0
+ addr[6] = 0x0, mask[6] = 0x0, ctrl[6] = 0x0
+ addr[7] = 0x12000803c, mask[7] = 0x0, ctrl[7] = 0x610
+
+In arch_bp_generic_fields(), return -EINVAL when ctrl.len is
+LOONGARCH_BREAKPOINT_LEN_8(0b00). So delete the incorrect judgment here.
+
+In ptrace_hbp_fill_attr_ctrl(), when note_type is NT_LOONGARCH_HW_WATCH
+and ctrl[0] == 0x0, if ((type & HW_BREAKPOINT_RW) != type) will return
+-EINVAL. Here ctrl.type should be set based on note_type, and unnecessary
+judgments can be removed.
+
+2. The watchpoint argument was not set correctly due to unnecessary
+ offset and alignment_mask.
+
+Modify ptrace_hbp_fill_attr_ctrl() and hw_breakpoint_arch_parse(), which
+ensure the watchpont argument is set correctly.
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/hw_breakpoint.h | 2 -
+ arch/loongarch/kernel/hw_breakpoint.c | 19 ++++-------------
+ arch/loongarch/kernel/ptrace.c | 32 +++++++++++++----------------
+ 3 files changed, 21 insertions(+), 32 deletions(-)
+
+--- a/arch/loongarch/include/asm/hw_breakpoint.h
++++ b/arch/loongarch/include/asm/hw_breakpoint.h
+@@ -101,7 +101,7 @@ struct perf_event;
+ struct perf_event_attr;
+
+ extern int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,
+- int *gen_len, int *gen_type, int *offset);
++ int *gen_len, int *gen_type);
+ extern int arch_check_bp_in_kernelspace(struct arch_hw_breakpoint *hw);
+ extern int hw_breakpoint_arch_parse(struct perf_event *bp,
+ const struct perf_event_attr *attr,
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -283,7 +283,7 @@ int arch_check_bp_in_kernelspace(struct
+ * to generic breakpoint descriptions.
+ */
+ int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,
+- int *gen_len, int *gen_type, int *offset)
++ int *gen_len, int *gen_type)
+ {
+ /* Type */
+ switch (ctrl.type) {
+@@ -303,11 +303,6 @@ int arch_bp_generic_fields(struct arch_h
+ return -EINVAL;
+ }
+
+- if (!ctrl.len)
+- return -EINVAL;
+-
+- *offset = __ffs(ctrl.len);
+-
+ /* Len */
+ switch (ctrl.len) {
+ case LOONGARCH_BREAKPOINT_LEN_1:
+@@ -386,21 +381,17 @@ int hw_breakpoint_arch_parse(struct perf
+ struct arch_hw_breakpoint *hw)
+ {
+ int ret;
+- u64 alignment_mask, offset;
++ u64 alignment_mask;
+
+ /* Build the arch_hw_breakpoint. */
+ ret = arch_build_bp_info(bp, attr, hw);
+ if (ret)
+ return ret;
+
+- if (hw->ctrl.type != LOONGARCH_BREAKPOINT_EXECUTE)
+- alignment_mask = 0x7;
+- else
++ if (hw->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+ alignment_mask = 0x3;
+- offset = hw->address & alignment_mask;
+-
+- hw->address &= ~alignment_mask;
+- hw->ctrl.len <<= offset;
++ hw->address &= ~alignment_mask;
++ }
+
+ return 0;
+ }
+--- a/arch/loongarch/kernel/ptrace.c
++++ b/arch/loongarch/kernel/ptrace.c
+@@ -494,28 +494,14 @@ static int ptrace_hbp_fill_attr_ctrl(uns
+ struct arch_hw_breakpoint_ctrl ctrl,
+ struct perf_event_attr *attr)
+ {
+- int err, len, type, offset;
++ int err, len, type;
+
+- err = arch_bp_generic_fields(ctrl, &len, &type, &offset);
++ err = arch_bp_generic_fields(ctrl, &len, &type);
+ if (err)
+ return err;
+
+- switch (note_type) {
+- case NT_LOONGARCH_HW_BREAK:
+- if ((type & HW_BREAKPOINT_X) != type)
+- return -EINVAL;
+- break;
+- case NT_LOONGARCH_HW_WATCH:
+- if ((type & HW_BREAKPOINT_RW) != type)
+- return -EINVAL;
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+ attr->bp_len = len;
+ attr->bp_type = type;
+- attr->bp_addr += offset;
+
+ return 0;
+ }
+@@ -609,7 +595,19 @@ static int ptrace_hbp_set_ctrl(unsigned
+ return PTR_ERR(bp);
+
+ attr = bp->attr;
+- decode_ctrl_reg(uctrl, &ctrl);
++
++ switch (note_type) {
++ case NT_LOONGARCH_HW_BREAK:
++ ctrl.type = LOONGARCH_BREAKPOINT_EXECUTE;
++ ctrl.len = LOONGARCH_BREAKPOINT_LEN_4;
++ break;
++ case NT_LOONGARCH_HW_WATCH:
++ decode_ctrl_reg(uctrl, &ctrl);
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
+ if (err)
+ return err;
diff --git a/queue-6.9/loongarch-trigger-user-space-watchpoints-correctly.patch b/queue-6.9/loongarch-trigger-user-space-watchpoints-correctly.patch
new file mode 100644
index 00000000000..1457a5b74af
--- /dev/null
+++ b/queue-6.9/loongarch-trigger-user-space-watchpoints-correctly.patch
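Review bot: With the `switch (note_type)` removed from ptrace_hbp_fill_attr_ctrl(), nothing in these hunks ties the breakpoint type to the regset any more: for NT_LOONGARCH_HW_WATCH the type and length come straight from `decode_ctrl_reg(uctrl, &ctrl)`, that is from the ptrace caller, and only the generic checks in arch_bp_generic_fields() remain. The commit message explains that an all-zero ctrl word for an unused slot has to be accepted, so the relaxation looks intended, but the new `case NT_LOONGARCH_HW_WATCH:` should say so, for example `/* type/len come from the user ctrl word; an all-zero word (unused slot) is valid */`. It is also worth confirming what hw_breakpoint_control() does when a watch slot carries an execute type, since it selects the FWP or MWP registers from `info->ctrl.type`; that code is not in this patch. The `note_type` parameter of ptrace_hbp_fill_attr_ctrl() is now unused in the visible body and could be dropped or marked as such.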
@@ -0,0 +1,178 @@
+From c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 Mon Sep 17 00:00:00 2001
+From: Hui Li
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Trigger user-space watchpoints correctly
+
+From: Hui Li
+
+commit c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 upstream.
+
+In the current code, gdb can set the watchpoint successfully through
+ptrace interface, but watchpoint will not be triggered.
+
+When debugging the following code using gdb.
+
+lihui@bogon:~$ cat test.c
+ #include
+ int a = 0;
+ int main()
+ {
+ a = 1;
+ printf("a = %d\n", a);
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+...
+(gdb) r
+...
+a = 1
+[Inferior 1 (process 4650) exited normally]
+
+No watchpoints were triggered, the root causes are:
+
+1. Kernel uses perf_event and hw_breakpoint framework to control
+ watchpoint, but the perf_event corresponding to watchpoint is
+ not enabled. So it needs to be enabled according to MWPnCFG3
+ or FWPnCFG3 PLV bit field in ptrace_hbp_set_ctrl(), and privilege
+ is set according to the monitored addr in hw_breakpoint_control().
+ Furthermore, add a judgment in ptrace_hbp_set_addr() to ensure
+ kernel-space addr cannot be monitored in user mode.
+
+2. The global enable control for all watchpoints is the WE bit of
+ CSR.CRMD, and hardware sets the value to 0 when an exception is
+ triggered. When the ERTN instruction is executed to return, the
+ hardware restores the value of the PWE field of CSR.PRMD here.
+ So, before a thread containing watchpoints be scheduled, the PWE
+ field of CSR.PRMD needs to be set to 1. Add this modification in
+ hw_breakpoint_control().
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#basic-control-and-status-registers
+
+With this patch:
+
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+Hardware watchpoint 1: a
+(gdb) r
+...
+Hardware watchpoint 1: a
+
+Old value = 0
+New value = 1
+main () at test.c:6
+6 printf("a = %d\n", a);
+(gdb) c
+Continuing.
+a = 1
+[Inferior 1 (process 775) exited normally]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/hw_breakpoint.h | 2 ++
+ arch/loongarch/kernel/hw_breakpoint.c | 20 +++++++++++++++++---
+ arch/loongarch/kernel/ptrace.c | 15 ++++++++++++---
+ 3 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/arch/loongarch/include/asm/hw_breakpoint.h
++++ b/arch/loongarch/include/asm/hw_breakpoint.h
+@@ -75,6 +75,8 @@ do { \
+ #define CSR_MWPC_NUM 0x3f
+
+ #define CTRL_PLV_ENABLE 0x1e
++#define CTRL_PLV0_ENABLE 0x02
++#define CTRL_PLV3_ENABLE 0x10
+
+ #define MWPnCFG3_LoadEn 8
+ #define MWPnCFG3_StoreEn 9
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -174,11 +174,21 @@ void flush_ptrace_hw_breakpoint(struct t
+ static int hw_breakpoint_control(struct perf_event *bp,
+ enum hw_breakpoint_ops ops)
+ {
+- u32 ctrl;
++ u32 ctrl, privilege;
+ int i, max_slots, enable;
++ struct pt_regs *regs;
+ struct perf_event **slots;
+ struct arch_hw_breakpoint *info = counter_arch_bp(bp);
+
++ if (arch_check_bp_in_kernelspace(info))
++ privilege = CTRL_PLV0_ENABLE;
++ else
++ privilege = CTRL_PLV3_ENABLE;
++
++ /* Whether bp belongs to a task. */
++ if (bp->hw.target)
++ regs = task_pt_regs(bp->hw.target);
++
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+ /* Breakpoint */
+ slots = this_cpu_ptr(bp_on_reg);
+@@ -204,13 +214,15 @@ static int hw_breakpoint_control(struct
+ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+- write_wb_reg(CSR_CFG_CTRL, i, 0, CTRL_PLV_ENABLE);
++ write_wb_reg(CSR_CFG_CTRL, i, 0, privilege);
+ } else {
+ ctrl = encode_ctrl_reg(info->ctrl);
+- write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | CTRL_PLV_ENABLE);
++ write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege);
+ }
+ enable = csr_read64(LOONGARCH_CSR_CRMD);
+ csr_write64(CSR_CRMD_WE | enable, LOONGARCH_CSR_CRMD);
++ if (bp->hw.target)
++ regs->csr_prmd |= CSR_PRMD_PWE;
+ break;
+ case HW_BREAKPOINT_UNINSTALL:
+ /* Reset the FWPnCFG/MWPnCFG 1~4 register. */
+@@ -222,6 +234,8 @@ static int hw_breakpoint_control(struct
+ write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ if (bp->hw.target)
++ regs->csr_prmd &= ~CSR_PRMD_PWE;
+ break;
+ }
+
+--- a/arch/loongarch/kernel/ptrace.c
++++ b/arch/loongarch/kernel/ptrace.c
+@@ -608,9 +608,14 @@ static int ptrace_hbp_set_ctrl(unsigned
+ return -EINVAL;
+ }
+
+- err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
+- if (err)
+- return err;
++ if (uctrl & CTRL_PLV_ENABLE) {
++ err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
++ if (err)
++ return err;
++ attr.disabled = 0;
++ } else {
++ attr.disabled = 1;
++ }
+
+ return modify_user_hw_breakpoint(bp, &attr);
+ }
+@@ -641,6 +646,10 @@ static int ptrace_hbp_set_addr(unsigned
+ struct perf_event *bp;
+ struct perf_event_attr attr;
+
++ /* Kernel-space address cannot be monitored by user-space */
++ if ((unsigned long)addr >= XKPRANGE)
++ return -EINVAL;
++
+ bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx);
+ if (IS_ERR(bp))
+ return PTR_ERR(bp);
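Review bot: The new guard in ptrace_hbp_set_addr() tests `(unsigned long)addr >= XKPRANGE`, while hw_breakpoint_control() selects `CTRL_PLV0_ENABLE` from `arch_check_bp_in_kernelspace(info)`, and the hunks do not show that the two agree on where kernel space begins. If they can disagree, an address accepted by the ptrace check could still be armed at PLV0, so the comment should record the assumption, e.g. `/* must reject every address arch_check_bp_in_kernelspace() treats as kernel space */`. Separately, `regs` in hw_breakpoint_control() is assigned only under `if (bp->hw.target)`; declaring it as `struct pt_regs *regs = NULL;` would make the later guarded uses easier to verify. Both functions extend outside the hunks shown.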
diff --git a/queue-6.9/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch b/queue-6.9/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch
new file mode 100644
index 00000000000..698b4412d67
--- /dev/null
+++ b/queue-6.9/net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch
@@ -0,0 +1,95 @@
+From 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin
+Date: Mon, 17 Jun 2024 22:02:05 +0100
+Subject: net: do not leave a dangling sk pointer, when socket creation fails
+
+From: Ignat Korchagin
+
+commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 upstream.
+
+It is possible to trigger a use-after-free by:
+ * attaching an fentry probe to __sock_release() and the probe calling the
+ bpf_get_socket_cookie() helper
+ * running traceroute -I 1.1.1.1 on a freshly booted VM
+
+A KASAN enabled kernel will log something like below (decoded and stripped):
+==================================================================
+BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+Read of size 8 at addr ffff888007110dd8 by task traceroute/299
+
+CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+Call Trace:
+
+dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
+print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
+? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+kasan_report (mm/kasan/report.c:603)
+? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
+__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
+bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
+bpf_trampoline_6442506592+0x47/0xaf
+__sock_release (net/socket.c:652)
+__sock_create (net/socket.c:1601)
+...
+Allocated by task 299 on cpu 2 at 78.328492s:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (mm/kasan/common.c:68)
+__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
+kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
+sk_prot_alloc (net/core/sock.c:2075)
+sk_alloc (net/core/sock.c:2134)
+inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
+__sock_create (net/socket.c:1572)
+__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
+__x64_sys_socket (net/socket.c:1718)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Freed by task 299 on cpu 2 at 78.328502s:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (mm/kasan/common.c:68)
+kasan_save_free_info (mm/kasan/generic.c:582)
+poison_slab_object (mm/kasan/common.c:242)
+__kasan_slab_free (mm/kasan/common.c:256)
+kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
+__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
+inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
+__sock_create (net/socket.c:1572)
+__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
+__x64_sys_socket (net/socket.c:1718)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Fix this by clearing the struct socket reference in sk_common_release() to cover
+all protocol families create functions, which may already attached the
+reference to the sk object with sock_init_data().
+
+Fixes: c5dbb89fc2ac ("bpf: Expose bpf_get_socket_cookie to tracing programs")
+Suggested-by: Kuniyuki Iwashima
+Signed-off-by: Ignat Korchagin
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/20240613194047.36478-1-kuniyu@amazon.com/T/
+Reviewed-by: Kuniyuki Iwashima
+Reviewed-by: D. Wythe
+Link: https://lore.kernel.org/r/20240617210205.67311-1-ignat@cloudflare.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3743,6 +3743,9 @@ void sk_common_release(struct sock *sk)
+
+ sk->sk_prot->unhash(sk);
+
++ if (sk->sk_socket)
++ sk->sk_socket->sk = NULL;
++
+ /*
+ * In this point socket cannot receive new packets, but it is possible
+ * that some packets are in flight because some CPU runs receiver and
diff --git a/queue-6.9/net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch b/queue-6.9/net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch
new file mode 100644
index 00000000000..5aa3fc2bf78
--- /dev/null
+++ b/queue-6.9/net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch
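Review bot: The added `sk->sk_socket->sk = NULL;` in sk_common_release() carries no comment, so nothing at the site explains why a release path writes into the owning struct socket. A short comment such as `/* drop the socket's back-pointer so a failed create path cannot leave sock->sk pointing at a freed sk */` would keep the store from being removed as redundant later. The fix also only helps protocols whose failure path goes through sk_common_release(); whether every create function does so is not visible in this hunk. sk_common_release() starts and ends outside the hunk.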
@@ -0,0 +1,87 @@
+From 40a64cc9679540ff7c46ecc51178b07d42abbb1c Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Fri, 14 Jun 2024 11:45:16 +0200
+Subject: net: phy: dp83tg720: get master/slave configuration in link down state
+
+From: Oleksij Rempel
+
+commit 40a64cc9679540ff7c46ecc51178b07d42abbb1c upstream.
+
+Get master/slave configuration for initial system start with the link in
+down state. This ensures ethtool shows current configuration. Also
+fixes link reconfiguration with ethtool while in down state, preventing
+ethtool from displaying outdated configuration.
+
+Even though dp83tg720_config_init() is executed periodically as long as
+the link is in admin up state but no carrier is detected, this is not
+sufficient for the link in admin down state where
+dp83tg720_read_status() is not periodically executed. To cover this
+case, we need an extra read role configuration in
+dp83tg720_config_aneg().
+
+Fixes: cb80ee2f9bee1 ("net: phy: Add support for the DP83TG720S Ethernet PHY")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://lore.kernel.org/r/20240614094516.1481231-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83tg720.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83tg720.c b/drivers/net/phy/dp83tg720.c
+index 1186dfc70fb3..c706429b225a 100644
+--- a/drivers/net/phy/dp83tg720.c
++++ b/drivers/net/phy/dp83tg720.c
+@@ -36,11 +36,20 @@
+
+ static int dp83tg720_config_aneg(struct phy_device *phydev)
+ {
++ int ret;
++
+ /* Autoneg is not supported and this PHY supports only one speed.
+ * We need to care only about master/slave configuration if it was
+ * changed by user.
+ */
+- return genphy_c45_pma_baset1_setup_master_slave(phydev);
++ ret = genphy_c45_pma_baset1_setup_master_slave(phydev);
++ if (ret)
++ return ret;
++
++ /* Re-read role configuration to make changes visible even if
++ * the link is in administrative down state.
++ */
++ return genphy_c45_pma_baset1_read_master_slave(phydev);
+ }
+
+ static int dp83tg720_read_status(struct phy_device *phydev)
+@@ -69,6 +78,8 @@ static int dp83tg720_read_status(struct phy_device *phydev)
+ return ret;
+
+ /* After HW reset we need to restore master/slave configuration.
++ * genphy_c45_pma_baset1_read_master_slave() call will be done
++ * by the dp83tg720_config_aneg() function.
+ */
+ ret = dp83tg720_config_aneg(phydev);
+ if (ret)
+@@ -168,8 +179,15 @@ static int dp83tg720_config_init(struct phy_device *phydev)
+ /* In case the PHY is bootstrapped in managed mode, we need to
+ * wake it.
+ */
+- return phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
+- DP83TG720S_LPS_CFG3_PWR_MODE_0);
++ ret = phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
++ DP83TG720S_LPS_CFG3_PWR_MODE_0);
++ if (ret)
++ return ret;
++
++ /* Make role configuration visible for ethtool on init and after
++ * rest.
++ */
++ return genphy_c45_pma_baset1_read_master_slave(phydev);
+ }
+
+ static struct phy_driver dp83tg720_driver[] = {
+--
+2.45.2
+
diff --git a/queue-6.9/net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch b/queue-6.9/net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch
new file mode 100644
index 00000000000..69839f2baab
--- /dev/null
+++ b/queue-6.9/net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch
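Review bot: The comment added in dp83tg720_config_init() ends with `on init and after rest.`, which presumably should read `on init and after reset.`. The comment added in dp83tg720_read_status() describes what dp83tg720_config_aneg() does internally; stating that once on dp83tg720_config_aneg() itself would keep it accurate if the helper changes. dp83tg720_read_status() and dp83tg720_config_init() both start outside their hunks.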
@@ -0,0 +1,62 @@
+From cd6f12e173df44a20c2ac2ac110007dc14968088 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Fri, 14 Jun 2024 11:45:15 +0200
+Subject: net: phy: dp83tg720: wake up PHYs in managed mode
+
+From: Oleksij Rempel
+
+commit cd6f12e173df44a20c2ac2ac110007dc14968088 upstream.
+
+In case this PHY is bootstrapped for managed mode, we need to manually
+wake it. Otherwise no link will be detected.
+
+Cc: stable@vger.kernel.org
+Fixes: cb80ee2f9bee1 ("net: phy: Add support for the DP83TG720S Ethernet PHY")
+Signed-off-by: Oleksij Rempel
+Link: https://lore.kernel.org/r/20240614094516.1481231-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83tg720.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83tg720.c b/drivers/net/phy/dp83tg720.c
+index 326c9770a6dc..1186dfc70fb3 100644
+--- a/drivers/net/phy/dp83tg720.c
++++ b/drivers/net/phy/dp83tg720.c
+@@ -17,6 +17,11 @@
+ #define DP83TG720S_PHY_RESET 0x1f
+ #define DP83TG720S_HW_RESET BIT(15)
+
++#define DP83TG720S_LPS_CFG3 0x18c
++/* Power modes are documented as bit fields but used as values */
++/* Power Mode 0 is Normal mode */
++#define DP83TG720S_LPS_CFG3_PWR_MODE_0 BIT(0)
++
+ #define DP83TG720S_RGMII_DELAY_CTRL 0x602
+ /* In RGMII mode, Enable or disable the internal delay for RXD */
+ #define DP83TG720S_RGMII_RX_CLK_SEL BIT(1)
+@@ -154,10 +159,17 @@ static int dp83tg720_config_init(struct phy_device *phydev)
+ */
+ usleep_range(1000, 2000);
+
+- if (phy_interface_is_rgmii(phydev))
+- return dp83tg720_config_rgmii_delay(phydev);
++ if (phy_interface_is_rgmii(phydev)) {
++ ret = dp83tg720_config_rgmii_delay(phydev);
++ if (ret)
++ return ret;
++ }
+
+- return 0;
++ /* In case the PHY is bootstrapped in managed mode, we need to
++ * wake it.
++ */
++ return phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
++ DP83TG720S_LPS_CFG3_PWR_MODE_0);
+ }
+
+ static struct phy_driver dp83tg720_driver[] = {
+--
+2.45.2
+
diff --git a/queue-6.9/net-stmmac-assign-configured-channel-value-to-extts-event.patch b/queue-6.9/net-stmmac-assign-configured-channel-value-to-extts-event.patch
new file mode 100644
index 00000000000..c8659da523f
--- /dev/null
+++ b/queue-6.9/net-stmmac-assign-configured-channel-value-to-extts-event.patch
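Review bot: `DP83TG720S_LPS_CFG3_PWR_MODE_0` is defined as `BIT(0)` even though the comment directly above it says the power modes are used as values rather than bit fields; writing it as `0x1` would match that comment and avoid suggesting it can be OR-ed with other modes. The phy_write_mmd() call in dp83tg720_config_init() overwrites the whole register, which fits the value reading, but whether other fields of LPS_CFG3 need preserving is not visible here. The two stacked one-line comments could also be merged into one. dp83tg720_config_init() starts outside the hunk.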
@@ -0,0 +1,61 @@
+From 8851346912a1fa33e7a5966fe51f07313b274627 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Tue, 18 Jun 2024 09:38:21 +0200
+Subject: net: stmmac: Assign configured channel value to EXTTS event
+
+From: Oleksij Rempel
+
+commit 8851346912a1fa33e7a5966fe51f07313b274627 upstream.
+
+Assign the configured channel value to the EXTTS event in the timestamp
+interrupt handler. Without assigning the correct channel, applications
+like ts2phc will refuse to accept the event, resulting in errors such
+as:
+...
+ts2phc[656.834]: config item end1.ts2phc.pin_index is 0
+ts2phc[656.834]: config item end1.ts2phc.channel is 3
+ts2phc[656.834]: config item end1.ts2phc.extts_polarity is 2
+ts2phc[656.834]: config item end1.ts2phc.extts_correction is 0
+...
+ts2phc[656.862]: extts on unexpected channel
+ts2phc[658.141]: extts on unexpected channel
+ts2phc[659.140]: extts on unexpected channel
+
+Fixes: f4da56529da60 ("net: stmmac: Add support for external trigger timestamping")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Reviewed-by: Wojciech Drewek
+Link: https://lore.kernel.org/r/20240618073821.619751-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+@@ -218,6 +218,7 @@ static void timestamp_interrupt(struct s
+ {
+ u32 num_snapshot, ts_status, tsync_int;
+ struct ptp_clock_event event;
++ u32 acr_value, channel;
+ unsigned long flags;
+ u64 ptp_time;
+ int i;
+@@ -243,12 +244,15 @@ static void timestamp_interrupt(struct s
+ num_snapshot = (ts_status & GMAC_TIMESTAMP_ATSNS_MASK) >>
+ GMAC_TIMESTAMP_ATSNS_SHIFT;
+
++ acr_value = readl(priv->ptpaddr + PTP_ACR);
++ channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value));
++
+ for (i = 0; i < num_snapshot; i++) {
+ read_lock_irqsave(&priv->ptp_lock, flags);
+ get_ptptime(priv->ptpaddr, &ptp_time);
+ read_unlock_irqrestore(&priv->ptp_lock, flags);
+ event.type = PTP_CLOCK_EXTTS;
+- event.index = 0;
++ event.index = channel;
+ event.timestamp = ptp_time;
+ ptp_clock_event(priv->ptp_clock, &event);
+ }
diff --git a/queue-6.9/net-tcp_ao-don-t-leak-ao_info-on-error-path.patch b/queue-6.9/net-tcp_ao-don-t-leak-ao_info-on-error-path.patch
new file mode 100644
index 00000000000..f98c803c529
--- /dev/null
+++ b/queue-6.9/net-tcp_ao-don-t-leak-ao_info-on-error-path.patch
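Review bot: `channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value));` in timestamp_interrupt() is computed without checking that any bit of the field is set, so a register that reads back with the field clear makes ilog2() run on 0 and hands an out-of-range `event.index` to ptp_clock_event(). Keeping the old index as the fallback covers it: `u32 acr_field = FIELD_GET(PTP_ACR_MASK, acr_value);` followed by `channel = acr_field ? ilog2(acr_field) : 0;`. Whether the field can be zero while a snapshot is pending is not visible in the hunk, and timestamp_interrupt() starts and ends outside it.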
@@ -0,0 +1,48 @@
+From f9ae848904289ddb16c7c9e4553ed4c64300de49 Mon Sep 17 00:00:00 2001
+From: Dmitry Safonov <0x7f454c46@gmail.com>
+Date: Wed, 19 Jun 2024 01:29:04 +0100
+Subject: net/tcp_ao: Don't leak ao_info on error-path
+
+From: Dmitry Safonov <0x7f454c46@gmail.com>
+
+commit f9ae848904289ddb16c7c9e4553ed4c64300de49 upstream.
+
+It seems I introduced it together with TCP_AO_CMDF_AO_REQUIRED, on
+version 5 [1] of TCP-AO patches. Quite frustrative that having all these
+selftests that I've written, running kmemtest & kcov was always in todo.
+
+[1]: https://lore.kernel.org/netdev/20230215183335.800122-5-dima@arista.com/
+
+Reported-by: Jakub Kicinski
+Closes: https://lore.kernel.org/netdev/20240617072451.1403e1d2@kernel.org/
+Fixes: 0aadc73995d0 ("net/tcp: Prevent TCP-MD5 with TCP-AO being set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20240619-tcp-ao-required-leak-v1-1-6408f3c94247@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_ao.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
+index 37c42b63ff99..09c0fa6756b7 100644
+--- a/net/ipv4/tcp_ao.c
++++ b/net/ipv4/tcp_ao.c
+@@ -1968,8 +1968,10 @@ static int tcp_ao_info_cmd(struct sock *sk, unsigned short int family,
+ first = true;
+ }
+
+- if (cmd.ao_required && tcp_ao_required_verify(sk))
+- return -EKEYREJECTED;
++ if (cmd.ao_required && tcp_ao_required_verify(sk)) {
++ err = -EKEYREJECTED;
++ goto out;
++ }
+
+ /* For sockets in TCP_CLOSED it's possible set keys that aren't
+ * matching the future peer (address/port/VRF/etc),
+--
+2.45.2
+
diff --git a/queue-6.9/net-usb-ax88179_178a-improve-reset-check.patch b/queue-6.9/net-usb-ax88179_178a-improve-reset-check.patch
new file mode 100644
index 00000000000..5f6cf21e6c3
--- /dev/null
+++ b/queue-6.9/net-usb-ax88179_178a-improve-reset-check.patch
@@ -0,0 +1,83 @@
+From 7be4cb7189f747b4e5b6977d0e4387bde3204e62 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez
+Date: Mon, 17 Jun 2024 12:28:21 +0200
+Subject: net: usb: ax88179_178a: improve reset check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jose Ignacio Tornos Martinez
+
+commit 7be4cb7189f747b4e5b6977d0e4387bde3204e62 upstream.
+
+After ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is
+set to down/up") to not reset from usbnet_open after the reset from
+usbnet_probe at initialization stage to speed up this, some issues have
+been reported.
+
+It seems to happen that if the initialization is slower, and some time
+passes between the probe operation and the open operation, the second reset
+from open is necessary too to have the device working. The reason is that
+if there is no activity with the phy, this is "disconnected".
+
+In order to improve this, the solution is to detect when the phy is
+"disconnected", and we can use the phy status register for this. So we will
+only reset the device from reset operation in this situation, that is, only
+if necessary.
+
+The same bahavior is happening when the device is stopped (link set to
+down) and later is restarted (link set to up), so if the phy keeps working
+we only need to enable the mac again, but if enough time passes between the
+device stop and restart, reset is necessary, and we can detect the
+situation checking the phy status register too.
+
+cc: stable@vger.kernel.org # 6.6+
+Fixes: ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is set to down/up")
+Reported-by: Yongqin Liu
+Reported-by: Antje Miederhöfer
+Reported-by: Arne Fitzenreiter
+Tested-by: Yongqin Liu
+Tested-by: Antje Miederhöfer
+Signed-off-by: Jose Ignacio Tornos Martinez
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/ax88179_178a.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -174,7 +174,6 @@ struct ax88179_data {
+ u32 wol_supported;
+ u32 wolopts;
+ u8 disconnecting;
+- u8 initialized;
+ };
+
+ struct ax88179_int_data {
+@@ -1676,12 +1675,21 @@ static int ax88179_reset(struct usbnet *
+
+ static int ax88179_net_reset(struct usbnet *dev)
+ {
+- struct ax88179_data *ax179_data = dev->driver_priv;
++ u16 tmp16;
+
+- if (ax179_data->initialized)
++ ax88179_read_cmd(dev, AX_ACCESS_PHY, AX88179_PHY_ID, GMII_PHY_PHYSR,
++ 2, &tmp16);
++ if (tmp16) {
++ ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE,
++ 2, 2, &tmp16);
++ if (!(tmp16 & AX_MEDIUM_RECEIVE_EN)) {
++ tmp16 |= AX_MEDIUM_RECEIVE_EN;
++ ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE,
++ 2, 2, &tmp16);
++ }
++ } else {
+ ax88179_reset(dev);
+- else
+- ax179_data->initialized = 1;
++ }
+
+ return 0;
+ }
diff --git a/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch b/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch
new file mode 100644
index 00000000000..d9de0a784c9
--- /dev/null
+++ b/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch
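Review bot: `tmp16` in ax88179_net_reset() is declared without an initialiser and the results of both ax88179_read_cmd() calls are ignored, so a failed USB read leaves the `if (tmp16)` decision, and the value later written back to AX_MEDIUM_STATUS_MODE, resting on whatever the variable holds. Declaring it as `u16 tmp16 = 0;` makes a failed PHY read fall through to ax88179_reset(), and checking the return of the second read before the write-back avoids storing a value that was never read from the MAC. Whether ax88179_read_cmd() clears the buffer on failure is not visible in this hunk.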
@@ -0,0 +1,364 @@ +From 685d03c3795378fca6a1b3d43581f7f1a3fc095f Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Thu, 30 May 2024 19:06:30 +0800 +Subject: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger() + +From: Joseph Qi + +commit 685d03c3795378fca6a1b3d43581f7f1a3fc095f upstream. + +bdev->bd_super has been removed and commit 8887b94d9322 change the usage +from bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set +bh->b_assoc_map, it will trigger NULL pointer dereference when calling +into ocfs2_abort_trigger(). + +Actually this was pointed out in history, see commit 74e364ad1b13. But +I've made a mistake when reviewing commit 8887b94d9322 and then +re-introduce this regression. + +Since we cannot revive bdev in buffer head, so fix this issue by +initializing all types of ocfs2 triggers when fill super, and then get the +specific ocfs2 trigger from ocfs2_caching_info when access journal. + +[joseph.qi@linux.alibaba.com: v2] + Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com +Link: https://lkml.kernel.org/r/20240530110630.3933832-2-joseph.qi@linux.alibaba.com +Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 190 +++++++++++++++++++++++++++++------------------------ + fs/ocfs2/ocfs2.h | 27 +++++++ + fs/ocfs2/super.c | 4 - + 3 files changed, 135 insertions(+), 86 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -479,12 +479,6 @@ bail: + return status; + } + +- +-struct ocfs2_triggers { +- struct jbd2_buffer_trigger_type ot_triggers; +- int ot_offset; +-}; +- + static inline struct ocfs2_triggers *to_ocfs2_trigger(struct jbd2_buffer_trigger_type *triggers) + { + return container_of(triggers, struct 
ocfs2_triggers, ot_triggers); +@@ -548,85 +542,76 @@ static void ocfs2_db_frozen_trigger(stru + static void ocfs2_abort_trigger(struct jbd2_buffer_trigger_type *triggers, + struct buffer_head *bh) + { ++ struct ocfs2_triggers *ot = to_ocfs2_trigger(triggers); ++ + mlog(ML_ERROR, + "ocfs2_abort_trigger called by JBD2. bh = 0x%lx, " + "bh->b_blocknr = %llu\n", + (unsigned long)bh, + (unsigned long long)bh->b_blocknr); + +- ocfs2_error(bh->b_assoc_map->host->i_sb, ++ ocfs2_error(ot->sb, + "JBD2 has aborted our journal, ocfs2 cannot continue\n"); + } + +-static struct ocfs2_triggers di_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_dinode, i_check), +-}; +- +-static struct ocfs2_triggers eb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_extent_block, h_check), +-}; +- +-static struct ocfs2_triggers rb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_refcount_block, rf_check), +-}; +- +-static struct ocfs2_triggers gd_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_group_desc, bg_check), +-}; +- +-static struct ocfs2_triggers db_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_db_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +-}; +- +-static struct ocfs2_triggers xb_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_xattr_block, xb_check), +-}; +- +-static struct ocfs2_triggers dq_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_dq_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +-}; +- +-static struct ocfs2_triggers dr_triggers = { +- 
.ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check), +-}; +- +-static struct ocfs2_triggers dl_triggers = { +- .ot_triggers = { +- .t_frozen = ocfs2_frozen_trigger, +- .t_abort = ocfs2_abort_trigger, +- }, +- .ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check), +-}; ++static void ocfs2_setup_csum_triggers(struct super_block *sb, ++ enum ocfs2_journal_trigger_type type, ++ struct ocfs2_triggers *ot) ++{ ++ BUG_ON(type >= OCFS2_JOURNAL_TRIGGER_COUNT); ++ ++ switch (type) { ++ case OCFS2_JTR_DI: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dinode, i_check); ++ break; ++ case OCFS2_JTR_EB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_extent_block, h_check); ++ break; ++ case OCFS2_JTR_RB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_refcount_block, rf_check); ++ break; ++ case OCFS2_JTR_GD: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_group_desc, bg_check); ++ break; ++ case OCFS2_JTR_DB: ++ ot->ot_triggers.t_frozen = ocfs2_db_frozen_trigger; ++ break; ++ case OCFS2_JTR_XB: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_xattr_block, xb_check); ++ break; ++ case OCFS2_JTR_DQ: ++ ot->ot_triggers.t_frozen = ocfs2_dq_frozen_trigger; ++ break; ++ case OCFS2_JTR_DR: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check); ++ break; ++ case OCFS2_JTR_DL: ++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger; ++ ot->ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check); ++ break; ++ case OCFS2_JTR_NONE: ++ /* To make compiler happy... 
*/ ++ return; ++ } ++ ++ ot->ot_triggers.t_abort = ocfs2_abort_trigger; ++ ot->sb = sb; ++} ++ ++void ocfs2_initialize_journal_triggers(struct super_block *sb, ++ struct ocfs2_triggers triggers[]) ++{ ++ enum ocfs2_journal_trigger_type type; ++ ++ for (type = OCFS2_JTR_DI; type < OCFS2_JOURNAL_TRIGGER_COUNT; type++) ++ ocfs2_setup_csum_triggers(sb, type, &triggers[type]); ++} + + static int __ocfs2_journal_access(handle_t *handle, + struct ocfs2_caching_info *ci, +@@ -708,56 +693,91 @@ static int __ocfs2_journal_access(handle + int ocfs2_journal_access_di(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &di_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DI], ++ type); + } + + int ocfs2_journal_access_eb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &eb_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_EB], ++ type); + } + + int ocfs2_journal_access_rb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &rb_triggers, ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_RB], + type); + } + + int ocfs2_journal_access_gd(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &gd_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ 
&osb->s_journal_triggers[OCFS2_JTR_GD], ++ type); + } + + int ocfs2_journal_access_db(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &db_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DB], ++ type); + } + + int ocfs2_journal_access_xb(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &xb_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_XB], ++ type); + } + + int ocfs2_journal_access_dq(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dq_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DQ], ++ type); + } + + int ocfs2_journal_access_dr(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dr_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DR], ++ type); + } + + int ocfs2_journal_access_dl(handle_t *handle, struct ocfs2_caching_info *ci, + struct buffer_head *bh, int type) + { +- return __ocfs2_journal_access(handle, ci, bh, &dl_triggers, type); ++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci)); ++ ++ return __ocfs2_journal_access(handle, ci, bh, ++ &osb->s_journal_triggers[OCFS2_JTR_DL], ++ type); + } + + int ocfs2_journal_access(handle_t *handle, struct 
ocfs2_caching_info *ci, +--- a/fs/ocfs2/ocfs2.h ++++ b/fs/ocfs2/ocfs2.h +@@ -284,6 +284,30 @@ enum ocfs2_mount_options + #define OCFS2_OSB_ERROR_FS 0x0004 + #define OCFS2_DEFAULT_ATIME_QUANTUM 60 + ++struct ocfs2_triggers { ++ struct jbd2_buffer_trigger_type ot_triggers; ++ int ot_offset; ++ struct super_block *sb; ++}; ++ ++enum ocfs2_journal_trigger_type { ++ OCFS2_JTR_DI, ++ OCFS2_JTR_EB, ++ OCFS2_JTR_RB, ++ OCFS2_JTR_GD, ++ OCFS2_JTR_DB, ++ OCFS2_JTR_XB, ++ OCFS2_JTR_DQ, ++ OCFS2_JTR_DR, ++ OCFS2_JTR_DL, ++ OCFS2_JTR_NONE /* This must be the last entry */ ++}; ++ ++#define OCFS2_JOURNAL_TRIGGER_COUNT OCFS2_JTR_NONE ++ ++void ocfs2_initialize_journal_triggers(struct super_block *sb, ++ struct ocfs2_triggers triggers[]); ++ + struct ocfs2_journal; + struct ocfs2_slot_info; + struct ocfs2_recovery_map; +@@ -351,6 +375,9 @@ struct ocfs2_super + struct ocfs2_journal *journal; + unsigned long osb_commit_interval; + ++ /* Journal triggers for checksum */ ++ struct ocfs2_triggers s_journal_triggers[OCFS2_JOURNAL_TRIGGER_COUNT]; ++ + struct delayed_work la_enable_wq; + + /* +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1075,9 +1075,11 @@ static int ocfs2_fill_super(struct super + debugfs_create_file("fs_state", S_IFREG|S_IRUSR, osb->osb_debug_root, + osb, &ocfs2_osb_debug_fops); + +- if (ocfs2_meta_ecc(osb)) ++ if (ocfs2_meta_ecc(osb)) { ++ ocfs2_initialize_journal_triggers(sb, osb->s_journal_triggers); + ocfs2_blockcheck_stats_debugfs_install( &osb->osb_ecc_stats, + osb->osb_debug_root); ++ } + + status = ocfs2_mount_volume(sb); + if (status < 0) diff --git a/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch b/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch new file mode 100644 index 00000000000..742b51ae290 --- /dev/null +++ b/queue-6.9/ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch 
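Review bot: The nine ocfs2_journal_access_*() wrappers in this hunk repeat the same `OCFS2_SB(ocfs2_metadata_cache_get_super(ci))` lookup and differ only in the OCFS2_JTR_* index, so a later change to how the per-superblock trigger is found has nine places to miss. A small static helper that takes `ci` and the trigger type and returns `&osb->s_journal_triggers[type]` would reduce each wrapper to one call, e.g. `return __ocfs2_journal_access(handle, ci, bh, ocfs2_triggers_for(ci, OCFS2_JTR_DI), type);` (the helper name is only a suggestion). The indices are compile-time enum constants below OCFS2_JOURNAL_TRIGGER_COUNT, so there is no bounds concern. __ocfs2_journal_access() starts before the hunk and ocfs2_journal_access() continues after it.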
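Review bot: ocfs2_initialize_journal_triggers() is called only inside the `ocfs2_meta_ecc(osb)` branch of ocfs2_fill_super(), yet the accessors in fs/ocfs2/journal.c pass `&osb->s_journal_triggers[...]` unconditionally, so on a volume without metaecc `t_frozen`, `t_abort` and `sb` are never assigned. That is safe only if the osb is zero-allocated and __ocfs2_journal_access() never installs triggers when metaecc is off; neither is visible in this patch, so both should be confirmed. I would record the dependency at the call site: `/* Triggers are only set up, and must only be used, when metaecc is enabled */`. ocfs2_fill_super() starts and ends outside the hunk.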
@@ -0,0 +1,101 @@ +From 58f7e1e2c9e72c7974054c64c3abeac81c11f822 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Thu, 30 May 2024 19:06:29 +0800 +Subject: ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty() + +From: Joseph Qi + +commit 58f7e1e2c9e72c7974054c64c3abeac81c11f822 upstream. + +bdev->bd_super has been removed and commit 8887b94d9322 change the usage +from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the +following NULL pointer dereference in ocfs2_journal_dirty() since +b_assoc_map is still not initialized. This can be easily reproduced by +running xfstests generic/186, which simulate no more credits. + +[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000 +... +[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2] +... +[ 134.365071] Call Trace: +[ 134.365312] +[ 134.365524] ? __die_body+0x1e/0x60 +[ 134.365868] ? page_fault_oops+0x13d/0x4f0 +[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10 +[ 134.366659] ? schedule+0x27/0xb0 +[ 134.366981] ? exc_page_fault+0x6a/0x140 +[ 134.367356] ? asm_exc_page_fault+0x26/0x30 +[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2] +[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2] +[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2] +[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2] +[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2] +[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2] +[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2] +[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2] +[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2] +[ 134.372994] ? inode_update_timestamps+0x4a/0x120 +[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] +[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] +[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2] +[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2] +[ 134.376971] ? 
security_file_permission+0x29/0x50 +[ 134.377644] vfs_clone_file_range+0xfe/0x320 +[ 134.378268] ioctl_file_clone+0x45/0xa0 +[ 134.378853] do_vfs_ioctl+0x457/0x990 +[ 134.379422] __x64_sys_ioctl+0x6e/0xd0 +[ 134.379987] do_syscall_64+0x5d/0x170 +[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 134.381231] RIP: 0033:0x7fa4926397cb +[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48 +[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb +[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003 +[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000 +[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000 +[ 134.389207] + +Fix it by only aborting transaction and journal in ocfs2_journal_dirty() +now, and leave ocfs2_abort() later when detecting an aborted handle, +e.g. start next transaction. Also log the handle details in this case. 
+ +Link: https://lkml.kernel.org/r/20240530110630.3933832-1-joseph.qi@linux.alibaba.com +Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -778,13 +778,15 @@ void ocfs2_journal_dirty(handle_t *handl + if (!is_handle_aborted(handle)) { + journal_t *journal = handle->h_transaction->t_journal; + +- mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed. " +- "Aborting transaction and journal.\n"); ++ mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed: " ++ "handle type %u started at line %u, credits %u/%u " ++ "errcode %d. Aborting transaction and journal.\n", ++ handle->h_type, handle->h_line_no, ++ handle->h_requested_credits, ++ jbd2_handle_buffer_credits(handle), status); + handle->h_err = status; + jbd2_journal_abort_handle(handle); + jbd2_journal_abort(journal, status); +- ocfs2_abort(bh->b_assoc_map->host->i_sb, +- "Journal already aborted.\n"); + } + } + } diff --git a/queue-6.9/ovl-fix-encoding-fid-for-lower-only-root.patch b/queue-6.9/ovl-fix-encoding-fid-for-lower-only-root.patch new file mode 100644 index 00000000000..b45e1c0da28 --- /dev/null +++ b/queue-6.9/ovl-fix-encoding-fid-for-lower-only-root.patch 
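Review bot: Nothing in ocfs2_journal_dirty() records why the filesystem-level abort is no longer issued here, so a later cleanup could reintroduce a superblock lookup through `bh->b_assoc_map`, which the commit message says is not initialized at this point. A comment above `jbd2_journal_abort(journal, status);` would guard against that: `/* ocfs2_abort() is left to whoever next sees the aborted handle; bh->b_assoc_map may be unset here */`. Separately, the new message prints `handle->h_requested_credits` and `jbd2_handle_buffer_credits(handle)` with `%u`; their declarations are not on this page, but if they are signed ints then `%d/%d` is the matching specifier. The function starts before the hunk.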
@@ -0,0 +1,51 @@
+From 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 14 Jun 2024 09:55:58 +0200
+Subject: ovl: fix encoding fid for lower only root
+
+From: Miklos Szeredi
+
+commit 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 upstream.
+
+ovl_check_encode_origin() should return a positive number if the lower
+dentry is to be encoded, zero otherwise. If there's no upper layer at all
+(read-only overlay), then it obviously needs to return positive.
+
+This was broken by commit 16aac5ad1fa9 ("ovl: support encoding
+non-decodable file handles"), which didn't take the lower-only
+configuration into account.
+
+Fix by checking the no-upper-layer case up-front.
+
+Reported-and-tested-by: Youzhong Yang
+Closes: https://lore.kernel.org/all/CADpNCvaBimi+zCYfRJHvCOhMih8OU0rmZkwLuh24MKKroRuT8Q@mail.gmail.com/
+Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles")
+Cc: # v6.6
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/export.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -181,6 +181,10 @@ static int ovl_check_encode_origin(struc
+ struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
+ bool decodable = ofs->config.nfs_export;
+
++ /* No upper layer? */
++ if (!ovl_upper_mnt(ofs))
++ return 1;
++
+ /* Lower file handle for non-upper non-decodable */
+ if (!ovl_dentry_upper(dentry) && !decodable)
+ return 1;
+@@ -209,7 +213,7 @@ static int ovl_check_encode_origin(struc
+ * ovl_connect_layer() will try to make origin's layer "connected" by
+ * copying up a "connectable" ancestor.
+ */
+- if (d_is_dir(dentry) && ovl_upper_mnt(ofs) && decodable)
++ if (d_is_dir(dentry) && decodable)
+ return ovl_connect_layer(dentry);
+
+ /* Lower file handle for indexed and non-upper dir/non-dir */
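Review bot: The new early return in ovl_check_encode_origin() is documented only by `/* No upper layer? */`, which neither says what returning 1 means here nor that the later `ovl_upper_mnt(ofs)` test was dropped because of it. Since this decides which file handle is exported, I would spell the rule out: `/* No upper layer (lower-only overlay): always encode the lower file handle */`. The second hunk's `if (d_is_dir(dentry) && decodable)` relies on this guard having run first, so the two should not be reordered independently. The function starts before the first hunk and continues past the second.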
diff --git a/queue-6.9/rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch b/queue-6.9/rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch
new file mode 100644
index 00000000000..4c35f4a6abc
--- /dev/null
+++ b/queue-6.9/rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch
@@ -0,0 +1,49 @@
+From 2e4c02fdecf2f6f55cefe48cb82d93fa4f8e2204 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 28 May 2024 15:52:54 +0300
+Subject: RDMA/mlx5: Ensure created mkeys always have a populated rb_key
+
+From: Jason Gunthorpe
+
+commit 2e4c02fdecf2f6f55cefe48cb82d93fa4f8e2204 upstream.
+
+cachable and mmkey.rb_key together are used by mlx5_revoke_mr() to put the
+MR/mkey back into the cache. In all cases they should be set correctly.
+
+alloc_cacheable_mr() was setting cachable but not filling rb_key,
+resulting in cache_ent_find_and_store() bucketing them all into a 0 length
+entry.
+
+implicit_get_child_mr()/mlx5_ib_alloc_implicit_mr() failed to set cachable
+or rb_key at all, so the cache was not working at all for implicit ODP.
+
+Cc: stable@vger.kernel.org
+Fixes: 8c1185fef68c ("RDMA/mlx5: Change check for cacheable mkeys")
+Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow")
+Signed-off-by: Jason Gunthorpe
+Link: https://lore.kernel.org/r/7778c02dfa0999a30d6746c79a23dd7140a9c729.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -718,6 +718,8 @@ static struct mlx5_ib_mr *_mlx5_mr_cache
+ }
+ mr->mmkey.cache_ent = ent;
+ mr->mmkey.type = MLX5_MKEY_MR;
++ mr->mmkey.rb_key = ent->rb_key;
++ mr->mmkey.cacheable = true;
+ init_waitqueue_head(&mr->mmkey.wait);
+ return mr;
+ }
+@@ -1168,7 +1170,6 @@ static struct mlx5_ib_mr *alloc_cacheabl
+ mr->ibmr.pd = pd;
+ mr->umem = umem;
+ mr->page_shift = order_base_2(page_size);
+- mr->mmkey.cacheable = true;
+ set_mr_fields(dev, mr, umem->length, access_flags, iova);
+
+ return mr;
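Review bot: The two assignments added to _mlx5_mr_cache_alloc() establish an invariant that nothing in the code states, namely that `mmkey.cacheable` and `mmkey.rb_key` are set together for every mkey taken from a cache entry, while the second hunk removes the only assignment alloc_cacheable_mr() made itself. I would add `/* cacheable and rb_key must be set together: mlx5_revoke_mr() uses both to return the mkey to the cache */` above them. Any path in alloc_cacheable_mr() that obtains the mr without going through _mlx5_mr_cache_alloc() now has to set both fields on its own; that part of the function is outside the hunk, so it should be checked against the full file.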
diff --git a/queue-6.9/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch b/queue-6.9/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch
new file mode 100644
index 00000000000..5883a602124
--- /dev/null
+++ b/queue-6.9/rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch
@@ -0,0 +1,37 @@
+From f637040c3339a2ed8c12d65ad03f9552386e2fe7 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 28 May 2024 15:52:53 +0300
+Subject: RDMA/mlx5: Follow rb_key.ats when creating new mkeys
+
+From: Jason Gunthorpe
+
+commit f637040c3339a2ed8c12d65ad03f9552386e2fe7 upstream.
+
+When a cache ent already exists but doesn't have any mkeys in it the cache
+will automatically create a new one based on the specification in the
+ent->rb_key.
+
+ent->ats was missed when creating the new key and so ma_translation_mode
+was not being set even though the ent requires it.
+
+Cc: stable@vger.kernel.org
+Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key")
+Signed-off-by: Jason Gunthorpe
+Reviewed-by: Michael Guralnik
+Link: https://lore.kernel.org/r/7c5613458ecb89fbe5606b7aa4c8d990bdea5b9a.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/mr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -246,6 +246,7 @@ static void set_cache_mkc(struct mlx5_ca
+ MLX5_SET(mkc, mkc, access_mode_1_0, ent->rb_key.access_mode & 0x3);
+ MLX5_SET(mkc, mkc, access_mode_4_2,
+ (ent->rb_key.access_mode >> 2) & 0x7);
++ MLX5_SET(mkc, mkc, ma_translation_mode, !!ent->rb_key.ats);
+
+ MLX5_SET(mkc, mkc, translations_octword_size,
+ get_mkc_octo_size(ent->rb_key.access_mode,
diff --git a/queue-6.9/rdma-mlx5-remove-extra-unlock-on-error-path.patch b/queue-6.9/rdma-mlx5-remove-extra-unlock-on-error-path.patch
new file mode 100644
index 00000000000..128941602df
--- /dev/null
+++ b/queue-6.9/rdma-mlx5-remove-extra-unlock-on-error-path.patch
@@ -0,0 +1,38 @@
+From c1eb2512596fb3542357bb6c34c286f5e0374538 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 28 May 2024 15:52:52 +0300
+Subject: RDMA/mlx5: Remove extra unlock on error path
+
+From: Jason Gunthorpe
+
+commit c1eb2512596fb3542357bb6c34c286f5e0374538 upstream.
+
+The below commit lifted the locking out of this function but left this
+error path unlock behind resulting in unbalanced locking. Remove the
+missed unlock too.
+
+Cc: stable@vger.kernel.org
+Fixes: 627122280c87 ("RDMA/mlx5: Add work to remove temporary entries from the cache")
+Signed-off-by: Jason Gunthorpe
+Reviewed-by: Michael Guralnik
+Link: https://lore.kernel.org/r/78090c210c750f47219b95248f9f782f34548bb1.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/mr.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -641,10 +641,8 @@ static int mlx5_cache_ent_insert(struct
+ new = &((*new)->rb_left);
+ if (cmp < 0)
+ new = &((*new)->rb_right);
+- if (cmp == 0) {
+- mutex_unlock(&cache->rb_lock);
++ if (cmp == 0)
+ return -EEXIST;
+- }
+ }
+
+ /* Add new node and rebalance tree. */
diff --git a/queue-6.9/rdma-rxe-fix-data-copy-for-ib_send_inline.patch b/queue-6.9/rdma-rxe-fix-data-copy-for-ib_send_inline.patch
new file mode 100644
index 00000000000..ff273e91365
--- /dev/null
+++ b/queue-6.9/rdma-rxe-fix-data-copy-for-ib_send_inline.patch
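Review bot: mlx5_cache_ent_insert() now depends on its caller holding `cache->rb_lock`, but the function neither states nor enforces that, which is how the stale `mutex_unlock()` on the -EEXIST path survived the earlier refactor. Adding `lockdep_assert_held(&cache->rb_lock);` as the first statement documents the contract and lets lockdep flag any caller that reaches the tree without the lock. The start of the function is outside the hunk, so the exact placement needs the full file.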
@@ -0,0 +1,39 @@
+From 03fa18a992d5626fd7bf3557a52e826bf8b326b3 Mon Sep 17 00:00:00 2001
+From: Honggang LI
+Date: Thu, 16 May 2024 17:50:52 +0800
+Subject: RDMA/rxe: Fix data copy for IB_SEND_INLINE
+
+From: Honggang LI
+
+commit 03fa18a992d5626fd7bf3557a52e826bf8b326b3 upstream.
+
+For RDMA Send and Write with IB_SEND_INLINE, the memory buffers
+specified in sge list will be placed inline in the Send Request.
+
+The data should be copied by CPU from the virtual addresses of
+corresponding sge list DMA addresses.
+
+Cc: stable@kernel.org
+Fixes: 8d7c7c0eeb74 ("RDMA: Add ib_virt_dma_to_page()")
+Signed-off-by: Honggang LI
+Link: https://lore.kernel.org/r/20240516095052.542767-1-honggangli@163.com
+Reviewed-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -812,7 +812,7 @@ static void copy_inline_data_to_wqe(stru
+ int i;
+
+ for (i = 0; i < ibwr->num_sge; i++, sge++) {
+- memcpy(p, ib_virt_dma_to_page(sge->addr), sge->length);
++ memcpy(p, ib_virt_dma_to_ptr(sge->addr), sge->length);
+ p += sge->length;
+ }
+ }
diff --git a/queue-6.9/scsi-core-introduce-the-blist_skip_io_hints-flag.patch b/queue-6.9/scsi-core-introduce-the-blist_skip_io_hints-flag.patch
new file mode 100644
index 00000000000..9f007a6c977
--- /dev/null
+++ b/queue-6.9/scsi-core-introduce-the-blist_skip_io_hints-flag.patch
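Review bot: The loop in copy_inline_data_to_wqe() copies `sge->length` bytes per element and advances `p` with no bound visible in this hunk, so the destination's safety rests entirely on an earlier check of the total inline length. With the source now being the buffer each sge actually refers to, that dependency is worth stating next to the copy, e.g. `/* the summed sge lengths were checked against the inline limit before this is called */`, once it is confirmed that the caller does so (not visible here). The function signature and the declaration of `p` are outside the hunk.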
@@ -0,0 +1,61 @@
+From 633aeefafc9c2a07a76a62be6aac1d73c3e3defa Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 13 Jun 2024 14:18:26 -0700
+Subject: scsi: core: Introduce the BLIST_SKIP_IO_HINTS flag
+
+From: Bart Van Assche
+
+commit 633aeefafc9c2a07a76a62be6aac1d73c3e3defa upstream.
+
+Prepare for skipping the IO Advice Hints Grouping mode page for USB storage
+devices.
+
+Cc: Alan Stern
+Cc: Joao Machado
+Cc: Andy Shevchenko
+Cc: Christian Heusel
+Cc: stable@vger.kernel.org
+Fixes: 4f53138fffc2 ("scsi: sd: Translate data lifetime information")
+Signed-off-by: Bart Van Assche
+Link: https://lore.kernel.org/r/20240613211828.2077477-2-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 4 ++++
+ include/scsi/scsi_devinfo.h | 4 +++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -63,6 +63,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3125,6 +3126,9 @@ static void sd_read_io_hints(struct scsi
+ struct scsi_mode_data data;
+ int res;
+
++ if (sdp->sdev_bflags & BLIST_SKIP_IO_HINTS)
++ return;
++
+ res = scsi_mode_sense(sdp, /*dbd=*/0x8, /*modepage=*/0x0a,
+ /*subpage=*/0x05, buffer, SD_BUF_SIZE, SD_TIMEOUT,
+ sdkp->max_retries, &data, &sshdr);
+--- a/include/scsi/scsi_devinfo.h
++++ b/include/scsi/scsi_devinfo.h
+@@ -69,8 +69,10 @@
+ #define BLIST_RETRY_ITF ((__force blist_flags_t)(1ULL << 32))
+ /* Always retry ABORTED_COMMAND with ASC 0xc1 */
+ #define BLIST_RETRY_ASC_C1 ((__force blist_flags_t)(1ULL << 33))
++/* Do not query the IO Advice Hints Grouping mode page */
++#define BLIST_SKIP_IO_HINTS ((__force blist_flags_t)(1ULL << 34))
+
+-#define __BLIST_LAST_USED BLIST_RETRY_ASC_C1
++#define __BLIST_LAST_USED BLIST_SKIP_IO_HINTS
+
+ #define __BLIST_HIGH_UNUSED (~(__BLIST_LAST_USED | \
+ (__force blist_flags_t) \
diff --git a/queue-6.9/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch b/queue-6.9/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch
new file mode 100644
index 00000000000..97b9cd15b67
--- /dev/null
+++ b/queue-6.9/scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch
@@ -0,0 +1,56 @@ +From 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 Mon Sep 17 00:00:00 2001 +From: Joel Slebodnick +Date: Thu, 13 Jun 2024 14:27:28 -0400 +Subject: scsi: ufs: core: Free memory allocated for model before reinit + +From: Joel Slebodnick + +commit 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 upstream. + +Under the conditions that a device is to be reinitialized within +ufshcd_probe_hba(), the device must first be fully reset. + +Resetting the device should include freeing U8 model (member of dev_info) +but does not, and this causes a memory leak. ufs_put_device_desc() is +responsible for freeing model. + +unreferenced object 0xffff3f63008bee60 (size 32): + comm "kworker/u33:1", pid 60, jiffies 4294892642 + hex dump (first 32 bytes): + 54 48 47 4a 46 47 54 30 54 32 35 42 41 5a 5a 41 THGJFGT0T25BAZZA + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc ed7ff1a9): + [] kmemleak_alloc+0x34/0x40 + [] __kmalloc_noprof+0x1e4/0x2fc + [] ufshcd_read_string_desc+0x94/0x190 + [] ufshcd_device_init+0x480/0xdf8 + [] ufshcd_probe_hba+0x3c/0x404 + [] ufshcd_async_scan+0x40/0x370 + [] async_run_entry_fn+0x34/0xe0 + [] process_one_work+0x154/0x298 + [] worker_thread+0x2f8/0x408 + [] kthread+0x114/0x118 + [] ret_from_fork+0x10/0x20 + +Fixes: 96a7141da332 ("scsi: ufs: core: Add support for reinitializing the UFS device") +Cc: +Reviewed-by: Andrew Halaney +Reviewed-by: Bart Van Assche +Signed-off-by: Joel Slebodnick +Link: https://lore.kernel.org/r/20240613200202.2524194-1-jslebodn@redhat.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8972,6 +8972,7 @@ static int ufshcd_probe_hba(struct ufs_h + (hba->quirks & UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH)) { + /* Reset the device and controller before doing reinit */ + ufshcd_device_reset(hba); ++ ufs_put_device_desc(hba); + ufshcd_hba_stop(hba); + ufshcd_vops_reinit_notify(hba); + ret = ufshcd_hba_enable(hba); diff --git a/queue-6.9/scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch b/queue-6.9/scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch new file mode 100644 index 00000000000..733ec22ad75 --- /dev/null +++ b/queue-6.9/scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch 
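Review bot: The added `ufs_put_device_desc(hba);` frees the model string in the middle of the reinit sequence, and the `ufshcd_hba_enable()` call that follows can fail and leave through an error path outside this hunk. If any later teardown calls ufs_put_device_desc() again, this is safe only when that helper clears the `model` pointer in dev_info after freeing it; its body is not on this page, so that should be confirmed. The comment above the sequence could be widened to match: `/* Reset the device and controller, and free dev_info's model string, before doing reinit */`. ufshcd_probe_hba() starts before and continues after the hunk.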
@@ -0,0 +1,75 @@ +From 57619f3cdeb5ae9f4252833b0ed600e9f81da722 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 13 Jun 2024 14:18:27 -0700 +Subject: scsi: usb: uas: Do not query the IO Advice Hints Grouping mode page for USB/UAS devices + +From: Bart Van Assche + +commit 57619f3cdeb5ae9f4252833b0ed600e9f81da722 upstream. + +Recently it was reported that the following USB storage devices are +unusable with Linux kernel 6.9: + + * Kingston DataTraveler G2 + * Garmin FR35 + +This is because attempting to read the IO Advice Hints Grouping mode page +causes these devices to reset. Hence do not read the IO Advice Hints +Grouping mode page from USB/UAS storage devices. + +Acked-by: Alan Stern +Cc: stable@vger.kernel.org +Fixes: 4f53138fffc2 ("scsi: sd: Translate data lifetime information") +Reported-by: Joao Machado +Closes: https://lore.kernel.org/linux-scsi/20240130214911.1863909-1-bvanassche@acm.org/T/#mf4e3410d8f210454d7e4c3d1fb5c0f41e651b85f +Tested-by: Andy Shevchenko +Bisected-by: Christian Heusel +Reported-by: Andy Shevchenko +Closes: https://lore.kernel.org/linux-scsi/CACLx9VdpUanftfPo2jVAqXdcWe8Y43MsDeZmMPooTzVaVJAh2w@mail.gmail.com/ +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240613211828.2077477-3-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/scsiglue.c | 6 ++++++ + drivers/usb/storage/uas.c | 7 +++++++ + 2 files changed, 13 insertions(+) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -86,6 +86,12 @@ static int slave_alloc (struct scsi_devi + if (us->protocol == USB_PR_BULK && us->max_lun > 0) + sdev->sdev_bflags |= BLIST_FORCELUN; + ++ /* ++ * Some USB storage devices reset if the IO advice hints grouping mode ++ * page is queried. Hence skip that mode page. 
++ */ ++ sdev->sdev_bflags |= BLIST_SKIP_IO_HINTS; ++ + return 0; + } + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -820,6 +821,12 @@ static int uas_slave_alloc(struct scsi_d + struct uas_dev_info *devinfo = + (struct uas_dev_info *)sdev->host->hostdata; + ++ /* ++ * Some USB storage devices reset if the IO advice hints grouping mode ++ * page is queried. Hence skip that mode page. ++ */ ++ sdev->sdev_bflags |= BLIST_SKIP_IO_HINTS; ++ + sdev->hostdata = devinfo; + + /* diff --git a/queue-6.9/series b/queue-6.9/series index 0b0ce356c80..99878359ce8 100644 --- a/queue-6.9/series +++ b/queue-6.9/series 
@@ -179,3 +179,42 @@ rdma-mana_ib-ignore-optional-access-flags-for-mrs.patch acpi-ec-evaluate-orphan-_reg-under-ec-device.patch ext4-avoid-overflow-when-setting-values-via-sysfs.patch ext4-fix-slab-out-of-bounds-in-ext4_mb_find_good_group_avg_frag_lists.patch +net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch +net-stmmac-assign-configured-channel-value-to-extts-event.patch +net-usb-ax88179_178a-improve-reset-check.patch +net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch +net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch +btrfs-retry-block-group-reclaim-without-infinite-loop.patch +scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch +cifs-fix-typo-in-module-parameter-enable_gcm_256.patch +loongarch-fix-watchpoint-setting-error.patch +loongarch-trigger-user-space-watchpoints-correctly.patch +loongarch-fix-multiple-hardware-watchpoint-issues.patch +kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch +kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch +kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch +rdma-rxe-fix-data-copy-for-ib_send_inline.patch +rdma-mlx5-remove-extra-unlock-on-error-path.patch +rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch +rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch +ovl-fix-encoding-fid-for-lower-only-root.patch +wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch +alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch +alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch +drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch +drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch +drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch +drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch +drm-amd-display-remove-redundant-idle-optimization-check.patch 
+drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch +dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch +ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch +ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch +scsi-core-introduce-the-blist_skip_io_hints-flag.patch +scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch +ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch +dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch +net-tcp_ao-don-t-leak-ao_info-on-error-path.patch +gcov-add-support-for-gcc-14.patch +kcov-don-t-lose-track-of-remote-references-during-softirqs.patch diff --git a/queue-6.9/wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch b/queue-6.9/wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch new file mode 100644 index 00000000000..fafa5b6cd23 --- /dev/null +++ b/queue-6.9/wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch 
@@ -0,0 +1,127 @@ +From 0d9c2beed116e623ac30810d382bd67163650f98 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 12 Jun 2024 12:23:51 +0200 +Subject: wifi: mac80211: fix monitor channel with chanctx emulation + +From: Johannes Berg + +commit 0d9c2beed116e623ac30810d382bd67163650f98 upstream. + +After the channel context emulation, there were reports that +changing the monitor channel no longer works. This is because +those drivers don't have WANT_MONITOR_VIF, so the setting the +channel always exits out quickly. + +Fix this by always allocating the virtual monitor sdata, and +simply not telling the driver about it unless it wanted to. +This way, we have an interface/sdata to bind the chanctx to, +and the emulation can work correctly. + +Cc: stable@vger.kernel.org +Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") +Reported-and-tested-by: Savyasaachi Vanga +Closes: https://lore.kernel.org/r/chwoymvpzwtbmzryrlitpwmta5j6mtndocxsyqvdyikqu63lon@gfds653hkknl +Link: https://msgid.link/20240612122351.b12d4a109dde.I1831a44417faaab92bea1071209abbe4efbe3fba@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/driver-ops.c | 17 +++++++++++++++++ + net/mac80211/iface.c | 21 +++++++++------------ + net/mac80211/util.c | 2 +- + 3 files changed, 27 insertions(+), 13 deletions(-) + +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -311,6 +311,18 @@ int drv_assign_vif_chanctx(struct ieee80 + might_sleep(); + lockdep_assert_wiphy(local->hw.wiphy); + ++ /* ++ * We should perhaps push emulate chanctx down and only ++ * make it call ->config() when the chanctx is actually ++ * assigned here (and unassigned below), but that's yet ++ * another change to all drivers to add assign/unassign ++ * emulation callbacks. Maybe later. 
++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR && ++ local->emulate_chanctx && ++ !ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) ++ return 0; ++ + if (!check_sdata_in_driver(sdata)) + return -EIO; + +@@ -338,6 +350,11 @@ void drv_unassign_vif_chanctx(struct iee + might_sleep(); + lockdep_assert_wiphy(local->hw.wiphy); + ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR && ++ local->emulate_chanctx && ++ !ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1122,9 +1122,6 @@ int ieee80211_add_virtual_monitor(struct + struct ieee80211_sub_if_data *sdata; + int ret; + +- if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) +- return 0; +- + ASSERT_RTNL(); + lockdep_assert_wiphy(local->hw.wiphy); + +@@ -1146,11 +1143,13 @@ int ieee80211_add_virtual_monitor(struct + + ieee80211_set_default_queues(sdata); + +- ret = drv_add_interface(local, sdata); +- if (WARN_ON(ret)) { +- /* ok .. stupid driver, it asked for this! */ +- kfree(sdata); +- return ret; ++ if (ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) { ++ ret = drv_add_interface(local, sdata); ++ if (WARN_ON(ret)) { ++ /* ok .. stupid driver, it asked for this! 
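Review bot: The three-part test on `sdata->vif.type`, `local->emulate_chanctx` and `WANT_MONITOR_VIF` is pasted into both drv_assign_vif_chanctx() and drv_unassign_vif_chanctx(), and it has to stay in step with the WANT_MONITOR_VIF checks this patch adds in iface.c and util.c. If the copies drift, the driver could be asked to unassign a context it was never given, or to act on an interface it was never told about. One static helper in driver-ops.c keeps the rule in a single place; the long explanatory comment in the assign path can stay where it is. Both functions start before and continue after their hunks, and the helper name below is only a suggestion.

```c
/* Monitor sdata that exists only for chanctx emulation; the driver never saw it. */
static bool drv_monitor_hidden_from_driver(struct ieee80211_local *local,
					   struct ieee80211_sub_if_data *sdata)
{
	return sdata->vif.type == NL80211_IFTYPE_MONITOR &&
	       local->emulate_chanctx &&
	       !ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF);
}

/* … unchanged: might_sleep() and lockdep_assert_wiphy() in drv_assign_vif_chanctx() … */
	if (drv_monitor_hidden_from_driver(local, sdata))
		return 0;

/* … unchanged: might_sleep() and lockdep_assert_wiphy() in drv_unassign_vif_chanctx() … */
	if (drv_monitor_hidden_from_driver(local, sdata))
		return;
```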
*/ ++ kfree(sdata); ++ return ret; ++ } + } + + set_bit(SDATA_STATE_RUNNING, &sdata->state); +@@ -1188,9 +1187,6 @@ void ieee80211_del_virtual_monitor(struc + { + struct ieee80211_sub_if_data *sdata; + +- if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) +- return; +- + ASSERT_RTNL(); + lockdep_assert_wiphy(local->hw.wiphy); + +@@ -1210,7 +1206,8 @@ void ieee80211_del_virtual_monitor(struc + + ieee80211_link_release_channel(&sdata->deflink); + +- drv_remove_interface(local, sdata); ++ if (ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) ++ drv_remove_interface(local, sdata); + + kfree(sdata); + } +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1841,7 +1841,7 @@ int ieee80211_reconfig(struct ieee80211_ + + /* add interfaces */ + sdata = wiphy_dereference(local->hw.wiphy, local->monitor_sdata); +- if (sdata) { ++ if (sdata && ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) { + /* in HW restart it exists already */ + WARN_ON(local->resuming); + res = drv_add_interface(local, sdata);