From: Greg Kroah-Hartman Date: Sat, 14 Jan 2023 10:03:19 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.14.303~72 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=351262c8f1630165718897eb94d6b4685d2cfc23;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch alsa-control-led-use-strscpy-in-set_led_id.patch alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch alsa-hda-realtek-turn-on-power-early.patch alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch docs-fix-the-docs-build-with-sphinx-6.0.patch drm-amd-delay-removal-of-the-firmware-framebuffer.patch drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch drm-i915-fix-potential-context-uafs.patch drm-i915-gt-reset-twice.patch drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch drm-optimize-drm-buddy-top-down-allocation-method.patch drm-virtio-fix-gem-handle-creation-uaf.patch efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch efi-tpm-avoid-read_once-for-accessing-the-event-log.patch elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch 
kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch s390-kexec-fix-ipl-report-address-for-kdump.patch s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch series --- diff --git a/queue-6.1/acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch b/queue-6.1/acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch new file mode 100644 index 00000000000..b2c1f0cf01e --- /dev/null +++ b/queue-6.1/acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch 
@@ -0,0 +1,140 @@ +From f64e4275ef7407d5c3eca20436519bbd1f796e40 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 10 Jan 2023 16:30:28 +0100 +Subject: ACPI: Fix selecting wrong ACPI fwnode for the iGPU on some Dell laptops + +From: Hans de Goede + +commit f64e4275ef7407d5c3eca20436519bbd1f796e40 upstream. + +The Dell Latitude E6430 both with and without the optional NVidia dGPU +has a bug in its ACPI tables which is causing Linux to assign the wrong +ACPI fwnode / companion to the pci_device for the i915 iGPU. + +Specifically under the PCI root bridge there are these 2 ACPI Device()s : + + Scope (_SB.PCI0) + { + Device (GFX0) + { + Name (_ADR, 0x00020000) // _ADR: Address + } + + ... + + Device (VID) + { + Name (_ADR, 0x00020000) // _ADR: Address + ... + + Method (_DOS, 1, NotSerialized) // _DOS: Disable Output Switching + { + VDP8 = Arg0 + VDP1 (One, VDP8) + } + + Method (_DOD, 0, NotSerialized) // _DOD: Display Output Devices + { + ... + } + ... + } + } + +The non-functional GFX0 ACPI device is a problem, because this gets +returned as ACPI companion-device by acpi_find_child_device() for the iGPU. + +This is a long standing problem and the i915 driver does use the ACPI +companion for some things, but works fine without it. + +However since commit 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()") +acpi_get_pci_dev() relies on the physical-node pointer in the acpi_device +and that is set on the wrong acpi_device because of the wrong +acpi_find_child_device() return. This breaks the ACPI video code, +leading to non working backlight control in some cases. + +Add a type.backlight flag, mark ACPI video bus devices with this and make +find_child_checks() return a higher score for children with this flag set, +so that it picks the right companion-device. + +Fixes: 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()") +Co-developed-by: Rafael J. Wysocki +Signed-off-by: Hans de Goede +Cc: 6.1+ # 6.1+ +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/glue.c | 14 ++++++++++++-- + drivers/acpi/scan.c | 7 +++++-- + include/acpi/acpi_bus.h | 3 ++- + 3 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c +index 204fe94c7e45..a194f30876c5 100644 +--- a/drivers/acpi/glue.c ++++ b/drivers/acpi/glue.c +@@ -75,7 +75,8 @@ static struct acpi_bus_type *acpi_get_bus_type(struct device *dev) + } + + #define FIND_CHILD_MIN_SCORE 1 +-#define FIND_CHILD_MAX_SCORE 2 ++#define FIND_CHILD_MID_SCORE 2 ++#define FIND_CHILD_MAX_SCORE 3 + + static int match_any(struct acpi_device *adev, void *not_used) + { +@@ -96,8 +97,17 @@ static int find_child_checks(struct acpi_device *adev, bool check_children) + return -ENODEV; + + status = acpi_evaluate_integer(adev->handle, "_STA", NULL, &sta); +- if (status == AE_NOT_FOUND) ++ if (status == AE_NOT_FOUND) { ++ /* ++ * Special case: backlight device objects without _STA are ++ * preferred to other objects with the same _ADR value, because ++ * it is more likely that they are actually useful. ++ */ ++ if (adev->pnp.type.backlight) ++ return FIND_CHILD_MID_SCORE; ++ + return FIND_CHILD_MIN_SCORE; ++ } + + if (ACPI_FAILURE(status) || !(sta & ACPI_STA_DEVICE_ENABLED)) + return -ENODEV; +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index 274344434282..0c6f06abe3f4 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1370,9 +1370,12 @@ static void acpi_set_pnp_ids(acpi_handle handle, struct acpi_device_pnp *pnp, + * Some devices don't reliably have _HIDs & _CIDs, so add + * synthetic HIDs to make sure drivers can find them. 
+ */ +- if (acpi_is_video_device(handle)) ++ if (acpi_is_video_device(handle)) { + acpi_add_id(pnp, ACPI_VIDEO_HID); +- else if (acpi_bay_match(handle)) ++ pnp->type.backlight = 1; ++ break; ++ } ++ if (acpi_bay_match(handle)) + acpi_add_id(pnp, ACPI_BAY_HID); + else if (acpi_dock_match(handle)) + acpi_add_id(pnp, ACPI_DOCK_HID); +diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h +index cd3b75e08ec3..e44be31115a6 100644 +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -230,7 +230,8 @@ struct acpi_pnp_type { + u32 hardware_id:1; + u32 bus_address:1; + u32 platform_id:1; +- u32 reserved:29; ++ u32 backlight:1; ++ u32 reserved:28; + }; + + struct acpi_device_pnp { +-- +2.39.0 + diff --git a/queue-6.1/alsa-control-led-use-strscpy-in-set_led_id.patch b/queue-6.1/alsa-control-led-use-strscpy-in-set_led_id.patch new file mode 100644 index 00000000000..b292874c7b8 --- /dev/null +++ b/queue-6.1/alsa-control-led-use-strscpy-in-set_led_id.patch 
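Review bot: The new `backlight:1` bit in `struct acpi_pnp_type` (include/acpi/acpi_bus.h) is undocumented, so its meaning can only be worked out by reading the scan.c and glue.c hunks together. I would annotate the field, e.g. `u32 backlight:1;	/* ACPI video bus device, see acpi_set_pnp_ids() */`. I would also add a one-line comment above `FIND_CHILD_MID_SCORE` in drivers/acpi/glue.c saying it is returned only for backlight-flagged devices that have no `_STA`. The struct and both functions continue outside the visible hunks.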
@@ -0,0 +1,43 @@ +From 70051cffb31b5ee09096351c3b41fcae6f89de31 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Mon, 9 Jan 2023 16:12:49 +0100 +Subject: ALSA: control-led: use strscpy in set_led_id() + +From: Jaroslav Kysela + +commit 70051cffb31b5ee09096351c3b41fcae6f89de31 upstream. + +The use of strncpy() in the set_led_id() was incorrect. +The len variable should use 'min(sizeof(buf2) - 1, count)' +expression. + +Use strscpy() function to simplify things and handle the error gracefully. + +Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer") +Reported-by: yang.yang29@zte.com.cn +Link: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/ +Cc: +Signed-off-by: Jaroslav Kysela +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control_led.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/sound/core/control_led.c ++++ b/sound/core/control_led.c +@@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl + bool attach) + { + char buf2[256], *s, *os; +- size_t len = max(sizeof(s) - 1, count); + struct snd_ctl_elem_id id; + int err; + +- strncpy(buf2, buf, len); +- buf2[len] = '\0'; ++ if (strscpy(buf2, buf, sizeof(buf2)) < 0) ++ return -E2BIG; + memset(&id, 0, sizeof(id)); + id.iface = SNDRV_CTL_ELEM_IFACE_MIXER; + s = buf2; diff --git a/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch b/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch new file mode 100644 index 00000000000..acbfd8f3113 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch 
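Review bot: In `set_led_id()` (sound/core/control_led.c) the copy into `buf2` no longer consults `count`: `strscpy(buf2, buf, sizeof(buf2))` stops only at a NUL in `buf` or at the 256-byte limit. That is safe only if every caller passes a NUL-terminated buffer, which the hunk does not show. This presumably holds if it is reached from a sysfs store handler, but it should be stated. I would add a comment above the call such as `/* buf is NUL-terminated by the caller; strscpy() bounds the copy and reports truncation */`. The signature and the rest of the body are outside the hunk.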
@@ -0,0 +1,82 @@ +From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 10 Jan 2023 21:25:14 +0100 +Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx + +From: Luka Guzenko + +commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream. + +The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04 +controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED. +A quirk was added to make these work as well as a fixup. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4646,6 +4646,16 @@ static void alc285_fixup_hp_coef_micmute + } + } + ++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ spec->micmute_led_polarity = 1; ++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04); ++} ++ + static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -4667,6 +4677,13 @@ static void alc285_fixup_hp_mute_led(str + alc285_fixup_hp_coef_micmute_led(codec, fix, action); + } + ++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ alc285_fixup_hp_mute_led_coefbit(codec, fix, action); ++ alc285_fixup_hp_gpio_micmute_led(codec, fix, action); ++} ++ + static void alc236_fixup_hp_mute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -7108,6 +7125,7 @@ enum { + ALC285_FIXUP_ASUS_G533Z_PINS, + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, ++ 
ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8488,6 +8506,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_mute_led, + }, ++ [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_spectre_x360_mute_led, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9330,6 +9352,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO), + SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), ++ SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), diff --git a/queue-6.1/alsa-hda-realtek-turn-on-power-early.patch b/queue-6.1/alsa-hda-realtek-turn-on-power-early.patch new file mode 100644 index 00000000000..91d9dd5d153 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-turn-on-power-early.patch 
@@ -0,0 +1,81 @@ +From 1f680609bf1beac20e2a31ddcb1b88874123c39f Mon Sep 17 00:00:00 2001 +From: Yuchi Yang +Date: Fri, 30 Dec 2022 15:22:25 +0800 +Subject: ALSA: hda/realtek - Turn on power early + +From: Yuchi Yang + +commit 1f680609bf1beac20e2a31ddcb1b88874123c39f upstream. + +Turn on power early to avoid wrong state for power relation register. +This can earlier update JD state when resume back. + +Signed-off-by: Yuchi Yang +Cc: +Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3564,6 +3564,15 @@ static void alc256_init(struct hda_codec + hda_nid_t hp_pin = alc_get_hp_pin(spec); + bool hp_pin_sense; + ++ if (spec->ultra_low_power) { ++ alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1); ++ alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2); ++ alc_update_coef_idx(codec, 0x08, 7<<4, 0); ++ alc_update_coef_idx(codec, 0x3b, 1<<15, 0); ++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); ++ msleep(30); ++ } ++ + if (!hp_pin) + hp_pin = 0x21; + +@@ -3575,14 +3584,6 @@ static void alc256_init(struct hda_codec + msleep(2); + + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ +- if (spec->ultra_low_power) { +- alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1); +- alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2); +- alc_update_coef_idx(codec, 0x08, 7<<4, 0); +- alc_update_coef_idx(codec, 0x3b, 1<<15, 0); +- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); +- msleep(30); +- } + + snd_hda_codec_write(codec, hp_pin, 0, + AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); +@@ -3713,6 +3714,13 @@ static void alc225_init(struct hda_codec + hda_nid_t hp_pin = alc_get_hp_pin(spec); + bool hp1_pin_sense, hp2_pin_sense; + ++ if (spec->ultra_low_power) { ++ alc_update_coef_idx(codec, 0x08, 0x0f << 2, 
3<<2); ++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); ++ alc_update_coef_idx(codec, 0x33, 1<<11, 0); ++ msleep(30); ++ } ++ + if (spec->codec_variant != ALC269_TYPE_ALC287 && + spec->codec_variant != ALC269_TYPE_ALC245) + /* required only at boot or S3 and S4 resume time */ +@@ -3734,12 +3742,6 @@ static void alc225_init(struct hda_codec + msleep(2); + + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ +- if (spec->ultra_low_power) { +- alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2); +- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); +- alc_update_coef_idx(codec, 0x33, 1<<11, 0); +- msleep(30); +- } + + if (hp1_pin_sense || spec->ultra_low_power) + snd_hda_codec_write(codec, hp_pin, 0, diff --git a/queue-6.1/alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch b/queue-6.1/alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch new file mode 100644 index 00000000000..73dc382e7b1 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch 
@@ -0,0 +1,54 @@ +From 291e9da91403e0e628d7692b5ed505100e7b7706 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Mon, 9 Jan 2023 15:11:33 +0100 +Subject: ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format() + +From: Jaroslav Kysela + +commit 291e9da91403e0e628d7692b5ed505100e7b7706 upstream. + +Handle the fallback code path, too. + +Fixes: fd28941cff1c ("ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless") +BugLink: https://lore.kernel.org/alsa-devel/Y7frf3N%2FxzvESEsN@kili/ +Reported-by: Dan Carpenter +Cc: +Signed-off-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20230109141133.335543-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/implicit.c | 3 ++- + sound/usb/pcm.c | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/usb/implicit.c ++++ b/sound/usb/implicit.c +@@ -471,7 +471,7 @@ snd_usb_find_implicit_fb_sync_format(str + subs = find_matching_substream(chip, stream, target->sync_ep, + target->fmt_type); + if (!subs) +- return sync_fmt; ++ goto end; + + high_score = 0; + list_for_each_entry(fp, &subs->fmt_list, list) { +@@ -485,6 +485,7 @@ snd_usb_find_implicit_fb_sync_format(str + } + } + ++ end: + if (fixed_rate) + *fixed_rate = snd_usb_pcm_has_fixed_rate(subs); + return sync_fmt; +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -163,6 +163,8 @@ bool snd_usb_pcm_has_fixed_rate(struct s + struct snd_usb_audio *chip = subs->stream->chip; + int rate = -1; + ++ if (!subs) ++ return false; + if (!(chip->quirk_flags & QUIRK_FLAG_FIXED_RATE)) + return false; + list_for_each_entry(fp, &subs->fmt_list, list) { diff --git a/queue-6.1/arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch b/queue-6.1/arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch new file mode 100644 index 00000000000..b4864379079 --- /dev/null +++ b/queue-6.1/arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch 
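Review bot: The NULL check added to `snd_usb_pcm_has_fixed_rate()` in sound/usb/pcm.c comes too late, because the context line above it, `struct snd_usb_audio *chip = subs->stream->chip;`, already dereferences `subs` in its initializer. The implicit.c hunk now routes the `!subs` case through `goto end`, so a NULL `subs` reaches this function whenever `fixed_rate` is non-NULL. The compiler is also entitled to treat the late check as dead code. Declare `struct snd_usb_audio *chip;` without an initializer and assign `chip = subs->stream->chip;` after `if (!subs) return false;`. The function body continues past the hunk.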
@@ -0,0 +1,178 @@ +From 031af50045ea97ed4386eb3751ca2c134d0fc911 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 4 Jan 2023 15:16:26 +0000 +Subject: arm64: cmpxchg_double*: hazard against entire exchange variable + +From: Mark Rutland + +commit 031af50045ea97ed4386eb3751ca2c134d0fc911 upstream. + +The inline assembly for arm64's cmpxchg_double*() implementations use a ++Q constraint to hazard against other accesses to the memory location +being exchanged. However, the pointer passed to the constraint is a +pointer to unsigned long, and thus the hazard only applies to the first +8 bytes of the location. + +GCC can take advantage of this, assuming that other portions of the +location are unchanged, leading to a number of potential problems. + +This is similar to what we fixed back in commit: + + fee960bed5e857eb ("arm64: xchg: hazard against entire exchange variable") + +... but we forgot to adjust cmpxchg_double*() similarly at the same +time. + +The same problem applies, as demonstrated with the following test: + +| struct big { +| u64 lo, hi; +| } __aligned(128); +| +| unsigned long foo(struct big *b) +| { +| u64 hi_old, hi_new; +| +| hi_old = b->hi; +| cmpxchg_double_local(&b->lo, &b->hi, 0x12, 0x34, 0x56, 0x78); +| hi_new = b->hi; +| +| return hi_old ^ hi_new; +| } + +... 
which GCC 12.1.0 compiles as: + +| 0000000000000000 : +| 0: d503233f paciasp +| 4: aa0003e4 mov x4, x0 +| 8: 1400000e b 40 +| c: d2800240 mov x0, #0x12 // #18 +| 10: d2800681 mov x1, #0x34 // #52 +| 14: aa0003e5 mov x5, x0 +| 18: aa0103e6 mov x6, x1 +| 1c: d2800ac2 mov x2, #0x56 // #86 +| 20: d2800f03 mov x3, #0x78 // #120 +| 24: 48207c82 casp x0, x1, x2, x3, [x4] +| 28: ca050000 eor x0, x0, x5 +| 2c: ca060021 eor x1, x1, x6 +| 30: aa010000 orr x0, x0, x1 +| 34: d2800000 mov x0, #0x0 // #0 <--- BANG +| 38: d50323bf autiasp +| 3c: d65f03c0 ret +| 40: d2800240 mov x0, #0x12 // #18 +| 44: d2800681 mov x1, #0x34 // #52 +| 48: d2800ac2 mov x2, #0x56 // #86 +| 4c: d2800f03 mov x3, #0x78 // #120 +| 50: f9800091 prfm pstl1strm, [x4] +| 54: c87f1885 ldxp x5, x6, [x4] +| 58: ca0000a5 eor x5, x5, x0 +| 5c: ca0100c6 eor x6, x6, x1 +| 60: aa0600a6 orr x6, x5, x6 +| 64: b5000066 cbnz x6, 70 +| 68: c8250c82 stxp w5, x2, x3, [x4] +| 6c: 35ffff45 cbnz w5, 54 +| 70: d2800000 mov x0, #0x0 // #0 <--- BANG +| 74: d50323bf autiasp +| 78: d65f03c0 ret + +Notice that at the lines with "BANG" comments, GCC has assumed that the +higher 8 bytes are unchanged by the cmpxchg_double() call, and that +`hi_old ^ hi_new` can be reduced to a constant zero, for both LSE and +LL/SC versions of cmpxchg_double(). + +This patch fixes the issue by passing a pointer to __uint128_t into the ++Q constraint, ensuring that the compiler hazards against the entire 16 +bytes being modified. 
+ +With this change, GCC 12.1.0 compiles the above test as: + +| 0000000000000000 : +| 0: f9400407 ldr x7, [x0, #8] +| 4: d503233f paciasp +| 8: aa0003e4 mov x4, x0 +| c: 1400000f b 48 +| 10: d2800240 mov x0, #0x12 // #18 +| 14: d2800681 mov x1, #0x34 // #52 +| 18: aa0003e5 mov x5, x0 +| 1c: aa0103e6 mov x6, x1 +| 20: d2800ac2 mov x2, #0x56 // #86 +| 24: d2800f03 mov x3, #0x78 // #120 +| 28: 48207c82 casp x0, x1, x2, x3, [x4] +| 2c: ca050000 eor x0, x0, x5 +| 30: ca060021 eor x1, x1, x6 +| 34: aa010000 orr x0, x0, x1 +| 38: f9400480 ldr x0, [x4, #8] +| 3c: d50323bf autiasp +| 40: ca0000e0 eor x0, x7, x0 +| 44: d65f03c0 ret +| 48: d2800240 mov x0, #0x12 // #18 +| 4c: d2800681 mov x1, #0x34 // #52 +| 50: d2800ac2 mov x2, #0x56 // #86 +| 54: d2800f03 mov x3, #0x78 // #120 +| 58: f9800091 prfm pstl1strm, [x4] +| 5c: c87f1885 ldxp x5, x6, [x4] +| 60: ca0000a5 eor x5, x5, x0 +| 64: ca0100c6 eor x6, x6, x1 +| 68: aa0600a6 orr x6, x5, x6 +| 6c: b5000066 cbnz x6, 78 +| 70: c8250c82 stxp w5, x2, x3, [x4] +| 74: 35ffff45 cbnz w5, 5c +| 78: f9400480 ldr x0, [x4, #8] +| 7c: d50323bf autiasp +| 80: ca0000e0 eor x0, x7, x0 +| 84: d65f03c0 ret + +... sampling the high 8 bytes before and after the cmpxchg, and +performing an EOR, as we'd expect. + +For backporting, I've tested this atop linux-4.9.y with GCC 5.5.0. Note +that linux-4.9.y is oldest currently supported stable release, and +mandates GCC 5.1+. Unfortunately I couldn't get a GCC 5.1 binary to run +on my machines due to library incompatibilities. + +I've also used a standalone test to check that we can use a __uint128_t +pointer in a +Q constraint at least as far back as GCC 4.8.5 and LLVM +3.9.1. 
+ +Fixes: 5284e1b4bc8a ("arm64: xchg: Implement cmpxchg_double") +Fixes: e9a4b795652f ("arm64: cmpxchg_dbl: patch in lse instructions when supported by the CPU") +Reported-by: Boqun Feng +Link: https://lore.kernel.org/lkml/Y6DEfQXymYVgL3oJ@boqun-archlinux/ +Reported-by: Peter Zijlstra +Link: https://lore.kernel.org/lkml/Y6GXoO4qmH9OIZ5Q@hirez.programming.kicks-ass.net/ +Signed-off-by: Mark Rutland +Cc: stable@vger.kernel.org +Cc: Arnd Bergmann +Cc: Catalin Marinas +Cc: Steve Capper +Cc: Will Deacon +Link: https://lore.kernel.org/r/20230104151626.3262137-1-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/atomic_ll_sc.h | 2 +- + arch/arm64/include/asm/atomic_lse.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/atomic_ll_sc.h ++++ b/arch/arm64/include/asm/atomic_ll_sc.h +@@ -315,7 +315,7 @@ __ll_sc__cmpxchg_double##name(unsigned l + " cbnz %w0, 1b\n" \ + " " #mb "\n" \ + "2:" \ +- : "=&r" (tmp), "=&r" (ret), "+Q" (*(unsigned long *)ptr) \ ++ : "=&r" (tmp), "=&r" (ret), "+Q" (*(__uint128_t *)ptr) \ + : "r" (old1), "r" (old2), "r" (new1), "r" (new2) \ + : cl); \ + \ +--- a/arch/arm64/include/asm/atomic_lse.h ++++ b/arch/arm64/include/asm/atomic_lse.h +@@ -311,7 +311,7 @@ __lse__cmpxchg_double##name(unsigned lon + " eor %[old2], %[old2], %[oldval2]\n" \ + " orr %[old1], %[old1], %[old2]" \ + : [old1] "+&r" (x0), [old2] "+&r" (x1), \ +- [v] "+Q" (*(unsigned long *)ptr) \ ++ [v] "+Q" (*(__uint128_t *)ptr) \ + : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4), \ + [oldval1] "r" (oldval1), [oldval2] "r" (oldval2) \ + : cl); \ diff --git a/queue-6.1/arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch b/queue-6.1/arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch new file mode 100644 index 00000000000..902d982a8c8 --- /dev/null +++ b/queue-6.1/arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch 
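Review bot: Neither `+Q` operand changed here (arch/arm64/include/asm/atomic_ll_sc.h and atomic_lse.h) has a comment explaining why the cast must be to `__uint128_t`. A later cleanup could narrow it again and reintroduce the miscompilation the commit message describes. I would add a comment above each `cmpxchg_double` macro definition, not inside the asm because of the line continuations, e.g. `/* The +Q operand must span all 16 bytes so the compiler treats both words as modified. */`. Both macro bodies start and end outside the hunks.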
@@ -0,0 +1,143 @@ +From 4f4c549feb4ecca95ae9abb88887b941d196f83a Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 22 Dec 2022 18:12:51 +0000 +Subject: arm64: mte: Avoid the racy walk of the vma list during core dump + +From: Catalin Marinas + +commit 4f4c549feb4ecca95ae9abb88887b941d196f83a upstream. + +The MTE coredump code in arch/arm64/kernel/elfcore.c iterates over the +vma list without the mmap_lock held. This can race with another process +or userfaultfd concurrently modifying the vma list. Change the +for_each_mte_vma macro and its callers to instead use the vma snapshot +taken by dump_vma_snapshot() and stored in the cprm object. + +Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file") +Cc: # 5.18.x +Signed-off-by: Catalin Marinas +Reported-by: Seth Jenkins +Suggested-by: Seth Jenkins +Cc: Will Deacon +Link: https://lore.kernel.org/r/20221222181251.1345752-4-catalin.marinas@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/elfcore.c | 56 ++++++++++++++++++++------------------------ + 1 file changed, 26 insertions(+), 30 deletions(-) + +--- a/arch/arm64/kernel/elfcore.c ++++ b/arch/arm64/kernel/elfcore.c +@@ -8,28 +8,27 @@ + #include + #include + +-#define for_each_mte_vma(vmi, vma) \ ++#define for_each_mte_vma(cprm, i, m) \ + if (system_supports_mte()) \ +- for_each_vma(vmi, vma) \ +- if (vma->vm_flags & VM_MTE) ++ for (i = 0, m = cprm->vma_meta; \ ++ i < cprm->vma_count; \ ++ i++, m = cprm->vma_meta + i) \ ++ if (m->flags & VM_MTE) + +-static unsigned long mte_vma_tag_dump_size(struct vm_area_struct *vma) ++static unsigned long mte_vma_tag_dump_size(struct core_vma_metadata *m) + { +- if (vma->vm_flags & VM_DONTDUMP) +- return 0; +- +- return vma_pages(vma) * MTE_PAGE_TAG_STORAGE; ++ return (m->dump_size >> PAGE_SHIFT) * MTE_PAGE_TAG_STORAGE; + } + + /* Derived from dump_user_range(); start/end must be page-aligned */ + static int mte_dump_tag_range(struct coredump_params *cprm, +- 
unsigned long start, unsigned long end) ++ unsigned long start, unsigned long len) + { + int ret = 1; + unsigned long addr; + void *tags = NULL; + +- for (addr = start; addr < end; addr += PAGE_SIZE) { ++ for (addr = start; addr < start + len; addr += PAGE_SIZE) { + struct page *page = get_dump_page(addr); + + /* +@@ -78,11 +77,11 @@ static int mte_dump_tag_range(struct cor + + Elf_Half elf_core_extra_phdrs(void) + { +- struct vm_area_struct *vma; ++ int i; ++ struct core_vma_metadata *m; + int vma_count = 0; +- VMA_ITERATOR(vmi, current->mm, 0); + +- for_each_mte_vma(vmi, vma) ++ for_each_mte_vma(cprm, i, m) + vma_count++; + + return vma_count; +@@ -90,18 +89,18 @@ Elf_Half elf_core_extra_phdrs(void) + + int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) + { +- struct vm_area_struct *vma; +- VMA_ITERATOR(vmi, current->mm, 0); ++ int i; ++ struct core_vma_metadata *m; + +- for_each_mte_vma(vmi, vma) { ++ for_each_mte_vma(cprm, i, m) { + struct elf_phdr phdr; + + phdr.p_type = PT_AARCH64_MEMTAG_MTE; + phdr.p_offset = offset; +- phdr.p_vaddr = vma->vm_start; ++ phdr.p_vaddr = m->start; + phdr.p_paddr = 0; +- phdr.p_filesz = mte_vma_tag_dump_size(vma); +- phdr.p_memsz = vma->vm_end - vma->vm_start; ++ phdr.p_filesz = mte_vma_tag_dump_size(m); ++ phdr.p_memsz = m->end - m->start; + offset += phdr.p_filesz; + phdr.p_flags = 0; + phdr.p_align = 0; +@@ -115,26 +114,23 @@ int elf_core_write_extra_phdrs(struct co + + size_t elf_core_extra_data_size(void) + { +- struct vm_area_struct *vma; ++ int i; ++ struct core_vma_metadata *m; + size_t data_size = 0; +- VMA_ITERATOR(vmi, current->mm, 0); + +- for_each_mte_vma(vmi, vma) +- data_size += mte_vma_tag_dump_size(vma); ++ for_each_mte_vma(cprm, i, m) ++ data_size += mte_vma_tag_dump_size(m); + + return data_size; + } + + int elf_core_write_extra_data(struct coredump_params *cprm) + { +- struct vm_area_struct *vma; +- VMA_ITERATOR(vmi, current->mm, 0); +- +- for_each_mte_vma(vmi, vma) { +- if 
(vma->vm_flags & VM_DONTDUMP) +- continue; ++ int i; ++ struct core_vma_metadata *m; + +- if (!mte_dump_tag_range(cprm, vma->vm_start, vma->vm_end)) ++ for_each_mte_vma(cprm, i, m) { ++ if (!mte_dump_tag_range(cprm, m->start, m->dump_size)) + return 0; + } + diff --git a/queue-6.1/arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch b/queue-6.1/arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch new file mode 100644 index 00000000000..abccbb4df13 --- /dev/null +++ b/queue-6.1/arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch @@ -0,0 +1,36 @@ +From 736eedc974eaafbf4360e0ea85fc892cea72a223 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 22 Dec 2022 18:12:49 +0000 +Subject: arm64: mte: Fix double-freeing of the temporary tag storage during coredump + +From: Catalin Marinas + +commit 736eedc974eaafbf4360e0ea85fc892cea72a223 upstream. + +Commit 16decce22efa ("arm64: mte: Fix the stack frame size warning in +mte_dump_tag_range()") moved the temporary tag storage array from the +stack to slab but it also introduced an error in double freeing this +object. Remove the in-loop freeing. + +Fixes: 16decce22efa ("arm64: mte: Fix the stack frame size warning in mte_dump_tag_range()") +Cc: # 5.18.x +Signed-off-by: Catalin Marinas +Reported-by: Seth Jenkins +Cc: Will Deacon +Link: https://lore.kernel.org/r/20221222181251.1345752-2-catalin.marinas@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/elfcore.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/kernel/elfcore.c ++++ b/arch/arm64/kernel/elfcore.c +@@ -65,7 +65,6 @@ static int mte_dump_tag_range(struct cor + mte_save_page_tags(page_address(page), tags); + put_page(page); + if (!dump_emit(cprm, tags, MTE_PAGE_TAG_STORAGE)) { +- mte_free_tag_storage(tags); + ret = 0; + break; + } 
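Review bot: In the arm64 MTE racy-walk patch (arch/arm64/kernel/elfcore.c), `elf_core_extra_phdrs(void)` and `elf_core_extra_data_size(void)` now expand `for_each_mte_vma(cprm, i, m)`, but their visible signatures put no `cprm` in scope. As shown, this patch would not build on its own. It appears to rely on elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch from the same commit, and the `series` ordering is not visible here. Confirm that each intermediate state of the queue builds, or fold the signature change, presumably `Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm)` and `size_t elf_core_extra_data_size(struct coredump_params *cprm)`, into this patch.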
diff --git a/queue-6.1/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch b/queue-6.1/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch new file mode 100644 index 00000000000..c3b96026737 --- /dev/null +++ b/queue-6.1/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch @@ -0,0 +1,45 @@ +From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 30 Dec 2022 22:15:45 -0800 +Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling + +From: Brian Norris + +commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream. + +These indices should reference the ID placed within the dai_driver +array, not the indices of the array itself. + +This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD +lines configurable"), which among others, broke IPQ8064 audio +(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop +initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays +at ID 0. + +Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable") +Cc: +Signed-off-by: Brian Norris +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/lpass-cpu.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -1037,10 +1037,11 @@ static void of_lpass_cpu_parse_dai_data( + struct lpass_data *data) + { + struct device_node *node; +- int ret, id; ++ int ret, i, id; + + /* Allow all channels by default for backwards compatibility */ +- for (id = 0; id < data->variant->num_dai; id++) { ++ for (i = 0; i < data->variant->num_dai; i++) { ++ id = data->variant->dai_driver[i].id; + data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + } 
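Review bot: In `of_lpass_cpu_parse_dai_data()` (sound/soc/qcom/lpass-cpu.c) the new loop uses `data->variant->dai_driver[i].id` directly as an index into `mi2s_playback_sd_mode[]` and `mi2s_capture_sd_mode[]` with no range check. The array sizes are not visible in this hunk and the ids come from static driver tables, so this is a hardening point rather than a known overflow. Assuming both members are fixed-size arrays, a guard such as `if (id < 0 || id >= ARRAY_SIZE(data->mi2s_playback_sd_mode)) continue;` would stop a mis-numbered variant table from writing out of bounds. The function continues beyond the hunk.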
diff --git a/queue-6.1/brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch b/queue-6.1/brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch
new file mode 100644
index 00000000000..b6cf8c4a993
--- /dev/null
+++ b/queue-6.1/brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch
@@ -0,0 +1,56 @@
+From a5a36720c3f650f859f5e9535dd62d06f13f4f3b Mon Sep 17 00:00:00 2001
+From: "Ivan T. Ivanov"
+Date: Fri, 6 Jan 2023 15:19:05 +0200
+Subject: brcmfmac: Prefer DT board type over DMI board type
+
+From: Ivan T. Ivanov
+
+commit a5a36720c3f650f859f5e9535dd62d06f13f4f3b upstream.
+
+The introduction of support for Apple board types inadvertently changed
+the precedence order, causing hybrid SMBIOS+DT platforms to look up the
+firmware using the DMI information instead of the device tree compatible
+to generate the board type. Revert back to the old behavior,
+as affected platforms use firmwares named after the DT compatible.
+
+Fixes: 7682de8b3351 ("wifi: brcmfmac: of: Fetch Apple properties")
+
+[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1206697#c13
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan T. Ivanov
+Reviewed-by: Hector Martin
+Reviewed-by: Arend van Spriel
+Tested-by: Peter Robinson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+index a83699de01ec..fdd0c9abc1a1 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+@@ -79,7 +79,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
+ /* Apple ARM64 platforms have their own idea of board type, passed in
+ * via the device tree. They also have an antenna SKU parameter
+ */
+- if (!of_property_read_string(np, "brcm,board-type", &prop))
++ err = of_property_read_string(np, "brcm,board-type", &prop);
++ if (!err)
+ settings->board_type = prop;
+
+ if (!of_property_read_string(np, "apple,antenna-sku", &prop))
+@@ -87,7 +88,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
+
+ /* Set board-type to the first string of the machine compatible prop */
+ root = of_find_node_by_path("/");
+- if (root && !settings->board_type) {
++ if (root && err) {
+ char *board_type;
+ const char *tmp;
+
+--
+2.39.0
+
diff --git a/queue-6.1/cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch b/queue-6.1/cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch
new file mode 100644
index 00000000000..6e03f961ada
--- /dev/null
+++ b/queue-6.1/cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch
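Review bot: In brcmf_of_probe() (brcmfmac/of.c) the fallback test `if (root && err)` depends on `err` still holding the result of the `brcm,board-type` lookup from the previous hunk, with the antenna-SKU lookup and lines not shown in between. Any later assignment to `err` before that test would silently change which board type is chosen, so a dedicated local or at least a comment would make the coupling explicit, e.g. `/* err != 0: no brcm,board-type in DT, derive it from the machine compatible */`. The release of `root` is outside the hunk; if `of_node_put(root)` sits only inside this block, the node reference is kept whenever the condition is false, which is worth confirming.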
@@ -0,0 +1,38 @@
+From 4f3085f87b51a551a0647f218d4f324796ecb703 Mon Sep 17 00:00:00 2001
+From: Perry Yuan
+Date: Tue, 10 Jan 2023 23:10:29 +0800
+Subject: cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering
+
+From: Perry Yuan
+
+commit 4f3085f87b51a551a0647f218d4f324796ecb703 upstream.
+
+In the amd_pstate_adjust_perf(), there is one cpufreq_cpu_get() call to
+increase increments the kobject reference count of policy and make it as
+busy. Therefore, a corresponding call to cpufreq_cpu_put() is needed to
+decrement the kobject reference count back, it will resolve the kernel
+hang issue when unregistering the amd-pstate driver and register the
+`amd_pstate_epp` driver instance.
+
+Fixes: 1d215f0319 ("cpufreq: amd-pstate: Add fast switch function for AMD P-State")
+Acked-by: Huang Rui
+Reviewed-by: Mario Limonciello
+Tested-by: Wyes Karny
+Signed-off-by: Perry Yuan
+Cc: 5.17+ # 5.17+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/amd-pstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -307,6 +307,7 @@ static void amd_pstate_adjust_perf(unsig
+ max_perf = min_perf;
+
+ amd_pstate_update(cpudata, min_perf, des_perf, max_perf, true);
++ cpufreq_cpu_put(policy);
+ }
+
+ static int amd_get_min_freq(struct amd_cpudata *cpudata)
diff --git a/queue-6.1/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-6.1/docs-fix-the-docs-build-with-sphinx-6.0.patch
new file mode 100644
index 00000000000..923ca1ed57f
--- /dev/null
+++ b/queue-6.1/docs-fix-the-docs-build-with-sphinx-6.0.patch
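Review bot: The added `cpufreq_cpu_put(policy)` in amd_pstate_adjust_perf() covers only the final path, and the matching `cpufreq_cpu_get()` and everything before `max_perf = min_perf;` are outside the hunk. If the function has any return between the get and this line, the reference is still leaked there. `cpufreq_cpu_get()` can also return NULL, so the result should be checked before `policy` is dereferenced or put. Both are worth confirming against the full function; a single exit label that performs the put would cover every path.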
@@ -0,0 +1,49 @@
+From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet
+Date: Wed, 4 Jan 2023 10:47:39 -0700
+Subject: docs: Fix the docs build with Sphinx 6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Corbet
+
+commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
+
+Sphinx 6.0 removed the execfile_() function, which we use as part of the
+configuration process. They *did* warn us... Just open-code the
+functionality as is done in Sphinx itself.
+
+Tested (using SPHINX_CONF, since this code is only executed with an
+alternative config file) on various Sphinx versions from 2.5 through 6.0.
+
+Reported-by: Martin Liška
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/sphinx/load_config.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/sphinx/load_config.py
++++ b/Documentation/sphinx/load_config.py
+@@ -3,7 +3,7 @@
+
+ import os
+ import sys
+-from sphinx.util.pycompat import execfile_
++from sphinx.util.osutil import fs_encoding
+
+ # ------------------------------------------------------------------------------
+ def loadConfig(namespace):
+@@ -48,7 +48,9 @@ def loadConfig(namespace):
+ sys.stdout.write("load additional sphinx-config: %s\n" % config_file)
+ config = namespace.copy()
+ config['__file__'] = config_file
+- execfile_(config_file, config)
++ with open(config_file, 'rb') as f:
++ code = compile(f.read(), fs_encoding, 'exec')
++ exec(code, config)
+ del config['__file__']
+ namespace.update(config)
+ else:
diff --git a/queue-6.1/drm-amd-delay-removal-of-the-firmware-framebuffer.patch b/queue-6.1/drm-amd-delay-removal-of-the-firmware-framebuffer.patch
new file mode 100644
index 00000000000..ba119d0f5a5
--- /dev/null
+++ b/queue-6.1/drm-amd-delay-removal-of-the-firmware-framebuffer.patch
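Review bot: In loadConfig() the second argument of `compile()` is the file name recorded in the code object, and the new line passes `fs_encoding` there, so a syntax error or traceback from the extra config file would be attributed to the encoding name rather than to `config_file`. Passing the path keeps diagnostics pointing at the right file: `code = compile(f.read(), config_file, 'exec')`. The file is also executed with a copy of the whole build namespace, and where `config_file` comes from is outside the hunk (the commit message mentions SPHINX_CONF). A one-line comment stating that the path must come from a trusted source would document that assumption.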
@@ -0,0 +1,81 @@
+From 1923bc5a56daeeabd7e9093bad2febcd6af2416a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Tue, 27 Dec 2022 15:49:17 -0600
+Subject: drm/amd: Delay removal of the firmware framebuffer
+
+From: Mario Limonciello
+
+commit 1923bc5a56daeeabd7e9093bad2febcd6af2416a upstream.
+
+Removing the firmware framebuffer from the driver means that even
+if the driver doesn't support the IP blocks in a GPU it will no
+longer be functional after the driver fails to initialize.
+
+This change will ensure that unsupported IP blocks at least cause
+the driver to work with the EFI framebuffer.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Alex Deucher
+Reviewed-by: Alex Deucher
+Reviewed-by: Lijo Lazar
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 ------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -36,6 +36,7 @@
+ #include
+ #include
+
++#include
+ #include
+ #include
+ #include
+@@ -89,6 +90,8 @@ MODULE_FIRMWARE("amdgpu/navi12_gpu_info.
+ #define AMDGPU_MAX_RETRY_LIMIT 2
+ #define AMDGPU_RETRY_SRIOV_RESET(r) ((r) == -EBUSY || (r) == -ETIMEDOUT || (r) == -EINVAL)
+
++static const struct drm_driver amdgpu_kms_driver;
++
+ const char *amdgpu_asic_name[] = {
+ "TAHITI",
+ "PITCAIRN",
+@@ -3677,6 +3680,11 @@ int amdgpu_device_init(struct amdgpu_dev
+ if (r)
+ return r;
+
++ /* Get rid of things like offb */
++ r = drm_aperture_remove_conflicting_pci_framebuffers(adev->pdev, &amdgpu_kms_driver);
++ if (r)
++ return r;
++
+ /* Enable TMZ based on IP_VERSION */
+ amdgpu_gmc_tmz_set(adev);
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -23,7 +23,6 @@
+ */
+
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -2123,11 +2122,6 @@ static int amdgpu_pci_probe(struct pci_d
+ }
+ #endif
+
+- /* Get rid of things like offb */
+- ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &amdgpu_kms_driver);
+- if (ret)
+- return ret;
+-
+ adev = devm_drm_dev_alloc(&pdev->dev, &amdgpu_kms_driver, typeof(*adev), ddev);
+ if (IS_ERR(adev))
+ return PTR_ERR(adev);
diff --git a/queue-6.1/drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch b/queue-6.1/drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch
new file mode 100644
index 00000000000..8afb03f6615
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch
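Review bot: The added `static const struct drm_driver amdgpu_kms_driver;` in amdgpu_device.c declares an object with internal linkage. Unless that file also defines it further down (not visible here), it is a separate, zero-initialised `drm_driver`, not the one amdgpu_pci_probe() passes to `devm_drm_dev_alloc()` in amdgpu_drv.c. The call `drm_aperture_remove_conflicting_pci_framebuffers(adev->pdev, &amdgpu_kms_driver)` in amdgpu_device_init() would then be handed an empty driver description. Sharing the real object avoids that: make the definition in amdgpu_drv.c non-static and declare it in a common header as `extern const struct drm_driver amdgpu_kms_driver;`. Both function bodies extend beyond their hunks.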
@@ -0,0 +1,41 @@
+From 318ca20893c19ead02845a08204c3f9249bb74cd Mon Sep 17 00:00:00 2001
+From: Evan Quan
+Date: Wed, 4 Jan 2023 10:45:01 +0800
+Subject: drm/amd/pm: add the missing mapping for PPT feature on SMU13.0.0 and 13.0.7
+
+From: Evan Quan
+
+commit 318ca20893c19ead02845a08204c3f9249bb74cd upstream.
+
+Then we are able to set a new ppt limit via the hwmon interface(power1_cap).
+
+Signed-off-by: Evan Quan
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org # 6.0.x, 6.1.x
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 1 +
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -189,6 +189,7 @@ static struct cmn2asic_mapping smu_v13_0
+ FEA_MAP(SOC_PCC),
+ [SMU_FEATURE_DPM_VCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
+ [SMU_FEATURE_DPM_DCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
++ [SMU_FEATURE_PPT_BIT] = {1, FEATURE_THROTTLERS_BIT},
+ };
+
+ static struct cmn2asic_mapping smu_v13_0_0_table_map[SMU_TABLE_COUNT] = {
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -191,6 +191,7 @@ static struct cmn2asic_mapping smu_v13_0
+ FEA_MAP(SOC_PCC),
+ [SMU_FEATURE_DPM_VCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
+ [SMU_FEATURE_DPM_DCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
++ [SMU_FEATURE_PPT_BIT] = {1, FEATURE_THROTTLERS_BIT},
+ };
+
+ static struct cmn2asic_mapping smu_v13_0_7_table_map[SMU_TABLE_COUNT] = {
diff --git a/queue-6.1/drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch b/queue-6.1/drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch
new file mode 100644
index 00000000000..2fdf6b45ac8
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch
@@ -0,0 +1,40 @@
+From 6fea87637bf36bd285227f490132e83582ab7513 Mon Sep 17 00:00:00 2001
+From: Evan Quan
+Date: Fri, 16 Dec 2022 17:12:53 +0800
+Subject: drm/amd/pm: correct the reference clock for fan speed(rpm) calculation
+
+From: Evan Quan
+
+commit 6fea87637bf36bd285227f490132e83582ab7513 upstream.
+
+Correct the reference clock as 25Mhz for SMU13 fan speed calculation.
+
+Signed-off-by: Evan Quan
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org # 6.0.x, 6.1.x
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -1258,7 +1258,8 @@ int smu_v13_0_set_fan_speed_rpm(struct s
+ uint32_t speed)
+ {
+ struct amdgpu_device *adev = smu->adev;
+- uint32_t tach_period, crystal_clock_freq;
++ uint32_t crystal_clock_freq = 2500;
++ uint32_t tach_period;
+ int ret;
+
+ if (!speed)
+@@ -1268,7 +1269,6 @@ int smu_v13_0_set_fan_speed_rpm(struct s
+ if (ret)
+ return ret;
+
+- crystal_clock_freq = amdgpu_asic_get_xclk(adev);
+ tach_period = 60 * crystal_clock_freq * 10000 / (8 * speed);
+ WREG32_SOC15(THM, 0, regCG_TACH_CTRL,
+ REG_SET_FIELD(RREG32_SOC15(THM, 0, regCG_TACH_CTRL),
diff --git a/queue-6.1/drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch b/queue-6.1/drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch
new file mode 100644
index 00000000000..489b62290db
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch
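Review bot: In smu_v13_0_set_fan_speed_rpm() the divisor `8 * speed` is computed in `uint32_t`, so a `speed` that is a non-zero multiple of 0x20000000 passes the visible `if (!speed)` test and still wraps the divisor to zero. Whether callers bound `speed` is outside the hunk; if they do not, extending the existing guard to `if (!speed || speed > U32_MAX / 8)` closes that case. The new constant `2500` also carries no unit. The commit message says 25 MHz, so a comment such as `/* reference clock, presumably in 10 kHz units (25 MHz) */` would help, with the unit confirmed against the `* 10000` factor.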
@@ -0,0 +1,35 @@
+From 972fb53d3605eb6cdf0d6ae9a52e910626a91ff7 Mon Sep 17 00:00:00 2001
+From: Guchun Chen
+Date: Tue, 10 Jan 2023 11:33:44 +0800
+Subject: drm/amd/pm/smu13: BACO is supported when it's in BACO state
+
+From: Guchun Chen
+
+commit 972fb53d3605eb6cdf0d6ae9a52e910626a91ff7 upstream.
+
+This leverages the logic in smu11. No need to talk to SMU to
+check BACO enablement as it's in BACO state already.
+
+Signed-off-by: Guchun Chen
+Reviewed-by: Kenneth Feng
+Reviewed-by: Lijo Lazar
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org # 6.0, 6.1
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -2249,6 +2249,10 @@ bool smu_v13_0_baco_is_support(struct sm
+ !smu_baco->platform_support)
+ return false;
+
++ /* return true if ASIC is in BACO state already */
++ if (smu_v13_0_baco_get_state(smu) == SMU_BACO_STATE_ENTER)
++ return true;
++
+ if (smu_cmn_feature_is_supported(smu, SMU_FEATURE_BACO_BIT) &&
+ !smu_cmn_feature_is_enabled(smu, SMU_FEATURE_BACO_BIT))
+ return false;
diff --git a/queue-6.1/drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch b/queue-6.1/drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch
new file mode 100644
index 00000000000..0ae51516d66
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch
@@ -0,0 +1,76 @@
+From 99f1a36c90a7524972be5a028424c57fa17753ee Mon Sep 17 00:00:00 2001
+From: YiPeng Chai
+Date: Fri, 6 Jan 2023 14:04:15 +0800
+Subject: drm/amdgpu: Fixed bug on error when unloading amdgpu
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: YiPeng Chai
+
+commit 99f1a36c90a7524972be5a028424c57fa17753ee upstream.
+
+Fixed bug on error when unloading amdgpu.
+
+The error message is as follows:
+[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!
+[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1
+[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021
+[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]
+[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53
+[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287
+[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000
+[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70
+[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001
+[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70
+[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70
+[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000
+[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0
+[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 377.706361] Call Trace:
+[ 377.706365]
+[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]
+[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]
+[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]
+[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]
+[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]
+[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]
+[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]
+[ 377.706975] drm_dev_release+0x20/0x40 [drm]
+[ 377.707006] release_nodes+0x35/0xb0
+[ 377.707014] devres_release_all+0x8b/0xc0
+[ 377.707020] device_unbind_cleanup+0xe/0x70
+[ 377.707027] device_release_driver_internal+0xee/0x160
+[ 377.707033] driver_detach+0x44/0x90
+[ 377.707039] bus_remove_driver+0x55/0xe0
+[ 377.707045] pci_unregister_driver+0x3b/0x90
+[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]
+[ 377.707194] __x64_sys_delete_module+0x142/0x2b0
+[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50
+[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190
+[ 377.707215] do_syscall_64+0x38/0x90
+[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Signed-off-by: YiPeng Chai
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
+@@ -882,7 +882,7 @@ void amdgpu_vram_mgr_fini(struct amdgpu_
+ kfree(rsv);
+
+ list_for_each_entry_safe(rsv, temp, &mgr->reserved_pages, blocks) {
+- drm_buddy_free_list(&mgr->mm, &rsv->blocks);
++ drm_buddy_free_list(&mgr->mm, &rsv->allocated);
+ kfree(rsv);
+ }
+ drm_buddy_fini(&mgr->mm);
diff --git a/queue-6.1/drm-i915-fix-potential-context-uafs.patch b/queue-6.1/drm-i915-fix-potential-context-uafs.patch
new file mode 100644
index 00000000000..00def4327ff
--- /dev/null
+++ b/queue-6.1/drm-i915-fix-potential-context-uafs.patch
@@ -0,0 +1,92 @@
+From afce71ff6daa9c0f852df0727fe32c6fb107f0fa Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Tue, 3 Jan 2023 15:49:46 -0800
+Subject: drm/i915: Fix potential context UAFs
+
+From: Rob Clark
+
+commit afce71ff6daa9c0f852df0727fe32c6fb107f0fa upstream.
+
+gem_context_register() makes the context visible to userspace, and which
+point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
+So we need to ensure that nothing uses the ctx ptr after this. And we
+need to ensure that adding the ctx to the xarray is the *last* thing
+that gem_context_register() does with the ctx pointer.
+
+Signed-off-by: Rob Clark
+Fixes: eb4dedae920a ("drm/i915/gem: Delay tracking the GEM context until it is registered")
+Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)")
+Fixes: 49bd54b390c2 ("drm/i915: Track all user contexts per client")
+Cc: # v5.10+
+Reviewed-by: Tvrtko Ursulin
+Reviewed-by: Andi Shyti
+[tursulin: Stable and fixes tags add/tidy.]
+Signed-off-by: Tvrtko Ursulin
+Link: https://patchwork.freedesktop.org/patch/msgid/20230103234948.1218393-1-robdclark@gmail.com
+(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gem/i915_gem_context.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
+@@ -1688,6 +1688,10 @@ void i915_gem_init__contexts(struct drm_
+ init_contexts(&i915->gem.contexts);
+ }
+
++/*
++ * Note that this implicitly consumes the ctx reference, by placing
++ * the ctx in the context_xa.
++ */
+ static void gem_context_register(struct i915_gem_context *ctx,
+ struct drm_i915_file_private *fpriv,
+ u32 id)
+@@ -1703,10 +1707,6 @@ static void gem_context_register(struct
+ snprintf(ctx->name, sizeof(ctx->name), "%s[%d]",
+ current->comm, pid_nr(ctx->pid));
+
+- /* And finally expose ourselves to userspace via the idr */
+- old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
+- WARN_ON(old);
+-
+ spin_lock(&ctx->client->ctx_lock);
+ list_add_tail_rcu(&ctx->client_link, &ctx->client->ctx_list);
+ spin_unlock(&ctx->client->ctx_lock);
+@@ -1714,6 +1714,10 @@ static void gem_context_register(struct
+ spin_lock(&i915->gem.contexts.lock);
+ list_add_tail(&ctx->link, &i915->gem.contexts.list);
+ spin_unlock(&i915->gem.contexts.lock);
++
++ /* And finally expose ourselves to userspace via the idr */
++ old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
++ WARN_ON(old);
+ }
+
+ int i915_gem_context_open(struct drm_i915_private *i915,
+@@ -2199,14 +2203,22 @@ finalize_create_context_locked(struct dr
+ if (IS_ERR(ctx))
+ return ctx;
+
++ /*
++ * One for the xarray and one for the caller. We need to grab
++ * the reference *prior* to making the ctx visble to userspace
++ * in gem_context_register(), as at any point after that
++ * userspace can try to race us with another thread destroying
++ * the context under our feet.
++ */
++ i915_gem_context_get(ctx);
++
+ gem_context_register(ctx, file_priv, id);
+
+ old = xa_erase(&file_priv->proto_context_xa, id);
+ GEM_BUG_ON(old != pc);
+ proto_context_close(file_priv->dev_priv, pc);
+
+- /* One for the xarray and one for the caller */
+- return i915_gem_context_get(ctx);
++ return ctx;
+ }
+
+ struct i915_gem_context *
diff --git a/queue-6.1/drm-i915-gt-reset-twice.patch b/queue-6.1/drm-i915-gt-reset-twice.patch
new file mode 100644
index 00000000000..8b897836188
--- /dev/null
+++ b/queue-6.1/drm-i915-gt-reset-twice.patch
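Review bot: gem_context_register() still handles the result of `xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL)` only with `WARN_ON(old)`, and the function returns void. With the reference now taken before the call in finalize_create_context_locked(), a failed store (for example an allocation failure under `GFP_KERNEL`) would leave that extra reference unowned and the context linked on the client and global lists but absent from the xarray, while the caller returns `ctx` as if it were registered. Making gem_context_register() report the failure, e.g. `if (xa_is_err(old)) return xa_err(old);` after undoing the two list insertions, and having the caller drop the extra reference on error would close that path. Other callers of gem_context_register() are outside the hunks and would need the same handling.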
@@ -0,0 +1,85 @@
+From d3de5616d36462a646f5b360ba82d3b09ff668eb Mon Sep 17 00:00:00 2001
+From: Chris Wilson
+Date: Mon, 12 Dec 2022 17:13:38 +0100
+Subject: drm/i915/gt: Reset twice
+
+From: Chris Wilson
+
+commit d3de5616d36462a646f5b360ba82d3b09ff668eb upstream.
+
+After applying an engine reset, on some platforms like Jasperlake, we
+occasionally detect that the engine state is not cleared until shortly
+after the resume. As we try to resume the engine with volatile internal
+state, the first request fails with a spurious CS event (it looks like
+it reports a lite-restore to the hung context, instead of the expected
+idle->active context switch).
+
+Signed-off-by: Chris Wilson
+Cc: stable@vger.kernel.org
+Cc: Mika Kuoppala
+Signed-off-by: Andi Shyti
+Reviewed-by: Gwan-gyeong Mun
+Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com
+(cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -278,6 +278,7 @@ out:
+ static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask)
+ {
+ struct intel_uncore *uncore = gt->uncore;
++ int loops = 2;
+ int err;
+
+ /*
+@@ -285,18 +286,39 @@ static int gen6_hw_domain_reset(struct i
+ * for fifo space for the write or forcewake the chip for
+ * the read
+ */
+- intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
++ do {
++ intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
+
+- /* Wait for the device to ack the reset requests */
+- err = __intel_wait_for_register_fw(uncore,
+- GEN6_GDRST, hw_domain_mask, 0,
+- 500, 0,
+- NULL);
++ /*
++ * Wait for the device to ack the reset requests.
++ *
++ * On some platforms, e.g. Jasperlake, we see that the
++ * engine register state is not cleared until shortly after
++ * GDRST reports completion, causing a failure as we try
++ * to immediately resume while the internal state is still
++ * in flux. If we immediately repeat the reset, the second
++ * reset appears to serialise with the first, and since
++ * it is a no-op, the registers should retain their reset
++ * value. However, there is still a concern that upon
++ * leaving the second reset, the internal engine state
++ * is still in flux and not ready for resuming.
++ */
++ err = __intel_wait_for_register_fw(uncore, GEN6_GDRST,
++ hw_domain_mask, 0,
++ 2000, 0,
++ NULL);
++ } while (err == 0 && --loops);
+ if (err)
+ GT_TRACE(gt,
+ "Wait for 0x%08x engines reset failed\n",
+ hw_domain_mask);
+
++ /*
++ * As we have observed that the engine state is still volatile
++ * after GDRST is acked, impose a small delay to let everything settle.
++ */
++ udelay(50);
++
+ return err;
+ }
+
diff --git a/queue-6.1/drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch b/queue-6.1/drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch
new file mode 100644
index 00000000000..f47aecd7db4
--- /dev/null
+++ b/queue-6.1/drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch
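Review bot: The three tuning values introduced in gen6_hw_domain_reset() are bare literals with no unit or rationale beside them: `loops = 2`, the wait argument raised from `500` to `2000`, and `udelay(50)`. In the worst case the function now performs two waits plus the settle delay before returning, and the comment at the top of the hunk suggests this path avoids sleeping. A line stating the total budget would make that cost visible to the next reader, e.g. `/* worst case: 2 x 2000us wait + 50us settle */`, with the units confirmed against __intel_wait_for_register_fw(), whose definition is outside the hunk.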
@@ -0,0 +1,51 @@
+From 476fdcdaaae7b06c780cdfc234c704107f16c529 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das
+Date: Fri, 23 Dec 2022 10:20:11 +0100
+Subject: drm/i915: Reserve enough fence slot for i915_vma_unbind_async
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das
+
+commit 476fdcdaaae7b06c780cdfc234c704107f16c529 upstream.
+
+A nested dma_resv_reserve_fences(1) will not reserve slot from the
+2nd call onwards and folowing dma_resv_add_fence() might hit the
+"BUG_ON(fobj->num_fences >= fobj->max_fences)" check.
+
+I915 hit above nested dma_resv case in ttm_bo_handle_move_mem() with
+async unbind:
+
+dma_resv_reserve_fences() from --> ttm_bo_handle_move_mem()
+ dma_resv_reserve_fences() from --> i915_vma_unbind_async()
+ dma_resv_add_fence() from --> i915_vma_unbind_async()
+dma_resv_add_fence() from -->ttm_bo_move_accel_cleanup()
+
+Resolve this by adding an extra fence in i915_vma_unbind_async().
+
+Suggested-by: Thomas Hellström
+Fixes: 2f6b90da9192 ("drm/i915: Use vma resources for async unbinding")
+Cc: # v5.18+
+Signed-off-by: Nirmoy Das
+Reviewed-by: Matthew Auld
+Signed-off-by: Matthew Auld
+Link: https://patchwork.freedesktop.org/patch/msgid/20221223092011.11657-1-nirmoy.das@intel.com
+(cherry picked from commit 4f0755c2faf7388616109717facc5bbde6850e60)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/i915_vma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_vma.c
++++ b/drivers/gpu/drm/i915/i915_vma.c
+@@ -2114,7 +2114,7 @@ int i915_vma_unbind_async(struct i915_vm
+ if (!obj->mm.rsgt)
+ return -EBUSY;
+
+- err = dma_resv_reserve_fences(obj->base.resv, 2);
++ err = dma_resv_reserve_fences(obj->base.resv, 2);
+ if (err)
+ return -EBUSY;
+
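Review bot: `dma_resv_reserve_fences(obj->base.resv, 2)` in i915_vma_unbind_async() gives no reason for reserving two slots; the explanation exists only in the commit message, so a later cleanup could easily change it back to 1. A comment at the call would keep the invariant next to the code, e.g. `/* one slot for the unbind fence added here, one kept for the caller's later dma_resv_add_fence() */`. The following `if (err) return -EBUSY;` also discards whatever error the reservation returned. If callers distinguish allocation failure from a busy object, returning `err` would preserve that, but those callers are outside the hunk.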
diff --git a/queue-6.1/drm-optimize-drm-buddy-top-down-allocation-method.patch b/queue-6.1/drm-optimize-drm-buddy-top-down-allocation-method.patch
new file mode 100644
index 00000000000..d8697832e1f
--- /dev/null
+++ b/queue-6.1/drm-optimize-drm-buddy-top-down-allocation-method.patch
@@ -0,0 +1,173 @@
+From 5640e81607152d7f2d2558227c0f6cb78b8f39cf Mon Sep 17 00:00:00 2001
+From: Arunpravin Paneer Selvam
+Date: Thu, 12 Jan 2023 04:00:27 -0800
+Subject: drm: Optimize drm buddy top-down allocation method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arunpravin Paneer Selvam
+
+commit 5640e81607152d7f2d2558227c0f6cb78b8f39cf upstream.
+
+We are observing performance drop in many usecases which include
+games, 3D benchmark applications,etc.. To solve this problem, We
+are strictly not allowing top down flag enabled allocations to
+steal the memory space from cpu visible region.
+
+The idea is, we are sorting each order list entries in
+ascending order and compare the last entry of each order
+list in the freelist and return the max block.
+
+This patch improves the 3D benchmark scores and solves
+fragmentation issues.
+
+All drm buddy selftests are verfied.
+drm_buddy: pass:6 fail:0 skip:0 total:6
+
+Signed-off-by: Arunpravin Paneer Selvam
+Acked-by: Christian König
+Acked-by: Alex Deucher
+Reviewed-by: Matthew Auld
+Link: https://patchwork.freedesktop.org/patch/msgid/20230112120027.3072-1-Arunpravin.PaneerSelvam@amd.com
+Signed-off-by: Christian König
+CC: Cc: stable@vger.kernel.org # 5.18+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_buddy.c | 83 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 55 insertions(+), 28 deletions(-)
+
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -38,6 +38,25 @@ static void drm_block_free(struct drm_bu
+ kmem_cache_free(slab_blocks, block);
+ }
+
++static void list_insert_sorted(struct drm_buddy *mm,
++ struct drm_buddy_block *block)
++{
++ struct drm_buddy_block *node;
++ struct list_head *head;
++
++ head = &mm->free_list[drm_buddy_block_order(block)];
++ if (list_empty(head)) {
++ list_add(&block->link, head);
++ return;
++ }
++
++ list_for_each_entry(node, head, link)
++ if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node))
++ break;
++
++ __list_add(&block->link, node->link.prev, &node->link);
++}
++
+ static void mark_allocated(struct drm_buddy_block *block)
+ {
+ block->header &= ~DRM_BUDDY_HEADER_STATE;
+@@ -52,8 +71,7 @@ static void mark_free(struct drm_buddy *
+ block->header &= ~DRM_BUDDY_HEADER_STATE;
+ block->header |= DRM_BUDDY_FREE;
+
+- list_add(&block->link,
+- &mm->free_list[drm_buddy_block_order(block)]);
++ list_insert_sorted(mm, block);
+ }
+
+ static void mark_split(struct drm_buddy_block *block)
+@@ -387,20 +405,26 @@ err_undo:
+ }
+
+ static struct drm_buddy_block *
+-get_maxblock(struct list_head *head)
++get_maxblock(struct drm_buddy *mm, unsigned int order)
+ {
+ struct drm_buddy_block *max_block = NULL, *node;
++ unsigned int i;
+
+- max_block = list_first_entry_or_null(head,
+- struct drm_buddy_block,
+- link);
+- if (!max_block)
+- return NULL;
+-
+- list_for_each_entry(node, head, link) {
+- if (drm_buddy_block_offset(node) >
+- drm_buddy_block_offset(max_block))
+- max_block = node;
++ for (i = order; i <= mm->max_order; ++i) {
++ if (!list_empty(&mm->free_list[i])) {
++ node = list_last_entry(&mm->free_list[i],
++ struct drm_buddy_block,
++ link);
++ if (!max_block) {
++ max_block = node;
++ continue;
++ }
++
++ if (drm_buddy_block_offset(node) >
++ drm_buddy_block_offset(max_block)) {
++ max_block = node;
++ }
++ }
+ }
+
+ return max_block;
+@@ -412,20 +436,23 @@ alloc_from_freelist(struct drm_buddy *mm
+ unsigned long flags)
+ {
+ struct drm_buddy_block *block = NULL;
+- unsigned int i;
++ unsigned int tmp;
+ int err;
+
+- for (i = order; i <= mm->max_order; ++i) {
+- if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) {
+- block = get_maxblock(&mm->free_list[i]);
+- if (block)
+- break;
+- } else {
+- block = list_first_entry_or_null(&mm->free_list[i],
+- struct drm_buddy_block,
+- link);
+- if (block)
+- break;
++ if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) {
++ block = get_maxblock(mm, order);
++ if (block)
++ /* Store the obtained block order */
++ tmp = drm_buddy_block_order(block);
++ } else {
++ for (tmp = order; tmp <= mm->max_order; ++tmp) {
++ if (!list_empty(&mm->free_list[tmp])) {
++ block = list_last_entry(&mm->free_list[tmp],
++ struct drm_buddy_block,
++ link);
++ if (block)
++ break;
++ }
+ }
+ }
+
+@@ -434,18 +461,18 @@ alloc_from_freelist(struct drm_buddy *mm
+
+ BUG_ON(!drm_buddy_block_is_free(block));
+
+- while (i != order) {
++ while (tmp != order) {
+ err = split_block(mm, block);
+ if (unlikely(err))
+ goto err_undo;
+
+ block = block->right;
+- i--;
++ tmp--;
+ }
+ return block;
+
+ err_undo:
+- if (i != order)
++ if (tmp != order)
+ __drm_buddy_free(mm, block);
+ return ERR_PTR(err);
+ }
diff --git a/queue-6.1/drm-virtio-fix-gem-handle-creation-uaf.patch b/queue-6.1/drm-virtio-fix-gem-handle-creation-uaf.patch
new file mode 100644
index 00000000000..ce75946f516
--- /dev/null
+++ b/queue-6.1/drm-virtio-fix-gem-handle-creation-uaf.patch
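Review bot: list_insert_sorted() in drm_buddy.c uses the iterator `node` after `list_for_each_entry()` has run to completion: when no free block has a larger offset the loop ends without `break`, and `node` is then the container computed from the list head rather than a real `drm_buddy_block`. The following `__list_add(&block->link, node->link.prev, &node->link)` only works because `&node->link` happens to equal `head` in that case. Tracking the insertion point as a `struct list_head *` removes that dependency and makes the separate empty-list branch unnecessary. In alloc_from_freelist() `tmp` is left unset when the top-down lookup finds nothing; the check that returns before `tmp` is read is outside the hunk, so initialising it to `order` would be a cheap safeguard.

```c
static void list_insert_sorted(struct drm_buddy *mm,
			       struct drm_buddy_block *block)
{
	struct drm_buddy_block *node;
	struct list_head *head = &mm->free_list[drm_buddy_block_order(block)];
	struct list_head *pos = head;	/* default: append at the tail */

	list_for_each_entry(node, head, link) {
		if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) {
			pos = &node->link;
			break;
		}
	}

	/* list_add_tail() links the new entry immediately before pos */
	list_add_tail(&block->link, pos);
}
```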
@@ -0,0 +1,68 @@
+From 52531258318ed59a2dc5a43df2eaf0eb1d65438e Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Fri, 16 Dec 2022 15:33:55 -0800
+Subject: drm/virtio: Fix GEM handle creation UAF
+
+From: Rob Clark
+
+commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e upstream.
+
+Userspace can guess the handle value and try to race GEM object creation
+with handle close, resulting in a use-after-free if we dereference the
+object after dropping the handle's reference. For that reason, dropping
+the handle's reference must be done *after* we are done dereferencing
+the object.
+
+Signed-off-by: Rob Clark
+Reviewed-by: Chia-I Wu
+Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko
+Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -358,10 +358,18 @@ static int virtio_gpu_resource_create_io
+ drm_gem_object_release(obj);
+ return ret;
+ }
+- drm_gem_object_put(obj);
+
+ rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */
+ rc->bo_handle = handle;
++
++ /*
++ * The handle owns the reference now. But we must drop our
++ * remaining reference *after* we no longer need to dereference
++ * the obj. Otherwise userspace could guess the handle and
++ * race closing it from another thread.
++ */
++ drm_gem_object_put(obj);
++
+ return 0;
+ }
+
+@@ -723,11 +731,18 @@ static int virtio_gpu_resource_create_bl
+ drm_gem_object_release(obj);
+ return ret;
+ }
+- drm_gem_object_put(obj);
+
+ rc_blob->res_handle = bo->hw_res_handle;
+ rc_blob->bo_handle = handle;
+
++ /*
++ * The handle owns the reference now. But we must drop our
++ * remaining reference *after* we no longer need to dereference
++ * the obj. Otherwise userspace could guess the handle and
++ * race closing it from another thread.
++ */
++ drm_gem_object_put(obj);
++
+ return 0;
+ }
+
diff --git a/queue-6.1/efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch b/queue-6.1/efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch
new file mode 100644
index 00000000000..dd7fc1aa545
--- /dev/null
+++ b/queue-6.1/efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch
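Review bot: The comment added before `drm_gem_object_put(obj)` in both virtio_gpu_resource_create_ioctl and virtio_gpu_resource_create_blob_ioctl speaks of dereferencing "the obj", but the lines it protects read `qobj->hw_res_handle` and `bo->hw_res_handle`. Presumably qobj and bo are the containers of obj and are freed with it; naming them would make the rule harder to break later, for example `/* qobj goes away with obj: no qobj-> or obj-> access below this put */` (and the `bo` equivalent in the blob variant). The comment could also say that the handle is already live for other threads of the process before these assignments run, which is the reason the ordering matters. Both function bodies start outside the hunk, so the handle-creation call itself is not visible here.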
@@ -0,0 +1,45 @@
+From e006ac3003080177cf0b673441a4241f77aaecce Mon Sep 17 00:00:00 2001
+From: Ding Hui
+Date: Tue, 27 Dec 2022 23:09:36 +0800
+Subject: efi: fix userspace infinite retry read efivars after EFI runtime services page fault
+
+From: Ding Hui
+
+commit e006ac3003080177cf0b673441a4241f77aaecce upstream.
+
+After [1][2], if we catch exceptions due to EFI runtime service, we will
+clear EFI_RUNTIME_SERVICES bit to disable EFI runtime service, then the
+subsequent routine which invoke the EFI runtime service should fail.
+
+But the userspace cat efivars through /sys/firmware/efi/efivars/ will stuck
+and infinite loop calling read() due to efivarfs_file_read() return -EINTR.
+
+The -EINTR is converted from EFI_ABORTED by efi_status_to_err(), and is
+an improper return value in this situation, so let virt_efi_xxx() return
+EFI_DEVICE_ERROR and converted to -EIO to invoker.
+
+Cc:
+Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running EFI runtime services")
+Fixes: 23715a26c8d8 ("arm64: efi: Recover from synchronous exceptions occurring in firmware")
+Signed-off-by: Ding Hui
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/runtime-wrappers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
+index 7feee3d9c2bf..1fba4e09cdcf 100644
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -62,6 +62,7 @@ struct efi_runtime_work efi_rts_work;
+ \
+ if (!efi_enabled(EFI_RUNTIME_SERVICES)) { \
+ pr_warn_once("EFI Runtime Services are disabled!\n"); \
++ efi_rts_work.status = EFI_DEVICE_ERROR; \
+ goto exit; \
+ } \
+ \
+--
+2.39.0
+
diff --git a/queue-6.1/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-6.1/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
new file mode 100644
index 00000000000..48f04e9414d
--- /dev/null
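Review bot: The added `efi_rts_work.status = EFI_DEVICE_ERROR;` has no comment, and the reason for choosing this status over the previous one is recorded only in the commit message. A line such as `/* not EFI_ABORTED: it maps to -EINTR and userspace would retry read() forever */` next to the assignment would stop a later cleanup from reverting it. Because `pr_warn_once()` prints only on the first hit, every later call fails without a log line, so the returned status is the only signal callers get. The macro body starts and ends outside the hunk, so what serialises this write to the global `efi_rts_work` cannot be confirmed from here.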
+++ b/queue-6.1/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch 
@@ -0,0 +1,51 @@
+From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Mon, 9 Jan 2023 10:44:31 +0100
+Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log
+
+From: Ard Biesheuvel
+
+commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
+
+Nathan reports that recent kernels built with LTO will crash when doing
+EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
+misaligned load from the TPM event log, which is annotated with
+READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
+which does not tolerate misaligned accesses.
+
+Interestingly, this does not happen when booting the same kernel
+straight from the UEFI shell, and so the fact that the event log may
+appear misaligned in memory may be caused by a bug in GRUB or SHIM.
+
+However, using READ_ONCE() to access firmware tables is slightly unusual
+in any case, and here, we only need to ensure that 'event' is not
+dereferenced again after it gets unmapped, but this is already taken
+care of by the implicit barrier() semantics of the early_memunmap()
+call.
+
+Cc:
+Cc: Peter Jones
+Cc: Jarkko Sakkinen
+Cc: Matthew Garrett
+Reported-by: Nathan Chancellor
+Tested-by: Nathan Chancellor
+Link: https://github.com/ClangBuiltLinux/linux/issues/1782
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/tpm_eventlog.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e
+ * The loop below will unmap these fields if the log is larger than
+ * one page, so save them here for reference:
+ */
+- count = READ_ONCE(event->count);
+- event_type = READ_ONCE(event->event_type);
++ count = event->count;
++ event_type = event->event_type;
+
+ /* Verify that it's the log header */
+ if (event_header->pcr_idx != 0 ||
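Review bot: With READ_ONCE() removed, the guarantee that `count` and `event_type` are not re-read after the mapping is dropped rests on the barrier implied by early_memunmap(), which the commit message states but the code does not. The existing comment above the two loads could carry it, for example by appending `* Plain loads on purpose: the log may be misaligned, and early_memunmap() acts as a compiler barrier.` Both values come from a firmware-provided log, so it is worth confirming that the code past the hunk bounds `count` before using it. The function body starts and ends outside the hunk.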
diff --git a/queue-6.1/elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch b/queue-6.1/elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch
new file mode 100644
index 00000000000..3d77bfc0647
--- /dev/null
+++ b/queue-6.1/elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch
@@ -0,0 +1,162 @@ +From 19e183b54528f11fafeca60fc6d0821e29ff281e Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 22 Dec 2022 18:12:50 +0000 +Subject: elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size} + +From: Catalin Marinas + +commit 19e183b54528f11fafeca60fc6d0821e29ff281e upstream. + +A subsequent fix for arm64 will use this parameter to parse the vma +information from the snapshot created by dump_vma_snapshot() rather than +traversing the vma list without the mmap_lock. + +Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file") +Cc: # 5.18.x +Signed-off-by: Catalin Marinas +Reported-by: Seth Jenkins +Suggested-by: Seth Jenkins +Cc: Will Deacon +Cc: Eric Biederman +Cc: Kees Cook +Link: https://lore.kernel.org/r/20221222181251.1345752-3-catalin.marinas@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/elfcore.c | 4 ++-- + arch/ia64/kernel/elfcore.c | 4 ++-- + arch/x86/um/elfcore.c | 4 ++-- + fs/binfmt_elf.c | 4 ++-- + fs/binfmt_elf_fdpic.c | 4 ++-- + include/linux/elfcore.h | 8 ++++---- + 6 files changed, 14 insertions(+), 14 deletions(-) + +--- a/arch/arm64/kernel/elfcore.c ++++ b/arch/arm64/kernel/elfcore.c +@@ -75,7 +75,7 @@ static int mte_dump_tag_range(struct cor + return ret; + } + +-Elf_Half elf_core_extra_phdrs(void) ++Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) + { + int i; + struct core_vma_metadata *m; +@@ -112,7 +112,7 @@ int elf_core_write_extra_phdrs(struct co + return 1; + } + +-size_t elf_core_extra_data_size(void) ++size_t elf_core_extra_data_size(struct coredump_params *cprm) + { + int i; + struct core_vma_metadata *m; +--- a/arch/ia64/kernel/elfcore.c ++++ b/arch/ia64/kernel/elfcore.c +@@ -7,7 +7,7 @@ + #include + + +-Elf64_Half elf_core_extra_phdrs(void) ++Elf64_Half elf_core_extra_phdrs(struct coredump_params *cprm) + { + return GATE_EHDR->e_phnum; + } +@@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct cor + return 1; + } + +-size_t 
elf_core_extra_data_size(void) ++size_t elf_core_extra_data_size(struct coredump_params *cprm) + { + const struct elf_phdr *const gate_phdrs = + (const struct elf_phdr *) (GATE_ADDR + GATE_EHDR->e_phoff); +--- a/arch/x86/um/elfcore.c ++++ b/arch/x86/um/elfcore.c +@@ -7,7 +7,7 @@ + #include + + +-Elf32_Half elf_core_extra_phdrs(void) ++Elf32_Half elf_core_extra_phdrs(struct coredump_params *cprm) + { + return vsyscall_ehdr ? (((struct elfhdr *)vsyscall_ehdr)->e_phnum) : 0; + } +@@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct cor + return 1; + } + +-size_t elf_core_extra_data_size(void) ++size_t elf_core_extra_data_size(struct coredump_params *cprm) + { + if ( vsyscall_ehdr ) { + const struct elfhdr *const ehdrp = +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -2209,7 +2209,7 @@ static int elf_core_dump(struct coredump + * The number of segs are recored into ELF header as 16bit value. + * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here. + */ +- segs = cprm->vma_count + elf_core_extra_phdrs(); ++ segs = cprm->vma_count + elf_core_extra_phdrs(cprm); + + /* for notes section */ + segs++; +@@ -2249,7 +2249,7 @@ static int elf_core_dump(struct coredump + dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); + + offset += cprm->vma_data_size; +- offset += elf_core_extra_data_size(); ++ offset += elf_core_extra_data_size(cprm); + e_shoff = offset; + + if (e_phnum == PN_XNUM) { +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -1509,7 +1509,7 @@ static int elf_fdpic_core_dump(struct co + tmp->next = thread_list; + thread_list = tmp; + +- segs = cprm->vma_count + elf_core_extra_phdrs(); ++ segs = cprm->vma_count + elf_core_extra_phdrs(cprm); + + /* for notes section */ + segs++; +@@ -1555,7 +1555,7 @@ static int elf_fdpic_core_dump(struct co + dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); + + offset += cprm->vma_data_size; +- offset += elf_core_extra_data_size(); ++ offset += elf_core_extra_data_size(cprm); + e_shoff = 
offset; + + if (e_phnum == PN_XNUM) { +--- a/include/linux/elfcore.h ++++ b/include/linux/elfcore.h +@@ -114,14 +114,14 @@ static inline int elf_core_copy_task_fpr + * Dumping its extra ELF program headers includes all the other information + * a debugger needs to easily find how the gate DSO was being used. + */ +-extern Elf_Half elf_core_extra_phdrs(void); ++extern Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm); + extern int + elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset); + extern int + elf_core_write_extra_data(struct coredump_params *cprm); +-extern size_t elf_core_extra_data_size(void); ++extern size_t elf_core_extra_data_size(struct coredump_params *cprm); + #else +-static inline Elf_Half elf_core_extra_phdrs(void) ++static inline Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) + { + return 0; + } +@@ -136,7 +136,7 @@ static inline int elf_core_write_extra_d + return 1; + } + +-static inline size_t elf_core_extra_data_size(void) ++static inline size_t elf_core_extra_data_size(struct coredump_params *cprm) + { + return 0; + } diff --git a/queue-6.1/io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch b/queue-6.1/io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch new file mode 100644 index 00000000000..bcd617c0ab9 --- /dev/null +++ b/queue-6.1/io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch 
@@ -0,0 +1,64 @@ +From febb985c06cb6f5fac63598c0bffd4fd823d110d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 9 Jan 2023 14:46:10 -0700 +Subject: io_uring/poll: add hash if ready poll request can't complete inline + +From: Jens Axboe + +commit febb985c06cb6f5fac63598c0bffd4fd823d110d upstream. + +If we don't, then we may lose access to it completely, leading to a +request leak. This will eventually stall the ring exit process as +well. + +Cc: stable@vger.kernel.org +Fixes: 49f1c68e048f ("io_uring: optimise submission side poll_refs") +Reported-and-tested-by: syzbot+6c95df01470a47fc3af4@syzkaller.appspotmail.com +Link: https://lore.kernel.org/io-uring/0000000000009f829805f1ce87b2@google.com/ +Suggested-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -549,6 +549,14 @@ static bool io_poll_can_finish_inline(st + return pt->owning || io_poll_get_ownership(req); + } + ++static void io_poll_add_hash(struct io_kiocb *req) ++{ ++ if (req->flags & REQ_F_HASH_LOCKED) ++ io_poll_req_insert_locked(req); ++ else ++ io_poll_req_insert(req); ++} ++ + /* + * Returns 0 when it's handed over for polling. The caller owns the requests if + * it returns non-zero, but otherwise should not touch it. 
Negative values +@@ -607,18 +615,17 @@ static int __io_arm_poll_handler(struct + + if (mask && + ((poll->events & (EPOLLET|EPOLLONESHOT)) == (EPOLLET|EPOLLONESHOT))) { +- if (!io_poll_can_finish_inline(req, ipt)) ++ if (!io_poll_can_finish_inline(req, ipt)) { ++ io_poll_add_hash(req); + return 0; ++ } + io_poll_remove_entries(req); + ipt->result_mask = mask; + /* no one else has access to the req, forget about the ref */ + return 1; + } + +- if (req->flags & REQ_F_HASH_LOCKED) +- io_poll_req_insert_locked(req); +- else +- io_poll_req_insert(req); ++ io_poll_add_hash(req); + + if (mask && (poll->events & EPOLLET) && + io_poll_can_finish_inline(req, ipt)) { diff --git a/queue-6.1/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-6.1/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch new file mode 100644 index 00000000000..4ad6ef26ab6 --- /dev/null +++ b/queue-6.1/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch 
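Review bot: io_poll_add_hash() is added without a comment, and what a caller most needs to know is what `REQ_F_HASH_LOCKED` implies about locking. Judging by the `_locked` suffix, the flag presumably means the caller already holds the hash lock; a header such as `/* Hash the request; REQ_F_HASH_LOCKED selects the variant for callers that already hold the lock */` would record that, once confirmed against the two insert helpers, which are outside the hunk. In __io_arm_poll_handler the new call sits on the path where io_poll_can_finish_inline() failed, directly before `return 0`; a why-comment there, for example `/* must be hashed, or the request can no longer be found and leaks */`, would keep the reason from the commit message next to the code. __io_arm_poll_handler starts and ends outside the hunk.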
@@ -0,0 +1,81 @@ +From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Dec 2022 14:03:52 +0000 +Subject: KVM: arm64: Fix S1PTW handling on RO memslots + +From: Marc Zyngier + +commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream. + +A recent development on the EFI front has resulted in guests having +their page tables baked in the firmware binary, and mapped into the +IPA space as part of a read-only memslot. Not only is this legitimate, +but it also results in added security, so thumbs up. + +It is possible to take an S1PTW translation fault if the S1 PTs are +unmapped at stage-2. However, KVM unconditionally treats S1PTW as a +write to correctly handle hardware AF/DB updates to the S1 PTs. +Furthermore, KVM injects an exception into the guest for S1PTW writes. +In the aforementioned case this results in the guest taking an abort +it won't recover from, as the S1 PTs mapping the vectors suffer from +the same problem. + +So clearly our handling is... wrong. + +Instead, switch to a two-pronged approach: + +- On S1PTW translation fault, handle the fault as a read + +- On S1PTW permission fault, handle the fault as a write + +This is of no consequence to SW that *writes* to its PTs (the write +will trigger a non-S1PTW fault), and SW that uses RO PTs will not +use HW-assisted AF/DB anyway, as that'd be wrong. + +Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write +fault on S1PTW permission fault on instruction fetch") do we end-up +with two back-to-back faults (page being evicted and faulted back). +I don't think this is a case worth optimising for. 
+ +Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch") +Reviewed-by: Oliver Upton +Reviewed-by: Ard Biesheuvel +Regression-tested-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -373,8 +373,26 @@ static __always_inline int kvm_vcpu_sys_ + + static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + { +- if (kvm_vcpu_abt_iss1tw(vcpu)) +- return true; ++ if (kvm_vcpu_abt_iss1tw(vcpu)) { ++ /* ++ * Only a permission fault on a S1PTW should be ++ * considered as a write. Otherwise, page tables baked ++ * in a read-only memslot will result in an exception ++ * being delivered in the guest. ++ * ++ * The drawback is that we end-up faulting twice if the ++ * guest is using any of HW AF/DB: a translation fault ++ * to map the page containing the PT (read only at ++ * first), then a permission fault to allow the flags ++ * to be set. ++ */ ++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) { ++ case ESR_ELx_FSC_PERM: ++ return true; ++ default: ++ return false; ++ } ++ } + + if (kvm_vcpu_trap_is_iabt(vcpu)) + return false; diff --git a/queue-6.1/kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch b/queue-6.1/kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch new file mode 100644 index 00000000000..76b6709f641 --- /dev/null +++ b/queue-6.1/kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch 
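Review bot: The `switch` added to kvm_is_write_fault has one `case` and a `default`, so it is an equality test written the long way. `return kvm_vcpu_trap_get_fault_type(vcpu) == ESR_ELx_FSC_PERM;` placed under the existing block comment says the same thing in one line. If the switch is kept because more fault types are expected to count as writes later, a remark to that effect in the comment would explain the shape. The function continues outside the hunk.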
@@ -0,0 +1,115 @@ +From 45e966fcca03ecdcccac7cb236e16eea38cc18af Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Sat, 22 Oct 2022 04:17:53 -0400 +Subject: KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID + +From: Paolo Bonzini + +commit 45e966fcca03ecdcccac7cb236e16eea38cc18af upstream. + +Passing the host topology to the guest is almost certainly wrong +and will confuse the scheduler. In addition, several fields of +these CPUID leaves vary on each processor; it is simply impossible to +return the right values from KVM_GET_SUPPORTED_CPUID in such a way that +they can be passed to KVM_SET_CPUID2. + +The values that will most likely prevent confusion are all zeroes. +Userspace will have to override it anyway if it wishes to present a +specific topology to the guest. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/virt/kvm/api.rst | 14 ++++++++++++++ + arch/x86/kvm/cpuid.c | 32 ++++++++++++++++---------------- + 2 files changed, 30 insertions(+), 16 deletions(-) + +--- a/Documentation/virt/kvm/api.rst ++++ b/Documentation/virt/kvm/api.rst +@@ -8248,6 +8248,20 @@ CPU[EAX=1]:ECX[24] (TSC_DEADLINE) is not + It can be enabled if ``KVM_CAP_TSC_DEADLINE_TIMER`` is present and the kernel + has enabled in-kernel emulation of the local APIC. + ++CPU topology ++~~~~~~~~~~~~ ++ ++Several CPUID values include topology information for the host CPU: ++0x0b and 0x1f for Intel systems, 0x8000001e for AMD systems. Different ++versions of KVM return different values for this information and userspace ++should not rely on it. Currently they return all zeroes. ++ ++If userspace wishes to set up a guest topology, it should be careful that ++the values of these three leaves differ for each CPU. 
In particular, ++the APIC ID is found in EDX for all subleaves of 0x0b and 0x1f, and in EAX ++for 0x8000001e; the latter also encodes the core id and node id in bits ++7:0 of EBX and ECX respectively. ++ + Obsolete ioctls and capabilities + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -759,16 +759,22 @@ struct kvm_cpuid_array { + int nent; + }; + ++static struct kvm_cpuid_entry2 *get_next_cpuid(struct kvm_cpuid_array *array) ++{ ++ if (array->nent >= array->maxnent) ++ return NULL; ++ ++ return &array->entries[array->nent++]; ++} ++ + static struct kvm_cpuid_entry2 *do_host_cpuid(struct kvm_cpuid_array *array, + u32 function, u32 index) + { +- struct kvm_cpuid_entry2 *entry; ++ struct kvm_cpuid_entry2 *entry = get_next_cpuid(array); + +- if (array->nent >= array->maxnent) ++ if (!entry) + return NULL; + +- entry = &array->entries[array->nent++]; +- + memset(entry, 0, sizeof(*entry)); + entry->function = function; + entry->index = index; +@@ -945,22 +951,13 @@ static inline int __do_cpuid_func(struct + entry->edx = edx.full; + break; + } +- /* +- * Per Intel's SDM, the 0x1f is a superset of 0xb, +- * thus they can be handled by common code. +- */ + case 0x1f: + case 0xb: + /* +- * Populate entries until the level type (ECX[15:8]) of the +- * previous entry is zero. Note, CPUID EAX.{0x1f,0xb}.0 is +- * the starting entry, filled by the primary do_host_cpuid(). ++ * No topology; a valid topology is indicated by the presence ++ * of subleaf 1. + */ +- for (i = 1; entry->ecx & 0xff00; ++i) { +- entry = do_host_cpuid(array, function, i); +- if (!entry) +- goto out; +- } ++ entry->eax = entry->ebx = entry->ecx = 0; + break; + case 0xd: { + u64 permitted_xcr0 = kvm_caps.supported_xcr0 & xstate_get_guest_group_perm(); +@@ -1193,6 +1190,9 @@ static inline int __do_cpuid_func(struct + entry->ebx = entry->ecx = entry->edx = 0; + break; + case 0x8000001e: ++ /* Do not return host topology information. 
*/ ++ entry->eax = entry->ebx = entry->ecx = 0; ++ entry->edx = 0; /* reserved */ + break; + case 0x8000001F: + if (!kvm_cpu_cap_has(X86_FEATURE_SEV)) { diff --git a/queue-6.1/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch b/queue-6.1/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch new file mode 100644 index 00000000000..dfeaa5f4b7e --- /dev/null +++ b/queue-6.1/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch @@ -0,0 +1,37 @@ +From ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 Mon Sep 17 00:00:00 2001 +From: Noor Azura Ahmad Tarmizi +Date: Wed, 11 Jan 2023 13:02:00 +0800 +Subject: net: stmmac: add aux timestamps fifo clearance wait + +From: Noor Azura Ahmad Tarmizi + +commit ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 upstream. + +Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit +(ATSFC) to clear. This is to ensure no residue fifo value is being read +erroneously. + +Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping") +Cc: # 5.10.x +Signed-off-by: Noor Azura Ahmad Tarmizi +Link: https://lore.kernel.org/r/20230111050200.2130-1-noor.azura.ahmad.tarmizi@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -219,7 +219,10 @@ static int stmmac_enable(struct ptp_cloc + } + writel(acr_value, ptpaddr + PTP_ACR); + mutex_unlock(&priv->aux_ts_lock); +- ret = 0; ++ /* wait for auxts fifo clear to finish */ ++ ret = readl_poll_timeout(ptpaddr + PTP_ACR, acr_value, ++ !(acr_value & PTP_ACR_ATSFC), ++ 10, 10000); + break; + + default: 
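Review bot: In the `case 0x1f:` / `case 0xb:` branch of __do_cpuid_func only EAX, EBX and ECX are cleared, so EDX keeps whatever the primary do_host_cpuid() call stored, while the api.rst text added by this same patch says these leaves "return all zeroes" and that EDX holds the APIC ID for 0x0b and 0x1f. The 0x8000001e branch does clear EDX explicitly. Unless EDX is zeroed somewhere outside the hunk, either clear it here too, `entry->eax = entry->ebx = entry->ecx = entry->edx = 0;`, or reword the documentation to say which register still reflects the host CPU the ioctl ran on. The function body starts and ends outside the hunk.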
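Review bot: The `10, 10000` arguments to readl_poll_timeout() in stmmac_enable are bare numbers, so a reader has to know the macro to see that they are a 10 us poll interval and a 10 ms timeout. Named constants, or extending the comment to `/* wait for auxts fifo clear to finish: poll every 10us, give up after 10ms */`, would make the units explicit. The poll result also becomes `ret` after PTP_ACR has already been written and `aux_ts_lock` released, so a timeout is reported for a configuration that was applied; if that is intended it deserves a sentence in the comment. stmmac_enable starts outside the hunk.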
diff --git a/queue-6.1/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch b/queue-6.1/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch new file mode 100644 index 00000000000..5f6133e63c3 --- /dev/null +++ b/queue-6.1/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch @@ -0,0 +1,37 @@ +From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 11 Jan 2023 17:07:33 +0100 +Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + +From: Pablo Neira Ayuso + +commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream. + +If the offset + length goes over the ethernet + vlan header, then the +length is adjusted to copy the bytes that are within the boundaries of +the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet + +vlan header are copied directly from the skbuff data area. + +Fix incorrect arithmetic operator: subtract, not add, the size of the +vlan header in case of double-tagged packets to adjust the length +accordingly to address CVE-2023-0179. + +Reported-by: Davide Ornaghi +Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_payload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const stru + return false; + + if (offset + len > VLAN_ETH_HLEN + vlan_hlen) +- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen; ++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen; + + memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen); + diff --git a/queue-6.1/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-6.1/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch new file mode 100644 index 00000000000..a4cf56afd1a 
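Review bot: The corrected line `ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;` restates the bound from the `if` directly above it in a different algebraic form, which is presumably how the sign error went unnoticed. Using the same grouping as the condition, `ethlen -= offset + len - (VLAN_ETH_HLEN + vlan_hlen);`, keeps the two expressions visibly in step. Since `ethlen` is the length passed to the `memcpy` from the `vlanh` scratch area, a one-line comment stating that it must never exceed the Ethernet plus VLAN header size would document the invariant this fix restores. nft_payload_copy_vlan starts and ends outside the hunk.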
--- /dev/null
+++ b/queue-6.1/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
@@ -0,0 +1,104 @@ +From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 10 Jan 2023 20:56:59 +0200 +Subject: perf auxtrace: Fix address filter duplicate symbol selection + +From: Adrian Hunter + +commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream. + +When a match has been made to the nth duplicate symbol, return +success not error. + +Example: + + Before: + + $ cat file.c + cat: file.c: No such file or directory + $ cat file1.c + #include + + static void func(void) + { + printf("First func\n"); + } + + void other(void); + + int main() + { + func(); + other(); + return 0; + } + $ cat file2.c + #include + + static void func(void) + { + printf("Second func\n"); + } + + void other(void) + { + func(); + } + + $ gcc -Wall -Wextra -o test file1.c file2.c + $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test + Multiple symbols with name 'func' + #1 0x1149 l func + which is near main + #2 0x1179 l func + which is near other + Disambiguate symbol name by inserting #n after the name e.g. func #2 + Or select a global symbol by inserting #0 or #g or #G + Failed to parse address filter: 'filter func @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + Failed to parse address filter: 'filter func #2 @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. 
+ + After: + + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + First func + Second func + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.016 MB perf.data ] + $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns + 1231062.526977619: tr strt 0 [unknown] => 558495708179 func + 1231062.526977619: tr end call 558495708188 func => 558495708050 _init + 1231062.526979286: tr strt 0 [unknown] => 55849570818d func + 1231062.526979286: tr end return 55849570818f func => 55849570819d other + +Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters") +Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com> +Signed-off-by: Adrian Hunter +Tested-by: Dmitry Dolgov <9erthalion6@gmail.com> +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/auxtrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -2610,7 +2610,7 @@ static int find_dso_sym(struct dso *dso, + *size = sym->start - *start; + if (idx > 0) { + if (*size) +- return 1; ++ return 0; + } else if (dso_sym_match(sym, sym_name, &cnt, idx)) { + print_duplicate_syms(dso, sym_name); + return -EINVAL; diff --git a/queue-6.1/revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch b/queue-6.1/revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch new file mode 100644 index 00000000000..d089ade93fe --- /dev/null +++ b/queue-6.1/revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch 
@@ -0,0 +1,40 @@ +From 16f1f838442dc6430d32d51ddda347b8421ec34b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 4 Jan 2023 16:09:44 +0100 +Subject: Revert "ALSA: usb-audio: Drop superfluous interface setup at parsing" + +From: Takashi Iwai + +commit 16f1f838442dc6430d32d51ddda347b8421ec34b upstream. + +This reverts commit ac5e2fb425e1121ceef2b9d1b3ffccc195d55707. + +The commit caused a regression on Behringer UMC404HD (and likely +others). As the change was meant only as a minor optimization, it's +better to revert it to address the regression. + +Reported-and-tested-by: Michael Ralston +Cc: +Link: https://lore.kernel.org/r/CAC2975JXkS1A5Tj9b02G_sy25ZWN-ys+tc9wmkoS=qPgKCogSg@mail.gmail.com +Link: https://lore.kernel.org/r/20230104150944.24918-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -1222,6 +1222,12 @@ static int __snd_usb_parse_audio_interfa + if (err < 0) + return err; + } ++ ++ /* try to set the interface... */ ++ usb_set_interface(chip->dev, iface_no, 0); ++ snd_usb_init_pitch(chip, fp); ++ snd_usb_init_sample_rate(chip, fp, fp->rate_max); ++ usb_set_interface(chip->dev, iface_no, altno); + } + return 0; + } diff --git a/queue-6.1/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch b/queue-6.1/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch new file mode 100644 index 00000000000..d141ac6b0cf --- /dev/null +++ b/queue-6.1/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch 
@@ -0,0 +1,345 @@ +From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 5 Jan 2023 15:44:20 +0100 +Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops + +From: Heiko Carstens + +commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream. + +The current cmpxchg_double() loops within the perf hw sampling code do not +have READ_ONCE() semantics to read the old value from memory. This allows +the compiler to generate code which reads the "old" value several times +from memory, which again allows for inconsistencies. + +For example: + + /* Reset trailer (using compare-double-and-swap) */ + do { + te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK; + te_flags |= SDB_TE_ALERT_REQ_MASK; + } while (!cmpxchg_double(&te->flags, &te->overflow, + te->flags, te->overflow, + te_flags, 0ULL)); + +The compiler could generate code where te->flags used within the +cmpxchg_double() call may be refetched from memory and which is not +necessarily identical to the previous read version which was used to +generate te_flags. Which in turn means that an incorrect update could +happen. + +Fix this by adding READ_ONCE() semantics to all cmpxchg_double() +loops. Given that READ_ONCE() cannot generate code on s390 which atomically +reads 16 bytes, use a private compare-and-swap-double implementation to +achieve that. + +Also replace cmpxchg_double() with the private implementation to be able to +re-use the old value within the loops. + +As a side effect this converts the whole code to only use bit fields +to read and modify bits within the hws trailer header. 
+ +Reported-by: Alexander Gordeev +Acked-by: Alexander Gordeev +Acked-by: Hendrik Brueckner +Reviewed-by: Thomas Richter +Cc: +Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333 +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cpu_mf.h | 31 +++++------- + arch/s390/kernel/perf_cpum_sf.c | 101 ++++++++++++++++++++++++---------------- + 2 files changed, 77 insertions(+), 55 deletions(-) + +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -131,19 +131,21 @@ struct hws_combined_entry { + struct hws_diag_entry diag; /* Diagnostic-sampling data entry */ + } __packed; + +-struct hws_trailer_entry { +- union { +- struct { +- unsigned int f:1; /* 0 - Block Full Indicator */ +- unsigned int a:1; /* 1 - Alert request control */ +- unsigned int t:1; /* 2 - Timestamp format */ +- unsigned int :29; /* 3 - 31: Reserved */ +- unsigned int bsdes:16; /* 32-47: size of basic SDE */ +- unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ +- }; +- unsigned long long flags; /* 0 - 63: All indicators */ ++union hws_trailer_header { ++ struct { ++ unsigned int f:1; /* 0 - Block Full Indicator */ ++ unsigned int a:1; /* 1 - Alert request control */ ++ unsigned int t:1; /* 2 - Timestamp format */ ++ unsigned int :29; /* 3 - 31: Reserved */ ++ unsigned int bsdes:16; /* 32-47: size of basic SDE */ ++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ ++ unsigned long long overflow; /* 64 - Overflow Count */ + }; +- unsigned long long overflow; /* 64 - sample Overflow count */ ++ __uint128_t val; ++}; ++ ++struct hws_trailer_entry { ++ union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count */ + unsigned char timestamp[16]; /* 16 - 31 timestamp */ + unsigned long long reserved1; /* 32 -Reserved */ + unsigned long long reserved2; /* */ +@@ -290,14 +292,11 @@ static inline unsigned long sample_rate_ + return USEC_PER_SEC * qsi->cpu_speed / 
rate; + } + +-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL +-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL +- + /* Return TOD timestamp contained in an trailer entry */ + static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te) + { + /* TOD in STCKE format */ +- if (te->t) ++ if (te->header.t) + return *((unsigned long long *) &te->timestamp[1]); + + /* TOD in STCK format */ +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct + + static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags) + { +- unsigned long sdb, *trailer; ++ struct hws_trailer_entry *te; ++ unsigned long sdb; + + /* Allocate and initialize sample-data-block */ + sdb = get_zeroed_page(gfp_flags); + if (!sdb) + return -ENOMEM; +- trailer = trailer_entry_ptr(sdb); +- *trailer = SDB_TE_ALERT_REQ_MASK; ++ te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb); ++ te->header.a = 1; + + /* Link SDB into the sample-data-block-table */ + *sdbt = sdb; +@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe + "%s: Found unknown" + " sampling data entry: te->f %i" + " basic.def %#4x (%p)\n", __func__, +- te->f, sample->def, sample); ++ te->header.f, sample->def, sample); + /* Sample slot is not yet written or other record. + * + * This condition can occur if the buffer was reused +@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe + * that are not full. Stop processing if the first + * invalid format was detected. 
+ */ +- if (!te->f) ++ if (!te->header.f) + break; + } + +@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe + } + } + ++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new) ++{ ++ asm volatile( ++ " cdsg %[old],%[new],%[ptr]\n" ++ : [old] "+d" (old), [ptr] "+QS" (*ptr) ++ : [new] "d" (new) ++ : "memory", "cc"); ++ return old; ++} ++ + /* hw_perf_event_update() - Process sampling buffer + * @event: The perf event + * @flush_all: Flag to also flush partially filled sample-data-blocks +@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe + */ + static void hw_perf_event_update(struct perf_event *event, int flush_all) + { ++ unsigned long long event_overflow, sampl_overflow, num_sdb; ++ union hws_trailer_header old, prev, new; + struct hw_perf_event *hwc = &event->hw; + struct hws_trailer_entry *te; + unsigned long *sdbt; +- unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags; + int done; + + /* +@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct + te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt); + + /* Leave loop if no more work to do (block full indicator) */ +- if (!te->f) { ++ if (!te->header.f) { + done = 1; + if (!flush_all) + break; + } + + /* Check the sample overflow count */ +- if (te->overflow) ++ if (te->header.overflow) + /* Account sample overflows and, if a particular limit + * is reached, extend the sampling buffer. + * For details, see sfb_account_overflows(). + */ +- sampl_overflow += te->overflow; ++ sampl_overflow += te->header.overflow; + + /* Timestamps are valid for full sample-data-blocks only */ + debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx " + "overflow %llu timestamp %#llx\n", +- __func__, (unsigned long)sdbt, te->overflow, +- (te->f) ? trailer_timestamp(te) : 0ULL); ++ __func__, (unsigned long)sdbt, te->header.overflow, ++ (te->header.f) ? 
trailer_timestamp(te) : 0ULL); + + /* Collect all samples from a single sample-data-block and + * flag if an (perf) event overflow happened. If so, the PMU +@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct + num_sdb++; + + /* Reset trailer (using compare-double-and-swap) */ ++ /* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK; +- te_flags |= SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- te->flags, te->overflow, +- te_flags, 0ULL)); ++ old.val = prev.val; ++ new.val = prev.val; ++ new.f = 0; ++ new.a = 1; ++ new.overflow = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + + /* Advance to next sample-data-block */ + sdbt++; +@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o + range_scan = AUX_SDB_NUM_ALERT(aux); + for (i = 0, idx = aux->head; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); +- if (!(te->flags & SDB_TE_BUFFER_FULL_MASK)) ++ if (!te->header.f) + break; + } + /* i is num of SDBs which are full */ +@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o + + /* Remove alert indicators in the buffer */ + te = aux_sdb_trailer(aux, aux->alert_mark); +- te->flags &= ~SDB_TE_ALERT_REQ_MASK; ++ te->header.a = 0; + + debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n", + __func__, i, range_scan, aux->head); +@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_ + idx = aux->empty_mark + 1; + for (i = 0; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); +- te->flags &= ~(SDB_TE_BUFFER_FULL_MASK | +- SDB_TE_ALERT_REQ_MASK); +- te->overflow = 0; ++ te->header.f = 0; ++ te->header.a = 0; ++ te->header.overflow = 0; + } + /* Save the position of empty SDBs */ + aux->empty_mark = aux->head + range - 1; +@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_ + /* Set alert indicator */ + aux->alert_mark = 
aux->head + range/2 - 1; + te = aux_sdb_trailer(aux, aux->alert_mark); +- te->flags = te->flags | SDB_TE_ALERT_REQ_MASK; ++ te->header.a = 1; + + /* Reset hardware buffer head */ + head = AUX_SDB_INDEX(aux, aux->head); +@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_ + static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index, + unsigned long long *overflow) + { +- unsigned long long orig_overflow, orig_flags, new_flags; ++ union hws_trailer_header old, prev, new; + struct hws_trailer_entry *te; + + te = aux_sdb_trailer(aux, alert_index); ++ /* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- orig_flags = te->flags; +- *overflow = orig_overflow = te->overflow; +- if (orig_flags & SDB_TE_BUFFER_FULL_MASK) { ++ old.val = prev.val; ++ new.val = prev.val; ++ *overflow = old.overflow; ++ if (old.f) { + /* + * SDB is already set by hardware. + * Abort and try to set somewhere +@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf + */ + return false; + } +- new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- orig_flags, orig_overflow, +- new_flags, 0ULL)); ++ new.a = 1; ++ new.overflow = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + return true; + } + +@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf + static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range, + unsigned long long *overflow) + { +- unsigned long long orig_overflow, orig_flags, new_flags; + unsigned long i, range_scan, idx, idx_old; ++ union hws_trailer_header old, prev, new; ++ unsigned long long orig_overflow; + struct hws_trailer_entry *te; + + debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld " +@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_ + idx_old = idx = aux->empty_mark + 1; + for (i = 0; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); ++ 
/* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- orig_flags = te->flags; +- orig_overflow = te->overflow; +- new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK; ++ old.val = prev.val; ++ new.val = prev.val; ++ orig_overflow = old.overflow; ++ new.f = 0; ++ new.overflow = 0; + if (idx == aux->alert_mark) +- new_flags |= SDB_TE_ALERT_REQ_MASK; ++ new.a = 1; + else +- new_flags &= ~SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- orig_flags, orig_overflow, +- new_flags, 0ULL)); ++ new.a = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + *overflow += orig_overflow; + } + diff --git a/queue-6.1/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-6.1/s390-kexec-fix-ipl-report-address-for-kdump.patch new file mode 100644 index 00000000000..44d83ae620c --- /dev/null +++ b/queue-6.1/s390-kexec-fix-ipl-report-address-for-kdump.patch 
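Review bot: The new `__cdsg()` helper in perf_cpum_sf.c has no comment, and its contract is easy to misread at the call sites: it returns the value found in memory (equal to `old` only when the swap happened), and the `__cdsg(&te->header.val, 0, 0)` calls labelled `/* READ_ONCE() 16 byte header */` use the compare-and-swap purely as an atomic 16-byte load. As far as I know the CDSG instruction also requires a quadword-aligned memory operand, which nothing in `union hws_trailer_header` states; the visible callers all pass a trailer-entry pointer, so this is presumably satisfied, but it should be written down. I would put `/* Atomically compare-and-swap the 16 bytes at *ptr (must be 16-byte aligned); returns the previous contents, which equal old on success. */` above the helper. Separately, `aux_output_end()` and `aux_output_begin()` still update `te->header.a`, `f` and `overflow` with plain bit-field stores, matching the old non-atomic `te->flags &= ...` code; a one-line comment on why those paths need no cdsg loop would help the next reader.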
@@ -0,0 +1,60 @@
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc:
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik
+Signed-off-by: Alexander Egorenkov
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/machine_kexec_file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -187,8 +187,6 @@ static int kexec_file_add_ipl_report(str
+
+ data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+ buf.mem = data->memsz;
+- if (image->type == KEXEC_TYPE_CRASH)
+- buf.mem += crashk_res.start;
+
+ ptr = (void *)ipl_cert_list_addr;
+ end = ptr + ipl_cert_list_size;
+@@ -225,6 +223,9 @@ static int kexec_file_add_ipl_report(str
+ data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+ *lc_ipl_parmblock_ptr = (__u32)buf.mem;
+
++ if (image->type == KEXEC_TYPE_CRASH)
++ buf.mem += crashk_res.start;
++
+ ret = kexec_add_buffer(&buf);
+ out:
+ return ret;
diff --git a/queue-6.1/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-6.1/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
new file mode 100644
index 00000000000..99c0ce2dd33
--- /dev/null
+++ b/queue-6.1/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
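Review bot: The relocated `if (image->type == KEXEC_TYPE_CRASH) buf.mem += crashk_res.start;` in `kexec_file_add_ipl_report` is now correct only because it sits between the `*lc_ipl_parmblock_ptr = (__u32)buf.mem;` store and `kexec_add_buffer(&buf)`, and nothing in the code records that ordering constraint. The commit message explains it: lowcore must carry the address that is valid after purgatory swaps the regions, while the buffer itself is loaded into crashkernel memory. Without a comment the statement looks free to move back up, which per the description would again have the kdump decompressor parse an IPL report at the wrong address on Secure IPL systems. I would add `/* lowcore holds the post-swap address; only the load address is offset into crashkernel */` above the `if`. The function body starts and ends outside the hunk.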
@@ -0,0 +1,32 @@
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc:
+Reviewed-by: Alexander Gordeev
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/percpu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+ pcp_op_T__ *ptr__; \
+ preempt_disable_notrace(); \
+ ptr__ = raw_cpu_ptr(&(pcp)); \
+- prev__ = *ptr__; \
++ prev__ = READ_ONCE(*ptr__); \
+ do { \
+ old__ = prev__; \
+ new__ = old__ op (val); \
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644
index 00000000000..2e19875aef0
--- /dev/null
+++ b/queue-6.1/series
@@ -0,0 +1,35 @@
+netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
+revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch
+alsa-control-led-use-strscpy-in-set_led_id.patch
+alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch
+alsa-hda-realtek-turn-on-power-early.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
+kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch
+arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch
+arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch
+arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch
+acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch
+net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch
+asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
+elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch
+cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch
+s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
+drm-virtio-fix-gem-handle-creation-uaf.patch
+drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch
+drm-optimize-drm-buddy-top-down-allocation-method.patch
+drm-i915-gt-reset-twice.patch
+drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch
+drm-i915-fix-potential-context-uafs.patch
+drm-amd-delay-removal-of-the-firmware-framebuffer.patch
+drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch
+drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch
+drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch