From: Greg Kroah-Hartman Date: Tue, 27 Aug 2024 12:52:15 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.107~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5a12c2d5a376889506784634fb5b779683d6f55d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-timer-relax-start-tick-time-check-for-slave-timer-elements.patch bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch drm-amdgpu-vcn-identify-unified-queue-in-sw-init.patch drm-amdgpu-vcn-not-pause-dpg-for-unified-queue.patch ksmbd-fix-race-condition-between-destroy_previous_session-and-smb2-operations.patch mm-numa-no-task_numa_fault-call-if-pmd-is-changed.patch mm-numa-no-task_numa_fault-call-if-pte-is-changed.patch net-ngbe-fix-phy-mode-set-to-external-phy.patch nfsd-simplify-error-paths-in-nfsd_svc.patch selftests-bpf-add-a-test-to-verify-previous-stacksafe-fix.patch --- diff --git a/queue-6.6/alsa-timer-relax-start-tick-time-check-for-slave-timer-elements.patch b/queue-6.6/alsa-timer-relax-start-tick-time-check-for-slave-timer-elements.patch new file mode 100644 index 00000000000..8ca96780a47 --- /dev/null +++ b/queue-6.6/alsa-timer-relax-start-tick-time-check-for-slave-timer-elements.patch @@ -0,0 +1,38 @@ +From ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 10 Aug 2024 10:48:32 +0200 +Subject: ALSA: timer: Relax start tick time check for slave timer elements + +From: Takashi Iwai + +commit ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 upstream. + +The recent addition of a sanity check for a too low start tick time +seems breaking some applications that uses aloop with a certain slave +timer setup. They may have the initial resolution 0, hence it's +treated as if it were a too low value. + +Relax and skip the check for the slave timer instance for addressing +the regression. + +Fixes: 4a63bd179fa8 ("ALSA: timer: Set lower bound of start tick time") +Cc: +Link: https://github.com/raspberrypi/linux/issues/6294 +Link: https://patch.msgid.link/20240810084833.10939-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -556,7 +556,7 @@ static int snd_timer_start1(struct snd_t + /* check the actual time for the start tick; + * bail out as error if it's way too low (< 100us) + */ +- if (start) { ++ if (start && !(timer->hw.flags & SNDRV_TIMER_HW_SLAVE)) { + if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) { + result = -EINVAL; + goto unlock; diff --git a/queue-6.6/bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch b/queue-6.6/bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch new file mode 100644 index 00000000000..fb5da3606a0 --- /dev/null +++ b/queue-6.6/bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch @@ -0,0 +1,56 @@ +From bed2eb964c70b780fb55925892a74f26cb590b25 Mon Sep 17 00:00:00 2001 +From: Yonghong Song +Date: Mon, 12 Aug 2024 14:48:47 -0700 +Subject: bpf: Fix a kernel verifier crash in stacksafe() + +From: Yonghong Song + +commit bed2eb964c70b780fb55925892a74f26cb590b25 upstream. + +Daniel Hodges reported a kernel verifier crash when playing with sched-ext. +Further investigation shows that the crash is due to invalid memory access +in stacksafe(). More specifically, it is the following code: + + if (exact != NOT_EXACT && + old->stack[spi].slot_type[i % BPF_REG_SIZE] != + cur->stack[spi].slot_type[i % BPF_REG_SIZE]) + return false; + +The 'i' iterates old->allocated_stack. +If cur->allocated_stack < old->allocated_stack the out-of-bound +access will happen. + +To fix the issue add 'i >= cur->allocated_stack' check such that if +the condition is true, stacksafe() should fail. Otherwise, +cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. + +Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") +Cc: Eduard Zingerman +Reported-by: Daniel Hodges +Acked-by: Eduard Zingerman +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +[ shung-hsi.yu: "exact" variable is bool instead enum because commit + 4f81c16f50ba ("bpf: Recognize that two registers are safe when their + ranges match") is not present. ] +Signed-off-by: Shung-Hsi Yu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -16124,8 +16124,9 @@ static bool stacksafe(struct bpf_verifie + spi = i / BPF_REG_SIZE; + + if (exact && +- old->stack[spi].slot_type[i % BPF_REG_SIZE] != +- cur->stack[spi].slot_type[i % BPF_REG_SIZE]) ++ (i >= cur->allocated_stack || ++ old->stack[spi].slot_type[i % BPF_REG_SIZE] != ++ cur->stack[spi].slot_type[i % BPF_REG_SIZE])) + return false; + + if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) { diff --git a/queue-6.6/drm-amdgpu-vcn-identify-unified-queue-in-sw-init.patch b/queue-6.6/drm-amdgpu-vcn-identify-unified-queue-in-sw-init.patch new file mode 100644 index 00000000000..eb01fa5947d --- /dev/null +++ b/queue-6.6/drm-amdgpu-vcn-identify-unified-queue-in-sw-init.patch @@ -0,0 +1,171 @@ +From ecfa23c8df7ef3ea2a429dfe039341bf792e95b4 Mon Sep 17 00:00:00 2001 +From: Boyuan Zhang +Date: Thu, 11 Jul 2024 16:19:54 -0400 +Subject: drm/amdgpu/vcn: identify unified queue in sw init + +From: Boyuan Zhang + +commit ecfa23c8df7ef3ea2a429dfe039341bf792e95b4 upstream. + +Determine whether VCN using unified queue in sw_init, instead of calling +functions later on. + +v2: fix coding style + +Signed-off-by: Boyuan Zhang +Acked-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 39 ++++++++++++-------------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + 2 files changed, 16 insertions(+), 24 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c +@@ -135,6 +135,10 @@ int amdgpu_vcn_sw_init(struct amdgpu_dev + } + } + ++ /* from vcn4 and above, only unified queue is used */ ++ adev->vcn.using_unified_queue = ++ adev->ip_versions[UVD_HWIP][0] >= IP_VERSION(4, 0, 0); ++ + hdr = (const struct common_firmware_header *)adev->vcn.fw->data; + adev->vcn.fw_version = le32_to_cpu(hdr->ucode_version); + +@@ -259,18 +263,6 @@ int amdgpu_vcn_sw_fini(struct amdgpu_dev + return 0; + } + +-/* from vcn4 and above, only unified queue is used */ +-static bool amdgpu_vcn_using_unified_queue(struct amdgpu_ring *ring) +-{ +- struct amdgpu_device *adev = ring->adev; +- bool ret = false; +- +- if (adev->ip_versions[UVD_HWIP][0] >= IP_VERSION(4, 0, 0)) +- ret = true; +- +- return ret; +-} +- + bool amdgpu_vcn_is_disabled_vcn(struct amdgpu_device *adev, enum vcn_ring_type type, uint32_t vcn_instance) + { + bool ret = false; +@@ -707,12 +699,11 @@ static int amdgpu_vcn_dec_sw_send_msg(st + struct amdgpu_job *job; + struct amdgpu_ib *ib; + uint64_t addr = AMDGPU_GPU_PAGE_ALIGN(ib_msg->gpu_addr); +- bool sq = amdgpu_vcn_using_unified_queue(ring); + uint32_t *ib_checksum; + uint32_t ib_pack_in_dw; + int i, r; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + ib_size_dw += 8; + + r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL, +@@ -725,7 +716,7 @@ static int amdgpu_vcn_dec_sw_send_msg(st + ib->length_dw = 0; + + /* single queue headers */ +- if (sq) { ++ if (adev->vcn.using_unified_queue) { + ib_pack_in_dw = sizeof(struct amdgpu_vcn_decode_buffer) / sizeof(uint32_t) + + 4 + 2; /* engine info + decoding ib in dw */ + ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, ib_pack_in_dw, false); +@@ -744,7 +735,7 @@ static int amdgpu_vcn_dec_sw_send_msg(st + for (i = ib->length_dw; i < ib_size_dw; ++i) + ib->ptr[i] = 0x0; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, ib_pack_in_dw); + + r = amdgpu_job_submit_direct(job, ring, &f); +@@ -834,15 +825,15 @@ static int amdgpu_vcn_enc_get_create_msg + struct dma_fence **fence) + { + unsigned int ib_size_dw = 16; ++ struct amdgpu_device *adev = ring->adev; + struct amdgpu_job *job; + struct amdgpu_ib *ib; + struct dma_fence *f = NULL; + uint32_t *ib_checksum = NULL; + uint64_t addr; +- bool sq = amdgpu_vcn_using_unified_queue(ring); + int i, r; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + ib_size_dw += 8; + + r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL, +@@ -856,7 +847,7 @@ static int amdgpu_vcn_enc_get_create_msg + + ib->length_dw = 0; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, 0x11, true); + + ib->ptr[ib->length_dw++] = 0x00000018; +@@ -878,7 +869,7 @@ static int amdgpu_vcn_enc_get_create_msg + for (i = ib->length_dw; i < ib_size_dw; ++i) + ib->ptr[i] = 0x0; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, 0x11); + + r = amdgpu_job_submit_direct(job, ring, &f); +@@ -901,15 +892,15 @@ static int amdgpu_vcn_enc_get_destroy_ms + struct dma_fence **fence) + { + unsigned int ib_size_dw = 16; ++ struct amdgpu_device *adev = ring->adev; + struct amdgpu_job *job; + struct amdgpu_ib *ib; + struct dma_fence *f = NULL; + uint32_t *ib_checksum = NULL; + uint64_t addr; +- bool sq = amdgpu_vcn_using_unified_queue(ring); + int i, r; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + ib_size_dw += 8; + + r = amdgpu_job_alloc_with_ib(ring->adev, NULL, NULL, +@@ -923,7 +914,7 @@ static int amdgpu_vcn_enc_get_destroy_ms + + ib->length_dw = 0; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + ib_checksum = amdgpu_vcn_unified_ring_ib_header(ib, 0x11, true); + + ib->ptr[ib->length_dw++] = 0x00000018; +@@ -945,7 +936,7 @@ static int amdgpu_vcn_enc_get_destroy_ms + for (i = ib->length_dw; i < ib_size_dw; ++i) + ib->ptr[i] = 0x0; + +- if (sq) ++ if (adev->vcn.using_unified_queue) + amdgpu_vcn_unified_ring_ib_checksum(&ib_checksum, 0x11); + + r = amdgpu_job_submit_direct(job, ring, &f); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h +@@ -284,6 +284,7 @@ struct amdgpu_vcn { + + uint16_t inst_mask; + uint8_t num_inst_per_aid; ++ bool using_unified_queue; + }; + + struct amdgpu_fw_shared_rb_ptrs_struct { diff --git a/queue-6.6/drm-amdgpu-vcn-not-pause-dpg-for-unified-queue.patch b/queue-6.6/drm-amdgpu-vcn-not-pause-dpg-for-unified-queue.patch new file mode 100644 index 00000000000..d57c71b21f1 --- /dev/null +++ b/queue-6.6/drm-amdgpu-vcn-not-pause-dpg-for-unified-queue.patch @@ -0,0 +1,65 @@ +From 7d75ef3736a025db441be652c8cc8e84044a215f Mon Sep 17 00:00:00 2001 +From: Boyuan Zhang +Date: Wed, 10 Jul 2024 16:17:12 -0400 +Subject: drm/amdgpu/vcn: not pause dpg for unified queue + +From: Boyuan Zhang + +commit 7d75ef3736a025db441be652c8cc8e84044a215f upstream. + +For unified queue, DPG pause for encoding is done inside VCN firmware, +so there is no need to pause dpg based on ring type in kernel. + +For VCN3 and below, pausing DPG for encoding in kernel is still needed. + +v2: add more comments +v3: update commit message + +Signed-off-by: Boyuan Zhang +Acked-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c +@@ -372,7 +372,9 @@ static void amdgpu_vcn_idle_work_handler + for (i = 0; i < adev->vcn.num_enc_rings; ++i) + fence[j] += amdgpu_fence_count_emitted(&adev->vcn.inst[j].ring_enc[i]); + +- if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG) { ++ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */ ++ if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG && ++ !adev->vcn.using_unified_queue) { + struct dpg_pause_state new_state; + + if (fence[j] || +@@ -418,7 +420,9 @@ void amdgpu_vcn_ring_begin_use(struct am + amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VCN, + AMD_PG_STATE_UNGATE); + +- if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG) { ++ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */ ++ if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG && ++ !adev->vcn.using_unified_queue) { + struct dpg_pause_state new_state; + + if (ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) { +@@ -444,8 +448,12 @@ void amdgpu_vcn_ring_begin_use(struct am + + void amdgpu_vcn_ring_end_use(struct amdgpu_ring *ring) + { ++ struct amdgpu_device *adev = ring->adev; ++ ++ /* Only set DPG pause for VCN3 or below, VCN4 and above will be handled by FW */ + if (ring->adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG && +- ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC && ++ !adev->vcn.using_unified_queue) + atomic_dec(&ring->adev->vcn.inst[ring->me].dpg_enc_submission_cnt); + + atomic_dec(&ring->adev->vcn.total_submission_cnt); diff --git a/queue-6.6/ksmbd-fix-race-condition-between-destroy_previous_session-and-smb2-operations.patch b/queue-6.6/ksmbd-fix-race-condition-between-destroy_previous_session-and-smb2-operations.patch new file mode 100644 index 00000000000..8485353be96 --- /dev/null +++ b/queue-6.6/ksmbd-fix-race-condition-between-destroy_previous_session-and-smb2-operations.patch @@ -0,0 +1,126 @@ +From 9e0a3d39a36f80fd39b5ec2f943b9514bba1e9bd Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 27 Aug 2024 09:27:56 +0900 +Subject: ksmbd: fix race condition between destroy_previous_session() and smb2 operations() + +From: Namjae Jeon + +[ Upstream commit 76e98a158b207771a6c9a0de0a60522a446a3447 ] + +If there is ->PreviousSessionId field in the session setup request, +The session of the previous connection should be destroyed. +During this, if the smb2 operation requests in the previous session are +being processed, a racy issue could happen with ksmbd_destroy_file_table(). +This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block +incoming operations and waits until on-going operations are complete +(i.e. idle) before desctorying the previous session. + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Cc: stable@vger.kernel.org # v6.6+ +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25040 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.c | 34 +++++++++++++++++++++++++++++++++- + fs/smb/server/connection.h | 3 ++- + fs/smb/server/mgmt/user_session.c | 8 ++++++++ + fs/smb/server/smb2pdu.c | 2 +- + 4 files changed, 44 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/connection.c ++++ b/fs/smb/server/connection.c +@@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_ + up_read(&conn_list_lock); + } + +-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id) ++void ksmbd_conn_wait_idle(struct ksmbd_conn *conn) + { + wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2); + } + ++int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) ++{ ++ struct ksmbd_conn *conn; ++ int rc, retry_count = 0, max_timeout = 120; ++ int rcount = 1; ++ ++retry_idle: ++ if (retry_count >= max_timeout) ++ return -EIO; ++ ++ down_read(&conn_list_lock); ++ list_for_each_entry(conn, &conn_list, conns_list) { ++ if (conn->binding || xa_load(&conn->sessions, sess_id)) { ++ if (conn == curr_conn) ++ rcount = 2; ++ if (atomic_read(&conn->req_running) >= rcount) { ++ rc = wait_event_timeout(conn->req_running_q, ++ atomic_read(&conn->req_running) < rcount, ++ HZ); ++ if (!rc) { ++ up_read(&conn_list_lock); ++ retry_count++; ++ goto retry_idle; ++ } ++ } ++ } ++ } ++ up_read(&conn_list_lock); ++ ++ return 0; ++} ++ + int ksmbd_conn_write(struct ksmbd_work *work) + { + struct ksmbd_conn *conn = work->conn; +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -145,7 +145,8 @@ extern struct list_head conn_list; + extern struct rw_semaphore conn_list_lock; + + bool ksmbd_conn_alive(struct ksmbd_conn *conn); +-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id); ++void ksmbd_conn_wait_idle(struct ksmbd_conn *conn); ++int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id); + struct ksmbd_conn *ksmbd_conn_alloc(void); + void ksmbd_conn_free(struct ksmbd_conn *conn); + bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c); +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -310,6 +310,7 @@ void destroy_previous_session(struct ksm + { + struct ksmbd_session *prev_sess; + struct ksmbd_user *prev_user; ++ int err; + + down_write(&sessions_table_lock); + down_write(&conn->session_lock); +@@ -324,8 +325,15 @@ void destroy_previous_session(struct ksm + memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) + goto out; + ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); ++ err = ksmbd_conn_wait_idle_sess_id(conn, id); ++ if (err) { ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ++ goto out; ++ } + ksmbd_destroy_file_table(&prev_sess->file_table); + prev_sess->state = SMB2_SESSION_EXPIRED; ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); + out: + up_write(&conn->session_lock); + up_write(&sessions_table_lock); +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2210,7 +2210,7 @@ int smb2_session_logoff(struct ksmbd_wor + ksmbd_conn_unlock(conn); + + ksmbd_close_session_fds(work); +- ksmbd_conn_wait_idle(conn, sess_id); ++ ksmbd_conn_wait_idle(conn); + + /* + * Re-lookup session to validate if session is deleted diff --git a/queue-6.6/mm-numa-no-task_numa_fault-call-if-pmd-is-changed.patch b/queue-6.6/mm-numa-no-task_numa_fault-call-if-pmd-is-changed.patch new file mode 100644 index 00000000000..40527014f7d --- /dev/null +++ b/queue-6.6/mm-numa-no-task_numa_fault-call-if-pmd-is-changed.patch @@ -0,0 +1,94 @@ +From fd8c35a92910f4829b7c99841f39b1b952c259d5 Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Fri, 9 Aug 2024 10:59:05 -0400 +Subject: mm/numa: no task_numa_fault() call if PMD is changed + +From: Zi Yan + +commit fd8c35a92910f4829b7c99841f39b1b952c259d5 upstream. + +When handling a numa page fault, task_numa_fault() should be called by a +process that restores the page table of the faulted folio to avoid +duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA +fault handling") restructured do_huge_pmd_numa_page() and did not avoid +task_numa_fault() call in the second page table check after a numa +migration failure. Fix it by making all !pmd_same() return immediately. + +This issue can cause task_numa_fault() being called more than necessary +and lead to unexpected numa balancing results (It is hard to tell whether +the issue will cause positive or negative performance impact due to +duplicated numa fault counting). + +Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com +Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling") +Reported-by: "Huang, Ying" +Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.intel.com/ +Signed-off-by: Zi Yan +Acked-by: David Hildenbrand +Cc: Baolin Wang +Cc: "Huang, Ying" +Cc: Kefeng Wang +Cc: Mel Gorman +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1504,7 +1504,7 @@ vm_fault_t do_huge_pmd_numa_page(struct + vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); + if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { + spin_unlock(vmf->ptl); +- goto out; ++ return 0; + } + + pmd = pmd_modify(oldpmd, vma->vm_page_prot); +@@ -1548,23 +1548,16 @@ vm_fault_t do_huge_pmd_numa_page(struct + if (migrated) { + flags |= TNF_MIGRATED; + page_nid = target_nid; +- } else { +- flags |= TNF_MIGRATE_FAIL; +- vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); +- if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { +- spin_unlock(vmf->ptl); +- goto out; +- } +- goto out_map; ++ task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR, flags); ++ return 0; + } + +-out: +- if (page_nid != NUMA_NO_NODE) +- task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR, +- flags); +- +- return 0; +- ++ flags |= TNF_MIGRATE_FAIL; ++ vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); ++ if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { ++ spin_unlock(vmf->ptl); ++ return 0; ++ } + out_map: + /* Restore the PMD */ + pmd = pmd_modify(oldpmd, vma->vm_page_prot); +@@ -1574,7 +1567,10 @@ out_map: + set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd); + update_mmu_cache_pmd(vma, vmf->address, vmf->pmd); + spin_unlock(vmf->ptl); +- goto out; ++ ++ if (page_nid != NUMA_NO_NODE) ++ task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR, flags); ++ return 0; + } + + /* diff --git a/queue-6.6/mm-numa-no-task_numa_fault-call-if-pte-is-changed.patch b/queue-6.6/mm-numa-no-task_numa_fault-call-if-pte-is-changed.patch new file mode 100644 index 00000000000..6caf8793c91 --- /dev/null +++ b/queue-6.6/mm-numa-no-task_numa_fault-call-if-pte-is-changed.patch @@ -0,0 +1,97 @@ +From 40b760cfd44566bca791c80e0720d70d75382b84 Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Fri, 9 Aug 2024 10:59:04 -0400 +Subject: mm/numa: no task_numa_fault() call if PTE is changed + +From: Zi Yan + +commit 40b760cfd44566bca791c80e0720d70d75382b84 upstream. + +When handling a numa page fault, task_numa_fault() should be called by a +process that restores the page table of the faulted folio to avoid +duplicated stats counting. Commit b99a342d4f11 ("NUMA balancing: reduce +TLB flush via delaying mapping on hint page fault") restructured +do_numa_page() and did not avoid task_numa_fault() call in the second page +table check after a numa migration failure. Fix it by making all +!pte_same() return immediately. + +This issue can cause task_numa_fault() being called more than necessary +and lead to unexpected numa balancing results (It is hard to tell whether +the issue will cause positive or negative performance impact due to +duplicated numa fault counting). + +Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com +Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") +Signed-off-by: Zi Yan +Reported-by: "Huang, Ying" +Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.intel.com/ +Acked-by: David Hildenbrand +Cc: Baolin Wang +Cc: Kefeng Wang +Cc: Mel Gorman +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4775,7 +4775,7 @@ static vm_fault_t do_numa_page(struct vm + spin_lock(vmf->ptl); + if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { + pte_unmap_unlock(vmf->pte, vmf->ptl); +- goto out; ++ return 0; + } + + /* Get the normal PTE */ +@@ -4840,23 +4840,19 @@ static vm_fault_t do_numa_page(struct vm + if (migrate_misplaced_page(page, vma, target_nid)) { + page_nid = target_nid; + flags |= TNF_MIGRATED; +- } else { +- flags |= TNF_MIGRATE_FAIL; +- vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, +- vmf->address, &vmf->ptl); +- if (unlikely(!vmf->pte)) +- goto out; +- if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { +- pte_unmap_unlock(vmf->pte, vmf->ptl); +- goto out; +- } +- goto out_map; ++ task_numa_fault(last_cpupid, page_nid, 1, flags); ++ return 0; + } + +-out: +- if (page_nid != NUMA_NO_NODE) +- task_numa_fault(last_cpupid, page_nid, 1, flags); +- return 0; ++ flags |= TNF_MIGRATE_FAIL; ++ vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, ++ vmf->address, &vmf->ptl); ++ if (unlikely(!vmf->pte)) ++ return 0; ++ if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { ++ pte_unmap_unlock(vmf->pte, vmf->ptl); ++ return 0; ++ } + out_map: + /* + * Make it present again, depending on how arch implements +@@ -4870,7 +4866,10 @@ out_map: + ptep_modify_prot_commit(vma, vmf->address, vmf->pte, old_pte, pte); + update_mmu_cache_range(vmf, vma, vmf->address, vmf->pte, 1); + pte_unmap_unlock(vmf->pte, vmf->ptl); +- goto out; ++ ++ if (page_nid != NUMA_NO_NODE) ++ task_numa_fault(last_cpupid, page_nid, 1, flags); ++ return 0; + } + + static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf) diff --git a/queue-6.6/net-ngbe-fix-phy-mode-set-to-external-phy.patch b/queue-6.6/net-ngbe-fix-phy-mode-set-to-external-phy.patch new file mode 100644 index 00000000000..f9d6f4bfb52 --- /dev/null +++ b/queue-6.6/net-ngbe-fix-phy-mode-set-to-external-phy.patch @@ -0,0 +1,45 @@ +From f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 Mon Sep 17 00:00:00 2001 +From: Mengyuan Lou +Date: Tue, 20 Aug 2024 11:04:25 +0800 +Subject: net: ngbe: Fix phy mode set to external phy + +From: Mengyuan Lou + +commit f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 upstream. + +The MAC only has add the TX delay and it can not be modified. +MAC and PHY are both set the TX delay cause transmission problems. +So just disable TX delay in PHY, when use rgmii to attach to +external phy, set PHY_INTERFACE_MODE_RGMII_RXID to phy drivers. +And it is does not matter to internal phy. + +Fixes: bc2426d74aa3 ("net: ngbe: convert phylib to phylink") +Signed-off-by: Mengyuan Lou +Cc: stable@vger.kernel.org # 6.3+ +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/E6759CF1387CF84C+20240820030425.93003-1-mengyuanlou@net-swift.com +Signed-off-by: Paolo Abeni +Signed-off-by: mengyuanlou +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c ++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c +@@ -215,10 +215,14 @@ int ngbe_phy_connect(struct wx *wx) + { + int ret; + ++ /* The MAC only has add the Tx delay and it can not be modified. ++ * So just disable TX delay in PHY, and it is does not matter to ++ * internal phy. ++ */ + ret = phy_connect_direct(wx->netdev, + wx->phydev, + ngbe_handle_link_change, +- PHY_INTERFACE_MODE_RGMII_ID); ++ PHY_INTERFACE_MODE_RGMII_RXID); + if (ret) { + wx_err(wx, "PHY connect failed.\n"); + return ret; diff --git a/queue-6.6/nfsd-simplify-error-paths-in-nfsd_svc.patch b/queue-6.6/nfsd-simplify-error-paths-in-nfsd_svc.patch new file mode 100644 index 00000000000..d7e5459807a --- /dev/null +++ b/queue-6.6/nfsd-simplify-error-paths-in-nfsd_svc.patch @@ -0,0 +1,88 @@ +From bf32075256e9dd9c6b736859e2c5813981339908 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 25 Sep 2023 12:06:44 +1000 +Subject: NFSD: simplify error paths in nfsd_svc() + +From: NeilBrown + +commit bf32075256e9dd9c6b736859e2c5813981339908 upstream. + +The error paths in nfsd_svc() are needlessly complex and can result in a +final call to svc_put() without nfsd_last_thread() being called. This +results in the listening sockets not being closed properly. + +The per-netns setup provided by nfsd_startup_new() and removed by +nfsd_shutdown_net() is needed precisely when there are running threads. +So we don't need nfsd_up_before. We don't need to know if it *was* up. +We only need to know if any threads are left. If none are, then we must +call nfsd_shutdown_net(). But we don't need to do that explicitly as +nfsd_last_thread() does that for us. + +So simply call nfsd_last_thread() before the last svc_put() if there are +no running threads. That will always do the right thing. + +Also discard: + pr_info("nfsd: last server has exited, flushing export cache\n"); +It may not be true if an attempt to start the first server failed, and +it isn't particularly helpful and it simply reports normal behaviour. + +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Reported-by: Li Lingfeng +Suggested-by: Li Lingfeng +Tested-by: Li Lingfeng +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfssvc.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -567,7 +567,6 @@ void nfsd_last_thread(struct net *net) + return; + + nfsd_shutdown_net(net); +- pr_info("nfsd: last server has exited, flushing export cache\n"); + nfsd_export_flush(net); + } + +@@ -783,7 +782,6 @@ int + nfsd_svc(int nrservs, struct net *net, const struct cred *cred) + { + int error; +- bool nfsd_up_before; + struct nfsd_net *nn = net_generic(net, nfsd_net_id); + struct svc_serv *serv; + +@@ -803,8 +801,6 @@ nfsd_svc(int nrservs, struct net *net, c + error = nfsd_create_serv(net); + if (error) + goto out; +- +- nfsd_up_before = nn->nfsd_net_up; + serv = nn->nfsd_serv; + + error = nfsd_startup_net(net, cred); +@@ -812,17 +808,15 @@ nfsd_svc(int nrservs, struct net *net, c + goto out_put; + error = svc_set_num_threads(serv, NULL, nrservs); + if (error) +- goto out_shutdown; ++ goto out_put; + error = serv->sv_nrthreads; +- if (error == 0) +- nfsd_last_thread(net); +-out_shutdown: +- if (error < 0 && !nfsd_up_before) +- nfsd_shutdown_net(net); + out_put: + /* Threads now hold service active */ + if (xchg(&nn->keep_active, 0)) + svc_put(serv); ++ ++ if (serv->sv_nrthreads == 0) ++ nfsd_last_thread(net); + svc_put(serv); + out: + mutex_unlock(&nfsd_mutex); diff --git a/queue-6.6/selftests-bpf-add-a-test-to-verify-previous-stacksafe-fix.patch b/queue-6.6/selftests-bpf-add-a-test-to-verify-previous-stacksafe-fix.patch new file mode 100644 index 00000000000..ad41e1d5081 --- /dev/null +++ b/queue-6.6/selftests-bpf-add-a-test-to-verify-previous-stacksafe-fix.patch @@ -0,0 +1,91 @@ +From 662c3e2db00f92e50c26e9dc4fe47c52223d9982 Mon Sep 17 00:00:00 2001 +From: Yonghong Song +Date: Mon, 12 Aug 2024 14:48:52 -0700 +Subject: selftests/bpf: Add a test to verify previous stacksafe() fix + +From: Yonghong Song + +commit 662c3e2db00f92e50c26e9dc4fe47c52223d9982 upstream. + +A selftest is added such that without the previous patch, +a crash can happen. With the previous patch, the test can +run successfully. The new test is written in a way which +mimics original crash case: + main_prog + static_prog_1 + static_prog_2 +where static_prog_1 has different paths to static_prog_2 +and some path has stack allocated and some other path +does not. A stacksafe() checking in static_prog_2() +triggered the crash. + +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20240812214852.214037-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Shung-Hsi Yu +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/progs/iters.c | 54 ++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/tools/testing/selftests/bpf/progs/iters.c ++++ b/tools/testing/selftests/bpf/progs/iters.c +@@ -1411,4 +1411,58 @@ __naked int checkpoint_states_deletion(v + ); + } + ++__u32 upper, select_n, result; ++__u64 global; ++ ++static __noinline bool nest_2(char *str) ++{ ++ /* some insns (including branch insns) to ensure stacksafe() is triggered ++ * in nest_2(). This way, stacksafe() can compare frame associated with nest_1(). ++ */ ++ if (str[0] == 't') ++ return true; ++ if (str[1] == 'e') ++ return true; ++ if (str[2] == 's') ++ return true; ++ if (str[3] == 't') ++ return true; ++ return false; ++} ++ ++static __noinline bool nest_1(int n) ++{ ++ /* case 0: allocate stack, case 1: no allocate stack */ ++ switch (n) { ++ case 0: { ++ char comm[16]; ++ ++ if (bpf_get_current_comm(comm, 16)) ++ return false; ++ return nest_2(comm); ++ } ++ case 1: ++ return nest_2((char *)&global); ++ default: ++ return false; ++ } ++} ++ ++SEC("raw_tp") ++__success ++int iter_subprog_check_stacksafe(const void *ctx) ++{ ++ long i; ++ ++ bpf_for(i, 0, upper) { ++ if (!nest_1(select_n)) { ++ result = 1; ++ return 0; ++ } ++ } ++ ++ result = 2; ++ return 0; ++} ++ + char _license[] SEC("license") = "GPL"; diff --git a/queue-6.6/series b/queue-6.6/series index 6cfd906b152..803340633b0 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -327,3 +327,13 @@ hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch drm-msm-mdss-specify-cfg-bandwidth-for-sdm670.patch drm-panel-nt36523-set-120hz-fps-for-xiaomi-elish-panels.patch igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch +alsa-timer-relax-start-tick-time-check-for-slave-timer-elements.patch +mm-numa-no-task_numa_fault-call-if-pmd-is-changed.patch +mm-numa-no-task_numa_fault-call-if-pte-is-changed.patch +bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch +selftests-bpf-add-a-test-to-verify-previous-stacksafe-fix.patch +nfsd-simplify-error-paths-in-nfsd_svc.patch +drm-amdgpu-vcn-identify-unified-queue-in-sw-init.patch +drm-amdgpu-vcn-not-pause-dpg-for-unified-queue.patch +ksmbd-fix-race-condition-between-destroy_previous_session-and-smb2-operations.patch +net-ngbe-fix-phy-mode-set-to-external-phy.patch