From: Sasha Levin Date: Tue, 30 Jul 2024 13:55:21 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.1.103~15^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=855813f47654b6a55931e0eda973e673430a07d5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/af_unix-disable-msg_oob-handling-for-sockets-in-sock.patch b/queue-6.6/af_unix-disable-msg_oob-handling-for-sockets-in-sock.patch new file mode 100644 index 00000000000..62ac37184e2 --- /dev/null +++ b/queue-6.6/af_unix-disable-msg_oob-handling-for-sockets-in-sock.patch @@ -0,0 +1,106 @@ +From 04920f7f4d32a3ebc08b0dd55db430f0bfacba09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jul 2024 21:41:38 +0200 +Subject: af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash + +From: Michal Luczaj + +[ Upstream commit 638f32604385fd23059985da8de918e9c18f0b98 ] + +AF_UNIX socket tracks the most recent OOB packet (in its receive queue) +with an `oob_skb` pointer. BPF redirecting does not account for that: when +an OOB packet is moved between sockets, `oob_skb` is left outdated. This +results in a single skb that may be accessed from two different sockets. + +Take the easy way out: silently drop MSG_OOB data targeting any socket that +is in a sockmap or a sockhash. Note that such silent drop is akin to the +fate of redirected skb's scm_fp_list (SCM_RIGHTS, SCM_CREDENTIALS). + +For symmetry, forbid MSG_OOB in unix_bpf_recvmsg(). + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Suggested-by: Kuniyuki Iwashima +Signed-off-by: Michal Luczaj +Signed-off-by: Daniel Borkmann +Tested-by: Jakub Sitnicki +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20240713200218.2140950-2-mhal@rbox.co +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 41 ++++++++++++++++++++++++++++++++++++++++- + net/unix/unix_bpf.c | 3 +++ + 2 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 5a26e785ce70d..a551be47cb6c6 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2624,10 +2624,49 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + + static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor) + { ++ struct unix_sock *u = unix_sk(sk); ++ struct sk_buff *skb; ++ int err; ++ + if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) + return -ENOTCONN; + +- return unix_read_skb(sk, recv_actor); ++ mutex_lock(&u->iolock); ++ skb = skb_recv_datagram(sk, MSG_DONTWAIT, &err); ++ mutex_unlock(&u->iolock); ++ if (!skb) ++ return err; ++ ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ if (unlikely(skb == READ_ONCE(u->oob_skb))) { ++ bool drop = false; ++ ++ unix_state_lock(sk); ++ ++ if (sock_flag(sk, SOCK_DEAD)) { ++ unix_state_unlock(sk); ++ kfree_skb(skb); ++ return -ECONNRESET; ++ } ++ ++ spin_lock(&sk->sk_receive_queue.lock); ++ if (likely(skb == u->oob_skb)) { ++ WRITE_ONCE(u->oob_skb, NULL); ++ drop = true; ++ } ++ spin_unlock(&sk->sk_receive_queue.lock); ++ ++ unix_state_unlock(sk); ++ ++ if (drop) { ++ WARN_ON_ONCE(skb_unref(skb)); ++ kfree_skb(skb); ++ return -EAGAIN; ++ } ++ } ++#endif ++ ++ return recv_actor(sk, skb); + } + + static int unix_stream_read_generic(struct unix_stream_read_state *state, +diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c +index bd84785bf8d6c..bca2d86ba97d8 100644 +--- a/net/unix/unix_bpf.c ++++ b/net/unix/unix_bpf.c +@@ -54,6 +54,9 @@ static int unix_bpf_recvmsg(struct sock *sk, struct msghdr *msg, + struct sk_psock *psock; + int copied; + ++ if (flags & MSG_OOB) ++ return -EOPNOTSUPP; ++ + if (!len) + return 0; + +-- +2.43.0 + diff --git a/queue-6.6/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch b/queue-6.6/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch new file mode 100644 index 00000000000..2a57bd9ed1d --- /dev/null +++ b/queue-6.6/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch @@ -0,0 +1,111 @@ +From 1a26d95e4cd50dc88c5662a5a7784a5df5fdd205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 08:48:38 +0800 +Subject: apparmor: Fix null pointer deref when receiving skb during sock + creation + +From: Xiao Liang + +[ Upstream commit fce09ea314505a52f2436397608fa0a5d0934fb1 ] + +The panic below is observed when receiving ICMP packets with secmark set +while an ICMP raw socket is being created. SK_CTX(sk)->label is updated +in apparmor_socket_post_create(), but the packet is delivered to the +socket before that, causing the null pointer dereference. +Drop the packet if label context is not set. + + BUG: kernel NULL pointer dereference, address: 000000000000004c + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020 + RIP: 0010:aa_label_next_confined+0xb/0x40 + Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2 + RSP: 0018:ffffa92940003b08 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e + RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002 + R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400 + R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 + FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0 + PKRU: 55555554 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x171/0x4e0 + ? exc_page_fault+0x7f/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? aa_label_next_confined+0xb/0x40 + apparmor_secmark_check+0xec/0x330 + security_sock_rcv_skb+0x35/0x50 + sk_filter_trim_cap+0x47/0x250 + sock_queue_rcv_skb_reason+0x20/0x60 + raw_rcv+0x13c/0x210 + raw_local_deliver+0x1f3/0x250 + ip_protocol_deliver_rcu+0x4f/0x2f0 + ip_local_deliver_finish+0x76/0xa0 + __netif_receive_skb_one_core+0x89/0xa0 + netif_receive_skb+0x119/0x170 + ? __netdev_alloc_skb+0x3d/0x140 + vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] + vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] + __napi_poll+0x28/0x1b0 + net_rx_action+0x2a4/0x380 + __do_softirq+0xd1/0x2c8 + __irq_exit_rcu+0xbb/0xf0 + common_interrupt+0x86/0xa0 + + + asm_common_interrupt+0x26/0x40 + RIP: 0010:apparmor_socket_post_create+0xb/0x200 + Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48 + RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286 + RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001 + RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740 + RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 + R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003 + R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748 + ? __pfx_apparmor_socket_post_create+0x10/0x10 + security_socket_post_create+0x4b/0x80 + __sock_create+0x176/0x1f0 + __sys_socket+0x89/0x100 + __x64_sys_socket+0x17/0x20 + do_syscall_64+0x5d/0x90 + ? do_syscall_64+0x6c/0x90 + ? do_syscall_64+0x6c/0x90 + ? do_syscall_64+0x6c/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy") +Signed-off-by: Xiao Liang +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/lsm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index 366cdfd6a7baf..5303a51eff9c1 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -1130,6 +1130,13 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) + if (!skb->secmark) + return 0; + ++ /* ++ * If reach here before socket_post_create hook is called, in which ++ * case label is null, drop the packet. ++ */ ++ if (!ctx->label) ++ return -EACCES; ++ + return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, + skb->secmark, sk); + } +-- +2.43.0 + diff --git a/queue-6.6/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch b/queue-6.6/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch new file mode 100644 index 00000000000..e5cf9789ca6 --- /dev/null +++ b/queue-6.6/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch @@ -0,0 +1,54 @@ +From 4b821cbec06c6f5b542ef57b81496ebbf7686475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 10:30:02 +0200 +Subject: ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is + reachable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 9931f7d5d251882a147cc5811060097df43e79f5 ] + +the Intel kbuild bot reports a link failure when IOSF_MBI is built-in +but the Merrifield driver is configured as a module. The +soc-intel-quirks.h is included for Merrifield platforms, but IOSF_MBI +is not selected for that platform. + +ld.lld: error: undefined symbol: iosf_mbi_read +>>> referenced by atom.c +>>> sound/soc/sof/intel/atom.o:(atom_machine_select) in archive vmlinux.a + +This patch forces the use of the fallback static inline when IOSF_MBI is not reachable. + +Fixes: 536cfd2f375d ("ASoC: Intel: use common helpers to detect CPUs") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202407160704.zpdhJ8da-lkp@intel.com/ +Suggested-by: Takashi Iwai +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Bard Liao +Link: https://patch.msgid.link/20240722083002.10800-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/common/soc-intel-quirks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h +index de4e550c5b34d..42bd51456b945 100644 +--- a/sound/soc/intel/common/soc-intel-quirks.h ++++ b/sound/soc/intel/common/soc-intel-quirks.h +@@ -11,7 +11,7 @@ + + #include + +-#if IS_ENABLED(CONFIG_X86) ++#if IS_REACHABLE(CONFIG_IOSF_MBI) + + #include + #include +-- +2.43.0 + diff --git a/queue-6.6/asoc-sof-amd-fix-for-firmware-reload-failure-in-vang.patch b/queue-6.6/asoc-sof-amd-fix-for-firmware-reload-failure-in-vang.patch new file mode 100644 index 00000000000..a30c1529fd1 --- /dev/null +++ b/queue-6.6/asoc-sof-amd-fix-for-firmware-reload-failure-in-vang.patch @@ -0,0 +1,41 @@ +From 553a98abdc6199d9e978e5d3e333b81507a990e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 11:50:02 +0530 +Subject: ASoC: sof: amd: fix for firmware reload failure in Vangogh platform + +From: Venkata Prasad Potturu + +[ Upstream commit f2038c12e8133bf4c6bd4d1127a23310d55d9e21 ] + +Setting ACP ACLK as clock source when ACP enters D0 state causing +firmware load failure, as per design clock source should be internal +clock. + +Remove acp_clkmux_sel field so that ACP will use internal clock +source when ACP enters into D0 state. + +Fixes: d0dab6b76a9f ("ASoC: SOF: amd: Add sof support for vangogh platform") + +Signed-off-by: Venkata Prasad Potturu +Link: https://patch.msgid.link/20240718062004.581685-1-venkataprasad.potturu@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/amd/pci-vangogh.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/sof/amd/pci-vangogh.c b/sound/soc/sof/amd/pci-vangogh.c +index d8be42fbcb6dd..b035e31fadaba 100644 +--- a/sound/soc/sof/amd/pci-vangogh.c ++++ b/sound/soc/sof/amd/pci-vangogh.c +@@ -34,7 +34,6 @@ static const struct sof_amd_acp_desc vangogh_chip_info = { + .dsp_intr_base = ACP5X_DSP_SW_INTR_BASE, + .sram_pte_offset = ACP5X_SRAM_PTE_OFFSET, + .hw_semaphore_offset = ACP5X_AXI2DAGB_SEM_0, +- .acp_clkmux_sel = ACP5X_CLKMUX_SEL, + .probe_reg_offset = ACP5X_FUTURE_REG_ACLK_0, + }; + +-- +2.43.0 + diff --git a/queue-6.6/asoc-sof-imx8m-fix-dsp-control-regmap-retrieval.patch b/queue-6.6/asoc-sof-imx8m-fix-dsp-control-regmap-retrieval.patch new file mode 100644 index 00000000000..bd41258148a --- /dev/null +++ b/queue-6.6/asoc-sof-imx8m-fix-dsp-control-regmap-retrieval.patch @@ -0,0 +1,41 @@ +From 5620203194a9962d37397fd495a9fce7b54f600e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 18:16:53 +0300 +Subject: ASoC: SOF: imx8m: Fix DSP control regmap retrieval + +From: Daniel Baluta + +[ Upstream commit 2634f745eac25a33f032df32cf98fca8538a534a ] + +According to Documentation/devicetree/bindings/dsp/fsl,dsp.yaml +fsl,dsp-ctrl is a phandle to syscon block so we need to use correct +function to retrieve it. + +Currently there is no SOF DSP DTS merged into mainline so there is no +need to support the old way of retrieving the dsp control node. + +Fixes: 9ba23717b292 ("ASoC: SOF: imx8m: Implement DSP start") +Signed-off-by: Daniel Baluta +Link: https://patch.msgid.link/20240715151653.114751-1-daniel.baluta@oss.nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/imx/imx8m.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/imx/imx8m.c b/sound/soc/sof/imx/imx8m.c +index 1243f8a6141ea..186ba4bbb5b26 100644 +--- a/sound/soc/sof/imx/imx8m.c ++++ b/sound/soc/sof/imx/imx8m.c +@@ -243,7 +243,7 @@ static int imx8m_probe(struct snd_sof_dev *sdev) + /* set default mailbox offset for FW ready message */ + sdev->dsp_box.offset = MBOX_OFFSET; + +- priv->regmap = syscon_regmap_lookup_by_compatible("fsl,dsp-ctrl"); ++ priv->regmap = syscon_regmap_lookup_by_phandle(np, "fsl,dsp-ctrl"); + if (IS_ERR(priv->regmap)) { + dev_err(sdev->dev, "cannot find dsp-ctrl registers"); + ret = PTR_ERR(priv->regmap); +-- +2.43.0 + diff --git a/queue-6.6/asoc-tas2781-fix-tasdev_load_calibrated_data.patch b/queue-6.6/asoc-tas2781-fix-tasdev_load_calibrated_data.patch new file mode 100644 index 00000000000..93926880f27 --- /dev/null +++ b/queue-6.6/asoc-tas2781-fix-tasdev_load_calibrated_data.patch @@ -0,0 +1,37 @@ +From 8bb9153a490d10b8de621a8207545c41c08097da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 18:53:48 -0500 +Subject: ASoC: TAS2781: Fix tasdev_load_calibrated_data() + +From: Dan Carpenter + +[ Upstream commit 92c78222168e9035a9bfb8841c2e56ce23e51f73 ] + +This function has a reversed if statement so it's either a no-op or it +leads to a NULL dereference. + +Fixes: b195acf5266d ("ASoC: tas2781: Fix wrong loading calibrated data sequence") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/18a29b68-cc85-4139-b7c7-2514e8409a42@stanley.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-fmwlib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2781-fmwlib.c b/sound/soc/codecs/tas2781-fmwlib.c +index 32ff4fb14998e..41ad82a429163 100644 +--- a/sound/soc/codecs/tas2781-fmwlib.c ++++ b/sound/soc/codecs/tas2781-fmwlib.c +@@ -2193,7 +2193,7 @@ static void tasdev_load_calibrated_data(struct tasdevice_priv *priv, int i) + return; + + cal = cal_fmw->calibrations; +- if (cal) ++ if (!cal) + return; + + load_calib_data(priv, &cal->dev_data); +-- +2.43.0 + diff --git a/queue-6.6/auxdisplay-ht16k33-drop-reference-after-led-registra.patch b/queue-6.6/auxdisplay-ht16k33-drop-reference-after-led-registra.patch new file mode 100644 index 00000000000..d9cf5cc7e30 --- /dev/null +++ b/queue-6.6/auxdisplay-ht16k33-drop-reference-after-led-registra.patch @@ -0,0 +1,38 @@ +From 5ba5562f37d291a0d606371e9c33a4f9d854c6e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 17:02:15 +0200 +Subject: auxdisplay: ht16k33: Drop reference after LED registration + +From: Markus Elfring + +[ Upstream commit 2ccfe94bc3ac980d2d1df9f7a0b2c6d2137abe55 ] + +The reference count is bumped by device_get_named_child_node() +and never dropped. Since LED APIs do not require it to be +bumped by the user, drop the reference after LED registration. + +[andy: rewritten the commit message and amended the change] + +Fixes: c223d9c636ed ("auxdisplay: ht16k33: Add LED support") +Signed-off-by: Markus Elfring +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index 3a2d883872249..b360ddefc4238 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -507,6 +507,7 @@ static int ht16k33_led_probe(struct device *dev, struct led_classdev *led, + led->max_brightness = MAX_BRIGHTNESS; + + err = devm_led_classdev_register_ext(dev, led, &init_data); ++ fwnode_handle_put(init_data.fwnode); + if (err) + dev_err(dev, "Failed to register LED\n"); + +-- +2.43.0 + diff --git a/queue-6.6/bpf-events-use-prog-to-emit-ksymbol-event-for-main-p.patch b/queue-6.6/bpf-events-use-prog-to-emit-ksymbol-event-for-main-p.patch new file mode 100644 index 00000000000..dad4e196f88 --- /dev/null +++ b/queue-6.6/bpf-events-use-prog-to-emit-ksymbol-event-for-main-p.patch @@ -0,0 +1,84 @@ +From 15bfb49ebcf41e10b6c77e1c21327b1e5f61e524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jul 2024 14:55:33 +0800 +Subject: bpf, events: Use prog to emit ksymbol event for main program + +From: Hou Tao + +[ Upstream commit 0be9ae5486cd9e767138c13638820d240713f5f1 ] + +Since commit 0108a4e9f358 ("bpf: ensure main program has an extable"), +prog->aux->func[0]->kallsyms is left as uninitialized. For BPF programs +with subprogs, the symbol for the main program is missing just as shown +in the output of perf script below: + + ffffffff81284b69 qp_trie_lookup_elem+0xb9 ([kernel.kallsyms]) + ffffffffc0011125 bpf_prog_a4a0eb0651e6af8b_lookup_qp_trie+0x5d (bpf...) + ffffffff8127bc2b bpf_for_each_array_elem+0x7b ([kernel.kallsyms]) + ffffffffc00110a1 +0x25 () + ffffffff8121a89a trace_call_bpf+0xca ([kernel.kallsyms]) + +Fix it by always using prog instead prog->aux->func[0] to emit ksymbol +event for the main program. After the fix, the output of perf script +will be correct: + + ffffffff81284b96 qp_trie_lookup_elem+0xe6 ([kernel.kallsyms]) + ffffffffc001382d bpf_prog_a4a0eb0651e6af8b_lookup_qp_trie+0x5d (bpf...) + ffffffff8127bc2b bpf_for_each_array_elem+0x7b ([kernel.kallsyms]) + ffffffffc0013779 bpf_prog_245c55ab25cfcf40_qp_trie_lookup+0x25 (bpf...) + ffffffff8121a89a trace_call_bpf+0xca ([kernel.kallsyms]) + +Fixes: 0108a4e9f358 ("bpf: ensure main program has an extable") +Signed-off-by: Hou Tao +Signed-off-by: Daniel Borkmann +Tested-by: Yonghong Song +Reviewed-by: Krister Johansen +Reviewed-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20240714065533.1112616-1-houtao@huaweicloud.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 32723d53b970b..1b728f3f4b539 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9273,21 +9273,19 @@ static void perf_event_bpf_emit_ksymbols(struct bpf_prog *prog, + bool unregister = type == PERF_BPF_EVENT_PROG_UNLOAD; + int i; + +- if (prog->aux->func_cnt == 0) { +- perf_event_ksymbol(PERF_RECORD_KSYMBOL_TYPE_BPF, +- (u64)(unsigned long)prog->bpf_func, +- prog->jited_len, unregister, +- prog->aux->ksym.name); +- } else { +- for (i = 0; i < prog->aux->func_cnt; i++) { +- struct bpf_prog *subprog = prog->aux->func[i]; +- +- perf_event_ksymbol( +- PERF_RECORD_KSYMBOL_TYPE_BPF, +- (u64)(unsigned long)subprog->bpf_func, +- subprog->jited_len, unregister, +- subprog->aux->ksym.name); +- } ++ perf_event_ksymbol(PERF_RECORD_KSYMBOL_TYPE_BPF, ++ (u64)(unsigned long)prog->bpf_func, ++ prog->jited_len, unregister, ++ prog->aux->ksym.name); ++ ++ for (i = 1; i < prog->aux->func_cnt; i++) { ++ struct bpf_prog *subprog = prog->aux->func[i]; ++ ++ perf_event_ksymbol( ++ PERF_RECORD_KSYMBOL_TYPE_BPF, ++ (u64)(unsigned long)subprog->bpf_func, ++ subprog->jited_len, unregister, ++ subprog->aux->ksym.name); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch b/queue-6.6/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch new file mode 100644 index 00000000000..8e4e82f2058 --- /dev/null +++ b/queue-6.6/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch @@ -0,0 +1,57 @@ +From 51cf1ae95d1e8993df8578acd12d09a6d909a48d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 10:46:53 +0800 +Subject: bpf: Fix a segment issue when downgrading gso_size + +From: Fred Li + +[ Upstream commit fa5ef655615a01533035c6139248c5b33aa27028 ] + +Linearize the skb when downgrading gso_size because it may trigger a +BUG_ON() later when the skb is segmented as described in [1,2]. + +Fixes: 2be7e212d5419 ("bpf: add bpf_skb_adjust_room helper") +Signed-off-by: Fred Li +Signed-off-by: Daniel Borkmann +Reviewed-by: Willem de Bruijn +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/all/20240626065555.35460-2-dracodingfly@gmail.com [1] +Link: https://lore.kernel.org/all/668d5cf1ec330_1c18c32947@willemb.c.googlers.com.notmuch [2] +Link: https://lore.kernel.org/bpf/20240719024653.77006-1-dracodingfly@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index afe38b8dee024..8cb44cd29967b 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3530,13 +3530,20 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 off, u32 len_diff, + if (skb_is_gso(skb)) { + struct skb_shared_info *shinfo = skb_shinfo(skb); + +- /* Due to header grow, MSS needs to be downgraded. */ +- if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) +- skb_decrease_gso_size(shinfo, len_diff); +- + /* Header must be checked, and gso_segs recomputed. */ + shinfo->gso_type |= gso_type; + shinfo->gso_segs = 0; ++ ++ /* Due to header growth, MSS needs to be downgraded. ++ * There is a BUG_ON() when segmenting the frag_list with ++ * head_frag true, so linearize the skb after downgrading ++ * the MSS. ++ */ ++ if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) { ++ skb_decrease_gso_size(shinfo, len_diff); ++ if (shinfo->frag_list) ++ return skb_linearize(skb); ++ } + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/ceph-fix-incorrect-kmalloc-size-of-pagevec-mempool.patch b/queue-6.6/ceph-fix-incorrect-kmalloc-size-of-pagevec-mempool.patch new file mode 100644 index 00000000000..88c39a9762f --- /dev/null +++ b/queue-6.6/ceph-fix-incorrect-kmalloc-size-of-pagevec-mempool.patch @@ -0,0 +1,38 @@ +From c6bb2610f1e674466cd49591574aa5ac67251fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 14:47:56 +0800 +Subject: ceph: fix incorrect kmalloc size of pagevec mempool + +From: ethanwu + +[ Upstream commit 03230edb0bd831662a7c08b6fef66b2a9a817774 ] + +The kmalloc size of pagevec mempool is incorrectly calculated. +It misses the size of page pointer and only accounts the number for the array. + +Fixes: a0102bda5bc0 ("ceph: move sb->wb_pagevec_pool to be a global mempool") +Signed-off-by: ethanwu +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/super.c b/fs/ceph/super.c +index 52af90beab000..ec51e398562c6 100644 +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -958,7 +958,8 @@ static int __init init_caches(void) + if (!ceph_mds_request_cachep) + goto bad_mds_req; + +- ceph_wb_pagevec_pool = mempool_create_kmalloc_pool(10, CEPH_MAX_WRITE_SIZE >> PAGE_SHIFT); ++ ceph_wb_pagevec_pool = mempool_create_kmalloc_pool(10, ++ (CEPH_MAX_WRITE_SIZE >> PAGE_SHIFT) * sizeof(struct page *)); + if (!ceph_wb_pagevec_pool) + goto bad_pagevec_pool; + +-- +2.43.0 + diff --git a/queue-6.6/dma-fix-call-order-in-dmam_free_coherent.patch b/queue-6.6/dma-fix-call-order-in-dmam_free_coherent.patch new file mode 100644 index 00000000000..284a9accbe1 --- /dev/null +++ b/queue-6.6/dma-fix-call-order-in-dmam_free_coherent.patch @@ -0,0 +1,52 @@ +From 1eef76a1aa6b827168f15fff3f6c2c7a0f38f4ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 14:38:24 +0000 +Subject: dma: fix call order in dmam_free_coherent + +From: Lance Richardson + +[ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ] + +dmam_free_coherent() frees a DMA allocation, which makes the +freed vaddr available for reuse, then calls devres_destroy() +to remove and free the data structure used to track the DMA +allocation. Between the two calls, it is possible for a +concurrent task to make an allocation with the same vaddr +and add it to the devres list. + +If this happens, there will be two entries in the devres list +with the same vaddr and devres_destroy() can free the wrong +entry, triggering the WARN_ON() in dmam_match. + +Fix by destroying the devres entry before freeing the DMA +allocation. + +Tested: + kokonut //net/encryption + http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03 + +Fixes: 9ac7849e35f7 ("devres: device resource management") +Signed-off-by: Lance Richardson +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/mapping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c +index e323ca48f7f2a..f1d9f01b283d7 100644 +--- a/kernel/dma/mapping.c ++++ b/kernel/dma/mapping.c +@@ -67,8 +67,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr, + { + struct dma_devres match_data = { size, vaddr, dma_handle }; + +- dma_free_coherent(dev, size, vaddr, dma_handle); + WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data)); ++ dma_free_coherent(dev, size, vaddr, dma_handle); + } + EXPORT_SYMBOL(dmam_free_coherent); + +-- +2.43.0 + diff --git a/queue-6.6/dmaengine-ti-k3-udma-fix-bchan-count-with-uhc-and-hc.patch b/queue-6.6/dmaengine-ti-k3-udma-fix-bchan-count-with-uhc-and-hc.patch new file mode 100644 index 00000000000..3c7894af0a8 --- /dev/null +++ b/queue-6.6/dmaengine-ti-k3-udma-fix-bchan-count-with-uhc-and-hc.patch @@ -0,0 +1,42 @@ +From edb4fe32f4f817468e5745f759d49d15d07d2a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 23:41:03 +0530 +Subject: dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels + +From: Vignesh Raghavendra + +[ Upstream commit 372f8b3621294173f539b32976e41e6e12f5decf ] + +Unlike other channel counts in CAPx registers, BCDMA BCHAN CNT doesn't +include UHC and HC BC channels. So include them explicitly to arrive at +total BC channel in the instance. + +Fixes: 8844898028d4 ("dmaengine: ti: k3-udma: Add support for BCDMA channel TPL handling") +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Jai Luthra +Tested-by: Jayesh Choudhary +Link: https://lore.kernel.org/r/20240607-bcdma_chan_cnt-v2-1-bf1a55529d91@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c +index 037f1408e7983..02a1ab04f498e 100644 +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -4470,7 +4470,9 @@ static int udma_get_mmrs(struct platform_device *pdev, struct udma_dev *ud) + ud->rchan_cnt = UDMA_CAP2_RCHAN_CNT(cap2); + break; + case DMA_TYPE_BCDMA: +- ud->bchan_cnt = BCDMA_CAP2_BCHAN_CNT(cap2); ++ ud->bchan_cnt = BCDMA_CAP2_BCHAN_CNT(cap2) + ++ BCDMA_CAP3_HBCHAN_CNT(cap3) + ++ BCDMA_CAP3_UBCHAN_CNT(cap3); + ud->tchan_cnt = BCDMA_CAP2_TCHAN_CNT(cap2); + ud->rchan_cnt = BCDMA_CAP2_RCHAN_CNT(cap2); + ud->rflow_cnt = ud->rchan_cnt; +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-start-segno-of-large-section.patch b/queue-6.6/f2fs-fix-start-segno-of-large-section.patch new file mode 100644 index 00000000000..21a48ca10be --- /dev/null +++ b/queue-6.6/f2fs-fix-start-segno-of-large-section.patch @@ -0,0 +1,40 @@ +From 8faee08052f27574752418c79f8fc5cf4718781e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 20:04:07 +0800 +Subject: f2fs: fix start segno of large section + +From: Sheng Yong + +[ Upstream commit 8c409989678e92e4a737e7cd2bb04f3efb81071a ] + +get_ckpt_valid_blocks() checks valid ckpt blocks in current section. +It counts all vblocks from the first to the last segment in the +large section. However, START_SEGNO() is used to get the first segno +in an SIT block. This patch fixes that to get the correct start segno. + +Fixes: 61461fc921b7 ("f2fs: fix to avoid touching checkpointed data in get_victim()") +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 4595f1cc03828..952970166d5da 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -348,7 +348,8 @@ static inline unsigned int get_ckpt_valid_blocks(struct f2fs_sb_info *sbi, + unsigned int segno, bool use_section) + { + if (use_section && __is_large_section(sbi)) { +- unsigned int start_segno = START_SEGNO(segno); ++ unsigned int secno = GET_SEC_FROM_SEG(sbi, segno); ++ unsigned int start_segno = GET_SEG_FROM_SEC(sbi, secno); + unsigned int blocks = 0; + int i; + +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-truncate-preallocated-blocks-in-f2fs_fil.patch b/queue-6.6/f2fs-fix-to-truncate-preallocated-blocks-in-f2fs_fil.patch new file mode 100644 index 00000000000..f25f91f5183 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-truncate-preallocated-blocks-in-f2fs_fil.patch @@ -0,0 +1,156 @@ +From a2267a434354fa87aec46f3b35188e792d6309ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 18:01:03 +0800 +Subject: f2fs: fix to truncate preallocated blocks in f2fs_file_open() + +From: Chao Yu + +[ Upstream commit 298b1e4182d657c3e388adcc29477904e9600ed5 ] + +chenyuwen reports a f2fs bug as below: + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000011 + fscrypt_set_bio_crypt_ctx+0x78/0x1e8 + f2fs_grab_read_bio+0x78/0x208 + f2fs_submit_page_read+0x44/0x154 + f2fs_get_read_data_page+0x288/0x5f4 + f2fs_get_lock_data_page+0x60/0x190 + truncate_partial_data_page+0x108/0x4fc + f2fs_do_truncate_blocks+0x344/0x5f0 + f2fs_truncate_blocks+0x6c/0x134 + f2fs_truncate+0xd8/0x200 + f2fs_iget+0x20c/0x5ac + do_garbage_collect+0x5d0/0xf6c + f2fs_gc+0x22c/0x6a4 + f2fs_disable_checkpoint+0xc8/0x310 + f2fs_fill_super+0x14bc/0x1764 + mount_bdev+0x1b4/0x21c + f2fs_mount+0x20/0x30 + legacy_get_tree+0x50/0xbc + vfs_get_tree+0x5c/0x1b0 + do_new_mount+0x298/0x4cc + path_mount+0x33c/0x5fc + __arm64_sys_mount+0xcc/0x15c + invoke_syscall+0x60/0x150 + el0_svc_common+0xb8/0xf8 + do_el0_svc+0x28/0xa0 + el0_svc+0x24/0x84 + el0t_64_sync_handler+0x88/0xec + +It is because inode.i_crypt_info is not initialized during below path: +- mount + - f2fs_fill_super + - f2fs_disable_checkpoint + - f2fs_gc + - f2fs_iget + - f2fs_truncate + +So, let's relocate truncation of preallocated blocks to f2fs_file_open(), +after fscrypt_file_open(). + +Fixes: d4dd19ec1ea0 ("f2fs: do not expose unwritten blocks to user by DIO") +Reported-by: chenyuwen +Closes: https://lore.kernel.org/linux-kernel/20240517085327.1188515-1-yuwen.chen@xjmz.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/file.c | 42 +++++++++++++++++++++++++++++++++++++++++- + fs/f2fs/inode.c | 8 -------- + 3 files changed, 42 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index c7e717ab09000..3219662186e49 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -798,6 +798,7 @@ enum { + FI_COW_FILE, /* indicate COW file */ + FI_ATOMIC_COMMITTED, /* indicate atomic commit completed except disk sync */ + FI_ATOMIC_REPLACE, /* indicate atomic replace */ ++ FI_OPENED_FILE, /* indicate file has been opened */ + FI_MAX, /* max flag, never be used */ + }; + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 154c55c1a0f47..96bcde73882bf 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -534,6 +534,42 @@ static int f2fs_file_mmap(struct file *file, struct vm_area_struct *vma) + return 0; + } + ++static int finish_preallocate_blocks(struct inode *inode) ++{ ++ int ret; ++ ++ inode_lock(inode); ++ if (is_inode_flag_set(inode, FI_OPENED_FILE)) { ++ inode_unlock(inode); ++ return 0; ++ } ++ ++ if (!file_should_truncate(inode)) { ++ set_inode_flag(inode, FI_OPENED_FILE); ++ inode_unlock(inode); ++ return 0; ++ } ++ ++ f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ filemap_invalidate_lock(inode->i_mapping); ++ ++ truncate_setsize(inode, i_size_read(inode)); ++ ret = f2fs_truncate(inode); ++ ++ filemap_invalidate_unlock(inode->i_mapping); ++ f2fs_up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ ++ if (!ret) ++ set_inode_flag(inode, FI_OPENED_FILE); ++ ++ inode_unlock(inode); ++ if (ret) ++ return ret; ++ ++ file_dont_truncate(inode); ++ return 0; ++} ++ + static int f2fs_file_open(struct inode *inode, struct file *filp) + { + int err = fscrypt_file_open(inode, filp); +@@ -551,7 +587,11 @@ static int f2fs_file_open(struct inode *inode, struct file *filp) + filp->f_mode |= FMODE_NOWAIT | FMODE_BUF_RASYNC; + filp->f_mode |= FMODE_CAN_ODIRECT; + +- return dquot_file_open(inode, filp); ++ err = dquot_file_open(inode, filp); ++ if (err) ++ return err; ++ ++ return finish_preallocate_blocks(inode); + } + + void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count) +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index ab2eecd986ec5..928e8f6743f8f 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -610,14 +610,6 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) + } + f2fs_set_inode_flags(inode); + +- if (file_should_truncate(inode) && +- !is_sbi_flag_set(sbi, SBI_POR_DOING)) { +- ret = f2fs_truncate(inode); +- if (ret) +- goto bad_inode; +- file_dont_truncate(inode); +- } +- + unlock_new_inode(inode); + trace_f2fs_iget(inode); + return inode; +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-update-user-block-counts-in-block_operat.patch b/queue-6.6/f2fs-fix-to-update-user-block-counts-in-block_operat.patch new file mode 100644 index 00000000000..be473f88786 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-update-user-block-counts-in-block_operat.patch @@ -0,0 +1,86 @@ +From 30237477ebc44c4c8a20219111ab20e5f2174de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 10:32:39 +0800 +Subject: f2fs: fix to update user block counts in block_operations() + +From: Chao Yu + +[ Upstream commit f06c0f82e38bbda7264d6ef3c90045ad2810e0f3 ] + +Commit 59c9081bc86e ("f2fs: allow write page cache when writting cp") +allows write() to write data to page cache during checkpoint, so block +count fields like .total_valid_block_count, .alloc_valid_block_count +and .rf_node_block_count may encounter race condition as below: + +CP Thread A +- write_checkpoint + - block_operations + - f2fs_down_write(&sbi->node_change) + - __prepare_cp_block + : ckpt->valid_block_count = .total_valid_block_count + - f2fs_up_write(&sbi->node_change) + - write + - f2fs_preallocate_blocks + - f2fs_map_blocks(,F2FS_GET_BLOCK_PRE_AIO) + - f2fs_map_lock + - f2fs_down_read(&sbi->node_change) + - f2fs_reserve_new_blocks + - inc_valid_block_count + : percpu_counter_add(&sbi->alloc_valid_block_count, count) + : sbi->total_valid_block_count += count + - f2fs_up_read(&sbi->node_change) + - do_checkpoint + : sbi->last_valid_block_count = sbi->total_valid_block_count + : percpu_counter_set(&sbi->alloc_valid_block_count, 0) + : percpu_counter_set(&sbi->rf_node_block_count, 0) + - fsync + - need_do_checkpoint + - f2fs_space_for_roll_forward + : alloc_valid_block_count was reset to zero, + so, it may missed last data during checkpoint + +Let's change to update .total_valid_block_count, .alloc_valid_block_count +and .rf_node_block_count in block_operations(), then their access can be +protected by .node_change and .cp_rwsem lock, so that it can avoid above +race condition. + +Fixes: 59c9081bc86e ("f2fs: allow write page cache when writting cp") +Cc: Yunlei He +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 58ce751da92bf..1a33a8c1623f2 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1170,6 +1170,11 @@ static void __prepare_cp_block(struct f2fs_sb_info *sbi) + ckpt->valid_node_count = cpu_to_le32(valid_node_count(sbi)); + ckpt->valid_inode_count = cpu_to_le32(valid_inode_count(sbi)); + ckpt->next_free_nid = cpu_to_le32(last_nid); ++ ++ /* update user_block_counts */ ++ sbi->last_valid_block_count = sbi->total_valid_block_count; ++ percpu_counter_set(&sbi->alloc_valid_block_count, 0); ++ percpu_counter_set(&sbi->rf_node_block_count, 0); + } + + static bool __need_flush_quota(struct f2fs_sb_info *sbi) +@@ -1559,11 +1564,6 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + start_blk += NR_CURSEG_NODE_TYPE; + } + +- /* update user_block_counts */ +- sbi->last_valid_block_count = sbi->total_valid_block_count; +- percpu_counter_set(&sbi->alloc_valid_block_count, 0); +- percpu_counter_set(&sbi->rf_node_block_count, 0); +- + /* Here, we have one bio having CP pack except cp pack 2 page */ + f2fs_sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO); + /* Wait for all dirty meta pages to be submitted for IO */ +-- +2.43.0 + diff --git a/queue-6.6/fs-don-t-allow-non-init-s_user_ns-for-filesystems-wi.patch b/queue-6.6/fs-don-t-allow-non-init-s_user_ns-for-filesystems-wi.patch new file mode 100644 index 00000000000..06a5beb2fbb --- /dev/null +++ b/queue-6.6/fs-don-t-allow-non-init-s_user_ns-for-filesystems-wi.patch @@ -0,0 +1,65 @@ +From a36485b4a3ee70d15f94884b84e9d07afaf99ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 09:53:59 -0500 +Subject: fs: don't allow non-init s_user_ns for filesystems without + FS_USERNS_MOUNT + +From: Seth Forshee (DigitalOcean) + +[ Upstream commit e1c5ae59c0f22f7fe5c07fb5513a29e4aad868c9 ] + +Christian noticed that it is possible for a privileged user to mount +most filesystems with a non-initial user namespace in sb->s_user_ns. +When fsopen() is called in a non-init namespace the caller's namespace +is recorded in fs_context->user_ns. If the returned file descriptor is +then passed to a process priviliged in init_user_ns, that process can +call fsconfig(fd_fs, FSCONFIG_CMD_CREATE), creating a new superblock +with sb->s_user_ns set to the namespace of the process which called +fsopen(). + +This is problematic. We cannot assume that any filesystem which does not +set FS_USERNS_MOUNT has been written with a non-initial s_user_ns in +mind, increasing the risk for bugs and security issues. + +Prevent this by returning EPERM from sget_fc() when FS_USERNS_MOUNT is +not set for the filesystem and a non-initial user namespace will be +used. sget() does not need to be updated as it always uses the user +namespace of the current context, or the initial user namespace if +SB_SUBMOUNT is set. + +Fixes: cb50b348c71f ("convenience helpers: vfs_get_super() and sget_fc()") +Reported-by: Christian Brauner +Signed-off-by: Seth Forshee (DigitalOcean) +Link: https://lore.kernel.org/r/20240724-s_user_ns-fix-v1-1-895d07c94701@kernel.org +Reviewed-by: Alexander Mikhalitsyn +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/super.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/super.c b/fs/super.c +index 2d762ce67f6e6..576abb1ff0403 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -781,6 +781,17 @@ struct super_block *sget_fc(struct fs_context *fc, + struct user_namespace *user_ns = fc->global ? &init_user_ns : fc->user_ns; + int err; + ++ /* ++ * Never allow s_user_ns != &init_user_ns when FS_USERNS_MOUNT is ++ * not set, as the filesystem is likely unprepared to handle it. ++ * This can happen when fsconfig() is called from init_user_ns with ++ * an fs_fd opened in another user namespace. ++ */ ++ if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) { ++ errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed"); ++ return ERR_PTR(-EPERM); ++ } ++ + retry: + spin_lock(&sb_lock); + if (test) { +-- +2.43.0 + diff --git a/queue-6.6/ice-fix-recipe-read-procedure.patch b/queue-6.6/ice-fix-recipe-read-procedure.patch new file mode 100644 index 00000000000..c83fd1a290f --- /dev/null +++ b/queue-6.6/ice-fix-recipe-read-procedure.patch @@ -0,0 +1,50 @@ +From b3ef805cb0c39d1115d7f3f42c679e28c6f824f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 11:05:46 +0200 +Subject: ice: Fix recipe read procedure + +From: Wojciech Drewek + +[ Upstream commit 19abb9c2b900bad59e0a9818d6c83bb4cc875437 ] + +When ice driver reads recipes from firmware information about +need_pass_l2 and allow_pass_l2 flags is not stored correctly. +Those flags are stored as one bit each in ice_sw_recipe structure. +Because of that, the result of checking a flag has to be casted to bool. +Note that the need_pass_l2 flag currently works correctly, because +it's stored in the first bit. + +Fixes: bccd9bce29e0 ("ice: Add guard rule when creating FDB in switchdev") +Reviewed-by: Marcin Szycik +Reviewed-by: Przemek Kitszel +Signed-off-by: Wojciech Drewek +Reviewed-by: Simon Horman +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index d2a2388d4fa0a..88ee2491312a5 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -2271,10 +2271,10 @@ ice_get_recp_frm_fw(struct ice_hw *hw, struct ice_sw_recipe *recps, u8 rid, + /* Propagate some data to the recipe database */ + recps[idx].is_root = !!is_root; + recps[idx].priority = root_bufs.content.act_ctrl_fwd_priority; +- recps[idx].need_pass_l2 = root_bufs.content.act_ctrl & +- ICE_AQ_RECIPE_ACT_NEED_PASS_L2; +- recps[idx].allow_pass_l2 = root_bufs.content.act_ctrl & +- ICE_AQ_RECIPE_ACT_ALLOW_PASS_L2; ++ recps[idx].need_pass_l2 = !!(root_bufs.content.act_ctrl & ++ ICE_AQ_RECIPE_ACT_NEED_PASS_L2); ++ recps[idx].allow_pass_l2 = !!(root_bufs.content.act_ctrl & ++ ICE_AQ_RECIPE_ACT_ALLOW_PASS_L2); + bitmap_zero(recps[idx].res_idxs, ICE_MAX_FV_WORDS); + if (root_bufs.content.result_indx & ICE_AQ_RECIPE_RESULT_EN) { + recps[idx].chain_idx = root_bufs.content.result_indx & +-- +2.43.0 + diff --git a/queue-6.6/io_uring-fix-io_match_task-must_hold.patch b/queue-6.6/io_uring-fix-io_match_task-must_hold.patch new file mode 100644 index 00000000000..868068703b3 --- /dev/null +++ b/queue-6.6/io_uring-fix-io_match_task-must_hold.patch @@ -0,0 +1,37 @@ +From 77ce4c1bfe31fc02aed185808572d41ceb238186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 12:16:18 +0100 +Subject: io_uring: fix io_match_task must_hold + +From: Pavel Begunkov + +[ Upstream commit e142e9cd8891b0c6f277ac2c2c254199a6aa56e3 ] + +The __must_hold annotation in io_match_task() uses a non existing +parameter "req", fix it. + +Fixes: 6af3f48bf6156 ("io_uring: fix link traversal locking") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/3e65ee7709e96507cef3d93291746f2c489f2307.1721819383.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/timeout.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/timeout.c b/io_uring/timeout.c +index 7fd7dbb211d64..4f1f710197d62 100644 +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -644,7 +644,7 @@ void io_queue_linked_timeout(struct io_kiocb *req) + + static bool io_match_task(struct io_kiocb *head, struct task_struct *task, + bool cancel_all) +- __must_hold(&req->ctx->timeout_lock) ++ __must_hold(&head->ctx->timeout_lock) + { + struct io_kiocb *req; + +-- +2.43.0 + diff --git a/queue-6.6/iommu-sprd-avoid-null-deref-in-sprd_iommu_hw_en.patch b/queue-6.6/iommu-sprd-avoid-null-deref-in-sprd_iommu_hw_en.patch new file mode 100644 index 00000000000..f35f8a227cd --- /dev/null +++ b/queue-6.6/iommu-sprd-avoid-null-deref-in-sprd_iommu_hw_en.patch @@ -0,0 +1,41 @@ +From 6910c0c983cbdc64864e0b2ed5354062a630040b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 15:55:14 +0300 +Subject: iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en + +From: Artem Chernyshev + +[ Upstream commit 630482ee0653decf9e2482ac6181897eb6cde5b8 ] + +In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en() +dom->sdev is equal to NULL, which leads to null dereference. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9afea57384d4 ("iommu/sprd: Release dma buffer to avoid memory leak") +Signed-off-by: Artem Chernyshev +Reviewed-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20240716125522.3690358-1-artem.chernyshev@red-soft.ru +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/sprd-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c +index 2fa9afebd4f5f..c8e79a2d8b4c6 100644 +--- a/drivers/iommu/sprd-iommu.c ++++ b/drivers/iommu/sprd-iommu.c +@@ -236,8 +236,8 @@ static void sprd_iommu_cleanup(struct sprd_iommu_domain *dom) + + pgt_size = sprd_iommu_pgt_size(&dom->domain); + dma_free_coherent(dom->sdev->dev, pgt_size, dom->pgt_va, dom->pgt_pa); +- dom->sdev = NULL; + sprd_iommu_hw_en(dom->sdev, false); ++ dom->sdev = NULL; + } + + static void sprd_iommu_domain_free(struct iommu_domain *domain) +-- +2.43.0 + diff --git a/queue-6.6/ipv4-fix-incorrect-source-address-in-record-route-op.patch b/queue-6.6/ipv4-fix-incorrect-source-address-in-record-route-op.patch new file mode 100644 index 00000000000..9d91c7e92cc --- /dev/null +++ b/queue-6.6/ipv4-fix-incorrect-source-address-in-record-route-op.patch @@ -0,0 +1,49 @@ +From 8d9dd04661a0ec268fe864c306f73c17805ed5ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 15:34:07 +0300 +Subject: ipv4: Fix incorrect source address in Record Route option + +From: Ido Schimmel + +[ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ] + +The Record Route IP option records the addresses of the routers that +routed the packet. In the case of forwarded packets, the kernel performs +a route lookup via fib_lookup() and fills in the preferred source +address of the matched route. + +The lookup is performed with the DS field of the forwarded packet, but +using the RT_TOS() macro which only masks one of the two ECN bits. If +the packet is ECT(0) or CE, the matched route might be different than +the route via which the packet was forwarded as the input path masks +both of the ECN bits, resulting in the wrong address being filled in the +Record Route option. + +Fix by masking both of the ECN bits. + +Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().") +Signed-off-by: Ido Schimmel +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 4d169573148f6..285482060082f 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1275,7 +1275,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt) + struct flowi4 fl4 = { + .daddr = iph->daddr, + .saddr = iph->saddr, +- .flowi4_tos = RT_TOS(iph->tos), ++ .flowi4_tos = iph->tos & IPTOS_RT_MASK, + .flowi4_oif = rt->dst.dev->ifindex, + .flowi4_iif = skb->dev->ifindex, + .flowi4_mark = skb->mark, +-- +2.43.0 + diff --git a/queue-6.6/jfs-fix-array-index-out-of-bounds-in-difree.patch b/queue-6.6/jfs-fix-array-index-out-of-bounds-in-difree.patch new file mode 100644 index 00000000000..27d9d6b424e --- /dev/null +++ b/queue-6.6/jfs-fix-array-index-out-of-bounds-in-difree.patch @@ -0,0 +1,46 @@ +From b0dc892219bea1e52e03f950cca7bd5e0ffd26f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 22:28:09 +0900 +Subject: jfs: Fix array-index-out-of-bounds in diFree + +From: Jeongjun Park + +[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] + +Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index eeedf606cf9d4..4bc589c4dcca9 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -290,7 +290,7 @@ int diSync(struct inode *ipimap) + int diRead(struct inode *ip) + { + struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); +- int iagno, ino, extno, rc; ++ int iagno, ino, extno, rc, agno; + struct inode *ipimap; + struct dinode *dp; + struct iag *iagp; +@@ -339,8 +339,11 @@ int diRead(struct inode *ip) + + /* get the ag for the iag */ + agstart = le64_to_cpu(iagp->agstart); ++ agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); + + release_metapage(mp); ++ if (agno >= MAXAG || agno < 0) ++ return -EIO; + + rel_inode = (ino & (INOSPERPAGE - 1)); + pageno = blkno >> sbi->l2nbperpage; +-- +2.43.0 + diff --git a/queue-6.6/kbuild-avoid-build-error-when-single-dtb-is-turned-i.patch b/queue-6.6/kbuild-avoid-build-error-when-single-dtb-is-turned-i.patch new file mode 100644 index 00000000000..bb2592f1f6c --- /dev/null +++ b/queue-6.6/kbuild-avoid-build-error-when-single-dtb-is-turned-i.patch @@ -0,0 +1,99 @@ +From 20c67bb13a1132a5102b1d044d689c466007951e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 22:13:58 +0900 +Subject: kbuild: avoid build error when single DTB is turned into composite + DTB + +From: Masahiro Yamada + +[ Upstream commit 712aba5543b88996bc4682086471076fbf048927 ] + +As commit afa974b77128 ("kbuild: add real-prereqs shorthand for +$(filter-out FORCE,$^)") explained, $(real-prereqs) is not just a list +of objects when linking a multi-object module. If a single-object module +is turned into a multi-object module, $^ (and therefore $(real-prereqs) +as well) contains header files recorded in the *.cmd file. Such headers +must be filtered out. + +Now that a DTB can be built either from a single source or multiple +source files, the same issue can occur. + +Consider the following scenario: + +First, foo.dtb is implemented as a single-blob device tree. + +The code looks something like this: + +[Sample Code 1] + + Makefile: + + dtb-y += foo.dtb + + foo.dts: + + #include + /dts-v1/; + / { }; + +When it is compiled, .foo.dtb.cmd records that foo.dtb depends on +scripts/dtc/include-prefixes/dt-bindings/gpio/gpio.h. + +Later, foo.dtb is split into a base and an overlay. The code looks +something like this: + +[Sample Code 2] + + Makefile: + + dtb-y += foo.dtb + foo-dtbs := foo-base.dtb foo-addon.dtbo + + foo-base.dts: + + #include + /dts-v1/; + / { }; + + foo-addon.dtso: + + /dts-v1/; + /plugin/; + / { }; + +If you rebuild foo.dtb without 'make clean', you will get this error: + + Overlay 'scripts/dtc/include-prefixes/dt-bindings/gpio/gpio.h' is incomplete + +$(real-prereqs) contains not only foo-base.dtb and foo-addon.dtbo but +also scripts/dtc/include-prefixes/dt-bindings/gpio/gpio.h, which is +passed to scripts/dtc/fdtoverlay. + +Fixes: 15d16d6dadf6 ("kbuild: Add generic rule to apply fdtoverlay") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.lib | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib +index 68d0134bdbf9d..e702552fb131a 100644 +--- a/scripts/Makefile.lib ++++ b/scripts/Makefile.lib +@@ -395,8 +395,12 @@ cmd_dtc = $(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) $< ; + -d $(depfile).dtc.tmp $(dtc-tmp) ; \ + cat $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) + ++# NOTE: ++# Do not replace $(filter %.dtb %.dtbo, $^) with $(real-prereqs). When a single ++# DTB is turned into a multi-blob DTB, $^ will contain header file dependencies ++# recorded in the .*.cmd file. + quiet_cmd_fdtoverlay = DTOVL $@ +- cmd_fdtoverlay = $(objtree)/scripts/dtc/fdtoverlay -o $@ -i $(real-prereqs) ++ cmd_fdtoverlay = $(objtree)/scripts/dtc/fdtoverlay -o $@ -i $(filter %.dtb %.dtbo, $^) + + $(multi-dtb-y): FORCE + $(call if_changed,fdtoverlay) +-- +2.43.0 + diff --git a/queue-6.6/kdb-address-wformat-security-warnings.patch b/queue-6.6/kdb-address-wformat-security-warnings.patch new file mode 100644 index 00000000000..72625c6ed60 --- /dev/null +++ b/queue-6.6/kdb-address-wformat-security-warnings.patch @@ -0,0 +1,58 @@ +From 10dbbf747da305f0f60ef8940d274f5d3db1c7a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 14:11:48 +0200 +Subject: kdb: address -Wformat-security warnings + +From: Arnd Bergmann + +[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ] + +When -Wformat-security is not disabled, using a string pointer +as a format causes a warning: + +kernel/debug/kdb/kdb_io.c: In function 'kdb_read': +kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security] + 365 | kdb_printf(kdb_prompt_str); + | ^~~~~~~~~~~~~~ +kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr': +kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security] + 456 | kdb_printf(kdb_prompt_str); + | ^~~~~~~~~~~~~~ + +Use an explcit "%s" format instead. + +Signed-off-by: Arnd Bergmann +Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 2aeaf9765b248..2d65da509f699 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -371,7 +371,7 @@ static char *kdb_read(char *buffer, size_t bufsize) + if (i >= dtab_count) + kdb_printf("..."); + kdb_printf("\n"); +- kdb_printf(kdb_prompt_str); ++ kdb_printf("%s", kdb_prompt_str); + kdb_printf("%s", buffer); + if (cp != lastchar) + kdb_position_cursor(kdb_prompt_str, buffer, cp); +@@ -463,7 +463,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt) + { + if (prompt && kdb_prompt_str != prompt) + strscpy(kdb_prompt_str, prompt, CMD_BUFLEN); +- kdb_printf(kdb_prompt_str); ++ kdb_printf("%s", kdb_prompt_str); + kdb_nextline = 1; /* Prompt and input resets line number */ + return kdb_read(buffer, bufsize); + } +-- +2.43.0 + diff --git a/queue-6.6/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch b/queue-6.6/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch new file mode 100644 index 00000000000..0a1cd197dca --- /dev/null +++ b/queue-6.6/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch @@ -0,0 +1,42 @@ +From 0f2e1afa643207eb9574a90aba6d8f033d854812 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 07:11:48 -0700 +Subject: kdb: Use the passed prompt in kdb_position_cursor() + +From: Douglas Anderson + +[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ] + +The function kdb_position_cursor() takes in a "prompt" parameter but +never uses it. This doesn't _really_ matter since all current callers +of the function pass the same value and it's a global variable, but +it's a bit ugly. Let's clean it up. + +Found by code inspection. This patch is expected to functionally be a +no-op. + +Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()") +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 2d65da509f699..4799f6250bb26 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -206,7 +206,7 @@ char kdb_getchar(void) + */ + static void kdb_position_cursor(char *prompt, char *buffer, char *cp) + { +- kdb_printf("\r%s", kdb_prompt_str); ++ kdb_printf("\r%s", prompt); + if (cp > buffer) + kdb_printf("%.*s", (int)(cp - buffer), buffer); + } +-- +2.43.0 + diff --git a/queue-6.6/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch b/queue-6.6/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch new file mode 100644 index 00000000000..74f42699e26 --- /dev/null +++ b/queue-6.6/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch @@ -0,0 +1,96 @@ +From e5142503d1247e09900e2ee51322c3eb72946a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jul 2024 15:44:42 -0700 +Subject: libbpf: Fix no-args func prototype BTF dumping syntax + +From: Andrii Nakryiko + +[ Upstream commit 189f1a976e426011e6a5588f1d3ceedf71fe2965 ] + +For all these years libbpf's BTF dumper has been emitting not strictly +valid syntax for function prototypes that have no input arguments. + +Instead of `int (*blah)()` we should emit `int (*blah)(void)`. + +This is not normally a problem, but it manifests when we get kfuncs in +vmlinux.h that have no input arguments. Due to compiler internal +specifics, we get no BTF information for such kfuncs, if they are not +declared with proper `(void)`. + +The fix is trivial. We also need to adjust a few ancient tests that +happily assumed `()` is correct. + +Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") +Reported-by: Tejun Heo +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Stanislav Fomichev +Link: https://lore.kernel.org/bpf/20240712224442.282823-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf_dump.c | 8 +++++--- + .../selftests/bpf/progs/btf_dump_test_case_multidim.c | 4 ++-- + .../selftests/bpf/progs/btf_dump_test_case_syntax.c | 4 ++-- + 3 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +index 4d9f30bf7f014..ebf56d21d08ee 100644 +--- a/tools/lib/bpf/btf_dump.c ++++ b/tools/lib/bpf/btf_dump.c +@@ -1559,10 +1559,12 @@ static void btf_dump_emit_type_chain(struct btf_dump *d, + * Clang for BPF target generates func_proto with no + * args as a func_proto with a single void arg (e.g., + * `int (*f)(void)` vs just `int (*f)()`). We are +- * going to pretend there are no args for such case. ++ * going to emit valid empty args (void) syntax for ++ * such case. Similarly and conveniently, valid ++ * no args case can be special-cased here as well. + */ +- if (vlen == 1 && p->type == 0) { +- btf_dump_printf(d, ")"); ++ if (vlen == 0 || (vlen == 1 && p->type == 0)) { ++ btf_dump_printf(d, "void)"); + return; + } + +diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c +index ba97165bdb282..a657651eba523 100644 +--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c ++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c +@@ -14,9 +14,9 @@ typedef int *ptr_arr_t[6]; + + typedef int *ptr_multiarr_t[7][8][9][10]; + +-typedef int * (*fn_ptr_arr_t[11])(); ++typedef int * (*fn_ptr_arr_t[11])(void); + +-typedef int * (*fn_ptr_multiarr_t[12][13])(); ++typedef int * (*fn_ptr_multiarr_t[12][13])(void); + + struct root_struct { + arr_t _1; +diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c +index ad21ee8c7e234..29d01fff32bd2 100644 +--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c ++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c +@@ -100,7 +100,7 @@ typedef void (*printf_fn_t)(const char *, ...); + * `int -> char *` function and returns pointer to a char. Equivalent: + * typedef char * (*fn_input_t)(int); + * typedef char * (*fn_output_outer_t)(fn_input_t); +- * typedef const fn_output_outer_t (* fn_output_inner_t)(); ++ * typedef const fn_output_outer_t (* fn_output_inner_t)(void); + * typedef const fn_output_inner_t fn_ptr_arr2_t[5]; + */ + /* ----- START-EXPECTED-OUTPUT ----- */ +@@ -127,7 +127,7 @@ typedef void (* (*signal_t)(int, void (*)(int)))(int); + + typedef char * (*fn_ptr_arr1_t[10])(int **); + +-typedef char * (* (* const fn_ptr_arr2_t[5])())(char * (*)(int)); ++typedef char * (* (* const fn_ptr_arr2_t[5])(void))(char * (*)(int)); + + struct struct_w_typedefs { + int_t a; +-- +2.43.0 + diff --git a/queue-6.6/lirc-rc_dev_get_from_fd-fix-file-leak.patch b/queue-6.6/lirc-rc_dev_get_from_fd-fix-file-leak.patch new file mode 100644 index 00000000000..c765ece4c62 --- /dev/null +++ b/queue-6.6/lirc-rc_dev_get_from_fd-fix-file-leak.patch @@ -0,0 +1,37 @@ +From 84f3f90b1811fd12a23e5ef5680ff33a74e50189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 23:58:26 -0400 +Subject: lirc: rc_dev_get_from_fd(): fix file leak + +From: Al Viro + +[ Upstream commit bba1f6758a9ec90c1adac5dcf78f8a15f1bad65b ] + +missing fdput() on a failure exit + +Fixes: 6a9d552483d50 "media: rc: bpf attach/detach requires write permission" # v6.9 +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/media/rc/lirc_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c +index caad59f76793f..f8901d6fbe9bf 100644 +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -828,8 +828,10 @@ struct rc_dev *rc_dev_get_from_fd(int fd, bool write) + return ERR_PTR(-EINVAL); + } + +- if (write && !(f.file->f_mode & FMODE_WRITE)) ++ if (write && !(f.file->f_mode & FMODE_WRITE)) { ++ fdput(f); + return ERR_PTR(-EPERM); ++ } + + fh = f.file->private_data; + dev = fh->rc; +-- +2.43.0 + diff --git a/queue-6.6/mips-smp-cps-fix-address-for-gcr_access-register-for.patch b/queue-6.6/mips-smp-cps-fix-address-for-gcr_access-register-for.patch new file mode 100644 index 00000000000..d606b2a5146 --- /dev/null +++ b/queue-6.6/mips-smp-cps-fix-address-for-gcr_access-register-for.patch @@ -0,0 +1,66 @@ +From e22d590345c618055b2c7e7982e6ceab3a1e7108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 15:15:39 +0200 +Subject: MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later + +From: Gregory CLEMENT + +[ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ] + +When the CM block migrated from CM2.5 to CM3.0, the address offset for +the Global CSR Access Privilege register was modified. We saw this in +the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is +stated that "the Global CSR Access Privilege register is located at +offset 0x0120" in section 5.4. It is at least the same for I6400. + +This fix allows to use the VP cores in SMP mode if the reset values +were modified by the bootloader. + +Based on the work of Vladimir Kondratiev + and the feedback from Jiaxun Yang +. + +Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision") +Signed-off-by: Gregory CLEMENT +Reviewed-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mips-cm.h | 4 ++++ + arch/mips/kernel/smp-cps.c | 5 ++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h +index 23c67c0871b17..696b40beb774f 100644 +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -228,6 +228,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status) + GCR_ACCESSOR_RO(32, 0x0f0, cpc_status) + #define CM_GCR_CPC_STATUS_EX BIT(0) + ++/* GCR_ACCESS - Controls core/IOCU access to GCRs */ ++GCR_ACCESSOR_RW(32, 0x120, access_cm3) ++#define CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0) ++ + /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */ + GCR_ACCESSOR_RW(32, 0x130, l2_config) + #define CM_GCR_L2_CONFIG_BYPASS BIT(20) +diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c +index dd55d59b88db3..d445f8e849abd 100644 +--- a/arch/mips/kernel/smp-cps.c ++++ b/arch/mips/kernel/smp-cps.c +@@ -222,7 +222,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id) + write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB); + + /* Ensure the core can access the GCRs */ +- set_gcr_access(1 << core); ++ if (mips_cm_revision() < CM_REV_CM3) ++ set_gcr_access(1 << core); ++ else ++ set_gcr_access_cm3(1 << core); + + if (mips_cpc_present()) { + /* Reset the core */ +-- +2.43.0 + diff --git a/queue-6.6/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch b/queue-6.6/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch new file mode 100644 index 00000000000..17803d26f2a --- /dev/null +++ b/queue-6.6/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch @@ -0,0 +1,55 @@ +From 531458de8da32583c25dfe9292184a6e2202ef7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 11:08:18 -0500 +Subject: mISDN: Fix a use after free in hfcmulti_tx() + +From: Dan Carpenter + +[ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ] + +Don't dereference *sp after calling dev_kfree_skb(*sp). + +Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c +index 2e5cb9dde3ec5..44383cec1f47a 100644 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -1900,7 +1900,7 @@ hfcmulti_dtmf(struct hfc_multi *hc) + static void + hfcmulti_tx(struct hfc_multi *hc, int ch) + { +- int i, ii, temp, len = 0; ++ int i, ii, temp, tmp_len, len = 0; + int Zspace, z1, z2; /* must be int for calculation */ + int Fspace, f1, f2; + u_char *d; +@@ -2121,14 +2121,15 @@ hfcmulti_tx(struct hfc_multi *hc, int ch) + HFC_wait_nodebug(hc); + } + ++ tmp_len = (*sp)->len; + dev_kfree_skb(*sp); + /* check for next frame */ + if (bch && get_next_bframe(bch)) { +- len = (*sp)->len; ++ len = tmp_len; + goto next_frame; + } + if (dch && get_next_dframe(dch)) { +- len = (*sp)->len; ++ len = tmp_len; + goto next_frame; + } + +-- +2.43.0 + diff --git a/queue-6.6/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch b/queue-6.6/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch new file mode 100644 index 00000000000..89de386fef3 --- /dev/null +++ b/queue-6.6/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch @@ -0,0 +1,53 @@ +From 11c75a7c897a4c38082ae2a8fb38a7eaa517d07d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 09:41:18 -0700 +Subject: net: bonding: correctly annotate RCU in bond_should_notify_peers() + +From: Johannes Berg + +[ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ] + +RCU use in bond_should_notify_peers() looks wrong, since it does +rcu_dereference(), leaves the critical section, and uses the +pointer after that. + +Luckily, it's called either inside a nested RCU critical section +or with the RTNL held. + +Annotate it with rcu_dereference_rtnl() instead, and remove the +inner RCU critical section. + +Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()") +Reviewed-by: Jiri Pirko +Signed-off-by: Johannes Berg +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 34880b2db8050..722ac5c4992c9 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1121,13 +1121,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond) + return bestslave; + } + ++/* must be called in RCU critical section or with RTNL held */ + static bool bond_should_notify_peers(struct bonding *bond) + { +- struct slave *slave; +- +- rcu_read_lock(); +- slave = rcu_dereference(bond->curr_active_slave); +- rcu_read_unlock(); ++ struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave); + + if (!slave || !bond->send_peer_notif || + bond->send_peer_notif % +-- +2.43.0 + diff --git a/queue-6.6/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch b/queue-6.6/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch new file mode 100644 index 00000000000..d757fbc34de --- /dev/null +++ b/queue-6.6/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch @@ -0,0 +1,55 @@ +From 2802f4625fcca51145473d31fc1c7b25b9c9f239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 18:04:16 +0200 +Subject: net: nexthop: Initialize all fields in dumped nexthops + +From: Petr Machata + +[ Upstream commit 6d745cd0e9720282cd291d36b9db528aea18add2 ] + +struct nexthop_grp contains two reserved fields that are not initialized by +nla_put_nh_group(), and carry garbage. This can be observed e.g. with +strace (edited for clarity): + + # ip nexthop add id 1 dev lo + # ip nexthop add id 101 group 1 + # strace -e recvmsg ip nexthop get id 101 + ... + recvmsg(... [{nla_len=12, nla_type=NHA_GROUP}, + [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52 + +The fields are reserved and therefore not currently used. But as they are, they +leak kernel memory, and the fact they are not just zero complicates repurposing +of the fields for new ends. Initialize the full structure. + +Fixes: 430a049190de ("nexthop: Add support for nexthop groups") +Signed-off-by: Petr Machata +Reviewed-by: Ido Schimmel +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index bbff68b5b5d4a..8d41b03942197 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -676,9 +676,10 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nh_group *nhg) + + p = nla_data(nla); + for (i = 0; i < nhg->num_nh; ++i) { +- p->id = nhg->nh_entries[i].nh->id; +- p->weight = nhg->nh_entries[i].weight - 1; +- p += 1; ++ *p++ = (struct nexthop_grp) { ++ .id = nhg->nh_entries[i].nh->id, ++ .weight = nhg->nh_entries[i].weight - 1, ++ }; + } + + if (nhg->resilient && nla_put_nh_group_res(skb, nhg)) +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-correct-byte-order-of-perfect_match.patch b/queue-6.6/net-stmmac-correct-byte-order-of-perfect_match.patch new file mode 100644 index 00000000000..2c732f82241 --- /dev/null +++ b/queue-6.6/net-stmmac-correct-byte-order-of-perfect_match.patch @@ -0,0 +1,110 @@ +From c757fe12b3c1a455764cef8134765a92beeb694b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 14:29:27 +0100 +Subject: net: stmmac: Correct byte order of perfect_match + +From: Simon Horman + +[ Upstream commit e9dbebae2e3c338122716914fe105458f41e3a4a ] + +The perfect_match parameter of the update_vlan_hash operation is __le16, +and is correctly converted from host byte-order in the lone caller, +stmmac_vlan_update(). + +However, the implementations of this caller, dwxgmac2_update_vlan_hash() +and dwxgmac2_update_vlan_hash(), both treat this parameter as host byte +order, using the following pattern: + + u32 value = ... + ... + writel(value | perfect_match, ...); + +This is not correct because both: +1) value is host byte order; and +2) writel expects a host byte order value as it's first argument + +I believe that this will break on big endian systems. And I expect it +has gone unnoticed by only being exercised on little endian systems. + +The approach taken by this patch is to update the callback, and it's +caller to simply use a host byte order value. + +Flagged by Sparse. +Compile tested only. + +Fixes: c7ab0b8088d7 ("net: stmmac: Fallback to VLAN Perfect filtering if HASH is not available") +Signed-off-by: Simon Horman +Reviewed-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 2 +- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 4ead0ddf43a7a..bf99495b51a9c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -982,7 +982,7 @@ static void dwmac4_set_mac_loopback(void __iomem *ioaddr, bool enable) + } + + static void dwmac4_update_vlan_hash(struct mac_device_info *hw, u32 hash, +- __le16 perfect_match, bool is_double) ++ u16 perfect_match, bool is_double) + { + void __iomem *ioaddr = hw->pcsr; + u32 value; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index 8bc317d2f7a61..052566f5b7f36 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -615,7 +615,7 @@ static int dwxgmac2_rss_configure(struct mac_device_info *hw, + } + + static void dwxgmac2_update_vlan_hash(struct mac_device_info *hw, u32 hash, +- __le16 perfect_match, bool is_double) ++ u16 perfect_match, bool is_double) + { + void __iomem *ioaddr = hw->pcsr; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 68aa2d5ca6e56..47fb8e1646c2e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -386,7 +386,7 @@ struct stmmac_ops { + struct stmmac_rss *cfg, u32 num_rxq); + /* VLAN */ + void (*update_vlan_hash)(struct mac_device_info *hw, u32 hash, +- __le16 perfect_match, bool is_double); ++ u16 perfect_match, bool is_double); + void (*enable_vlan)(struct mac_device_info *hw, u32 type); + int (*add_hw_vlan_rx_fltr)(struct net_device *dev, + struct mac_device_info *hw, +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 19c58ad8df345..d6167a7b19f21 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -6473,7 +6473,7 @@ static u32 stmmac_vid_crc32_le(__le16 vid_le) + static int stmmac_vlan_update(struct stmmac_priv *priv, bool is_double) + { + u32 crc, hash = 0; +- __le16 pmatch = 0; ++ u16 pmatch = 0; + int count = 0; + u16 vid = 0; + +@@ -6488,7 +6488,7 @@ static int stmmac_vlan_update(struct stmmac_priv *priv, bool is_double) + if (count > 2) /* VID = 0 always passes filter */ + return -EOPNOTSUPP; + +- pmatch = cpu_to_le16(vid); ++ pmatch = vid; + hash = 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/netfilter-nft_set_pipapo_avx2-disable-softinterrupts.patch b/queue-6.6/netfilter-nft_set_pipapo_avx2-disable-softinterrupts.patch new file mode 100644 index 00000000000..e4bb50a4d16 --- /dev/null +++ b/queue-6.6/netfilter-nft_set_pipapo_avx2-disable-softinterrupts.patch @@ -0,0 +1,71 @@ +From b9c122a3a2a0b2611a60a22d4fbb830c9b588048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 13:19:26 +0200 +Subject: netfilter: nft_set_pipapo_avx2: disable softinterrupts + +From: Florian Westphal + +[ Upstream commit a16909ae9982e931841c456061cb57fbaec9c59e ] + +We need to disable softinterrupts, else we get following problem: + +1. pipapo_avx2 called from process context; fpu usable +2. preempt_disable() called, pcpu scratchmap in use +3. softirq handles rx or tx, we re-enter pipapo_avx2 +4. fpu busy, fallback to generic non-avx version +5. fallback reuses scratch map and index, which are in use + by the preempted process + +Handle this same way as generic version by first disabling +softinterrupts while the scratchmap is in use. + +Fixes: f0b3d338064e ("netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version") +Cc: Stefano Brivio +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 8910a5ac7ed12..b8d3c3213efee 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1139,8 +1139,14 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + bool map_index; + int i, ret = 0; + +- if (unlikely(!irq_fpu_usable())) +- return nft_pipapo_lookup(net, set, key, ext); ++ local_bh_disable(); ++ ++ if (unlikely(!irq_fpu_usable())) { ++ bool fallback_res = nft_pipapo_lookup(net, set, key, ext); ++ ++ local_bh_enable(); ++ return fallback_res; ++ } + + m = rcu_dereference(priv->match); + +@@ -1155,6 +1161,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + scratch = *raw_cpu_ptr(m->scratch); + if (unlikely(!scratch)) { + kernel_fpu_end(); ++ local_bh_enable(); + return false; + } + +@@ -1235,6 +1242,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + if (i % 2) + scratch->map_index = !map_index; + kernel_fpu_end(); ++ local_bh_enable(); + + return ret >= 0; + } +-- +2.43.0 + diff --git a/queue-6.6/nvme-pci-add-missing-condition-check-for-existence-o.patch b/queue-6.6/nvme-pci-add-missing-condition-check-for-existence-o.patch new file mode 100644 index 00000000000..ff0242df57e --- /dev/null +++ b/queue-6.6/nvme-pci-add-missing-condition-check-for-existence-o.patch @@ -0,0 +1,39 @@ +From 42dd0450363ddc72ea4ea3c8e196141686622b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 13:31:14 +0300 +Subject: nvme-pci: add missing condition check for existence of mapped data + +From: Leon Romanovsky + +[ Upstream commit c31fad1470389666ac7169fe43aa65bf5b7e2cfd ] + +nvme_map_data() is called when request has physical segments, hence +the nvme_unmap_data() should have same condition to avoid dereference. + +Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") +Signed-off-by: Leon Romanovsky +Reviewed-by: Christoph Hellwig +Reviewed-by: Nitesh Shetty +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7c71431dbd6cc..796c2a00fea4a 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -863,7 +863,8 @@ static blk_status_t nvme_prep_rq(struct nvme_dev *dev, struct request *req) + nvme_start_request(req); + return BLK_STS_OK; + out_unmap_data: +- nvme_unmap_data(dev, req); ++ if (blk_rq_nr_phys_segments(req)) ++ nvme_unmap_data(dev, req); + out_free_cmd: + nvme_cleanup_cmd(req); + return ret; +-- +2.43.0 + diff --git a/queue-6.6/nvme-pci-fix-the-instructions-for-disabling-power-ma.patch b/queue-6.6/nvme-pci-fix-the-instructions-for-disabling-power-ma.patch new file mode 100644 index 00000000000..d8113cb8c8e --- /dev/null +++ b/queue-6.6/nvme-pci-fix-the-instructions-for-disabling-power-ma.patch @@ -0,0 +1,44 @@ +From ba0ede5e0078c013357268dc92423d135b63096d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:59:52 -0700 +Subject: nvme-pci: Fix the instructions for disabling power management + +From: Bart Van Assche + +[ Upstream commit 92fc2c469eb26060384e9b2cd4cb0cc228aba582 ] + +pcie_aspm=off tells the kernel not to modify the ASPM configuration. This +setting does not guarantee that ASPM (Active State Power Management) is +disabled. Hence add pcie_port_pm=off. This disables power management for +all PCIe ports. + +This patch has been tested on a workstation with a Samsung SSD 970 EVO Plus +NVMe SSD. + +Fixes: 4641a8e6e145 ("nvme-pci: add trouble shooting steps for timeouts") +Cc: Keith Busch +Cc: Christoph Hellwig +Cc: Chaitanya Kulkarni +Signed-off-by: Bart Van Assche +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 710fd4d862520..7c71431dbd6cc 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1275,7 +1275,7 @@ static void nvme_warn_reset(struct nvme_dev *dev, u32 csts) + dev_warn(dev->ctrl.device, + "Does your device have a faulty power saving mode enabled?\n"); + dev_warn(dev->ctrl.device, +- "Try \"nvme_core.default_ps_max_latency_us=0 pcie_aspm=off\" and report a bug\n"); ++ "Try \"nvme_core.default_ps_max_latency_us=0 pcie_aspm=off pcie_port_pm=off\" and report a bug\n"); + } + + static enum blk_eh_timer_return nvme_timeout(struct request *req) +-- +2.43.0 + diff --git a/queue-6.6/phy-cadence-torrent-check-return-value-on-register-r.patch b/queue-6.6/phy-cadence-torrent-check-return-value-on-register-r.patch new file mode 100644 index 00000000000..59f7936fe6b --- /dev/null +++ b/queue-6.6/phy-cadence-torrent-check-return-value-on-register-r.patch @@ -0,0 +1,40 @@ +From 6895a807fabe9511eaa41cb7565e7b45586cee93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 11:20:42 +0800 +Subject: phy: cadence-torrent: Check return value on register read + +From: Ma Ke + +[ Upstream commit 967969cf594ed3c1678a9918d6e9bb2d1591cbe9 ] + +cdns_torrent_dp_set_power_state() does not consider that ret might be +overwritten. Add return value check of regmap_read_poll_timeout() after +register read in cdns_torrent_dp_set_power_state(). + +Fixes: 5b16a790f18d ("phy: cadence-torrent: Reorder few functions to remove function declarations") +Signed-off-by: Ma Ke +Reviewed-by: Roger Quadros +Link: https://lore.kernel.org/r/20240702032042.3993031-1-make24@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/cadence/phy-cadence-torrent.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/phy/cadence/phy-cadence-torrent.c b/drivers/phy/cadence/phy-cadence-torrent.c +index a75c96385c57a..a23d7f9b7d10f 100644 +--- a/drivers/phy/cadence/phy-cadence-torrent.c ++++ b/drivers/phy/cadence/phy-cadence-torrent.c +@@ -1154,6 +1154,9 @@ static int cdns_torrent_dp_set_power_state(struct cdns_torrent_phy *cdns_phy, + ret = regmap_read_poll_timeout(regmap, PHY_PMA_XCVR_POWER_STATE_ACK, + read_val, (read_val & mask) == value, 0, + POLL_TIMEOUT_US); ++ if (ret) ++ return ret; ++ + cdns_torrent_dp_write(regmap, PHY_PMA_XCVR_POWER_STATE_REQ, 0x00000000); + ndelay(100); + +-- +2.43.0 + diff --git a/queue-6.6/phy-zynqmp-enable-reference-clock-correctly.patch b/queue-6.6/phy-zynqmp-enable-reference-clock-correctly.patch new file mode 100644 index 00000000000..80a21edf00a --- /dev/null +++ b/queue-6.6/phy-zynqmp-enable-reference-clock-correctly.patch @@ -0,0 +1,79 @@ +From e5a343101afe6415959ca40866ac8944d24ae90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 16:55:36 -0400 +Subject: phy: zynqmp: Enable reference clock correctly + +From: Sean Anderson + +[ Upstream commit 687d6bccb28238fcfa65f7c1badfdfeac498c428 ] + +Lanes can use other lanes' reference clocks, as determined by refclk. +Use refclk to determine the clock to enable/disable instead of always +using the lane's own reference clock. This ensures the clock selected in +xpsgtr_configure_pll is the one enabled. + +For the other half of the equation, always program REF_CLK_SEL even when +we are selecting the lane's own clock. This ensures that Linux's idea of +the reference clock matches the hardware. We use the "local" clock mux +for this instead of going through the ref clock network. + +Fixes: 25d700833513 ("phy: xilinx: phy-zynqmp: dynamic clock support for power-save") +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20240628205540.3098010-2-sean.anderson@linux.dev +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/xilinx/phy-zynqmp.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/phy/xilinx/phy-zynqmp.c b/drivers/phy/xilinx/phy-zynqmp.c +index 2559c6594cea2..0cb5088e460b5 100644 +--- a/drivers/phy/xilinx/phy-zynqmp.c ++++ b/drivers/phy/xilinx/phy-zynqmp.c +@@ -80,7 +80,8 @@ + + /* Reference clock selection parameters */ + #define L0_Ln_REF_CLK_SEL(n) (0x2860 + (n) * 4) +-#define L0_REF_CLK_SEL_MASK 0x8f ++#define L0_REF_CLK_LCL_SEL BIT(7) ++#define L0_REF_CLK_SEL_MASK 0x9f + + /* Calibration digital logic parameters */ + #define L3_TM_CALIB_DIG19 0xec4c +@@ -349,11 +350,12 @@ static void xpsgtr_configure_pll(struct xpsgtr_phy *gtr_phy) + PLL_FREQ_MASK, ssc->pll_ref_clk); + + /* Enable lane clock sharing, if required */ +- if (gtr_phy->refclk != gtr_phy->lane) { +- /* Lane3 Ref Clock Selection Register */ ++ if (gtr_phy->refclk == gtr_phy->lane) ++ xpsgtr_clr_set(gtr_phy->dev, L0_Ln_REF_CLK_SEL(gtr_phy->lane), ++ L0_REF_CLK_SEL_MASK, L0_REF_CLK_LCL_SEL); ++ else + xpsgtr_clr_set(gtr_phy->dev, L0_Ln_REF_CLK_SEL(gtr_phy->lane), + L0_REF_CLK_SEL_MASK, 1 << gtr_phy->refclk); +- } + + /* SSC step size [7:0] */ + xpsgtr_clr_set_phy(gtr_phy, L0_PLL_SS_STEP_SIZE_0_LSB, +@@ -573,7 +575,7 @@ static int xpsgtr_phy_init(struct phy *phy) + mutex_lock(>r_dev->gtr_mutex); + + /* Configure and enable the clock when peripheral phy_init call */ +- if (clk_prepare_enable(gtr_dev->clk[gtr_phy->lane])) ++ if (clk_prepare_enable(gtr_dev->clk[gtr_phy->refclk])) + goto out; + + /* Skip initialization if not required. */ +@@ -625,7 +627,7 @@ static int xpsgtr_phy_exit(struct phy *phy) + gtr_phy->skip_phy_init = false; + + /* Ensure that disable clock only, which configure for lane */ +- clk_disable_unprepare(gtr_dev->clk[gtr_phy->lane]); ++ clk_disable_unprepare(gtr_dev->clk[gtr_phy->refclk]); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch b/queue-6.6/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch new file mode 100644 index 00000000000..671317541af --- /dev/null +++ b/queue-6.6/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch @@ -0,0 +1,37 @@ +From 412aa67dc284d456a703c71a937a8e3abbb6f7ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 23:54:55 -0400 +Subject: powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() + +From: Al Viro + +[ Upstream commit b4cf5fc01ce83e5c0bcf3dbb9f929428646b9098 ] + +missing fdput() on one of the failure exits + +Fixes: eacc56bb9de3e # v5.2 +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/powerpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index 7197c8256668b..6cef200c2404d 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -1990,8 +1990,10 @@ static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu *vcpu, + break; + + r = -ENXIO; +- if (!xive_enabled()) ++ if (!xive_enabled()) { ++ fdput(f); + break; ++ } + + r = -EPERM; + dev = kvm_device_from_filp(f.file); +-- +2.43.0 + diff --git a/queue-6.6/s390-cpum_cf-fix-endless-loop-in-cf_diag-event-stop.patch b/queue-6.6/s390-cpum_cf-fix-endless-loop-in-cf_diag-event-stop.patch new file mode 100644 index 00000000000..e9ccbd4dbe9 --- /dev/null +++ b/queue-6.6/s390-cpum_cf-fix-endless-loop-in-cf_diag-event-stop.patch @@ -0,0 +1,87 @@ +From 0c81ed874b7a43bba52842966fb25b3726721a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:07:29 +0200 +Subject: s390/cpum_cf: Fix endless loop in CF_DIAG event stop + +From: Thomas Richter + +[ Upstream commit e6ce1f12d777f6ee22b20e10ae6a771e7e6f44f5 ] + +Event CF_DIAG reads out complete counter sets using stcctm +instruction. This is done at event start time when the process +starts execution and at event stop time when the process is +removed from the CPU. During removal the difference of each +counter in the counter sets is calculated and saved as raw data +in the ring buffer. This works fine unless the number of counters +in a counter set is zero. This may happen for the extended counter +set. This set is machine specific and the size of the counter +set can be zero even when extended counter set is authorized for +read access. + +This case is not handled. cfdiag_diffctr() checks authorization +of the extended counter set. If true the functions assumes +the extended counter set has been saved in a data buffer. However +this is not the case, cfdiag_getctrset() does not save a counter +set with counter set size of zero. This mismatch causes an endless +loop in the counter set readout during event stop handling. + +The calculation of the difference of the counters in each counter +now verifies the size of the counter set is non-zero. A counter set +with size zero is skipped. + +Fixes: a029a4eab39e ("s390/cpumf: Allow concurrent access for CPU Measurement Counter Facility") +Signed-off-by: Thomas Richter +Acked-by: Sumanth Korikkar +Acked-by: Heiko Carstens +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index 850c11ea631a6..5466e7bada03d 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -556,25 +556,31 @@ static int cfdiag_diffctr(struct cpu_cf_events *cpuhw, unsigned long auth) + struct cf_trailer_entry *trailer_start, *trailer_stop; + struct cf_ctrset_entry *ctrstart, *ctrstop; + size_t offset = 0; ++ int i; + +- auth &= (1 << CPUMF_LCCTL_ENABLE_SHIFT) - 1; +- do { ++ for (i = CPUMF_CTR_SET_BASIC; i < CPUMF_CTR_SET_MAX; ++i) { + ctrstart = (struct cf_ctrset_entry *)(cpuhw->start + offset); + ctrstop = (struct cf_ctrset_entry *)(cpuhw->stop + offset); + ++ /* Counter set not authorized */ ++ if (!(auth & cpumf_ctr_ctl[i])) ++ continue; ++ /* Counter set size zero was not saved */ ++ if (!cpum_cf_read_setsize(i)) ++ continue; ++ + if (memcmp(ctrstop, ctrstart, sizeof(*ctrstop))) { + pr_err_once("cpum_cf_diag counter set compare error " + "in set %i\n", ctrstart->set); + return 0; + } +- auth &= ~cpumf_ctr_ctl[ctrstart->set]; + if (ctrstart->def == CF_DIAG_CTRSET_DEF) { + cfdiag_diffctrset((u64 *)(ctrstart + 1), + (u64 *)(ctrstop + 1), ctrstart->ctr); + offset += ctrstart->ctr * sizeof(u64) + + sizeof(*ctrstart); + } +- } while (ctrstart->def && auth); ++ } + + /* Save time_stamp from start of event in stop's trailer */ + trailer_start = (struct cf_trailer_entry *)(cpuhw->start + offset); +-- +2.43.0 + diff --git a/queue-6.6/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch b/queue-6.6/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch new file mode 100644 index 00000000000..ddfe152ffc7 --- /dev/null +++ b/queue-6.6/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch @@ -0,0 +1,168 @@ +From eede70f4a9614d34e64c4cb951769c0d3a70ccdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:45:27 +0200 +Subject: s390/pci: Allow allocation of more than 1 MSI interrupt + +From: Gerd Bayer + +[ Upstream commit ab42fcb511fd9d241bbab7cc3ca04e34e9fc0666 ] + +On a PCI adapter that provides up to 8 MSI interrupt sources the s390 +implementation of PCI interrupts rejected to accommodate them, although +the underlying hardware is able to support that. + +For MSI-X it is sufficient to allocate a single irq_desc per msi_desc, +but for MSI multiple irq descriptors are attached to and controlled by +a single msi descriptor. Add the appropriate loops to maintain multiple +irq descriptors and tie/untie them to/from the appropriate AIBV bit, if +a device driver allocates more than 1 MSI interrupt. + +Common PCI code passes on requests to allocate a number of interrupt +vectors based on the device drivers' demand and the PCI functions' +capabilities. However, the root-complex of s390 systems support just a +limited number of interrupt vectors per PCI function. +Produce a kernel log message to inform about any architecture-specific +capping that might be done. + +With this change, we had a PCI adapter successfully raising +interrupts to its device driver via all 8 sources. + +Fixes: a384c8924a8b ("s390/PCI: Fix single MSI only check") +Signed-off-by: Gerd Bayer +Reviewed-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 62 ++++++++++++++++++++++++++++------------- + 1 file changed, 42 insertions(+), 20 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 979f776b09b8d..84482a9213322 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -298,8 +298,8 @@ static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs, + + int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + { ++ unsigned int hwirq, msi_vecs, irqs_per_msi, i, cpu; + struct zpci_dev *zdev = to_zpci(pdev); +- unsigned int hwirq, msi_vecs, cpu; + struct msi_desc *msi; + struct msi_msg msg; + unsigned long bit; +@@ -309,30 +309,46 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + zdev->aisb = -1UL; + zdev->msi_first_bit = -1U; + +- if (type == PCI_CAP_ID_MSI && nvec > 1) +- return 1; + msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); ++ if (msi_vecs < nvec) { ++ pr_info("%s requested %d irqs, allocate system limit of %d", ++ pci_name(pdev), nvec, zdev->max_msi); ++ } + + rc = __alloc_airq(zdev, msi_vecs, &bit); + if (rc < 0) + return rc; + +- /* Request MSI interrupts */ ++ /* ++ * Request MSI interrupts: ++ * When using MSI, nvec_used interrupt sources and their irq ++ * descriptors are controlled through one msi descriptor. ++ * Thus the outer loop over msi descriptors shall run only once, ++ * while two inner loops iterate over the interrupt vectors. ++ * When using MSI-X, each interrupt vector/irq descriptor ++ * is bound to exactly one msi descriptor (nvec_used is one). ++ * So the inner loops are executed once, while the outer iterates ++ * over the MSI-X descriptors. ++ */ + hwirq = bit; + msi_for_each_desc(msi, &pdev->dev, MSI_DESC_NOTASSOCIATED) { +- rc = -EIO; + if (hwirq - bit >= msi_vecs) + break; +- irq = __irq_alloc_descs(-1, 0, 1, 0, THIS_MODULE, +- (irq_delivery == DIRECTED) ? +- msi->affinity : NULL); ++ irqs_per_msi = min_t(unsigned int, msi_vecs, msi->nvec_used); ++ irq = __irq_alloc_descs(-1, 0, irqs_per_msi, 0, THIS_MODULE, ++ (irq_delivery == DIRECTED) ? ++ msi->affinity : NULL); + if (irq < 0) + return -ENOMEM; +- rc = irq_set_msi_desc(irq, msi); +- if (rc) +- return rc; +- irq_set_chip_and_handler(irq, &zpci_irq_chip, +- handle_percpu_irq); ++ ++ for (i = 0; i < irqs_per_msi; i++) { ++ rc = irq_set_msi_desc_off(irq, i, msi); ++ if (rc) ++ return rc; ++ irq_set_chip_and_handler(irq + i, &zpci_irq_chip, ++ handle_percpu_irq); ++ } ++ + msg.data = hwirq - bit; + if (irq_delivery == DIRECTED) { + if (msi->affinity) +@@ -345,31 +361,35 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + msg.address_lo |= (cpu_addr << 8); + + for_each_possible_cpu(cpu) { +- airq_iv_set_data(zpci_ibv[cpu], hwirq, irq); ++ for (i = 0; i < irqs_per_msi; i++) ++ airq_iv_set_data(zpci_ibv[cpu], ++ hwirq + i, irq + i); + } + } else { + msg.address_lo = zdev->msi_addr & 0xffffffff; +- airq_iv_set_data(zdev->aibv, hwirq, irq); ++ for (i = 0; i < irqs_per_msi; i++) ++ airq_iv_set_data(zdev->aibv, hwirq + i, irq + i); + } + msg.address_hi = zdev->msi_addr >> 32; + pci_write_msi_msg(irq, &msg); +- hwirq++; ++ hwirq += irqs_per_msi; + } + + zdev->msi_first_bit = bit; +- zdev->msi_nr_irqs = msi_vecs; ++ zdev->msi_nr_irqs = hwirq - bit; + + rc = zpci_set_irq(zdev); + if (rc) + return rc; + +- return (msi_vecs == nvec) ? 0 : msi_vecs; ++ return (zdev->msi_nr_irqs == nvec) ? 0 : zdev->msi_nr_irqs; + } + + void arch_teardown_msi_irqs(struct pci_dev *pdev) + { + struct zpci_dev *zdev = to_zpci(pdev); + struct msi_desc *msi; ++ unsigned int i; + int rc; + + /* Disable interrupts */ +@@ -379,8 +399,10 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev) + + /* Release MSI interrupts */ + msi_for_each_desc(msi, &pdev->dev, MSI_DESC_ASSOCIATED) { +- irq_set_msi_desc(msi->irq, NULL); +- irq_free_desc(msi->irq); ++ for (i = 0; i < msi->nvec_used; i++) { ++ irq_set_msi_desc(msi->irq + i, NULL); ++ irq_free_desc(msi->irq + i); ++ } + msi->msg.address_lo = 0; + msi->msg.address_hi = 0; + msi->msg.data = 0; +-- +2.43.0 + diff --git a/queue-6.6/s390-pci-refactor-arch_setup_msi_irqs.patch b/queue-6.6/s390-pci-refactor-arch_setup_msi_irqs.patch new file mode 100644 index 00000000000..db6a1bee912 --- /dev/null +++ b/queue-6.6/s390-pci-refactor-arch_setup_msi_irqs.patch @@ -0,0 +1,106 @@ +From 454619d92b8837a1c7acadfa85b582b587a2cf08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 15:45:26 +0200 +Subject: s390/pci: Refactor arch_setup_msi_irqs() + +From: Gerd Bayer + +[ Upstream commit 5fd11b96b43708f2f6e3964412c301c1bd20ec0f ] + +Factor out adapter interrupt allocation from arch_setup_msi_irqs() in +preparation for enabling registration of multiple MSIs. Code movement +only, no change of functionality intended. + +Signed-off-by: Gerd Bayer +Reviewed-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt") +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_irq.c | 54 ++++++++++++++++++++++++----------------- + 1 file changed, 32 insertions(+), 22 deletions(-) + +diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c +index 0ef83b6ac0db7..979f776b09b8d 100644 +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -268,33 +268,20 @@ static void zpci_floating_irq_handler(struct airq_struct *airq, + } + } + +-int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) ++static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs, ++ unsigned long *bit) + { +- struct zpci_dev *zdev = to_zpci(pdev); +- unsigned int hwirq, msi_vecs, cpu; +- unsigned long bit; +- struct msi_desc *msi; +- struct msi_msg msg; +- int cpu_addr; +- int rc, irq; +- +- zdev->aisb = -1UL; +- zdev->msi_first_bit = -1U; +- if (type == PCI_CAP_ID_MSI && nvec > 1) +- return 1; +- msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); +- + if (irq_delivery == DIRECTED) { + /* Allocate cpu vector bits */ +- bit = airq_iv_alloc(zpci_ibv[0], msi_vecs); +- if (bit == -1UL) ++ *bit = airq_iv_alloc(zpci_ibv[0], msi_vecs); ++ if (*bit == -1UL) + return -EIO; + } else { + /* Allocate adapter summary indicator bit */ +- bit = airq_iv_alloc_bit(zpci_sbv); +- if (bit == -1UL) ++ *bit = airq_iv_alloc_bit(zpci_sbv); ++ if (*bit == -1UL) + return -EIO; +- zdev->aisb = bit; ++ zdev->aisb = *bit; + + /* Create adapter interrupt vector */ + zdev->aibv = airq_iv_create(msi_vecs, AIRQ_IV_DATA | AIRQ_IV_BITLOCK, NULL); +@@ -302,10 +289,33 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + return -ENOMEM; + + /* Wire up shortcut pointer */ +- zpci_ibv[bit] = zdev->aibv; ++ zpci_ibv[*bit] = zdev->aibv; + /* Each function has its own interrupt vector */ +- bit = 0; ++ *bit = 0; + } ++ return 0; ++} ++ ++int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) ++{ ++ struct zpci_dev *zdev = to_zpci(pdev); ++ unsigned int hwirq, msi_vecs, cpu; ++ struct msi_desc *msi; ++ struct msi_msg msg; ++ unsigned long bit; ++ int cpu_addr; ++ int rc, irq; ++ ++ zdev->aisb = -1UL; ++ zdev->msi_first_bit = -1U; ++ ++ if (type == PCI_CAP_ID_MSI && nvec > 1) ++ return 1; ++ msi_vecs = min_t(unsigned int, nvec, zdev->max_msi); ++ ++ rc = __alloc_airq(zdev, msi_vecs, &bit); ++ if (rc < 0) ++ return rc; + + /* Request MSI interrupts */ + hwirq = bit; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fexit_sleep-fix-stack-allocation-for-a.patch b/queue-6.6/selftests-bpf-fexit_sleep-fix-stack-allocation-for-a.patch new file mode 100644 index 00000000000..b76ff4342b7 --- /dev/null +++ b/queue-6.6/selftests-bpf-fexit_sleep-fix-stack-allocation-for-a.patch @@ -0,0 +1,87 @@ +From d46b52df71091b6c6b0e6205bbdf631c3c39ebbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 17:33:27 +0000 +Subject: selftests/bpf: fexit_sleep: Fix stack allocation for arm64 + +From: Puranjay Mohan + +[ Upstream commit e1ef78dce9b7b0fa7f9d88bb3554441d74d33b34 ] + +On ARM64 the stack pointer should be aligned at a 16 byte boundary or +the SPAlignmentFault can occur. The fexit_sleep selftest allocates the +stack for the child process as a character array, this is not guaranteed +to be aligned at 16 bytes. + +Because of the SPAlignmentFault, the child process is killed before it +can do the nanosleep call and hence fentry_cnt remains as 0. This causes +the main thread to hang on the following line: + +while (READ_ONCE(fexit_skel->bss->fentry_cnt) != 2); + +Fix this by allocating the stack using mmap() as described in the +example in the man page of clone(). + +Remove the fexit_sleep test from the DENYLIST of arm64. + +Fixes: eddbe8e65214 ("selftest/bpf: Add a test to check trampoline freeing logic.") +Signed-off-by: Puranjay Mohan +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240715173327.8657-1-puranjay@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/DENYLIST.aarch64 | 1 - + tools/testing/selftests/bpf/prog_tests/fexit_sleep.c | 8 +++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/DENYLIST.aarch64 b/tools/testing/selftests/bpf/DENYLIST.aarch64 +index 3babaf3eee5c4..ec6aa58fb1810 100644 +--- a/tools/testing/selftests/bpf/DENYLIST.aarch64 ++++ b/tools/testing/selftests/bpf/DENYLIST.aarch64 +@@ -1,6 +1,5 @@ + bpf_cookie/multi_kprobe_attach_api # kprobe_multi_link_api_subtest:FAIL:fentry_raw_skel_load unexpected error: -3 + bpf_cookie/multi_kprobe_link_api # kprobe_multi_link_api_subtest:FAIL:fentry_raw_skel_load unexpected error: -3 +-fexit_sleep # The test never returns. The remaining tests cannot start. + kprobe_multi_bench_attach # needs CONFIG_FPROBE + kprobe_multi_test # needs CONFIG_FPROBE + module_attach # prog 'kprobe_multi': failed to auto-attach: -95 +diff --git a/tools/testing/selftests/bpf/prog_tests/fexit_sleep.c b/tools/testing/selftests/bpf/prog_tests/fexit_sleep.c +index f949647dbbc21..552a0875ca6db 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fexit_sleep.c ++++ b/tools/testing/selftests/bpf/prog_tests/fexit_sleep.c +@@ -21,13 +21,13 @@ static int do_sleep(void *skel) + } + + #define STACK_SIZE (1024 * 1024) +-static char child_stack[STACK_SIZE]; + + void test_fexit_sleep(void) + { + struct fexit_sleep_lskel *fexit_skel = NULL; + int wstatus, duration = 0; + pid_t cpid; ++ char *child_stack = NULL; + int err, fexit_cnt; + + fexit_skel = fexit_sleep_lskel__open_and_load(); +@@ -38,6 +38,11 @@ void test_fexit_sleep(void) + if (CHECK(err, "fexit_attach", "fexit attach failed: %d\n", err)) + goto cleanup; + ++ child_stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | ++ MAP_ANONYMOUS | MAP_STACK, -1, 0); ++ if (!ASSERT_NEQ(child_stack, MAP_FAILED, "mmap")) ++ goto cleanup; ++ + cpid = clone(do_sleep, child_stack + STACK_SIZE, CLONE_FILES | SIGCHLD, fexit_skel); + if (CHECK(cpid == -1, "clone", "%s\n", strerror(errno))) + goto cleanup; +@@ -78,5 +83,6 @@ void test_fexit_sleep(void) + goto cleanup; + + cleanup: ++ munmap(child_stack, STACK_SIZE); + fexit_sleep_lskel__destroy(fexit_skel); + } +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index d2afed47370..e7203bd231f 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -512,3 +512,57 @@ mm-mglru-fix-ineffective-protection-calculation.patch wifi-mac80211-track-capability-opmode-nss-separately.patch pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch +f2fs-fix-to-truncate-preallocated-blocks-in-f2fs_fil.patch +kdb-address-wformat-security-warnings.patch +kdb-use-the-passed-prompt-in-kdb_position_cursor.patch +jfs-fix-array-index-out-of-bounds-in-difree.patch +dmaengine-ti-k3-udma-fix-bchan-count-with-uhc-and-hc.patch +phy-cadence-torrent-check-return-value-on-register-r.patch +phy-zynqmp-enable-reference-clock-correctly.patch +um-time-travel-fix-time-travel-start-option.patch +um-time-travel-fix-signal-blocking-race-hang.patch +f2fs-fix-start-segno-of-large-section.patch +watchdog-rzg2l_wdt-use-pm_runtime_resume_and_get.patch +watchdog-rzg2l_wdt-check-return-status-of-pm_runtime.patch +f2fs-fix-to-update-user-block-counts-in-block_operat.patch +kbuild-avoid-build-error-when-single-dtb-is-turned-i.patch +selftests-bpf-fexit_sleep-fix-stack-allocation-for-a.patch +libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch +af_unix-disable-msg_oob-handling-for-sockets-in-sock.patch +dma-fix-call-order-in-dmam_free_coherent.patch +bpf-events-use-prog-to-emit-ksymbol-event-for-main-p.patch +tools-resolve_btfids-fix-comparison-of-distinct-poin.patch +mips-smp-cps-fix-address-for-gcr_access-register-for.patch +ipv4-fix-incorrect-source-address-in-record-route-op.patch +net-bonding-correctly-annotate-rcu-in-bond_should_no.patch +ice-fix-recipe-read-procedure.patch +netfilter-nft_set_pipapo_avx2-disable-softinterrupts.patch +tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch +net-stmmac-correct-byte-order-of-perfect_match.patch +net-nexthop-initialize-all-fields-in-dumped-nexthops.patch +bpf-fix-a-segment-issue-when-downgrading-gso_size.patch +misdn-fix-a-use-after-free-in-hfcmulti_tx.patch +apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch +powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch +lirc-rc_dev_get_from_fd-fix-file-leak.patch +auxdisplay-ht16k33-drop-reference-after-led-registra.patch +asoc-sof-imx8m-fix-dsp-control-regmap-retrieval.patch +spi-microchip-core-fix-the-issues-in-the-isr.patch +spi-microchip-core-defer-asserting-chip-select-until.patch +spi-microchip-core-only-disable-spi-controller-when-.patch +spi-microchip-core-switch-to-use-modern-name.patch +spi-microchip-core-fix-init-function-not-setting-the.patch +spi-microchip-core-ensure-tx-and-rx-fifos-are-empty-.patch +nvme-pci-fix-the-instructions-for-disabling-power-ma.patch +asoc-sof-amd-fix-for-firmware-reload-failure-in-vang.patch +spi-spidev-add-correct-compatible-for-rohm-bh2228fv.patch +asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch +asoc-tas2781-fix-tasdev_load_calibrated_data.patch +ceph-fix-incorrect-kmalloc-size-of-pagevec-mempool.patch +s390-pci-refactor-arch_setup_msi_irqs.patch +s390-pci-allow-allocation-of-more-than-1-msi-interru.patch +s390-cpum_cf-fix-endless-loop-in-cf_diag-event-stop.patch +iommu-sprd-avoid-null-deref-in-sprd_iommu_hw_en.patch +io_uring-fix-io_match_task-must_hold.patch +nvme-pci-add-missing-condition-check-for-existence-o.patch +fs-don-t-allow-non-init-s_user_ns-for-filesystems-wi.patch diff --git a/queue-6.6/spi-microchip-core-defer-asserting-chip-select-until.patch b/queue-6.6/spi-microchip-core-defer-asserting-chip-select-until.patch new file mode 100644 index 00000000000..294345800bb --- /dev/null +++ b/queue-6.6/spi-microchip-core-defer-asserting-chip-select-until.patch @@ -0,0 +1,91 @@ +From 04a8f0db32f200bcb777681f28f0c75e33a0f367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:13:53 +0100 +Subject: spi: microchip-core: defer asserting chip select until just before + write to TX FIFO + +From: Steve Wilkins + +[ Upstream commit 22fd98c107c792e35db7abe45298bc3a29bf4723 ] + +Setting up many of the registers for a new SPI transfer requires the +SPI controller to be disabled after set_cs() has been called to assert +the chip select line. However, disabling the controller results in the +SCLK and MOSI output pins being tristate, which can cause clock +transitions to be seen by a slave device whilst SS is active. To fix +this, the CS is only set to inactive inline, whilst setting it active +is deferred until all registers are set up and the any controller +disables have been completed. + +Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") +Signed-off-by: Steve Wilkins +Signed-off-by: Conor Dooley +Link: https://patch.msgid.link/20240715-sanitizer-recant-dd96b7a97048@wendy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index 1a19701cc6118..b49843f0c2e8e 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -103,6 +103,7 @@ struct mchp_corespi { + u8 *rx_buf; + u32 clk_gen; /* divider for spi output clock generated by the controller */ + u32 clk_mode; ++ u32 pending_slave_select; + int irq; + int tx_len; + int rx_len; +@@ -249,8 +250,18 @@ static void mchp_corespi_set_cs(struct spi_device *spi, bool disable) + reg = mchp_corespi_read(corespi, REG_SLAVE_SELECT); + reg &= ~BIT(spi_get_chipselect(spi, 0)); + reg |= !disable << spi_get_chipselect(spi, 0); ++ corespi->pending_slave_select = reg; + +- mchp_corespi_write(corespi, REG_SLAVE_SELECT, reg); ++ /* ++ * Only deassert chip select immediately. Writing to some registers ++ * requires the controller to be disabled, which results in the ++ * output pins being tristated and can cause the SCLK and MOSI lines ++ * to transition. Therefore asserting the chip select is deferred ++ * until just before writing to the TX FIFO, to ensure the device ++ * doesn't see any spurious clock transitions whilst CS is enabled. ++ */ ++ if (((spi->mode & SPI_CS_HIGH) == 0) == disable) ++ mchp_corespi_write(corespi, REG_SLAVE_SELECT, reg); + } + + static int mchp_corespi_setup(struct spi_device *spi) +@@ -266,6 +277,7 @@ static int mchp_corespi_setup(struct spi_device *spi) + if (spi->mode & SPI_CS_HIGH) { + reg = mchp_corespi_read(corespi, REG_SLAVE_SELECT); + reg |= BIT(spi_get_chipselect(spi, 0)); ++ corespi->pending_slave_select = reg; + mchp_corespi_write(corespi, REG_SLAVE_SELECT, reg); + } + return 0; +@@ -307,7 +319,8 @@ static void mchp_corespi_init(struct spi_master *master, struct mchp_corespi *sp + * select is relinquished to the hardware. SSELOUT is enabled too so we + * can deal with active high slaves. + */ +- mchp_corespi_write(spi, REG_SLAVE_SELECT, SSELOUT | SSEL_DIRECT); ++ spi->pending_slave_select = SSELOUT | SSEL_DIRECT; ++ mchp_corespi_write(spi, REG_SLAVE_SELECT, spi->pending_slave_select); + + control = mchp_corespi_read(spi, REG_CONTROL); + +@@ -476,6 +489,8 @@ static int mchp_corespi_transfer_one(struct spi_master *master, + mchp_corespi_set_xfer_size(spi, (spi->tx_len > FIFO_DEPTH) + ? FIFO_DEPTH : spi->tx_len); + ++ mchp_corespi_write(spi, REG_SLAVE_SELECT, spi->pending_slave_select); ++ + while (spi->tx_len) + mchp_corespi_write_fifo(spi); + +-- +2.43.0 + diff --git a/queue-6.6/spi-microchip-core-ensure-tx-and-rx-fifos-are-empty-.patch b/queue-6.6/spi-microchip-core-ensure-tx-and-rx-fifos-are-empty-.patch new file mode 100644 index 00000000000..ff0cb8ab4f9 --- /dev/null +++ b/queue-6.6/spi-microchip-core-ensure-tx-and-rx-fifos-are-empty-.patch @@ -0,0 +1,51 @@ +From 281ff93c6605b0bfd306b33efcaa45970db15bfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:13:56 +0100 +Subject: spi: microchip-core: ensure TX and RX FIFOs are empty at start of a + transfer + +From: Steve Wilkins + +[ Upstream commit 9cf71eb0faef4bff01df4264841b8465382d7927 ] + +While transmitting with rx_len == 0, the RX FIFO is not going to be +emptied in the interrupt handler. A subsequent transfer could then +read crap from the previous transfer out of the RX FIFO into the +start RX buffer. The core provides a register that will empty the RX and +TX FIFOs, so do that before each transfer. + +Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") +Signed-off-by: Steve Wilkins +Signed-off-by: Conor Dooley +Link: https://patch.msgid.link/20240715-flammable-provoke-459226d08e70@wendy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index 6f59754c33472..aa05127c8696c 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -91,6 +91,8 @@ + #define REG_CONTROL2 (0x28) + #define REG_COMMAND (0x2c) + #define COMMAND_CLRFRAMECNT BIT(4) ++#define COMMAND_TXFIFORST BIT(3) ++#define COMMAND_RXFIFORST BIT(2) + #define REG_PKTSIZE (0x30) + #define REG_CMD_SIZE (0x34) + #define REG_HWSTATUS (0x38) +@@ -493,6 +495,8 @@ static int mchp_corespi_transfer_one(struct spi_controller *host, + mchp_corespi_set_xfer_size(spi, (spi->tx_len > FIFO_DEPTH) + ? FIFO_DEPTH : spi->tx_len); + ++ mchp_corespi_write(spi, REG_COMMAND, COMMAND_RXFIFORST | COMMAND_TXFIFORST); ++ + mchp_corespi_write(spi, REG_SLAVE_SELECT, spi->pending_slave_select); + + while (spi->tx_len) +-- +2.43.0 + diff --git a/queue-6.6/spi-microchip-core-fix-init-function-not-setting-the.patch b/queue-6.6/spi-microchip-core-fix-init-function-not-setting-the.patch new file mode 100644 index 00000000000..ecf442496e9 --- /dev/null +++ b/queue-6.6/spi-microchip-core-fix-init-function-not-setting-the.patch @@ -0,0 +1,73 @@ +From 25514c19390459217196d64d00ad4ebfa42b7562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:13:55 +0100 +Subject: spi: microchip-core: fix init function not setting the master and + motorola modes + +From: Steve Wilkins + +[ Upstream commit 3a5e76283672efddf47cea39ccfe9f5735cc91d5 ] + +mchp_corespi_init() reads the CONTROL register, sets the master and +motorola bits, but doesn't write the value back to the register. The +function also doesn't ensure the controller is disabled at the start, +which may present a problem if the controller was used by an +earlier boot stage as some settings (including the mode) can only be +modified while the controller is disabled. + +Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") +Signed-off-by: Steve Wilkins +Signed-off-by: Conor Dooley +Link: https://patch.msgid.link/20240715-designing-thus-05f7c26e1da7@wendy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index 096008d006009..6f59754c33472 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -292,17 +292,13 @@ static void mchp_corespi_init(struct spi_controller *host, struct mchp_corespi * + unsigned long clk_hz; + u32 control = mchp_corespi_read(spi, REG_CONTROL); + +- control |= CONTROL_MASTER; ++ control &= ~CONTROL_ENABLE; ++ mchp_corespi_write(spi, REG_CONTROL, control); + ++ control |= CONTROL_MASTER; + control &= ~CONTROL_MODE_MASK; + control |= MOTOROLA_MODE; + +- mchp_corespi_set_framesize(spi, DEFAULT_FRAMESIZE); +- +- /* max. possible spi clock rate is the apb clock rate */ +- clk_hz = clk_get_rate(spi->clk); +- host->max_speed_hz = clk_hz; +- + /* + * The controller must be configured so that it doesn't remove Chip + * Select until the entire message has been transferred, even if at +@@ -311,11 +307,16 @@ static void mchp_corespi_init(struct spi_controller *host, struct mchp_corespi * + * BIGFIFO mode is also enabled, which sets the fifo depth to 32 frames + * for the 8 bit transfers that this driver uses. + */ +- control = mchp_corespi_read(spi, REG_CONTROL); + control |= CONTROL_SPS | CONTROL_BIGFIFO; + + mchp_corespi_write(spi, REG_CONTROL, control); + ++ mchp_corespi_set_framesize(spi, DEFAULT_FRAMESIZE); ++ ++ /* max. possible spi clock rate is the apb clock rate */ ++ clk_hz = clk_get_rate(spi->clk); ++ host->max_speed_hz = clk_hz; ++ + mchp_corespi_enable_ints(spi); + + /* +-- +2.43.0 + diff --git a/queue-6.6/spi-microchip-core-fix-the-issues-in-the-isr.patch b/queue-6.6/spi-microchip-core-fix-the-issues-in-the-isr.patch new file mode 100644 index 00000000000..dc46a18d501 --- /dev/null +++ b/queue-6.6/spi-microchip-core-fix-the-issues-in-the-isr.patch @@ -0,0 +1,83 @@ +From b153d12fe04501775840286268567ebd1af007db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:13:52 +0100 +Subject: spi: microchip-core: fix the issues in the isr + +From: Naga Sureshkumar Relli + +[ Upstream commit 502a582b8dd897d9282db47c0911d5320ef2e6b9 ] + +It is possible for the TXDONE interrupt be raised if the tx FIFO becomes +temporarily empty while transmitting, resulting in recursive calls to +mchp_corespi_write_fifo() and therefore a garbage message might be +transmitted depending on when the interrupt is triggered. Moving all of +the tx FIFO writes out of the TXDONE portion of the interrupt handler +avoids this problem. + +Most of rest of the TXDONE portion of the handler is problematic too. +Only reading the rx FIFO (and finalising the transfer) when the TXDONE +interrupt is raised can cause the transfer to stall, if the final bytes +of rx data are not available in the rx FIFO when the final TXDONE +interrupt is raised. The transfer should be finalised regardless of +which interrupt is raised, provided that all tx data has been set and +all rx data received. + +The first issue was encountered "in the wild", the second is +theoretical. + +Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") +Signed-off-by: Naga Sureshkumar Relli +Signed-off-by: Conor Dooley +Link: https://patch.msgid.link/20240715-candied-deforest-585685ef3c8a@wendy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index 6092f20f0a607..1a19701cc6118 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -380,21 +380,18 @@ static irqreturn_t mchp_corespi_interrupt(int irq, void *dev_id) + if (intfield == 0) + return IRQ_NONE; + +- if (intfield & INT_TXDONE) { ++ if (intfield & INT_TXDONE) + mchp_corespi_write(spi, REG_INT_CLEAR, INT_TXDONE); + ++ if (intfield & INT_RXRDY) { ++ mchp_corespi_write(spi, REG_INT_CLEAR, INT_RXRDY); ++ + if (spi->rx_len) + mchp_corespi_read_fifo(spi); +- +- if (spi->tx_len) +- mchp_corespi_write_fifo(spi); +- +- if (!spi->rx_len) +- finalise = true; + } + +- if (intfield & INT_RXRDY) +- mchp_corespi_write(spi, REG_INT_CLEAR, INT_RXRDY); ++ if (!spi->rx_len && !spi->tx_len) ++ finalise = true; + + if (intfield & INT_RX_CHANNEL_OVERFLOW) { + mchp_corespi_write(spi, REG_INT_CLEAR, INT_RX_CHANNEL_OVERFLOW); +@@ -479,8 +476,9 @@ static int mchp_corespi_transfer_one(struct spi_master *master, + mchp_corespi_set_xfer_size(spi, (spi->tx_len > FIFO_DEPTH) + ? FIFO_DEPTH : spi->tx_len); + +- if (spi->tx_len) ++ while (spi->tx_len) + mchp_corespi_write_fifo(spi); ++ + return 1; + } + +-- +2.43.0 + diff --git a/queue-6.6/spi-microchip-core-only-disable-spi-controller-when-.patch b/queue-6.6/spi-microchip-core-only-disable-spi-controller-when-.patch new file mode 100644 index 00000000000..5e93d84865e --- /dev/null +++ b/queue-6.6/spi-microchip-core-only-disable-spi-controller-when-.patch @@ -0,0 +1,210 @@ +From 7f66fc5b6e6bf2fbea5f4f8f50f34af2144d5935 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 12:13:54 +0100 +Subject: spi: microchip-core: only disable SPI controller when register value + change requires it + +From: Steve Wilkins + +[ Upstream commit de9850b5c606b754dd7861678d6e2874b96b04f8 ] + +Setting up many of the registers for a new SPI transfer involves +unconditionally disabling the SPI controller, writing the register +value and re-enabling the controller. This is being done for registers +even when the value is unchanged and is also done for registers that +don't require the controller to be disabled for the change to take +effect. Make an effort to detect changes to the register values, and +only disables the controller if the new register value is different +and disabling the controller is required. This stops the controller +being repeated disabled and the bus going tristate before every +transfer. + +Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") +Signed-off-by: Steve Wilkins +Co-developed-by: Conor Dooley +Signed-off-by: Conor Dooley +Link: https://patch.msgid.link/20240715-depict-twirl-7e592eeabaad@wendy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 79 +++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 38 deletions(-) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index b49843f0c2e8e..cd624872dafb8 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -75,6 +75,7 @@ + + #define REG_CONTROL (0x00) + #define REG_FRAME_SIZE (0x04) ++#define FRAME_SIZE_MASK GENMASK(5, 0) + #define REG_STATUS (0x08) + #define REG_INT_CLEAR (0x0c) + #define REG_RX_DATA (0x10) +@@ -89,6 +90,7 @@ + #define REG_RIS (0x24) + #define REG_CONTROL2 (0x28) + #define REG_COMMAND (0x2c) ++#define COMMAND_CLRFRAMECNT BIT(4) + #define REG_PKTSIZE (0x30) + #define REG_CMD_SIZE (0x34) + #define REG_HWSTATUS (0x38) +@@ -149,62 +151,59 @@ static inline void mchp_corespi_read_fifo(struct mchp_corespi *spi) + + static void mchp_corespi_enable_ints(struct mchp_corespi *spi) + { +- u32 control, mask = INT_ENABLE_MASK; +- +- mchp_corespi_disable(spi); +- +- control = mchp_corespi_read(spi, REG_CONTROL); +- +- control |= mask; +- mchp_corespi_write(spi, REG_CONTROL, control); ++ u32 control = mchp_corespi_read(spi, REG_CONTROL); + +- control |= CONTROL_ENABLE; ++ control |= INT_ENABLE_MASK; + mchp_corespi_write(spi, REG_CONTROL, control); + } + + static void mchp_corespi_disable_ints(struct mchp_corespi *spi) + { +- u32 control, mask = INT_ENABLE_MASK; +- +- mchp_corespi_disable(spi); +- +- control = mchp_corespi_read(spi, REG_CONTROL); +- control &= ~mask; +- mchp_corespi_write(spi, REG_CONTROL, control); ++ u32 control = mchp_corespi_read(spi, REG_CONTROL); + +- control |= CONTROL_ENABLE; ++ control &= ~INT_ENABLE_MASK; + mchp_corespi_write(spi, REG_CONTROL, control); + } + + static inline void mchp_corespi_set_xfer_size(struct mchp_corespi *spi, int len) + { + u32 control; +- u16 lenpart; ++ u32 lenpart; ++ u32 frames = mchp_corespi_read(spi, REG_FRAMESUP); + + /* +- * Disable the SPI controller. Writes to transfer length have +- * no effect when the controller is enabled. ++ * Writing to FRAMECNT in REG_CONTROL will reset the frame count, taking ++ * a shortcut requires an explicit clear. + */ +- mchp_corespi_disable(spi); ++ if (frames == len) { ++ mchp_corespi_write(spi, REG_COMMAND, COMMAND_CLRFRAMECNT); ++ return; ++ } + + /* + * The lower 16 bits of the frame count are stored in the control reg + * for legacy reasons, but the upper 16 written to a different register: + * FRAMESUP. While both the upper and lower bits can be *READ* from the +- * FRAMESUP register, writing to the lower 16 bits is a NOP ++ * FRAMESUP register, writing to the lower 16 bits is (supposedly) a NOP. ++ * ++ * The driver used to disable the controller while modifying the frame ++ * count, and mask off the lower 16 bits of len while writing to ++ * FRAMES_UP. When the driver was changed to disable the controller as ++ * infrequently as possible, it was discovered that the logic of ++ * lenpart = len & 0xffff_0000 ++ * write(REG_FRAMESUP, lenpart) ++ * would actually write zeros into the lower 16 bits on an mpfs250t-es, ++ * despite documentation stating these bits were read-only. ++ * Writing len unmasked into FRAMES_UP ensures those bits aren't zeroed ++ * on an mpfs250t-es and will be a NOP for the lower 16 bits on hardware ++ * that matches the documentation. + */ + lenpart = len & 0xffff; +- + control = mchp_corespi_read(spi, REG_CONTROL); + control &= ~CONTROL_FRAMECNT_MASK; + control |= lenpart << CONTROL_FRAMECNT_SHIFT; + mchp_corespi_write(spi, REG_CONTROL, control); +- +- lenpart = len & 0xffff0000; +- mchp_corespi_write(spi, REG_FRAMESUP, lenpart); +- +- control |= CONTROL_ENABLE; +- mchp_corespi_write(spi, REG_CONTROL, control); ++ mchp_corespi_write(spi, REG_FRAMESUP, len); + } + + static inline void mchp_corespi_write_fifo(struct mchp_corespi *spi) +@@ -227,17 +226,22 @@ static inline void mchp_corespi_write_fifo(struct mchp_corespi *spi) + + static inline void mchp_corespi_set_framesize(struct mchp_corespi *spi, int bt) + { ++ u32 frame_size = mchp_corespi_read(spi, REG_FRAME_SIZE); + u32 control; + ++ if ((frame_size & FRAME_SIZE_MASK) == bt) ++ return; ++ + /* + * Disable the SPI controller. Writes to the frame size have + * no effect when the controller is enabled. + */ +- mchp_corespi_disable(spi); ++ control = mchp_corespi_read(spi, REG_CONTROL); ++ control &= ~CONTROL_ENABLE; ++ mchp_corespi_write(spi, REG_CONTROL, control); + + mchp_corespi_write(spi, REG_FRAME_SIZE, bt); + +- control = mchp_corespi_read(spi, REG_CONTROL); + control |= CONTROL_ENABLE; + mchp_corespi_write(spi, REG_CONTROL, control); + } +@@ -334,8 +338,6 @@ static inline void mchp_corespi_set_clk_gen(struct mchp_corespi *spi) + { + u32 control; + +- mchp_corespi_disable(spi); +- + control = mchp_corespi_read(spi, REG_CONTROL); + if (spi->clk_mode) + control |= CONTROL_CLKMODE; +@@ -344,12 +346,12 @@ static inline void mchp_corespi_set_clk_gen(struct mchp_corespi *spi) + + mchp_corespi_write(spi, REG_CLK_GEN, spi->clk_gen); + mchp_corespi_write(spi, REG_CONTROL, control); +- mchp_corespi_write(spi, REG_CONTROL, control | CONTROL_ENABLE); + } + + static inline void mchp_corespi_set_mode(struct mchp_corespi *spi, unsigned int mode) + { +- u32 control, mode_val; ++ u32 mode_val; ++ u32 control = mchp_corespi_read(spi, REG_CONTROL); + + switch (mode & SPI_MODE_X_MASK) { + case SPI_MODE_0: +@@ -367,12 +369,13 @@ static inline void mchp_corespi_set_mode(struct mchp_corespi *spi, unsigned int + } + + /* +- * Disable the SPI controller. Writes to the frame size have ++ * Disable the SPI controller. Writes to the frame protocol have + * no effect when the controller is enabled. + */ +- mchp_corespi_disable(spi); + +- control = mchp_corespi_read(spi, REG_CONTROL); ++ control &= ~CONTROL_ENABLE; ++ mchp_corespi_write(spi, REG_CONTROL, control); ++ + control &= ~(SPI_MODE_X_MASK << MODE_X_MASK_SHIFT); + control |= mode_val; + +-- +2.43.0 + diff --git a/queue-6.6/spi-microchip-core-switch-to-use-modern-name.patch b/queue-6.6/spi-microchip-core-switch-to-use-modern-name.patch new file mode 100644 index 00000000000..7887c5ebb27 --- /dev/null +++ b/queue-6.6/spi-microchip-core-switch-to-use-modern-name.patch @@ -0,0 +1,237 @@ +From 0af3cadcb2e243196154d0ec680e299a69818d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 11:29:48 +0800 +Subject: spi: microchip-core: switch to use modern name + +From: Yang Yingliang + +[ Upstream commit 8f8bf52ed5b76fc7958b0fbe3131540aecdff8ac ] + +Change legacy name master/slave to modern name host/target or controller. + +No functional changed. + +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20230823033003.3407403-7-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Stable-dep-of: 3a5e76283672 ("spi: microchip-core: fix init function not setting the master and motorola modes") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-microchip-core.c | 74 ++++++++++++++++---------------- + 1 file changed, 37 insertions(+), 37 deletions(-) + +diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c +index cd624872dafb8..096008d006009 100644 +--- a/drivers/spi/spi-microchip-core.c ++++ b/drivers/spi/spi-microchip-core.c +@@ -249,7 +249,7 @@ static inline void mchp_corespi_set_framesize(struct mchp_corespi *spi, int bt) + static void mchp_corespi_set_cs(struct spi_device *spi, bool disable) + { + u32 reg; +- struct mchp_corespi *corespi = spi_master_get_devdata(spi->master); ++ struct mchp_corespi *corespi = spi_controller_get_devdata(spi->controller); + + reg = mchp_corespi_read(corespi, REG_SLAVE_SELECT); + reg &= ~BIT(spi_get_chipselect(spi, 0)); +@@ -270,11 +270,11 @@ static void mchp_corespi_set_cs(struct spi_device *spi, bool disable) + + static int mchp_corespi_setup(struct spi_device *spi) + { +- struct mchp_corespi *corespi = spi_master_get_devdata(spi->master); ++ struct mchp_corespi *corespi = spi_controller_get_devdata(spi->controller); + u32 reg; + + /* +- * Active high slaves need to be specifically set to their inactive ++ * Active high targets need to be specifically set to their inactive + * states during probe by adding them to the "control group" & thus + * driving their select line low. + */ +@@ -287,7 +287,7 @@ static int mchp_corespi_setup(struct spi_device *spi) + return 0; + } + +-static void mchp_corespi_init(struct spi_master *master, struct mchp_corespi *spi) ++static void mchp_corespi_init(struct spi_controller *host, struct mchp_corespi *spi) + { + unsigned long clk_hz; + u32 control = mchp_corespi_read(spi, REG_CONTROL); +@@ -301,7 +301,7 @@ static void mchp_corespi_init(struct spi_master *master, struct mchp_corespi *sp + + /* max. possible spi clock rate is the apb clock rate */ + clk_hz = clk_get_rate(spi->clk); +- master->max_speed_hz = clk_hz; ++ host->max_speed_hz = clk_hz; + + /* + * The controller must be configured so that it doesn't remove Chip +@@ -321,7 +321,7 @@ static void mchp_corespi_init(struct spi_master *master, struct mchp_corespi *sp + /* + * It is required to enable direct mode, otherwise control over the chip + * select is relinquished to the hardware. SSELOUT is enabled too so we +- * can deal with active high slaves. ++ * can deal with active high targets. + */ + spi->pending_slave_select = SSELOUT | SSEL_DIRECT; + mchp_corespi_write(spi, REG_SLAVE_SELECT, spi->pending_slave_select); +@@ -387,8 +387,8 @@ static inline void mchp_corespi_set_mode(struct mchp_corespi *spi, unsigned int + + static irqreturn_t mchp_corespi_interrupt(int irq, void *dev_id) + { +- struct spi_master *master = dev_id; +- struct mchp_corespi *spi = spi_master_get_devdata(master); ++ struct spi_controller *host = dev_id; ++ struct mchp_corespi *spi = spi_controller_get_devdata(host); + u32 intfield = mchp_corespi_read(spi, REG_MIS) & 0xf; + bool finalise = false; + +@@ -412,7 +412,7 @@ static irqreturn_t mchp_corespi_interrupt(int irq, void *dev_id) + if (intfield & INT_RX_CHANNEL_OVERFLOW) { + mchp_corespi_write(spi, REG_INT_CLEAR, INT_RX_CHANNEL_OVERFLOW); + finalise = true; +- dev_err(&master->dev, ++ dev_err(&host->dev, + "%s: RX OVERFLOW: rxlen: %d, txlen: %d\n", __func__, + spi->rx_len, spi->tx_len); + } +@@ -420,13 +420,13 @@ static irqreturn_t mchp_corespi_interrupt(int irq, void *dev_id) + if (intfield & INT_TX_CHANNEL_UNDERRUN) { + mchp_corespi_write(spi, REG_INT_CLEAR, INT_TX_CHANNEL_UNDERRUN); + finalise = true; +- dev_err(&master->dev, ++ dev_err(&host->dev, + "%s: TX UNDERFLOW: rxlen: %d, txlen: %d\n", __func__, + spi->rx_len, spi->tx_len); + } + + if (finalise) +- spi_finalize_current_transfer(master); ++ spi_finalize_current_transfer(host); + + return IRQ_HANDLED; + } +@@ -468,16 +468,16 @@ static int mchp_corespi_calculate_clkgen(struct mchp_corespi *spi, + return 0; + } + +-static int mchp_corespi_transfer_one(struct spi_master *master, ++static int mchp_corespi_transfer_one(struct spi_controller *host, + struct spi_device *spi_dev, + struct spi_transfer *xfer) + { +- struct mchp_corespi *spi = spi_master_get_devdata(master); ++ struct mchp_corespi *spi = spi_controller_get_devdata(host); + int ret; + + ret = mchp_corespi_calculate_clkgen(spi, (unsigned long)xfer->speed_hz); + if (ret) { +- dev_err(&master->dev, "failed to set clk_gen for target %u Hz\n", xfer->speed_hz); ++ dev_err(&host->dev, "failed to set clk_gen for target %u Hz\n", xfer->speed_hz); + return ret; + } + +@@ -500,11 +500,11 @@ static int mchp_corespi_transfer_one(struct spi_master *master, + return 1; + } + +-static int mchp_corespi_prepare_message(struct spi_master *master, ++static int mchp_corespi_prepare_message(struct spi_controller *host, + struct spi_message *msg) + { + struct spi_device *spi_dev = msg->spi; +- struct mchp_corespi *spi = spi_master_get_devdata(master); ++ struct mchp_corespi *spi = spi_controller_get_devdata(host); + + mchp_corespi_set_framesize(spi, DEFAULT_FRAMESIZE); + mchp_corespi_set_mode(spi, spi_dev->mode); +@@ -514,32 +514,32 @@ static int mchp_corespi_prepare_message(struct spi_master *master, + + static int mchp_corespi_probe(struct platform_device *pdev) + { +- struct spi_master *master; ++ struct spi_controller *host; + struct mchp_corespi *spi; + struct resource *res; + u32 num_cs; + int ret = 0; + +- master = devm_spi_alloc_master(&pdev->dev, sizeof(*spi)); +- if (!master) ++ host = devm_spi_alloc_host(&pdev->dev, sizeof(*spi)); ++ if (!host) + return dev_err_probe(&pdev->dev, -ENOMEM, +- "unable to allocate master for SPI controller\n"); ++ "unable to allocate host for SPI controller\n"); + +- platform_set_drvdata(pdev, master); ++ platform_set_drvdata(pdev, host); + + if (of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs)) + num_cs = MAX_CS; + +- master->num_chipselect = num_cs; +- master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH; +- master->setup = mchp_corespi_setup; +- master->bits_per_word_mask = SPI_BPW_MASK(8); +- master->transfer_one = mchp_corespi_transfer_one; +- master->prepare_message = mchp_corespi_prepare_message; +- master->set_cs = mchp_corespi_set_cs; +- master->dev.of_node = pdev->dev.of_node; ++ host->num_chipselect = num_cs; ++ host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH; ++ host->setup = mchp_corespi_setup; ++ host->bits_per_word_mask = SPI_BPW_MASK(8); ++ host->transfer_one = mchp_corespi_transfer_one; ++ host->prepare_message = mchp_corespi_prepare_message; ++ host->set_cs = mchp_corespi_set_cs; ++ host->dev.of_node = pdev->dev.of_node; + +- spi = spi_master_get_devdata(master); ++ spi = spi_controller_get_devdata(host); + + spi->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(spi->regs)) +@@ -550,7 +550,7 @@ static int mchp_corespi_probe(struct platform_device *pdev) + return spi->irq; + + ret = devm_request_irq(&pdev->dev, spi->irq, mchp_corespi_interrupt, +- IRQF_SHARED, dev_name(&pdev->dev), master); ++ IRQF_SHARED, dev_name(&pdev->dev), host); + if (ret) + return dev_err_probe(&pdev->dev, ret, + "could not request irq\n"); +@@ -565,25 +565,25 @@ static int mchp_corespi_probe(struct platform_device *pdev) + return dev_err_probe(&pdev->dev, ret, + "failed to enable clock\n"); + +- mchp_corespi_init(master, spi); ++ mchp_corespi_init(host, spi); + +- ret = devm_spi_register_master(&pdev->dev, master); ++ ret = devm_spi_register_controller(&pdev->dev, host); + if (ret) { + mchp_corespi_disable(spi); + clk_disable_unprepare(spi->clk); + return dev_err_probe(&pdev->dev, ret, +- "unable to register master for SPI controller\n"); ++ "unable to register host for SPI controller\n"); + } + +- dev_info(&pdev->dev, "Registered SPI controller %d\n", master->bus_num); ++ dev_info(&pdev->dev, "Registered SPI controller %d\n", host->bus_num); + + return 0; + } + + static void mchp_corespi_remove(struct platform_device *pdev) + { +- struct spi_master *master = platform_get_drvdata(pdev); +- struct mchp_corespi *spi = spi_master_get_devdata(master); ++ struct spi_controller *host = platform_get_drvdata(pdev); ++ struct mchp_corespi *spi = spi_controller_get_devdata(host); + + mchp_corespi_disable_ints(spi); + clk_disable_unprepare(spi->clk); +-- +2.43.0 + diff --git a/queue-6.6/spi-spidev-add-correct-compatible-for-rohm-bh2228fv.patch b/queue-6.6/spi-spidev-add-correct-compatible-for-rohm-bh2228fv.patch new file mode 100644 index 00000000000..67923b0c055 --- /dev/null +++ b/queue-6.6/spi-spidev-add-correct-compatible-for-rohm-bh2228fv.patch @@ -0,0 +1,41 @@ +From b94568a604f7786581bace013609bcae372f257c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 10:59:49 +0100 +Subject: spi: spidev: add correct compatible for Rohm BH2228FV + +From: Conor Dooley + +[ Upstream commit fc28d1c1fe3b3e2fbc50834c8f73dda72f6af9fc ] + +When Maxime originally added the BH2228FV to the spidev driver, he spelt +it incorrectly - the d should have been a b. Add the correctly spelt +compatible to the driver. Although the majority of users of this +compatible are abusers, there is at least one board that validly uses +the incorrect spelt compatible, so keep it in the driver to avoid +breaking the few real users it has. + +Fixes: 8fad805bdc52 ("spi: spidev: Add Rohm DH2228FV DAC compatible string") +Signed-off-by: Conor Dooley +Acked-by: Maxime Ripard +Link: https://patch.msgid.link/20240717-ventricle-strewn-a7678c509e85@spud +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index d13dc15cc1919..1a8dd10012448 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -738,6 +738,7 @@ static const struct of_device_id spidev_dt_ids[] = { + { .compatible = "lwn,bk4", .data = &spidev_of_check }, + { .compatible = "menlo,m53cpld", .data = &spidev_of_check }, + { .compatible = "micron,spi-authenta", .data = &spidev_of_check }, ++ { .compatible = "rohm,bh2228fv", .data = &spidev_of_check }, + { .compatible = "rohm,dh2228fv", .data = &spidev_of_check }, + { .compatible = "semtech,sx1301", .data = &spidev_of_check }, + { .compatible = "silabs,em3581", .data = &spidev_of_check }, +-- +2.43.0 + diff --git a/queue-6.6/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch b/queue-6.6/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch new file mode 100644 index 00000000000..0b231b025d1 --- /dev/null +++ b/queue-6.6/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch @@ -0,0 +1,43 @@ +From bc3e4619e75308be2a8a662c7772a008900c4082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jul 2024 11:09:05 +0900 +Subject: tipc: Return non-zero value from tipc_udp_addr2str() on error + +From: Shigeru Yoshida + +[ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ] + +tipc_udp_addr2str() should return non-zero value if the UDP media +address is invalid. Otherwise, a buffer overflow access can occur in +tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP +media address. + +Fixes: d0f91938bede ("tipc: add ip/udp media type") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Tung Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/udp_media.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index f892b0903dbaf..cdc8378261ec3 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -135,8 +135,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size) + snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port)); + else if (ntohs(ua->proto) == ETH_P_IPV6) + snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port)); +- else ++ else { + pr_err("Invalid UDP media address\n"); ++ return 1; ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.6/tools-resolve_btfids-fix-comparison-of-distinct-poin.patch b/queue-6.6/tools-resolve_btfids-fix-comparison-of-distinct-poin.patch new file mode 100644 index 00000000000..b29209db12d --- /dev/null +++ b/queue-6.6/tools-resolve_btfids-fix-comparison-of-distinct-poin.patch @@ -0,0 +1,43 @@ +From daff559d5403b4fc59cc155156a4f6da07320624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 16:32:59 +0800 +Subject: tools/resolve_btfids: Fix comparison of distinct pointer types + warning in resolve_btfids + +From: Liwei Song + +[ Upstream commit 13c9b702e6cb8e406d5fa6b2dca422fa42d2f13e ] + +Add a type cast for set8->pairs to fix below compile warning: + +main.c: In function 'sets_patch': +main.c:699:50: warning: comparison of distinct pointer types lacks a cast + 699 | BUILD_BUG_ON(set8->pairs != &set8->pairs[0].id); + | ^~ + +Fixes: 9707ac4fe2f5 ("tools/resolve_btfids: Refactor set sorting with types from btf_ids.h") +Signed-off-by: Liwei Song +Signed-off-by: Daniel Borkmann +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20240722083305.4009723-1-liwei.song.lsong@gmail.com +Signed-off-by: Sasha Levin +--- + tools/bpf/resolve_btfids/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/resolve_btfids/main.c b/tools/bpf/resolve_btfids/main.c +index af393c7dee1f1..b3edc239fe562 100644 +--- a/tools/bpf/resolve_btfids/main.c ++++ b/tools/bpf/resolve_btfids/main.c +@@ -696,7 +696,7 @@ static int sets_patch(struct object *obj) + * Make sure id is at the beginning of the pairs + * struct, otherwise the below qsort would not work. + */ +- BUILD_BUG_ON(set8->pairs != &set8->pairs[0].id); ++ BUILD_BUG_ON((u32 *)set8->pairs != &set8->pairs[0].id); + qsort(set8->pairs, set8->cnt, sizeof(set8->pairs[0]), cmp_id); + + /* +-- +2.43.0 + diff --git a/queue-6.6/um-time-travel-fix-signal-blocking-race-hang.patch b/queue-6.6/um-time-travel-fix-signal-blocking-race-hang.patch new file mode 100644 index 00000000000..149ce65eac0 --- /dev/null +++ b/queue-6.6/um-time-travel-fix-signal-blocking-race-hang.patch @@ -0,0 +1,254 @@ +From 6c6dd0939ef1ed37e00483f1a1938505462fb679 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 13:01:45 +0200 +Subject: um: time-travel: fix signal blocking race/hang + +From: Johannes Berg + +[ Upstream commit 2cf3a3c4b84def5406b830452b1cb8bbfffe0ebe ] + +When signals are hard-blocked in order to do time-travel +socket processing, we set signals_blocked and then handle +SIGIO signals by setting the SIGIO bit in signals_pending. +When unblocking, we first set signals_blocked to 0, and +then handle all pending signals. We have to set it first, +so that we can again properly block/unblock inside the +unblock, if the time-travel handlers need to be processed. + +Unfortunately, this is racy. We can get into this situation: + +// signals_pending = SIGIO_MASK + +unblock_signals_hard() + signals_blocked = 0; + if (signals_pending && signals_enabled) { + block_signals(); + unblock_signals() + ... + sig_handler_common(SIGIO, NULL, NULL); + sigio_handler() + ... + sigio_reg_handler() + irq_do_timetravel_handler() + reg->timetravel_handler() == + vu_req_interrupt_comm_handler() + vu_req_read_message() + vhost_user_recv_req() + vhost_user_recv() + vhost_user_recv_header() + // reads 12 bytes header of + // 20 bytes message +<-- receive SIGIO here <-- +sig_handler() + int enabled = signals_enabled; // 1 + if ((signals_blocked || !enabled) && (sig == SIGIO)) { + if (!signals_blocked && time_travel_mode == TT_MODE_EXTERNAL) + sigio_run_timetravel_handlers() + _sigio_handler() + sigio_reg_handler() + ... as above ... + vhost_user_recv_header() + // reads 8 bytes that were message payload + // as if it were header - but aborts since + // it then gets -EAGAIN +... +--> end signal handler --> + // continue in vhost_user_recv() + // full_read() for 8 bytes payload busy loops + // entire process hangs here + +Conceptually, to fix this, we need to ensure that the +signal handler cannot run while we hard-unblock signals. +The thing that makes this more complex is that we can be +doing hard-block/unblock while unblocking. Introduce a +new signals_blocked_pending variable that we can keep at +non-zero as long as pending signals are being processed, +then we only need to ensure it's decremented safely and +the signal handler will only increment it if it's already +non-zero (or signals_blocked is set, of course.) + +Note also that only the outermost call to hard-unblock is +allowed to decrement signals_blocked_pending, since it +could otherwise reach zero in an inner call, and leave +the same race happening if the timetravel_handler loops, +but that's basically required of it. + +Fixes: d6b399a0e02a ("um: time-travel/signals: fix ndelay() in interrupt") +Link: https://patch.msgid.link/20240703110144.28034-2-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/os-Linux/signal.c | 118 +++++++++++++++++++++++++++++++------- + 1 file changed, 98 insertions(+), 20 deletions(-) + +diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c +index 24a403a70a020..850d21e6473ee 100644 +--- a/arch/um/os-Linux/signal.c ++++ b/arch/um/os-Linux/signal.c +@@ -8,6 +8,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -65,9 +66,7 @@ static void sig_handler_common(int sig, struct siginfo *si, mcontext_t *mc) + + int signals_enabled; + #ifdef UML_CONFIG_UML_TIME_TRAVEL_SUPPORT +-static int signals_blocked; +-#else +-#define signals_blocked 0 ++static int signals_blocked, signals_blocked_pending; + #endif + static unsigned int signals_pending; + static unsigned int signals_active = 0; +@@ -76,14 +75,27 @@ void sig_handler(int sig, struct siginfo *si, mcontext_t *mc) + { + int enabled = signals_enabled; + +- if ((signals_blocked || !enabled) && (sig == SIGIO)) { ++#ifdef UML_CONFIG_UML_TIME_TRAVEL_SUPPORT ++ if ((signals_blocked || ++ __atomic_load_n(&signals_blocked_pending, __ATOMIC_SEQ_CST)) && ++ (sig == SIGIO)) { ++ /* increment so unblock will do another round */ ++ __atomic_add_fetch(&signals_blocked_pending, 1, ++ __ATOMIC_SEQ_CST); ++ return; ++ } ++#endif ++ ++ if (!enabled && (sig == SIGIO)) { + /* + * In TT_MODE_EXTERNAL, need to still call time-travel +- * handlers unless signals are also blocked for the +- * external time message processing. This will mark +- * signals_pending by itself (only if necessary.) ++ * handlers. This will mark signals_pending by itself ++ * (only if necessary.) ++ * Note we won't get here if signals are hard-blocked ++ * (which is handled above), in that case the hard- ++ * unblock will handle things. + */ +- if (!signals_blocked && time_travel_mode == TT_MODE_EXTERNAL) ++ if (time_travel_mode == TT_MODE_EXTERNAL) + sigio_run_timetravel_handlers(); + else + signals_pending |= SIGIO_MASK; +@@ -380,33 +392,99 @@ int um_set_signals_trace(int enable) + #ifdef UML_CONFIG_UML_TIME_TRAVEL_SUPPORT + void mark_sigio_pending(void) + { ++ /* ++ * It would seem that this should be atomic so ++ * it isn't a read-modify-write with a signal ++ * that could happen in the middle, losing the ++ * value set by the signal. ++ * ++ * However, this function is only called when in ++ * time-travel=ext simulation mode, in which case ++ * the only signal ever pending is SIGIO, which ++ * is blocked while this can be called, and the ++ * timer signal (SIGALRM) cannot happen. ++ */ + signals_pending |= SIGIO_MASK; + } + + void block_signals_hard(void) + { +- if (signals_blocked) +- return; +- signals_blocked = 1; ++ signals_blocked++; + barrier(); + } + + void unblock_signals_hard(void) + { ++ static bool unblocking; ++ + if (!signals_blocked) ++ panic("unblocking signals while not blocked"); ++ ++ if (--signals_blocked) + return; +- /* Must be set to 0 before we check the pending bits etc. */ +- signals_blocked = 0; ++ /* ++ * Must be set to 0 before we check pending so the ++ * SIGIO handler will run as normal unless we're still ++ * going to process signals_blocked_pending. ++ */ + barrier(); + +- if (signals_pending && signals_enabled) { +- /* this is a bit inefficient, but that's not really important */ +- block_signals(); +- unblock_signals(); +- } else if (signals_pending & SIGIO_MASK) { +- /* we need to run time-travel handlers even if not enabled */ +- sigio_run_timetravel_handlers(); ++ /* ++ * Note that block_signals_hard()/unblock_signals_hard() can be called ++ * within the unblock_signals()/sigio_run_timetravel_handlers() below. ++ * This would still be prone to race conditions since it's actually a ++ * call _within_ e.g. vu_req_read_message(), where we observed this ++ * issue, which loops. Thus, if the inner call handles the recorded ++ * pending signals, we can get out of the inner call with the real ++ * signal hander no longer blocked, and still have a race. Thus don't ++ * handle unblocking in the inner call, if it happens, but only in ++ * the outermost call - 'unblocking' serves as an ownership for the ++ * signals_blocked_pending decrement. ++ */ ++ if (unblocking) ++ return; ++ unblocking = true; ++ ++ while (__atomic_load_n(&signals_blocked_pending, __ATOMIC_SEQ_CST)) { ++ if (signals_enabled) { ++ /* signals are enabled so we can touch this */ ++ signals_pending |= SIGIO_MASK; ++ /* ++ * this is a bit inefficient, but that's ++ * not really important ++ */ ++ block_signals(); ++ unblock_signals(); ++ } else { ++ /* ++ * we need to run time-travel handlers even ++ * if not enabled ++ */ ++ sigio_run_timetravel_handlers(); ++ } ++ ++ /* ++ * The decrement of signals_blocked_pending must be atomic so ++ * that the signal handler will either happen before or after ++ * the decrement, not during a read-modify-write: ++ * - If it happens before, it can increment it and we'll ++ * decrement it and do another round in the loop. ++ * - If it happens after it'll see 0 for both signals_blocked ++ * and signals_blocked_pending and thus run the handler as ++ * usual (subject to signals_enabled, but that's unrelated.) ++ * ++ * Note that a call to unblock_signals_hard() within the calls ++ * to unblock_signals() or sigio_run_timetravel_handlers() above ++ * will do nothing due to the 'unblocking' state, so this cannot ++ * underflow as the only one decrementing will be the outermost ++ * one. ++ */ ++ if (__atomic_sub_fetch(&signals_blocked_pending, 1, ++ __ATOMIC_SEQ_CST) < 0) ++ panic("signals_blocked_pending underflow"); + } ++ ++ unblocking = false; + } + #endif + +-- +2.43.0 + diff --git a/queue-6.6/um-time-travel-fix-time-travel-start-option.patch b/queue-6.6/um-time-travel-fix-time-travel-start-option.patch new file mode 100644 index 00000000000..623b8600fc4 --- /dev/null +++ b/queue-6.6/um-time-travel-fix-time-travel-start-option.patch @@ -0,0 +1,40 @@ +From 0105eb1ec315be8fc6bac3056ec92e3fd7629b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 10:27:45 +0200 +Subject: um: time-travel: fix time-travel-start option + +From: Johannes Berg + +[ Upstream commit 7d0a8a490aa3a2a82de8826aaf1dfa38575cb77a ] + +We need to have the = as part of the option so that the +value can be parsed properly. Also document that it must +be given in nanoseconds, not seconds. + +Fixes: 065038706f77 ("um: Support time travel mode") +Link: https://patch.msgid.link/20240417102744.14b9a9d4eba0.Ib22e9136513126b2099d932650f55f193120cd97@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/kernel/time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c +index 3e270da6b6f67..c8c4ef94c753f 100644 +--- a/arch/um/kernel/time.c ++++ b/arch/um/kernel/time.c +@@ -874,9 +874,9 @@ int setup_time_travel_start(char *str) + return 1; + } + +-__setup("time-travel-start", setup_time_travel_start); ++__setup("time-travel-start=", setup_time_travel_start); + __uml_help(setup_time_travel_start, +-"time-travel-start=\n" ++"time-travel-start=\n" + "Configure the UML instance's wall clock to start at this value rather than\n" + "the host's wall clock at the time of UML boot.\n"); + #endif +-- +2.43.0 + diff --git a/queue-6.6/watchdog-rzg2l_wdt-check-return-status-of-pm_runtime.patch b/queue-6.6/watchdog-rzg2l_wdt-check-return-status-of-pm_runtime.patch new file mode 100644 index 00000000000..79f66206beb --- /dev/null +++ b/queue-6.6/watchdog-rzg2l_wdt-check-return-status-of-pm_runtime.patch @@ -0,0 +1,59 @@ +From 9794d9487b4b84550b72d8faa81ad680496583a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 09:57:18 +0300 +Subject: watchdog: rzg2l_wdt: Check return status of pm_runtime_put() + +From: Claudiu Beznea + +[ Upstream commit 471e45a33302852bf79bc140fe418782f50734f6 ] + +pm_runtime_put() may return an error code. Check its return status. + +Along with it the rzg2l_wdt_set_timeout() function was updated to +propagate the result of rzg2l_wdt_stop() to its caller. + +Fixes: 2cbc5cd0b55f ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Claudiu Beznea +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240531065723.1085423-5-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index d87d4f50180c5..7bce093316c4d 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -144,9 +144,13 @@ static int rzg2l_wdt_start(struct watchdog_device *wdev) + static int rzg2l_wdt_stop(struct watchdog_device *wdev) + { + struct rzg2l_wdt_priv *priv = watchdog_get_drvdata(wdev); ++ int ret; + + rzg2l_wdt_reset(priv); +- pm_runtime_put(wdev->parent); ++ ++ ret = pm_runtime_put(wdev->parent); ++ if (ret < 0) ++ return ret; + + return 0; + } +@@ -163,7 +167,10 @@ static int rzg2l_wdt_set_timeout(struct watchdog_device *wdev, unsigned int time + * to reset the module) so that it is updated with new timeout values. + */ + if (watchdog_active(wdev)) { +- rzg2l_wdt_stop(wdev); ++ ret = rzg2l_wdt_stop(wdev); ++ if (ret) ++ return ret; ++ + ret = rzg2l_wdt_start(wdev); + } + +-- +2.43.0 + diff --git a/queue-6.6/watchdog-rzg2l_wdt-use-pm_runtime_resume_and_get.patch b/queue-6.6/watchdog-rzg2l_wdt-use-pm_runtime_resume_and_get.patch new file mode 100644 index 00000000000..f616e4d5152 --- /dev/null +++ b/queue-6.6/watchdog-rzg2l_wdt-use-pm_runtime_resume_and_get.patch @@ -0,0 +1,69 @@ +From 53ac471522342dc0e4b557e4f0c0a4d5288e6536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 09:57:17 +0300 +Subject: watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get() + +From: Claudiu Beznea + +[ Upstream commit f0ba0fcdd19943809b1a7f760f77f6673c6aa7f7 ] + +pm_runtime_get_sync() may return with error. In case it returns with error +dev->power.usage_count needs to be decremented. pm_runtime_resume_and_get() +takes care of this. Thus use it. + +Along with it the rzg2l_wdt_set_timeout() function was updated to +propagate the result of rzg2l_wdt_start() to its caller. + +Fixes: 2cbc5cd0b55f ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Claudiu Beznea +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240531065723.1085423-4-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index 1741f98ca67c5..d87d4f50180c5 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -123,8 +123,11 @@ static void rzg2l_wdt_init_timeout(struct watchdog_device *wdev) + static int rzg2l_wdt_start(struct watchdog_device *wdev) + { + struct rzg2l_wdt_priv *priv = watchdog_get_drvdata(wdev); ++ int ret; + +- pm_runtime_get_sync(wdev->parent); ++ ret = pm_runtime_resume_and_get(wdev->parent); ++ if (ret) ++ return ret; + + /* Initialize time out */ + rzg2l_wdt_init_timeout(wdev); +@@ -150,6 +153,8 @@ static int rzg2l_wdt_stop(struct watchdog_device *wdev) + + static int rzg2l_wdt_set_timeout(struct watchdog_device *wdev, unsigned int timeout) + { ++ int ret = 0; ++ + wdev->timeout = timeout; + + /* +@@ -159,10 +164,10 @@ static int rzg2l_wdt_set_timeout(struct watchdog_device *wdev, unsigned int time + */ + if (watchdog_active(wdev)) { + rzg2l_wdt_stop(wdev); +- rzg2l_wdt_start(wdev); ++ ret = rzg2l_wdt_start(wdev); + } + +- return 0; ++ return ret; + } + + static int rzg2l_wdt_restart(struct watchdog_device *wdev, +-- +2.43.0 +