From: Sasha Levin Date: Sun, 11 Aug 2024 12:55:09 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.1.105~120 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b1e8d7b75dcf2f9b38d40882e22ecae4866f4ce3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/acpi-battery-create-alarm-sysfs-attribute-atomically.patch b/queue-6.6/acpi-battery-create-alarm-sysfs-attribute-atomically.patch new file mode 100644 index 00000000000..c639a423a9d --- /dev/null +++ b/queue-6.6/acpi-battery-create-alarm-sysfs-attribute-atomically.patch @@ -0,0 +1,79 @@ +From fbe7bc95cea484433147056e49689678278de125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jun 2024 09:27:16 +0200 +Subject: ACPI: battery: create alarm sysfs attribute atomically +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit a231eed10ed5a290129fda36ad7bcc263c53ff7d ] + +Let the power supply core register the attribute. +This ensures that the attribute is created before the device is +announced to userspace, avoid a race condition. + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 969bf81e8d546..7f7ad94f22b91 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -678,12 +678,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev, + return count; + } + +-static const struct device_attribute alarm_attr = { ++static struct device_attribute alarm_attr = { + .attr = {.name = "alarm", .mode = 0644}, + .show = acpi_battery_alarm_show, + .store = acpi_battery_alarm_store, + }; + ++static struct attribute *acpi_battery_attrs[] = { ++ &alarm_attr.attr, ++ NULL ++}; ++ATTRIBUTE_GROUPS(acpi_battery); ++ + /* + * The Battery Hooking API + * +@@ -823,7 +829,10 @@ static void __exit battery_hook_exit(void) + + static int sysfs_add_battery(struct acpi_battery *battery) + { +- struct power_supply_config psy_cfg = { .drv_data = battery, }; ++ struct power_supply_config psy_cfg = { ++ .drv_data = battery, ++ .attr_grp = acpi_battery_groups, ++ }; + bool full_cap_broken = false; + + if (!ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity) && +@@ -868,7 +877,7 @@ static int sysfs_add_battery(struct acpi_battery *battery) + return result; + } + battery_hook_add_battery(battery); +- return device_create_file(&battery->bat->dev, &alarm_attr); ++ return 0; + } + + static void sysfs_remove_battery(struct acpi_battery *battery) +@@ -879,7 +888,6 @@ static void sysfs_remove_battery(struct acpi_battery *battery) + return; + } + battery_hook_remove_battery(battery); +- device_remove_file(&battery->bat->dev, &alarm_attr); + power_supply_unregister(battery->bat); + battery->bat = NULL; + mutex_unlock(&battery->sysfs_lock); +-- +2.43.0 + diff --git a/queue-6.6/acpi-sbs-manage-alarm-sysfs-attribute-through-psy-co.patch b/queue-6.6/acpi-sbs-manage-alarm-sysfs-attribute-through-psy-co.patch new file mode 100644 index 00000000000..ee8c0addf7f --- /dev/null +++ b/queue-6.6/acpi-sbs-manage-alarm-sysfs-attribute-through-psy-co.patch @@ -0,0 +1,95 @@ +From a7bc40f6df25bf71c2e1f9e34ebe52c58536c7ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jun 2024 13:13:28 +0200 +Subject: ACPI: SBS: manage alarm sysfs attribute through psy core +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 6bad28cfc30988a845fb3f59a99f4b8a4ce8fe95 ] + +Let the power supply core register the attribute. + +This ensures that the attribute is created before the device is +announced to userspace, avoiding a race condition. + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/sbs.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c +index 94e3c000df2e1..fdeb46ed21d69 100644 +--- a/drivers/acpi/sbs.c ++++ b/drivers/acpi/sbs.c +@@ -77,7 +77,6 @@ struct acpi_battery { + u16 spec; + u8 id; + u8 present:1; +- u8 have_sysfs_alarm:1; + }; + + #define to_acpi_battery(x) power_supply_get_drvdata(x) +@@ -462,12 +461,18 @@ static ssize_t acpi_battery_alarm_store(struct device *dev, + return count; + } + +-static const struct device_attribute alarm_attr = { ++static struct device_attribute alarm_attr = { + .attr = {.name = "alarm", .mode = 0644}, + .show = acpi_battery_alarm_show, + .store = acpi_battery_alarm_store, + }; + ++static struct attribute *acpi_battery_attrs[] = { ++ &alarm_attr.attr, ++ NULL ++}; ++ATTRIBUTE_GROUPS(acpi_battery); ++ + /* -------------------------------------------------------------------------- + Driver Interface + -------------------------------------------------------------------------- */ +@@ -518,7 +523,10 @@ static int acpi_battery_read(struct acpi_battery *battery) + static int acpi_battery_add(struct acpi_sbs *sbs, int id) + { + struct acpi_battery *battery = &sbs->battery[id]; +- struct power_supply_config psy_cfg = { .drv_data = battery, }; ++ struct power_supply_config psy_cfg = { ++ .drv_data = battery, ++ .attr_grp = acpi_battery_groups, ++ }; + int result; + + battery->id = id; +@@ -548,10 +556,6 @@ static int acpi_battery_add(struct acpi_sbs *sbs, int id) + goto end; + } + +- result = device_create_file(&battery->bat->dev, &alarm_attr); +- if (result) +- goto end; +- battery->have_sysfs_alarm = 1; + end: + pr_info("%s [%s]: Battery Slot [%s] (battery %s)\n", + ACPI_SBS_DEVICE_NAME, acpi_device_bid(sbs->device), +@@ -563,11 +567,8 @@ static void acpi_battery_remove(struct acpi_sbs *sbs, int id) + { + struct acpi_battery *battery = &sbs->battery[id]; + +- if (battery->bat) { +- if (battery->have_sysfs_alarm) +- device_remove_file(&battery->bat->dev, &alarm_attr); ++ if (battery->bat) + power_supply_unregister(battery->bat); +- } + } + + static int acpi_charger_add(struct acpi_sbs *sbs) +-- +2.43.0 + diff --git a/queue-6.6/af_unix-don-t-retry-after-unix_state_lock_nested-in-.patch b/queue-6.6/af_unix-don-t-retry-after-unix_state_lock_nested-in-.patch new file mode 100644 index 00000000000..739b8230f7f --- /dev/null +++ b/queue-6.6/af_unix-don-t-retry-after-unix_state_lock_nested-in-.patch @@ -0,0 +1,139 @@ +From e05972bc341cbacb1db8f5f547c068c26bcaa31d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 13:56:15 -0700 +Subject: af_unix: Don't retry after unix_state_lock_nested() in + unix_stream_connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 1ca27e0c8c13ac50a4acf9cdf77069e2d94a547d ] + +When a SOCK_(STREAM|SEQPACKET) socket connect()s to another one, we need +to lock the two sockets to check their states in unix_stream_connect(). + +We use unix_state_lock() for the server and unix_state_lock_nested() for +client with tricky sk->sk_state check to avoid deadlock. + +The possible deadlock scenario are the following: + + 1) Self connect() + 2) Simultaneous connect() + +The former is simple, attempt to grab the same lock, and the latter is +AB-BA deadlock. + +After the server's unix_state_lock(), we check the server socket's state, +and if it's not TCP_LISTEN, connect() fails with -EINVAL. + +Then, we avoid the former deadlock by checking the client's state before +unix_state_lock_nested(). If its state is not TCP_LISTEN, we can make +sure that the client and the server are not identical based on the state. + +Also, the latter deadlock can be avoided in the same way. Due to the +server sk->sk_state requirement, AB-BA deadlock could happen only with +TCP_LISTEN sockets. So, if the client's state is TCP_LISTEN, we can +give up the second lock to avoid the deadlock. + + CPU 1 CPU 2 CPU 3 + connect(A -> B) connect(B -> A) listen(A) + --- --- --- + unix_state_lock(B) + B->sk_state == TCP_LISTEN + READ_ONCE(A->sk_state) == TCP_CLOSE + ^^^^^^^^^ + ok, will lock A unix_state_lock(A) + .--------------' WRITE_ONCE(A->sk_state, TCP_LISTEN) + | unix_state_unlock(A) + | + | unix_state_lock(A) + | A->sk_sk_state == TCP_LISTEN + | READ_ONCE(B->sk_state) == TCP_LISTEN + v ^^^^^^^^^^ + unix_state_lock_nested(A) Don't lock B !! + +Currently, while checking the client's state, we also check if it's +TCP_ESTABLISHED, but this is unlikely and can be checked after we know +the state is not TCP_CLOSE. + +Moreover, if it happens after the second lock, we now jump to the restart +label, but it's unlikely that the server is not found during the retry, +so the jump is mostly to revist the client state check. + +Let's remove the retry logic and check the state against TCP_CLOSE first. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 34 +++++++++------------------------- + 1 file changed, 9 insertions(+), 25 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index a551be47cb6c6..b7f62442d8268 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1483,6 +1483,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + struct unix_sock *u = unix_sk(sk), *newu, *otheru; + struct net *net = sock_net(sk); + struct sk_buff *skb = NULL; ++ unsigned char state; + long timeo; + int err; + +@@ -1529,7 +1530,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + goto out; + } + +- /* Latch state of peer */ + unix_state_lock(other); + + /* Apparently VFS overslept socket death. Retry. */ +@@ -1559,37 +1559,21 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + goto restart; + } + +- /* Latch our state. +- +- It is tricky place. We need to grab our state lock and cannot +- drop lock on peer. It is dangerous because deadlock is +- possible. Connect to self case and simultaneous +- attempt to connect are eliminated by checking socket +- state. other is TCP_LISTEN, if sk is TCP_LISTEN we +- check this before attempt to grab lock. +- +- Well, and we have to recheck the state after socket locked. ++ /* self connect and simultaneous connect are eliminated ++ * by rejecting TCP_LISTEN socket to avoid deadlock. + */ +- switch (READ_ONCE(sk->sk_state)) { +- case TCP_CLOSE: +- /* This is ok... continue with connect */ +- break; +- case TCP_ESTABLISHED: +- /* Socket is already connected */ +- err = -EISCONN; +- goto out_unlock; +- default: +- err = -EINVAL; ++ state = READ_ONCE(sk->sk_state); ++ if (unlikely(state != TCP_CLOSE)) { ++ err = state == TCP_ESTABLISHED ? -EISCONN : -EINVAL; + goto out_unlock; + } + + unix_state_lock_nested(sk, U_LOCK_SECOND); + +- if (sk->sk_state != TCP_CLOSE) { ++ if (unlikely(sk->sk_state != TCP_CLOSE)) { ++ err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EINVAL; + unix_state_unlock(sk); +- unix_state_unlock(other); +- sock_put(other); +- goto restart; ++ goto out_unlock; + } + + err = security_unix_stream_connect(sk, other, newsk); +-- +2.43.0 + diff --git a/queue-6.6/block-change-rq_integrity_vec-to-respect-the-iterato.patch b/queue-6.6/block-change-rq_integrity_vec-to-respect-the-iterato.patch new file mode 100644 index 00000000000..25a49795d7c --- /dev/null +++ b/queue-6.6/block-change-rq_integrity_vec-to-respect-the-iterato.patch @@ -0,0 +1,106 @@ +From b78ff15ec62a27d5026b0aa3536b60c3898750c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 17:40:10 +0200 +Subject: block: change rq_integrity_vec to respect the iterator + +From: Mikulas Patocka + +[ Upstream commit cf546dd289e0f6d2594c25e2fb4e19ee67c6d988 ] + +If we allocate a bio that is larger than NVMe maximum request size, +attach integrity metadata to it and send it to the NVMe subsystem, the +integrity metadata will be corrupted. + +Splitting the bio works correctly. The function bio_split will clone the +bio, trim the iterator of the first bio and advance the iterator of the +second bio. + +However, the function rq_integrity_vec has a bug - it returns the first +vector of the bio's metadata and completely disregards the metadata +iterator that was advanced when the bio was split. Thus, the second bio +uses the same metadata as the first bio and this leads to metadata +corruption. + +This commit changes rq_integrity_vec, so that it calls mp_bvec_iter_bvec +instead of returning the first vector. mp_bvec_iter_bvec reads the +iterator and uses it to build a bvec for the current position in the +iterator. + +The "queue_max_integrity_segments(rq->q) > 1" check was removed, because +the updated rq_integrity_vec function works correctly with multiple +segments. + +Signed-off-by: Mikulas Patocka +Reviewed-by: Anuj Gupta +Reviewed-by: Kanchan Joshi +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/49d1afaa-f934-6ed2-a678-e0d428c63a65@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 +++--- + include/linux/blk-integrity.h | 14 +++++++------- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 796c2a00fea4a..0fc7aa78b2e5b 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -826,9 +826,9 @@ static blk_status_t nvme_map_metadata(struct nvme_dev *dev, struct request *req, + struct nvme_command *cmnd) + { + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); ++ struct bio_vec bv = rq_integrity_vec(req); + +- iod->meta_dma = dma_map_bvec(dev->dev, rq_integrity_vec(req), +- rq_dma_dir(req), 0); ++ iod->meta_dma = dma_map_bvec(dev->dev, &bv, rq_dma_dir(req), 0); + if (dma_mapping_error(dev->dev, iod->meta_dma)) + return BLK_STS_IOERR; + cmnd->rw.metadata = cpu_to_le64(iod->meta_dma); +@@ -969,7 +969,7 @@ static __always_inline void nvme_pci_unmap_rq(struct request *req) + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); + + dma_unmap_page(dev->dev, iod->meta_dma, +- rq_integrity_vec(req)->bv_len, rq_dma_dir(req)); ++ rq_integrity_vec(req).bv_len, rq_dma_dir(req)); + } + + if (blk_rq_nr_phys_segments(req)) +diff --git a/include/linux/blk-integrity.h b/include/linux/blk-integrity.h +index 378b2459efe2d..69f73d0546118 100644 +--- a/include/linux/blk-integrity.h ++++ b/include/linux/blk-integrity.h +@@ -105,14 +105,13 @@ static inline bool blk_integrity_rq(struct request *rq) + } + + /* +- * Return the first bvec that contains integrity data. Only drivers that are +- * limited to a single integrity segment should use this helper. ++ * Return the current bvec that contains the integrity data. bip_iter may be ++ * advanced to iterate over the integrity data. + */ +-static inline struct bio_vec *rq_integrity_vec(struct request *rq) ++static inline struct bio_vec rq_integrity_vec(struct request *rq) + { +- if (WARN_ON_ONCE(queue_max_integrity_segments(rq->q) > 1)) +- return NULL; +- return rq->bio->bi_integrity->bip_vec; ++ return mp_bvec_iter_bvec(rq->bio->bi_integrity->bip_vec, ++ rq->bio->bi_integrity->bip_iter); + } + #else /* CONFIG_BLK_DEV_INTEGRITY */ + static inline int blk_rq_count_integrity_sg(struct request_queue *q, +@@ -178,7 +177,8 @@ static inline int blk_integrity_rq(struct request *rq) + + static inline struct bio_vec *rq_integrity_vec(struct request *rq) + { +- return NULL; ++ /* the optimizer will remove all calls to this function */ ++ return (struct bio_vec){ }; + } + #endif /* CONFIG_BLK_DEV_INTEGRITY */ + #endif /* _LINUX_BLK_INTEGRITY_H */ +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-btnxpuart-shutdown-timer-and-prevent-rearm.patch b/queue-6.6/bluetooth-btnxpuart-shutdown-timer-and-prevent-rearm.patch new file mode 100644 index 00000000000..922fcdc47df --- /dev/null +++ b/queue-6.6/bluetooth-btnxpuart-shutdown-timer-and-prevent-rearm.patch @@ -0,0 +1,70 @@ +From 262f3269d904d276835b23e20401550f4d31192e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 19:15:35 +0800 +Subject: Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver + unloading + +From: Luke Wang + +[ Upstream commit 0d0df1e750bac0fdaa77940e711c1625cff08d33 ] + +When unload the btnxpuart driver, its associated timer will be deleted. +If the timer happens to be modified at this moment, it leads to the +kernel call this timer even after the driver unloaded, resulting in +kernel panic. +Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming. + +panic log: + Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP + Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded: btnxpuart] + CPU: 5 PID: 723 Comm: memtester Tainted: G O 6.6.23-lts-next-06207-g4aef2658ac28 #1 + Hardware name: NXP i.MX95 19X19 board (DT) + pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : 0xffff80007a2cf464 + lr : call_timer_fn.isra.0+0x24/0x80 +... + Call trace: + 0xffff80007a2cf464 + __run_timers+0x234/0x280 + run_timer_softirq+0x20/0x40 + __do_softirq+0x100/0x26c + ____do_softirq+0x10/0x1c + call_on_irq_stack+0x24/0x4c + do_softirq_own_stack+0x1c/0x2c + irq_exit_rcu+0xc0/0xdc + el0_interrupt+0x54/0xd8 + __el0_irq_handler_common+0x18/0x24 + el0t_64_irq_handler+0x10/0x1c + el0t_64_irq+0x190/0x194 + Code: ???????? ???????? ???????? ???????? (????????) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Oops: Fatal exception in interrupt + SMP: stopping secondary CPUs + Kernel Offset: disabled + CPU features: 0x0,c0000000,40028143,1000721b + Memory Limit: none + ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- + +Signed-off-by: Luke Wang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btnxpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c +index 83e8e27a5ecec..b5d40e0e05f31 100644 +--- a/drivers/bluetooth/btnxpuart.c ++++ b/drivers/bluetooth/btnxpuart.c +@@ -340,7 +340,7 @@ static void ps_cancel_timer(struct btnxpuart_dev *nxpdev) + struct ps_data *psdata = &nxpdev->psdata; + + flush_work(&psdata->work); +- del_timer_sync(&psdata->ps_timer); ++ timer_shutdown_sync(&psdata->ps_timer); + } + + static void ps_control(struct hci_dev *hdev, u8 ps_state) +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_sync-avoid-dup-filtering-when-passive-.patch b/queue-6.6/bluetooth-hci_sync-avoid-dup-filtering-when-passive-.patch new file mode 100644 index 00000000000..29a8b054a7b --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-avoid-dup-filtering-when-passive-.patch @@ -0,0 +1,53 @@ +From 41e791bf05cf8088f47fe9e7be91ae9f7790206c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 21:58:10 +0200 +Subject: Bluetooth: hci_sync: avoid dup filtering when passive scanning with + adv monitor + +From: Anton Khirnov + +[ Upstream commit b5431dc2803ac159d6d4645ae237d15c3cb252db ] + +This restores behaviour (including the comment) from now-removed +hci_request.c, and also matches existing code for active scanning. + +Without this, the duplicates filter is always active when passive +scanning, which makes it impossible to work with devices that send +nontrivial dynamic data in their advertisement reports. + +Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") +Signed-off-by: Anton Khirnov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6dab0c99c82c7..38fee34887d8a 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2905,6 +2905,20 @@ static int hci_passive_scan_sync(struct hci_dev *hdev) + } else if (hci_is_adv_monitoring(hdev)) { + window = hdev->le_scan_window_adv_monitor; + interval = hdev->le_scan_int_adv_monitor; ++ ++ /* Disable duplicates filter when scanning for advertisement ++ * monitor for the following reasons. ++ * ++ * For HW pattern filtering (ex. MSFT), Realtek and Qualcomm ++ * controllers ignore RSSI_Sampling_Period when the duplicates ++ * filter is enabled. ++ * ++ * For SW pattern filtering, when we're not doing interleaved ++ * scanning, it is necessary to disable duplicates filter, ++ * otherwise hosts can only receive one advertisement and it's ++ * impossible to know if a peer is still in range. ++ */ ++ filter_dups = LE_SCAN_FILTER_DUP_DISABLE; + } else { + window = hdev->le_scan_window; + interval = hdev->le_scan_interval; +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-l2cap-always-unlock-channel-in-l2cap_conle.patch b/queue-6.6/bluetooth-l2cap-always-unlock-channel-in-l2cap_conle.patch new file mode 100644 index 00000000000..69d239b6276 --- /dev/null +++ b/queue-6.6/bluetooth-l2cap-always-unlock-channel-in-l2cap_conle.patch @@ -0,0 +1,37 @@ +From ea63fc7d8dbcae6efdd1304027097a295c6e27a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 12:19:36 +0300 +Subject: Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() + +From: Dmitry Antipov + +[ Upstream commit c531e63871c0b50c8c4e62c048535a08886fba3e ] + +Add missing call to 'l2cap_chan_unlock()' on receive error handling +path in 'l2cap_conless_channel()'. + +Fixes: a24cce144b98 ("Bluetooth: Fix reference counting of global L2CAP channels") +Reported-by: syzbot+45ac74737e866894acb0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=45ac74737e866894acb0 +Signed-off-by: Dmitry Antipov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 1164c6d927281..2651cc2d5c283 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6775,6 +6775,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, + bt_cb(skb)->l2cap.psm = psm; + + if (!chan->ops->recv(chan, skb)) { ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + return; + } +-- +2.43.0 + diff --git a/queue-6.6/btrfs-do-not-clear-page-dirty-inside-extent_write_lo.patch b/queue-6.6/btrfs-do-not-clear-page-dirty-inside-extent_write_lo.patch new file mode 100644 index 00000000000..1b14461b2bf --- /dev/null +++ b/queue-6.6/btrfs-do-not-clear-page-dirty-inside-extent_write_lo.patch @@ -0,0 +1,201 @@ +From f629adb9afcb5ef5830f6a4eb0815acf6df22647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 08:21:54 +1030 +Subject: btrfs: do not clear page dirty inside extent_write_locked_range() + +From: Qu Wenruo + +[ Upstream commit 97713b1a2ced1e4a2a6c40045903797ebd44d7e0 ] + +[BUG] +For subpage + zoned case, the following workload can lead to rsv data +leak at unmount time: + + # mkfs.btrfs -f -s 4k $dev + # mount $dev $mnt + # fsstress -w -n 8 -d $mnt -s 1709539240 + 0/0: fiemap - no filename + 0/1: copyrange read - no filename + 0/2: write - no filename + 0/3: rename - no source filename + 0/4: creat f0 x:0 0 0 + 0/4: creat add id=0,parent=-1 + 0/5: writev f0[259 1 0 0 0 0] [778052,113,965] 0 + 0/6: ioctl(FIEMAP) f0[259 1 0 0 224 887097] [1294220,2291618343991484791,0x10000] -1 + 0/7: dwrite - xfsctl(XFS_IOC_DIOINFO) f0[259 1 0 0 224 887097] return 25, fallback to stat() + 0/7: dwrite f0[259 1 0 0 224 887097] [696320,102400] 0 + # umount $mnt + +The dmesg includes the following rsv leak detection warning (all call +trace skipped): + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8653 btrfs_destroy_inode+0x1e0/0x200 [btrfs] + ---[ end trace 0000000000000000 ]--- + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8654 btrfs_destroy_inode+0x1a8/0x200 [btrfs] + ---[ end trace 0000000000000000 ]--- + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8660 btrfs_destroy_inode+0x1a0/0x200 [btrfs] + ---[ end trace 0000000000000000 ]--- + BTRFS info (device sda): last unmount of filesystem 1b4abba9-de34-4f07-9e7f-157cf12a18d6 + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] + ---[ end trace 0000000000000000 ]--- + BTRFS info (device sda): space_info DATA has 268218368 free, is not full + BTRFS info (device sda): space_info total=268435456, used=204800, pinned=0, reserved=0, may_use=12288, readonly=0 zone_unusable=0 + BTRFS info (device sda): global_block_rsv: size 0 reserved 0 + BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 + BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 + BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 + BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] + ---[ end trace 0000000000000000 ]--- + BTRFS info (device sda): space_info METADATA has 267796480 free, is not full + BTRFS info (device sda): space_info total=268435456, used=131072, pinned=0, reserved=0, may_use=262144, readonly=0 zone_unusable=245760 + BTRFS info (device sda): global_block_rsv: size 0 reserved 0 + BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 + BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 + BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 + BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 + +Above $dev is a tcmu-runner emulated zoned HDD, which has a max zone +append size of 64K, and the system has 64K page size. + +[CAUSE] +I have added several trace_printk() to show the events (header skipped): + + > btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864 + +The above lines show our buffered write has dirtied 3 pages of inode +259 of root 5: + + 704K 768K 832K 896K + I |////I/////////////////I///////////| I + 756K 868K + + |///| is the dirtied range using subpage bitmaps. and 'I' is the page + boundary. + + Meanwhile all three pages (704K, 768K, 832K) have their PageDirty + flag set. + + > btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400 + +Then direct IO write starts, since the range [680K, 780K) covers the +beginning part of the above dirty range, we need to writeback the +two pages at 704K and 768K. + + > cow_file_range: r/i=5/259 add ordered extent filepos=774144 len=65536 + > extent_write_locked_range: r/i=5/259 locked page=720896 start=774144 len=65536 + +Now the above 2 lines show that we're writing back for dirty range +[756K, 756K + 64K). +We only writeback 64K because the zoned device has max zone append size +as 64K. + + > extent_write_locked_range: r/i=5/259 clear dirty for page=786432 + +!!! The above line shows the root cause. !!! + +We're calling clear_page_dirty_for_io() inside extent_write_locked_range(), +for the page 768K. +This is because extent_write_locked_range() can go beyond the current +locked page, here we hit the page at 768K and clear its page dirt. + +In fact this would lead to the desync between subpage dirty and page +dirty flags. We have the page dirty flag cleared, but the subpage range +[820K, 832K) is still dirty. + +After the writeback of range [756K, 820K), the dirty flags look like +this, as page 768K no longer has dirty flag set. + + 704K 768K 832K 896K + I I | I/////////////| I + 820K 868K + +This means we will no longer writeback range [820K, 832K), thus the +reserved data/metadata space would never be properly released. + + > extent_write_cache_pages: r/i=5/259 skip non-dirty folio=786432 + +Now even though we try to start writeback for page 768K, since the +page is not dirty, we completely skip it at extent_write_cache_pages() +time. + + > btrfs_direct_write: r/i=5/259 dio done filepos=696320 len=0 + +Now the direct IO finished. + + > cow_file_range: r/i=5/259 add ordered extent filepos=851968 len=36864 + > extent_write_locked_range: r/i=5/259 locked page=851968 start=851968 len=36864 + +Now we writeback the remaining dirty range, which is [832K, 868K). +Causing the range [820K, 832K) never to be submitted, thus leaking the +reserved space. + +This bug only affects subpage and zoned case. For non-subpage and zoned +case, we have exactly one sector for each page, thus no such partial dirty +cases. + +For subpage and non-zoned case, we never go into run_delalloc_cow(), and +normally all the dirty subpage ranges would be properly submitted inside +__extent_writepage_io(). + +[FIX] +Just do not clear the page dirty at all inside extent_write_locked_range(). +As __extent_writepage_io() would do a more accurate, subpage compatible +clear for page and subpage dirty flags anyway. + +Now the correct trace would look like this: + + > btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536 + > btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864 + +The page dirty part is still the same 3 pages. + + > btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400 + > cow_file_range: r/i=5/259 add ordered extent filepos=774144 len=65536 + > extent_write_locked_range: r/i=5/259 locked page=720896 start=774144 len=65536 + +And the writeback for the first 64K is still correct. + + > cow_file_range: r/i=5/259 add ordered extent filepos=839680 len=49152 + > extent_write_locked_range: r/i=5/259 locked page=786432 start=839680 len=49152 + +Now with the fix, we can properly writeback the range [820K, 832K), and +properly release the reserved data/metadata space. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 9fbffd84b16c5..c6a95dfa59c81 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2172,10 +2172,8 @@ void extent_write_locked_range(struct inode *inode, struct page *locked_page, + + page = find_get_page(mapping, cur >> PAGE_SHIFT); + ASSERT(PageLocked(page)); +- if (pages_dirty && page != locked_page) { ++ if (pages_dirty && page != locked_page) + ASSERT(PageDirty(page)); +- clear_page_dirty_for_io(page); +- } + + ret = __extent_writepage_io(BTRFS_I(inode), page, &bio_ctrl, + i_size, &nr); +-- +2.43.0 + diff --git a/queue-6.6/btrfs-fix-bitmap-leak-when-loading-free-space-cache-.patch b/queue-6.6/btrfs-fix-bitmap-leak-when-loading-free-space-cache-.patch new file mode 100644 index 00000000000..636a1aee032 --- /dev/null +++ b/queue-6.6/btrfs-fix-bitmap-leak-when-loading-free-space-cache-.patch @@ -0,0 +1,39 @@ +From 85404c39748c927e711b23d627684b1e993dc0e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 15:40:59 +0100 +Subject: btrfs: fix bitmap leak when loading free space cache on duplicate + entry + +From: Filipe Manana + +[ Upstream commit 320d8dc612660da84c3b70a28658bb38069e5a9a ] + +If we failed to link a free space entry because there's already a +conflicting entry for the same offset, we free the free space entry but +we don't free the associated bitmap that we had just allocated before. +Fix that by freeing the bitmap before freeing the entry. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index f59e599766662..3e141c4dd2630 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -855,6 +855,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + spin_unlock(&ctl->tree_lock); + btrfs_err(fs_info, + "Duplicate entries in free space cache, dumping"); ++ kmem_cache_free(btrfs_free_space_bitmap_cachep, e->bitmap); + kmem_cache_free(btrfs_free_space_cachep, e); + goto free_cache; + } +-- +2.43.0 + diff --git a/queue-6.6/can-mcp251xfd-tef-prepare-to-workaround-broken-tef-f.patch b/queue-6.6/can-mcp251xfd-tef-prepare-to-workaround-broken-tef-f.patch new file mode 100644 index 00000000000..3b07c3e4a84 --- /dev/null +++ b/queue-6.6/can-mcp251xfd-tef-prepare-to-workaround-broken-tef-f.patch @@ -0,0 +1,211 @@ +From e87c7e5562d23007aef1ec1f2be261957e25d38b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jan 2023 21:30:41 +0100 +Subject: can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index + erratum +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +[ Upstream commit b8e0ddd36ce9536ad7478dd27df06c9ae92370ba ] + +This is a preparatory patch to work around a problem similar to +erratum DS80000789E 6 of the mcp2518fd, the other variants of the chip +family (mcp2517fd and mcp251863) are probably also affected. + +Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA +register for an RX FIFO may be corrupted". However observation shows +that this problem is not limited to RX FIFOs but also effects the TEF +FIFO. + +When handling the TEF interrupt, the driver reads the FIFO header +index from the TEF FIFO STA register of the chip. + +In the bad case, the driver reads a too large head index. In the +original code, the driver always trusted the read value, which caused +old CAN transmit complete events that were already processed to be +re-processed. + +Instead of reading and trusting the head index, read the head index +and calculate the number of CAN frames that were supposedly received - +replace mcp251xfd_tef_ring_update() with mcp251xfd_get_tef_len(). + +The mcp251xfd_handle_tefif() function reads the CAN transmit complete +events from the chip, iterates over them and pushes them into the +network stack. The original driver already contains code to detect old +CAN transmit complete events, that will be updated in the next patch. + +Cc: Stefan Althöfer +Cc: Thomas Kopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + .../net/can/spi/mcp251xfd/mcp251xfd-ring.c | 2 + + drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 54 +++++++++++++------ + drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 13 ++--- + 3 files changed, 43 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +index bfe4caa0c99d4..4cb79a4f24612 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +@@ -485,6 +485,8 @@ int mcp251xfd_ring_alloc(struct mcp251xfd_priv *priv) + clear_bit(MCP251XFD_FLAGS_FD_MODE, priv->flags); + } + ++ tx_ring->obj_num_shift_to_u8 = BITS_PER_TYPE(tx_ring->obj_num) - ++ ilog2(tx_ring->obj_num); + tx_ring->obj_size = tx_obj_size; + + rem = priv->rx_obj_num; +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +index e5bd57b65aafe..b41fad3b37c06 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +@@ -2,7 +2,7 @@ + // + // mcp251xfd - Microchip MCP251xFD Family CAN controller driver + // +-// Copyright (c) 2019, 2020, 2021 Pengutronix, ++// Copyright (c) 2019, 2020, 2021, 2023 Pengutronix, + // Marc Kleine-Budde + // + // Based on: +@@ -16,6 +16,11 @@ + + #include "mcp251xfd.h" + ++static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta) ++{ ++ return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF); ++} ++ + static inline int + mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv, + u8 *tef_tail) +@@ -120,28 +125,44 @@ mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv, + return 0; + } + +-static int mcp251xfd_tef_ring_update(struct mcp251xfd_priv *priv) ++static int ++mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p) + { + const struct mcp251xfd_tx_ring *tx_ring = priv->tx; +- unsigned int new_head; +- u8 chip_tx_tail; ++ const u8 shift = tx_ring->obj_num_shift_to_u8; ++ u8 chip_tx_tail, tail, len; ++ u32 fifo_sta; + int err; + +- err = mcp251xfd_tx_tail_get_from_chip(priv, &chip_tx_tail); ++ err = regmap_read(priv->map_reg, MCP251XFD_REG_FIFOSTA(priv->tx->fifo_nr), ++ &fifo_sta); + if (err) + return err; + +- /* chip_tx_tail, is the next TX-Object send by the HW. +- * The new TEF head must be >= the old head, ... ++ if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) { ++ *len_p = tx_ring->obj_num; ++ return 0; ++ } ++ ++ chip_tx_tail = FIELD_GET(MCP251XFD_REG_FIFOSTA_FIFOCI_MASK, fifo_sta); ++ ++ err = mcp251xfd_check_tef_tail(priv); ++ if (err) ++ return err; ++ tail = mcp251xfd_get_tef_tail(priv); ++ ++ /* First shift to full u8. The subtraction works on signed ++ * values, that keeps the difference steady around the u8 ++ * overflow. The right shift acts on len, which is an u8. + */ +- new_head = round_down(priv->tef->head, tx_ring->obj_num) + chip_tx_tail; +- if (new_head <= priv->tef->head) +- new_head += tx_ring->obj_num; ++ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(chip_tx_tail)); ++ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(tail)); ++ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len)); + +- /* ... but it cannot exceed the TX head. */ +- priv->tef->head = min(new_head, tx_ring->head); ++ len = (chip_tx_tail << shift) - (tail << shift); ++ *len_p = len >> shift; + +- return mcp251xfd_check_tef_tail(priv); ++ return 0; + } + + static inline int +@@ -182,13 +203,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv) + u8 tef_tail, len, l; + int err, i; + +- err = mcp251xfd_tef_ring_update(priv); ++ err = mcp251xfd_get_tef_len(priv, &len); + if (err) + return err; + + tef_tail = mcp251xfd_get_tef_tail(priv); +- len = mcp251xfd_get_tef_len(priv); +- l = mcp251xfd_get_tef_linear_len(priv); ++ l = mcp251xfd_get_tef_linear_len(priv, len); + err = mcp251xfd_tef_obj_read(priv, hw_tef_obj, tef_tail, l); + if (err) + return err; +@@ -223,6 +243,8 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv) + struct mcp251xfd_tx_ring *tx_ring = priv->tx; + int offset; + ++ ring->head += len; ++ + /* Increment the TEF FIFO tail pointer 'len' times in + * a single SPI message. + * +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +index b35bfebd23f29..4628bf847bc9b 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +@@ -524,6 +524,7 @@ struct mcp251xfd_tef_ring { + + /* u8 obj_num equals tx_ring->obj_num */ + /* u8 obj_size equals sizeof(struct mcp251xfd_hw_tef_obj) */ ++ /* u8 obj_num_shift_to_u8 equals tx_ring->obj_num_shift_to_u8 */ + + union mcp251xfd_write_reg_buf irq_enable_buf; + struct spi_transfer irq_enable_xfer; +@@ -542,6 +543,7 @@ struct mcp251xfd_tx_ring { + u8 nr; + u8 fifo_nr; + u8 obj_num; ++ u8 obj_num_shift_to_u8; + u8 obj_size; + + struct mcp251xfd_tx_obj obj[MCP251XFD_TX_OBJ_NUM_MAX]; +@@ -861,17 +863,8 @@ static inline u8 mcp251xfd_get_tef_tail(const struct mcp251xfd_priv *priv) + return priv->tef->tail & (priv->tx->obj_num - 1); + } + +-static inline u8 mcp251xfd_get_tef_len(const struct mcp251xfd_priv *priv) ++static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv, u8 len) + { +- return priv->tef->head - priv->tef->tail; +-} +- +-static inline u8 mcp251xfd_get_tef_linear_len(const struct mcp251xfd_priv *priv) +-{ +- u8 len; +- +- len = mcp251xfd_get_tef_len(priv); +- + return min_t(u8, len, priv->tx->obj_num - mcp251xfd_get_tef_tail(priv)); + } + +-- +2.43.0 + diff --git a/queue-6.6/can-mcp251xfd-tef-update-workaround-for-erratum-ds80.patch b/queue-6.6/can-mcp251xfd-tef-update-workaround-for-erratum-ds80.patch new file mode 100644 index 00000000000..baa77d6cfd8 --- /dev/null +++ b/queue-6.6/can-mcp251xfd-tef-update-workaround-for-erratum-ds80.patch @@ -0,0 +1,151 @@ +From 212bd374d47cd8270eb837caa93847acda32686f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jan 2023 22:35:03 +0100 +Subject: can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of + mcp2518fd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +[ Upstream commit 3a0a88fcbaf9e027ecca3fe8775be9700b4d6460 ] + +This patch updates the workaround for a problem similar to erratum +DS80000789E 6 of the mcp2518fd, the other variants of the chip +family (mcp2517fd and mcp251863) are probably also affected. + +Erratum DS80000789E 6 says "reading of the FIFOCI bits in the FIFOSTA +register for an RX FIFO may be corrupted". However observation shows +that this problem is not limited to RX FIFOs but also effects the TEF +FIFO. + +In the bad case, the driver reads a too large head index. As the FIFO +is implemented as a ring buffer, this results in re-handling old CAN +transmit complete events. + +Every transmit complete event contains with a sequence number that +equals to the sequence number of the corresponding TX request. This +way old TX complete events can be detected. + +If the original driver detects a non matching sequence number, it +prints an info message and tries again later. As wrong sequence +numbers can be explained by the erratum DS80000789E 6, demote the info +message to debug level, streamline the code and update the comments. + +Keep the behavior: If an old CAN TX complete event is detected, abort +the iteration and mark the number of valid CAN TX complete events as +processed in the chip by incrementing the FIFO's tail index. + +Cc: Stefan Althöfer +Cc: Thomas Kopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 71 +++++++------------ + 1 file changed, 27 insertions(+), 44 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +index b41fad3b37c06..5b0c7890d4b44 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +@@ -60,56 +60,39 @@ static int mcp251xfd_check_tef_tail(const struct mcp251xfd_priv *priv) + return 0; + } + +-static int +-mcp251xfd_handle_tefif_recover(const struct mcp251xfd_priv *priv, const u32 seq) +-{ +- const struct mcp251xfd_tx_ring *tx_ring = priv->tx; +- u32 tef_sta; +- int err; +- +- err = regmap_read(priv->map_reg, MCP251XFD_REG_TEFSTA, &tef_sta); +- if (err) +- return err; +- +- if (tef_sta & MCP251XFD_REG_TEFSTA_TEFOVIF) { +- netdev_err(priv->ndev, +- "Transmit Event FIFO buffer overflow.\n"); +- return -ENOBUFS; +- } +- +- netdev_info(priv->ndev, +- "Transmit Event FIFO buffer %s. (seq=0x%08x, tef_tail=0x%08x, tef_head=0x%08x, tx_head=0x%08x).\n", +- tef_sta & MCP251XFD_REG_TEFSTA_TEFFIF ? +- "full" : tef_sta & MCP251XFD_REG_TEFSTA_TEFNEIF ? +- "not empty" : "empty", +- seq, priv->tef->tail, priv->tef->head, tx_ring->head); +- +- /* The Sequence Number in the TEF doesn't match our tef_tail. */ +- return -EAGAIN; +-} +- + static int + mcp251xfd_handle_tefif_one(struct mcp251xfd_priv *priv, + const struct mcp251xfd_hw_tef_obj *hw_tef_obj, + unsigned int *frame_len_ptr) + { + struct net_device_stats *stats = &priv->ndev->stats; ++ u32 seq, tef_tail_masked, tef_tail; + struct sk_buff *skb; +- u32 seq, seq_masked, tef_tail_masked, tef_tail; + +- seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2518FD_MASK, ++ /* Use the MCP2517FD mask on the MCP2518FD, too. We only ++ * compare 7 bits, this is enough to detect old TEF objects. ++ */ ++ seq = FIELD_GET(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK, + hw_tef_obj->flags); +- +- /* Use the MCP2517FD mask on the MCP2518FD, too. We only +- * compare 7 bits, this should be enough to detect +- * net-yet-completed, i.e. old TEF objects. +- */ +- seq_masked = seq & +- field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK); + tef_tail_masked = priv->tef->tail & + field_mask(MCP251XFD_OBJ_FLAGS_SEQ_MCP2517FD_MASK); +- if (seq_masked != tef_tail_masked) +- return mcp251xfd_handle_tefif_recover(priv, seq); ++ ++ /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI ++ * bits of a FIFOSTA register, here the TX FIFO tail index ++ * might be corrupted and we might process past the TEF FIFO's ++ * head into old CAN frames. ++ * ++ * Compare the sequence number of the currently processed CAN ++ * frame with the expected sequence number. Abort with ++ * -EBADMSG if an old CAN frame is detected. ++ */ ++ if (seq != tef_tail_masked) { ++ netdev_dbg(priv->ndev, "%s: chip=0x%02x ring=0x%02x\n", __func__, ++ seq, tef_tail_masked); ++ stats->tx_fifo_errors++; ++ ++ return -EBADMSG; ++ } + + tef_tail = mcp251xfd_get_tef_tail(priv); + skb = priv->can.echo_skb[tef_tail]; +@@ -223,12 +206,12 @@ int mcp251xfd_handle_tefif(struct mcp251xfd_priv *priv) + unsigned int frame_len = 0; + + err = mcp251xfd_handle_tefif_one(priv, &hw_tef_obj[i], &frame_len); +- /* -EAGAIN means the Sequence Number in the TEF +- * doesn't match our tef_tail. This can happen if we +- * read the TEF objects too early. Leave loop let the +- * interrupt handler call us again. ++ /* -EBADMSG means we're affected by mcp2518fd erratum ++ * DS80000789E 6., i.e. the Sequence Number in the TEF ++ * doesn't match our tef_tail. Don't process any ++ * further and mark processed frames as good. + */ +- if (err == -EAGAIN) ++ if (err == -EBADMSG) + goto out_netif_wake_queue; + if (err) + return err; +-- +2.43.0 + diff --git a/queue-6.6/clocksource-drivers-sh_cmt-address-race-condition-fo.patch b/queue-6.6/clocksource-drivers-sh_cmt-address-race-condition-fo.patch new file mode 100644 index 00000000000..e4193ad0c7b --- /dev/null +++ b/queue-6.6/clocksource-drivers-sh_cmt-address-race-condition-fo.patch @@ -0,0 +1,144 @@ +From cf9b49f5c049c5ff4f5809b8410ee361a3d0f1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:02:30 +0200 +Subject: clocksource/drivers/sh_cmt: Address race condition for clock events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit db19d3aa77612983a02bd223b3f273f896b243cf ] + +There is a race condition in the CMT interrupt handler. In the interrupt +handler the driver sets a driver private flag, FLAG_IRQCONTEXT. This +flag is used to indicate any call to set_next_event() should not be +directly propagated to the device, but instead cached. This is done as +the interrupt handler itself reprograms the device when needed before it +completes and this avoids this operation to take place twice. + +It is unclear why this design was chosen, my suspicion is to allow the +struct clock_event_device.event_handler callback, which is called while +the FLAG_IRQCONTEXT is set, can update the next event without having to +write to the device twice. + +Unfortunately there is a race between when the FLAG_IRQCONTEXT flag is +set and later cleared where the interrupt handler have already started to +write the next event to the device. If set_next_event() is called in +this window the value is only cached in the driver but not written. This +leads to the board to misbehave, or worse lockup and produce a splat. + + rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: + rcu: 0-...!: (0 ticks this GP) idle=f5e0/0/0x0 softirq=519/519 fqs=0 (false positive?) + rcu: (detected by 1, t=6502 jiffies, g=-595, q=77 ncpus=2) + Sending NMI from CPU 1 to CPUs 0: + NMI backtrace for cpu 0 + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0-rc5-arm64-renesas-00019-g74a6f86eaf1c-dirty #20 + Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : tick_check_broadcast_expired+0xc/0x40 + lr : cpu_idle_poll.isra.0+0x8c/0x168 + sp : ffff800081c63d70 + x29: ffff800081c63d70 x28: 00000000580000c8 x27: 00000000bfee5610 + x26: 0000000000000027 x25: 0000000000000000 x24: 0000000000000000 + x23: ffff00007fbb9100 x22: ffff8000818f1008 x21: ffff8000800ef07c + x20: ffff800081c79ec0 x19: ffff800081c70c28 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffc2c717d8 + x14: 0000000000000000 x13: ffff000009c18080 x12: ffff8000825f7fc0 + x11: 0000000000000000 x10: ffff8000818f3cd4 x9 : 0000000000000028 + x8 : ffff800081c79ec0 x7 : ffff800081c73000 x6 : 0000000000000000 + x5 : 0000000000000000 x4 : ffff7ffffe286000 x3 : 0000000000000000 + x2 : ffff7ffffe286000 x1 : ffff800082972900 x0 : ffff8000818f1008 + Call trace: + tick_check_broadcast_expired+0xc/0x40 + do_idle+0x9c/0x280 + cpu_startup_entry+0x34/0x40 + kernel_init+0x0/0x11c + do_one_initcall+0x0/0x260 + __primary_switched+0x80/0x88 + rcu: rcu_preempt kthread timer wakeup didn't happen for 6501 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 + rcu: Possible timer handling issue on cpu=0 timer-softirq=262 + rcu: rcu_preempt kthread starved for 6502 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=0 + rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. + rcu: RCU grace-period kthread stack dump: + task:rcu_preempt state:I stack:0 pid:15 tgid:15 ppid:2 flags:0x00000008 + Call trace: + __switch_to+0xbc/0x100 + __schedule+0x358/0xbe0 + schedule+0x48/0x148 + schedule_timeout+0xc4/0x138 + rcu_gp_fqs_loop+0x12c/0x764 + rcu_gp_kthread+0x208/0x298 + kthread+0x10c/0x110 + ret_from_fork+0x10/0x20 + +The design have been part of the driver since it was first merged in +early 2009. It becomes increasingly harder to trigger the issue the +older kernel version one tries. It only takes a few boots on v6.10-rc5, +while hundreds of boots are needed to trigger it on v5.10. + +Close the race condition by using the CMT channel lock for the two +competing sections. The channel lock was added to the driver after its +initial design. + +Signed-off-by: Niklas Söderlund +Link: https://lore.kernel.org/r/20240702190230.3825292-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/sh_cmt.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c +index 26919556ef5f0..b72b36e0abed8 100644 +--- a/drivers/clocksource/sh_cmt.c ++++ b/drivers/clocksource/sh_cmt.c +@@ -528,6 +528,7 @@ static void sh_cmt_set_next(struct sh_cmt_channel *ch, unsigned long delta) + static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) + { + struct sh_cmt_channel *ch = dev_id; ++ unsigned long flags; + + /* clear flags */ + sh_cmt_write_cmcsr(ch, sh_cmt_read_cmcsr(ch) & +@@ -558,6 +559,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) + + ch->flags &= ~FLAG_SKIPEVENT; + ++ raw_spin_lock_irqsave(&ch->lock, flags); ++ + if (ch->flags & FLAG_REPROGRAM) { + ch->flags &= ~FLAG_REPROGRAM; + sh_cmt_clock_event_program_verify(ch, 1); +@@ -570,6 +573,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) + + ch->flags &= ~FLAG_IRQCONTEXT; + ++ raw_spin_unlock_irqrestore(&ch->lock, flags); ++ + return IRQ_HANDLED; + } + +@@ -780,12 +785,18 @@ static int sh_cmt_clock_event_next(unsigned long delta, + struct clock_event_device *ced) + { + struct sh_cmt_channel *ch = ced_to_sh_cmt(ced); ++ unsigned long flags; + + BUG_ON(!clockevent_state_oneshot(ced)); ++ ++ raw_spin_lock_irqsave(&ch->lock, flags); ++ + if (likely(ch->flags & FLAG_IRQCONTEXT)) + ch->next_match_value = delta - 1; + else +- sh_cmt_set_next(ch, delta - 1); ++ __sh_cmt_set_next(ch, delta - 1); ++ ++ raw_spin_unlock_irqrestore(&ch->lock, flags); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-admgpu-fix-dereferencing-null-pointer-context.patch b/queue-6.6/drm-admgpu-fix-dereferencing-null-pointer-context.patch new file mode 100644 index 00000000000..a9f4f95315a --- /dev/null +++ b/queue-6.6/drm-admgpu-fix-dereferencing-null-pointer-context.patch @@ -0,0 +1,37 @@ +From c09e1b278436fc07215589f3f772bbc4ba05fe87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 10:57:04 +0800 +Subject: drm/admgpu: fix dereferencing null pointer context + +From: Jesse Zhang + +[ Upstream commit 030ffd4d43b433bc6671d9ec34fc12c59220b95d ] + +When user space sets an invalid ta type, the pointer context will be empty. +So it need to check the pointer context before using it + +Signed-off-by: Jesse Zhang +Suggested-by: Tim Huang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c +index ca5c86e5f7cd6..8e8afbd237bcd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c +@@ -334,7 +334,7 @@ static ssize_t ta_if_invoke_debugfs_write(struct file *fp, const char *buf, size + + set_ta_context_funcs(psp, ta_type, &context); + +- if (!context->initialized) { ++ if (!context || !context->initialized) { + dev_err(adev->dev, "TA is not initialized\n"); + ret = -EINVAL; + goto err_free_shared_buf; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-add-delay-to-improve-lttpr-uhbr-inte.patch b/queue-6.6/drm-amd-display-add-delay-to-improve-lttpr-uhbr-inte.patch new file mode 100644 index 00000000000..99fea87ddbe --- /dev/null +++ b/queue-6.6/drm-amd-display-add-delay-to-improve-lttpr-uhbr-inte.patch @@ -0,0 +1,45 @@ +From aba5c0e112abf667157b347a72bb37439c974b5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 12:00:34 -0400 +Subject: drm/amd/display: Add delay to improve LTTPR UHBR interop + +From: Michael Strauss + +[ Upstream commit 10839ee6a977ed1f7d0f4deb29f2d7e5d1f2a9dd ] + +[WHY] +Avoid race condition which puts LTTPR into bad state during UHBR LT. + +[HOW] +Delay 30ms between starting UHBR TPS1 PHY output and sending TPS1 via DPCD. + +Reviewed-by: Wenjing Liu +Acked-by: Aurabindo Pillai +Signed-off-by: Michael Strauss +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c +index b621b97711b61..a7f5b0f6272ce 100644 +--- a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c +@@ -162,7 +162,12 @@ static void set_hpo_fixed_vs_pe_retimer_dp_link_test_pattern(struct dc_link *lin + link_res->hpo_dp_link_enc->funcs->set_link_test_pattern( + link_res->hpo_dp_link_enc, tp_params); + } ++ + link->dc->link_srv->dp_trace_source_sequence(link, DPCD_SOURCE_SEQ_AFTER_SET_SOURCE_PATTERN); ++ ++ // Give retimer extra time to lock before updating DP_TRAINING_PATTERN_SET to TPS1 ++ if (tp_params->dp_phy_pattern == DP_TEST_PATTERN_128b_132b_TPS1_TRAINING_MODE) ++ msleep(30); + } + + static void set_hpo_fixed_vs_pe_retimer_dp_lane_settings(struct dc_link *link, +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-add-null-check-for-afb-before-derefe.patch b/queue-6.6/drm-amd-display-add-null-check-for-afb-before-derefe.patch new file mode 100644 index 00000000000..b02ec15d192 --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-check-for-afb-before-derefe.patch @@ -0,0 +1,67 @@ +From a16214aeff73e6993ae53448d22605bb68760e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 21:13:40 +0530 +Subject: drm/amd/display: Add NULL check for 'afb' before dereferencing in + amdgpu_dm_plane_handle_cursor_update + +From: Srinivasan Shanmugam + +[ Upstream commit 38e6f715b02b572f74677eb2f29d3b4bc6f1ddff ] + +This commit adds a null check for the 'afb' variable in the +amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was +assumed to be null, but was used later in the code without a null check. +This could potentially lead to a null pointer dereference. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252) + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Hersen Wu +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c +index cc74dd69acf2b..eb77de95f26f5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c +@@ -1225,14 +1225,22 @@ void amdgpu_dm_plane_handle_cursor_update(struct drm_plane *plane, + { + struct amdgpu_device *adev = drm_to_adev(plane->dev); + struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb); +- struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc; +- struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL; +- struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); +- uint64_t address = afb ? afb->address : 0; ++ struct drm_crtc *crtc; ++ struct dm_crtc_state *crtc_state; ++ struct amdgpu_crtc *amdgpu_crtc; ++ u64 address; + struct dc_cursor_position position = {0}; + struct dc_cursor_attributes attributes; + int ret; + ++ if (!afb) ++ return; ++ ++ crtc = plane->state->crtc ? plane->state->crtc : old_plane_state->crtc; ++ crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL; ++ amdgpu_crtc = to_amdgpu_crtc(crtc); ++ address = afb->address; ++ + if (!plane->state->fb && !old_plane_state->fb) + return; + +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-add-null-checker-before-passing-vari.patch b/queue-6.6/drm-amd-display-add-null-checker-before-passing-vari.patch new file mode 100644 index 00000000000..71981c0e43c --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-checker-before-passing-vari.patch @@ -0,0 +1,59 @@ +From fd8fc00f2145c986b7baeb48557a3ac7bf8a300b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 16:33:18 -0600 +Subject: drm/amd/display: Add null checker before passing variables + +From: Alex Hung + +[ Upstream commit 8092aa3ab8f7b737a34b71f91492c676a843043a ] + +Checks null pointer before passing variables to functions. + +This fixes 3 NULL_RETURNS issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Hamza Mahfooz +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 60db3800666ec..94059aef762be 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2628,7 +2628,8 @@ static int dm_suspend(void *handle) + + dm->cached_dc_state = dc_copy_state(dm->dc->current_state); + +- dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false); ++ if (dm->cached_dc_state) ++ dm_gpureset_toggle_interrupts(adev, dm->cached_dc_state, false); + + amdgpu_dm_commit_zero_streams(dm->dc); + +@@ -6483,7 +6484,8 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector) + aconnector->dc_sink = aconnector->dc_link->local_sink ? + aconnector->dc_link->local_sink : + aconnector->dc_em_sink; +- dc_sink_retain(aconnector->dc_sink); ++ if (aconnector->dc_sink) ++ dc_sink_retain(aconnector->dc_sink); + } + } + +@@ -7296,7 +7298,8 @@ static int amdgpu_dm_connector_get_modes(struct drm_connector *connector) + drm_add_modes_noedid(connector, 1920, 1080); + } else { + amdgpu_dm_connector_ddc_get_modes(connector, edid); +- amdgpu_dm_connector_add_common_modes(encoder, connector); ++ if (encoder) ++ amdgpu_dm_connector_add_common_modes(encoder, connector); + amdgpu_dm_connector_add_freesync_modes(connector, edid); + } + amdgpu_dm_fbc_init(connector); +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-the-null-pointer-dereference-for-vega.patch b/queue-6.6/drm-amd-pm-fix-the-null-pointer-dereference-for-vega.patch new file mode 100644 index 00000000000..adbe8b90144 --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-the-null-pointer-dereference-for-vega.patch @@ -0,0 +1,114 @@ +From ce03517e62a7a03d498af28f652d8b91b7b8e0f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 15:01:22 +0800 +Subject: drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr + +From: Bob Zhou + +[ Upstream commit 50151b7f1c79a09117837eb95b76c2de76841dab ] + +Check return value and conduct null pointer handling to avoid null pointer dereference. + +Signed-off-by: Bob Zhou +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 29 ++++++++++++++++--- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index 49c984f14e6b1..d43a530aba0e3 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -3418,13 +3418,17 @@ static int vega10_find_dpm_states_clocks_in_dpm_table(struct pp_hwmgr *hwmgr, co + const struct vega10_power_state *vega10_ps = + cast_const_phw_vega10_power_state(states->pnew_state); + struct vega10_single_dpm_table *sclk_table = &(data->dpm_table.gfx_table); +- uint32_t sclk = vega10_ps->performance_levels +- [vega10_ps->performance_level_count - 1].gfx_clock; + struct vega10_single_dpm_table *mclk_table = &(data->dpm_table.mem_table); +- uint32_t mclk = vega10_ps->performance_levels +- [vega10_ps->performance_level_count - 1].mem_clock; ++ uint32_t sclk, mclk; + uint32_t i; + ++ if (vega10_ps == NULL) ++ return -EINVAL; ++ sclk = vega10_ps->performance_levels ++ [vega10_ps->performance_level_count - 1].gfx_clock; ++ mclk = vega10_ps->performance_levels ++ [vega10_ps->performance_level_count - 1].mem_clock; ++ + for (i = 0; i < sclk_table->count; i++) { + if (sclk == sclk_table->dpm_levels[i].value) + break; +@@ -3731,6 +3735,9 @@ static int vega10_generate_dpm_level_enable_mask( + cast_const_phw_vega10_power_state(states->pnew_state); + int i; + ++ if (vega10_ps == NULL) ++ return -EINVAL; ++ + PP_ASSERT_WITH_CODE(!vega10_trim_dpm_states(hwmgr, vega10_ps), + "Attempt to Trim DPM States Failed!", + return -1); +@@ -4998,6 +5005,8 @@ static int vega10_check_states_equal(struct pp_hwmgr *hwmgr, + + vega10_psa = cast_const_phw_vega10_power_state(pstate1); + vega10_psb = cast_const_phw_vega10_power_state(pstate2); ++ if (vega10_psa == NULL || vega10_psb == NULL) ++ return -EINVAL; + + /* If the two states don't even have the same number of performance levels + * they cannot be the same state. +@@ -5131,6 +5140,8 @@ static int vega10_set_sclk_od(struct pp_hwmgr *hwmgr, uint32_t value) + return -EINVAL; + + vega10_ps = cast_phw_vega10_power_state(&ps->hardware); ++ if (vega10_ps == NULL) ++ return -EINVAL; + + vega10_ps->performance_levels + [vega10_ps->performance_level_count - 1].gfx_clock = +@@ -5182,6 +5193,8 @@ static int vega10_set_mclk_od(struct pp_hwmgr *hwmgr, uint32_t value) + return -EINVAL; + + vega10_ps = cast_phw_vega10_power_state(&ps->hardware); ++ if (vega10_ps == NULL) ++ return -EINVAL; + + vega10_ps->performance_levels + [vega10_ps->performance_level_count - 1].mem_clock = +@@ -5423,6 +5436,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr) + return; + + vega10_ps = cast_phw_vega10_power_state(&ps->hardware); ++ if (vega10_ps == NULL) ++ return; ++ + max_level = vega10_ps->performance_level_count - 1; + + if (vega10_ps->performance_levels[max_level].gfx_clock != +@@ -5445,6 +5461,9 @@ static void vega10_odn_update_power_state(struct pp_hwmgr *hwmgr) + + ps = (struct pp_power_state *)((unsigned long)(hwmgr->ps) + hwmgr->ps_size * (hwmgr->num_ps - 1)); + vega10_ps = cast_phw_vega10_power_state(&ps->hardware); ++ if (vega10_ps == NULL) ++ return; ++ + max_level = vega10_ps->performance_level_count - 1; + + if (vega10_ps->performance_levels[max_level].gfx_clock != +@@ -5635,6 +5654,8 @@ static int vega10_get_performance_level(struct pp_hwmgr *hwmgr, const struct pp_ + return -EINVAL; + + vega10_ps = cast_const_phw_vega10_power_state(state); ++ if (vega10_ps == NULL) ++ return -EINVAL; + + i = index > vega10_ps->performance_level_count - 1 ? + vega10_ps->performance_level_count - 1 : index; +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-add-lock-around-vf-rlcg-interface.patch b/queue-6.6/drm-amdgpu-add-lock-around-vf-rlcg-interface.patch new file mode 100644 index 00000000000..a4ee8dc2b84 --- /dev/null +++ b/queue-6.6/drm-amdgpu-add-lock-around-vf-rlcg-interface.patch @@ -0,0 +1,78 @@ +From 8a517f4726526705df098e74284186fe8952dd18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 16:10:43 -0400 +Subject: drm/amdgpu: Add lock around VF RLCG interface + +From: Victor Skvortsov + +[ Upstream commit e864180ee49b4d30e640fd1e1d852b86411420c9 ] + +flush_gpu_tlb may be called from another thread while +device_gpu_recover is running. + +Both of these threads access registers through the VF +RLCG interface during VF Full Access. Add a lock around this interface +to prevent race conditions between these threads. + +Signed-off-by: Victor Skvortsov +Reviewed-by: Zhigang Luo +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 6 ++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 ++ + 3 files changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index ea1bce13db941..eb663eb811563 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3561,6 +3561,7 @@ int amdgpu_device_init(struct amdgpu_device *adev, + mutex_init(&adev->grbm_idx_mutex); + mutex_init(&adev->mn_lock); + mutex_init(&adev->virt.vf_errors.lock); ++ mutex_init(&adev->virt.rlcg_reg_lock); + hash_init(adev->mn_hash); + mutex_init(&adev->psp.mutex); + mutex_init(&adev->notifier_lock); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +index 96857ae7fb5bc..ff4f52e07cc0d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -1003,6 +1003,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v + scratch_reg1 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg1; + scratch_reg2 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg2; + scratch_reg3 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg3; ++ ++ mutex_lock(&adev->virt.rlcg_reg_lock); ++ + if (reg_access_ctrl->spare_int) + spare_int = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->spare_int; + +@@ -1058,6 +1061,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v + } + + ret = readl(scratch_reg0); ++ ++ mutex_unlock(&adev->virt.rlcg_reg_lock); ++ + return ret; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +index fabb83e9d9aec..23b6efa9d25df 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +@@ -263,6 +263,8 @@ struct amdgpu_virt { + + /* the ucode id to signal the autoload */ + uint32_t autoload_ucode_id; ++ ++ struct mutex rlcg_reg_lock; + }; + + struct amdgpu_video_codec_info; +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-potential-resource-leak-warning.patch b/queue-6.6/drm-amdgpu-fix-potential-resource-leak-warning.patch new file mode 100644 index 00000000000..b3bf7e386c6 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-potential-resource-leak-warning.patch @@ -0,0 +1,42 @@ +From 8993fbdde5a9b66b17732930809e78fcee983459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 11:09:00 +0800 +Subject: drm/amdgpu: fix potential resource leak warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tim Huang + +[ Upstream commit 22a5daaec0660dd19740c4c6608b78f38760d1e6 ] + +Clear resource leak warning that when the prepare fails, +the allocated amdgpu job object will never be released. + +Signed-off-by: Tim Huang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c +index 349416e176a12..1cf1498204678 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c +@@ -102,6 +102,11 @@ static int amdgpu_vm_sdma_prepare(struct amdgpu_vm_update_params *p, + if (!r) + r = amdgpu_sync_push_to_job(&sync, p->job); + amdgpu_sync_free(&sync); ++ ++ if (r) { ++ p->num_dw_left = 0; ++ amdgpu_job_free(p->job); ++ } + return r; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-the-null-pointer-dereference-to-ras_m.patch b/queue-6.6/drm-amdgpu-fix-the-null-pointer-dereference-to-ras_m.patch new file mode 100644 index 00000000000..0ccf45a1c92 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-the-null-pointer-dereference-to-ras_m.patch @@ -0,0 +1,44 @@ +From 0def5d8a1d7259a657c5910affbd4279220ff4d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 May 2024 15:48:02 +0800 +Subject: drm/amdgpu: Fix the null pointer dereference to ras_manager + +From: Ma Jun + +[ Upstream commit 4c11d30c95576937c6c35e6f29884761f2dddb43 ] + +Check ras_manager before using it + +Signed-off-by: Ma Jun +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +index 67b75ff0f7c37..7cba98f8bbdca 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -1780,12 +1780,15 @@ static void amdgpu_ras_interrupt_process_handler(struct work_struct *work) + int amdgpu_ras_interrupt_dispatch(struct amdgpu_device *adev, + struct ras_dispatch_if *info) + { +- struct ras_manager *obj = amdgpu_ras_find_obj(adev, &info->head); +- struct ras_ih_data *data = &obj->ih_data; ++ struct ras_manager *obj; ++ struct ras_ih_data *data; + ++ obj = amdgpu_ras_find_obj(adev, &info->head); + if (!obj) + return -EINVAL; + ++ data = &obj->ih_data; ++ + if (data->inuse == 0) + return 0; + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-for-s.patch b/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-for-s.patch new file mode 100644 index 00000000000..d79c142c670 --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-for-s.patch @@ -0,0 +1,99 @@ +From ca957f6b36b73eac8a2443675b557956f74def0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 15:01:59 +0800 +Subject: drm/amdgpu/pm: Fix the null pointer dereference for smu7 + +From: Ma Jun + +[ Upstream commit c02c1960c93eede587576625a1221205a68a904f ] + +optimize the code to avoid pass a null pointer (hwmgr->backend) +to function smu7_update_edc_leakage_table. + +Signed-off-by: Ma Jun +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 50 +++++++++---------- + 1 file changed, 24 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +index aa91730e4eaff..15515025d995b 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +@@ -2957,6 +2957,7 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr) + + static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + { ++ struct amdgpu_device *adev = hwmgr->adev; + struct smu7_hwmgr *data; + int result = 0; + +@@ -2993,40 +2994,37 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + /* Initalize Dynamic State Adjustment Rule Settings */ + result = phm_initializa_dynamic_state_adjustment_rule_settings(hwmgr); + +- if (0 == result) { +- struct amdgpu_device *adev = hwmgr->adev; ++ if (result) ++ goto fail; + +- data->is_tlu_enabled = false; ++ data->is_tlu_enabled = false; + +- hwmgr->platform_descriptor.hardwareActivityPerformanceLevels = ++ hwmgr->platform_descriptor.hardwareActivityPerformanceLevels = + SMU7_MAX_HARDWARE_POWERLEVELS; +- hwmgr->platform_descriptor.hardwarePerformanceLevels = 2; +- hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50; ++ hwmgr->platform_descriptor.hardwarePerformanceLevels = 2; ++ hwmgr->platform_descriptor.minimumClocksReductionPercentage = 50; + +- data->pcie_gen_cap = adev->pm.pcie_gen_mask; +- if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3) +- data->pcie_spc_cap = 20; +- else +- data->pcie_spc_cap = 16; +- data->pcie_lane_cap = adev->pm.pcie_mlw_mask; +- +- hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */ +-/* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */ +- hwmgr->platform_descriptor.clockStep.engineClock = 500; +- hwmgr->platform_descriptor.clockStep.memoryClock = 500; +- smu7_thermal_parameter_init(hwmgr); +- } else { +- /* Ignore return value in here, we are cleaning up a mess. */ +- smu7_hwmgr_backend_fini(hwmgr); +- } ++ data->pcie_gen_cap = adev->pm.pcie_gen_mask; ++ if (data->pcie_gen_cap & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3) ++ data->pcie_spc_cap = 20; ++ else ++ data->pcie_spc_cap = 16; ++ data->pcie_lane_cap = adev->pm.pcie_mlw_mask; ++ ++ hwmgr->platform_descriptor.vbiosInterruptId = 0x20000400; /* IRQ_SOURCE1_SW_INT */ ++ /* The true clock step depends on the frequency, typically 4.5 or 9 MHz. Here we use 5. */ ++ hwmgr->platform_descriptor.clockStep.engineClock = 500; ++ hwmgr->platform_descriptor.clockStep.memoryClock = 500; ++ smu7_thermal_parameter_init(hwmgr); + + result = smu7_update_edc_leakage_table(hwmgr); +- if (result) { +- smu7_hwmgr_backend_fini(hwmgr); +- return result; +- } ++ if (result) ++ goto fail; + + return 0; ++fail: ++ smu7_hwmgr_backend_fini(hwmgr); ++ return result; + } + + static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr) +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-in-ap.patch b/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-in-ap.patch new file mode 100644 index 00000000000..2b3fbc09ed2 --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-fix-the-null-pointer-dereference-in-ap.patch @@ -0,0 +1,105 @@ +From 1fca8af3e95e876f52159a1121890fdceaa80137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 15:51:35 +0800 +Subject: drm/amdgpu/pm: Fix the null pointer dereference in + apply_state_adjust_rules + +From: Ma Jun + +[ Upstream commit d19fb10085a49b77578314f69fff21562f7cd054 ] + +Check the pointer value to fix potential null pointer +dereference + +Acked-by: Yang Wang +Signed-off-by: Ma Jun +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 7 +++++-- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 ++++++++------ + .../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 7 +++++-- + 3 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +index 15515025d995b..163864bd51c34 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +@@ -3314,8 +3314,7 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + const struct pp_power_state *current_ps) + { + struct amdgpu_device *adev = hwmgr->adev; +- struct smu7_power_state *smu7_ps = +- cast_phw_smu7_power_state(&request_ps->hardware); ++ struct smu7_power_state *smu7_ps; + uint32_t sclk; + uint32_t mclk; + struct PP_Clocks minimum_clocks = {0}; +@@ -3332,6 +3331,10 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + uint32_t latency; + bool latency_allowed = false; + ++ smu7_ps = cast_phw_smu7_power_state(&request_ps->hardware); ++ if (!smu7_ps) ++ return -EINVAL; ++ + data->battery_state = (PP_StateUILabel_Battery == + request_ps->classification.ui_label); + data->mclk_ignore_signal = false; +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +index b015a601b385a..eb744401e0567 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +@@ -1065,16 +1065,18 @@ static int smu8_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + struct pp_power_state *prequest_ps, + const struct pp_power_state *pcurrent_ps) + { +- struct smu8_power_state *smu8_ps = +- cast_smu8_power_state(&prequest_ps->hardware); +- +- const struct smu8_power_state *smu8_current_ps = +- cast_const_smu8_power_state(&pcurrent_ps->hardware); +- ++ struct smu8_power_state *smu8_ps; ++ const struct smu8_power_state *smu8_current_ps; + struct smu8_hwmgr *data = hwmgr->backend; + struct PP_Clocks clocks = {0, 0, 0, 0}; + bool force_high; + ++ smu8_ps = cast_smu8_power_state(&prequest_ps->hardware); ++ smu8_current_ps = cast_const_smu8_power_state(&pcurrent_ps->hardware); ++ ++ if (!smu8_ps || !smu8_current_ps) ++ return -EINVAL; ++ + smu8_ps->need_dfs_bypass = true; + + data->battery_state = (PP_StateUILabel_Battery == prequest_ps->classification.ui_label); +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index 6d6bc6a380b36..49c984f14e6b1 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -3259,8 +3259,7 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + const struct pp_power_state *current_ps) + { + struct amdgpu_device *adev = hwmgr->adev; +- struct vega10_power_state *vega10_ps = +- cast_phw_vega10_power_state(&request_ps->hardware); ++ struct vega10_power_state *vega10_ps; + uint32_t sclk; + uint32_t mclk; + struct PP_Clocks minimum_clocks = {0}; +@@ -3278,6 +3277,10 @@ static int vega10_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + uint32_t stable_pstate_sclk = 0, stable_pstate_mclk = 0; + uint32_t latency; + ++ vega10_ps = cast_phw_vega10_power_state(&request_ps->hardware); ++ if (!vega10_ps) ++ return -EINVAL; ++ + data->battery_state = (PP_StateUILabel_Battery == + request_ps->classification.ui_label); + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-fix-the-param-type-of-set_power_profil.patch b/queue-6.6/drm-amdgpu-pm-fix-the-param-type-of-set_power_profil.patch new file mode 100644 index 00000000000..79581ea36a1 --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-fix-the-param-type-of-set_power_profil.patch @@ -0,0 +1,151 @@ +From 1feffa979fc13c393bce89412c881c710aa7a2cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 15:58:10 +0800 +Subject: drm/amdgpu/pm: Fix the param type of set_power_profile_mode + +From: Ma Jun + +[ Upstream commit f683f24093dd94a831085fe0ea8e9dc4c6c1a2d1 ] + +Function .set_power_profile_mode need an array as input +parameter. So define variable workload as an array to fix +the below coverity warning. + +"Passing &workload to function hwmgr->hwmgr_func->set_power_profile_mode +which uses it as an array. This might corrupt or misinterpret adjacent +memory locations" + +Signed-off-by: Ma Jun +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 8 ++++---- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 8 ++++---- + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 16 ++++++++-------- + 3 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c +index 9e4f8a4104a34..7bf46e4974f88 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c +@@ -927,7 +927,7 @@ static int pp_dpm_switch_power_profile(void *handle, + enum PP_SMC_POWER_PROFILE type, bool en) + { + struct pp_hwmgr *hwmgr = handle; +- long workload; ++ long workload[1]; + uint32_t index; + + if (!hwmgr || !hwmgr->pm_en) +@@ -945,12 +945,12 @@ static int pp_dpm_switch_power_profile(void *handle, + hwmgr->workload_mask &= ~(1 << hwmgr->workload_prority[type]); + index = fls(hwmgr->workload_mask); + index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0; +- workload = hwmgr->workload_setting[index]; ++ workload[0] = hwmgr->workload_setting[index]; + } else { + hwmgr->workload_mask |= (1 << hwmgr->workload_prority[type]); + index = fls(hwmgr->workload_mask); + index = index <= Workload_Policy_Max ? index - 1 : 0; +- workload = hwmgr->workload_setting[index]; ++ workload[0] = hwmgr->workload_setting[index]; + } + + if (type == PP_SMC_POWER_PROFILE_COMPUTE && +@@ -960,7 +960,7 @@ static int pp_dpm_switch_power_profile(void *handle, + } + + if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL) +- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0); ++ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0); + + return 0; + } +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c +index 1d829402cd2e2..f4bd8e9357e22 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c +@@ -269,7 +269,7 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set + struct pp_power_state *new_ps) + { + uint32_t index; +- long workload; ++ long workload[1]; + + if (hwmgr->not_vf) { + if (!skip_display_settings) +@@ -294,10 +294,10 @@ int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_set + if (hwmgr->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL) { + index = fls(hwmgr->workload_mask); + index = index > 0 && index <= Workload_Policy_Max ? index - 1 : 0; +- workload = hwmgr->workload_setting[index]; ++ workload[0] = hwmgr->workload_setting[index]; + +- if (hwmgr->power_profile_mode != workload && hwmgr->hwmgr_func->set_power_profile_mode) +- hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, &workload, 0); ++ if (hwmgr->power_profile_mode != workload[0] && hwmgr->hwmgr_func->set_power_profile_mode) ++ hwmgr->hwmgr_func->set_power_profile_mode(hwmgr, workload, 0); + } + + return 0; +diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +index 56e4c312cb7a9..1402e468aa90f 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +@@ -1846,7 +1846,7 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu, + { + int ret = 0; + int index = 0; +- long workload; ++ long workload[1]; + struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm); + + if (!skip_display_settings) { +@@ -1886,10 +1886,10 @@ static int smu_adjust_power_state_dynamic(struct smu_context *smu, + smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) { + index = fls(smu->workload_mask); + index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; +- workload = smu->workload_setting[index]; ++ workload[0] = smu->workload_setting[index]; + +- if (smu->power_profile_mode != workload) +- smu_bump_power_profile_mode(smu, &workload, 0); ++ if (smu->power_profile_mode != workload[0]) ++ smu_bump_power_profile_mode(smu, workload, 0); + } + + return ret; +@@ -1939,7 +1939,7 @@ static int smu_switch_power_profile(void *handle, + { + struct smu_context *smu = handle; + struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm); +- long workload; ++ long workload[1]; + uint32_t index; + + if (!smu->pm_enabled || !smu->adev->pm.dpm_enabled) +@@ -1952,17 +1952,17 @@ static int smu_switch_power_profile(void *handle, + smu->workload_mask &= ~(1 << smu->workload_prority[type]); + index = fls(smu->workload_mask); + index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; +- workload = smu->workload_setting[index]; ++ workload[0] = smu->workload_setting[index]; + } else { + smu->workload_mask |= (1 << smu->workload_prority[type]); + index = fls(smu->workload_mask); + index = index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; +- workload = smu->workload_setting[index]; ++ workload[0] = smu->workload_setting[index]; + } + + if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL && + smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) +- smu_bump_power_profile_mode(smu, &workload, 0); ++ smu_bump_power_profile_mode(smu, workload, 0); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/ext4-fix-uninitialized-variable-in-ext4_inlinedir_to.patch b/queue-6.6/ext4-fix-uninitialized-variable-in-ext4_inlinedir_to.patch new file mode 100644 index 00000000000..43088432ada --- /dev/null +++ b/queue-6.6/ext4-fix-uninitialized-variable-in-ext4_inlinedir_to.patch @@ -0,0 +1,48 @@ +From 39263672c5c5fd92d89bbc7ec845738cb6f7e51d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 20:30:17 -0700 +Subject: ext4: fix uninitialized variable in ext4_inlinedir_to_tree + +From: Xiaxi Shen + +[ Upstream commit 8dc9c3da79c84b13fdb135e2fb0a149a8175bffe ] + +Syzbot has found an uninit-value bug in ext4_inlinedir_to_tree + +This error happens because ext4_inlinedir_to_tree does not +handle the case when ext4fs_dirhash returns an error + +This can be avoided by checking the return value of ext4fs_dirhash +and propagating the error, +similar to how it's done with ext4_htree_store_dirent + +Signed-off-by: Xiaxi Shen +Reported-and-tested-by: syzbot+eaba5abe296837a640c0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=eaba5abe296837a640c0 +Link: https://patch.msgid.link/20240501033017.220000-1-shenxiaxi26@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 012d9259ff532..a604aa1d23aed 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1411,7 +1411,11 @@ int ext4_inlinedir_to_tree(struct file *dir_file, + hinfo->hash = EXT4_DIRENT_HASH(de); + hinfo->minor_hash = EXT4_DIRENT_MINOR_HASH(de); + } else { +- ext4fs_dirhash(dir, de->name, de->name_len, hinfo); ++ err = ext4fs_dirhash(dir, de->name, de->name_len, hinfo); ++ if (err) { ++ ret = err; ++ goto out; ++ } + } + if ((hinfo->hash < start_hash) || + ((hinfo->hash == start_hash) && +-- +2.43.0 + diff --git a/queue-6.6/gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch b/queue-6.6/gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch new file mode 100644 index 00000000000..d2da6bac267 --- /dev/null +++ b/queue-6.6/gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch @@ -0,0 +1,54 @@ +From b7546dc9b1ff0ae8a3dd7d0feca3a9314c6fb089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 May 2024 08:53:32 +0000 +Subject: gpio: prevent potential speculation leaks in gpio_device_get_desc() + +From: Hagar Hemdan + +[ Upstream commit d795848ecce24a75dfd46481aee066ae6fe39775 ] + +Userspace may trigger a speculative read of an address outside the gpio +descriptor array. +Users can do that by calling gpio_ioctl() with an offset out of range. +Offset is copied from user and then used as an array index to get +the gpio descriptor without sanitization in gpio_device_get_desc(). + +This change ensures that the offset is sanitized by using +array_index_nospec() to mitigate any possibility of speculative +information leaks. + +This bug was discovered and resolved using Coverity Static Analysis +Security Testing (SAST) by Synopsys, Inc. + +Signed-off-by: Hagar Hemdan +Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 1c512ed3fa6d9..5c0016c77d2ab 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -164,7 +165,7 @@ struct gpio_desc *gpiochip_get_desc(struct gpio_chip *gc, + if (hwnum >= gdev->ngpio) + return ERR_PTR(-EINVAL); + +- return &gdev->descs[hwnum]; ++ return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)]; + } + EXPORT_SYMBOL_GPL(gpiochip_get_desc); + +-- +2.43.0 + diff --git a/queue-6.6/hwmon-corsair-psu-add-usb-id-of-hx1200i-series-2023-.patch b/queue-6.6/hwmon-corsair-psu-add-usb-id-of-hx1200i-series-2023-.patch new file mode 100644 index 00000000000..6840b5d220c --- /dev/null +++ b/queue-6.6/hwmon-corsair-psu-add-usb-id-of-hx1200i-series-2023-.patch @@ -0,0 +1,69 @@ +From b05eca5d4e7ff3c2f9f27ab17ca1f6979c5b983a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2024 04:38:11 +0000 +Subject: hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu + +From: Wilken Gottwalt + +[ Upstream commit b9c15c96ccb47ad860af2e075c5f3c90c4cd1730 ] + +Add the usb id of the HX1200i Series 2023. Update the documentation +accordingly. Also fix the version comments, there are no Series 2022 +products. That are legacy or first version products going back many +many years. + +Signed-off-by: Wilken Gottwalt +Link: https://lore.kernel.org/r/ZlAZs4u0dU7JxtDf@monster.localdomain +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + Documentation/hwmon/corsair-psu.rst | 6 +++--- + drivers/hwmon/corsair-psu.c | 7 ++++--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/Documentation/hwmon/corsair-psu.rst b/Documentation/hwmon/corsair-psu.rst +index 16db34d464dd6..7ed794087f848 100644 +--- a/Documentation/hwmon/corsair-psu.rst ++++ b/Documentation/hwmon/corsair-psu.rst +@@ -15,11 +15,11 @@ Supported devices: + + Corsair HX850i + +- Corsair HX1000i (Series 2022 and 2023) ++ Corsair HX1000i (Legacy and Series 2023) + +- Corsair HX1200i ++ Corsair HX1200i (Legacy and Series 2023) + +- Corsair HX1500i (Series 2022 and 2023) ++ Corsair HX1500i (Legacy and Series 2023) + + Corsair RM550i + +diff --git a/drivers/hwmon/corsair-psu.c b/drivers/hwmon/corsair-psu.c +index 2c7c92272fe39..f8f22b8a67cdf 100644 +--- a/drivers/hwmon/corsair-psu.c ++++ b/drivers/hwmon/corsair-psu.c +@@ -875,15 +875,16 @@ static const struct hid_device_id corsairpsu_idtable[] = { + { HID_USB_DEVICE(0x1b1c, 0x1c04) }, /* Corsair HX650i */ + { HID_USB_DEVICE(0x1b1c, 0x1c05) }, /* Corsair HX750i */ + { HID_USB_DEVICE(0x1b1c, 0x1c06) }, /* Corsair HX850i */ +- { HID_USB_DEVICE(0x1b1c, 0x1c07) }, /* Corsair HX1000i Series 2022 */ +- { HID_USB_DEVICE(0x1b1c, 0x1c08) }, /* Corsair HX1200i */ ++ { HID_USB_DEVICE(0x1b1c, 0x1c07) }, /* Corsair HX1000i Legacy */ ++ { HID_USB_DEVICE(0x1b1c, 0x1c08) }, /* Corsair HX1200i Legacy */ + { HID_USB_DEVICE(0x1b1c, 0x1c09) }, /* Corsair RM550i */ + { HID_USB_DEVICE(0x1b1c, 0x1c0a) }, /* Corsair RM650i */ + { HID_USB_DEVICE(0x1b1c, 0x1c0b) }, /* Corsair RM750i */ + { HID_USB_DEVICE(0x1b1c, 0x1c0c) }, /* Corsair RM850i */ + { HID_USB_DEVICE(0x1b1c, 0x1c0d) }, /* Corsair RM1000i */ + { HID_USB_DEVICE(0x1b1c, 0x1c1e) }, /* Corsair HX1000i Series 2023 */ +- { HID_USB_DEVICE(0x1b1c, 0x1c1f) }, /* Corsair HX1500i Series 2022 and 2023 */ ++ { HID_USB_DEVICE(0x1b1c, 0x1c1f) }, /* Corsair HX1500i Legacy and Series 2023 */ ++ { HID_USB_DEVICE(0x1b1c, 0x1c23) }, /* Corsair HX1200i Series 2023 */ + { }, + }; + MODULE_DEVICE_TABLE(hid, corsairpsu_idtable); +-- +2.43.0 + diff --git a/queue-6.6/ice-fix-reset-handler.patch b/queue-6.6/ice-fix-reset-handler.patch new file mode 100644 index 00000000000..aa7dd7a27e2 --- /dev/null +++ b/queue-6.6/ice-fix-reset-handler.patch @@ -0,0 +1,39 @@ +From eed5561d7909082917b2e5933a435c5439659972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 17:39:10 +0200 +Subject: ice: Fix reset handler + +From: Grzegorz Nitka + +[ Upstream commit 25a7123579ecac9a89a7e5b8d8a580bee4b68acd ] + +Synchronize OICR IRQ when preparing for reset to avoid potential +race conditions between the reset procedure and OICR + +Fixes: 4aad5335969f ("ice: add individual interrupt allocation") +Signed-off-by: Grzegorz Nitka +Signed-off-by: Sergey Temerkhanov +Reviewed-by: Przemek Kitszel +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 600a2f5370875..b168a37a5dfff 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -557,6 +557,8 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type) + if (test_bit(ICE_PREPARED_FOR_RESET, pf->state)) + return; + ++ synchronize_irq(pf->oicr_irq.virq); ++ + ice_unplug_aux_dev(pf); + + /* Notify VFs of impending reset */ +-- +2.43.0 + diff --git a/queue-6.6/irqchip-mbigen-fix-mbigen-node-address-layout.patch b/queue-6.6/irqchip-mbigen-fix-mbigen-node-address-layout.patch new file mode 100644 index 00000000000..2e517852050 --- /dev/null +++ b/queue-6.6/irqchip-mbigen-fix-mbigen-node-address-layout.patch @@ -0,0 +1,89 @@ +From b8062172a49fdcde3b495560c35767ef76d3c613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:44:00 +0800 +Subject: irqchip/mbigen: Fix mbigen node address layout + +From: Yipeng Zou + +[ Upstream commit 6be6cba9c4371d27f78d900ccfe34bb880d9ee20 ] + +The mbigen interrupt chip has its per node registers located in a +contiguous region of page sized chunks. The code maps them into virtual +address space as a contiguous region and determines the address of a node +by using the node ID as index. + + mbigen chip + |-----------------|------------|--------------| + mgn_node_0 mgn_node_1 ... mgn_node_i +|--------------| |--------------| |----------------------| +[0x0000, 0x0x0FFF] [0x1000, 0x1FFF] [i*0x1000, (i+1)*0x1000 - 1] + +This works correctly up to 10 nodes, but then fails because the 11th's +array slot is used for the MGN_CLEAR registers. + + mbigen chip + |-----------|--------|--------|---------------|--------| +mgn_node_0 mgn_node_1 ... mgn_clear_register ... mgn_node_i + |-----------------| + [0xA000, 0xAFFF] + +Skip the MGN_CLEAR register space when calculating the offset for node IDs +greater than or equal to ten. + +Fixes: a6c2f87b8820 ("irqchip/mbigen: Implement the mbigen irq chip operation functions") +Signed-off-by: Yipeng Zou +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20240730014400.1751530-1-zouyipeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mbigen.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c +index 58881d3139792..244a8d489cac6 100644 +--- a/drivers/irqchip/irq-mbigen.c ++++ b/drivers/irqchip/irq-mbigen.c +@@ -64,6 +64,20 @@ struct mbigen_device { + void __iomem *base; + }; + ++static inline unsigned int get_mbigen_node_offset(unsigned int nid) ++{ ++ unsigned int offset = nid * MBIGEN_NODE_OFFSET; ++ ++ /* ++ * To avoid touched clear register in unexpected way, we need to directly ++ * skip clear register when access to more than 10 mbigen nodes. ++ */ ++ if (nid >= (REG_MBIGEN_CLEAR_OFFSET / MBIGEN_NODE_OFFSET)) ++ offset += MBIGEN_NODE_OFFSET; ++ ++ return offset; ++} ++ + static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq) + { + unsigned int nid, pin; +@@ -72,8 +86,7 @@ static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq) + nid = hwirq / IRQS_PER_MBIGEN_NODE + 1; + pin = hwirq % IRQS_PER_MBIGEN_NODE; + +- return pin * 4 + nid * MBIGEN_NODE_OFFSET +- + REG_MBIGEN_VEC_OFFSET; ++ return pin * 4 + get_mbigen_node_offset(nid) + REG_MBIGEN_VEC_OFFSET; + } + + static inline void get_mbigen_type_reg(irq_hw_number_t hwirq, +@@ -88,8 +101,7 @@ static inline void get_mbigen_type_reg(irq_hw_number_t hwirq, + *mask = 1 << (irq_ofst % 32); + ofst = irq_ofst / 32 * 4; + +- *addr = ofst + nid * MBIGEN_NODE_OFFSET +- + REG_MBIGEN_TYPE_OFFSET; ++ *addr = ofst + get_mbigen_node_offset(nid) + REG_MBIGEN_TYPE_OFFSET; + } + + static inline void get_mbigen_clear_reg(irq_hw_number_t hwirq, +-- +2.43.0 + diff --git a/queue-6.6/jbd2-avoid-memleak-in-jbd2_journal_write_metadata_bu.patch b/queue-6.6/jbd2-avoid-memleak-in-jbd2_journal_write_metadata_bu.patch new file mode 100644 index 00000000000..caa4e732487 --- /dev/null +++ b/queue-6.6/jbd2-avoid-memleak-in-jbd2_journal_write_metadata_bu.patch @@ -0,0 +1,37 @@ +From f25b188724334ea7b17a94e6e944c29e48578a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 May 2024 19:24:30 +0800 +Subject: jbd2: avoid memleak in jbd2_journal_write_metadata_buffer + +From: Kemeng Shi + +[ Upstream commit cc102aa24638b90e04364d64e4f58a1fa91a1976 ] + +The new_bh is from alloc_buffer_head, we should call free_buffer_head to +free it in error case. + +Signed-off-by: Kemeng Shi +Reviewed-by: Zhang Yi +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240514112438.1269037-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 0168d28427077..57264eb4d9da3 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -399,6 +399,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction, + tmp = jbd2_alloc(bh_in->b_size, GFP_NOFS); + if (!tmp) { + brelse(new_bh); ++ free_buffer_head(new_bh); + return -ENOMEM; + } + spin_lock(&jh_in->b_state_lock); +-- +2.43.0 + diff --git a/queue-6.6/jump_label-fix-the-fix-brown-paper-bags-galore.patch b/queue-6.6/jump_label-fix-the-fix-brown-paper-bags-galore.patch new file mode 100644 index 00000000000..d815098e402 --- /dev/null +++ b/queue-6.6/jump_label-fix-the-fix-brown-paper-bags-galore.patch @@ -0,0 +1,62 @@ +From 7442172301401d6d88df59821daa4799802ac8f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 12:43:21 +0200 +Subject: jump_label: Fix the fix, brown paper bags galore + +From: Peter Zijlstra + +[ Upstream commit 224fa3552029a3d14bec7acf72ded8171d551b88 ] + +Per the example of: + + !atomic_cmpxchg(&key->enabled, 0, 1) + +the inverse was written as: + + atomic_cmpxchg(&key->enabled, 1, 0) + +except of course, that while !old is only true for old == 0, old is +true for everything except old == 0. + +Fix it to read: + + atomic_cmpxchg(&key->enabled, 1, 0) == 1 + +such that only the 1->0 transition returns true and goes on to disable +the keys. + +Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()") +Reported-by: Darrick J. Wong +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Darrick J. Wong +Link: https://lkml.kernel.org/r/20240731105557.GY33588@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/jump_label.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/jump_label.c b/kernel/jump_label.c +index eec802175ccc6..1ed269b2c4035 100644 +--- a/kernel/jump_label.c ++++ b/kernel/jump_label.c +@@ -231,7 +231,7 @@ void static_key_disable_cpuslocked(struct static_key *key) + } + + jump_label_lock(); +- if (atomic_cmpxchg(&key->enabled, 1, 0)) ++ if (atomic_cmpxchg(&key->enabled, 1, 0) == 1) + jump_label_update(key); + jump_label_unlock(); + } +@@ -284,7 +284,7 @@ static void __static_key_slow_dec_cpuslocked(struct static_key *key) + return; + + guard(mutex)(&jump_label_mutex); +- if (atomic_cmpxchg(&key->enabled, 1, 0)) ++ if (atomic_cmpxchg(&key->enabled, 1, 0) == 1) + jump_label_update(key); + else + WARN_ON_ONCE(!static_key_slow_try_dec(key)); +-- +2.43.0 + diff --git a/queue-6.6/l2tp-fix-lockdep-splat.patch b/queue-6.6/l2tp-fix-lockdep-splat.patch new file mode 100644 index 00000000000..80067fb4ff0 --- /dev/null +++ b/queue-6.6/l2tp-fix-lockdep-splat.patch @@ -0,0 +1,216 @@ +From 2babd2099d55f5295544fed2f1105b6124ecf012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 17:06:26 +0100 +Subject: l2tp: fix lockdep splat + +From: James Chapman + +[ Upstream commit 86a41ea9fd79ddb6145cb8ebf5aeafceabca6f7d ] + +When l2tp tunnels use a socket provided by userspace, we can hit +lockdep splats like the below when data is transmitted through another +(unrelated) userspace socket which then gets routed over l2tp. + +This issue was previously discussed here: +https://lore.kernel.org/netdev/87sfialu2n.fsf@cloudflare.com/ + +The solution is to have lockdep treat socket locks of l2tp tunnel +sockets separately than those of standard INET sockets. To do so, use +a different lockdep subclass where lock nesting is possible. + + ============================================ + WARNING: possible recursive locking detected + 6.10.0+ #34 Not tainted + -------------------------------------------- + iperf3/771 is trying to acquire lock: + ffff8881027601d8 (slock-AF_INET/1){+.-.}-{2:2}, at: l2tp_xmit_skb+0x243/0x9d0 + + but task is already holding lock: + ffff888102650d98 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x1848/0x1e10 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(slock-AF_INET/1); + lock(slock-AF_INET/1); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 10 locks held by iperf3/771: + #0: ffff888102650258 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x1a/0x40 + #1: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x4b/0xbc0 + #2: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x17a/0x1130 + #3: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x28b/0x9f0 + #4: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0xf9/0x260 + #5: ffff888102650d98 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x1848/0x1e10 + #6: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x4b/0xbc0 + #7: ffffffff822ac220 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x17a/0x1130 + #8: ffffffff822ac1e0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0xcc/0x1450 + #9: ffff888101f33258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x513/0x1450 + + stack backtrace: + CPU: 2 UID: 0 PID: 771 Comm: iperf3 Not tainted 6.10.0+ #34 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + Call Trace: + + dump_stack_lvl+0x69/0xa0 + dump_stack+0xc/0x20 + __lock_acquire+0x135d/0x2600 + ? srso_alias_return_thunk+0x5/0xfbef5 + lock_acquire+0xc4/0x2a0 + ? l2tp_xmit_skb+0x243/0x9d0 + ? __skb_checksum+0xa3/0x540 + _raw_spin_lock_nested+0x35/0x50 + ? l2tp_xmit_skb+0x243/0x9d0 + l2tp_xmit_skb+0x243/0x9d0 + l2tp_eth_dev_xmit+0x3c/0xc0 + dev_hard_start_xmit+0x11e/0x420 + sch_direct_xmit+0xc3/0x640 + __dev_queue_xmit+0x61c/0x1450 + ? ip_finish_output2+0xf4c/0x1130 + ip_finish_output2+0x6b6/0x1130 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __ip_finish_output+0x217/0x380 + ? srso_alias_return_thunk+0x5/0xfbef5 + __ip_finish_output+0x217/0x380 + ip_output+0x99/0x120 + __ip_queue_xmit+0xae4/0xbc0 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? tcp_options_write.constprop.0+0xcb/0x3e0 + ip_queue_xmit+0x34/0x40 + __tcp_transmit_skb+0x1625/0x1890 + __tcp_send_ack+0x1b8/0x340 + tcp_send_ack+0x23/0x30 + __tcp_ack_snd_check+0xa8/0x530 + ? srso_alias_return_thunk+0x5/0xfbef5 + tcp_rcv_established+0x412/0xd70 + tcp_v4_do_rcv+0x299/0x420 + tcp_v4_rcv+0x1991/0x1e10 + ip_protocol_deliver_rcu+0x50/0x220 + ip_local_deliver_finish+0x158/0x260 + ip_local_deliver+0xc8/0xe0 + ip_rcv+0xe5/0x1d0 + ? __pfx_ip_rcv+0x10/0x10 + __netif_receive_skb_one_core+0xce/0xe0 + ? process_backlog+0x28b/0x9f0 + __netif_receive_skb+0x34/0xd0 + ? process_backlog+0x28b/0x9f0 + process_backlog+0x2cb/0x9f0 + __napi_poll.constprop.0+0x61/0x280 + net_rx_action+0x332/0x670 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? find_held_lock+0x2b/0x80 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + handle_softirqs+0xda/0x480 + ? __dev_queue_xmit+0xa2c/0x1450 + do_softirq+0xa1/0xd0 + + + __local_bh_enable_ip+0xc8/0xe0 + ? __dev_queue_xmit+0xa2c/0x1450 + __dev_queue_xmit+0xa48/0x1450 + ? ip_finish_output2+0xf4c/0x1130 + ip_finish_output2+0x6b6/0x1130 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __ip_finish_output+0x217/0x380 + ? srso_alias_return_thunk+0x5/0xfbef5 + __ip_finish_output+0x217/0x380 + ip_output+0x99/0x120 + __ip_queue_xmit+0xae4/0xbc0 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? tcp_options_write.constprop.0+0xcb/0x3e0 + ip_queue_xmit+0x34/0x40 + __tcp_transmit_skb+0x1625/0x1890 + tcp_write_xmit+0x766/0x2fb0 + ? __entry_text_end+0x102ba9/0x102bad + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __might_fault+0x74/0xc0 + ? srso_alias_return_thunk+0x5/0xfbef5 + __tcp_push_pending_frames+0x56/0x190 + tcp_push+0x117/0x310 + tcp_sendmsg_locked+0x14c1/0x1740 + tcp_sendmsg+0x28/0x40 + inet_sendmsg+0x5d/0x90 + sock_write_iter+0x242/0x2b0 + vfs_write+0x68d/0x800 + ? __pfx_sock_write_iter+0x10/0x10 + ksys_write+0xc8/0xf0 + __x64_sys_write+0x3d/0x50 + x64_sys_call+0xfaf/0x1f50 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f4d143af992 + Code: c3 8b 07 85 c0 75 24 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 e9 01 cc ff ff 41 54 b8 02 00 00 0 + RSP: 002b:00007ffd65032058 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4d143af992 + RDX: 0000000000000025 RSI: 00007f4d143f3bcc RDI: 0000000000000005 + RBP: 00007f4d143f2b28 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4d143f3bcc + R13: 0000000000000005 R14: 0000000000000000 R15: 00007ffd650323f0 + + +Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()") +Suggested-by: Eric Dumazet +Reported-by: syzbot+6acef9e0a4d1f46c83d4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6acef9e0a4d1f46c83d4 +CC: gnault@redhat.com +CC: cong.wang@bytedance.com +Signed-off-by: James Chapman +Signed-off-by: Tom Parkin +Link: https://patch.msgid.link/20240806160626.1248317-1-jchapman@katalix.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 8d21ff25f1602..70da78ab95202 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -88,6 +88,11 @@ + /* Default trace flags */ + #define L2TP_DEFAULT_DEBUG_FLAGS 0 + ++#define L2TP_DEPTH_NESTING 2 ++#if L2TP_DEPTH_NESTING == SINGLE_DEPTH_NESTING ++#error "L2TP requires its own lockdep subclass" ++#endif ++ + /* Private data stored for received packets in the skb. + */ + struct l2tp_skb_cb { +@@ -1041,7 +1046,13 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED); + nf_reset_ct(skb); + +- bh_lock_sock_nested(sk); ++ /* L2TP uses its own lockdep subclass to avoid lockdep splats caused by ++ * nested socket calls on the same lockdep socket class. This can ++ * happen when data from a user socket is routed over l2tp, which uses ++ * another userspace socket. ++ */ ++ spin_lock_nested(&sk->sk_lock.slock, L2TP_DEPTH_NESTING); ++ + if (sock_owned_by_user(sk)) { + kfree_skb(skb); + ret = NET_XMIT_DROP; +@@ -1093,7 +1104,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl); + + out_unlock: +- bh_unlock_sock(sk); ++ spin_unlock(&sk->sk_lock.slock); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.6/md-do-not-delete-safemode_timer-in-mddev_suspend.patch b/queue-6.6/md-do-not-delete-safemode_timer-in-mddev_suspend.patch new file mode 100644 index 00000000000..2d1f457661a --- /dev/null +++ b/queue-6.6/md-do-not-delete-safemode_timer-in-mddev_suspend.patch @@ -0,0 +1,48 @@ +From 3e7ba64cd4f4c09d8c1f872b0d27323ac495c5a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 17:20:53 +0800 +Subject: md: do not delete safemode_timer in mddev_suspend + +From: Li Nan + +[ Upstream commit a8768a134518e406d41799a3594aeb74e0889cf7 ] + +The deletion of safemode_timer in mddev_suspend() is redundant and +potentially harmful now. If timer is about to be woken up but gets +deleted, 'in_sync' will remain 0 until the next write, causing array +to stay in the 'active' state instead of transitioning to 'clean'. + +Commit 0d9f4f135eb6 ("MD: Add del_timer_sync to mddev_suspend (fix +nasty panic))" introduced this deletion for dm, because if timer fired +after dm is destroyed, the resource which the timer depends on might +have been freed. + +However, commit 0dd84b319352 ("md: call __md_stop_writes in md_stop") +added __md_stop_writes() to md_stop(), which is called before freeing +resource. Timer is deleted in __md_stop_writes(), and the origin issue +is resolved. Therefore, delete safemode_timer can be removed safely now. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240508092053.1447930-1-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index b5dea664f946d..35b003b83ef1b 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -456,7 +456,6 @@ void mddev_suspend(struct mddev *mddev) + clear_bit_unlock(MD_ALLOW_SB_UPDATE, &mddev->flags); + wait_event(mddev->sb_wait, !test_bit(MD_UPDATING_SB, &mddev->flags)); + +- del_timer_sync(&mddev->safemode_timer); + /* restrict memory reclaim I/O during raid array is suspend */ + mddev->noio_flag = memalloc_noio_save(); + } +-- +2.43.0 + diff --git a/queue-6.6/md-raid5-avoid-bug_on-while-continue-reshape-after-r.patch b/queue-6.6/md-raid5-avoid-bug_on-while-continue-reshape-after-r.patch new file mode 100644 index 00000000000..4a6898edf66 --- /dev/null +++ b/queue-6.6/md-raid5-avoid-bug_on-while-continue-reshape-after-r.patch @@ -0,0 +1,93 @@ +From 57f80a6c7813cc2e584089cd9141789486012af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 21:22:51 +0800 +Subject: md/raid5: avoid BUG_ON() while continue reshape after reassembling + +From: Yu Kuai + +[ Upstream commit 305a5170dc5cf3d395bb4c4e9239bca6d0b54b49 ] + +Currently, mdadm support --revert-reshape to abort the reshape while +reassembling, as the test 07revert-grow. However, following BUG_ON() +can be triggerred by the test: + +kernel BUG at drivers/md/raid5.c:6278! +invalid opcode: 0000 [#1] PREEMPT SMP PTI +irq event stamp: 158985 +CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94 +RIP: 0010:reshape_request+0x3f1/0xe60 +Call Trace: + + raid5_sync_request+0x43d/0x550 + md_do_sync+0xb7a/0x2110 + md_thread+0x294/0x2b0 + kthread+0x147/0x1c0 + ret_from_fork+0x59/0x70 + ret_from_fork_asm+0x1a/0x30 + + +Root cause is that --revert-reshape update the raid_disks from 5 to 4, +while reshape position is still set, and after reassembling the array, +reshape position will be read from super block, then during reshape the +checking of 'writepos' that is caculated by old reshape position will +fail. + +Fix this panic the easy way first, by converting the BUG_ON() to +WARN_ON(), and stop the reshape if checkings fail. + +Noted that mdadm must fix --revert-shape as well, and probably md/raid +should enhance metadata validation as well, however this means +reassemble will fail and there must be user tools to fix the wrong +metadata. + +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240611132251.1967786-13-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 1507540a9cb4e..2c7f11e576673 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -6326,7 +6326,9 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk + safepos = conf->reshape_safe; + sector_div(safepos, data_disks); + if (mddev->reshape_backwards) { +- BUG_ON(writepos < reshape_sectors); ++ if (WARN_ON(writepos < reshape_sectors)) ++ return MaxSector; ++ + writepos -= reshape_sectors; + readpos += reshape_sectors; + safepos += reshape_sectors; +@@ -6344,14 +6346,18 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk + * to set 'stripe_addr' which is where we will write to. + */ + if (mddev->reshape_backwards) { +- BUG_ON(conf->reshape_progress == 0); ++ if (WARN_ON(conf->reshape_progress == 0)) ++ return MaxSector; ++ + stripe_addr = writepos; +- BUG_ON((mddev->dev_sectors & +- ~((sector_t)reshape_sectors - 1)) +- - reshape_sectors - stripe_addr +- != sector_nr); ++ if (WARN_ON((mddev->dev_sectors & ++ ~((sector_t)reshape_sectors - 1)) - ++ reshape_sectors - stripe_addr != sector_nr)) ++ return MaxSector; + } else { +- BUG_ON(writepos != sector_nr + reshape_sectors); ++ if (WARN_ON(writepos != sector_nr + reshape_sectors)) ++ return MaxSector; ++ + stripe_addr = sector_nr; + } + +-- +2.43.0 + diff --git a/queue-6.6/media-amphion-remove-lock-in-s_ctrl-callback.patch b/queue-6.6/media-amphion-remove-lock-in-s_ctrl-callback.patch new file mode 100644 index 00000000000..5f927711279 --- /dev/null +++ b/queue-6.6/media-amphion-remove-lock-in-s_ctrl-callback.patch @@ -0,0 +1,65 @@ +From dde8c768d2461e31aa2498c96e97900fd5cbb55b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 17:49:17 +0900 +Subject: media: amphion: Remove lock in s_ctrl callback + +From: Ming Qian + +[ Upstream commit 065927b51eb1f042c3e026cebfd55e72ccc26093 ] + +There is no need to add a lock in s_ctrl callback, it has been +synchronized by the ctrl_handler's lock, otherwise it may led to +a deadlock if the driver calls v4l2_ctrl_s_ctrl(). + +Signed-off-by: Ming Qian +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amphion/vdec.c | 2 -- + drivers/media/platform/amphion/venc.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c +index 133d77d1ea0c3..4f438eaa7d385 100644 +--- a/drivers/media/platform/amphion/vdec.c ++++ b/drivers/media/platform/amphion/vdec.c +@@ -195,7 +195,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl) + struct vdec_t *vdec = inst->priv; + int ret = 0; + +- vpu_inst_lock(inst); + switch (ctrl->id) { + case V4L2_CID_MPEG_VIDEO_DEC_DISPLAY_DELAY_ENABLE: + vdec->params.display_delay_enable = ctrl->val; +@@ -207,7 +206,6 @@ static int vdec_op_s_ctrl(struct v4l2_ctrl *ctrl) + ret = -EINVAL; + break; + } +- vpu_inst_unlock(inst); + + return ret; + } +diff --git a/drivers/media/platform/amphion/venc.c b/drivers/media/platform/amphion/venc.c +index 4eb57d793a9c0..16ed4d21519cd 100644 +--- a/drivers/media/platform/amphion/venc.c ++++ b/drivers/media/platform/amphion/venc.c +@@ -518,7 +518,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl) + struct venc_t *venc = inst->priv; + int ret = 0; + +- vpu_inst_lock(inst); + switch (ctrl->id) { + case V4L2_CID_MPEG_VIDEO_H264_PROFILE: + venc->params.profile = ctrl->val; +@@ -579,7 +578,6 @@ static int venc_op_s_ctrl(struct v4l2_ctrl *ctrl) + ret = -EINVAL; + break; + } +- vpu_inst_unlock(inst); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.6/media-uvcvideo-fix-the-bandwdith-quirk-on-usb-3.x.patch b/queue-6.6/media-uvcvideo-fix-the-bandwdith-quirk-on-usb-3.x.patch new file mode 100644 index 00000000000..7ba1ce151c9 --- /dev/null +++ b/queue-6.6/media-uvcvideo-fix-the-bandwdith-quirk-on-usb-3.x.patch @@ -0,0 +1,52 @@ +From 525008377e30b6a3b1416788aa48883d0e03d1d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 19:00:40 +0200 +Subject: media: uvcvideo: Fix the bandwdith quirk on USB 3.x + +From: Michal Pecio + +[ Upstream commit 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 ] + +The bandwidth fixup quirk doesn't know that SuperSpeed exists and has +the same 8 service intervals per millisecond as High Speed, hence its +calculations are wrong. + +Assume that all speeds from HS up use 8 intervals per millisecond. + +No further changes are needed, updated code has been confirmed to work +with all speeds from FS to SS. + +Signed-off-by: Michal Pecio +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240414190040.2255a0bc@foxbook +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index 3e9fdb9192540..91c350b254126 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -214,13 +214,13 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream, + * Compute a bandwidth estimation by multiplying the frame + * size by the number of video frames per second, divide the + * result by the number of USB frames (or micro-frames for +- * high-speed devices) per second and add the UVC header size +- * (assumed to be 12 bytes long). ++ * high- and super-speed devices) per second and add the UVC ++ * header size (assumed to be 12 bytes long). + */ + bandwidth = frame->wWidth * frame->wHeight / 8 * format->bpp; + bandwidth *= 10000000 / interval + 1; + bandwidth /= 1000; +- if (stream->dev->udev->speed == USB_SPEED_HIGH) ++ if (stream->dev->udev->speed >= USB_SPEED_HIGH) + bandwidth /= 8; + bandwidth += 12; + +-- +2.43.0 + diff --git a/queue-6.6/media-uvcvideo-ignore-empty-ts-packets.patch b/queue-6.6/media-uvcvideo-ignore-empty-ts-packets.patch new file mode 100644 index 00000000000..070883fd3bb --- /dev/null +++ b/queue-6.6/media-uvcvideo-ignore-empty-ts-packets.patch @@ -0,0 +1,129 @@ +From c0c90521eb5717f644100a39f7c1a2bc8e49969e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Mar 2024 10:48:03 +0000 +Subject: media: uvcvideo: Ignore empty TS packets + +From: Ricardo Ribalda + +[ Upstream commit 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 ] + +Some SunplusIT cameras took a borderline interpretation of the UVC 1.5 +standard, and fill the PTS and SCR fields with invalid data if the +package does not contain data. + +"STC must be captured when the first video data of a video frame is put +on the USB bus." + +Some SunplusIT devices send, e.g., + +buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000 +buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000 +buffer: 0xa7755c00 len 000668 header:0x8c stc 73779dba sof 070c pts 7376d37a + +While the UVC specification meant that the first two packets shouldn't +have had the SCR bit set in the header. + +This borderline/buggy interpretation has been implemented in a variety +of devices, from directly SunplusIT and from other OEMs that rebrand +SunplusIT products. So quirking based on VID:PID will be problematic. + +All the affected modules have the following extension unit: +VideoControl Interface Descriptor: + guidExtensionCode {82066163-7050-ab49-b8cc-b3855e8d221d} + +But the vendor plans to use that GUID in the future and fix the bug, +this means that we should use heuristic to figure out the broken +packets. + +This patch takes care of this. + +lsusb of one of the affected cameras: + +Bus 001 Device 003: ID 1bcf:2a01 Sunplus Innovation Technology Inc. +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.01 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 ? + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x1bcf Sunplus Innovation Technology Inc. + idProduct 0x2a01 + bcdDevice 0.02 + iManufacturer 1 SunplusIT Inc + iProduct 2 HanChen Wise Camera + iSerial 3 01.00.00 + bNumConfigurations 1 + +Tested-by: HungNien Chen +Reviewed-by: Sergey Senozhatsky +Reviewed-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Reviewed-by: Tomasz Figa +Link: https://lore.kernel.org/r/20240323-resend-hwtimestamp-v10-2-b08e590d97c7@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index 5eef560bc8cd8..3e9fdb9192540 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -478,6 +478,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, + ktime_t time; + u16 host_sof; + u16 dev_sof; ++ u32 dev_stc; + + switch (data[1] & (UVC_STREAM_PTS | UVC_STREAM_SCR)) { + case UVC_STREAM_PTS | UVC_STREAM_SCR: +@@ -526,6 +527,34 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, + if (dev_sof == stream->clock.last_sof) + return; + ++ dev_stc = get_unaligned_le32(&data[header_size - 6]); ++ ++ /* ++ * STC (Source Time Clock) is the clock used by the camera. The UVC 1.5 ++ * standard states that it "must be captured when the first video data ++ * of a video frame is put on the USB bus". This is generally understood ++ * as requiring devices to clear the payload header's SCR bit before ++ * the first packet containing video data. ++ * ++ * Most vendors follow that interpretation, but some (namely SunplusIT ++ * on some devices) always set the `UVC_STREAM_SCR` bit, fill the SCR ++ * field with 0's,and expect that the driver only processes the SCR if ++ * there is data in the packet. ++ * ++ * Ignore all the hardware timestamp information if we haven't received ++ * any data for this frame yet, the packet contains no data, and both ++ * STC and SOF are zero. This heuristics should be safe on compliant ++ * devices. This should be safe with compliant devices, as in the very ++ * unlikely case where a UVC 1.1 device would send timing information ++ * only before the first packet containing data, and both STC and SOF ++ * happen to be zero for a particular frame, we would only miss one ++ * clock sample from many and the clock recovery algorithm wouldn't ++ * suffer from this condition. ++ */ ++ if (buf && buf->bytesused == 0 && len == header_size && ++ dev_stc == 0 && dev_sof == 0) ++ return; ++ + stream->clock.last_sof = dev_sof; + + host_sof = usb_get_current_frame_number(stream->dev->udev); +@@ -575,7 +604,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, + spin_lock_irqsave(&stream->clock.lock, flags); + + sample = &stream->clock.samples[stream->clock.head]; +- sample->dev_stc = get_unaligned_le32(&data[header_size - 6]); ++ sample->dev_stc = dev_stc; + sample->dev_sof = dev_sof; + sample->host_sof = host_sof; + sample->host_time = time; +-- +2.43.0 + diff --git a/queue-6.6/media-xc2028-avoid-use-after-free-in-load_firmware_c.patch b/queue-6.6/media-xc2028-avoid-use-after-free-in-load_firmware_c.patch new file mode 100644 index 00000000000..8b2df54bec6 --- /dev/null +++ b/queue-6.6/media-xc2028-avoid-use-after-free-in-load_firmware_c.patch @@ -0,0 +1,129 @@ +From 1482da79a41c7597b53134180c989ffe49e6357a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 08:22:25 -0700 +Subject: media: xc2028: avoid use-after-free in load_firmware_cb() + +From: Chi Zhiling + +[ Upstream commit 68594cec291ff9523b9feb3f43fd853dcddd1f60 ] + +syzkaller reported use-after-free in load_firmware_cb() [1]. +The reason is because the module allocated a struct tuner in tuner_probe(), +and then the module initialization failed, the struct tuner was released. +A worker which created during module initialization accesses this struct +tuner later, it caused use-after-free. + +The process is as follows: + +task-6504 worker_thread +tuner_probe <= alloc dvb_frontend [2] +... +request_firmware_nowait <= create a worker +... +tuner_remove <= free dvb_frontend +... + request_firmware_work_func <= the firmware is ready + load_firmware_cb <= but now the dvb_frontend has been freed + +To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is +null, report a warning and just return. + +[1]: + ================================================================== + BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 + Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 + + Call trace: + load_firmware_cb+0x1310/0x17a0 + request_firmware_work_func+0x128/0x220 + process_one_work+0x770/0x1824 + worker_thread+0x488/0xea0 + kthread+0x300/0x430 + ret_from_fork+0x10/0x20 + + Allocated by task 6504: + kzalloc + tuner_probe+0xb0/0x1430 + i2c_device_probe+0x92c/0xaf0 + really_probe+0x678/0xcd0 + driver_probe_device+0x280/0x370 + __device_attach_driver+0x220/0x330 + bus_for_each_drv+0x134/0x1c0 + __device_attach+0x1f4/0x410 + device_initial_probe+0x20/0x30 + bus_probe_device+0x184/0x200 + device_add+0x924/0x12c0 + device_register+0x24/0x30 + i2c_new_device+0x4e0/0xc44 + v4l2_i2c_new_subdev_board+0xbc/0x290 + v4l2_i2c_new_subdev+0xc8/0x104 + em28xx_v4l2_init+0x1dd0/0x3770 + + Freed by task 6504: + kfree+0x238/0x4e4 + tuner_remove+0x144/0x1c0 + i2c_device_remove+0xc8/0x290 + __device_release_driver+0x314/0x5fc + device_release_driver+0x30/0x44 + bus_remove_device+0x244/0x490 + device_del+0x350/0x900 + device_unregister+0x28/0xd0 + i2c_unregister_device+0x174/0x1d0 + v4l2_device_unregister+0x224/0x380 + em28xx_v4l2_init+0x1d90/0x3770 + + The buggy address belongs to the object at ffff8000d7ca2000 + which belongs to the cache kmalloc-2k of size 2048 + The buggy address is located 776 bytes inside of + 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) + The buggy address belongs to the page: + page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 + flags: 0x7ff800000000100(slab) + raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 + raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +[2] + Actually, it is allocated for struct tuner, and dvb_frontend is inside. + +Signed-off-by: Chi Zhiling +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/xc2028.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/tuners/xc2028.c b/drivers/media/tuners/xc2028.c +index 5a967edceca93..352b8a3679b72 100644 +--- a/drivers/media/tuners/xc2028.c ++++ b/drivers/media/tuners/xc2028.c +@@ -1361,9 +1361,16 @@ static void load_firmware_cb(const struct firmware *fw, + void *context) + { + struct dvb_frontend *fe = context; +- struct xc2028_data *priv = fe->tuner_priv; ++ struct xc2028_data *priv; + int rc; + ++ if (!fe) { ++ pr_warn("xc2028: No frontend in %s\n", __func__); ++ return; ++ } ++ ++ priv = fe->tuner_priv; ++ + tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error"); + if (!fw) { + tuner_err("Could not load firmware %s.\n", priv->fname); +-- +2.43.0 + diff --git a/queue-6.6/net-bcmgenet-properly-overlay-phy-and-mac-wake-on-la.patch b/queue-6.6/net-bcmgenet-properly-overlay-phy-and-mac-wake-on-la.patch new file mode 100644 index 00000000000..b70eda00461 --- /dev/null +++ b/queue-6.6/net-bcmgenet-properly-overlay-phy-and-mac-wake-on-la.patch @@ -0,0 +1,55 @@ +From ea507112a3fee18d310e1f061259d6a5c03c7485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:56:59 -0700 +Subject: net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities + +From: Florian Fainelli + +[ Upstream commit 9ee09edc05f20422e7ced84b1f8a5d3359926ac8 ] + +Some Wake-on-LAN modes such as WAKE_FILTER may only be supported by the MAC, +while others might be only supported by the PHY. Make sure that the .get_wol() +returns the union of both rather than only that of the PHY if the PHY supports +Wake-on-LAN. + +Fixes: 7e400ff35cbe ("net: bcmgenet: Add support for PHY-based Wake-on-LAN") +Signed-off-by: Florian Fainelli +Link: https://patch.msgid.link/20240806175659.3232204-1-florian.fainelli@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 1248792d7fd4d..0715ea5bf13ed 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -42,19 +42,15 @@ void bcmgenet_get_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + struct bcmgenet_priv *priv = netdev_priv(dev); + struct device *kdev = &priv->pdev->dev; + +- if (dev->phydev) { ++ if (dev->phydev) + phy_ethtool_get_wol(dev->phydev, wol); +- if (wol->supported) +- return; +- } + +- if (!device_can_wakeup(kdev)) { +- wol->supported = 0; +- wol->wolopts = 0; ++ /* MAC is not wake-up capable, return what the PHY does */ ++ if (!device_can_wakeup(kdev)) + return; +- } + +- wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE | WAKE_FILTER; ++ /* Overlay MAC capabilities with that of the PHY queried before */ ++ wol->supported |= WAKE_MAGIC | WAKE_MAGICSECURE | WAKE_FILTER; + wol->wolopts = priv->wolopts; + memset(wol->sopass, 0, sizeof(wol->sopass)); + +-- +2.43.0 + diff --git a/queue-6.6/net-bridge-mcast-wait-for-previous-gc-cycles-when-re.patch b/queue-6.6/net-bridge-mcast-wait-for-previous-gc-cycles-when-re.patch new file mode 100644 index 00000000000..571c8f01ea7 --- /dev/null +++ b/queue-6.6/net-bridge-mcast-wait-for-previous-gc-cycles-when-re.patch @@ -0,0 +1,82 @@ +From 93fc8cf37aaa0c03af1ebf03499b99d52d85493f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 11:07:30 +0300 +Subject: net: bridge: mcast: wait for previous gc cycles when removing port + +From: Nikolay Aleksandrov + +[ Upstream commit 92c4ee25208d0f35dafc3213cdf355fbe449e078 ] + +syzbot hit a use-after-free[1] which is caused because the bridge doesn't +make sure that all previous garbage has been collected when removing a +port. What happens is: + CPU 1 CPU 2 + start gc cycle remove port + acquire gc lock first + wait for lock + call br_multicasg_gc() directly + acquire lock now but free port + the port can be freed + while grp timers still + running + +Make sure all previous gc cycles have finished by using flush_work before +freeing the port. + +[1] + BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 + Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 + + CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:488 + kasan_report+0xd9/0x110 mm/kasan/report.c:601 + br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 + call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 + expire_timers kernel/time/timer.c:1843 [inline] + __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 + __run_timer_base kernel/time/timer.c:2428 [inline] + __run_timer_base kernel/time/timer.c:2421 [inline] + run_timer_base+0x111/0x190 kernel/time/timer.c:2437 + +Reported-by: syzbot+263426984509be19c9a0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=263426984509be19c9a0 +Fixes: e12cec65b554 ("net: bridge: mcast: destroy all entries via gc") +Signed-off-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20240802080730.3206303-1-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_multicast.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 38373b4fb7ddf..c38244d60ff86 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2044,16 +2044,14 @@ void br_multicast_del_port(struct net_bridge_port *port) + { + struct net_bridge *br = port->br; + struct net_bridge_port_group *pg; +- HLIST_HEAD(deleted_head); + struct hlist_node *n; + + /* Take care of the remaining groups, only perm ones should be left */ + spin_lock_bh(&br->multicast_lock); + hlist_for_each_entry_safe(pg, n, &port->mglist, mglist) + br_multicast_find_del_pg(br, pg); +- hlist_move_list(&br->mcast_gc_list, &deleted_head); + spin_unlock_bh(&br->multicast_lock); +- br_multicast_gc(&deleted_head); ++ flush_work(&br->mcast_gc_work); + br_multicast_port_ctx_deinit(&port->multicast_ctx); + free_percpu(port->mcast_stats); + } +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-bcm_sf2-fix-a-possible-memory-leak-in-bcm_sf.patch b/queue-6.6/net-dsa-bcm_sf2-fix-a-possible-memory-leak-in-bcm_sf.patch new file mode 100644 index 00000000000..c033bc33fca --- /dev/null +++ b/queue-6.6/net-dsa-bcm_sf2-fix-a-possible-memory-leak-in-bcm_sf.patch @@ -0,0 +1,50 @@ +From 003c4919eaad6b53c4439cbff231aa2d1ece5266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:13:27 +0900 +Subject: net: dsa: bcm_sf2: Fix a possible memory leak in + bcm_sf2_mdio_register() + +From: Joe Hattori + +[ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ] + +bcm_sf2_mdio_register() calls of_phy_find_device() and then +phy_device_remove() in a loop to remove existing PHY devices. +of_phy_find_device() eventually calls bus_find_device(), which calls +get_device() on the returned struct device * to increment the refcount. +The current implementation does not decrement the refcount, which causes +memory leak. + +This commit adds the missing phy_device_free() call to decrement the +refcount via put_device() to balance the refcount. + +Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used") +Signed-off-by: Joe Hattori +Tested-by: Florian Fainelli +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index cd1f240c90f39..257df16768750 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -678,8 +678,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds) + of_remove_property(child, prop); + + phydev = of_phy_find_device(child); +- if (phydev) ++ if (phydev) { + phy_device_remove(phydev); ++ phy_device_free(phydev); ++ } + } + + err = mdiobus_register(priv->slave_mii_bus); +-- +2.43.0 + diff --git a/queue-6.6/net-fec-stop-pps-on-driver-remove.patch b/queue-6.6/net-fec-stop-pps-on-driver-remove.patch new file mode 100644 index 00000000000..4405d81c576 --- /dev/null +++ b/queue-6.6/net-fec-stop-pps-on-driver-remove.patch @@ -0,0 +1,46 @@ +From dc8d05e19d856b8ab195771860020a26777e1329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 10:09:56 +0200 +Subject: net: fec: Stop PPS on driver remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Csókás, Bence + +[ Upstream commit 8fee6d5ad5fa18c270eedb2a2cdf58dbadefb94b ] + +PPS was not stopped in `fec_ptp_stop()`, called when +the adapter was removed. Consequentially, you couldn't +safely reload the driver with the PPS signal on. + +Fixes: 32cba57ba74b ("net: fec: introduce fec_ptp_stop and use in probe fail path") +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/netdev/CAOMZO5BzcZR8PwKKwBssQq_wAGzVgf1ffwe_nhpQJjviTdxy-w@mail.gmail.com/T/#m01dcb810bfc451a492140f6797ca77443d0cb79f +Signed-off-by: Csókás, Bence +Reviewed-by: Andrew Lunn +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20240807080956.2556602-1-csokas.bence@prolan.hu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_ptp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index e32f6724f5681..2e4f3e1782a25 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -775,6 +775,9 @@ void fec_ptp_stop(struct platform_device *pdev) + struct net_device *ndev = platform_get_drvdata(pdev); + struct fec_enet_private *fep = netdev_priv(ndev); + ++ if (fep->pps_enable) ++ fec_ptp_enable_pps(fep, 0); ++ + cancel_delayed_work_sync(&fep->time_keep); + hrtimer_cancel(&fep->perout_timer); + if (fep->ptp_clock) +-- +2.43.0 + diff --git a/queue-6.6/net-linkwatch-use-system_unbound_wq.patch b/queue-6.6/net-linkwatch-use-system_unbound_wq.patch new file mode 100644 index 00000000000..4874f92c417 --- /dev/null +++ b/queue-6.6/net-linkwatch-use-system_unbound_wq.patch @@ -0,0 +1,52 @@ +From a2ac4d0a6dc802d9422aabd387ce04c56bd78ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 08:58:21 +0000 +Subject: net: linkwatch: use system_unbound_wq + +From: Eric Dumazet + +[ Upstream commit 3e7917c0cdad835a5121520fc5686d954b7a61ab ] + +linkwatch_event() grabs possibly very contended RTNL mutex. + +system_wq is not suitable for such work. + +Inspired by many noisy syzbot reports. + +3 locks held by kworker/0:7/5266: + #0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline] + #0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312 + #1: ffffc90003f6fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline] + , at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312 + #2: ffffffff8fa6f208 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276 + +Reported-by: syzbot +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20240805085821.1616528-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/link_watch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/link_watch.c b/net/core/link_watch.c +index cb43f5aebfbcc..cf867f6e38bf1 100644 +--- a/net/core/link_watch.c ++++ b/net/core/link_watch.c +@@ -153,9 +153,9 @@ static void linkwatch_schedule_work(int urgent) + * override the existing timer. + */ + if (test_bit(LW_URGENT, &linkwatch_flags)) +- mod_delayed_work(system_wq, &linkwatch_work, 0); ++ mod_delayed_work(system_unbound_wq, &linkwatch_work, 0); + else +- schedule_delayed_work(&linkwatch_work, delay); ++ queue_delayed_work(system_unbound_wq, &linkwatch_work, delay); + } + + +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-shampo-fix-invalid-wq-linked-list-unlink.patch b/queue-6.6/net-mlx5e-shampo-fix-invalid-wq-linked-list-unlink.patch new file mode 100644 index 00000000000..5466a36d605 --- /dev/null +++ b/queue-6.6/net-mlx5e-shampo-fix-invalid-wq-linked-list-unlink.patch @@ -0,0 +1,44 @@ +From 4a155cdc70bdbe8eee3b6c22dc08d6a20c75e394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 00:22:08 +0300 +Subject: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink + +From: Dragos Tatulea + +[ Upstream commit fba8334721e266f92079632598e46e5f89082f30 ] + +When all the strides in a WQE have been consumed, the WQE is unlinked +from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible +to receive CQEs with 0 consumed strides for the same WQE even after the +WQE is fully consumed and unlinked. This triggers an additional unlink +for the same wqe which corrupts the linked list. + +Fix this scenario by accepting 0 sized consumed strides without +unlinking the WQE again. + +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240603212219.1037656-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 8d9743a5e42c7..79ec6fcc9e259 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2374,6 +2374,9 @@ static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cq + if (likely(wi->consumed_strides < rq->mpwqe.num_strides)) + return; + ++ if (unlikely(!cstrides)) ++ return; ++ + wq = &rq->mpwqe.wq; + wqe = mlx5_wq_ll_get_wqe(wq, wqe_id); + mlx5_wq_ll_pop(wq, cqe->wqe_id, &wqe->next.next_wqe_index); +-- +2.43.0 + diff --git a/queue-6.6/net-smc-add-the-max-value-of-fallback-reason-count.patch b/queue-6.6/net-smc-add-the-max-value-of-fallback-reason-count.patch new file mode 100644 index 00000000000..cc5b0db99a9 --- /dev/null +++ b/queue-6.6/net-smc-add-the-max-value-of-fallback-reason-count.patch @@ -0,0 +1,42 @@ +From 94e1dd4231d5cf8d618cdabc28927de1ccbb8f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 12:38:56 +0800 +Subject: net/smc: add the max value of fallback reason count + +From: Zhengchao Shao + +[ Upstream commit d27a835f41d947f62e6a95e89ba523299c9e6437 ] + +The number of fallback reasons defined in the smc_clc.h file has reached +36. For historical reasons, some are no longer quoted, and there's 33 +actually in use. So, add the max value of fallback reason count to 36. + +Fixes: 6ac1e6563f59 ("net/smc: support smc v2.x features validate") +Fixes: 7f0620b9940b ("net/smc: support max connections per lgr negotiation") +Fixes: 69b888e3bb4b ("net/smc: support max links per lgr negotiation in clc handshake") +Signed-off-by: Zhengchao Shao +Reviewed-by: Wenjia Zhang +Reviewed-by: D. Wythe +Link: https://patch.msgid.link/20240805043856.565677-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_stats.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h +index 9d32058db2b5d..e19177ce40923 100644 +--- a/net/smc/smc_stats.h ++++ b/net/smc/smc_stats.h +@@ -19,7 +19,7 @@ + + #include "smc_clc.h" + +-#define SMC_MAX_FBACK_RSN_CNT 30 ++#define SMC_MAX_FBACK_RSN_CNT 36 + + enum { + SMC_BUF_8K, +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-qcom-ethqos-enable-sgmii-loopback-during-.patch b/queue-6.6/net-stmmac-qcom-ethqos-enable-sgmii-loopback-during-.patch new file mode 100644 index 00000000000..817c037f884 --- /dev/null +++ b/queue-6.6/net-stmmac-qcom-ethqos-enable-sgmii-loopback-during-.patch @@ -0,0 +1,120 @@ +From 7b700098c7713e8ec33c69a3e28641f6920cfaad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 20:14:59 +0200 +Subject: net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on + sa8775p-ride-r3 + +From: Bartosz Golaszewski + +[ Upstream commit 3c466d6537b99f801b3f68af3d8124d4312437a0 ] + +On sa8775p-ride-r3 the RX clocks from the AQR115C PHY are not available at +the time of the DMA reset. We can however extract the RX clock from the +internal SERDES block. Once the link is up, we can revert to the +previous state. + +The AQR115C PHY doesn't support in-band signalling so we can count on +getting the link up notification and safely reuse existing callbacks +which are already used by another HW quirk workaround which enables the +functional clock to avoid a DMA reset due to timeout. + +Only enable loopback on revision 3 of the board - check the phy_mode to +make sure. + +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20240703181500.28491-3-brgl@bgdev.pl +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../stmicro/stmmac/dwmac-qcom-ethqos.c | 23 +++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +index d5d2a4c776c1c..ded1bbda5266f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +@@ -21,6 +21,7 @@ + #define RGMII_IO_MACRO_CONFIG2 0x1C + #define RGMII_IO_MACRO_DEBUG1 0x20 + #define EMAC_SYSTEM_LOW_POWER_DEBUG 0x28 ++#define EMAC_WRAPPER_SGMII_PHY_CNTRL1 0xf4 + + /* RGMII_IO_MACRO_CONFIG fields */ + #define RGMII_CONFIG_FUNC_CLK_EN BIT(30) +@@ -79,6 +80,9 @@ + #define ETHQOS_MAC_CTRL_SPEED_MODE BIT(14) + #define ETHQOS_MAC_CTRL_PORT_SEL BIT(15) + ++/* EMAC_WRAPPER_SGMII_PHY_CNTRL1 bits */ ++#define SGMII_PHY_CNTRL1_SGMII_TX_TO_RX_LOOPBACK_EN BIT(3) ++ + #define SGMII_10M_RX_CLK_DVDR 0x31 + + struct ethqos_emac_por { +@@ -95,6 +99,7 @@ struct ethqos_emac_driver_data { + bool has_integrated_pcs; + u32 dma_addr_width; + struct dwmac4_addrs dwmac4_addrs; ++ bool needs_sgmii_loopback; + }; + + struct qcom_ethqos { +@@ -113,6 +118,7 @@ struct qcom_ethqos { + unsigned int num_por; + bool rgmii_config_loopback_en; + bool has_emac_ge_3; ++ bool needs_sgmii_loopback; + }; + + static int rgmii_readl(struct qcom_ethqos *ethqos, unsigned int offset) +@@ -187,8 +193,22 @@ ethqos_update_link_clk(struct qcom_ethqos *ethqos, unsigned int speed) + clk_set_rate(ethqos->link_clk, ethqos->link_clk_rate); + } + ++static void ++qcom_ethqos_set_sgmii_loopback(struct qcom_ethqos *ethqos, bool enable) ++{ ++ if (!ethqos->needs_sgmii_loopback || ++ ethqos->phy_mode != PHY_INTERFACE_MODE_2500BASEX) ++ return; ++ ++ rgmii_updatel(ethqos, ++ SGMII_PHY_CNTRL1_SGMII_TX_TO_RX_LOOPBACK_EN, ++ enable ? SGMII_PHY_CNTRL1_SGMII_TX_TO_RX_LOOPBACK_EN : 0, ++ EMAC_WRAPPER_SGMII_PHY_CNTRL1); ++} ++ + static void ethqos_set_func_clk_en(struct qcom_ethqos *ethqos) + { ++ qcom_ethqos_set_sgmii_loopback(ethqos, true); + rgmii_updatel(ethqos, RGMII_CONFIG_FUNC_CLK_EN, + RGMII_CONFIG_FUNC_CLK_EN, RGMII_IO_MACRO_CONFIG); + } +@@ -273,6 +293,7 @@ static const struct ethqos_emac_driver_data emac_v4_0_0_data = { + .has_emac_ge_3 = true, + .link_clk_name = "phyaux", + .has_integrated_pcs = true, ++ .needs_sgmii_loopback = true, + .dma_addr_width = 36, + .dwmac4_addrs = { + .dma_chan = 0x00008100, +@@ -646,6 +667,7 @@ static void ethqos_fix_mac_speed(void *priv, unsigned int speed, unsigned int mo + { + struct qcom_ethqos *ethqos = priv; + ++ qcom_ethqos_set_sgmii_loopback(ethqos, false); + ethqos->speed = speed; + ethqos_update_link_clk(ethqos, speed); + ethqos_configure(ethqos); +@@ -781,6 +803,7 @@ static int qcom_ethqos_probe(struct platform_device *pdev) + ethqos->num_por = data->num_por; + ethqos->rgmii_config_loopback_en = data->rgmii_config_loopback_en; + ethqos->has_emac_ge_3 = data->has_emac_ge_3; ++ ethqos->needs_sgmii_loopback = data->needs_sgmii_loopback; + + ethqos->link_clk = devm_clk_get(dev, data->link_clk_name ?: "rgmii"); + if (IS_ERR(ethqos->link_clk)) +-- +2.43.0 + diff --git a/queue-6.6/net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch b/queue-6.6/net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch new file mode 100644 index 00000000000..a414afcc198 --- /dev/null +++ b/queue-6.6/net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch @@ -0,0 +1,38 @@ +From 043f228d8ac5db5bd15d8d8dd60161f6ed035f39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 15:55:12 +0200 +Subject: net: usb: qmi_wwan: fix memory leak for not ip packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniele Palmas + +[ Upstream commit 7ab107544b777c3bd7feb9fe447367d8edd5b202 ] + +Free the unused skb when not ip packets arrive. + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Daniele Palmas +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index befbca01bfe37..b1380cf1b13ab 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -201,6 +201,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + break; + default: + /* not ip - do not know what to do */ ++ kfree_skb(skbn); + goto skip; + } + +-- +2.43.0 + diff --git a/queue-6.6/pci-add-edimax-vendor-id-to-pci_ids.h.patch b/queue-6.6/pci-add-edimax-vendor-id-to-pci_ids.h.patch new file mode 100644 index 00000000000..060dc609919 --- /dev/null +++ b/queue-6.6/pci-add-edimax-vendor-id-to-pci_ids.h.patch @@ -0,0 +1,38 @@ +From 42b35d60f29146b3d87cc89201e3bf4a73e7fecc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 08:55:01 +0900 +Subject: PCI: Add Edimax Vendor ID to pci_ids.h + +From: FUJITA Tomonori + +[ Upstream commit eee5528890d54b22b46f833002355a5ee94c3bb4 ] + +Add the Edimax Vendor ID (0x1432) for an ethernet driver for Tehuti +Networks TN40xx chips. This ID can be used for Realtek 8180 and Ralink +rt28xx wireless drivers. + +Signed-off-by: FUJITA Tomonori +Acked-by: Bjorn Helgaas +Link: https://patch.msgid.link/20240623235507.108147-2-fujita.tomonori@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/pci_ids.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 0a85ff5c8db3c..abff4e3b6a58b 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2124,6 +2124,8 @@ + + #define PCI_VENDOR_ID_CHELSIO 0x1425 + ++#define PCI_VENDOR_ID_EDIMAX 0x1432 ++ + #define PCI_VENDOR_ID_ADLINK 0x144a + + #define PCI_VENDOR_ID_SAMSUNG 0x144d +-- +2.43.0 + diff --git a/queue-6.6/platform-x86-intel-ifs-gen2-scan-test-support.patch b/queue-6.6/platform-x86-intel-ifs-gen2-scan-test-support.patch new file mode 100644 index 00000000000..1e496b6f818 --- /dev/null +++ b/queue-6.6/platform-x86-intel-ifs-gen2-scan-test-support.patch @@ -0,0 +1,192 @@ +From c77c8e2032dc4168b2137463f996de6449392ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 12:51:32 -0700 +Subject: platform/x86/intel/ifs: Gen2 Scan test support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jithu Joseph + +[ Upstream commit 72b96ee29ed6f7670bbb180ba694816e33d361d1 ] + +Width of chunk related bitfields is ACTIVATE_SCAN and SCAN_STATUS MSRs +are different in newer IFS generation compared to gen0. + +Make changes to scan test flow such that MSRs are populated +appropriately based on the generation supported by hardware. + +Account for the 8/16 bit MSR bitfield width differences between gen0 and +newer generations for the scan test trace event too. + +Signed-off-by: Jithu Joseph +Reviewed-by: Tony Luck +Reviewed-by: Ilpo Järvinen +Tested-by: Pengfei Xu +Link: https://lore.kernel.org/r/20231005195137.3117166-5-jithu.joseph@intel.com +Signed-off-by: Ilpo Järvinen +Stable-dep-of: 3114f77e9453 ("platform/x86/intel/ifs: Initialize union ifs_status to zero") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/ifs/ifs.h | 28 ++++++++++++++++++----- + drivers/platform/x86/intel/ifs/runtest.c | 29 ++++++++++++++++++------ + include/trace/events/intel_ifs.h | 16 ++++++------- + 3 files changed, 52 insertions(+), 21 deletions(-) + +diff --git a/drivers/platform/x86/intel/ifs/ifs.h b/drivers/platform/x86/intel/ifs/ifs.h +index d666aeed20fc2..6bc63ab705175 100644 +--- a/drivers/platform/x86/intel/ifs/ifs.h ++++ b/drivers/platform/x86/intel/ifs/ifs.h +@@ -174,9 +174,17 @@ union ifs_chunks_auth_status { + union ifs_scan { + u64 data; + struct { +- u32 start :8; +- u32 stop :8; +- u32 rsvd :16; ++ union { ++ struct { ++ u8 start; ++ u8 stop; ++ u16 rsvd; ++ } gen0; ++ struct { ++ u16 start; ++ u16 stop; ++ } gen2; ++ }; + u32 delay :31; + u32 sigmce :1; + }; +@@ -186,9 +194,17 @@ union ifs_scan { + union ifs_status { + u64 data; + struct { +- u32 chunk_num :8; +- u32 chunk_stop_index :8; +- u32 rsvd1 :16; ++ union { ++ struct { ++ u8 chunk_num; ++ u8 chunk_stop_index; ++ u16 rsvd1; ++ } gen0; ++ struct { ++ u16 chunk_num; ++ u16 chunk_stop_index; ++ } gen2; ++ }; + u32 error_code :8; + u32 rsvd2 :22; + u32 control_error :1; +diff --git a/drivers/platform/x86/intel/ifs/runtest.c b/drivers/platform/x86/intel/ifs/runtest.c +index 43c864add778f..fd6a9e3799a3f 100644 +--- a/drivers/platform/x86/intel/ifs/runtest.c ++++ b/drivers/platform/x86/intel/ifs/runtest.c +@@ -171,21 +171,31 @@ static void ifs_test_core(int cpu, struct device *dev) + union ifs_status status; + unsigned long timeout; + struct ifs_data *ifsd; ++ int to_start, to_stop; ++ int status_chunk; + u64 msrvals[2]; + int retries; + + ifsd = ifs_get_data(dev); + +- activate.rsvd = 0; ++ activate.gen0.rsvd = 0; + activate.delay = IFS_THREAD_WAIT; + activate.sigmce = 0; +- activate.start = 0; +- activate.stop = ifsd->valid_chunks - 1; ++ to_start = 0; ++ to_stop = ifsd->valid_chunks - 1; ++ ++ if (ifsd->generation) { ++ activate.gen2.start = to_start; ++ activate.gen2.stop = to_stop; ++ } else { ++ activate.gen0.start = to_start; ++ activate.gen0.stop = to_stop; ++ } + + timeout = jiffies + HZ / 2; + retries = MAX_IFS_RETRIES; + +- while (activate.start <= activate.stop) { ++ while (to_start <= to_stop) { + if (time_after(jiffies, timeout)) { + status.error_code = IFS_SW_TIMEOUT; + break; +@@ -196,13 +206,14 @@ static void ifs_test_core(int cpu, struct device *dev) + + status.data = msrvals[1]; + +- trace_ifs_status(cpu, activate, status); ++ trace_ifs_status(cpu, to_start, to_stop, status.data); + + /* Some cases can be retried, give up for others */ + if (!can_restart(status)) + break; + +- if (status.chunk_num == activate.start) { ++ status_chunk = ifsd->generation ? status.gen2.chunk_num : status.gen0.chunk_num; ++ if (status_chunk == to_start) { + /* Check for forward progress */ + if (--retries == 0) { + if (status.error_code == IFS_NO_ERROR) +@@ -211,7 +222,11 @@ static void ifs_test_core(int cpu, struct device *dev) + } + } else { + retries = MAX_IFS_RETRIES; +- activate.start = status.chunk_num; ++ if (ifsd->generation) ++ activate.gen2.start = status_chunk; ++ else ++ activate.gen0.start = status_chunk; ++ to_start = status_chunk; + } + } + +diff --git a/include/trace/events/intel_ifs.h b/include/trace/events/intel_ifs.h +index d7353024016cc..af0af3f1d9b7c 100644 +--- a/include/trace/events/intel_ifs.h ++++ b/include/trace/events/intel_ifs.h +@@ -10,25 +10,25 @@ + + TRACE_EVENT(ifs_status, + +- TP_PROTO(int cpu, union ifs_scan activate, union ifs_status status), ++ TP_PROTO(int cpu, int start, int stop, u64 status), + +- TP_ARGS(cpu, activate, status), ++ TP_ARGS(cpu, start, stop, status), + + TP_STRUCT__entry( + __field( u64, status ) + __field( int, cpu ) +- __field( u8, start ) +- __field( u8, stop ) ++ __field( u16, start ) ++ __field( u16, stop ) + ), + + TP_fast_assign( + __entry->cpu = cpu; +- __entry->start = activate.start; +- __entry->stop = activate.stop; +- __entry->status = status.data; ++ __entry->start = start; ++ __entry->stop = stop; ++ __entry->status = status; + ), + +- TP_printk("cpu: %d, start: %.2x, stop: %.2x, status: %llx", ++ TP_printk("cpu: %d, start: %.4x, stop: %.4x, status: %.16llx", + __entry->cpu, + __entry->start, + __entry->stop, +-- +2.43.0 + diff --git a/queue-6.6/platform-x86-intel-ifs-initialize-union-ifs_status-t.patch b/queue-6.6/platform-x86-intel-ifs-initialize-union-ifs_status-t.patch new file mode 100644 index 00000000000..282758f067b --- /dev/null +++ b/queue-6.6/platform-x86-intel-ifs-initialize-union-ifs_status-t.patch @@ -0,0 +1,47 @@ +From 8aff6b9e7bc7286478b68b3ec9ca62c3cdf52651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 15:59:30 +0000 +Subject: platform/x86/intel/ifs: Initialize union ifs_status to zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kuppuswamy Sathyanarayanan + +[ Upstream commit 3114f77e9453daa292ec0906f313a715c69b5943 ] + +If the IFS scan test exits prematurely due to a timeout before +completing a single run, the union ifs_status remains uninitialized, +leading to incorrect test status reporting. To prevent this, always +initialize the union ifs_status to zero. + +Fixes: 2b40e654b73a ("platform/x86/intel/ifs: Add scan test support") +Suggested-by: Ilpo Järvinen +Reviewed-by: Jithu Joseph +Reviewed-by: Ashok Raj +Signed-off-by: Kuppuswamy Sathyanarayanan +Link: https://lore.kernel.org/r/20240730155930.1754744-1-sathyanarayanan.kuppuswamy@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/ifs/runtest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/ifs/runtest.c b/drivers/platform/x86/intel/ifs/runtest.c +index fd6a9e3799a3f..c7a5bf24bef35 100644 +--- a/drivers/platform/x86/intel/ifs/runtest.c ++++ b/drivers/platform/x86/intel/ifs/runtest.c +@@ -167,8 +167,8 @@ static int doscan(void *data) + */ + static void ifs_test_core(int cpu, struct device *dev) + { ++ union ifs_status status = {}; + union ifs_scan activate; +- union ifs_status status; + unsigned long timeout; + struct ifs_data *ifsd; + int to_start, to_stop; +-- +2.43.0 + diff --git a/queue-6.6/platform-x86-intel-ifs-store-ifs-generation-number.patch b/queue-6.6/platform-x86-intel-ifs-store-ifs-generation-number.patch new file mode 100644 index 00000000000..5dbaae17b8d --- /dev/null +++ b/queue-6.6/platform-x86-intel-ifs-store-ifs-generation-number.patch @@ -0,0 +1,89 @@ +From cb17570e65e0ff768a05d04c6c2c63f67af66970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 12:51:29 -0700 +Subject: platform/x86/intel/ifs: Store IFS generation number +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jithu Joseph + +[ Upstream commit 97a5e801b3045c1e800f76bc0fb544972538089d ] + +IFS generation number is reported via MSR_INTEGRITY_CAPS. As IFS +support gets added to newer CPUs, some differences are expected during +IFS image loading and test flows. + +Define MSR bitmasks to extract and store the generation in driver data, +so that driver can modify its MSR interaction appropriately. + +Signed-off-by: Jithu Joseph +Reviewed-by: Tony Luck +Reviewed-by: Ilpo Järvinen +Tested-by: Pengfei Xu +Link: https://lore.kernel.org/r/20231005195137.3117166-2-jithu.joseph@intel.com +Signed-off-by: Ilpo Järvinen +Stable-dep-of: 3114f77e9453 ("platform/x86/intel/ifs: Initialize union ifs_status to zero") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/msr-index.h | 1 + + drivers/platform/x86/intel/ifs/core.c | 3 +++ + drivers/platform/x86/intel/ifs/ifs.h | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 621bac6b74011..24b7bd255e983 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -237,6 +237,7 @@ + #define MSR_INTEGRITY_CAPS_ARRAY_BIST BIT(MSR_INTEGRITY_CAPS_ARRAY_BIST_BIT) + #define MSR_INTEGRITY_CAPS_PERIODIC_BIST_BIT 4 + #define MSR_INTEGRITY_CAPS_PERIODIC_BIST BIT(MSR_INTEGRITY_CAPS_PERIODIC_BIST_BIT) ++#define MSR_INTEGRITY_CAPS_SAF_GEN_MASK GENMASK_ULL(10, 9) + + #define MSR_LBR_NHM_FROM 0x00000680 + #define MSR_LBR_NHM_TO 0x000006c0 +diff --git a/drivers/platform/x86/intel/ifs/core.c b/drivers/platform/x86/intel/ifs/core.c +index 306f886b52d20..4ff2aa4b484bc 100644 +--- a/drivers/platform/x86/intel/ifs/core.c ++++ b/drivers/platform/x86/intel/ifs/core.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* Copyright(c) 2022 Intel Corporation. */ + ++#include + #include + #include + #include +@@ -94,6 +95,8 @@ static int __init ifs_init(void) + for (i = 0; i < IFS_NUMTESTS; i++) { + if (!(msrval & BIT(ifs_devices[i].test_caps->integrity_cap_bit))) + continue; ++ ifs_devices[i].rw_data.generation = FIELD_GET(MSR_INTEGRITY_CAPS_SAF_GEN_MASK, ++ msrval); + ret = misc_register(&ifs_devices[i].misc); + if (ret) + goto err_exit; +diff --git a/drivers/platform/x86/intel/ifs/ifs.h b/drivers/platform/x86/intel/ifs/ifs.h +index 93191855890f2..d666aeed20fc2 100644 +--- a/drivers/platform/x86/intel/ifs/ifs.h ++++ b/drivers/platform/x86/intel/ifs/ifs.h +@@ -229,6 +229,7 @@ struct ifs_test_caps { + * @status: it holds simple status pass/fail/untested + * @scan_details: opaque scan status code from h/w + * @cur_batch: number indicating the currently loaded test file ++ * @generation: IFS test generation enumerated by hardware + */ + struct ifs_data { + int loaded_version; +@@ -238,6 +239,7 @@ struct ifs_data { + int status; + u64 scan_details; + u32 cur_batch; ++ u32 generation; + }; + + struct ifs_work { +-- +2.43.0 + diff --git a/queue-6.6/r8169-remove-detection-of-chip-version-11-early-rtl8.patch b/queue-6.6/r8169-remove-detection-of-chip-version-11-early-rtl8.patch new file mode 100644 index 00000000000..5ede466a73c --- /dev/null +++ b/queue-6.6/r8169-remove-detection-of-chip-version-11-early-rtl8.patch @@ -0,0 +1,41 @@ +From 384648aa4771a4ba963f7ccf05c569fe4ebe588a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 21:20:16 +0200 +Subject: r8169: remove detection of chip version 11 (early RTL8168b) + +From: Heiner Kallweit + +[ Upstream commit 982300c115d229565d7af8e8b38aa1ee7bb1f5bd ] + +This early RTL8168b version was the first PCIe chip version, and it's +quite quirky. Last sign of life is from more than 15 yrs ago. +Let's remove detection of this chip version, we'll see whether anybody +complains. If not, support for this chip version can be removed a few +kernel versions later. + +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/875cdcf4-843c-420a-ad5d-417447b68572@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 8a732edac15a0..e924153ab6bb7 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2135,7 +2135,9 @@ static enum mac_version rtl8169_get_mac_version(u16 xid, bool gmii) + + /* 8168B family. */ + { 0x7c8, 0x380, RTL_GIGA_MAC_VER_17 }, +- { 0x7c8, 0x300, RTL_GIGA_MAC_VER_11 }, ++ /* This one is very old and rare, let's see if anybody complains. ++ * { 0x7c8, 0x300, RTL_GIGA_MAC_VER_11 }, ++ */ + + /* 8101 family. */ + { 0x7c8, 0x448, RTL_GIGA_MAC_VER_39 }, +-- +2.43.0 + diff --git a/queue-6.6/rcu-fix-rcu_barrier-vs-post-cpuhp_teardown_cpu-invoc.patch b/queue-6.6/rcu-fix-rcu_barrier-vs-post-cpuhp_teardown_cpu-invoc.patch new file mode 100644 index 00000000000..250186eb546 --- /dev/null +++ b/queue-6.6/rcu-fix-rcu_barrier-vs-post-cpuhp_teardown_cpu-invoc.patch @@ -0,0 +1,120 @@ +From c3a4d94c9548f1fe1f4e7a052fe385187ee2794d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2024 16:05:24 +0200 +Subject: rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation + +From: Frederic Weisbecker + +[ Upstream commit 55d4669ef1b76823083caecfab12a8bd2ccdcf64 ] + +When rcu_barrier() calls rcu_rdp_cpu_online() and observes a CPU off +rnp->qsmaskinitnext, it means that all accesses from the offline CPU +preceding the CPUHP_TEARDOWN_CPU are visible to RCU barrier, including +callbacks expiration and counter updates. + +However interrupts can still fire after stop_machine() re-enables +interrupts and before rcutree_report_cpu_dead(). The related accesses +happening between CPUHP_TEARDOWN_CPU and rnp->qsmaskinitnext clearing +are _NOT_ guaranteed to be seen by rcu_barrier() without proper +ordering, especially when callbacks are invoked there to the end, making +rcutree_migrate_callback() bypass barrier_lock. + +The following theoretical race example can make rcu_barrier() hang: + +CPU 0 CPU 1 +----- ----- +//cpu_down() +smpboot_park_threads() +//ksoftirqd is parked now + +rcu_sched_clock_irq() + invoke_rcu_core() +do_softirq() + rcu_core() + rcu_do_batch() + // callback storm + // rcu_do_batch() returns + // before completing all + // of them + // do_softirq also returns early because of + // timeout. It defers to ksoftirqd but + // it's parked + +stop_machine() + take_cpu_down() + rcu_barrier() + spin_lock(barrier_lock) + // observes rcu_segcblist_n_cbs(&rdp->cblist) != 0 + +do_softirq() + rcu_core() + rcu_do_batch() + //completes all pending callbacks + //smp_mb() implied _after_ callback number dec + + +rcutree_report_cpu_dead() + rnp->qsmaskinitnext &= ~rdp->grpmask; + +rcutree_migrate_callback() + // no callback, early return without locking + // barrier_lock + //observes !rcu_rdp_cpu_online(rdp) + rcu_barrier_entrain() + rcu_segcblist_entrain() + // Observe rcu_segcblist_n_cbs(rsclp) == 0 + // because no barrier between reading + // rnp->qsmaskinitnext and rsclp->len + rcu_segcblist_add_len() + smp_mb__before_atomic() + // will now observe the 0 count and empty + // list, but too late, we enqueue regardless + WRITE_ONCE(rsclp->len, rsclp->len + v); + // ignored barrier callback + // rcu barrier stall... + +This could be solved with a read memory barrier, enforcing the message +passing between rnp->qsmaskinitnext and rsclp->len, matching the full +memory barrier after rsclp->len addition in rcu_segcblist_add_len() +performed at the end of rcu_do_batch(). + +However the rcu_barrier() is complicated enough and probably doesn't +need too many more subtleties. CPU down is a slowpath and the +barrier_lock seldom contended. Solve the issue with unconditionally +locking the barrier_lock on rcutree_migrate_callbacks(). This makes sure +that either rcu_barrier() sees the empty queue or its entrained +callback will be migrated. + +Signed-off-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 8cf6a6fef7965..583cc29080764 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -4595,11 +4595,15 @@ void rcutree_migrate_callbacks(int cpu) + struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu); + bool needwake; + +- if (rcu_rdp_is_offloaded(rdp) || +- rcu_segcblist_empty(&rdp->cblist)) +- return; /* No callbacks to migrate. */ ++ if (rcu_rdp_is_offloaded(rdp)) ++ return; + + raw_spin_lock_irqsave(&rcu_state.barrier_lock, flags); ++ if (rcu_segcblist_empty(&rdp->cblist)) { ++ raw_spin_unlock_irqrestore(&rcu_state.barrier_lock, flags); ++ return; /* No callbacks to migrate. */ ++ } ++ + WARN_ON_ONCE(rcu_rdp_cpu_online(rdp)); + rcu_barrier_entrain(rdp); + my_rdp = this_cpu_ptr(&rcu_data); +-- +2.43.0 + diff --git a/queue-6.6/rcutorture-fix-rcu_torture_fwd_cb_cr-data-race.patch b/queue-6.6/rcutorture-fix-rcu_torture_fwd_cb_cr-data-race.patch new file mode 100644 index 00000000000..a3509800e7a --- /dev/null +++ b/queue-6.6/rcutorture-fix-rcu_torture_fwd_cb_cr-data-race.patch @@ -0,0 +1,50 @@ +From b56ca32b78942cde0cc3e9778058e81d3ea11f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 12:02:11 -0700 +Subject: rcutorture: Fix rcu_torture_fwd_cb_cr() data race + +From: Paul E. McKenney + +[ Upstream commit 6040072f4774a575fa67b912efe7722874be337b ] + +On powerpc systems, spinlock acquisition does not order prior stores +against later loads. This means that this statement: + + rfcp->rfc_next = NULL; + +Can be reordered to follow this statement: + + WRITE_ONCE(*rfcpp, rfcp); + +Which is then a data race with rcu_torture_fwd_prog_cr(), specifically, +this statement: + + rfcpn = READ_ONCE(rfcp->rfc_next) + +KCSAN located this data race, which represents a real failure on powerpc. + +Signed-off-by: Paul E. McKenney +Acked-by: Marco Elver +Cc: Andrey Konovalov +Cc: +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index 781146600aa49..46612fb15fc6d 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -2592,7 +2592,7 @@ static void rcu_torture_fwd_cb_cr(struct rcu_head *rhp) + spin_lock_irqsave(&rfp->rcu_fwd_lock, flags); + rfcpp = rfp->rcu_fwd_cb_tail; + rfp->rcu_fwd_cb_tail = &rfcp->rfc_next; +- WRITE_ONCE(*rfcpp, rfcp); ++ smp_store_release(rfcpp, rfcp); + WRITE_ONCE(rfp->n_launders_cb, rfp->n_launders_cb + 1); + i = ((jiffies - rfp->rcu_fwd_startat) / (HZ / FWD_CBS_HIST_DIV)); + if (i >= ARRAY_SIZE(rfp->n_launders_hist)) +-- +2.43.0 + diff --git a/queue-6.6/s390-sclp-prevent-release-of-buffer-in-i-o.patch b/queue-6.6/s390-sclp-prevent-release-of-buffer-in-i-o.patch new file mode 100644 index 00000000000..c21843e8dd7 --- /dev/null +++ b/queue-6.6/s390-sclp-prevent-release-of-buffer-in-i-o.patch @@ -0,0 +1,52 @@ +From 26529a08a05e67a21510d8a414befc3cb286fc27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 14:20:27 +0200 +Subject: s390/sclp: Prevent release of buffer in I/O + +From: Peter Oberparleiter + +[ Upstream commit bf365071ea92b9579d5a272679b74052a5643e35 ] + +When a task waiting for completion of a Store Data operation is +interrupted, an attempt is made to halt this operation. If this attempt +fails due to a hardware or firmware problem, there is a chance that the +SCLP facility might store data into buffers referenced by the original +operation at a later time. + +Handle this situation by not releasing the referenced data buffers if +the halt attempt fails. For current use cases, this might result in a +leak of few pages of memory in case of a rare hardware/firmware +malfunction. + +Reviewed-by: Heiko Carstens +Signed-off-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_sd.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/char/sclp_sd.c b/drivers/s390/char/sclp_sd.c +index f9e164be7568f..944e75beb160c 100644 +--- a/drivers/s390/char/sclp_sd.c ++++ b/drivers/s390/char/sclp_sd.c +@@ -320,8 +320,14 @@ static int sclp_sd_store_data(struct sclp_sd_data *result, u8 di) + &esize); + if (rc) { + /* Cancel running request if interrupted */ +- if (rc == -ERESTARTSYS) +- sclp_sd_sync(page, SD_EQ_HALT, di, 0, 0, NULL, NULL); ++ if (rc == -ERESTARTSYS) { ++ if (sclp_sd_sync(page, SD_EQ_HALT, di, 0, 0, NULL, NULL)) { ++ pr_warn("Could not stop Store Data request - leaking at least %zu bytes\n", ++ (size_t)dsize * PAGE_SIZE); ++ data = NULL; ++ asce = 0; ++ } ++ } + vfree(data); + goto out; + } +-- +2.43.0 + diff --git a/queue-6.6/sctp-fix-null-ptr-deref-in-reuseport_add_sock.patch b/queue-6.6/sctp-fix-null-ptr-deref-in-reuseport_add_sock.patch new file mode 100644 index 00000000000..86de6fa4ca1 --- /dev/null +++ b/queue-6.6/sctp-fix-null-ptr-deref-in-reuseport_add_sock.patch @@ -0,0 +1,169 @@ +From 2f047376a5e7e5db7adac666a75f0bf356251342 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 16:46:24 -0700 +Subject: sctp: Fix null-ptr-deref in reuseport_add_sock(). + +From: Kuniyuki Iwashima + +[ Upstream commit 9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18 ] + +syzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in +reuseport_add_sock(). [0] + +The repro first creates a listener with SO_REUSEPORT. Then, it creates +another listener on the same port and concurrently closes the first +listener. + +The second listen() calls reuseport_add_sock() with the first listener as +sk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently, +but the close() does clear it by reuseport_detach_sock(). + +The problem is SCTP does not properly synchronise reuseport_alloc(), +reuseport_add_sock(), and reuseport_detach_sock(). + +The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must +provide synchronisation for sockets that are classified into the same +reuseport group. + +Otherwise, such sockets form multiple identical reuseport groups, and +all groups except one would be silently dead. + + 1. Two sockets call listen() concurrently + 2. No socket in the same group found in sctp_ep_hashtable[] + 3. Two sockets call reuseport_alloc() and form two reuseport groups + 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives + incoming packets + +Also, the reported null-ptr-deref could occur. + +TCP/UDP guarantees that would not happen by holding the hash bucket lock. + +Let's apply the locking strategy to __sctp_hash_endpoint() and +__sctp_unhash_endpoint(). + +[0]: +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 +RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350 +Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14 +RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202 +RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012 +RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385 +R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0 +R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __sctp_hash_endpoint net/sctp/input.c:762 [inline] + sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790 + sctp_listen_start net/sctp/socket.c:8570 [inline] + sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625 + __sys_listen_socket net/socket.c:1883 [inline] + __sys_listen+0x1b7/0x230 net/socket.c:1894 + __do_sys_listen net/socket.c:1902 [inline] + __se_sys_listen net/socket.c:1900 [inline] + __x64_sys_listen+0x5a/0x70 net/socket.c:1900 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f24e46039b9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032 +RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9 +RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004 +RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0 +R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c +R13: 00007f24e465a5dc R14: 0020000000000001 R15: 00007ffcced5f7d8 + +Modules linked in: + +Fixes: 6ba845740267 ("sctp: process sk_reuseport in sctp_get_port_local") +Reported-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e6979a5d2f10ecb700e4 +Tested-by: syzbot+e6979a5d2f10ecb700e4@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20240731234624.94055-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 17fcaa9b0df94..a8a254a5008e5 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -735,15 +735,19 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep) + struct sock *sk = ep->base.sk; + struct net *net = sock_net(sk); + struct sctp_hashbucket *head; ++ int err = 0; + + ep->hashent = sctp_ep_hashfn(net, ep->base.bind_addr.port); + head = &sctp_ep_hashtable[ep->hashent]; + ++ write_lock(&head->lock); + if (sk->sk_reuseport) { + bool any = sctp_is_ep_boundall(sk); + struct sctp_endpoint *ep2; + struct list_head *list; +- int cnt = 0, err = 1; ++ int cnt = 0; ++ ++ err = 1; + + list_for_each(list, &ep->base.bind_addr.address_list) + cnt++; +@@ -761,24 +765,24 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep) + if (!err) { + err = reuseport_add_sock(sk, sk2, any); + if (err) +- return err; ++ goto out; + break; + } else if (err < 0) { +- return err; ++ goto out; + } + } + + if (err) { + err = reuseport_alloc(sk, any); + if (err) +- return err; ++ goto out; + } + } + +- write_lock(&head->lock); + hlist_add_head(&ep->node, &head->chain); ++out: + write_unlock(&head->lock); +- return 0; ++ return err; + } + + /* Add an endpoint to the hash. Local BH-safe. */ +@@ -803,10 +807,9 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep) + + head = &sctp_ep_hashtable[ep->hashent]; + ++ write_lock(&head->lock); + if (rcu_access_pointer(sk->sk_reuseport_cb)) + reuseport_detach_sock(sk); +- +- write_lock(&head->lock); + hlist_del_init(&ep->node); + write_unlock(&head->lock); + } +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-fix-send_signal-test-with-nested-confi.patch b/queue-6.6/selftests-bpf-fix-send_signal-test-with-nested-confi.patch new file mode 100644 index 00000000000..d7c62ed976a --- /dev/null +++ b/queue-6.6/selftests-bpf-fix-send_signal-test-with-nested-confi.patch @@ -0,0 +1,120 @@ +From 93389b5cb87ea70bc5460ce3bee07f41cd6048d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 13:12:03 -0700 +Subject: selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT + +From: Yonghong Song + +[ Upstream commit 7015843afcaf68c132784c89528dfddc0005e483 ] + +Alexei reported that send_signal test may fail with nested CONFIG_PARAVIRT +configs. In this particular case, the base VM is AMD with 166 cpus, and I +run selftests with regular qemu on top of that and indeed send_signal test +failed. I also tried with an Intel box with 80 cpus and there is no issue. + +The main qemu command line includes: + + -enable-kvm -smp 16 -cpu host + +The failure log looks like: + + $ ./test_progs -t send_signal + [ 48.501588] watchdog: BUG: soft lockup - CPU#9 stuck for 26s! [test_progs:2225] + [ 48.503622] Modules linked in: bpf_testmod(O) + [ 48.503622] CPU: 9 PID: 2225 Comm: test_progs Tainted: G O 6.9.0-08561-g2c1713a8f1c9-dirty #69 + [ 48.507629] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 + [ 48.511635] RIP: 0010:handle_softirqs+0x71/0x290 + [ 48.511635] Code: [...] 10 0a 00 00 00 31 c0 65 66 89 05 d5 f4 fa 7e fb bb ff ff ff ff <49> c7 c2 cb + [ 48.518527] RSP: 0018:ffffc90000310fa0 EFLAGS: 00000246 + [ 48.519579] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 00000000000006e0 + [ 48.522526] RDX: 0000000000000006 RSI: ffff88810791ae80 RDI: 0000000000000000 + [ 48.523587] RBP: ffffc90000fabc88 R08: 00000005a0af4f7f R09: 0000000000000000 + [ 48.525525] R10: 0000000561d2f29c R11: 0000000000006534 R12: 0000000000000280 + [ 48.528525] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + [ 48.528525] FS: 00007f2f2885cd00(0000) GS:ffff888237c40000(0000) knlGS:0000000000000000 + [ 48.531600] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 48.535520] CR2: 00007f2f287059f0 CR3: 0000000106a28002 CR4: 00000000003706f0 + [ 48.537538] Call Trace: + [ 48.537538] + [ 48.537538] ? watchdog_timer_fn+0x1cd/0x250 + [ 48.539590] ? lockup_detector_update_enable+0x50/0x50 + [ 48.539590] ? __hrtimer_run_queues+0xff/0x280 + [ 48.542520] ? hrtimer_interrupt+0x103/0x230 + [ 48.544524] ? __sysvec_apic_timer_interrupt+0x4f/0x140 + [ 48.545522] ? sysvec_apic_timer_interrupt+0x3a/0x90 + [ 48.547612] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 + [ 48.547612] ? handle_softirqs+0x71/0x290 + [ 48.547612] irq_exit_rcu+0x63/0x80 + [ 48.551585] sysvec_apic_timer_interrupt+0x75/0x90 + [ 48.552521] + [ 48.553529] + [ 48.553529] asm_sysvec_apic_timer_interrupt+0x1a/0x20 + [ 48.555609] RIP: 0010:finish_task_switch.isra.0+0x90/0x260 + [ 48.556526] Code: [...] 9f 58 0a 00 00 48 85 db 0f 85 89 01 00 00 4c 89 ff e8 53 d9 bd 00 fb 66 90 <4d> 85 ed 74 + [ 48.562524] RSP: 0018:ffffc90000fabd38 EFLAGS: 00000282 + [ 48.563589] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83385620 + [ 48.563589] RDX: ffff888237c73ae4 RSI: 0000000000000000 RDI: ffff888237c6fd00 + [ 48.568521] RBP: ffffc90000fabd68 R08: 0000000000000000 R09: 0000000000000000 + [ 48.569528] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881009d0000 + [ 48.573525] R13: ffff8881024e5400 R14: ffff88810791ae80 R15: ffff888237c6fd00 + [ 48.575614] ? finish_task_switch.isra.0+0x8d/0x260 + [ 48.576523] __schedule+0x364/0xac0 + [ 48.577535] schedule+0x2e/0x110 + [ 48.578555] pipe_read+0x301/0x400 + [ 48.579589] ? destroy_sched_domains_rcu+0x30/0x30 + [ 48.579589] vfs_read+0x2b3/0x2f0 + [ 48.579589] ksys_read+0x8b/0xc0 + [ 48.583590] do_syscall_64+0x3d/0xc0 + [ 48.583590] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + [ 48.586525] RIP: 0033:0x7f2f28703fa1 + [ 48.587592] Code: [...] 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 80 3d c5 23 14 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 + [ 48.593534] RSP: 002b:00007ffd90f8cf88 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 + [ 48.595589] RAX: ffffffffffffffda RBX: 00007ffd90f8d5e8 RCX: 00007f2f28703fa1 + [ 48.595589] RDX: 0000000000000001 RSI: 00007ffd90f8cfb0 RDI: 0000000000000006 + [ 48.599592] RBP: 00007ffd90f8d2f0 R08: 0000000000000064 R09: 0000000000000000 + [ 48.602527] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + [ 48.603589] R13: 00007ffd90f8d608 R14: 00007f2f288d8000 R15: 0000000000f6bdb0 + [ 48.605527] + +In the test, two processes are communicating through pipe. Further debugging +with strace found that the above splat is triggered as read() syscall could +not receive the data even if the corresponding write() syscall in another +process successfully wrote data into the pipe. + +The failed subtest is "send_signal_perf". The corresponding perf event has +sample_period 1 and config PERF_COUNT_SW_CPU_CLOCK. sample_period 1 means every +overflow event will trigger a call to the BPF program. So I suspect this may +overwhelm the system. So I increased the sample_period to 100,000 and the test +passed. The sample_period 10,000 still has the test failed. + +In other parts of selftest, e.g., [1], sample_freq is used instead. So I +decided to use sample_freq = 1,000 since the test can pass as well. + + [1] https://lore.kernel.org/bpf/20240604070700.3032142-1-song@kernel.org/ + +Reported-by: Alexei Starovoitov +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240605201203.2603846-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/send_signal.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/send_signal.c b/tools/testing/selftests/bpf/prog_tests/send_signal.c +index b15b343ebb6b1..9adcda7f1fedc 100644 +--- a/tools/testing/selftests/bpf/prog_tests/send_signal.c ++++ b/tools/testing/selftests/bpf/prog_tests/send_signal.c +@@ -156,7 +156,8 @@ static void test_send_signal_tracepoint(bool signal_thread) + static void test_send_signal_perf(bool signal_thread) + { + struct perf_event_attr attr = { +- .sample_period = 1, ++ .freq = 1, ++ .sample_freq = 1000, + .type = PERF_TYPE_SOFTWARE, + .config = PERF_COUNT_SW_CPU_CLOCK, + }; +-- +2.43.0 + diff --git a/queue-6.6/selftests-mptcp-join-ability-to-invert-add_addr-chec.patch b/queue-6.6/selftests-mptcp-join-ability-to-invert-add_addr-chec.patch new file mode 100644 index 00000000000..588c4008962 --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-ability-to-invert-add_addr-chec.patch @@ -0,0 +1,147 @@ +From 948e273671d1fad2c394968275a004158a95d350 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 13:05:58 +0200 +Subject: selftests: mptcp: join: ability to invert ADD_ADDR check + +From: Matthieu Baerts (NGI0) + +[ Upstream commit bec1f3b119ebc613d08dfbcdbaef01a79aa7de92 ] + +In the following commit, the client will initiate the ADD_ADDR, instead +of the server. We need to way to verify the ADD_ADDR have been correctly +sent. + +Note: the default expected counters for when the port number is given +are never changed by the caller, no need to accept them as parameter +then. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240731-upstream-net-20240731-mptcp-endp-subflow-signal-v1-6-c8a9b036493b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/mptcp/mptcp_join.sh | 40 ++++++++++++------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh +index a2dae2a3a93e0..f928db7b999ee 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -1559,18 +1559,28 @@ chk_add_nr() + local add_nr=$1 + local echo_nr=$2 + local port_nr=${3:-0} +- local syn_nr=${4:-$port_nr} +- local syn_ack_nr=${5:-$port_nr} +- local ack_nr=${6:-$port_nr} +- local mis_syn_nr=${7:-0} +- local mis_ack_nr=${8:-0} ++ local ns_invert=${4:-""} ++ local syn_nr=$port_nr ++ local syn_ack_nr=$port_nr ++ local ack_nr=$port_nr ++ local mis_syn_nr=0 ++ local mis_ack_nr=0 ++ local ns_tx=$ns1 ++ local ns_rx=$ns2 ++ local extra_msg="" + local count + local timeout + +- timeout=$(ip netns exec $ns1 sysctl -n net.mptcp.add_addr_timeout) ++ if [[ $ns_invert = "invert" ]]; then ++ ns_tx=$ns2 ++ ns_rx=$ns1 ++ extra_msg="invert" ++ fi ++ ++ timeout=$(ip netns exec ${ns_tx} sysctl -n net.mptcp.add_addr_timeout) + + print_check "add" +- count=$(mptcp_lib_get_counter ${ns2} "MPTcpExtAddAddr") ++ count=$(mptcp_lib_get_counter ${ns_rx} "MPTcpExtAddAddr") + if [ -z "$count" ]; then + print_skip + # if the test configured a short timeout tolerate greater then expected +@@ -1582,7 +1592,7 @@ chk_add_nr() + fi + + print_check "echo" +- count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtEchoAdd") ++ count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtEchoAdd") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$echo_nr" ]; then +@@ -1593,7 +1603,7 @@ chk_add_nr() + + if [ $port_nr -gt 0 ]; then + print_check "pt" +- count=$(mptcp_lib_get_counter ${ns2} "MPTcpExtPortAdd") ++ count=$(mptcp_lib_get_counter ${ns_rx} "MPTcpExtPortAdd") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$port_nr" ]; then +@@ -1603,7 +1613,7 @@ chk_add_nr() + fi + + print_check "syn" +- count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtMPJoinPortSynRx") ++ count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtMPJoinPortSynRx") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$syn_nr" ]; then +@@ -1614,7 +1624,7 @@ chk_add_nr() + fi + + print_check "synack" +- count=$(mptcp_lib_get_counter ${ns2} "MPTcpExtMPJoinPortSynAckRx") ++ count=$(mptcp_lib_get_counter ${ns_rx} "MPTcpExtMPJoinPortSynAckRx") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$syn_ack_nr" ]; then +@@ -1625,7 +1635,7 @@ chk_add_nr() + fi + + print_check "ack" +- count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtMPJoinPortAckRx") ++ count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtMPJoinPortAckRx") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$ack_nr" ]; then +@@ -1636,7 +1646,7 @@ chk_add_nr() + fi + + print_check "syn" +- count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtMismatchPortSynRx") ++ count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtMismatchPortSynRx") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$mis_syn_nr" ]; then +@@ -1647,7 +1657,7 @@ chk_add_nr() + fi + + print_check "ack" +- count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtMismatchPortAckRx") ++ count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtMismatchPortAckRx") + if [ -z "$count" ]; then + print_skip + elif [ "$count" != "$mis_ack_nr" ]; then +@@ -1657,6 +1667,8 @@ chk_add_nr() + print_ok + fi + fi ++ ++ print_info "$extra_msg" + } + + chk_add_tx_nr() +-- +2.43.0 + diff --git a/queue-6.6/selftests-mptcp-join-test-both-signal-subflow.patch b/queue-6.6/selftests-mptcp-join-test-both-signal-subflow.patch new file mode 100644 index 00000000000..c3b1c38a6c0 --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-test-both-signal-subflow.patch @@ -0,0 +1,69 @@ +From 7d7e260cc83ab2a75c2db111546f61cb4ed7af60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 13:05:59 +0200 +Subject: selftests: mptcp: join: test both signal & subflow + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 4d2868b5d191c74262f7407972d68d1bf3245d6a ] + +It should be quite uncommon to set both the subflow and the signal +flags: the initiator of the connection is typically the one creating new +subflows, not the other peer, then no need to announce additional local +addresses, and use it to create subflows. + +But some people might be confused about the flags, and set both "just to +be sure at least the right one is set". To verify the previous fix, and +avoid future regressions, this specific case is now validated: the +client announces a new address, and initiates a new subflow from the +same address. + +While working on this, another bug has been noticed, where the client +reset the new subflow because an ADD_ADDR echo got received as the 3rd +ACK: this new test also explicitly checks that no RST have been sent by +the client and server. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240731-upstream-net-20240731-mptcp-endp-subflow-signal-v1-7-c8a9b036493b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh +index f928db7b999ee..5879c63af0249 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -2133,6 +2133,21 @@ signal_address_tests() + chk_add_nr 1 1 + fi + ++ # uncommon: subflow and signal flags on the same endpoint ++ # or because the user wrongly picked both, but still expects the client ++ # to create additional subflows ++ if reset "subflow and signal together"; then ++ pm_nl_set_limits $ns1 0 2 ++ pm_nl_set_limits $ns2 0 2 ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags signal,subflow ++ run_tests $ns1 $ns2 10.0.1.1 ++ chk_join_nr 1 1 1 ++ chk_add_nr 1 1 0 invert # only initiated by ns2 ++ chk_add_nr 0 0 0 # none initiated by ns1 ++ chk_rst_nr 0 0 invert # no RST sent by the client ++ chk_rst_nr 0 0 # no RST sent by the server ++ fi ++ + # accept and use add_addr with additional subflows + if reset "multiple subflows and signal"; then + pm_nl_set_limits $ns1 0 3 +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..87a84034c29 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,70 @@ +irqchip-mbigen-fix-mbigen-node-address-layout.patch +platform-x86-intel-ifs-store-ifs-generation-number.patch +platform-x86-intel-ifs-gen2-scan-test-support.patch +platform-x86-intel-ifs-initialize-union-ifs_status-t.patch +jump_label-fix-the-fix-brown-paper-bags-galore.patch +x86-mm-fix-pti_clone_pgtable-alignment-assumption.patch +x86-mm-fix-pti_clone_entry_text-for-i386.patch +smb-client-handle-lack-of-fsctl_get_reparse_point-su.patch +wifi-ath12k-rename-the-sc-naming-convention-to-ab.patch +wifi-ath12k-add-ce-and-ext-irq-flag-to-indicate-irq_.patch +wifi-ath12k-fix-soft-lockup-on-suspend.patch +selftests-mptcp-join-ability-to-invert-add_addr-chec.patch +selftests-mptcp-join-test-both-signal-subflow.patch +sctp-fix-null-ptr-deref-in-reuseport_add_sock.patch +net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch +net-bridge-mcast-wait-for-previous-gc-cycles-when-re.patch +net-linkwatch-use-system_unbound_wq.patch +ice-fix-reset-handler.patch +bluetooth-l2cap-always-unlock-channel-in-l2cap_conle.patch +bluetooth-hci_sync-avoid-dup-filtering-when-passive-.patch +net-smc-add-the-max-value-of-fallback-reason-count.patch +net-dsa-bcm_sf2-fix-a-possible-memory-leak-in-bcm_sf.patch +l2tp-fix-lockdep-splat.patch +net-bcmgenet-properly-overlay-phy-and-mac-wake-on-la.patch +net-fec-stop-pps-on-driver-remove.patch +gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch +hwmon-corsair-psu-add-usb-id-of-hx1200i-series-2023-.patch +rcutorture-fix-rcu_torture_fwd_cb_cr-data-race.patch +md-do-not-delete-safemode_timer-in-mddev_suspend.patch +md-raid5-avoid-bug_on-while-continue-reshape-after-r.patch +block-change-rq_integrity_vec-to-respect-the-iterato.patch +rcu-fix-rcu_barrier-vs-post-cpuhp_teardown_cpu-invoc.patch +clocksource-drivers-sh_cmt-address-race-condition-fo.patch +acpi-battery-create-alarm-sysfs-attribute-atomically.patch +acpi-sbs-manage-alarm-sysfs-attribute-through-psy-co.patch +xen-privcmd-switch-from-mutex-to-spinlock-for-irqfds.patch +wifi-nl80211-disallow-setting-special-ap-channel-wid.patch +r8169-remove-detection-of-chip-version-11-early-rtl8.patch +wifi-ath12k-fix-memory-leak-in-ath12k_dp_rx_peer_fra.patch +net-mlx5e-shampo-fix-invalid-wq-linked-list-unlink.patch +selftests-bpf-fix-send_signal-test-with-nested-confi.patch +af_unix-don-t-retry-after-unix_state_lock_nested-in-.patch +pci-add-edimax-vendor-id-to-pci_ids.h.patch +udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch +wifi-nl80211-don-t-give-key-data-to-userspace.patch +can-mcp251xfd-tef-prepare-to-workaround-broken-tef-f.patch +can-mcp251xfd-tef-update-workaround-for-erratum-ds80.patch +net-stmmac-qcom-ethqos-enable-sgmii-loopback-during-.patch +btrfs-do-not-clear-page-dirty-inside-extent_write_lo.patch +btrfs-fix-bitmap-leak-when-loading-free-space-cache-.patch +bluetooth-btnxpuart-shutdown-timer-and-prevent-rearm.patch +drm-amd-display-add-delay-to-improve-lttpr-uhbr-inte.patch +drm-amdgpu-fix-potential-resource-leak-warning.patch +drm-amdgpu-pm-fix-the-param-type-of-set_power_profil.patch +drm-amdgpu-pm-fix-the-null-pointer-dereference-for-s.patch +drm-amdgpu-fix-the-null-pointer-dereference-to-ras_m.patch +drm-amdgpu-pm-fix-the-null-pointer-dereference-in-ap.patch +drm-admgpu-fix-dereferencing-null-pointer-context.patch +drm-amdgpu-add-lock-around-vf-rlcg-interface.patch +drm-amd-pm-fix-the-null-pointer-dereference-for-vega.patch +media-amphion-remove-lock-in-s_ctrl-callback.patch +drm-amd-display-add-null-check-for-afb-before-derefe.patch +drm-amd-display-add-null-checker-before-passing-vari.patch +media-uvcvideo-ignore-empty-ts-packets.patch +media-uvcvideo-fix-the-bandwdith-quirk-on-usb-3.x.patch +media-xc2028-avoid-use-after-free-in-load_firmware_c.patch +ext4-fix-uninitialized-variable-in-ext4_inlinedir_to.patch +jbd2-avoid-memleak-in-jbd2_journal_write_metadata_bu.patch +s390-sclp-prevent-release-of-buffer-in-i-o.patch +sunrpc-fix-a-race-to-wake-a-sync-task.patch diff --git a/queue-6.6/smb-client-handle-lack-of-fsctl_get_reparse_point-su.patch b/queue-6.6/smb-client-handle-lack-of-fsctl_get_reparse_point-su.patch new file mode 100644 index 00000000000..8c92f33b186 --- /dev/null +++ b/queue-6.6/smb-client-handle-lack-of-fsctl_get_reparse_point-su.patch @@ -0,0 +1,134 @@ +From 1834f9630fda0d4cc8036727fd06d0431ae2424d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 10:23:39 -0300 +Subject: smb: client: handle lack of FSCTL_GET_REPARSE_POINT support + +From: Paulo Alcantara + +[ Upstream commit 4b96024ef2296b1d323af327cae5e52809b61420 ] + +As per MS-FSA 2.1.5.10.14, support for FSCTL_GET_REPARSE_POINT is +optional and if the server doesn't support it, +STATUS_INVALID_DEVICE_REQUEST must be returned for the operation. + +If we find files with reparse points and we can't read them due to +lack of client or server support, just ignore it and then treat them +as regular files or junctions. + +Fixes: 5f71ebc41294 ("smb: client: parse reparse point flag in create response") +Reported-by: Sebastian Steinbeisser +Tested-by: Sebastian Steinbeisser +Acked-by: Tom Talpey +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 17 +++++++++++++++-- + fs/smb/client/reparse.c | 4 ++++ + fs/smb/client/reparse.h | 19 +++++++++++++++++-- + fs/smb/client/smb2inode.c | 2 ++ + 4 files changed, 38 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 9cdbc3ccc1d14..e74ba047902d8 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1023,13 +1023,26 @@ static int reparse_info_to_fattr(struct cifs_open_info_data *data, + } + + rc = -EOPNOTSUPP; +- switch ((data->reparse.tag = tag)) { +- case 0: /* SMB1 symlink */ ++ data->reparse.tag = tag; ++ if (!data->reparse.tag) { + if (server->ops->query_symlink) { + rc = server->ops->query_symlink(xid, tcon, + cifs_sb, full_path, + &data->symlink_target); + } ++ if (rc == -EOPNOTSUPP) ++ data->reparse.tag = IO_REPARSE_TAG_INTERNAL; ++ } ++ ++ switch (data->reparse.tag) { ++ case 0: /* SMB1 symlink */ ++ break; ++ case IO_REPARSE_TAG_INTERNAL: ++ rc = 0; ++ if (le32_to_cpu(data->fi.Attributes) & ATTR_DIRECTORY) { ++ cifs_create_junction_fattr(fattr, sb); ++ goto out; ++ } + break; + case IO_REPARSE_TAG_MOUNT_POINT: + cifs_create_junction_fattr(fattr, sb); +diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c +index a0ffbda907331..689d8a506d459 100644 +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -505,6 +505,10 @@ bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb, + } + + switch (tag) { ++ case IO_REPARSE_TAG_INTERNAL: ++ if (!(fattr->cf_cifsattrs & ATTR_DIRECTORY)) ++ return false; ++ fallthrough; + case IO_REPARSE_TAG_DFS: + case IO_REPARSE_TAG_DFSR: + case IO_REPARSE_TAG_MOUNT_POINT: +diff --git a/fs/smb/client/reparse.h b/fs/smb/client/reparse.h +index 6b55d1df9e2f8..2c0644bc4e65a 100644 +--- a/fs/smb/client/reparse.h ++++ b/fs/smb/client/reparse.h +@@ -12,6 +12,12 @@ + #include "fs_context.h" + #include "cifsglob.h" + ++/* ++ * Used only by cifs.ko to ignore reparse points from files when client or ++ * server doesn't support FSCTL_GET_REPARSE_POINT. ++ */ ++#define IO_REPARSE_TAG_INTERNAL ((__u32)~0U) ++ + static inline dev_t reparse_nfs_mkdev(struct reparse_posix_data *buf) + { + u64 v = le64_to_cpu(*(__le64 *)buf->DataBuffer); +@@ -78,10 +84,19 @@ static inline u32 reparse_mode_wsl_tag(mode_t mode) + static inline bool reparse_inode_match(struct inode *inode, + struct cifs_fattr *fattr) + { ++ struct cifsInodeInfo *cinode = CIFS_I(inode); + struct timespec64 ctime = inode_get_ctime(inode); + +- return (CIFS_I(inode)->cifsAttrs & ATTR_REPARSE) && +- CIFS_I(inode)->reparse_tag == fattr->cf_cifstag && ++ /* ++ * Do not match reparse tags when client or server doesn't support ++ * FSCTL_GET_REPARSE_POINT. @fattr->cf_cifstag should contain correct ++ * reparse tag from query dir response but the client won't be able to ++ * read the reparse point data anyway. This spares us a revalidation. ++ */ ++ if (cinode->reparse_tag != IO_REPARSE_TAG_INTERNAL && ++ cinode->reparse_tag != fattr->cf_cifstag) ++ return false; ++ return (cinode->cifsAttrs & ATTR_REPARSE) && + timespec64_equal(&ctime, &fattr->cf_ctime); + } + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index 86f8c81791374..28031c7ba6b19 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -930,6 +930,8 @@ int smb2_query_path_info(const unsigned int xid, + + switch (rc) { + case 0: ++ rc = parse_create_response(data, cifs_sb, &out_iov[0]); ++ break; + case -EOPNOTSUPP: + /* + * BB TODO: When support for special files added to Samba +-- +2.43.0 + diff --git a/queue-6.6/sunrpc-fix-a-race-to-wake-a-sync-task.patch b/queue-6.6/sunrpc-fix-a-race-to-wake-a-sync-task.patch new file mode 100644 index 00000000000..ccf699a69f7 --- /dev/null +++ b/queue-6.6/sunrpc-fix-a-race-to-wake-a-sync-task.patch @@ -0,0 +1,53 @@ +From 6c36d668a8d02c1eb7a37171fd0dcef82d2bfc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2024 10:49:33 -0400 +Subject: SUNRPC: Fix a race to wake a sync task + +From: Benjamin Coddington + +[ Upstream commit ed0172af5d6fc07d1b40ca82f5ca3979300369f7 ] + +We've observed NFS clients with sync tasks sleeping in __rpc_execute +waiting on RPC_TASK_QUEUED that have not responded to a wake-up from +rpc_make_runnable(). I suspect this problem usually goes unnoticed, +because on a busy client the task will eventually be re-awoken by another +task completion or xprt event. However, if the state manager is draining +the slot table, a sync task missing a wake-up can result in a hung client. + +We've been able to prove that the waker in rpc_make_runnable() successfully +calls wake_up_bit() (ie- there's no race to tk_runstate), but the +wake_up_bit() call fails to wake the waiter. I suspect the waker is +missing the load of the bit's wait_queue_head, so waitqueue_active() is +false. There are some very helpful comments about this problem above +wake_up_bit(), prepare_to_wait(), and waitqueue_active(). + +Fix this by inserting smp_mb__after_atomic() before the wake_up_bit(), +which pairs with prepare_to_wait() calling set_current_state(). + +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/sched.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 6debf4fd42d4e..cef623ea15060 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -369,8 +369,10 @@ static void rpc_make_runnable(struct workqueue_struct *wq, + if (RPC_IS_ASYNC(task)) { + INIT_WORK(&task->u.tk_work, rpc_async_schedule); + queue_work(wq, &task->u.tk_work); +- } else ++ } else { ++ smp_mb__after_atomic(); + wake_up_bit(&task->tk_runstate, RPC_TASK_QUEUED); ++ } + } + + /* +-- +2.43.0 + diff --git a/queue-6.6/udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch b/queue-6.6/udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch new file mode 100644 index 00000000000..4fc8489cce1 --- /dev/null +++ b/queue-6.6/udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch @@ -0,0 +1,113 @@ +From 22de9d26fea88d1171ee8243ad720d6a1ebcd15c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 10:24:13 +0300 +Subject: udf: prevent integer overflow in udf_bitmap_free_blocks() + +From: Roman Smirnov + +[ Upstream commit 56e69e59751d20993f243fb7dd6991c4e522424c ] + +An overflow may occur if the function is called with the last +block and an offset greater than zero. It is necessary to add +a check to avoid this. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +[JK: Make test cover also unalloc table freeing] + +Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru +Suggested-by: Jan Kara +Signed-off-by: Roman Smirnov +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/balloc.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c +index 558ad046972ad..bb471ec364046 100644 +--- a/fs/udf/balloc.c ++++ b/fs/udf/balloc.c +@@ -18,6 +18,7 @@ + #include "udfdecl.h" + + #include ++#include + + #include "udf_i.h" + #include "udf_sb.h" +@@ -140,7 +141,6 @@ static void udf_bitmap_free_blocks(struct super_block *sb, + { + struct udf_sb_info *sbi = UDF_SB(sb); + struct buffer_head *bh = NULL; +- struct udf_part_map *partmap; + unsigned long block; + unsigned long block_group; + unsigned long bit; +@@ -149,19 +149,9 @@ static void udf_bitmap_free_blocks(struct super_block *sb, + unsigned long overflow; + + mutex_lock(&sbi->s_alloc_mutex); +- partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; +- if (bloc->logicalBlockNum + count < count || +- (bloc->logicalBlockNum + count) > partmap->s_partition_len) { +- udf_debug("%u < %d || %u + %u > %u\n", +- bloc->logicalBlockNum, 0, +- bloc->logicalBlockNum, count, +- partmap->s_partition_len); +- goto error_return; +- } +- ++ /* We make sure this cannot overflow when mounting the filesystem */ + block = bloc->logicalBlockNum + offset + + (sizeof(struct spaceBitmapDesc) << 3); +- + do { + overflow = 0; + block_group = block >> (sb->s_blocksize_bits + 3); +@@ -391,7 +381,6 @@ static void udf_table_free_blocks(struct super_block *sb, + uint32_t count) + { + struct udf_sb_info *sbi = UDF_SB(sb); +- struct udf_part_map *partmap; + uint32_t start, end; + uint32_t elen; + struct kernel_lb_addr eloc; +@@ -400,16 +389,6 @@ static void udf_table_free_blocks(struct super_block *sb, + struct udf_inode_info *iinfo; + + mutex_lock(&sbi->s_alloc_mutex); +- partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; +- if (bloc->logicalBlockNum + count < count || +- (bloc->logicalBlockNum + count) > partmap->s_partition_len) { +- udf_debug("%u < %d || %u + %u > %u\n", +- bloc->logicalBlockNum, 0, +- bloc->logicalBlockNum, count, +- partmap->s_partition_len); +- goto error_return; +- } +- + iinfo = UDF_I(table); + udf_add_free_space(sb, sbi->s_partition, count); + +@@ -684,6 +663,17 @@ void udf_free_blocks(struct super_block *sb, struct inode *inode, + { + uint16_t partition = bloc->partitionReferenceNum; + struct udf_part_map *map = &UDF_SB(sb)->s_partmaps[partition]; ++ uint32_t blk; ++ ++ if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) || ++ check_add_overflow(blk, count, &blk) || ++ bloc->logicalBlockNum + count > map->s_partition_len) { ++ udf_debug("Invalid request to free blocks: (%d, %u), off %u, " ++ "len %u, partition len %u\n", ++ partition, bloc->logicalBlockNum, offset, count, ++ map->s_partition_len); ++ return; ++ } + + if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) { + udf_bitmap_free_blocks(sb, map->s_uspace.s_bitmap, +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-add-ce-and-ext-irq-flag-to-indicate-irq_.patch b/queue-6.6/wifi-ath12k-add-ce-and-ext-irq-flag-to-indicate-irq_.patch new file mode 100644 index 00000000000..4bbd172ca73 --- /dev/null +++ b/queue-6.6/wifi-ath12k-add-ce-and-ext-irq-flag-to-indicate-irq_.patch @@ -0,0 +1,105 @@ +From 790a67e64b0eddfa79da45c03f409ad43a13cb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 18:09:47 +0200 +Subject: wifi: ath12k: add CE and ext IRQ flag to indicate irq_handler + +From: Kang Yang + +[ Upstream commit 604308a34487eaa382c50fcdb4396c435030b4fa ] + +Add two flags to indicate whether IRQ handler for CE and DP can be called. +This is because in one MSI vector case, interrupt is not disabled in +hif_stop and hif_irq_disable. So if interrupt is disabled, MHI interrupt +is disabled too. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 + +Signed-off-by: Kang Yang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231121021304.12966-3-quic_kangyang@quicinc.com +Stable-dep-of: a47f3320bb4b ("wifi: ath12k: fix soft lockup on suspend") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/core.h | 2 ++ + drivers/net/wireless/ath/ath12k/pci.c | 16 ++++++++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h +index c926952c956ef..33f4706af880d 100644 +--- a/drivers/net/wireless/ath/ath12k/core.h ++++ b/drivers/net/wireless/ath/ath12k/core.h +@@ -181,6 +181,8 @@ enum ath12k_dev_flags { + ATH12K_FLAG_REGISTERED, + ATH12K_FLAG_QMI_FAIL, + ATH12K_FLAG_HTC_SUSPEND_COMPLETE, ++ ATH12K_FLAG_CE_IRQ_ENABLED, ++ ATH12K_FLAG_EXT_IRQ_ENABLED, + }; + + enum ath12k_monitor_flags { +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index a6a5f9bcffbd6..f27b93c20a349 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -373,6 +373,8 @@ static void ath12k_pci_ce_irqs_disable(struct ath12k_base *ab) + { + int i; + ++ clear_bit(ATH12K_FLAG_CE_IRQ_ENABLED, &ab->dev_flags); ++ + for (i = 0; i < ab->hw_params->ce_count; i++) { + if (ath12k_ce_get_attr_flags(ab, i) & CE_ATTR_DIS_INTR) + continue; +@@ -406,6 +408,10 @@ static void ath12k_pci_ce_tasklet(struct tasklet_struct *t) + static irqreturn_t ath12k_pci_ce_interrupt_handler(int irq, void *arg) + { + struct ath12k_ce_pipe *ce_pipe = arg; ++ struct ath12k_base *ab = ce_pipe->ab; ++ ++ if (!test_bit(ATH12K_FLAG_CE_IRQ_ENABLED, &ab->dev_flags)) ++ return IRQ_HANDLED; + + /* last interrupt received for this CE */ + ce_pipe->timestamp = jiffies; +@@ -428,6 +434,8 @@ static void __ath12k_pci_ext_irq_disable(struct ath12k_base *ab) + { + int i; + ++ clear_bit(ATH12K_FLAG_EXT_IRQ_ENABLED, &ab->dev_flags); ++ + for (i = 0; i < ATH12K_EXT_IRQ_GRP_NUM_MAX; i++) { + struct ath12k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; + +@@ -483,6 +491,10 @@ static int ath12k_pci_ext_grp_napi_poll(struct napi_struct *napi, int budget) + static irqreturn_t ath12k_pci_ext_interrupt_handler(int irq, void *arg) + { + struct ath12k_ext_irq_grp *irq_grp = arg; ++ struct ath12k_base *ab = irq_grp->ab; ++ ++ if (!test_bit(ATH12K_FLAG_EXT_IRQ_ENABLED, &ab->dev_flags)) ++ return IRQ_HANDLED; + + ath12k_dbg(irq_grp->ab, ATH12K_DBG_PCI, "ext irq:%d\n", irq); + +@@ -626,6 +638,8 @@ static void ath12k_pci_ce_irqs_enable(struct ath12k_base *ab) + { + int i; + ++ set_bit(ATH12K_FLAG_CE_IRQ_ENABLED, &ab->dev_flags); ++ + for (i = 0; i < ab->hw_params->ce_count; i++) { + if (ath12k_ce_get_attr_flags(ab, i) & CE_ATTR_DIS_INTR) + continue; +@@ -956,6 +970,8 @@ void ath12k_pci_ext_irq_enable(struct ath12k_base *ab) + { + int i; + ++ set_bit(ATH12K_FLAG_EXT_IRQ_ENABLED, &ab->dev_flags); ++ + for (i = 0; i < ATH12K_EXT_IRQ_GRP_NUM_MAX; i++) { + struct ath12k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; + +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-fix-memory-leak-in-ath12k_dp_rx_peer_fra.patch b/queue-6.6/wifi-ath12k-fix-memory-leak-in-ath12k_dp_rx_peer_fra.patch new file mode 100644 index 00000000000..cfcca4d521d --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-memory-leak-in-ath12k_dp_rx_peer_fra.patch @@ -0,0 +1,40 @@ +From e1c29c221a87195652a587857f366f5c7aed49b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 May 2024 20:42:26 +0800 +Subject: wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup() + +From: Baochen Qiang + +[ Upstream commit 3d60041543189438cd1b03a1fa40ff6681c77970 ] + +Currently the resource allocated by crypto_alloc_shash() is not +freed in case ath12k_peer_find() fails, resulting in memory leak. + +Add crypto_free_shash() to fix it. + +This is found during code review, compile tested only. + +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240526124226.24661-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index 2c17b1e7681a5..d9bc07844fb71 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -2759,6 +2759,7 @@ int ath12k_dp_rx_peer_frag_setup(struct ath12k *ar, const u8 *peer_mac, int vdev + peer = ath12k_peer_find(ab, vdev_id, peer_mac); + if (!peer) { + spin_unlock_bh(&ab->base_lock); ++ crypto_free_shash(tfm); + ath12k_warn(ab, "failed to find the peer to set up fragment info\n"); + return -ENOENT; + } +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-fix-soft-lockup-on-suspend.patch b/queue-6.6/wifi-ath12k-fix-soft-lockup-on-suspend.patch new file mode 100644 index 00000000000..b1365e66415 --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-soft-lockup-on-suspend.patch @@ -0,0 +1,48 @@ +From 5521caebc9a852dc766087df59c2f38e85e63e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jul 2024 09:31:32 +0200 +Subject: wifi: ath12k: fix soft lockup on suspend + +From: Johan Hovold + +[ Upstream commit a47f3320bb4ba6714abe8dddb36399367b491358 ] + +The ext interrupts are enabled when the firmware has been started, but +this may never happen, for example, if the board configuration file is +missing. + +When the system is later suspended, the driver unconditionally tries to +disable interrupts, which results in an irq disable imbalance and causes +the driver to spin indefinitely in napi_synchronize(). + +Make sure that the interrupts have been enabled before attempting to +disable them. + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Cc: stable@vger.kernel.org # 6.3 +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Link: https://patch.msgid.link/20240709073132.9168-1-johan+linaro@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index f27b93c20a349..041a9602f0e15 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -434,7 +434,8 @@ static void __ath12k_pci_ext_irq_disable(struct ath12k_base *ab) + { + int i; + +- clear_bit(ATH12K_FLAG_EXT_IRQ_ENABLED, &ab->dev_flags); ++ if (!test_and_clear_bit(ATH12K_FLAG_EXT_IRQ_ENABLED, &ab->dev_flags)) ++ return; + + for (i = 0; i < ATH12K_EXT_IRQ_GRP_NUM_MAX; i++) { + struct ath12k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-rename-the-sc-naming-convention-to-ab.patch b/queue-6.6/wifi-ath12k-rename-the-sc-naming-convention-to-ab.patch new file mode 100644 index 00000000000..fab4f2da6fd --- /dev/null +++ b/queue-6.6/wifi-ath12k-rename-the-sc-naming-convention-to-ab.patch @@ -0,0 +1,80 @@ +From ab81cc3b83cd7e361d5ce3c05d5f0c27046ec87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:00:08 +0530 +Subject: wifi: ath12k: rename the sc naming convention to ab + +From: Karthikeyan Periyasamy + +[ Upstream commit cda8607e824b8f4f1e5f26fef17736c8be4358f8 ] + +In PCI and HAL interface layer module, the identifier sc is used +to represent an instance of ath12k_base structure. However, +within ath12k, the convention is to use "ab" to represent an SoC +"base" struct. So change the all instances of sc to ab. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00125-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Karthikeyan Periyasamy +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231018153008.29820-3-quic_periyasa@quicinc.com +Stable-dep-of: a47f3320bb4b ("wifi: ath12k: fix soft lockup on suspend") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/hif.h | 18 +++++++++--------- + drivers/net/wireless/ath/ath12k/pci.c | 4 ++-- + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/hif.h b/drivers/net/wireless/ath/ath12k/hif.h +index 4cbf9b5c04b9c..c653ca1f59b22 100644 +--- a/drivers/net/wireless/ath/ath12k/hif.h ++++ b/drivers/net/wireless/ath/ath12k/hif.h +@@ -10,17 +10,17 @@ + #include "core.h" + + struct ath12k_hif_ops { +- u32 (*read32)(struct ath12k_base *sc, u32 address); +- void (*write32)(struct ath12k_base *sc, u32 address, u32 data); +- void (*irq_enable)(struct ath12k_base *sc); +- void (*irq_disable)(struct ath12k_base *sc); +- int (*start)(struct ath12k_base *sc); +- void (*stop)(struct ath12k_base *sc); +- int (*power_up)(struct ath12k_base *sc); +- void (*power_down)(struct ath12k_base *sc); ++ u32 (*read32)(struct ath12k_base *ab, u32 address); ++ void (*write32)(struct ath12k_base *ab, u32 address, u32 data); ++ void (*irq_enable)(struct ath12k_base *ab); ++ void (*irq_disable)(struct ath12k_base *ab); ++ int (*start)(struct ath12k_base *ab); ++ void (*stop)(struct ath12k_base *ab); ++ int (*power_up)(struct ath12k_base *ab); ++ void (*power_down)(struct ath12k_base *ab); + int (*suspend)(struct ath12k_base *ab); + int (*resume)(struct ath12k_base *ab); +- int (*map_service_to_pipe)(struct ath12k_base *sc, u16 service_id, ++ int (*map_service_to_pipe)(struct ath12k_base *ab, u16 service_id, + u8 *ul_pipe, u8 *dl_pipe); + int (*get_user_msi_vector)(struct ath12k_base *ab, char *user_name, + int *num_vectors, u32 *user_base_data, +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index 58cd678555964..a6a5f9bcffbd6 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -424,12 +424,12 @@ static void ath12k_pci_ext_grp_disable(struct ath12k_ext_irq_grp *irq_grp) + disable_irq_nosync(irq_grp->ab->irq_num[irq_grp->irqs[i]]); + } + +-static void __ath12k_pci_ext_irq_disable(struct ath12k_base *sc) ++static void __ath12k_pci_ext_irq_disable(struct ath12k_base *ab) + { + int i; + + for (i = 0; i < ATH12K_EXT_IRQ_GRP_NUM_MAX; i++) { +- struct ath12k_ext_irq_grp *irq_grp = &sc->ext_irq_grp[i]; ++ struct ath12k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; + + ath12k_pci_ext_grp_disable(irq_grp); + +-- +2.43.0 + diff --git a/queue-6.6/wifi-nl80211-disallow-setting-special-ap-channel-wid.patch b/queue-6.6/wifi-nl80211-disallow-setting-special-ap-channel-wid.patch new file mode 100644 index 00000000000..52829abc2f1 --- /dev/null +++ b/queue-6.6/wifi-nl80211-disallow-setting-special-ap-channel-wid.patch @@ -0,0 +1,62 @@ +From d2122c26b2dc92cfbcb679130069f6b97c00c782 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:16:00 +0200 +Subject: wifi: nl80211: disallow setting special AP channel widths + +From: Johannes Berg + +[ Upstream commit 23daf1b4c91db9b26f8425cc7039cf96d22ccbfe ] + +Setting the AP channel width is meant for use with the normal +20/40/... MHz channel width progression, and switching around +in S1G or narrow channels isn't supported. Disallow that. + +Reported-by: syzbot+bc0f5b92cc7091f45fb6@syzkaller.appspotmail.com +Link: https://msgid.link/20240515141600.d4a9590bfe32.I19a32d60097e81b527eafe6b0924f6c5fbb2dc45@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 8f8f077e6cd40..053258b4e28d2 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3398,6 +3398,33 @@ static int __nl80211_set_channel(struct cfg80211_registered_device *rdev, + if (chandef.chan != cur_chan) + return -EBUSY; + ++ /* only allow this for regular channel widths */ ++ switch (wdev->links[link_id].ap.chandef.width) { ++ case NL80211_CHAN_WIDTH_20_NOHT: ++ case NL80211_CHAN_WIDTH_20: ++ case NL80211_CHAN_WIDTH_40: ++ case NL80211_CHAN_WIDTH_80: ++ case NL80211_CHAN_WIDTH_80P80: ++ case NL80211_CHAN_WIDTH_160: ++ case NL80211_CHAN_WIDTH_320: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ switch (chandef.width) { ++ case NL80211_CHAN_WIDTH_20_NOHT: ++ case NL80211_CHAN_WIDTH_20: ++ case NL80211_CHAN_WIDTH_40: ++ case NL80211_CHAN_WIDTH_80: ++ case NL80211_CHAN_WIDTH_80P80: ++ case NL80211_CHAN_WIDTH_160: ++ case NL80211_CHAN_WIDTH_320: ++ break; ++ default: ++ return -EINVAL; ++ } ++ + result = rdev_set_ap_chanwidth(rdev, dev, link_id, + &chandef); + if (result) +-- +2.43.0 + diff --git a/queue-6.6/wifi-nl80211-don-t-give-key-data-to-userspace.patch b/queue-6.6/wifi-nl80211-don-t-give-key-data-to-userspace.patch new file mode 100644 index 00000000000..4d22d9e0389 --- /dev/null +++ b/queue-6.6/wifi-nl80211-don-t-give-key-data-to-userspace.patch @@ -0,0 +1,55 @@ +From c6670c58cae5a144c8c4861af257cee7c76c5238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 10:44:11 +0200 +Subject: wifi: nl80211: don't give key data to userspace + +From: Johannes Berg + +[ Upstream commit a7e5793035792cc46a1a4b0a783655ffa897dfe9 ] + +When a key is requested by userspace, there's really no need +to include the key data, the sequence counter is really what +userspace needs in this case. The fact that it's included is +just a historic quirk. + +Remove the key data. + +Reviewed-by: Miriam Rachel Korenblit +Link: https://patch.msgid.link/20240627104411.b6a4f097e4ea.I7e6cc976cb9e8a80ef25a3351330f313373b4578@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 053258b4e28d2..be5c42d6ffbea 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4473,10 +4473,7 @@ static void get_key_callback(void *c, struct key_params *params) + struct nlattr *key; + struct get_key_cookie *cookie = c; + +- if ((params->key && +- nla_put(cookie->msg, NL80211_ATTR_KEY_DATA, +- params->key_len, params->key)) || +- (params->seq && ++ if ((params->seq && + nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ, + params->seq_len, params->seq)) || + (params->cipher && +@@ -4488,10 +4485,7 @@ static void get_key_callback(void *c, struct key_params *params) + if (!key) + goto nla_put_failure; + +- if ((params->key && +- nla_put(cookie->msg, NL80211_KEY_DATA, +- params->key_len, params->key)) || +- (params->seq && ++ if ((params->seq && + nla_put(cookie->msg, NL80211_KEY_SEQ, + params->seq_len, params->seq)) || + (params->cipher && +-- +2.43.0 + diff --git a/queue-6.6/x86-mm-fix-pti_clone_entry_text-for-i386.patch b/queue-6.6/x86-mm-fix-pti_clone_entry_text-for-i386.patch new file mode 100644 index 00000000000..66a9c2f082a --- /dev/null +++ b/queue-6.6/x86-mm-fix-pti_clone_entry_text-for-i386.patch @@ -0,0 +1,42 @@ +From b438b84009c534eead8a9deb80f06317b77d6b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 12:42:25 +0200 +Subject: x86/mm: Fix pti_clone_entry_text() for i386 + +From: Peter Zijlstra + +[ Upstream commit 3db03fb4995ef85fc41e86262ead7b4852f4bcf0 ] + +While x86_64 has PMD aligned text sections, i386 does not have this +luxery. Notably ALIGN_ENTRY_TEXT_END is empty and _etext has PAGE +alignment. + +This means that text on i386 can be page granular at the tail end, +which in turn means that the PTI text clones should consistently +account for this. + +Make pti_clone_entry_text() consistent with pti_clone_kernel_text(). + +Fixes: 16a3fe634f6a ("x86/mm/pti: Clone kernel-image on PTE level for 32 bit") +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c +index f7d1bbe76eb94..41d8c8f475a7c 100644 +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -496,7 +496,7 @@ static void pti_clone_entry_text(void) + { + pti_clone_pgtable((unsigned long) __entry_text_start, + (unsigned long) __entry_text_end, +- PTI_CLONE_PMD); ++ PTI_LEVEL_KERNEL_IMAGE); + } + + /* +-- +2.43.0 + diff --git a/queue-6.6/x86-mm-fix-pti_clone_pgtable-alignment-assumption.patch b/queue-6.6/x86-mm-fix-pti_clone_pgtable-alignment-assumption.patch new file mode 100644 index 00000000000..bc5bcc0786a --- /dev/null +++ b/queue-6.6/x86-mm-fix-pti_clone_pgtable-alignment-assumption.patch @@ -0,0 +1,68 @@ +From 36eab1335cff9be07e91ec594bfd71126c0ab297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 18:31:05 +0200 +Subject: x86/mm: Fix pti_clone_pgtable() alignment assumption + +From: Peter Zijlstra + +[ Upstream commit 41e71dbb0e0a0fe214545fe64af031303a08524c ] + +Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 +that had the form of endless traps until entry stack exhaust and then +#DF from the stack guard. + +It turned out that pti_clone_pgtable() had alignment assumptions on +the start address, notably it hard assumes start is PMD aligned. This +is true on x86_64, but very much not true on i386. + +These assumptions can cause the end condition to malfunction, leading +to a 'short' clone. Guess what happens when the user mapping has a +short copy of the entry text? + +Use the correct increment form for addr to avoid alignment +assumptions. + +Fixes: 16a3fe634f6a ("x86/mm/pti: Clone kernel-image on PTE level for 32 bit") +Reported-by: Guenter Roeck +Tested-by: Guenter Roeck +Suggested-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20240731163105.GG33588@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pti.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c +index 51b6b78e6b175..f7d1bbe76eb94 100644 +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -374,14 +374,14 @@ pti_clone_pgtable(unsigned long start, unsigned long end, + */ + *target_pmd = *pmd; + +- addr += PMD_SIZE; ++ addr = round_up(addr + 1, PMD_SIZE); + + } else if (level == PTI_CLONE_PTE) { + + /* Walk the page-table down to the pte level */ + pte = pte_offset_kernel(pmd, addr); + if (pte_none(*pte)) { +- addr += PAGE_SIZE; ++ addr = round_up(addr + 1, PAGE_SIZE); + continue; + } + +@@ -401,7 +401,7 @@ pti_clone_pgtable(unsigned long start, unsigned long end, + /* Clone the PTE */ + *target_pte = *pte; + +- addr += PAGE_SIZE; ++ addr = round_up(addr + 1, PAGE_SIZE); + + } else { + BUG(); +-- +2.43.0 + diff --git a/queue-6.6/xen-privcmd-switch-from-mutex-to-spinlock-for-irqfds.patch b/queue-6.6/xen-privcmd-switch-from-mutex-to-spinlock-for-irqfds.patch new file mode 100644 index 00000000000..61c2531ae35 --- /dev/null +++ b/queue-6.6/xen-privcmd-switch-from-mutex-to-spinlock-for-irqfds.patch @@ -0,0 +1,127 @@ +From a35c24ad18b8c46406423e427636d2818ae146e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 15:12:28 +0530 +Subject: xen: privcmd: Switch from mutex to spinlock for irqfds + +From: Viresh Kumar + +[ Upstream commit 1c682593096a487fd9aebc079a307ff7a6d054a3 ] + +irqfd_wakeup() gets EPOLLHUP, when it is called by +eventfd_release() by way of wake_up_poll(&ctx->wqh, EPOLLHUP), which +gets called under spin_lock_irqsave(). We can't use a mutex here as it +will lead to a deadlock. + +Fix it by switching over to a spin lock. + +Reported-by: Al Viro +Signed-off-by: Viresh Kumar +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/a66d7a7a9001424d432f52a9fc3931a1f345464f.1718703669.git.viresh.kumar@linaro.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/privcmd.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c +index da88173bac432..923f064c7e3e9 100644 +--- a/drivers/xen/privcmd.c ++++ b/drivers/xen/privcmd.c +@@ -841,7 +841,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file, + #ifdef CONFIG_XEN_PRIVCMD_IRQFD + /* Irqfd support */ + static struct workqueue_struct *irqfd_cleanup_wq; +-static DEFINE_MUTEX(irqfds_lock); ++static DEFINE_SPINLOCK(irqfds_lock); + static LIST_HEAD(irqfds_list); + + struct privcmd_kernel_irqfd { +@@ -905,9 +905,11 @@ irqfd_wakeup(wait_queue_entry_t *wait, unsigned int mode, int sync, void *key) + irqfd_inject(kirqfd); + + if (flags & EPOLLHUP) { +- mutex_lock(&irqfds_lock); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&irqfds_lock, flags); + irqfd_deactivate(kirqfd); +- mutex_unlock(&irqfds_lock); ++ spin_unlock_irqrestore(&irqfds_lock, flags); + } + + return 0; +@@ -925,6 +927,7 @@ irqfd_poll_func(struct file *file, wait_queue_head_t *wqh, poll_table *pt) + static int privcmd_irqfd_assign(struct privcmd_irqfd *irqfd) + { + struct privcmd_kernel_irqfd *kirqfd, *tmp; ++ unsigned long flags; + __poll_t events; + struct fd f; + void *dm_op; +@@ -964,18 +967,18 @@ static int privcmd_irqfd_assign(struct privcmd_irqfd *irqfd) + init_waitqueue_func_entry(&kirqfd->wait, irqfd_wakeup); + init_poll_funcptr(&kirqfd->pt, irqfd_poll_func); + +- mutex_lock(&irqfds_lock); ++ spin_lock_irqsave(&irqfds_lock, flags); + + list_for_each_entry(tmp, &irqfds_list, list) { + if (kirqfd->eventfd == tmp->eventfd) { + ret = -EBUSY; +- mutex_unlock(&irqfds_lock); ++ spin_unlock_irqrestore(&irqfds_lock, flags); + goto error_eventfd; + } + } + + list_add_tail(&kirqfd->list, &irqfds_list); +- mutex_unlock(&irqfds_lock); ++ spin_unlock_irqrestore(&irqfds_lock, flags); + + /* + * Check if there was an event already pending on the eventfd before we +@@ -1007,12 +1010,13 @@ static int privcmd_irqfd_deassign(struct privcmd_irqfd *irqfd) + { + struct privcmd_kernel_irqfd *kirqfd; + struct eventfd_ctx *eventfd; ++ unsigned long flags; + + eventfd = eventfd_ctx_fdget(irqfd->fd); + if (IS_ERR(eventfd)) + return PTR_ERR(eventfd); + +- mutex_lock(&irqfds_lock); ++ spin_lock_irqsave(&irqfds_lock, flags); + + list_for_each_entry(kirqfd, &irqfds_list, list) { + if (kirqfd->eventfd == eventfd) { +@@ -1021,7 +1025,7 @@ static int privcmd_irqfd_deassign(struct privcmd_irqfd *irqfd) + } + } + +- mutex_unlock(&irqfds_lock); ++ spin_unlock_irqrestore(&irqfds_lock, flags); + + eventfd_ctx_put(eventfd); + +@@ -1069,13 +1073,14 @@ static int privcmd_irqfd_init(void) + static void privcmd_irqfd_exit(void) + { + struct privcmd_kernel_irqfd *kirqfd, *tmp; ++ unsigned long flags; + +- mutex_lock(&irqfds_lock); ++ spin_lock_irqsave(&irqfds_lock, flags); + + list_for_each_entry_safe(kirqfd, tmp, &irqfds_list, list) + irqfd_deactivate(kirqfd); + +- mutex_unlock(&irqfds_lock); ++ spin_unlock_irqrestore(&irqfds_lock, flags); + + destroy_workqueue(irqfd_cleanup_wq); + } +-- +2.43.0 +