From: Sasha Levin Date: Sat, 4 Jan 2025 18:04:19 +0000 (-0500) Subject: Fixes for 6.12 X-Git-Tag: v5.4.289~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c6cb1d126107161416f103d886ed57560b5ece11;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin
---
diff --git a/queue-6.12/alsa-hda-ca0132-use-standard-hd-audio-quirk-matching.patch b/queue-6.12/alsa-hda-ca0132-use-standard-hd-audio-quirk-matching.patch
new file mode 100644
index 00000000000..d990aad3806
--- /dev/null
+++ b/queue-6.12/alsa-hda-ca0132-use-standard-hd-audio-quirk-matching.patch
@@ -0,0 +1,141 @@ +From 04f0aea5cedb45cb8156cfcd6e4d2427e7fb8e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 14:37:53 +0100 +Subject: ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers + +From: Takashi Iwai + +[ Upstream commit 7c005292e20ac53dfa601bf2a7375fd4815511ad ] + +CA0132 used the PCI SSID lookup helper that doesn't support the model +string matching or quirk aliasing. + +Replace it with the standard HD-audio quirk helpers for supporting +those, and add the definition of the model strings for supported +quirks, too. There should be no visible change to the outside for the +working system, but the driver will parse the model option and apply +the quirk based on it from now on. + +Link: https://patch.msgid.link/20241207133754.3658-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 37 ++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index e4673a71551a..d40197fb5fbd 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1134,7 +1134,6 @@ struct ca0132_spec { + + struct hda_codec *codec; + struct delayed_work unsol_hp_work; +- int quirk; + + #ifdef ENABLE_TUNING_CONTROLS + long cur_ctl_vals[TUNING_CTLS_COUNT]; +@@ -1166,7 +1165,6 @@ struct ca0132_spec { + * CA0132 quirks table + */ + enum { +- QUIRK_NONE, + QUIRK_ALIENWARE, + QUIRK_ALIENWARE_M17XR4, + QUIRK_SBZ, +@@ -1176,10 +1174,11 @@ enum { + QUIRK_R3D, + QUIRK_AE5, + QUIRK_AE7, ++ QUIRK_NONE = HDA_FIXUP_ID_NOT_SET, + }; + + #ifdef CONFIG_PCI +-#define ca0132_quirk(spec) ((spec)->quirk) ++#define ca0132_quirk(spec) ((spec)->codec->fixup_id) + #define ca0132_use_pci_mmio(spec) ((spec)->use_pci_mmio) + #define ca0132_use_alt_functions(spec) ((spec)->use_alt_functions) + #define ca0132_use_alt_controls(spec) ((spec)->use_alt_controls) +@@ -1293,7 +1292,7 @@ static const 
struct hda_pintbl ae7_pincfgs[] = { + {} + }; + +-static const struct snd_pci_quirk ca0132_quirks[] = { ++static const struct hda_quirk ca0132_quirks[] = { + SND_PCI_QUIRK(0x1028, 0x057b, "Alienware M17x R4", QUIRK_ALIENWARE_M17XR4), + SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15 2015", QUIRK_ALIENWARE), + SND_PCI_QUIRK(0x1028, 0x0688, "Alienware 17 2015", QUIRK_ALIENWARE), +@@ -1316,6 +1315,19 @@ static const struct snd_pci_quirk ca0132_quirks[] = { + {} + }; + ++static const struct hda_model_fixup ca0132_quirk_models[] = { ++ { .id = QUIRK_ALIENWARE, .name = "alienware" }, ++ { .id = QUIRK_ALIENWARE_M17XR4, .name = "alienware-m17xr4" }, ++ { .id = QUIRK_SBZ, .name = "sbz" }, ++ { .id = QUIRK_ZXR, .name = "zxr" }, ++ { .id = QUIRK_ZXR_DBPRO, .name = "zxr-dbpro" }, ++ { .id = QUIRK_R3DI, .name = "r3di" }, ++ { .id = QUIRK_R3D, .name = "r3d" }, ++ { .id = QUIRK_AE5, .name = "ae5" }, ++ { .id = QUIRK_AE7, .name = "ae7" }, ++ {} ++}; ++ + /* Output selection quirk info structures. */ + #define MAX_QUIRK_MMIO_GPIO_SET_VALS 3 + #define MAX_QUIRK_SCP_SET_VALS 2 +@@ -9957,17 +9969,15 @@ static int ca0132_prepare_verbs(struct hda_codec *codec) + */ + static void sbz_detect_quirk(struct hda_codec *codec) + { +- struct ca0132_spec *spec = codec->spec; +- + switch (codec->core.subsystem_id) { + case 0x11020033: +- spec->quirk = QUIRK_ZXR; ++ codec->fixup_id = QUIRK_ZXR; + break; + case 0x1102003f: +- spec->quirk = QUIRK_ZXR_DBPRO; ++ codec->fixup_id = QUIRK_ZXR_DBPRO; + break; + default: +- spec->quirk = QUIRK_SBZ; ++ codec->fixup_id = QUIRK_SBZ; + break; + } + } +@@ -9976,7 +9986,6 @@ static int patch_ca0132(struct hda_codec *codec) + { + struct ca0132_spec *spec; + int err; +- const struct snd_pci_quirk *quirk; + + codec_dbg(codec, "patch_ca0132\n"); + +@@ -9987,11 +9996,7 @@ static int patch_ca0132(struct hda_codec *codec) + spec->codec = codec; + + /* Detect codec quirk */ +- quirk = snd_pci_quirk_lookup(codec->bus->pci, ca0132_quirks); +- if (quirk) +- spec->quirk = 
quirk->value; +- else +- spec->quirk = QUIRK_NONE; ++ snd_hda_pick_fixup(codec, ca0132_quirk_models, ca0132_quirks, NULL); + if (ca0132_quirk(spec) == QUIRK_SBZ) + sbz_detect_quirk(codec); + +@@ -10068,7 +10073,7 @@ static int patch_ca0132(struct hda_codec *codec) + spec->mem_base = pci_iomap(codec->bus->pci, 2, 0xC20); + if (spec->mem_base == NULL) { + codec_warn(codec, "pci_iomap failed! Setting quirk to QUIRK_NONE."); +- spec->quirk = QUIRK_NONE; ++ codec->fixup_id = QUIRK_NONE; + } + } + #endif +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-cs35l56-remove-calls-to-cs35l56_force_sync_.patch b/queue-6.12/alsa-hda-cs35l56-remove-calls-to-cs35l56_force_sync_.patch new file mode 100644 index 00000000000..407618c39da --- /dev/null +++ b/queue-6.12/alsa-hda-cs35l56-remove-calls-to-cs35l56_force_sync_.patch 
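Review bot: In patch_ca0132(), `snd_hda_pick_fixup()` can leave `codec->fixup_id` at `HDA_FIXUP_ID_NO_FIXUP` when the driver is loaded with `model=nofixup`, and that value is neither `QUIRK_NONE` (now `HDA_FIXUP_ID_NOT_SET`) nor any board quirk in the enum. Every `ca0132_quirk(spec) == QUIRK_NONE` comparison would then be false for a codec that has no quirk applied; whether such a comparison guards hardware access, such as the `pci_iomap()` path in the last hunk, cannot be seen from these hunks and needs checking against the full file. Normalising right after the lookup would keep the old two-state meaning: `if (codec->fixup_id < 0) codec->fixup_id = QUIRK_NONE;`. It is also worth a comment above `ca0132_quirk_models[]` saying that the quirk is now selectable through the model option, so quirk-specific code can run on hardware the PCI SSID table did not match. patch_ca0132() starts and ends outside the hunk.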
@@ -0,0 +1,80 @@ +From 557347fd65fb21dc66d2f711179773f7b874d85c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 10:57:57 +0000 +Subject: ALSA: hda: cs35l56: Remove calls to + cs35l56_force_sync_asp1_registers_from_cache() + +From: Simon Trimmer + +[ Upstream commit 47b17ba05a463b22fa79f132e6f6899d53538802 ] + +Commit 5d7e328e20b3 ("ASoC: cs35l56: Revert support for dual-ownership +of ASP registers") +replaced cs35l56_force_sync_asp1_registers_from_cache() with a dummy +implementation so that the HDA driver would continue to build. + +Remove the calls from HDA and remove the stub function. + +Signed-off-by: Simon Trimmer +Signed-off-by: Richard Fitzgerald +Link: https://patch.msgid.link/20241206105757.718750-1-rf@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/cs35l56.h | 6 ------ + sound/pci/hda/cs35l56_hda.c | 8 -------- + 2 files changed, 14 deletions(-) + +diff --git a/include/sound/cs35l56.h b/include/sound/cs35l56.h +index 94e8185c4795..3dc7a1551ac3 100644 +--- a/include/sound/cs35l56.h ++++ b/include/sound/cs35l56.h +@@ -271,12 +271,6 @@ struct cs35l56_base { + struct gpio_desc *reset_gpio; + }; + +-/* Temporary to avoid a build break with the HDA driver */ +-static inline int cs35l56_force_sync_asp1_registers_from_cache(struct cs35l56_base *cs35l56_base) +-{ +- return 0; +-} +- + static inline bool cs35l56_is_otp_register(unsigned int reg) + { + return (reg >> 16) == 3; +diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c +index e3ac0e23ae32..7baf3b506eef 100644 +--- a/sound/pci/hda/cs35l56_hda.c ++++ b/sound/pci/hda/cs35l56_hda.c +@@ -151,10 +151,6 @@ static int cs35l56_hda_runtime_resume(struct device *dev) + } + } + +- ret = cs35l56_force_sync_asp1_registers_from_cache(&cs35l56->base); +- if (ret) +- goto err; +- + return 0; + + err: +@@ -1059,9 +1055,6 @@ int cs35l56_hda_common_probe(struct cs35l56_hda *cs35l56, int hid, int id) + + 
regmap_multi_reg_write(cs35l56->base.regmap, cs35l56_hda_dai_config, + ARRAY_SIZE(cs35l56_hda_dai_config)); +- ret = cs35l56_force_sync_asp1_registers_from_cache(&cs35l56->base); +- if (ret) +- goto dsp_err; + + /* + * By default only enable one ASP1TXn, where n=amplifier index, +@@ -1087,7 +1080,6 @@ int cs35l56_hda_common_probe(struct cs35l56_hda *cs35l56, int hid, int id) + + pm_err: + pm_runtime_disable(cs35l56->base.dev); +-dsp_err: + cs_dsp_remove(&cs35l56->cs_dsp); + err: + gpiod_set_value_cansleep(cs35l56->base.reset_gpio, 0); +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch b/queue-6.12/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch new file mode 100644 index 00000000000..454cce2adf0 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch 
@@ -0,0 +1,40 @@ +From 667322674444c5ee50384fe77f0e6a263e8a6498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 23:18:36 +0300 +Subject: ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model + +From: Vasiliy Kovalev + +[ Upstream commit 50db91fccea0da5c669bc68e2429e8de303758d3 ] + +Introduces the alc2xx-fixup-headset-mic model to simplify enabling +headset microphones on ALC2XX codecs. + +Many recent configurations, as well as older systems that lacked this +fix for a long time, leave headset microphones inactive by default. +This addition provides a flexible workaround using the existing +ALC2XX_FIXUP_HEADSET_MIC quirk. + +Signed-off-by: Vasiliy Kovalev +Link: https://patch.msgid.link/20241207201836.6879-1-kovalev@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e9ec5f79bd45..92fbfcd9ad31 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11184,6 +11184,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"}, + {.id = ALC285_FIXUP_HP_GPIO_AMP_INIT, .name = "alc285-hp-amp-init"}, + {.id = ALC236_FIXUP_LENOVO_INV_DMIC, .name = "alc236-fixup-lenovo-inv-mic"}, ++ {.id = ALC2XX_FIXUP_HEADSET_MIC, .name = "alc2xx-fixup-headset-mic"}, + {} + }; + #define ALC225_STANDARD_PINS \ +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-zen-aio-27-z27.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-zen-aio-27-z27.patch new file mode 100644 index 00000000000..5804af4ee5d --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-zen-aio-27-z27.patch 
@@ -0,0 +1,78 @@ +From b81bd9f285b9ff718407a889bade23600ee2f29e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 00:03:06 +0300 +Subject: ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD + audio + +From: Vasiliy Kovalev + +[ Upstream commit 1b452c2de5555d832cd51c46824272a44ad7acac ] + +Introduces necessary quirks to enable audio functionality on the +ASUS Zen AIO 27 Z272SD_A272SD: +- configures verbs to activate internal speakers and headphone jack. +- implements adjustments for headset microphone functionality. + +The speaker and jack configurations were derived from a dump of +the working Windows driver, while the headset microphone +functionality was fine-tuned through experimental testing. + +Link: https://lore.kernel.org/all/CAGGMHBOGDUnMewBTrZgoBKFk_A4sNF4fEXwfH9Ay8SNTzjy0-g@mail.gmail.com/T/ +Signed-off-by: Vasiliy Kovalev +Link: https://patch.msgid.link/20241205210306.977634-1-kovalev@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 192fc75b51e6..e9ec5f79bd45 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7704,6 +7704,7 @@ enum { + ALC274_FIXUP_HP_MIC, + ALC274_FIXUP_HP_HEADSET_MIC, + ALC274_FIXUP_HP_ENVY_GPIO, ++ ALC274_FIXUP_ASUS_ZEN_AIO_27, + ALC256_FIXUP_ASUS_HPE, + ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, + ALC287_FIXUP_HP_GPIO_LED, +@@ -9505,6 +9506,26 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc274_fixup_hp_envy_gpio, + }, ++ [ALC274_FIXUP_ASUS_ZEN_AIO_27] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x10 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0xc420 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x40 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x8800 }, ++ { 0x20, 
AC_VERB_SET_COEF_INDEX, 0x49 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0249 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x4a }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x202b }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x62 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0xa007 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x6b }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5060 }, ++ {} ++ }, ++ .chained = true, ++ .chain_id = ALC2XX_FIXUP_HEADSET_MIC, ++ }, + [ALC256_FIXUP_ASUS_HPE] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -10615,6 +10636,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), ++ SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27), + SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a30, "ASUS G814JVR/JIR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +-- +2.39.5 + diff --git a/queue-6.12/arc-bpf-correct-conditional-check-in-check_jmp_32.patch b/queue-6.12/arc-bpf-correct-conditional-check-in-check_jmp_32.patch new file mode 100644 index 00000000000..f04c7a8d935 --- /dev/null +++ b/queue-6.12/arc-bpf-correct-conditional-check-in-check_jmp_32.patch 
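Review bot: The six COEF index/value pairs in `[ALC274_FIXUP_ASUS_ZEN_AIO_27]` carry no comment, so a later reader cannot tell where the numbers come from or which of them may be tuned. The commit message says the speaker and jack settings were taken from a dump of the Windows driver; that provenance belongs next to the data, for example `/* COEF values for speakers and headphone jack, from a Windows driver dump */` above the `.v.verbs` initializer. A second short comment on `.chain_id = ALC2XX_FIXUP_HEADSET_MIC` noting that the headset-mic part was found by experiment would separate the vendor-derived values from the empirical ones.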
@@ -0,0 +1,42 @@ +From 6f79a7774bc646e286a2cf1f37669854119f6916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2024 19:11:18 +0530 +Subject: ARC: bpf: Correct conditional check in 'check_jmp_32' + +From: Hardevsinh Palaniya + +[ Upstream commit 7dd9eb6ba88964b091b89855ce7d2a12405013af ] + +The original code checks 'if (ARC_CC_AL)', which is always true since +ARC_CC_AL is a constant. This makes the check redundant and likely +obscures the intention of verifying whether the jump is conditional. + +Updates the code to check cond == ARC_CC_AL instead, reflecting the intent +to differentiate conditional from unconditional jumps. + +Suggested-by: Vadim Fedorenko +Reviewed-by: Vadim Fedorenko +Acked-by: Shahab Vahedi +Signed-off-by: Hardevsinh Palaniya +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/net/bpf_jit_arcv2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arc/net/bpf_jit_arcv2.c b/arch/arc/net/bpf_jit_arcv2.c +index 4458e409ca0a..6d989b6d88c6 100644 +--- a/arch/arc/net/bpf_jit_arcv2.c ++++ b/arch/arc/net/bpf_jit_arcv2.c +@@ -2916,7 +2916,7 @@ bool check_jmp_32(u32 curr_off, u32 targ_off, u8 cond) + addendum = (cond == ARC_CC_AL) ? 0 : INSN_len_normal; + disp = get_displacement(curr_off + addendum, targ_off); + +- if (ARC_CC_AL) ++ if (cond == ARC_CC_AL) + return is_valid_far_disp(disp); + else + return is_valid_near_disp(disp); +-- +2.39.5 + diff --git a/queue-6.12/arc-build-disallow-invalid-pae40-4k-page-config.patch b/queue-6.12/arc-build-disallow-invalid-pae40-4k-page-config.patch new file mode 100644 index 00000000000..6019d7f189b --- /dev/null +++ b/queue-6.12/arc-build-disallow-invalid-pae40-4k-page-config.patch 
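Review bot: `check_jmp_32()` now evaluates `cond == ARC_CC_AL` twice, once in the `addendum` ternary and once in the corrected `if`, and the defect fixed here was exactly those two sites disagreeing. Computing it once, `const bool uncond = (cond == ARC_CC_AL);`, and using `uncond` in both places keeps the displacement base and the range check tied together. The commit text calls the old test redundant, but by its own description the old code always took the `is_valid_far_disp()` branch, so conditional jumps were presumably never checked against the near range. A sentence in the log saying so would help anyone triaging this backport for the BPF JIT. The function starts outside the hunk.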
@@ -0,0 +1,59 @@ +From b8d8f10a22c41d56aee7650d495c82b77260e9bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:33:22 -0700 +Subject: ARC: build: disallow invalid PAE40 + 4K page config + +From: Vineet Gupta + +[ Upstream commit 8871331b1769978ecece205a430338a2581e5050 ] + +The config option being built was +| CONFIG_ARC_MMU_V4=y +| CONFIG_ARC_PAGE_SIZE_4K=y +| CONFIG_HIGHMEM=y +| CONFIG_ARC_HAS_PAE40=y + +This was hitting a BUILD_BUG_ON() since a 4K page can't hoist 1k, 8-byte +PTE entries (8 byte due to PAE40). BUILD_BUG_ON() is a good last ditch +resort, but such a config needs to be disallowed explicitly in Kconfig. + +Side-note: the actual fix is single liner dependency, but while at it +cleaned out a few things: + - 4K dependency on MMU v3 or v4 is always true, since 288ff7de62af09 + ("ARC: retire MMUv1 and MMUv2 support") + - PAE40 dependency in on MMU ver not really ISA, although that follows + eventually. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202409160223.xydgucbY-lkp@intel.com/ +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig +index 5b2488142041..69c6e71fa1e6 100644 +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -297,7 +297,6 @@ config ARC_PAGE_SIZE_16K + config ARC_PAGE_SIZE_4K + bool "4KB" + select HAVE_PAGE_SIZE_4KB +- depends on ARC_MMU_V3 || ARC_MMU_V4 + + endchoice + +@@ -474,7 +473,8 @@ config HIGHMEM + + config ARC_HAS_PAE40 + bool "Support for the 40-bit Physical Address Extension" +- depends on ISA_ARCV2 ++ depends on MMU_V4 ++ depends on !ARC_PAGE_SIZE_4K + select HIGHMEM + select PHYS_ADDR_T_64BIT + help +-- +2.39.5 + diff --git a/queue-6.12/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch b/queue-6.12/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch new file mode 100644 index 00000000000..7c35ddaeb82 --- /dev/null 
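Review bot: The new `depends on MMU_V4` under `config ARC_HAS_PAE40` names a symbol without the `ARC_` prefix, while the line removed in the first hunk and the configuration quoted in the commit message both use `ARC_MMU_V4`. If no `MMU_V4` symbol is defined in arch/arc/Kconfig (not visible here), the dependency can never be satisfied and PAE40 becomes unselectable altogether, instead of only being excluded with 4K pages. I would expect `depends on ARC_MMU_V4`.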
+++ b/queue-6.12/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch @@ -0,0 +1,50 @@ +From cf091443156cd5e957e5b2c96fd17c07a93f775c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 14:37:15 +0200 +Subject: ARC: build: Try to guess GCC variant of cross compiler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit 824927e88456331c7a999fdf5d9d27923b619590 ] + +ARC GCC compiler is packaged starting from Fedora 39i and the GCC +variant of cross compile tools has arc-linux-gnu- prefix and not +arc-linux-. This is causing that CROSS_COMPILE variable is left unset. + +This change allows builds without need to supply CROSS_COMPILE argument +if distro package is used. + +Before this change: +$ make -j 128 ARCH=arc W=1 drivers/infiniband/hw/mlx4/ + gcc: warning: ‘-mcpu=’ is deprecated; use ‘-mtune=’ or ‘-march=’ instead + gcc: error: unrecognized command-line option ‘-mmedium-calls’ + gcc: error: unrecognized command-line option ‘-mlock’ + gcc: error: unrecognized command-line option ‘-munaligned-access’ + +[1] https://packages.fedoraproject.org/pkgs/cross-gcc/gcc-arc-linux-gnu/index.html +Signed-off-by: Leon Romanovsky +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arc/Makefile b/arch/arc/Makefile +index 2390dd042e36..fb98478ed1ab 100644 +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -6,7 +6,7 @@ + KBUILD_DEFCONFIG := haps_hs_smp_defconfig + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux-) ++CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux- arc-linux-gnu-) + endif + + cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__ +-- +2.39.5 + 
diff --git a/queue-6.12/arc-build-use-__force-to-suppress-per-cpu-cmpxchg-wa.patch b/queue-6.12/arc-build-use-__force-to-suppress-per-cpu-cmpxchg-wa.patch new file mode 100644 index 00000000000..397df18c075 --- /dev/null +++ b/queue-6.12/arc-build-use-__force-to-suppress-per-cpu-cmpxchg-wa.patch @@ -0,0 +1,42 @@ +From 5e539b2310a047c6c424d418e715a9670c0c9c96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:55:13 -0700 +Subject: ARC: build: Use __force to suppress per-CPU cmpxchg warnings + +From: Paul E. McKenney + +[ Upstream commit 1e8af9f04346ecc0bccf0c53b728fc8eb3490a28 ] + +Currently, the cast of the first argument to cmpxchg_emu_u8() drops the +__percpu address-space designator, which results in sparse complaints +when applying cmpxchg() to per-CPU variables in ARC. Therefore, use +__force to suppress these complaints, given that this does not pertain +to cmpxchg() semantics, which are plently well-defined on variables in +general, whether per-CPU or otherwise. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202409251336.ToC0TvWB-lkp@intel.com/ +Signed-off-by: Paul E. McKenney +Cc: +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/cmpxchg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arc/include/asm/cmpxchg.h b/arch/arc/include/asm/cmpxchg.h +index 58045c898340..76f43db0890f 100644 +--- a/arch/arc/include/asm/cmpxchg.h ++++ b/arch/arc/include/asm/cmpxchg.h +@@ -48,7 +48,7 @@ + \ + switch(sizeof((_p_))) { \ + case 1: \ +- _prev_ = (__typeof__(*(ptr)))cmpxchg_emu_u8((volatile u8 *)_p_, (uintptr_t)_o_, (uintptr_t)_n_); \ ++ _prev_ = (__typeof__(*(ptr)))cmpxchg_emu_u8((volatile u8 *__force)_p_, (uintptr_t)_o_, (uintptr_t)_n_); \ + break; \ + case 4: \ + _prev_ = __cmpxchg(_p_, _o_, _n_); \ +-- +2.39.5 + 
diff --git a/queue-6.12/asoc-audio-graph-card-call-of_node_put-on-correct-no.patch b/queue-6.12/asoc-audio-graph-card-call-of_node_put-on-correct-no.patch new file mode 100644 index 00000000000..bc037fd020e --- /dev/null +++ b/queue-6.12/asoc-audio-graph-card-call-of_node_put-on-correct-no.patch @@ -0,0 +1,34 @@ +From 54711ab081bc9e6dabcffce98910a44a38c4f4d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 23:22:56 +1100 +Subject: ASoC: audio-graph-card: Call of_node_put() on correct node + +From: Stephen Gordon + +[ Upstream commit 687630aa582acf674120c87350beb01d836c837c ] + +Signed-off-by: Stephen Gordon +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20241207122257.165096-1-gordoste@iinet.net.au +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/audio-graph-card2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/generic/audio-graph-card2.c b/sound/soc/generic/audio-graph-card2.c +index 93eee40cec76..63837e259659 100644 +--- a/sound/soc/generic/audio-graph-card2.c ++++ b/sound/soc/generic/audio-graph-card2.c +@@ -779,7 +779,7 @@ static void graph_link_init(struct simple_util_priv *priv, + of_node_get(port_codec); + if (graph_lnk_is_multi(port_codec)) { + ep_codec = graph_get_next_multi_ep(&port_codec); +- of_node_put(port_cpu); ++ of_node_put(port_codec); + port_codec = ep_to_port(ep_codec); + } else { + ep_codec = port_to_endpoint(port_codec); +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-hci_core-fix-sleeping-function-called-from.patch b/queue-6.12/bluetooth-hci_core-fix-sleeping-function-called-from.patch new file mode 100644 index 00000000000..4e95649f601 --- /dev/null +++ b/queue-6.12/bluetooth-hci_core-fix-sleeping-function-called-from.patch 
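Review bot: The reference pairing in `graph_link_init()` is still undocumented, and the upstream commit carries no description of what went wrong or what the wrong put could cause. `of_node_get(port_codec)` is now matched by `of_node_put(port_codec)`, but the put comes after `graph_get_next_multi_ep(&port_codec)`, which receives the pointer by address; whether that call can change `port_codec` before the put is not visible in this hunk. A one-line comment such as `/* drop the ref taken by of_node_get(port_codec) above */` would make the intended pairing checkable. The function body continues outside the hunk.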
@@ -0,0 +1,424 @@ +From 1e9edf125143692e45152b1da1f1f9e976d4eba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 16:07:32 -0500 +Subject: Bluetooth: hci_core: Fix sleeping function called from invalid + context + +From: Luiz Augusto von Dentz + +[ Upstream commit 4d94f05558271654670d18c26c912da0c1c15549 ] + +This reworks hci_cb_list to not use mutex hci_cb_list_lock to avoid bugs +like the bellow: + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2 +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +4 locks held by kworker/u9:2/5070: + #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline] + #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335 + #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline] + #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335 + #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 net/bluetooth/hci_event.c:6914 + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 net/bluetooth/hci_event.c:6915 +CPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +Workqueue: hci0 hci_rx_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + 
__might_resched+0x5d4/0x780 kernel/sched/core.c:10187 + __mutex_lock_common kernel/locking/mutex.c:585 [inline] + __mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752 + hci_connect_cfm include/net/bluetooth/hci_core.h:2004 [inline] + hci_le_create_big_complete_evt+0x3d9/0xae0 net/bluetooth/hci_event.c:6939 + hci_event_func net/bluetooth/hci_event.c:7514 [inline] + hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569 + hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171 + process_one_work kernel/workqueue.c:3254 [inline] + process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335 + worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 + kthread+0x2f0/0x390 kernel/kthread.c:388 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 + + +Reported-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com +Tested-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2fb0835e0c9cefc34614 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 108 ++++++++++++++++++++----------- + net/bluetooth/hci_core.c | 10 +-- + net/bluetooth/iso.c | 6 ++ + net/bluetooth/l2cap_core.c | 12 ++-- + net/bluetooth/rfcomm/core.c | 6 ++ + net/bluetooth/sco.c | 12 ++-- + 6 files changed, 97 insertions(+), 57 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index c95f7e6ba255..ba7b52584770 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -804,7 +804,6 @@ struct hci_conn_params { + extern struct list_head hci_dev_list; + extern struct list_head hci_cb_list; + extern rwlock_t hci_dev_list_lock; +-extern struct mutex hci_cb_list_lock; + + #define hci_dev_set_flag(hdev, nr) set_bit((nr), (hdev)->dev_flags) + #define hci_dev_clear_flag(hdev, nr) clear_bit((nr), (hdev)->dev_flags) +@@ -2007,24 +2006,47 @@ struct hci_cb { + + char *name; + 
++ bool (*match) (struct hci_conn *conn); + void (*connect_cfm) (struct hci_conn *conn, __u8 status); + void (*disconn_cfm) (struct hci_conn *conn, __u8 status); + void (*security_cfm) (struct hci_conn *conn, __u8 status, +- __u8 encrypt); ++ __u8 encrypt); + void (*key_change_cfm) (struct hci_conn *conn, __u8 status); + void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role); + }; + ++static inline void hci_cb_lookup(struct hci_conn *conn, struct list_head *list) ++{ ++ struct hci_cb *cb, *cpy; ++ ++ rcu_read_lock(); ++ list_for_each_entry_rcu(cb, &hci_cb_list, list) { ++ if (cb->match && cb->match(conn)) { ++ cpy = kmalloc(sizeof(*cpy), GFP_ATOMIC); ++ if (!cpy) ++ break; ++ ++ *cpy = *cb; ++ INIT_LIST_HEAD(&cpy->list); ++ list_add_rcu(&cpy->list, list); ++ } ++ } ++ rcu_read_unlock(); ++} ++ + static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->connect_cfm) + cb->connect_cfm(conn, status); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->connect_cfm_cb) + conn->connect_cfm_cb(conn, status); +@@ -2032,43 +2054,55 @@ static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status) + + static inline void hci_disconn_cfm(struct hci_conn *conn, __u8 reason) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->disconn_cfm) + cb->disconn_cfm(conn, reason); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->disconn_cfm_cb) + conn->disconn_cfm_cb(conn, reason); + } + +-static inline 
void hci_auth_cfm(struct hci_conn *conn, __u8 status) ++static inline void hci_security_cfm(struct hci_conn *conn, __u8 status, ++ __u8 encrypt) + { +- struct hci_cb *cb; +- __u8 encrypt; +- +- if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) +- return; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; + +- encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00; ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->security_cfm) + cb->security_cfm(conn, status, encrypt); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->security_cfm_cb) + conn->security_cfm_cb(conn, status); + } + ++static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) ++{ ++ __u8 encrypt; ++ ++ if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) ++ return; ++ ++ encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00; ++ ++ hci_security_cfm(conn, status, encrypt); ++} ++ + static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; + __u8 encrypt; + + if (conn->state == BT_CONFIG) { +@@ -2095,40 +2129,38 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) + conn->sec_level = conn->pending_sec_level; + } + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { +- if (cb->security_cfm) +- cb->security_cfm(conn, status, encrypt); +- } +- mutex_unlock(&hci_cb_list_lock); +- +- if (conn->security_cfm_cb) +- conn->security_cfm_cb(conn, status); ++ hci_security_cfm(conn, status, encrypt); + } + + static inline void hci_key_change_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ 
list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->key_change_cfm) + cb->key_change_cfm(conn, status); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + } + + static inline void hci_role_switch_cfm(struct hci_conn *conn, __u8 status, + __u8 role) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->role_switch_cfm) + cb->role_switch_cfm(conn, status, role); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + } + + static inline bool hci_bdaddr_is_rpa(bdaddr_t *bdaddr, u8 addr_type) +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 72439764186e..b5553c08e731 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -57,7 +57,6 @@ DEFINE_RWLOCK(hci_dev_list_lock); + + /* HCI callback list */ + LIST_HEAD(hci_cb_list); +-DEFINE_MUTEX(hci_cb_list_lock); + + /* HCI ID Numbering */ + static DEFINE_IDA(hci_index_ida); +@@ -2993,9 +2992,7 @@ int hci_register_cb(struct hci_cb *cb) + { + BT_DBG("%p name %s", cb, cb->name); + +- mutex_lock(&hci_cb_list_lock); +- list_add_tail(&cb->list, &hci_cb_list); +- mutex_unlock(&hci_cb_list_lock); ++ list_add_tail_rcu(&cb->list, &hci_cb_list); + + return 0; + } +@@ -3005,9 +3002,8 @@ int hci_unregister_cb(struct hci_cb *cb) + { + BT_DBG("%p name %s", cb, cb->name); + +- mutex_lock(&hci_cb_list_lock); +- list_del(&cb->list); +- mutex_unlock(&hci_cb_list_lock); ++ list_del_rcu(&cb->list); ++ synchronize_rcu(); + + return 0; + } +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 644b606743e2..bda2f2da7d73 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -2137,6 +2137,11 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + return HCI_LM_ACCEPT; + } + ++static bool iso_match(struct hci_conn *hcon) ++{ ++ 
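Review bot: hci_register_cb() and hci_unregister_cb() now modify hci_cb_list with `list_add_tail_rcu()` / `list_del_rcu()` and no lock at all, but RCU only protects readers; concurrent updaters still have to be serialized against each other. Unless every caller is already serialized by something outside these hunks, a registration racing with another registration or an unregistration can corrupt the list. Keeping the mutex for the writer side only would cover it: `mutex_lock(&hci_cb_list_lock); list_add_tail_rcu(&cb->list, &hci_cb_list); mutex_unlock(&hci_cb_list_lock);`, with the same pair around `list_del_rcu()` and the synchronize_rcu() call placed after the unlock.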
return hcon->type == ISO_LINK || hcon->type == LE_LINK; ++} ++ + static void iso_connect_cfm(struct hci_conn *hcon, __u8 status) + { + if (hcon->type != ISO_LINK) { +@@ -2318,6 +2323,7 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) + + static struct hci_cb iso_cb = { + .name = "ISO", ++ .match = iso_match, + .connect_cfm = iso_connect_cfm, + .disconn_cfm = iso_disconn_cfm, + }; +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 6544c1ed7143..27b4c4a2ba1f 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7217,6 +7217,11 @@ static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, + return NULL; + } + ++static bool l2cap_match(struct hci_conn *hcon) ++{ ++ return hcon->type == ACL_LINK || hcon->type == LE_LINK; ++} ++ + static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) + { + struct hci_dev *hdev = hcon->hdev; +@@ -7224,9 +7229,6 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) + struct l2cap_chan *pchan; + u8 dst_type; + +- if (hcon->type != ACL_LINK && hcon->type != LE_LINK) +- return; +- + BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); + + if (status) { +@@ -7291,9 +7293,6 @@ int l2cap_disconn_ind(struct hci_conn *hcon) + + static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) + { +- if (hcon->type != ACL_LINK && hcon->type != LE_LINK) +- return; +- + BT_DBG("hcon %p reason %d", hcon, reason); + + l2cap_conn_del(hcon, bt_to_errno(reason)); +@@ -7572,6 +7571,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) + + static struct hci_cb l2cap_cb = { + .name = "L2CAP", ++ .match = l2cap_match, + .connect_cfm = l2cap_connect_cfm, + .disconn_cfm = l2cap_disconn_cfm, + .security_cfm = l2cap_security_cfm, +diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c +index ad5177e3a69b..4c56ca5a216c 100644 +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ 
-2134,6 +2134,11 @@ static int rfcomm_run(void *unused) + return 0; + } + ++static bool rfcomm_match(struct hci_conn *hcon) ++{ ++ return hcon->type == ACL_LINK; ++} ++ + static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) + { + struct rfcomm_session *s; +@@ -2180,6 +2185,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) + + static struct hci_cb rfcomm_cb = { + .name = "RFCOMM", ++ .match = rfcomm_match, + .security_cfm = rfcomm_security_cfm + }; + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index b872a2ca3ff3..071c404c790a 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -1355,11 +1355,13 @@ int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + return lm; + } + +-static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) ++static bool sco_match(struct hci_conn *hcon) + { +- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) +- return; ++ return hcon->type == SCO_LINK || hcon->type == ESCO_LINK; ++} + ++static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) ++{ + BT_DBG("hcon %p bdaddr %pMR status %u", hcon, &hcon->dst, status); + + if (!status) { +@@ -1374,9 +1376,6 @@ static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) + + static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason) + { +- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) +- return; +- + BT_DBG("hcon %p reason %d", hcon, reason); + + sco_conn_del(hcon, bt_to_errno(reason)); +@@ -1402,6 +1401,7 @@ void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) + + static struct hci_cb sco_cb = { + .name = "SCO", ++ .match = sco_match, + .connect_cfm = sco_connect_cfm, + .disconn_cfm = sco_disconn_cfm, + }; +-- +2.39.5 + diff --git a/queue-6.12/bpf-consider-that-tail-calls-invalidate-packet-point.patch b/queue-6.12/bpf-consider-that-tail-calls-invalidate-packet-point.patch new file mode 100644 index 00000000000..ceaf5a2b696 --- /dev/null 
+++ b/queue-6.12/bpf-consider-that-tail-calls-invalidate-packet-point.patch 
@@ -0,0 +1,76 @@
+From 984bd4a473eda067fa6716a5ee4855564d74aaa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Dec 2024 20:10:59 -0800
+Subject: bpf: consider that tail calls invalidate packet pointers
+
+From: Eduard Zingerman
+
+[ Upstream commit 1a4607ffba35bf2a630aab299e34dd3f6e658d70 ]
+
+Tail-called programs could execute any of the helpers that invalidate
+packet pointers. Hence, conservatively assume that each tail call
+invalidates packet pointers.
+
+Making the change in bpf_helper_changes_pkt_data() automatically makes
+use of check_cfg() logic that computes 'changes_pkt_data' effect for
+global sub-programs, such that the following program could be
+rejected:
+
+ int tail_call(struct __sk_buff *sk)
+ {
+ bpf_tail_call_static(sk, &jmp_table, 0);
+ return 0;
+ }
+
+ SEC("tc")
+ int not_safe(struct __sk_buff *sk)
+ {
+ int *p = (void *)(long)sk->data;
+ ... make p valid ...
+ tail_call(sk);
+ *p = 42; /* this is unsafe */
+ ...
+ }
+
+The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that
+can invalidate packet pointers. Otherwise, it can't be freplaced with
+tailcall_freplace.c:entry_freplace() that does a tail call.
+
+Signed-off-by: Eduard Zingerman
+Link: https://lore.kernel.org/r/20241210041100.1898468-8-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ net/core/filter.c | 2 ++
+ tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 4b0ad74cfff5..54a53fae9e98 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -7943,6 +7943,8 @@ bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
+ case BPF_FUNC_xdp_adjust_head:
+ case BPF_FUNC_xdp_adjust_meta:
+ case BPF_FUNC_xdp_adjust_tail:
++ /* tail-called program could call any of the above */
++ case BPF_FUNC_tail_call:
+ return true;
+ default:
+ return false;
+diff --git a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
+index 8a0632c37839..79f5087dade2 100644
+--- a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
++++ b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
+@@ -10,6 +10,8 @@ int subprog(struct __sk_buff *skb)
+ int ret = 1;
+
+ __sink(ret);
++ /* let verifier know that 'subprog_tc' can change pointers to skb->data */
++ bpf_skb_change_proto(skb, 0, 0);
+ return ret;
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.12/bpf-fix-potential-error-return.patch b/queue-6.12/bpf-fix-potential-error-return.patch
new file mode 100644
index 00000000000..cb7bbd0ff22
--- /dev/null
+++ b/queue-6.12/bpf-fix-potential-error-return.patch
@@ -0,0 +1,52 @@
+From 685c85178f98f63684977001b68c81d5a3fa9317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Dec 2024 11:42:45 +0000
+Subject: bpf: fix potential error return
+
+From: Anton Protopopov
+
+[ Upstream commit c4441ca86afe4814039ee1b32c39d833c1a16bbc ]
+
+The bpf_remove_insns() function returns WARN_ON_ONCE(error), where
+error is a result of bpf_adj_branches(), and thus should be always 0
+However, if for any reason it is not 0, then it will be converted to
+boolean by WARN_ON_ONCE and returned to user space as 1, not an actual
+error value. Fix this by returning the original err after the WARN check.
+
+Signed-off-by: Anton Protopopov
+Acked-by: Jiri Olsa
+Acked-by: Andrii Nakryiko
+Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@isovalent.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 233ea78f8f1b..3af5f42ea791 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -539,6 +539,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
+
+ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
+ {
++ int err;
++
+ /* Branch offsets can't overflow when program is shrinking, no need
+ * to call bpf_adj_branches(..., true) here
+ */
+@@ -546,7 +548,9 @@ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
+ sizeof(struct bpf_insn) * (prog->len - off - cnt));
+ prog->len -= cnt;
+
+- return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false));
++ err = bpf_adj_branches(prog, off, off + cnt, off, false);
++ WARN_ON_ONCE(err);
++ return err;
+ }
+
+ static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp)
+--
+2.39.5
+
diff --git a/queue-6.12/bpf-refactor-bpf_helper_changes_pkt_data-to-use-help.patch b/queue-6.12/bpf-refactor-bpf_helper_changes_pkt_data-to-use-help.patch
new file mode 100644
index 00000000000..0980b4f2705
--- /dev/null
+++ b/queue-6.12/bpf-refactor-bpf_helper_changes_pkt_data-to-use-help.patch
@@ -0,0 +1,144 @@
+From 902b683d7eab7703b8d9968e37971d32bd58c144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Dec 2024 20:10:54 -0800
+Subject: bpf: refactor bpf_helper_changes_pkt_data to use helper number
+
+From: Eduard Zingerman
+
+[ Upstream commit b238e187b4a2d3b54d80aec05a9cab6466b79dde ]
+
+Use BPF helper number instead of function pointer in
+bpf_helper_changes_pkt_data(). This would simplify usage of this
+function in verifier.c:check_cfg() (in a follow-up patch),
+where only helper number is easily available and there is no real need
+to lookup helper proto.
+
+Signed-off-by: Eduard Zingerman
+Link: https://lore.kernel.org/r/20241210041100.1898468-3-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov
+Stable-dep-of: 1a4607ffba35 ("bpf: consider that tail calls invalidate packet pointers")
+Signed-off-by: Sasha Levin
+---
+ include/linux/filter.h | 2 +-
+ kernel/bpf/core.c | 2 +-
+ kernel/bpf/verifier.c | 2 +-
+ net/core/filter.c | 63 +++++++++++++++++++-----------------------
+ 4 files changed, 31 insertions(+), 38 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 7d7578a8eac1..5118caf8aa1c 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -1121,7 +1121,7 @@ bool bpf_jit_supports_arena(void);
+ bool bpf_jit_supports_insn(struct bpf_insn *insn, bool in_arena);
+ u64 bpf_arch_uaddress_limit(void);
+ void arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie);
+-bool bpf_helper_changes_pkt_data(void *func);
++bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id);
+
+ static inline bool bpf_dump_raw_ok(const struct cred *cred)
+ {
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 3af5f42ea791..2b9c8c168a0b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2940,7 +2940,7 @@ void __weak bpf_jit_compile(struct bpf_prog *prog)
+ {
+ }
+
+-bool __weak bpf_helper_changes_pkt_data(void *func)
++bool __weak bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
+ {
+ return false;
+ }
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 767f1cb8c27e..a0cab0d0252f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -10476,7 +10476,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ }
+
+ /* With LD_ABS/IND some JITs save/restore skb from r1. */
+- changes_data = bpf_helper_changes_pkt_data(fn->func);
++ changes_data = bpf_helper_changes_pkt_data(func_id);
+ if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
+ verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
+ func_id_name(func_id), func_id);
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 55495063621d..4b0ad74cfff5 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -7918,42 +7918,35 @@ static const struct bpf_func_proto bpf_tcp_raw_check_syncookie_ipv6_proto = {
+
+ #endif /* CONFIG_INET */
+
+-bool bpf_helper_changes_pkt_data(void *func)
+-{
+- if (func == bpf_skb_vlan_push ||
+- func == bpf_skb_vlan_pop ||
+- func == bpf_skb_store_bytes ||
+- func == bpf_skb_change_proto ||
+- func == bpf_skb_change_head ||
+- func == sk_skb_change_head ||
+- func == bpf_skb_change_tail ||
+- func == sk_skb_change_tail ||
+- func == bpf_skb_adjust_room ||
+- func == sk_skb_adjust_room ||
+- func == bpf_skb_pull_data ||
+- func == sk_skb_pull_data ||
+- func == bpf_clone_redirect ||
+- func == bpf_l3_csum_replace ||
+- func == bpf_l4_csum_replace ||
+- func == bpf_xdp_adjust_head ||
+- func == bpf_xdp_adjust_meta ||
+- func == bpf_msg_pull_data ||
+- func == bpf_msg_push_data ||
+- func == bpf_msg_pop_data ||
+- func == bpf_xdp_adjust_tail ||
+-#if IS_ENABLED(CONFIG_IPV6_SEG6_BPF)
+- func == bpf_lwt_seg6_store_bytes ||
+- func == bpf_lwt_seg6_adjust_srh ||
+- func == bpf_lwt_seg6_action ||
+-#endif
+-#ifdef CONFIG_INET
+- func == bpf_sock_ops_store_hdr_opt ||
+-#endif
+- func == bpf_lwt_in_push_encap ||
+- func == bpf_lwt_xmit_push_encap)
++bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
++{
++ switch (func_id) {
++ case BPF_FUNC_clone_redirect:
++ case BPF_FUNC_l3_csum_replace:
++ case BPF_FUNC_l4_csum_replace:
++ case BPF_FUNC_lwt_push_encap:
++ case BPF_FUNC_lwt_seg6_action:
++ case BPF_FUNC_lwt_seg6_adjust_srh:
++ case BPF_FUNC_lwt_seg6_store_bytes:
++ case BPF_FUNC_msg_pop_data:
++ case BPF_FUNC_msg_pull_data:
++ case BPF_FUNC_msg_push_data:
++ case BPF_FUNC_skb_adjust_room:
++ case BPF_FUNC_skb_change_head:
++ case BPF_FUNC_skb_change_proto:
++ case BPF_FUNC_skb_change_tail:
++ case BPF_FUNC_skb_pull_data:
++ case BPF_FUNC_skb_store_bytes:
++ case BPF_FUNC_skb_vlan_pop:
++ case BPF_FUNC_skb_vlan_push:
++ case BPF_FUNC_store_hdr_opt:
++ case BPF_FUNC_xdp_adjust_head:
++ case BPF_FUNC_xdp_adjust_meta:
++ case BPF_FUNC_xdp_adjust_tail:
+ return true;
+-
+- return false;
++ default:
++ return false;
++ }
+ }
+
+ const struct bpf_func_proto bpf_event_output_data_proto __weak;
+--
+2.39.5
+
diff --git a/queue-6.12/btrfs-allow-swap-activation-to-be-interruptible.patch b/queue-6.12/btrfs-allow-swap-activation-to-be-interruptible.patch
new file mode 100644
index 00000000000..3a74221f5f8
--- /dev/null
+++ b/queue-6.12/btrfs-allow-swap-activation-to-be-interruptible.patch
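Review bot: The new switch in bpf_helper_changes_pkt_data() ends in `default: return false;`, so a helper id missing from the list is reported as not changing packet data, and the verifier presumably keeps earlier packet pointers usable across that call. The old pointer comparison failed open in the same way, but the list is now keyed by id and no longer names the helper functions, so it needs a comment above the switch such as `/* Every helper that can move or reallocate packet data must be listed here; a missing id leaves stale packet pointers accepted. */`. The rewrite also drops the `#if IS_ENABLED(CONFIG_IPV6_SEG6_BPF)` and `#ifdef CONFIG_INET` guards of the old version, which only makes the answer more conservative when those options are off.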
@@ -0,0 +1,48 @@
+From 6dae8c4a635846f3c57dcf27cbaadd6ecdd1b65e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Dec 2024 16:31:41 +0000
+Subject: btrfs: allow swap activation to be interruptible
+
+From: Filipe Manana
+
+[ Upstream commit 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 ]
+
+During swap activation we iterate over the extents of a file, then do
+several checks for each extent, some of which may take some significant
+time such as checking if an extent is shared. Since a file can have
+many thousands of extents, this can be a very slow operation and it's
+currently not interruptible. I had a bug during development of a previous
+patch that resulted in an infinite loop when iterating the extents, so
+a core was busy looping and I couldn't cancel the operation, which is very
+annoying and requires a reboot. So make the loop interruptible by checking
+for fatal signals at the end of each iteration and stopping immediately if
+there is one.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/inode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 4b3e256e0d0b..b5cfb85af937 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -10056,6 +10056,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file,
+ bsi.block_start = physical_block_start;
+ bsi.block_len = len;
+ }
++
++ if (fatal_signal_pending(current)) {
++ ret = -EINTR;
++ goto out;
++ }
+ }
+
+ if (bsi.block_len)
+--
+2.39.5
+
diff --git a/queue-6.12/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch b/queue-6.12/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch
new file mode 100644
index 00000000000..b8dfb6e2304
--- /dev/null
+++ b/queue-6.12/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch
@@ -0,0 +1,213 @@ +From c11860dbe3054e37761cc5460a7245ecf5f660c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 11:53:27 +0000 +Subject: btrfs: flush delalloc workers queue before stopping cleaner kthread + during unmount + +From: Filipe Manana + +[ Upstream commit f10bef73fb355e3fc85e63a50386798be68ff486 ] + +During the unmount path, at close_ctree(), we first stop the cleaner +kthread, using kthread_stop() which frees the associated task_struct, and +then stop and destroy all the work queues. However after we stopped the +cleaner we may still have a worker from the delalloc_workers queue running +inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), +which in turn tries to wake up the cleaner kthread - which was already +destroyed before, resulting in a use-after-free on the task_struct. + +Syzbot reported this with the following stack traces: + + BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 + Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52 + + CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + Workqueue: btrfs-delalloc btrfs_work_helper + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 + class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] + try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205 + submit_compressed_extents+0xdf/0x16e0 
fs/btrfs/inode.c:1615 + run_ordered_work fs/btrfs/async-thread.c:288 [inline] + btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + + Allocated by task 2: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + unpoison_slab_object mm/kasan/common.c:319 [inline] + __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 + kasan_slab_alloc include/linux/kasan.h:250 [inline] + slab_post_alloc_hook mm/slub.c:4104 [inline] + slab_alloc_node mm/slub.c:4153 [inline] + kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 + alloc_task_struct_node kernel/fork.c:180 [inline] + dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 + copy_process+0x5d1/0x3d50 kernel/fork.c:2225 + kernel_clone+0x223/0x870 kernel/fork.c:2807 + kernel_thread+0x1bc/0x240 kernel/fork.c:2869 + create_kthread kernel/kthread.c:412 [inline] + kthreadd+0x60d/0x810 kernel/kthread.c:767 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + Freed by task 24: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2338 [inline] + slab_free mm/slub.c:4598 [inline] + kmem_cache_free+0x195/0x410 mm/slub.c:4700 + put_task_struct include/linux/sched/task.h:144 [inline] + delayed_put_task_struct+0x125/0x300 kernel/exit.c:227 + rcu_do_batch kernel/rcu/tree.c:2567 [inline] + rcu_core+0xaaa/0x17a0 
kernel/rcu/tree.c:2823 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554 + run_ksoftirqd+0xca/0x130 kernel/softirq.c:943 + smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + Last potentially related work creation: + kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 + __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544 + __call_rcu_common kernel/rcu/tree.c:3086 [inline] + call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190 + context_switch kernel/sched/core.c:5372 [inline] + __schedule+0x1803/0x4be0 kernel/sched/core.c:6756 + __schedule_loop kernel/sched/core.c:6833 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6848 + schedule_timeout+0xb0/0x290 kernel/time/sleep_timeout.c:75 + do_wait_for_common kernel/sched/completion.c:95 [inline] + __wait_for_common kernel/sched/completion.c:116 [inline] + wait_for_common kernel/sched/completion.c:127 [inline] + wait_for_completion+0x355/0x620 kernel/sched/completion.c:148 + kthread_stop+0x19e/0x640 kernel/kthread.c:712 + close_ctree+0x524/0xd60 fs/btrfs/disk-io.c:4328 + generic_shutdown_super+0x139/0x2d0 fs/super.c:642 + kill_anon_super+0x3b/0x70 fs/super.c:1237 + btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2112 + deactivate_locked_super+0xc4/0x130 fs/super.c:473 + cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 + task_work_run+0x24f/0x310 kernel/task_work.c:239 + ptrace_notify+0x2d2/0x380 kernel/signal.c:2503 + ptrace_report_syscall include/linux/ptrace.h:415 [inline] + ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] + syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173 + syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] + syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218 + do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 + 
entry_SYSCALL_64_after_hwframe+0x77/0x7f + + The buggy address belongs to the object at ffff8880259d1e00 + which belongs to the cache task_struct of size 7424 + The buggy address is located 2584 bytes inside of + freed 7424-byte region [ffff8880259d1e00, ffff8880259d3b00) + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x259d0 + head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + memcg:ffff88802f4b56c1 + flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) + page_type: f5(slab) + raw: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 + raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 + head: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 + head: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 + head: 00fff00000000003 ffffea0000967401 ffffffffffffffff 0000000000000000 + head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + page_owner tracks the page as allocated + page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:1), ts 7328037942, free_ts 0 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 + prep_new_page mm/page_alloc.c:1564 [inline] + get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474 + __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 + alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 + alloc_slab_page+0x6a/0x140 mm/slub.c:2408 + allocate_slab+0x5a/0x2f0 mm/slub.c:2574 + new_slab mm/slub.c:2627 [inline] + ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815 + __slab_alloc+0x58/0xa0 mm/slub.c:3905 + __slab_alloc_node mm/slub.c:3980 [inline] + slab_alloc_node mm/slub.c:4141 [inline] + kmem_cache_alloc_node_noprof+0x269/0x380 
mm/slub.c:4205 + alloc_task_struct_node kernel/fork.c:180 [inline] + dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 + copy_process+0x5d1/0x3d50 kernel/fork.c:2225 + kernel_clone+0x223/0x870 kernel/fork.c:2807 + user_mode_thread+0x132/0x1a0 kernel/fork.c:2885 + call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + page_owner free stack trace missing + + Memory state around the buggy address: + ffff8880259d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880259d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff8880259d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880259d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880259d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Fix this by flushing the delalloc workers queue before stopping the +cleaner kthread. + +Reported-by: syzbot+b7cf50a0c173770dcb14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/674ed7e8.050a0220.48a03.0031.GAE@google.com/ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 43b7b331b2da..563f106774e5 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4264,6 +4264,15 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info) + * already the cleaner, but below we run all pending delayed iputs. 
+ */ + btrfs_flush_workqueue(fs_info->fixup_workers); ++ /* ++ * Similar case here, we have to wait for delalloc workers before we ++ * proceed below and stop the cleaner kthread, otherwise we trigger a ++ * use-after-tree on the cleaner kthread task_struct when a delalloc ++ * worker running submit_compressed_extents() adds a delayed iput, which ++ * does a wake up on the cleaner kthread, which was already freed below ++ * when we call kthread_stop(). ++ */ ++ btrfs_flush_workqueue(fs_info->delalloc_workers); + + /* + * After we parked the cleaner kthread, ordered extents may have +-- +2.39.5 + diff --git a/queue-6.12/btrfs-handle-bio_split-errors.patch b/queue-6.12/btrfs-handle-bio_split-errors.patch new file mode 100644 index 00000000000..3d66e6f32d2 --- /dev/null +++ b/queue-6.12/btrfs-handle-bio_split-errors.patch 
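Review bot: The comment added in close_ctree() says "use-after-tree" where it means use-after-free; as this comment is the only in-code record of why the flush must precede kthread_stop(), the line should read `* use-after-free on the cleaner kthread task_struct when a delalloc`. The flush can only drain work that is already queued, so the ordering argument also relies on nothing queueing new delalloc work between this call and kthread_stop(). That guarantee is not visible here, since close_ctree() starts and ends outside the hunk, and it would be worth stating in the same comment.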
@@ -0,0 +1,77 @@ +From a1dad7e5e16a042edb28a1b81ece21323d1ae6f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 23:40:22 -0800 +Subject: btrfs: handle bio_split() errors + +From: Johannes Thumshirn + +[ Upstream commit c7c97ceff98cc459bf5e358e5cbd06fcb651d501 ] + +Commit e546fe1da9bd ("block: Rework bio_split() return value") changed +bio_split() so that it can return errors. + +Add error handling for it in btrfs_split_bio() and ultimately +btrfs_submit_chunk(). As the bio is not submitted, the bio counter must +be decremented to pair btrfs_bio_counter_inc_blocked(). + +Reviewed-by: John Garry +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/bio.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c +index 31f96c2d8691..5fd0b39d8c70 100644 +--- a/fs/btrfs/bio.c ++++ b/fs/btrfs/bio.c +@@ -81,6 +81,9 @@ static struct btrfs_bio *btrfs_split_bio(struct btrfs_fs_info *fs_info, + + bio = bio_split(&orig_bbio->bio, map_length >> SECTOR_SHIFT, GFP_NOFS, + &btrfs_clone_bioset); ++ if (IS_ERR(bio)) ++ return ERR_CAST(bio); ++ + bbio = btrfs_bio(bio); + btrfs_bio_init(bbio, fs_info, NULL, orig_bbio); + bbio->inode = orig_bbio->inode; +@@ -684,7 +687,8 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num) + &bioc, &smap, &mirror_num); + if (error) { + ret = errno_to_blk_status(error); +- goto fail; ++ btrfs_bio_counter_dec(fs_info); ++ goto end_bbio; + } + + map_length = min(map_length, length); +@@ -692,7 +696,15 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num) + map_length = btrfs_append_map_length(bbio, map_length); + + if (map_length < length) { +- bbio = btrfs_split_bio(fs_info, bbio, map_length); ++ struct btrfs_bio *split; ++ ++ split = btrfs_split_bio(fs_info, bbio, map_length); ++ if (IS_ERR(split)) { ++ ret = errno_to_blk_status(PTR_ERR(split)); ++ 
btrfs_bio_counter_dec(fs_info); ++ goto end_bbio; ++ } ++ bbio = split; + bio = &bbio->bio; + } + +@@ -766,6 +778,7 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num) + + btrfs_bio_end_io(remaining, ret); + } ++end_bbio: + btrfs_bio_end_io(bbio, ret); + /* Do not submit another chunk */ + return true; +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-use-sjt-mec-fw-on-gfx943-for-sriov.patch b/queue-6.12/drm-amdgpu-use-sjt-mec-fw-on-gfx943-for-sriov.patch new file mode 100644 index 00000000000..f4e7ace6eab --- /dev/null +++ b/queue-6.12/drm-amdgpu-use-sjt-mec-fw-on-gfx943-for-sriov.patch 
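Review bot: The two new error exits in btrfs_submit_chunk() (the `if (error)` branch and the `IS_ERR(split)` branch) call `btrfs_bio_counter_dec(fs_info)` before `goto end_bbio`, but nothing in the code says why the decrement is needed on these paths and not on the others. The reason is only in the commit message, so I would put it next to the first of them: `/* bio is not submitted: drop the count taken by btrfs_bio_counter_inc_blocked() */`. btrfs_split_bio() can now return an ERR_PTR, so any caller not shown here would need the same `IS_ERR()` check. Both function bodies continue outside the hunks.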
@@ -0,0 +1,52 @@ +From 6e1cc4b6d1d08b217cf7bf1abed02003569aafac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Nov 2024 18:37:43 +0800 +Subject: drm/amdgpu: use sjt mec fw on gfx943 for sriov + +From: Victor Zhao + +[ Upstream commit 9a4ab400f1fad0e6e8686b8f5fc5376383860ce8 ] + +Use second jump table in sriov for live migration or mulitple VF +support so different VF can load different version of MEC as long +as they support sjt + +Signed-off-by: Victor Zhao +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c +index c100845409f7..ffdb966c4127 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c +@@ -45,6 +45,8 @@ MODULE_FIRMWARE("amdgpu/gc_9_4_3_mec.bin"); + MODULE_FIRMWARE("amdgpu/gc_9_4_4_mec.bin"); + MODULE_FIRMWARE("amdgpu/gc_9_4_3_rlc.bin"); + MODULE_FIRMWARE("amdgpu/gc_9_4_4_rlc.bin"); ++MODULE_FIRMWARE("amdgpu/gc_9_4_3_sjt_mec.bin"); ++MODULE_FIRMWARE("amdgpu/gc_9_4_4_sjt_mec.bin"); + + #define GFX9_MEC_HPD_SIZE 4096 + #define RLCG_UCODE_LOADING_START_ADDRESS 0x00002000L +@@ -574,8 +576,12 @@ static int gfx_v9_4_3_init_cp_compute_microcode(struct amdgpu_device *adev, + { + int err; + +- err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw, +- "amdgpu/%s_mec.bin", chip_name); ++ if (amdgpu_sriov_vf(adev)) ++ err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw, ++ "amdgpu/%s_sjt_mec.bin", chip_name); ++ else ++ err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw, ++ "amdgpu/%s_mec.bin", chip_name); + if (err) + goto out; + amdgpu_gfx_cp_init_microcode(adev, AMDGPU_UCODE_ID_CP_MEC1); +-- +2.39.5 + 
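Review bot: The SR-IOV branch added to gfx_v9_4_3_init_cp_compute_microcode() carries no comment, and the reason a VF asks for a different MEC image is only in the commit message. A line above `if (amdgpu_sriov_vf(adev))` would do, for example `/* SR-IOV: load the second-jump-table (sjt) MEC image so VFs can run different MEC versions */`. A VF now depends on `amdgpu/%s_sjt_mec.bin` alone and any error goes straight to `out`, so it looks as if a guest whose firmware set lacks that file fails here with no fallback. If that is intended, the comment should say so. The function continues outside the hunk.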
diff --git a/queue-6.12/drm-amdkfd-correct-the-migration-dma-map-direction.patch b/queue-6.12/drm-amdkfd-correct-the-migration-dma-map-direction.patch
new file mode 100644
index 00000000000..d4339408baa
--- /dev/null
+++ b/queue-6.12/drm-amdkfd-correct-the-migration-dma-map-direction.patch
@@ -0,0 +1,116 @@ +From 71f34b814bf7e526f18b8bc61fe2a22336a2048f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 09:57:42 +0800 +Subject: drm/amdkfd: Correct the migration DMA map direction + +From: Prike Liang + +[ Upstream commit 5c3de6b02d38eb9386edf50490e050bb44398e40 ] + +The SVM DMA device map direction should be set the same as +the DMA unmap setting, otherwise the DMA core will report +the following warning. + +Before finialize this solution, there're some discussion on +the DMA mapping type(stream-based or coherent) in this KFD +migration case, followed by https://lore.kernel.org/all/04d4ab32 +-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/. + +As there's no dma_sync_single_for_*() in the DMA buffer accessed +that because this migration operation should be sync properly and +automatically. Give that there's might not be a performance problem +in various cache sync policy of DMA sync. Therefore, in order to +simplify the DMA direction setting alignment, let's set the DMA map +direction as BIDIRECTIONAL. 
+ +[ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930 +[ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds +[ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii +[ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492 +[ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 +[ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930 +[ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50 +[ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086 +[ 
150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027 +[ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680 +[ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850 +[ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40 +[ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b +[ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000 +[ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0 +[ 150.834383] Call Trace: +[ 150.834385] +[ 150.834387] ? show_regs+0x6d/0x80 +[ 150.834393] ? __warn+0x8c/0x140 +[ 150.834397] ? check_unmap+0x1cc/0x930 +[ 150.834400] ? report_bug+0x193/0x1a0 +[ 150.834406] ? handle_bug+0x46/0x80 +[ 150.834410] ? exc_invalid_op+0x1d/0x80 +[ 150.834413] ? asm_exc_invalid_op+0x1f/0x30 +[ 150.834420] ? check_unmap+0x1cc/0x930 +[ 150.834425] debug_dma_unmap_page+0x86/0x90 +[ 150.834431] ? srso_return_thunk+0x5/0x5f +[ 150.834435] ? rmap_walk+0x28/0x50 +[ 150.834438] ? srso_return_thunk+0x5/0x5f +[ 150.834441] ? remove_migration_ptes+0x79/0x80 +[ 150.834445] ? srso_return_thunk+0x5/0x5f +[ 150.834448] dma_unmap_page_attrs+0xfa/0x1d0 +[ 150.834453] svm_range_dma_unmap_dev+0x8a/0xf0 [amdgpu] +[ 150.834710] svm_migrate_ram_to_vram+0x361/0x740 [amdgpu] +[ 150.834914] svm_migrate_to_vram+0xa8/0xe0 [amdgpu] +[ 150.835111] svm_range_set_attr+0xff2/0x1450 [amdgpu] +[ 150.835311] svm_ioctl+0x4a/0x50 [amdgpu] +[ 150.835510] kfd_ioctl_svm+0x54/0x90 [amdgpu] +[ 150.835701] kfd_ioctl+0x3c2/0x530 [amdgpu] +[ 150.835888] ? __pfx_kfd_ioctl_svm+0x10/0x10 [amdgpu] +[ 150.836075] ? srso_return_thunk+0x5/0x5f +[ 150.836080] ? 
tomoyo_file_ioctl+0x20/0x30 +[ 150.836086] __x64_sys_ioctl+0x9c/0xd0 +[ 150.836091] x64_sys_call+0x1219/0x20d0 +[ 150.836095] do_syscall_64+0x51/0x120 +[ 150.836098] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 150.836102] RIP: 0033:0x7faf0f11a94f +[ 150.836105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 +[ 150.836107] RSP: 002b:00007ffeced26bc0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 150.836110] RAX: ffffffffffffffda RBX: 000055c683528fb0 RCX: 00007faf0f11a94f +[ 150.836112] RDX: 00007ffeced26c60 RSI: 00000000c0484b20 RDI: 0000000000000003 +[ 150.836114] RBP: 00007ffeced26c50 R08: 0000000000000000 R09: 0000000000000001 +[ 150.836115] R10: 0000000000000032 R11: 0000000000000246 R12: 000055c683528bd0 +[ 150.836117] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000000 +[ 150.836122] +[ 150.836124] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Prike Liang +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +index 8ee3d07ffbdf..f31e9fbf634a 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +@@ -306,7 +306,7 @@ svm_migrate_copy_to_vram(struct kfd_node *node, struct svm_range *prange, + spage = migrate_pfn_to_page(migrate->src[i]); + if (spage && !is_zone_device_page(spage)) { + src[i] = dma_map_page(dev, spage, 0, PAGE_SIZE, +- DMA_TO_DEVICE); ++ DMA_BIDIRECTIONAL); + r = dma_mapping_error(dev, src[i]); + if (r) { + dev_err(dev, "%s: fail %d dma_map_page\n", +@@ -630,7 +630,7 @@ svm_migrate_copy_to_ram(struct amdgpu_device *adev, struct svm_range *prange, + goto out_oom; + } + +- dst[i] = 
dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_FROM_DEVICE); ++ dst[i] = dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_BIDIRECTIONAL); + r = dma_mapping_error(dev, dst[i]); + if (r) { + dev_err(adev->dev, "%s: fail %d dma_map_page\n", __func__, r); +-- +2.39.5 + diff --git a/queue-6.12/irqchip-gic-correct-declaration-of-percpu_base-point.patch b/queue-6.12/irqchip-gic-correct-declaration-of-percpu_base-point.patch new file mode 100644 index 00000000000..dacbabdd874 --- /dev/null +++ b/queue-6.12/irqchip-gic-correct-declaration-of-percpu_base-point.patch 
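Review bot: Both `dma_map_page()` calls now pass `DMA_BIDIRECTIONAL`, which is broader than the mappings need. The source pages in svm_migrate_copy_to_vram() were `DMA_TO_DEVICE` and the destination pages in svm_migrate_copy_to_ram() were `DMA_FROM_DEVICE`, and on platforms where the direction is turned into IOMMU permissions the device may now get write access to pages it only reads. The warning quoted in the commit message comes from the unmap side using a different direction. That code (svm_range_dma_unmap_dev in the trace) is not in these hunks, so it cannot be judged from here whether passing the original direction to the unmap was an option. If bidirectional stays, each call should say why, for example `/* direction must match the one used at unmap time */`. Both function bodies continue outside the hunks.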
@@ -0,0 +1,54 @@ +From b698b562ba2a5f752c9c1f9ba026d98660bcbc4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 15:57:53 +0100 +Subject: irqchip/gic: Correct declaration of *percpu_base pointer in union + gic_base + +From: Uros Bizjak + +[ Upstream commit a1855f1b7c33642c9f7a01991fb763342a312e9b ] + +percpu_base is used in various percpu functions that expect variable in +__percpu address space. Correct the declaration of percpu_base to + +void __iomem * __percpu *percpu_base; + +to declare the variable as __percpu pointer. + +The patch fixes several sparse warnings: + +irq-gic.c:1172:44: warning: incorrect type in assignment (different address spaces) +irq-gic.c:1172:44: expected void [noderef] __percpu *[noderef] __iomem *percpu_base +irq-gic.c:1172:44: got void [noderef] __iomem *[noderef] __percpu * +... +irq-gic.c:1231:43: warning: incorrect type in argument 1 (different address spaces) +irq-gic.c:1231:43: expected void [noderef] __percpu *__pdata +irq-gic.c:1231:43: got void [noderef] __percpu *[noderef] __iomem *percpu_base + +There were no changes in the resulting object files. + +Signed-off-by: Uros Bizjak +Signed-off-by: Thomas Gleixner +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/all/20241213145809.2918-2-ubizjak@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c +index 3be7bd8cd8cd..32abc2916b40 100644 +--- a/drivers/irqchip/irq-gic.c ++++ b/drivers/irqchip/irq-gic.c +@@ -64,7 +64,7 @@ static void gic_check_cpu_features(void) + + union gic_base { + void __iomem *common_base; +- void __percpu * __iomem *percpu_base; ++ void __iomem * __percpu *percpu_base; + }; + + struct gic_chip_data { +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch b/queue-6.12/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch new file mode 100644 index 00000000000..3ff18a68593 
--- /dev/null
+++ b/queue-6.12/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch
@@ -0,0 +1,75 @@ +From 4d86e1dad35c47d5d4937100c92bbd3c6b37e5a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 11:31:19 +0900 +Subject: ksmbd: retry iterate_dir in smb2_query_dir + +From: Hobin Woo + +[ Upstream commit 2b904d61a97e8ba79e3bc216ba290fd7e1d85028 ] + +Some file systems do not ensure that the single call of iterate_dir +reaches the end of the directory. For example, FUSE fetches entries from +a daemon using 4KB buffer and stops fetching if entries exceed the +buffer. And then an actor of caller, KSMBD, is used to fill the entries +from the buffer. +Thus, pattern searching on FUSE, files located after the 4KB could not +be found and STATUS_NO_SUCH_FILE was returned. + +Signed-off-by: Hobin Woo +Reviewed-by: Sungjong Seo +Reviewed-by: Namjae Jeon +Tested-by: Yoonho Shin +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 12 +++++++++++- + fs/smb/server/vfs.h | 1 + + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 7d01dd313351..aef5a1b7c490 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4224,6 +4224,7 @@ static bool __query_dir(struct dir_context *ctx, const char *name, int namlen, + /* dot and dotdot entries are already reserved */ + if (!strcmp(".", name) || !strcmp("..", name)) + return true; ++ d_info->num_scan++; + if (ksmbd_share_veto_filename(priv->work->tcon->share_conf, name)) + return true; + if (!match_pattern(name, namlen, priv->search_pattern)) +@@ -4384,8 +4385,17 @@ int smb2_query_dir(struct ksmbd_work *work) + query_dir_private.info_level = req->FileInformationClass; + dir_fp->readdir_data.private = &query_dir_private; + set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir); +- ++again: ++ d_info.num_scan = 0; + rc = iterate_dir(dir_fp->filp, &dir_fp->readdir_data.ctx); ++ /* ++ * num_entry can be 0 if the directory iteration stops before reaching ++ * the end 
of the directory and no file is matched with the search ++ * pattern. ++ */ ++ if (rc >= 0 && !d_info.num_entry && d_info.num_scan && ++ d_info.out_buf_len > 0) ++ goto again; + /* + * req->OutputBufferLength is too small to contain even one entry. + * In this case, it immediately returns OutputBufferLength 0 to client. +diff --git a/fs/smb/server/vfs.h b/fs/smb/server/vfs.h +index cb76f4b5bafe..06903024a2d8 100644 +--- a/fs/smb/server/vfs.h ++++ b/fs/smb/server/vfs.h +@@ -43,6 +43,7 @@ struct ksmbd_dir_info { + char *rptr; + int name_len; + int out_buf_len; ++ int num_scan; + int num_entry; + int data_count; + int last_entry_offset; +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch b/queue-6.12/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch new file mode 100644 index 00000000000..2653ce6f993 --- /dev/null +++ b/queue-6.12/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch 
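Review bot: The retry in smb2_query_dir() is a backward `goto again` whose termination is implicit: it ends only because `d_info.num_scan` is reset to 0 before each pass and stays 0 once iterate_dir() yields no further entries. The added comment explains why `num_entry` can be 0 but not why the loop stops, so I would add `/* num_scan stays 0 once the directory is exhausted, which ends the retry */` and write the passes as a `do { ... } while (...)` loop. In __query_dir() the increment sits after the `.`/`..` early return, so a pass that sees only those two entries also ends the retry. Each pass is driven by a client request and the directory may be large, so a `cond_resched();` before retrying may be worth considering. smb2_query_dir() continues outside the hunk.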
@@ -0,0 +1,105 @@ +From d3c01cc2f24668a3f5d9bc0c5300da8fa1aa939f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 17:25:25 +0900 +Subject: ksmbd: set ATTR_CTIME flags when setting mtime + +From: Namjae Jeon + +[ Upstream commit 21e46a79bbe6c4e1aa73b3ed998130f2ff07b128 ] + +David reported that the new warning from setattr_copy_mgtime is coming +like the following. + +[ 113.215316] ------------[ cut here ]------------ +[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200 +[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234 +[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 +[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] +[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200 +[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0 +[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202 +[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003 +[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0 +[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa +[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38 +[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000 +[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000 +[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0 +[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 113.234797] Call Trace: +[ 113.235116] +[ 113.235393] ? __warn+0x73/0xd0 +[ 113.235802] ? 
setattr_copy+0x1ee/0x200 +[ 113.236299] ? report_bug+0xf3/0x1e0 +[ 113.236757] ? handle_bug+0x4d/0x90 +[ 113.237202] ? exc_invalid_op+0x13/0x60 +[ 113.237689] ? asm_exc_invalid_op+0x16/0x20 +[ 113.238185] ? setattr_copy+0x1ee/0x200 +[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs] +[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0 +[ 113.239857] ? __module_address+0x22/0xa0 +[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd] +[ 113.240993] ? __module_text_address+0x9/0x50 +[ 113.241545] ? __module_address+0x22/0xa0 +[ 113.242033] ? unwind_next_frame+0x10e/0x920 +[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10 +[ 113.243268] notify_change+0x2c2/0x4e0 +[ 113.243746] ? stack_depot_save_flags+0x27/0x730 +[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd] +[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd] +[ 113.245613] ? process_scheduled_works+0xbe/0x310 +[ 113.246181] ? worker_thread+0x100/0x240 +[ 113.246696] ? kthread+0xc8/0x100 +[ 113.247126] ? ret_from_fork+0x2b/0x40 +[ 113.247606] ? ret_from_fork_asm+0x1a/0x30 +[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd] + +ksmbd is trying to set the atime and mtime via notify_change without also +setting the ctime. so This patch add ATTR_CTIME flags when setting mtime +to avoid a warning. 
+ +Reported-by: David Disseldorp +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index aef5a1b7c490..04ffc5b158c3 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6016,15 +6016,13 @@ static int set_file_basic_info(struct ksmbd_file *fp, + attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET); + } + +- attrs.ia_valid |= ATTR_CTIME; + if (file_info->ChangeTime) +- attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime); +- else +- attrs.ia_ctime = inode_get_ctime(inode); ++ inode_set_ctime_to_ts(inode, ++ ksmbd_NTtimeToUnix(file_info->ChangeTime)); + + if (file_info->LastWriteTime) { + attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime); +- attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET); ++ attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET | ATTR_CTIME); + } + + if (file_info->Attributes) { +@@ -6066,8 +6064,6 @@ static int set_file_basic_info(struct ksmbd_file *fp, + return -EACCES; + + inode_lock(inode); +- inode_set_ctime_to_ts(inode, attrs.ia_ctime); +- attrs.ia_valid &= ~ATTR_CTIME; + rc = notify_change(idmap, dentry, &attrs, NULL); + inode_unlock(inode); + } +-- +2.39.5 + diff --git a/queue-6.12/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch b/queue-6.12/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch new file mode 100644 index 00000000000..39a1fe1ec5f --- /dev/null +++ b/queue-6.12/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch 
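Review bot: set_file_basic_info() now calls `inode_set_ctime_to_ts(inode, ksmbd_NTtimeToUnix(file_info->ChangeTime))` where the request fields are parsed, while the removed lines did it after `inode_lock(inode)` and just before `notify_change()`. The second hunk still shows a `return -EACCES;` ahead of the locked region, so a client-supplied ChangeTime appears to be written to the inode without the inode lock, and also when the request is rejected afterwards. The code between the two hunks is not visible, so this needs confirming against the full function. I would apply the timestamp inside the locked region instead, with `if (file_info->ChangeTime) inode_set_ctime_to_ts(inode, ksmbd_NTtimeToUnix(file_info->ChangeTime));` placed right after `inode_lock(inode);`.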
@@ -0,0 +1,109 @@ +From ae2c2f846e18131eb8ce19d0be47a6489f9492da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 16:18:21 +0100 +Subject: net: usb: qmi_wwan: add Telit FE910C04 compositions + +From: Daniele Palmas + +[ Upstream commit 3b58b53a26598209a7ad8259a5114ce71f7c3d64 ] + +Add the following Telit FE910C04 compositions: + +0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c0 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag) +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c4 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) 
MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c8 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Link: https://patch.msgid.link/20241209151821.3688829-1-dnlplm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 0c011d8f5d4d..9fe7f704a2f7 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1365,6 +1365,9 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c0, 0)}, /* Telit FE910C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c4, 0)}, /* Telit FE910C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c8, 0)}, /* Telit FE910C04 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.39.5 + diff --git a/queue-6.12/perf-x86-intel-add-arrow-lake-u-support.patch b/queue-6.12/perf-x86-intel-add-arrow-lake-u-support.patch new file mode 100644 index 00000000000..bfaff6b203f --- /dev/null +++ b/queue-6.12/perf-x86-intel-add-arrow-lake-u-support.patch 
@@ -0,0 +1,35 @@ +From c144d714dd62565c09c91d9499af876be74a45b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 10:05:26 -0800 +Subject: perf/x86/intel: Add Arrow Lake U support + +From: Kan Liang + +[ Upstream commit 4e54ed496343702837ddca5f5af720161c6a5407 ] + +From PMU's perspective, the new Arrow Lake U is the same as the +Meteor Lake. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20241121180526.2364759-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 28b4312f2563..f558be868a50 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -7067,6 +7067,7 @@ __init int intel_pmu_init(void) + + case INTEL_METEORLAKE: + case INTEL_METEORLAKE_L: ++ case INTEL_ARROWLAKE_U: + intel_pmu_init_hybrid(hybrid_big_small); + + x86_pmu.pebs_latency_data = cmt_latency_data; +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series index f5afe34f1ff..b4250e6465e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -73,3 +73,33 @@ af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch ila-serialize-calls-to-nf_register_net_hooks.patch net-ti-icssg-prueth-fix-firmware-load-sequence.patch net-ti-icssg-prueth-fix-clearing-of-iep_cmp_cfg-regi.patch +btrfs-allow-swap-activation-to-be-interruptible.patch +perf-x86-intel-add-arrow-lake-u-support.patch +wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch +wifi-cfg80211-clear-link-id-from-bitmap-during-link-.patch +wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch +drm-amdgpu-use-sjt-mec-fw-on-gfx943-for-sriov.patch +drm-amdkfd-correct-the-migration-dma-map-direction.patch +alsa-hda-cs35l56-remove-calls-to-cs35l56_force_sync_.patch +alsa-hda-realtek-add-support-for-asus-zen-aio-27-z27.patch +btrfs-handle-bio_split-errors.patch +btrfs-flush-delalloc-workers-queue-before-stopping-c.patch +alsa-hda-ca0132-use-standard-hd-audio-quirk-matching.patch +alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch +sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch +sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch +spi-spi-cadence-qspi-disable-stig-mode-for-altera-so.patch +asoc-audio-graph-card-call-of_node_put-on-correct-no.patch +arc-build-disallow-invalid-pae40-4k-page-config.patch +arc-build-use-__force-to-suppress-per-cpu-cmpxchg-wa.patch +arc-bpf-correct-conditional-check-in-check_jmp_32.patch +bpf-fix-potential-error-return.patch +ksmbd-retry-iterate_dir-in-smb2_query_dir.patch +ksmbd-set-attr_ctime-flags-when-setting-mtime.patch +smb-client-destroy-cfid_put_wq-on-module-exit.patch +net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch +bluetooth-hci_core-fix-sleeping-function-called-from.patch +irqchip-gic-correct-declaration-of-percpu_base-point.patch +arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch +bpf-refactor-bpf_helper_changes_pkt_data-to-use-help.patch +bpf-consider-that-tail-calls-invalidate-packet-point.patch 
diff --git a/queue-6.12/smb-client-destroy-cfid_put_wq-on-module-exit.patch b/queue-6.12/smb-client-destroy-cfid_put_wq-on-module-exit.patch new file mode 100644 index 00000000000..f9afb700aaf --- /dev/null +++ b/queue-6.12/smb-client-destroy-cfid_put_wq-on-module-exit.patch @@ -0,0 +1,33 @@ +From c3a5f3b37a5d22b95fdee4d7f7f1cbed4029087c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 10:21:48 -0300 +Subject: smb: client: destroy cfid_put_wq on module exit + +From: Enzo Matsumiya + +[ Upstream commit 633609c48a358134d3f8ef8241dff24841577f58 ] + +Fix potential problem in rmmod + +Signed-off-by: Enzo Matsumiya +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c +index bf909c2f6b96..0ceebde38f9f 100644 +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -2018,6 +2018,7 @@ exit_cifs(void) + destroy_workqueue(decrypt_wq); + destroy_workqueue(fileinfo_put_wq); + destroy_workqueue(serverclose_wq); ++ destroy_workqueue(cfid_put_wq); + destroy_workqueue(cifsiod_wq); + cifs_proc_clean(); + } +-- +2.39.5 + diff --git a/queue-6.12/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch b/queue-6.12/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch new file mode 100644 index 00000000000..e11ea63866f --- /dev/null +++ b/queue-6.12/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch 
@@ -0,0 +1,74 @@
+From 4dc731ef9914a77b737d8ec9e4f19384e7b5c9af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Dec 2024 11:05:28 +0200
+Subject: sound: usb: enable DSD output for ddHiFi TC44C
+
+From: Adrian Ratiu
+
+[ Upstream commit c84bd6c810d1880194fea2229c7086e4b73fddc1 ]
+
+This is a UAC 2 DAC capable of raw DSD on intf 2 alt 4:
+
+Bus 007 Device 004: ID 262a:9302 SAVITECH Corp. TC44C
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2 [unknown]
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ idVendor 0x262a SAVITECH Corp.
+ idProduct 0x9302 TC44C
+ bcdDevice 0.01
+ iManufacturer 1 DDHIFI
+ iProduct 2 TC44C
+ iSerial 6 5000000001
+.......
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 2
+ bAlternateSetting 4
+ bNumEndpoints 2
+ bInterfaceClass 1 Audio
+ bInterfaceSubClass 2 Streaming
+ bInterfaceProtocol 32
+ iInterface 0
+ AudioStreaming Interface Descriptor:
+ bLength 16
+ bDescriptorType 36
+ bDescriptorSubtype 1 (AS_GENERAL)
+ bTerminalLink 3
+ bmControls 0x00
+ bFormatType 1
+ bmFormats 0x80000000
+ bNrChannels 2
+ bmChannelConfig 0x00000000
+ iChannelNames 0
+.......
+
+Signed-off-by: Adrian Ratiu
+Link: https://patch.msgid.link/20241209090529.16134-1-adrian.ratiu@collabora.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index a0767de7f1b7..8ba0aff8be2e 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2325,6 +2325,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x2522, 0x0007, /* LH Labs Geek Out HD Audio 1V5 */
+ QUIRK_FLAG_SET_IFACE_FIRST),
++ DEVICE_FLG(0x262a, 0x9302, /* ddHiFi TC44C */
++ QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x2708, 0x0002, /* Audient iD14 */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
+ DEVICE_FLG(0x2912, 0x30c8, /* Audioengine D1 */
+--
+2.39.5
+
diff --git a/queue-6.12/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch b/queue-6.12/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch
new file mode 100644
index 00000000000..2b881e21678
--- /dev/null
+++ b/queue-6.12/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch
@@ -0,0 +1,75 @@
+From 2a0c39fce7a9212e51c9529b7e0e52a5454bc2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Dec 2024 11:05:29 +0200
+Subject: sound: usb: format: don't warn that raw DSD is unsupported
+
+From: Adrian Ratiu
+
+[ Upstream commit b50a3e98442b8d72f061617c7f7a71f7dba19484 ]
+
+UAC 2 & 3 DAC's set bit 31 of the format to signal support for a
+RAW_DATA type, typically used for DSD playback.
+
+This is correctly tested by (format & UAC*_FORMAT_TYPE_I_RAW_DATA),
+fp->dsd_raw = true; and call snd_usb_interface_dsd_format_quirks(),
+however a confusing and unnecessary message gets printed because
+the bit is not properly tested in the last "unsupported" if test:
+if (format & ~0x3F) { ... }
+
+For example the output:
+
+usb 7-1: new high-speed USB device number 5 using xhci_hcd
+usb 7-1: New USB device found, idVendor=262a, idProduct=9302, bcdDevice=0.01
+usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6
+usb 7-1: Product: TC44C
+usb 7-1: Manufacturer: TC44C
+usb 7-1: SerialNumber: 5000000001
+hid-generic 0003:262A:9302.001E: No inputs registered, leaving
+hid-generic 0003:262A:9302.001E: hidraw6: USB HID v1.00 Device [DDHIFI TC44C] on usb-0000:08:00.3-1/input0
+usb 7-1: 2:4 : unsupported format bits 0x100000000
+
+This last "unsupported format" is actually wrong: we know the
+format is a RAW_DATA which we assume is DSD, so there is no need
+to print the confusing message.
+
+This we unset bit 31 of the format after recognizing it, to avoid
+the message.
+
+Suggested-by: Takashi Iwai
+Signed-off-by: Adrian Ratiu
+Link: https://patch.msgid.link/20241209090529.16134-2-adrian.ratiu@collabora.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/format.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/format.c b/sound/usb/format.c
+index 0cbf1d4fbe6e..6049d957694c 100644
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -60,6 +60,8 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip,
+ pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL;
+ /* flag potentially raw DSD capable altsettings */
+ fp->dsd_raw = true;
++ /* clear special format bit to avoid "unsupported format" msg below */
++ format &= ~UAC2_FORMAT_TYPE_I_RAW_DATA;
+ }
+
+ format <<= 1;
+@@ -71,8 +73,11 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip,
+ sample_width = as->bBitResolution;
+ sample_bytes = as->bSubslotSize;
+
+- if (format & UAC3_FORMAT_TYPE_I_RAW_DATA)
++ if (format & UAC3_FORMAT_TYPE_I_RAW_DATA) {
+ pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL;
++ /* clear special format bit to avoid "unsupported format" msg below */
++ format &= ~UAC3_FORMAT_TYPE_I_RAW_DATA;
++ }
+
+ format <<= 1;
+ break;
+--
+2.39.5
+
diff --git a/queue-6.12/spi-spi-cadence-qspi-disable-stig-mode-for-altera-so.patch b/queue-6.12/spi-spi-cadence-qspi-disable-stig-mode-for-altera-so.patch
new file mode 100644
index 00000000000..98d42c8db58
--- /dev/null
+++ b/queue-6.12/spi-spi-cadence-qspi-disable-stig-mode-for-altera-so.patch
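Review bot: In sound/usb/format.c both added masks, `format &= ~UAC2_FORMAT_TYPE_I_RAW_DATA;` and its UAC3 twin in the second inner hunk, complement a constant whose type is not visible here, while `format` is evidently wider than 32 bits (the log in the description prints 0x100000000). If either macro is an int-typed shift such as `(1 << 31)`, the complement is a 32-bit value that, once widened, also clears bits 32-63, so unknown high format bits would no longer reach the "unsupported format bits" report. Building the mask at the width of `format`, for example `format &= ~(u64)(u32)UAC2_FORMAT_TYPE_I_RAW_DATA;`, removes the dependence on the macro's type. parse_audio_format_i_type starts and ends outside both hunks, so the declaration of `format` should be confirmed there.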
@@ -0,0 +1,74 @@
+From 748433d73762c8cab97b53cf5fb056fe0a3cbd3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Dec 2024 14:33:38 +0800
+Subject: spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA.
+
+From: Niravkumar L Rabara
+
+[ Upstream commit 25fb0e77b90e290a1ca30900d54c6a495eea65e2 ]
+
+STIG mode is enabled by default for less than 8 bytes data read/write.
+STIG mode doesn't work with Altera SocFPGA platform due hardware
+limitation.
+Add a quirks to disable STIG mode for Altera SoCFPGA platform.
+
+Signed-off-by: Niravkumar L Rabara
+Link: https://patch.msgid.link/20241204063338.296959-1-niravkumar.l.rabara@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-cadence-quadspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
+index 1755ca026f08..73b1edd0531b 100644
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -43,6 +43,7 @@ static_assert(CQSPI_MAX_CHIPSELECT <= SPI_CS_CNT_MAX);
+ #define CQSPI_SLOW_SRAM BIT(4)
+ #define CQSPI_NEEDS_APB_AHB_HAZARD_WAR BIT(5)
+ #define CQSPI_RD_NO_IRQ BIT(6)
++#define CQSPI_DISABLE_STIG_MODE BIT(7)
+
+ /* Capabilities */
+ #define CQSPI_SUPPORTS_OCTAL BIT(0)
+@@ -103,6 +104,7 @@ struct cqspi_st {
+ bool apb_ahb_hazard;
+
+ bool is_jh7110; /* Flag for StarFive JH7110 SoC */
++ bool disable_stig_mode;
+
+ const struct cqspi_driver_platdata *ddata;
+ };
+@@ -1416,7 +1418,8 @@ static int cqspi_mem_process(struct spi_mem *mem, const struct spi_mem_op *op)
+ * reads, prefer STIG mode for such small reads.
+ */
+ if (!op->addr.nbytes ||
+- op->data.nbytes <= CQSPI_STIG_DATA_LEN_MAX)
++ (op->data.nbytes <= CQSPI_STIG_DATA_LEN_MAX &&
++ !cqspi->disable_stig_mode))
+ return cqspi_command_read(f_pdata, op);
+
+ return cqspi_read(f_pdata, op);
+@@ -1880,6 +1883,8 @@ static int cqspi_probe(struct platform_device *pdev)
+ if (ret)
+ goto probe_reset_failed;
+ }
++ if (ddata->quirks & CQSPI_DISABLE_STIG_MODE)
++ cqspi->disable_stig_mode = true;
+
+ if (of_device_is_compatible(pdev->dev.of_node,
+ "xlnx,versal-ospi-1.0")) {
+@@ -2043,7 +2048,8 @@ static const struct cqspi_driver_platdata intel_lgm_qspi = {
+ static const struct cqspi_driver_platdata socfpga_qspi = {
+ .quirks = CQSPI_DISABLE_DAC_MODE
+ | CQSPI_NO_SUPPORT_WR_COMPLETION
+- | CQSPI_SLOW_SRAM,
++ | CQSPI_SLOW_SRAM
++ | CQSPI_DISABLE_STIG_MODE,
+ };
+
+ static const struct cqspi_driver_platdata versal_ospi = {
+--
+2.39.5
+
diff --git a/queue-6.12/wifi-cfg80211-clear-link-id-from-bitmap-during-link-.patch b/queue-6.12/wifi-cfg80211-clear-link-id-from-bitmap-during-link-.patch
new file mode 100644
index 00000000000..9d01f1fdf1b
--- /dev/null
+++ b/queue-6.12/wifi-cfg80211-clear-link-id-from-bitmap-during-link-.patch
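Review bot: In drivers/spi/spi-cadence-quadspi.c the new `!cqspi->disable_stig_mode` term guards only the small-data half of the test in cqspi_mem_process, so an operation with `!op->addr.nbytes` is still sent through `cqspi_command_read()`, the path the existing comment associates with STIG mode, on a platform flagged as unable to use it. If that is intended, the comment above the test should say so, e.g. `/* address-less ops always use STIG, even with CQSPI_DISABLE_STIG_MODE */`; if not, the quirk has to cover that branch too. The description speaks of read/write, but only the read decision is changed in the hunks shown, so the write side is worth checking. cqspi_mem_process and cqspi_probe both extend beyond their hunks, and whether the added `ddata->quirks` test sits inside an existing NULL check of `ddata` cannot be seen from here.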
@@ -0,0 +1,79 @@
+From 530a5a4c90009fff79525b9c0b9838f62e557bde Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Nov 2024 09:45:30 +0530
+Subject: wifi: cfg80211: clear link ID from bitmap during link delete after
+ clean up
+
+From: Aditya Kumar Singh
+
+[ Upstream commit b5c32ff6a3a38c74facdd1fe34c0d709a55527fd ]
+
+Currently, during link deletion, the link ID is first removed from the
+valid_links bitmap before performing any clean-up operations. However, some
+functions require the link ID to remain in the valid_links bitmap. One
+such example is cfg80211_cac_event(). The flow is -
+
+nl80211_remove_link()
+ cfg80211_remove_link()
+ ieee80211_del_intf_link()
+ ieee80211_vif_set_links()
+ ieee80211_vif_update_links()
+ ieee80211_link_stop()
+ cfg80211_cac_event()
+
+cfg80211_cac_event() requires link ID to be present but it is cleared
+already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.
+
+Therefore, clear the link ID from the bitmap only after completing the link
+clean-up.
+
+Signed-off-by: Aditya Kumar Singh
+Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 8 +++++++-
+ net/wireless/util.c | 3 +--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 1b1bf044378d..f11fd360b422 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -4992,10 +4992,16 @@ static void ieee80211_del_intf_link(struct wiphy *wiphy,
+ unsigned int link_id)
+ {
+ struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
++ u16 new_links = wdev->valid_links & ~BIT(link_id);
+
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+- ieee80211_vif_set_links(sdata, wdev->valid_links, 0);
++ /* During the link teardown process, certain functions require the
++ * link_id to remain in the valid_links bitmap. Therefore, instead
++ * of removing the link_id from the bitmap, pass a masked value to
++ * simulate as if link_id does not exist anymore.
++ */
++ ieee80211_vif_set_links(sdata, new_links, 0);
+ }
+
+ static int
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index f49b55724f83..18585b1416c6 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -2843,10 +2843,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)
+ break;
+ }
+
+- wdev->valid_links &= ~BIT(link_id);
+-
+ rdev_del_intf_link(rdev, wdev, link_id);
+
++ wdev->valid_links &= ~BIT(link_id);
+ eth_zero_addr(wdev->links[link_id].addr);
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.12/wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch b/queue-6.12/wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch
new file mode 100644
index 00000000000..e80ccec72e0
--- /dev/null
+++ b/queue-6.12/wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch
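Review bot: In net/wireless/util.c the callback behind `rdev_del_intf_link()` now runs while `link_id` is still set in `wdev->valid_links`, and only the mac80211 implementation is adapted in this patch, by passing the masked `new_links`. Any other implementation of that callback, none of which is visible here, would see the link as still valid during teardown and should be checked. The ordering is also undocumented at the place where it matters; a comment above the moved line, such as `/* clear only after the driver has torn the link down; teardown paths still look link_id up in valid_links */`, would keep a later cleanup from moving it back. Both cfg80211_remove_link and ieee80211_del_intf_link begin outside their hunks.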
@@ -0,0 +1,78 @@
+From d6622dc1439d2c043f36e640f63e8a44294fdc95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Nov 2024 17:29:20 +0100
+Subject: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems
+
+From: Issam Hamdi
+
+[ Upstream commit 49dba1ded8dd5a6a12748631403240b2ab245c34 ]
+
+On 32-bit systems, the size of an unsigned long is 4 bytes,
+while a u64 is 8 bytes. Therefore, when using
+or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE),
+the code is incorrectly searching for a bit in a 32-bit
+variable that is expected to be 64 bits in size,
+leading to incorrect bit finding.
+
+Solution: Ensure that the size of the bits variable is correctly
+adjusted for each architecture.
+
+ Call Trace:
+ ? show_regs+0x54/0x58
+ ? __warn+0x6b/0xd4
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? report_bug+0x113/0x150
+ ? exc_overflow+0x30/0x30
+ ? handle_bug+0x27/0x44
+ ? exc_invalid_op+0x18/0x50
+ ? handle_exception+0xf6/0xf6
+ ? exc_overflow+0x30/0x30
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? exc_overflow+0x30/0x30
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? ieee80211_mesh_work+0xff/0x260 [mac80211]
+ ? cfg80211_wiphy_work+0x72/0x98 [cfg80211]
+ ? process_one_work+0xf1/0x1fc
+ ? worker_thread+0x2c0/0x3b4
+ ? kthread+0xc7/0xf0
+ ? mod_delayed_work_on+0x4c/0x4c
+ ? kthread_complete_and_exit+0x14/0x14
+ ? ret_from_fork+0x24/0x38
+ ? kthread_complete_and_exit+0x14/0x14
+ ? ret_from_fork_asm+0xf/0x14
+ ? entry_INT80_32+0xf0/0xf0
+
+Signed-off-by: Issam Hamdi
+Link: https://patch.msgid.link/20241125162920.2711462-1-ih@simonwunderlich.de
+[restore no-op path for no changes]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 640239f4425b..50eb1d8cd43d 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1157,14 +1157,14 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata,
+ u64 changed)
+ {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- unsigned long bits = changed;
++ unsigned long bits[] = { BITMAP_FROM_U64(changed) };
+ u32 bit;
+
+- if (!bits)
++ if (!changed)
+ return;
+
+ /* if we race with running work, worst case this work becomes a noop */
+- for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)
++ for_each_set_bit(bit, bits, sizeof(changed) * BITS_PER_BYTE)
+ set_bit(bit, ifmsh->mbss_changed);
+ set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags);
+ wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
+--
+2.39.5
+
diff --git a/queue-6.12/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch b/queue-6.12/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch
new file mode 100644
index 00000000000..0cfd9d7144b
--- /dev/null
+++ b/queue-6.12/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch
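Review bot: In net/mac80211/mesh.c the scan length `sizeof(changed) * BITS_PER_BYTE` is still derived from the u64 rather than from the `bits[]` array being scanned, which is the mismatch that let the old code read past a 4-byte variable on 32-bit builds. The two agree now only because BITMAP_FROM_U64 fills 64 bits on either word size; bounding the loop by the array itself, `for_each_set_bit(bit, bits, ARRAY_SIZE(bits) * BITS_PER_LONG)`, keeps them from drifting apart again. The declaration of `ifmsh->mbss_changed` is outside the hunk, so it should be confirmed that it holds at least 64 bits on 32-bit builds, since `set_bit(bit, ...)` is now reached with bit numbers up to 63 there.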
@@ -0,0 +1,44 @@
+From ecc86b23b84839a45eed4b8eec5d9805a8050fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Nov 2024 17:35:39 +0200
+Subject: wifi: mac80211: wake the queues in case of failure in resume
+
+From: Emmanuel Grumbach
+
+[ Upstream commit 220bf000530f9b1114fa2a1022a871c7ce8a0b38 ]
+
+In case we fail to resume, we'll WARN with
+"Hardware became unavailable during restart." and we'll wait until user
+space does something. It'll typically bring the interface down and up to
+recover. This won't work though because the queues are still stopped on
+IEEE80211_QUEUE_STOP_REASON_SUSPEND reason.
+Make sure we clear that reason so that we give a chance to the recovery
+to succeed.
+
+Signed-off-by: Emmanuel Grumbach
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20241119173108.cd628f560f97.I76a15fdb92de450e5329940125f3c58916be3942@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index b4814e97cf74..38c30e4ddda9 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1825,6 +1825,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ WARN(1, "Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.\n");
+ else
+ WARN(1, "Hardware became unavailable during restart.\n");
++ ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP,
++ IEEE80211_QUEUE_STOP_REASON_SUSPEND,
++ false);
+ ieee80211_handle_reconfig_failure(local);
+ return res;
+ }
+--
+2.39.5
+
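Review bot: In net/mac80211/util.c the added `ieee80211_wake_queues_by_reason()` call has no comment saying why transmit queues are re-enabled on a path that has just reported the hardware as unavailable, and it runs for the restart branch as well as the resume branch. A line such as `/* drop the SUSPEND stop reason so an ifdown/ifup from user space can recover */` above the call would record the intent and keep a later cleanup from removing it. Whether the wake should come after `ieee80211_handle_reconfig_failure(local)`, so that no frame is handed to a driver whose start just failed, cannot be judged from the hunk because ieee80211_reconfig begins outside it and that helper's body is not shown.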