From: Greg Kroah-Hartman Date: Sun, 23 Jul 2023 14:12:53 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.41~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e2df5430f603db070b5835c06dbdc12da6375b38;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch asoc-codecs-wcd938x-fix-codec-initialisation-race.patch asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch asoc-fsl_sai-disable-bit-clock-with-transmitter.patch asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch asoc-rt5640-fix-sleep-in-atomic-context.patch asoc-tegra-fix-adx-byte-map.patch asoc-tegra-fix-amx-byte-map.patch btrfs-fix-race-between-balance-and-cancel-pause.patch btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch can-bcm-fix-uaf-in-bcm_proc_show.patch can-gs_usb-gs_can_open-improve-error-handling.patch can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch can-raw-fix-receiver-memory-leak.patch dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch drm-amd-display-only-accept-async-flips-for-fast-updates.patch drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch drm-client-fix-memory-leak-in-drm_client_target_cloned.patch fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch fuse-ioctl-translate-enosys-in-outarg.patch fuse-revalidate-don-t-invalidate-if-interrupted.patch keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch maple_tree-fix-node-allocation-testing-on-32-bit.patch maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch of-preserve-of-display-device-name-for-compatibility.patch perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch regmap-account-for-register-length-in-smbus-i-o-limits.patch regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch selftests-tc-add-conntrack-procfs-kconfig.patch selftests-tc-add-ct-action-kconfig-dep.patch selftests-tc-set-timeout-to-15-minutes.patch --- diff --git a/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch b/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch new file mode 100644 index 00000000000..19d5f56cb49 --- /dev/null +++ b/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch @@ -0,0 +1,93 @@ +From d4d5be94a87872421ea2569044092535aff0b886 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 20 Jul 2023 19:38:58 +0100 +Subject: arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes + +From: Mark Brown + +commit d4d5be94a87872421ea2569044092535aff0b886 upstream. + +When we reconfigure the SVE vector length we discard the backing storage +for the SVE vectors and then reallocate on next SVE use, leaving the SME +specific state alone. This means that we do not enable SME traps if they +were already disabled. That means that userspace code can enter streaming +mode without trapping, putting the task in a state where if we try to save +the state of the task we will fault. + +Since the ABI does not specify that changing the SVE vector length disturbs +SME state, and since SVE code may not be aware of SME code in the process, +we shouldn't simply discard any ZA state. Instead immediately reallocate +the storage for SVE, and disable SME if we change the SVE vector length +while there is no SME state active. + +Disabling SME traps on SVE vector length changes would make the overall +code more complex since we would have a state where we have valid SME state +stored but might get a SME trap. + +Fixes: 9e4ab6c89109 ("arm64/sme: Implement vector length configuration prctl()s") +Reported-by: David Spickett +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/fpsimd.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -803,6 +803,8 @@ void sve_sync_from_fpsimd_zeropad(struct + int vec_set_vector_length(struct task_struct *task, enum vec_type type, + unsigned long vl, unsigned long flags) + { ++ bool free_sme = false; ++ + if (flags & ~(unsigned long)(PR_SVE_VL_INHERIT | + PR_SVE_SET_VL_ONEXEC)) + return -EINVAL; +@@ -851,21 +853,36 @@ int vec_set_vector_length(struct task_st + thread_sm_enabled(&task->thread)) + sve_to_fpsimd(task); + +- if (system_supports_sme() && type == ARM64_VEC_SME) { +- task->thread.svcr &= ~(SVCR_SM_MASK | +- SVCR_ZA_MASK); +- clear_thread_flag(TIF_SME); ++ if (system_supports_sme()) { ++ if (type == ARM64_VEC_SME || ++ !(task->thread.svcr & (SVCR_SM_MASK | SVCR_ZA_MASK))) { ++ /* ++ * We are changing the SME VL or weren't using ++ * SME anyway, discard the state and force a ++ * reallocation. ++ */ ++ task->thread.svcr &= ~(SVCR_SM_MASK | ++ SVCR_ZA_MASK); ++ clear_thread_flag(TIF_SME); ++ free_sme = true; ++ } + } + + if (task == current) + put_cpu_fpsimd_context(); + + /* +- * Force reallocation of task SVE and SME state to the correct +- * size on next use: ++ * Free the changed states if they are not in use, SME will be ++ * reallocated to the correct size on next use and we just ++ * allocate SVE now in case it is needed for use in streaming ++ * mode. + */ +- sve_free(task); +- if (system_supports_sme() && type == ARM64_VEC_SME) ++ if (system_supports_sve()) { ++ sve_free(task); ++ sve_alloc(task, true); ++ } ++ ++ if (free_sme) + sme_free(task); + + task_set_vl(task, type, vl); diff --git a/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..aabe42628e5 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch @@ -0,0 +1,157 @@ +From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:16 +0200 +Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove + +From: Johan Hovold + +commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. + +The MBHC resources must be released on component probe failure and +removal so can not be tied to the lifetime of the component device. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + wcd938x_codec audio-codec: mbhc initialization failed + wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 + snd-sc8280xp sound: ASoC: failed to instantiate card -16 + +Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/sound/soc/codecs/wcd-mbhc-v2.c ++++ b/sound/soc/codecs/wcd-mbhc-v2.c +@@ -1454,7 +1454,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + return ERR_PTR(-EINVAL); + } + +- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); ++ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); + if (!mbhc) + return ERR_PTR(-ENOMEM); + +@@ -1474,61 +1474,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + + INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_sw_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, + wcd_mbhc_mech_plug_detect_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "mbhc sw intr", mbhc); + if (ret) +- goto err; ++ goto err_free_mbhc; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, + wcd_mbhc_btn_press_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Press detect", mbhc); + if (ret) +- goto err; ++ goto err_free_sw_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, + wcd_mbhc_btn_release_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Release detect", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_press_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, + wcd_mbhc_adc_hs_ins_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Insert", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_release_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, + wcd_mbhc_adc_hs_rem_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Remove", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_ins_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, + wcd_mbhc_hphl_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_L OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_rem_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, + wcd_mbhc_hphr_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_R OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hph_left_ocp; + + return mbhc; +-err: ++ ++err_free_hph_left_ocp: ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++err_free_hs_rem_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++err_free_hs_ins_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++err_free_btn_release_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++err_free_btn_press_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++err_free_sw_intr: ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++err_free_mbhc: ++ kfree(mbhc); ++ + dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); + + return ERR_PTR(ret); +@@ -1537,9 +1552,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); + + void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) + { ++ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++ + mutex_lock(&mbhc->lock); + wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); + mutex_unlock(&mbhc->lock); ++ ++ kfree(mbhc); + } + EXPORT_SYMBOL(wcd_mbhc_deinit); + diff --git a/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..c86cf2752f1 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch @@ -0,0 +1,54 @@ +From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:15 +0200 +Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove + +From: Johan Hovold + +commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. + +Make sure to release allocated MBHC resources also on component remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component. + +Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd934x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); ++ ++ if (!wcd->mbhc) ++ return; ++ ++ wcd_mbhc_deinit(wcd->mbhc); ++} ++ + static int wcd934x_comp_probe(struct snd_soc_component *component) + { + struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); +@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s + { + struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); + ++ wcd934x_mbhc_deinit(comp); + wcd_clsh_ctrl_free(wcd->clsh_ctrl); + } + diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch new file mode 100644 index 00000000000..3e47419b85b --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch @@ -0,0 +1,54 @@ +From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 30 Jun 2023 14:03:18 +0200 +Subject: ASoC: codecs: wcd938x: fix codec initialisation race + +From: Johan Hovold + +commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. + +Make sure to resume the codec and soundwire device before trying to read +the codec variant and configure the device during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +when the soundwire device happens to be suspended, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3095,6 +3095,10 @@ static int wcd938x_soc_codec_probe(struc + + snd_soc_component_init_regmap(component, wcd938x->regmap); + ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret < 0) ++ return ret; ++ + wcd938x->variant = snd_soc_component_read_field(component, + WCD938X_DIGITAL_EFUSE_REG_0, + WCD938X_ID_MASK); +@@ -3112,6 +3116,8 @@ static int wcd938x_soc_codec_probe(struc + (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); + } + ++ pm_runtime_put(dev); ++ + wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, + WCD938X_IRQ_HPHR_PDM_WD_INT); + wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch new file mode 100644 index 00000000000..a2e1b76ba60 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch @@ -0,0 +1,37 @@ +From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:13 +0200 +Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling + +From: Johan Hovold + +commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. + +Allocation of the clash control structure may fail so add the missing +error handling to avoid dereferencing an error pointer. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,6 +3090,10 @@ static int wcd938x_soc_codec_probe(struc + WCD938X_ID_MASK); + + wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); ++ if (IS_ERR(wcd938x->clsh_info)) { ++ pm_runtime_put(dev); ++ return PTR_ERR(wcd938x->clsh_info); ++ } + + wcd938x_io_init(wcd938x); + /* Set all interrupts as edge triggered */ diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch new file mode 100644 index 00000000000..a98d816a471 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch @@ -0,0 +1,51 @@ +From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 3 Jul 2023 14:47:01 +0200 +Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling + +From: Johan Hovold + +commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. + +MBHC initialisation can fail so add the missing error handling to avoid +dereferencing an error pointer when later configuring the jack: + + Unable to handle kernel paging request at virtual address fffffffffffffff8 + + pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + + Call trace: + wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] + qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] + sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] + snd_soc_link_init+0x28/0x90 [snd_soc_core] + snd_soc_bind_card+0x628/0xbfc [snd_soc_core] + snd_soc_register_card+0xec/0x104 [snd_soc_core] + devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] + sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Cc: stable@vger.kernel.org # 5.15 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2625,6 +2625,8 @@ static int wcd938x_mbhc_init(struct snd_ + WCD938X_IRQ_HPHR_OCP_INT); + + wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); ++ if (IS_ERR(wcd938x->wcd_mbhc)) ++ return PTR_ERR(wcd938x->wcd_mbhc); + + snd_soc_add_component_controls(component, impedance_detect_controls, + ARRAY_SIZE(impedance_detect_controls)); diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..40f70a75c04 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch @@ -0,0 +1,151 @@ +From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:14 +0200 +Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove + +From: Johan Hovold + +commit a3406f87775fee986876e03f93a84385f54d5999 upstream. + +Make sure to release allocated resources on component probe failure and +on remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16) + genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16) + genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT) + wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16) + genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 48 insertions(+), 7 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2633,6 +2633,14 @@ static int wcd938x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd938x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd_mbhc_deinit(wcd938x->wcd_mbhc); ++} ++ + /* END MBHC */ + + static const struct snd_kcontrol_new wcd938x_snd_controls[] = { +@@ -3113,20 +3121,26 @@ static int wcd938x_soc_codec_probe(struc + ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHR PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret); ++ goto err_free_clsh_ctrl; ++ } + + ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHL PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret); ++ goto err_free_hphr_pdm_wd_int; ++ } + + ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "AUX PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret); ++ goto err_free_hphl_pdm_wd_int; ++ } + + /* Disable watchdog interrupt for HPH and AUX */ + disable_irq_nosync(wcd938x->hphr_pdm_wd_int); +@@ -3141,7 +3155,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + case WCD9385: +@@ -3151,7 +3165,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + default: +@@ -3159,12 +3173,38 @@ static int wcd938x_soc_codec_probe(struc + } + + ret = wcd938x_mbhc_init(component); +- if (ret) ++ if (ret) { + dev_err(component->dev, "mbhc initialization failed\n"); +-err: ++ goto err_free_aux_pdm_wd_int; ++ } ++ ++ return 0; ++ ++err_free_aux_pdm_wd_int: ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++err_free_hphl_pdm_wd_int: ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++err_free_hphr_pdm_wd_int: ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++err_free_clsh_ctrl: ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++ + return ret; + } + ++static void wcd938x_soc_codec_remove(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd938x_mbhc_deinit(component); ++ ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++ ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++} ++ + static int wcd938x_codec_set_jack(struct snd_soc_component *comp, + struct snd_soc_jack *jack, void *data) + { +@@ -3181,6 +3221,7 @@ static int wcd938x_codec_set_jack(struct + static const struct snd_soc_component_driver soc_codec_dev_wcd938x = { + .name = "wcd938x_codec", + .probe = wcd938x_soc_codec_probe, ++ .remove = wcd938x_soc_codec_remove, + .controls = wcd938x_snd_controls, + .num_controls = ARRAY_SIZE(wcd938x_snd_controls), + .dapm_widgets = wcd938x_dapm_widgets, diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch new file mode 100644 index 00000000000..b36252e567d --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch @@ -0,0 +1,55 @@ +From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sat, 1 Jul 2023 11:47:23 +0200 +Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race + +From: Johan Hovold + +commit 6f49256897083848ce9a59651f6b53fc80462397 upstream. + +Make sure that the soundwire device used for register accesses has been +enumerated and initialised before trying to read the codec variant +during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +in case the soundwire device has not yet been initialised, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Tested-by: Steev Klimaszewski +Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,9 +3090,18 @@ static int wcd938x_irq_init(struct wcd93 + static int wcd938x_soc_codec_probe(struct snd_soc_component *component) + { + struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev; + struct device *dev = component->dev; ++ unsigned long time_left; + int ret, i; + ++ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, ++ msecs_to_jiffies(2000)); ++ if (!time_left) { ++ dev_err(dev, "soundwire device init timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + snd_soc_component_init_regmap(component, wcd938x->regmap); + + ret = pm_runtime_resume_and_get(dev); diff --git a/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch b/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch new file mode 100644 index 00000000000..6729b149d1e --- /dev/null +++ b/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch @@ -0,0 +1,86 @@ +From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Jul 2023 13:21:12 +0200 +Subject: ASoC: cs42l51: fix driver to properly autoload with automatic module loading + +From: Thomas Petazzoni + +commit e51df4f81b02bcdd828a04de7c1eb6a92988b61e upstream. + +In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table +pointer"), 9 years ago, some random guy fixed the cs42l51 after it was +split into a core part and an I2C part to properly match based on a +Device Tree compatible string. + +However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, +....) is in the core part of the driver, not the I2C part. Therefore, +automatic module loading based on module.alias, based on matching with +the DT compatible string, loads the core part of the driver, but not +the I2C part. And threfore, the i2c_driver is not registered, and the +codec is not known to the system, nor matched with a DT node with the +corresponding compatible string. + +In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into +the I2C part of the driver. The cs42l51_of_match[] array is also moved +as well, as it is not possible to have this definition in one file, +and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due +to how MODULE_DEVICE_TABLE works. + +Thanks to this commit, the I2C part of the driver now properly +autoloads, and thanks to its dependency on the core part, the core +part gets autoloaded as well, resulting in a functional sound card +without having to manually load kernel modules. + +Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Petazzoni +Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/cs42l51-i2c.c | 6 ++++++ + sound/soc/codecs/cs42l51.c | 7 ------- + sound/soc/codecs/cs42l51.h | 1 - + 3 files changed, 6 insertions(+), 8 deletions(-) + +--- a/sound/soc/codecs/cs42l51-i2c.c ++++ b/sound/soc/codecs/cs42l51-i2c.c +@@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_ + }; + MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); + ++const struct of_device_id cs42l51_of_match[] = { ++ { .compatible = "cirrus,cs42l51", }, ++ { } ++}; ++MODULE_DEVICE_TABLE(of, cs42l51_of_match); ++ + static int cs42l51_i2c_probe(struct i2c_client *i2c) + { + struct regmap_config config; +--- a/sound/soc/codecs/cs42l51.c ++++ b/sound/soc/codecs/cs42l51.c +@@ -826,13 +826,6 @@ int __maybe_unused cs42l51_resume(struct + } + EXPORT_SYMBOL_GPL(cs42l51_resume); + +-const struct of_device_id cs42l51_of_match[] = { +- { .compatible = "cirrus,cs42l51", }, +- { } +-}; +-MODULE_DEVICE_TABLE(of, cs42l51_of_match); +-EXPORT_SYMBOL_GPL(cs42l51_of_match); +- + MODULE_AUTHOR("Arnaud Patard "); + MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); + MODULE_LICENSE("GPL"); +--- a/sound/soc/codecs/cs42l51.h ++++ b/sound/soc/codecs/cs42l51.h +@@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, st + void cs42l51_remove(struct device *dev); + int __maybe_unused cs42l51_suspend(struct device *dev); + int __maybe_unused cs42l51_resume(struct device *dev); +-extern const struct of_device_id cs42l51_of_match[]; + + #define CS42L51_CHIP_ID 0x1B + #define CS42L51_CHIP_REV_A 0x00 diff --git a/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch new file mode 100644 index 00000000000..6e550a45412 --- /dev/null +++ b/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch @@ -0,0 +1,43 @@ +From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001 +From: Matus Gajdos +Date: Wed, 12 Jul 2023 14:49:33 +0200 +Subject: ASoC: fsl_sai: Disable bit clock with transmitter + +From: Matus Gajdos + +commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream. + +Otherwise bit clock remains running writing invalid data to the DAC. + +Signed-off-by: Matus Gajdos +Acked-by: Shengjiu Wang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 2 +- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -719,7 +719,7 @@ static void fsl_sai_config_disable(struc + u32 xcsr, count = 100; + + regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), +- FSL_SAI_CSR_TERE, 0); ++ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0); + + /* TERE will remain set till the end of current frame */ + do { +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -91,6 +91,7 @@ + /* SAI Transmit/Receive Control Register */ + #define FSL_SAI_CSR_TERE BIT(31) + #define FSL_SAI_CSR_SE BIT(30) ++#define FSL_SAI_CSR_BCE BIT(28) + #define FSL_SAI_CSR_FR BIT(25) + #define FSL_SAI_CSR_SR BIT(24) + #define FSL_SAI_CSR_xF_SHIFT 16 diff --git a/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch b/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch new file mode 100644 index 00000000000..a55b0cded21 --- /dev/null +++ b/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch @@ -0,0 +1,58 @@ +From 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 6 Jul 2023 19:18:27 -0300 +Subject: ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode" + +From: Fabio Estevam + +commit 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 upstream. + +This reverts commit ff87d619ac180444db297f043962a5c325ded47b. + +Andreas reports that on an i.MX8MP-based system where MCLK needs to be +used as an input, the MCLK pin is actually an output, despite not having +the 'fsl,sai-mclk-direction-output' property present in the devicetree. + +This is caused by commit ff87d619ac18 ("ASoC: fsl_sai: Enable +MCTL_MCLK_EN bit for master mode") that sets FSL_SAI_MCTL_MCLK_EN +unconditionally for imx8mm/8mn/8mp/93, causing the MCLK to always +be configured as output. + +FSL_SAI_MCTL_MCLK_EN corresponds to the MOE (MCLK Output Enable) bit +of register MCR and the drivers sets it when the +'fsl,sai-mclk-direction-output' devicetree property is present. + +Revert the commit to allow SAI to use MCLK as input as well. + +Cc: stable@vger.kernel.org +Fixes: ff87d619ac18 ("ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode") +Reported-by: Andreas Henriksson +Signed-off-by: Fabio Estevam +Acked-by: Shengjiu Wang +Link: https://lore.kernel.org/r/20230706221827.1938990-1-festevam@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 5e09f634c61b..54b4bf3744c6 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -507,12 +507,6 @@ static int fsl_sai_set_bclk(struct snd_soc_dai *dai, bool tx, u32 freq) + savediv / 2 - 1); + } + +- if (sai->soc_data->max_register >= FSL_SAI_MCTL) { +- /* SAI is in master mode at this point, so enable MCLK */ +- regmap_update_bits(sai->regmap, FSL_SAI_MCTL, +- FSL_SAI_MCTL_MCLK_EN, FSL_SAI_MCTL_MCLK_EN); +- } +- + return 0; + } + +-- +2.41.0 + diff --git a/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch b/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch new file mode 100644 index 00000000000..05bc39f7c2d --- /dev/null +++ b/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch @@ -0,0 +1,37 @@ +From 46ec420573cefa1fc98025e7e6841bdafd6f1e20 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:12 +0200 +Subject: ASoC: qdsp6: audioreach: fix topology probe deferral + +From: Johan Hovold + +commit 46ec420573cefa1fc98025e7e6841bdafd6f1e20 upstream. + +Propagate errors when failing to load the topology component so that +probe deferrals can be handled. + +Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") +Cc: stable@vger.kernel.org # 5.17 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-3-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/topology.c ++++ b/sound/soc/qcom/qdsp6/topology.c +@@ -1100,8 +1100,8 @@ int audioreach_tplg_init(struct snd_soc_ + + ret = snd_soc_tplg_component_load(component, &audioreach_tplg_ops, fw); + if (ret < 0) { +- dev_err(dev, "tplg component load failed%d\n", ret); +- ret = -EINVAL; ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "tplg component load failed: %d\n", ret); + } + + release_firmware(fw); diff --git a/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch b/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..b9768db1672 --- /dev/null +++ b/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch @@ -0,0 +1,65 @@ +From 70a6404ff610aa4889d98977da131c37f9ff9d1f Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Thu, 29 Jun 2023 10:42:15 +0530 +Subject: ASoC: rt5640: Fix sleep in atomic context + +From: Sameer Pujar + +commit 70a6404ff610aa4889d98977da131c37f9ff9d1f upstream. + +Following prints are observed while testing audio on Jetson AGX Orin which +has onboard RT5640 audio codec: + + BUG: sleeping function called from invalid context at kernel/workqueue.c:3027 + in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0 + preempt_count: 10001, expected: 0 + RCU nest depth: 0, expected: 0 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270 + ---[ end trace ad1c64905aac14a6 ]- + +The IRQ handler rt5640_irq() runs in interrupt context and can sleep +during cancel_delayed_work_sync(). + +Fix this by running IRQ handler, rt5640_irq(), in thread context. +Hence replace request_irq() calls with devm_request_threaded_irq(). + +Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2") +Cc: stable@vger.kernel.org +Cc: Oder Chiou +Signed-off-by: Sameer Pujar +Link: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5640.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2562,9 +2562,10 @@ static void rt5640_enable_jack_detect(st + if (jack_data && jack_data->use_platform_clock) + rt5640->use_platform_clock = jack_data->use_platform_clock; + +- ret = request_irq(rt5640->irq, rt5640_irq, +- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, +- "rt5640", rt5640); ++ ret = devm_request_threaded_irq(component->dev, rt5640->irq, ++ NULL, rt5640_irq, ++ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, ++ "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640_disable_jack_detect(component); +@@ -2617,8 +2618,9 @@ static void rt5640_enable_hda_jack_detec + + rt5640->jack = jack; + +- ret = request_irq(rt5640->irq, rt5640_irq, +- IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640); ++ ret = devm_request_threaded_irq(component->dev, rt5640->irq, ++ NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT, ++ "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640->irq = -ENXIO; diff --git a/queue-6.1/asoc-tegra-fix-adx-byte-map.patch b/queue-6.1/asoc-tegra-fix-adx-byte-map.patch new file mode 100644 index 00000000000..f0550624f34 --- /dev/null +++ b/queue-6.1/asoc-tegra-fix-adx-byte-map.patch @@ -0,0 +1,124 @@ +From 6dfe70be0b0dec0f9297811501bec26c05fd96ad Mon Sep 17 00:00:00 2001 +From: Sheetal +Date: Thu, 29 Jun 2023 10:42:14 +0530 +Subject: ASoC: tegra: Fix ADX byte map + +From: Sheetal + +commit 6dfe70be0b0dec0f9297811501bec26c05fd96ad upstream. + +Byte mask for channel-1 of stream-1 is not getting enabled and this +causes failures during ADX use cases. This happens because the byte +map value 0 matches the byte map array and put() callback returns +without enabling the corresponding bits in the byte mask. + +ADX supports 4 output streams and each stream can have a maximum of +16 channels. Each byte in the input frame is uniquely mapped to a +byte in one of these 4 outputs. This mapping is done with the help of +byte map array via user space control setting. The byte map array +size in the driver is 16 and each array element is of size 4 bytes. +This corresponds to 64 byte map values. + +Each byte in the byte map array can have any value between 0 to 255 +to enable the corresponding bits in the byte mask. The value 256 is +used as a way to disable the byte map. However the byte map array +element cannot store this value. The put() callback disables the byte +mask for 256 value and byte map value is reset to 0 for this case. +This causes problems during subsequent runs since put() callback, +for value of 0, just returns without enabling the byte mask. In short, +the problem is coming because 0 and 256 control values are stored as +0 in the byte map array. + +Right now fix the put() callback by actually looking at the byte mask +array state to identify if any change is needed and update the fields +accordingly. The get() callback needs an update as well to return the +correct control value that user has set before. Note that when user +set 256, the value is stored as 0 and byte mask is disabled. So byte +mask state is used to either return 256 or the value from byte map +array. + +Given above, this looks bit complicated and all this happens because +the byte map array is tightly packed and cannot actually store the 256 +value. Right now the priority is to fix the existing failure and a TODO +item is put to improve this logic. + +Fixes: 3c97881b8c8a ("ASoC: tegra: Fix kcontrol put callback in ADX") +Cc: stable@vger.kernel.org +Signed-off-by: Sheetal +Reviewed-by: Mohan Kumar D +Reviewed-by: Sameer Pujar +Link: https://lore.kernel.org/r/1688015537-31682-3-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/tegra/tegra210_adx.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/tegra/tegra210_adx.c b/sound/soc/tegra/tegra210_adx.c +index bd0b10c70c4c..7d003f0c8d0f 100644 +--- a/sound/soc/tegra/tegra210_adx.c ++++ b/sound/soc/tegra/tegra210_adx.c +@@ -2,7 +2,7 @@ + // + // tegra210_adx.c - Tegra210 ADX driver + // +-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. ++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. + + #include + #include +@@ -175,10 +175,20 @@ static int tegra210_adx_get_byte_map(struct snd_kcontrol *kcontrol, + mc = (struct soc_mixer_control *)kcontrol->private_value; + enabled = adx->byte_mask[mc->reg / 32] & (1 << (mc->reg % 32)); + ++ /* ++ * TODO: Simplify this logic to just return from bytes_map[] ++ * ++ * Presently below is required since bytes_map[] is ++ * tightly packed and cannot store the control value of 256. ++ * Byte mask state is used to know if 256 needs to be returned. ++ * Note that for control value of 256, the put() call stores 0 ++ * in the bytes_map[] and disables the corresponding bit in ++ * byte_mask[]. ++ */ + if (enabled) + ucontrol->value.integer.value[0] = bytes_map[mc->reg]; + else +- ucontrol->value.integer.value[0] = 0; ++ ucontrol->value.integer.value[0] = 256; + + return 0; + } +@@ -192,19 +202,19 @@ static int tegra210_adx_put_byte_map(struct snd_kcontrol *kcontrol, + int value = ucontrol->value.integer.value[0]; + struct soc_mixer_control *mc = + (struct soc_mixer_control *)kcontrol->private_value; ++ unsigned int mask_val = adx->byte_mask[mc->reg / 32]; + +- if (value == bytes_map[mc->reg]) ++ if (value >= 0 && value <= 255) ++ mask_val |= (1 << (mc->reg % 32)); ++ else ++ mask_val &= ~(1 << (mc->reg % 32)); ++ ++ if (mask_val == adx->byte_mask[mc->reg / 32]) + return 0; + +- if (value >= 0 && value <= 255) { +- /* update byte map and enable slot */ +- bytes_map[mc->reg] = value; +- adx->byte_mask[mc->reg / 32] |= (1 << (mc->reg % 32)); +- } else { +- /* reset byte map and disable slot */ +- bytes_map[mc->reg] = 0; +- adx->byte_mask[mc->reg / 32] &= ~(1 << (mc->reg % 32)); +- } ++ /* Update byte map and slot */ ++ bytes_map[mc->reg] = value % 256; ++ adx->byte_mask[mc->reg / 32] = mask_val; + + return 1; + } +-- +2.41.0 + diff --git a/queue-6.1/asoc-tegra-fix-amx-byte-map.patch b/queue-6.1/asoc-tegra-fix-amx-byte-map.patch new file mode 100644 index 00000000000..c707318c8b8 --- /dev/null +++ b/queue-6.1/asoc-tegra-fix-amx-byte-map.patch @@ -0,0 +1,125 @@ +From 49bd7b08149417a30aa7d92c8c85b3518de44a76 Mon Sep 17 00:00:00 2001 +From: Sheetal +Date: Thu, 29 Jun 2023 10:42:13 +0530 +Subject: ASoC: tegra: Fix AMX byte map + +From: Sheetal + +commit 49bd7b08149417a30aa7d92c8c85b3518de44a76 upstream. + +Byte mask for channel-1 of stream-1 is not getting enabled and this +causes failures during AMX use cases. This happens because the byte +map value 0 matches the byte map array and put() callback returns +without enabling the corresponding bits in the byte mask. + +AMX supports 4 input streams and each stream can take a maximum of +16 channels. Each byte in the output frame is uniquely mapped to a +byte in one of these 4 inputs. This mapping is done with the help of +byte map array via user space control setting. The byte map array +size in the driver is 16 and each array element is of size 4 bytes. +This corresponds to 64 byte map values. + +Each byte in the byte map array can have any value between 0 to 255 +to enable the corresponding bits in the byte mask. The value 256 is +used as a way to disable the byte map. However the byte map array +element cannot store this value. The put() callback disables the byte +mask for 256 value and byte map value is reset to 0 for this case. +This causes problems during subsequent runs since put() callback, +for value of 0, just returns without enabling the byte mask. In short, +the problem is coming because 0 and 256 control values are stored as +0 in the byte map array. + +Right now fix the put() callback by actually looking at the byte mask +array state to identify if any change is needed and update the fields +accordingly. The get() callback needs an update as well to return the +correct control value that user has set before. Note that when user +sets 256, the value is stored as 0 and byte mask is disabled. So byte +mask state is used to either return 256 or the value from byte map +array. + +Given above, this looks bit complicated and all this happens because +the byte map array is tightly packed and cannot actually store the 256 +value. Right now the priority is to fix the existing failure and a TODO +item is put to improve this logic. + +Fixes: 8db78ace1ba8 ("ASoC: tegra: Fix kcontrol put callback in AMX") +Cc: stable@vger.kernel.org +Signed-off-by: Sheetal +Reviewed-by: Mohan Kumar D +Reviewed-by: Sameer Pujar +Link: https://lore.kernel.org/r/1688015537-31682-2-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/tegra/tegra210_amx.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +--- a/sound/soc/tegra/tegra210_amx.c ++++ b/sound/soc/tegra/tegra210_amx.c +@@ -2,7 +2,7 @@ + // + // tegra210_amx.c - Tegra210 AMX driver + // +-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. ++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. + + #include + #include +@@ -203,10 +203,20 @@ static int tegra210_amx_get_byte_map(str + else + enabled = amx->byte_mask[0] & (1 << reg); + ++ /* ++ * TODO: Simplify this logic to just return from bytes_map[] ++ * ++ * Presently below is required since bytes_map[] is ++ * tightly packed and cannot store the control value of 256. ++ * Byte mask state is used to know if 256 needs to be returned. ++ * Note that for control value of 256, the put() call stores 0 ++ * in the bytes_map[] and disables the corresponding bit in ++ * byte_mask[]. ++ */ + if (enabled) + ucontrol->value.integer.value[0] = bytes_map[reg]; + else +- ucontrol->value.integer.value[0] = 0; ++ ucontrol->value.integer.value[0] = 256; + + return 0; + } +@@ -221,25 +231,19 @@ static int tegra210_amx_put_byte_map(str + unsigned char *bytes_map = (unsigned char *)&amx->map; + int reg = mc->reg; + int value = ucontrol->value.integer.value[0]; ++ unsigned int mask_val = amx->byte_mask[reg / 32]; + +- if (value == bytes_map[reg]) ++ if (value >= 0 && value <= 255) ++ mask_val |= (1 << (reg % 32)); ++ else ++ mask_val &= ~(1 << (reg % 32)); ++ ++ if (mask_val == amx->byte_mask[reg / 32]) + return 0; + +- if (value >= 0 && value <= 255) { +- /* Update byte map and enable slot */ +- bytes_map[reg] = value; +- if (reg > 31) +- amx->byte_mask[1] |= (1 << (reg - 32)); +- else +- amx->byte_mask[0] |= (1 << reg); +- } else { +- /* Reset byte map and disable slot */ +- bytes_map[reg] = 0; +- if (reg > 31) +- amx->byte_mask[1] &= ~(1 << (reg - 32)); +- else +- amx->byte_mask[0] &= ~(1 << reg); +- } ++ /* Update byte map and slot */ ++ bytes_map[reg] = value % 256; ++ amx->byte_mask[reg / 32] = mask_val; + + return 1; + } diff --git a/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch b/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch new file mode 100644 index 00000000000..3ed2af4c02b --- /dev/null +++ b/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch @@ -0,0 +1,96 @@ +From b19c98f237cd76981aaded52c258ce93f7daa8cb Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 23 Jun 2023 01:05:41 -0400 +Subject: btrfs: fix race between balance and cancel/pause + +From: Josef Bacik + +commit b19c98f237cd76981aaded52c258ce93f7daa8cb upstream. + +Syzbot reported a panic that looks like this: + + assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/messages.c:259! + RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 + Call Trace: + + btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] + btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] + btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The reproducer is running a balance and a cancel or pause in parallel. +The way balance finishes is a bit wonky, if we were paused we need to +save the balance_ctl in the fs_info, but clear it otherwise and cleanup. +However we rely on the return values being specific errors, or having a +cancel request or no pause request. If balance completes and returns 0, +but we have a pause or cancel request we won't do the appropriate +cleanup, and then the next time we try to start a balance we'll trip +this ASSERT. + +The error handling is just wrong here, we always want to clean up, +unless we got -ECANCELLED and we set the appropriate pause flag in the +exclusive op. With this patch the reproducer ran for an hour without +tripping, previously it would trip in less than a few minutes. + +Reported-by: syzbot+c0f3acf145cb465426d5@syzkaller.appspotmail.com +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4092,14 +4092,6 @@ static int alloc_profile_is_valid(u64 fl + return has_single_bit_set(flags); + } + +-static inline int balance_need_close(struct btrfs_fs_info *fs_info) +-{ +- /* cancel requested || normal exit path */ +- return atomic_read(&fs_info->balance_cancel_req) || +- (atomic_read(&fs_info->balance_pause_req) == 0 && +- atomic_read(&fs_info->balance_cancel_req) == 0); +-} +- + /* + * Validate target profile against allowed profiles and return true if it's OK. + * Otherwise print the error message and return false. +@@ -4289,6 +4281,7 @@ int btrfs_balance(struct btrfs_fs_info * + u64 num_devices; + unsigned seq; + bool reducing_redundancy; ++ bool paused = false; + int i; + + if (btrfs_fs_closing(fs_info) || +@@ -4419,6 +4412,7 @@ int btrfs_balance(struct btrfs_fs_info * + if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { + btrfs_info(fs_info, "balance: paused"); + btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); ++ paused = true; + } + /* + * Balance can be canceled by: +@@ -4447,8 +4441,8 @@ int btrfs_balance(struct btrfs_fs_info * + btrfs_update_ioctl_balance_args(fs_info, bargs); + } + +- if ((ret && ret != -ECANCELED && ret != -ENOSPC) || +- balance_need_close(fs_info)) { ++ /* We didn't pause, we can clean everything up. */ ++ if (!paused) { + reset_balance_state(fs_info); + btrfs_exclop_finish(fs_info); + } diff --git a/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch new file mode 100644 index 00000000000..e7d032f0c09 --- /dev/null +++ b/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch @@ -0,0 +1,89 @@ +From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 14 Jul 2023 13:42:06 +0100 +Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort + +From: Filipe Manana + +commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. + +If we have a transaction abort with qgroups enabled we get a warning +triggered when doing the final put on the transaction, like this: + + [552.6789] ------------[ cut here ]------------ + [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6817] Modules linked in: btrfs blake2b_generic xor (...) + [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6821] Code: bd a0 01 00 (...) + [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 + [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 + [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 + [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 + [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 + [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 + [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 + [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 + [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [552.6822] Call Trace: + [552.6822] + [552.6822] ? __warn+0x80/0x130 + [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6824] ? report_bug+0x1f4/0x200 + [552.6824] ? handle_bug+0x42/0x70 + [552.6824] ? exc_invalid_op+0x14/0x70 + [552.6824] ? asm_exc_invalid_op+0x16/0x20 + [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] + [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 + [552.6828] ? try_to_wake_up+0x94/0x5e0 + [552.6828] ? __pfx_process_timeout+0x10/0x10 + [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] + [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] + [552.6832] kthread+0xee/0x120 + [552.6832] ? __pfx_kthread+0x10/0x10 + [552.6832] ret_from_fork+0x29/0x50 + [552.6832] + [552.6832] ---[ end trace 0000000000000000 ]--- + +This corresponds to this line of code: + + void btrfs_put_transaction(struct btrfs_transaction *transaction) + { + (...) + WARN_ON(!RB_EMPTY_ROOT( + &transaction->delayed_refs.dirty_extent_root)); + (...) + } + +The warning happens because btrfs_qgroup_destroy_extent_records(), called +in the transaction abort path, we free all entries from the rbtree +"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we +don't actually empty the rbtree - it's still pointing to nodes that were +freed. + +So set the rbtree's root node to NULL to avoid this warning (assign +RB_ROOT). + +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4410,4 +4410,5 @@ void btrfs_qgroup_destroy_extent_records + ulist_free(entry->old_roots); + kfree(entry); + } ++ *root = RB_ROOT; + } diff --git a/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch b/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch new file mode 100644 index 00000000000..73ba6f451c7 --- /dev/null +++ b/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch @@ -0,0 +1,98 @@ +From 17b17fcd6d446b95904a6929c40012ee7f0afc0c Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 12 Jul 2023 12:44:12 -0400 +Subject: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand + +From: Josef Bacik + +commit 17b17fcd6d446b95904a6929c40012ee7f0afc0c upstream. + +While trying to get the subpage blocksize tests running, I hit the +following panic on generic/476 + + assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 + kernel BUG at fs/btrfs/subpage.c:229! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 + Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 + pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) + pc : btrfs_subpage_assert+0xbc/0xf0 + lr : btrfs_subpage_assert+0xbc/0xf0 + Call trace: + btrfs_subpage_assert+0xbc/0xf0 + btrfs_subpage_clear_checked+0x38/0xc0 + btrfs_page_clear_checked+0x48/0x98 + btrfs_truncate_block+0x5d0/0x6a8 + btrfs_cont_expand+0x5c/0x528 + btrfs_write_check.isra.0+0xf8/0x150 + btrfs_buffered_write+0xb4/0x760 + btrfs_do_write_iter+0x2f8/0x4b0 + btrfs_file_write_iter+0x1c/0x30 + do_iter_readv_writev+0xc8/0x158 + do_iter_write+0x9c/0x210 + vfs_iter_write+0x24/0x40 + iter_file_splice_write+0x224/0x390 + direct_splice_actor+0x38/0x68 + splice_direct_to_actor+0x12c/0x260 + do_splice_direct+0x90/0xe8 + generic_copy_file_range+0x50/0x90 + vfs_copy_file_range+0x29c/0x470 + __arm64_sys_copy_file_range+0xcc/0x498 + invoke_syscall.constprop.0+0x80/0xd8 + do_el0_svc+0x6c/0x168 + el0_svc+0x50/0x1b0 + el0t_64_sync_handler+0x114/0x120 + el0t_64_sync+0x194/0x198 + +This happens because during btrfs_cont_expand we'll get a page, set it +as mapped, and if it's not Uptodate we'll read it. However between the +read and re-locking the page we could have called release_folio() on the +page, but left the page in the file mapping. release_folio() can clear +the page private, and thus further down we blow up when we go to modify +the subpage bits. + +Fix this by putting the set_page_extent_mapped() after the read. This +is safe because read_folio() will call set_page_extent_mapped() before +it does the read, and then if we clear page private but leave it on the +mapping we're completely safe re-setting set_page_extent_mapped(). With +this patch I can now run generic/476 without panicing. + +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Christoph Hellwig +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4913,9 +4913,6 @@ again: + ret = -ENOMEM; + goto out; + } +- ret = set_page_extent_mapped(page); +- if (ret < 0) +- goto out_unlock; + + if (!PageUptodate(page)) { + ret = btrfs_read_folio(NULL, page_folio(page)); +@@ -4930,6 +4927,17 @@ again: + goto out_unlock; + } + } ++ ++ /* ++ * We unlock the page after the io is completed and then re-lock it ++ * above. release_folio() could have come in between that and cleared ++ * PagePrivate(), but left the page in the mapping. Set the page mapped ++ * here to make sure it's properly set for the subpage stuff. ++ */ ++ ret = set_page_extent_mapped(page); ++ if (ret < 0) ++ goto out_unlock; ++ + wait_on_page_writeback(page); + + lock_extent(io_tree, block_start, block_end, &cached_state); diff --git a/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch new file mode 100644 index 00000000000..e720c66d9df --- /dev/null +++ b/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch @@ -0,0 +1,38 @@ +From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 3 Jul 2023 12:03:21 +0100 +Subject: btrfs: zoned: fix memory leak after finding block group with super blocks + +From: Filipe Manana + +commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream. + +At exclude_super_stripes(), if we happen to find a block group that has +super blocks mapped to it and we are on a zoned filesystem, we error out +as this is not supposed to happen, indicating either a bug or maybe some +memory corruption for example. However we are exiting the function without +freeing the memory allocated for the logical address of the super blocks. +Fix this by freeing the logical address. + +Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1894,6 +1894,7 @@ static int exclude_super_stripes(struct + + /* Shouldn't have super stripes in sequential zones */ + if (zoned && nr) { ++ kfree(logical); + btrfs_err(fs_info, + "zoned: block group %llu must not contain super block", + cache->start); diff --git a/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch b/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch new file mode 100644 index 00000000000..5aad27d3ae2 --- /dev/null +++ b/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch @@ -0,0 +1,92 @@ +From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 15 Jul 2023 17:25:43 +0800 +Subject: can: bcm: Fix UAF in bcm_proc_show() + +From: YueHaibing + +commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. + +BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 +Read of size 8 at addr ffff888155846230 by task cat/7862 + +CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xd5/0x150 + print_report+0xc1/0x5e0 + kasan_report+0xba/0xf0 + bcm_proc_show+0x969/0xa80 + seq_read_iter+0x4f6/0x1260 + seq_read+0x165/0x210 + proc_reg_read+0x227/0x300 + vfs_read+0x1d5/0x8d0 + ksys_read+0x11e/0x240 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Allocated by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x9e/0xa0 + bcm_sendmsg+0x264b/0x44e0 + sock_sendmsg+0xda/0x180 + ____sys_sendmsg+0x735/0x920 + ___sys_sendmsg+0x11d/0x1b0 + __sys_sendmsg+0xfa/0x1d0 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x27/0x40 + ____kasan_slab_free+0x161/0x1c0 + slab_free_freelist_hook+0x119/0x220 + __kmem_cache_free+0xb4/0x2e0 + rcu_core+0x809/0x1bd0 + +bcm_op is freed before procfs entry be removed in bcm_release(), +this lead to bcm_proc_show() may read the freed bcm_op. + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Signed-off-by: YueHaibing +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1526,6 +1526,12 @@ static int bcm_release(struct socket *so + + lock_sock(sk); + ++#if IS_ENABLED(CONFIG_PROC_FS) ++ /* remove procfs entry */ ++ if (net->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, net->can.bcmproc_dir); ++#endif /* CONFIG_PROC_FS */ ++ + list_for_each_entry_safe(op, next, &bo->tx_ops, list) + bcm_remove_op(op); + +@@ -1561,12 +1567,6 @@ static int bcm_release(struct socket *so + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + +-#if IS_ENABLED(CONFIG_PROC_FS) +- /* remove procfs entry */ +- if (net->can.bcmproc_dir && bo->bcm_proc_read) +- remove_proc_entry(bo->procname, net->can.bcmproc_dir); +-#endif /* CONFIG_PROC_FS */ +- + /* remove device reference */ + if (bo->bound) { + bo->bound = 0; diff --git a/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch b/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch new file mode 100644 index 00000000000..81c130c4563 --- /dev/null +++ b/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch @@ -0,0 +1,117 @@ +From 2603be9e8167ddc7bea95dcfab9ffc33414215aa Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 7 Jul 2023 13:43:10 +0200 +Subject: can: gs_usb: gs_can_open(): improve error handling + +From: Marc Kleine-Budde + +commit 2603be9e8167ddc7bea95dcfab9ffc33414215aa upstream. + +The gs_usb driver handles USB devices with more than 1 CAN channel. +The RX path for all channels share the same bulk endpoint (the +transmitted bulk data encodes the channel number). These per-device +resources are allocated and submitted by the first opened channel. + +During this allocation, the resources are either released immediately +in case of a failure or the URBs are anchored. All anchored URBs are +finally killed with gs_usb_disconnect(). + +Currently, gs_can_open() returns with an error if the allocation of a +URB or a buffer fails. However, if usb_submit_urb() fails, the driver +continues with the URBs submitted so far, even if no URBs were +successfully submitted. + +Treat every error as fatal and free all allocated resources +immediately. + +Switch to goto-style error handling, to prepare the driver for more +per-device resource allocation. + +Cc: stable@vger.kernel.org +Cc: John Whittington +Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-1-9017cefcd9d5@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -833,6 +833,7 @@ static int gs_can_open(struct net_device + .mode = cpu_to_le32(GS_CAN_MODE_START), + }; + struct gs_host_frame *hf; ++ struct urb *urb = NULL; + u32 ctrlmode; + u32 flags = 0; + int rc, i; +@@ -858,13 +859,14 @@ static int gs_can_open(struct net_device + + if (!parent->active_channels) { + for (i = 0; i < GS_MAX_RX_URBS; i++) { +- struct urb *urb; + u8 *buf; + + /* alloc rx urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!urb) +- return -ENOMEM; ++ if (!urb) { ++ rc = -ENOMEM; ++ goto out_usb_kill_anchored_urbs; ++ } + + /* alloc rx buffer */ + buf = kmalloc(dev->parent->hf_size_rx, +@@ -872,8 +874,8 @@ static int gs_can_open(struct net_device + if (!buf) { + netdev_err(netdev, + "No memory left for USB buffer\n"); +- usb_free_urb(urb); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out_usb_free_urb; + } + + /* fill, anchor, and submit rx urb */ +@@ -896,9 +898,7 @@ static int gs_can_open(struct net_device + netdev_err(netdev, + "usb_submit failed (err=%d)\n", rc); + +- usb_unanchor_urb(urb); +- usb_free_urb(urb); +- break; ++ goto out_usb_unanchor_urb; + } + + /* Drop reference, +@@ -944,7 +944,8 @@ static int gs_can_open(struct net_device + if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + gs_usb_timestamp_stop(dev); + dev->can.state = CAN_STATE_STOPPED; +- return rc; ++ ++ goto out_usb_kill_anchored_urbs; + } + + parent->active_channels++; +@@ -952,6 +953,18 @@ static int gs_can_open(struct net_device + netif_start_queue(netdev); + + return 0; ++ ++out_usb_unanchor_urb: ++ usb_unanchor_urb(urb); ++out_usb_free_urb: ++ usb_free_urb(urb); ++out_usb_kill_anchored_urbs: ++ if (!parent->active_channels) ++ usb_kill_anchored_urbs(&dev->tx_submitted); ++ ++ close_candev(netdev); ++ ++ return rc; + } + + static int gs_can_close(struct net_device *netdev) diff --git a/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch b/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch new file mode 100644 index 00000000000..e554d4718c6 --- /dev/null +++ b/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch @@ -0,0 +1,87 @@ +From 9efa1a5407e81265ea502cab83be4de503decc49 Mon Sep 17 00:00:00 2001 +From: Fedor Ross +Date: Thu, 4 May 2023 21:50:59 +0200 +Subject: can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout + +From: Fedor Ross + +commit 9efa1a5407e81265ea502cab83be4de503decc49 upstream. + +The mcp251xfd controller needs an idle bus to enter 'Normal CAN 2.0 +mode' or . The maximum length of a CAN frame is 736 bits (64 data +bytes, CAN-FD, EFF mode, worst case bit stuffing and interframe +spacing). For low bit rates like 10 kbit/s the arbitrarily chosen +MCP251XFD_POLL_TIMEOUT_US of 1 ms is too small. + +Otherwise during polling for the CAN controller to enter 'Normal CAN +2.0 mode' the timeout limit is exceeded and the configuration fails +with: + +| $ ip link set dev can1 up type can bitrate 10000 +| [ 731.911072] mcp251xfd spi2.1 can1: Controller failed to enter mode CAN 2.0 Mode (6) and stays in Configuration Mode (4) (con=0x068b0760, osc=0x00000468). +| [ 731.927192] mcp251xfd spi2.1 can1: CRC read error at address 0x0e0c (length=4, data=00 00 00 00, CRC=0x0000) retrying. +| [ 731.938101] A link change request failed with some changes committed already. Interface can1 may have been left with an inconsistent configuration, please check. +| RTNETLINK answers: Connection timed out + +Make MCP251XFD_POLL_TIMEOUT_US timeout calculation dynamic. Use +maximum of 1ms and bit time of 1 full 64 data bytes CAN-FD frame in +EFF mode, worst case bit stuffing and interframe spacing at the +current bit rate. + +For easier backporting define the macro MCP251XFD_FRAME_LEN_MAX_BITS +that holds the max frame length in bits, which is 736. This can be +replaced by can_frame_bits(true, true, true, true, CANFD_MAX_DLEN) in +a cleanup patch later. + +Fixes: 55e5b97f003e8 ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Signed-off-by: Fedor Ross +Signed-off-by: Marek Vasut +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230717-mcp251xfd-fix-increase-poll-timeout-v5-1-06600f34c684@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 10 ++++++++-- + drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -227,6 +227,8 @@ static int + __mcp251xfd_chip_set_mode(const struct mcp251xfd_priv *priv, + const u8 mode_req, bool nowait) + { ++ const struct can_bittiming *bt = &priv->can.bittiming; ++ unsigned long timeout_us = MCP251XFD_POLL_TIMEOUT_US; + u32 con = 0, con_reqop, osc = 0; + u8 mode; + int err; +@@ -246,12 +248,16 @@ __mcp251xfd_chip_set_mode(const struct m + if (mode_req == MCP251XFD_REG_CON_MODE_SLEEP || nowait) + return 0; + ++ if (bt->bitrate) ++ timeout_us = max_t(unsigned long, timeout_us, ++ MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC / ++ bt->bitrate); ++ + err = regmap_read_poll_timeout(priv->map_reg, MCP251XFD_REG_CON, con, + !mcp251xfd_reg_invalid(con) && + FIELD_GET(MCP251XFD_REG_CON_OPMOD_MASK, + con) == mode_req, +- MCP251XFD_POLL_SLEEP_US, +- MCP251XFD_POLL_TIMEOUT_US); ++ MCP251XFD_POLL_SLEEP_US, timeout_us); + if (err != -ETIMEDOUT && err != -EBADMSG) + return err; + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +@@ -387,6 +387,7 @@ static_assert(MCP251XFD_TIMESTAMP_WORK_D + #define MCP251XFD_OSC_STAB_TIMEOUT_US (10 * MCP251XFD_OSC_STAB_SLEEP_US) + #define MCP251XFD_POLL_SLEEP_US (10) + #define MCP251XFD_POLL_TIMEOUT_US (USEC_PER_MSEC) ++#define MCP251XFD_FRAME_LEN_MAX_BITS (736) + + /* Misc */ + #define MCP251XFD_NAPI_WEIGHT 32 diff --git a/queue-6.1/can-raw-fix-receiver-memory-leak.patch b/queue-6.1/can-raw-fix-receiver-memory-leak.patch new file mode 100644 index 00000000000..26a08c5711e --- /dev/null +++ b/queue-6.1/can-raw-fix-receiver-memory-leak.patch @@ -0,0 +1,233 @@ +From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Tue, 11 Jul 2023 09:17:37 +0800 +Subject: can: raw: fix receiver memory leak + +From: Ziyang Xuan + +commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. + +Got kmemleak errors with the following ltp can_filter testcase: + +for ((i=1; i<=100; i++)) +do + ./can_filter & + sleep 0.1 +done + +============================================================== +[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] +[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] +[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 +[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 +[<00000000fd468496>] do_syscall_64+0x33/0x40 +[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +It's a bug in the concurrent scenario of unregister_netdevice_many() +and raw_release() as following: + + cpu0 cpu1 +unregister_netdevice_many(can_dev) + unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this + net_set_todo(can_dev) + raw_release(can_socket) + dev = dev_get_by_index(, ro->ifindex); // dev == NULL + if (dev) { // receivers in dev_rcv_lists not free because dev is NULL + raw_disable_allfilters(, dev, ); + dev_put(dev); + } + ... + ro->bound = 0; + ... + +call_netdevice_notifiers(NETDEV_UNREGISTER, ) + raw_notify(, NETDEV_UNREGISTER, ) + if (ro->bound) // invalid because ro->bound has been set 0 + raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed + +Add a net_device pointer member in struct raw_sock to record bound +can_dev, and use rtnl_lock to serialize raw_socket members between +raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use +ro->dev to decide whether to free receivers in dev_rcv_lists. + +Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- + 1 file changed, 24 insertions(+), 33 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -84,6 +84,7 @@ struct raw_sock { + struct sock sk; + int bound; + int ifindex; ++ struct net_device *dev; + struct list_head notifier; + int loopback; + int recv_own_msgs; +@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * + if (!net_eq(dev_net(dev), sock_net(sk))) + return; + +- if (ro->ifindex != dev->ifindex) ++ if (ro->dev != dev) + return; + + switch (msg) { +@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + release_sock(sk); + +@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) + + ro->bound = 0; + ro->ifindex = 0; ++ ro->dev = NULL; + + /* set default filter to single entry dfilter */ + ro->dfilter.can_id = 0; +@@ -385,19 +388,13 @@ static int raw_release(struct socket *so + + lock_sock(sk); + ++ rtnl_lock(); + /* remove current filters & unregister */ + if (ro->bound) { +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + + if (ro->count > 1) +@@ -405,8 +402,10 @@ static int raw_release(struct socket *so + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + free_percpu(ro->uniq); ++ rtnl_unlock(); + + sock_orphan(sk); + sock->sk = NULL; +@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, + struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; + struct sock *sk = sock->sk; + struct raw_sock *ro = raw_sk(sk); ++ struct net_device *dev = NULL; + int ifindex; + int err = 0; + int notify_enetdown = 0; +@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, + if (addr->can_family != AF_CAN) + return -EINVAL; + ++ rtnl_lock(); + lock_sock(sk); + + if (ro->bound && addr->can_ifindex == ro->ifindex) + goto out; + + if (addr->can_ifindex) { +- struct net_device *dev; +- + dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); + if (!dev) { + err = -ENODEV; +@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, + if (!err) { + if (ro->bound) { + /* unregister old filters */ +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), +- ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), +- dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ++ ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + ro->ifindex = ifindex; + ro->bound = 1; ++ ro->dev = dev; + } + + out: + release_sock(sk); ++ rtnl_unlock(); + + if (notify_enetdown) { + sk->sk_err = ENETDOWN; +@@ -552,9 +545,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) { ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + if (count > 1) + kfree(filter); + err = -ENODEV; +@@ -595,7 +588,6 @@ static int raw_setsockopt(struct socket + ro->count = count; + + out_fil: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + +@@ -613,9 +605,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) { ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + err = -ENODEV; + goto out_err; + } +@@ -639,7 +631,6 @@ static int raw_setsockopt(struct socket + ro->err_mask = err_mask; + + out_err: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + diff --git a/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch b/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch new file mode 100644 index 00000000000..2fa44ff85d9 --- /dev/null +++ b/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch @@ -0,0 +1,71 @@ +From 05abb3be91d8788328231ee02973ab3d47f5e3d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 13 Jul 2023 22:47:45 +0300 +Subject: dma-buf/dma-resv: Stop leaking on krealloc() failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 05abb3be91d8788328231ee02973ab3d47f5e3d2 upstream. + +Currently dma_resv_get_fences() will leak the previously +allocated array if the fence iteration got restarted and +the krealloc_array() fails. + +Free the old array by hand, and make sure we still clear +the returned *fences so the caller won't end up accessing +freed memory. Some (but not all) of the callers of +dma_resv_get_fences() seem to still trawl through the +array even when dma_resv_get_fences() failed. And let's +zero out *num_fences as well for good measure. + +Cc: Sumit Semwal +Cc: Christian König +Cc: linux-media@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: linaro-mm-sig@lists.linaro.org +Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3") +Signed-off-by: Ville Syrjälä +Reviewed-by: Christian König +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-resv.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -566,6 +566,7 @@ int dma_resv_get_fences(struct dma_resv + dma_resv_for_each_fence_unlocked(&cursor, fence) { + + if (dma_resv_iter_is_restarted(&cursor)) { ++ struct dma_fence **new_fences; + unsigned int count; + + while (*num_fences) +@@ -574,13 +575,17 @@ int dma_resv_get_fences(struct dma_resv + count = cursor.num_fences + 1; + + /* Eventually re-allocate the array */ +- *fences = krealloc_array(*fences, count, +- sizeof(void *), +- GFP_KERNEL); +- if (count && !*fences) { ++ new_fences = krealloc_array(*fences, count, ++ sizeof(void *), ++ GFP_KERNEL); ++ if (count && !new_fences) { ++ kfree(*fences); ++ *fences = NULL; ++ *num_fences = 0; + dma_resv_iter_end(&cursor); + return -ENOMEM; + } ++ *fences = new_fences; + } + + (*fences)[(*num_fences)++] = dma_fence_get(fence); diff --git a/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch b/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch new file mode 100644 index 00000000000..b1ab441d828 --- /dev/null +++ b/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch @@ -0,0 +1,38 @@ +From 5a25cefc0920088bb9afafeb80ad3dcd84fe278b Mon Sep 17 00:00:00 2001 +From: Taimur Hassan +Date: Tue, 20 Jun 2023 17:00:28 -0400 +Subject: drm/amd/display: check TG is non-null before checking if enabled + +From: Taimur Hassan + +commit 5a25cefc0920088bb9afafeb80ad3dcd84fe278b upstream. + +[Why & How] +If there is no TG allocation we can dereference a NULL pointer when +checking if the TG is enabled. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Nicholas Kazlauskas +Acked-by: Alan Liu +Signed-off-by: Taimur Hassan +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -3293,7 +3293,8 @@ void dcn10_wait_for_mpcc_disconnect( + if (pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst]) { + struct hubp *hubp = get_hubp_by_inst(res_pool, mpcc_inst); + +- if (pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) ++ if (pipe_ctx->stream_res.tg && ++ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) + res_pool->mpc->funcs->wait_for_idle(res_pool->mpc, mpcc_inst); + pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst] = false; + hubp->funcs->set_blank(hubp, true); diff --git a/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch new file mode 100644 index 00000000000..6b589736210 --- /dev/null +++ b/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch @@ -0,0 +1,42 @@ +From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001 +From: Zhikai Zhai +Date: Fri, 30 Jun 2023 11:35:14 +0800 +Subject: drm/amd/display: Disable MPC split by default on special asic + +From: Zhikai Zhai + +commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream. + +[WHY] +All of pipes will be used when the MPC split enable on the dcn +which just has 2 pipes. Then MPO enter will trigger the minimal +transition which need programe dcn from 2 pipes MPC split to 2 +pipes MPO. This action will cause lag if happen frequently. + +[HOW] +Disable the MPC split for the platform which dcn resource is limited + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Alvin Lee +Acked-by: Alan Liu +Signed-off-by: Zhikai Zhai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c +@@ -65,7 +65,7 @@ static const struct dc_debug_options deb + .timing_trace = false, + .clock_trace = true, + .disable_pplib_clock_request = true, +- .pipe_split_policy = MPC_SPLIT_DYNAMIC, ++ .pipe_split_policy = MPC_SPLIT_AVOID, + .force_single_disp_pipe_split = false, + .disable_dcc = DCC_ENABLE, + .vsr_support = true, diff --git a/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch new file mode 100644 index 00000000000..587a6956896 --- /dev/null +++ b/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch @@ -0,0 +1,42 @@ +From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 29 Jun 2023 10:35:59 -0400 +Subject: drm/amd/display: Keep PHY active for DP displays on DCN31 + +From: Nicholas Kazlauskas + +commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream. + +[Why & How] +Port of a change that went into DCN314 to keep the PHY enabled +when we have a connected and active DP display. + +The PHY can hang if PHY refclk is disabled inadvertently. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Josip Pavic +Acked-by: Alan Liu +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c +@@ -86,6 +86,11 @@ static int dcn31_get_active_display_cnt_ + stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK || + stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK) + tmds_present = true; ++ ++ /* Checking stream / link detection ensuring that PHY is active*/ ++ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off) ++ display_count++; ++ + } + + for (i = 0; i < dc->link_count; i++) { diff --git a/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch b/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch new file mode 100644 index 00000000000..b66e30d5918 --- /dev/null +++ b/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch @@ -0,0 +1,82 @@ +From 1ca67aba8d11c2849d395013e1fdce02918d5657 Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Wed, 21 Jun 2023 17:24:59 -0300 +Subject: drm/amd/display: only accept async flips for fast updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 1ca67aba8d11c2849d395013e1fdce02918d5657 upstream. + +Up until now, amdgpu was silently degrading to vsync when +user-space requested an async flip but the hardware didn't support +it. + +The hardware doesn't support immediate flips when the update changes +the FB pitch, the DCC state, the rotation, enables or disables CRTCs +or planes, etc. This is reflected in the dm_crtc_state.update_type +field: UPDATE_TYPE_FAST means that immediate flip is supported. + +Silently degrading async flips to vsync is not the expected behavior +from a uAPI point-of-view. Xorg expects async flips to fail if +unsupported, to be able to fall back to a blit. i915 already behaves +this way. + +This patch aligns amdgpu with uAPI expectations and returns a failure +when an async flip is not possible. + +Signed-off-by: Simon Ser +Reviewed-by: André Almeida +Reviewed-by: Alex Deucher +Reviewed-by: Harry Wentland +Signed-off-by: André Almeida +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 12 ++++++++++++ + 2 files changed, 20 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7757,7 +7757,15 @@ static void amdgpu_dm_commit_planes(stru + * Only allow immediate flips for fast updates that don't + * change memory domain, FB pitch, DCC state, rotation or + * mirroring. ++ * ++ * dm_crtc_helper_atomic_check() only accepts async flips with ++ * fast updates. + */ ++ if (crtc->state->async_flip && ++ acrtc_state->update_type != UPDATE_TYPE_FAST) ++ drm_warn_once(state->dev, ++ "[PLANE:%d:%s] async flip with non-fast update\n", ++ plane->base.id, plane->name); + bundle->flip_addrs[planes_count].flip_immediate = + crtc->state->async_flip && + acrtc_state->update_type == UPDATE_TYPE_FAST && +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -406,6 +406,18 @@ static int dm_crtc_helper_atomic_check(s + return -EINVAL; + } + ++ /* ++ * Only allow async flips for fast updates that don't change the FB ++ * pitch, the DCC state, rotation, etc. ++ */ ++ if (crtc_state->async_flip && ++ dm_crtc_state->update_type != UPDATE_TYPE_FAST) { ++ drm_dbg_atomic(crtc->dev, ++ "[CRTC:%d:%s] async flips are only supported for fast updates\n", ++ crtc->base.id, crtc->name); ++ return -EINVAL; ++ } ++ + /* In some use cases, like reset, no stream is attached */ + if (!dm_crtc_state->stream) + return 0; diff --git a/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch b/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch new file mode 100644 index 00000000000..b8fd75b4f0b --- /dev/null +++ b/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch @@ -0,0 +1,45 @@ +From a4eb11824170d742531998f4ebd1c6a18b63db47 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:15:38 -0400 +Subject: drm/amdgpu/pm: make gfxclock consistent for sienna cichlid + +From: Alex Deucher + +commit a4eb11824170d742531998f4ebd1c6a18b63db47 upstream. + +Use average gfxclock for consistency with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +index f6599c00a6fd..0cda3b276f61 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -1927,12 +1927,16 @@ static int sienna_cichlid_read_sensor(struct smu_context *smu, + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_UCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_CURR_UCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_SCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_GFXCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_AVERAGE_GFXCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; +-- +2.41.0 + diff --git a/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch b/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch new file mode 100644 index 00000000000..27426d1dce5 --- /dev/null +++ b/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch @@ -0,0 +1,30 @@ +From 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:36:17 -0400 +Subject: drm/amdgpu/pm: make mclk consistent for smu 13.0.7 + +From: Alex Deucher + +commit 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 upstream. + +Use current uclk to be consistent with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -940,7 +940,7 @@ static int smu_v13_0_7_read_sensor(struc + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: + ret = smu_v13_0_7_get_smu_metrics_data(smu, +- METRICS_AVERAGE_UCLK, ++ METRICS_CURR_UCLK, + (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; diff --git a/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch b/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch new file mode 100644 index 00000000000..d26cdf175ba --- /dev/null +++ b/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch @@ -0,0 +1,101 @@ +From b42ae87a7b3878afaf4c3852ca66c025a5b996e0 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Thu, 6 Jul 2023 15:57:21 +0800 +Subject: drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +commit b42ae87a7b3878afaf4c3852ca66c025a5b996e0 upstream. + +In below thousands of screen rotation loop tests with virtual display +enabled, a CPU hard lockup issue may happen, leading system to unresponsive +and crash. + +do { + xrandr --output Virtual --rotate inverted + xrandr --output Virtual --rotate right + xrandr --output Virtual --rotate left + xrandr --output Virtual --rotate normal +} while (1); + +NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 + +? hrtimer_run_softirq+0x140/0x140 +? store_vblank+0xe0/0xe0 [drm] +hrtimer_cancel+0x15/0x30 +amdgpu_vkms_disable_vblank+0x15/0x30 [amdgpu] +drm_vblank_disable_and_save+0x185/0x1f0 [drm] +drm_crtc_vblank_off+0x159/0x4c0 [drm] +? record_print_text.cold+0x11/0x11 +? wait_for_completion_timeout+0x232/0x280 +? drm_crtc_wait_one_vblank+0x40/0x40 [drm] +? bit_wait_io_timeout+0xe0/0xe0 +? wait_for_completion_interruptible+0x1d7/0x320 +? mutex_unlock+0x81/0xd0 +amdgpu_vkms_crtc_atomic_disable + +It's caused by a stuck in lock dependency in such scenario on different +CPUs. + +CPU1 CPU2 +drm_crtc_vblank_off hrtimer_interrupt + grab event_lock (irq disabled) __hrtimer_run_queues + grab vbl_lock/vblank_time_block amdgpu_vkms_vblank_simulate + amdgpu_vkms_disable_vblank drm_handle_vblank + hrtimer_cancel grab dev->event_lock + +So CPU1 stucks in hrtimer_cancel as timer callback is running endless on +current clock base, as that timer queue on CPU2 has no chance to finish it +because of failing to hold the lock. So NMI watchdog will throw the errors +after its threshold, and all later CPUs are impacted/blocked. + +So use hrtimer_try_to_cancel to fix this, as disable_vblank callback +does not need to wait the handler to finish. And also it's not necessary +to check the return value of hrtimer_try_to_cancel, because even if it's +-1 which means current timer callback is running, it will be reprogrammed +in hrtimer_start with calling enable_vblank to make it works. + +v2: only re-arm timer when vblank is enabled (Christian) and add a Fixes +tag as well + +v3: drop warn printing (Christian) + +v4: drop superfluous check of blank->enabled in timer function, as it's +guaranteed in drm_handle_vblank (Christian) + +Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)") +Cc: stable@vger.kernel.org +Suggested-by: Christian König +Signed-off-by: Guchun Chen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c +@@ -55,8 +55,9 @@ static enum hrtimer_restart amdgpu_vkms_ + DRM_WARN("%s: vblank timer overrun\n", __func__); + + ret = drm_crtc_handle_vblank(crtc); ++ /* Don't queue timer again when vblank is disabled. */ + if (!ret) +- DRM_ERROR("amdgpu_vkms failure on handling vblank"); ++ return HRTIMER_NORESTART; + + return HRTIMER_RESTART; + } +@@ -81,7 +82,7 @@ static void amdgpu_vkms_disable_vblank(s + { + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); + +- hrtimer_cancel(&amdgpu_crtc->vblank_timer); ++ hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer); + } + + static bool amdgpu_vkms_get_vblank_timestamp(struct drm_crtc *crtc, diff --git a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..d3db537579d --- /dev/null +++ b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch @@ -0,0 +1,46 @@ +From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:44 +0200 +Subject: drm/client: Fix memory leak in drm_client_modeset_probe + +From: Jocelyn Falempe + +commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream. + +When a new mode is set to modeset->mode, the previous mode should be freed. +This fixes the following kmemleak report: + +drm_mode_duplicate+0x45/0x220 [drm] +drm_client_modeset_probe+0x944/0xf50 [drm] +__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] +drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] +drm_client_register+0x169/0x240 [drm] +ast_pci_probe+0x142/0x190 [ast] +local_pci_probe+0xdc/0x180 +work_for_cpu_fn+0x4e/0xa0 +process_one_work+0x8b7/0x1540 +worker_thread+0x70a/0xed0 +kthread+0x29f/0x340 +ret_from_fork+0x1f/0x30 + +cc: +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -871,6 +871,7 @@ int drm_client_modeset_probe(struct drm_ + break; + } + ++ kfree(modeset->mode); + modeset->mode = drm_mode_duplicate(dev, mode); + drm_connector_get(connector); + modeset->connectors[modeset->num_connectors++] = connector; diff --git a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch new file mode 100644 index 00000000000..5e8d014937f --- /dev/null +++ b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch @@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -315,6 +315,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -330,11 +333,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch b/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch new file mode 100644 index 00000000000..a4291d7d271 --- /dev/null +++ b/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch @@ -0,0 +1,45 @@ +From 3066ff93476c35679cb07a97cce37d9bb07632ff Mon Sep 17 00:00:00 2001 +From: Bernd Schubert +Date: Fri, 15 Apr 2022 13:53:56 +0200 +Subject: fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT + +From: Bernd Schubert + +commit 3066ff93476c35679cb07a97cce37d9bb07632ff upstream. + +This is just a safety precaution to avoid checking flags on memory that was +initialized on the user space side. libfuse zeroes struct fuse_init_out +outarg, but this is not guranteed to be done in all implementations. +Better is to act on flags and to only apply flags2 when FUSE_INIT_EXT is +set. + +There is a risk with this change, though - it might break existing user +space libraries, which are already using flags2 without setting +FUSE_INIT_EXT. + +The corresponding libfuse patch is here +https://github.com/libfuse/libfuse/pull/662 + +Signed-off-by: Bernd Schubert +Fixes: 53db28933e95 ("fuse: extend init flags") +Cc: # v5.17 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -1127,7 +1127,10 @@ static void process_init_reply(struct fu + process_init_limits(fc, arg); + + if (arg->minor >= 6) { +- u64 flags = arg->flags | (u64) arg->flags2 << 32; ++ u64 flags = arg->flags; ++ ++ if (flags & FUSE_INIT_EXT) ++ flags |= (u64) arg->flags2 << 32; + + ra_pages = arg->max_readahead / PAGE_SIZE; + if (flags & FUSE_ASYNC_READ) diff --git a/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch b/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch new file mode 100644 index 00000000000..ffa3f307976 --- /dev/null +++ b/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch @@ -0,0 +1,88 @@ +From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:21 +0200 +Subject: fuse: ioctl: translate ENOSYS in outarg + +From: Miklos Szeredi + +commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. + +Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace +responds with ENOSYS it should be translated to ENOTTY. + +There are two ways to return an error from the IOCTL request: + + - fuse_out_header.error + - fuse_ioctl_out.result + +Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this +issue for the first case, but missed the second case. This patch fixes the +second case. + +Reported-by: Jonathan Katz +Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ +Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,14 +9,23 @@ + #include + #include + +-static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, ++ struct fuse_ioctl_out *outarg) + { +- ssize_t ret = fuse_simple_request(fm, args); ++ ssize_t ret; ++ ++ args->out_args[0].size = sizeof(*outarg); ++ args->out_args[0].value = outarg; ++ ++ ret = fuse_simple_request(fm, args); + + /* Translate ENOSYS, which shouldn't be returned from fs */ + if (ret == -ENOSYS) + ret = -ENOTTY; + ++ if (ret >= 0 && outarg->result == -ENOSYS) ++ outarg->result = -ENOTTY; ++ + return ret; + } + +@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un + } + + ap.args.out_numargs = 2; +- ap.args.out_args[0].size = sizeof(outarg); +- ap.args.out_args[0].value = &outarg; + ap.args.out_args[1].size = out_size; + ap.args.out_pages = true; + ap.args.out_argvar = true; + +- transferred = fuse_send_ioctl(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); + err = transferred; + if (transferred < 0) + goto out; +@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode + args.in_args[1].size = inarg.in_size; + args.in_args[1].value = ptr; + args.out_numargs = 2; +- args.out_args[0].size = sizeof(outarg); +- args.out_args[0].value = &outarg; + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_send_ioctl(fm, &args); ++ err = fuse_send_ioctl(fm, &args, &outarg); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch new file mode 100644 index 00000000000..46e5be8f3be --- /dev/null +++ b/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch @@ -0,0 +1,34 @@ +From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:20 +0200 +Subject: fuse: revalidate: don't invalidate if interrupted + +From: Miklos Szeredi + +commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. + +If the LOOKUP request triggered from fuse_dentry_revalidate() is +interrupted, then the dentry will be invalidated, possibly resulting in +submounts being unmounted. + +Reported-by: Xu Rongbo +Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ +Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -258,7 +258,7 @@ static int fuse_dentry_revalidate(struct + spin_unlock(&fi->lock); + } + kfree(forget); +- if (ret == -ENOMEM) ++ if (ret == -ENOMEM || ret == -EINTR) + goto out; + if (ret || fuse_invalid_attr(&outarg.attr) || + fuse_stale_inode(inode, outarg.generation, &outarg.attr)) diff --git a/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch new file mode 100644 index 00000000000..75ed3459f73 --- /dev/null +++ b/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch @@ -0,0 +1,177 @@ +From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Thu, 23 Mar 2023 14:04:12 +0100 +Subject: keys: Fix linking a duplicate key to a keyring's assoc_array + +From: Petr Pavlu + +commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. + +When making a DNS query inside the kernel using dns_query(), the request +code can in rare cases end up creating a duplicate index key in the +assoc_array of the destination keyring. It is eventually found by +a BUG_ON() check in the assoc_array implementation and results in +a crash. + +Example report: +[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! +[2158499.700039] invalid opcode: 0000 [#1] SMP PTI +[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 +[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] +[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 +[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f +[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 +[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 +[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 +[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 +[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 +[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 +[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 +[2158499.700702] Call Trace: +[2158499.700741] ? key_alloc+0x447/0x4b0 +[2158499.700768] ? __key_link_begin+0x43/0xa0 +[2158499.700790] __key_link_begin+0x43/0xa0 +[2158499.700814] request_key_and_link+0x2c7/0x730 +[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] +[2158499.700873] ? key_default_cmp+0x20/0x20 +[2158499.700898] request_key_tag+0x43/0xa0 +[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] +[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] +[2158499.701164] ? scnprintf+0x49/0x90 +[2158499.701190] ? __switch_to_asm+0x40/0x70 +[2158499.701211] ? __switch_to_asm+0x34/0x70 +[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] +[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] +[2158499.701632] process_one_work+0x1f8/0x3e0 +[2158499.701658] worker_thread+0x2d/0x3f0 +[2158499.701682] ? process_one_work+0x3e0/0x3e0 +[2158499.701703] kthread+0x10d/0x130 +[2158499.701723] ? kthread_park+0xb0/0xb0 +[2158499.701746] ret_from_fork+0x1f/0x40 + +The situation occurs as follows: +* Some kernel facility invokes dns_query() to resolve a hostname, for + example, "abcdef". The function registers its global DNS resolver + cache as current->cred.thread_keyring and passes the query to + request_key_net() -> request_key_tag() -> request_key_and_link(). +* Function request_key_and_link() creates a keyring_search_context + object. Its match_data.cmp method gets set via a call to + type->match_preparse() (resolves to dns_resolver_match_preparse()) to + dns_resolver_cmp(). +* Function request_key_and_link() continues and invokes + search_process_keyrings_rcu() which returns that a given key was not + found. The control is then passed to request_key_and_link() -> + construct_alloc_key(). +* Concurrently to that, a second task similarly makes a DNS query for + "abcdef." and its result gets inserted into the DNS resolver cache. +* Back on the first task, function construct_alloc_key() first runs + __key_link_begin() to determine an assoc_array_edit operation to + insert a new key. Index keys in the array are compared exactly as-is, + using keyring_compare_object(). The operation finds that "abcdef" is + not yet present in the destination keyring. +* Function construct_alloc_key() continues and checks if a given key is + already present on some keyring by again calling + search_process_keyrings_rcu(). This search is done using + dns_resolver_cmp() and "abcdef" gets matched with now present key + "abcdef.". +* The found key is linked on the destination keyring by calling + __key_link() and using the previously calculated assoc_array_edit + operation. This inserts the "abcdef." key in the array but creates + a duplicity because the same index key is already present. + +Fix the problem by postponing __key_link_begin() in +construct_alloc_key() until an actual key which should be linked into +the destination keyring is determined. + +[jarkko@kernel.org: added a fixes tag and cc to stable] +Cc: stable@vger.kernel.org # v5.3+ +Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") +Signed-off-by: Petr Pavlu +Reviewed-by: Joey Lee +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke + set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); + + if (dest_keyring) { +- ret = __key_link_lock(dest_keyring, &ctx->index_key); ++ ret = __key_link_lock(dest_keyring, &key->index_key); + if (ret < 0) + goto link_lock_failed; +- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); +- if (ret < 0) +- goto link_prealloc_failed; + } + +- /* attach the key to the destination keyring under lock, but we do need ++ /* ++ * Attach the key to the destination keyring under lock, but we do need + * to do another check just in case someone beat us to it whilst we +- * waited for locks */ ++ * waited for locks. ++ * ++ * The caller might specify a comparison function which looks for keys ++ * that do not exactly match but are still equivalent from the caller's ++ * perspective. The __key_link_begin() operation must be done only after ++ * an actual key is determined. ++ */ + mutex_lock(&key_construction_mutex); + + rcu_read_lock(); +@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke + if (!IS_ERR(key_ref)) + goto key_already_present; + +- if (dest_keyring) ++ if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed; + __key_link(dest_keyring, key, &edit); ++ } + + mutex_unlock(&key_construction_mutex); + if (dest_keyring) +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + mutex_unlock(&user->cons_lock); + *_key = key; + kleave(" = 0 [%d]", key_serial(key)); +@@ -438,10 +446,13 @@ key_already_present: + mutex_unlock(&key_construction_mutex); + key = key_ref_to_ptr(key_ref); + if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed_unlocked; + ret = __key_link_check_live_key(dest_keyring, key); + if (ret == 0) + __key_link(dest_keyring, key, &edit); +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + if (ret < 0) + goto link_check_failed; + } +@@ -456,8 +467,10 @@ link_check_failed: + kleave(" = %d [linkcheck]", ret); + return ret; + +-link_prealloc_failed: +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++link_alloc_failed: ++ mutex_unlock(&key_construction_mutex); ++link_alloc_failed_unlocked: ++ __key_link_end(dest_keyring, &key->index_key, edit); + link_lock_failed: + mutex_unlock(&user->cons_lock); + key_put(key); diff --git a/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch b/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch new file mode 100644 index 00000000000..3ca068f24d3 --- /dev/null +++ b/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch @@ -0,0 +1,40 @@ +From ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd Mon Sep 17 00:00:00 2001 +From: "Liam R. Howlett" +Date: Wed, 12 Jul 2023 13:39:16 -0400 +Subject: maple_tree: fix node allocation testing on 32 bit + +From: Liam R. Howlett + +commit ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd upstream. + +Internal node counting was altered and the 64 bit test was updated, +however the 32bit test was missed. + +Restore the 32bit test to a functional state. + +Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ +Link: https://lkml.kernel.org/r/20230712173916.168805-2-Liam.Howlett@oracle.com +Fixes: 541e06b772c1 ("maple_tree: remove GFP_ZERO from kmem_cache_alloc() and kmem_cache_alloc_bulk()") +Signed-off-by: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/radix-tree/maple.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/testing/radix-tree/maple.c ++++ b/tools/testing/radix-tree/maple.c +@@ -181,9 +181,9 @@ static noinline void check_new_node(stru + e = i - 1; + } else { + if (i >= 4) +- e = i - 4; +- else if (i == 3) +- e = i - 2; ++ e = i - 3; ++ else if (i >= 1) ++ e = i - 1; + else + e = 0; + } diff --git a/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch b/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch new file mode 100644 index 00000000000..b8ab8e3199a --- /dev/null +++ b/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch @@ -0,0 +1,44 @@ +From 3c769fd88b9742954763a968e84de09f7ad78cfe Mon Sep 17 00:00:00 2001 +From: Peng Zhang +Date: Tue, 11 Jul 2023 11:54:37 +0800 +Subject: maple_tree: set the node limit when creating a new root node + +From: Peng Zhang + +commit 3c769fd88b9742954763a968e84de09f7ad78cfe upstream. + +Set the node limit of the root node so that the last pivot of all nodes is +the node limit (if the node is not full). + +This patch also fixes a bug in mas_rev_awalk(). Effectively, always +setting a maximum makes mas_logical_pivot() behave as mas_safe_pivot(). +Without this fix, it is possible that very small tasks would fail to find +the correct gap. Although this has not been observed with real tasks, it +has been reported to happen in m68k nommu running the maple tree tests. + +Link: https://lkml.kernel.org/r/20230711035444.526-1-zhangpeng.00@bytedance.com +Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ +Link: https://lkml.kernel.org/r/20230711035444.526-2-zhangpeng.00@bytedance.com +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Peng Zhang +Reviewed-by: Liam R. Howlett +Tested-by: Geert Uytterhoeven +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/maple_tree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -3711,7 +3711,8 @@ static inline int mas_root_expand(struct + mas->offset = slot; + pivots[slot] = mas->last; + if (mas->last != ULONG_MAX) +- slot++; ++ pivots[++slot] = ULONG_MAX; ++ + mas->depth = 1; + mas_set_height(mas); + ma_set_meta(node, maple_leaf_64, 0, slot); diff --git a/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch b/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch new file mode 100644 index 00000000000..825e32fdd09 --- /dev/null +++ b/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch @@ -0,0 +1,51 @@ +From 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Mon, 10 Jul 2023 11:40:07 -0600 +Subject: of: Preserve "of-display" device name for compatibility +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Herring + +commit 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 upstream. + +Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"), +as spotted by Frédéric Bonnard, the historical "of-display" device is +gone: the updated logic creates "of-display.0" instead, then as many +"of-display.N" as required. + +This means that offb no longer finds the expected device, which prevents +the Debian Installer from setting up its interface, at least on ppc64el. + +Fix this by keeping "of-display" for the first device and "of-display.N" +for subsequent devices. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328 +Link: https://bugs.debian.org/1033058 +Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique") +Cc: stable@vger.kernel.org +Cc: Cyril Brulebois +Cc: Thomas Zimmermann +Cc: Helge Deller +Acked-by: Helge Deller +Acked-by: Thomas Zimmermann +Reviewed-by: Michal Suchánek +Link: https://lore.kernel.org/r/20230710174007.2291013-1-robh@kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -557,7 +557,7 @@ static int __init of_platform_default_po + if (!of_get_property(node, "linux,opened", NULL) || + !of_get_property(node, "linux,boot-display", NULL)) + continue; +- dev = of_platform_device_create(node, "of-display.0", NULL); ++ dev = of_platform_device_create(node, "of-display", NULL); + of_node_put(node); + if (WARN_ON(!dev)) + return -ENOMEM; diff --git a/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch new file mode 100644 index 00000000000..ac282bd2634 --- /dev/null +++ b/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch @@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include "testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch new file mode 100644 index 00000000000..b920fc52b6d --- /dev/null +++ b/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch @@ -0,0 +1,54 @@ +From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:40 +0100 +Subject: regmap: Account for register length in SMBus I/O limits + +From: Mark Brown + +commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. + +The SMBus I2C buses have limits on the size of transfers they can do but +do not factor in the register length meaning we may try to do a transfer +longer than our length limit, the core will not take care of this. +Future changes will factor this out into the core but there are a number +of users that assume current behaviour so let's just do something +conservative here. + +This does not take account padding bits but practically speaking these +are very rarely if ever used on I2C buses given that they generally run +slowly enough to mean there's no issue. + +Cc: stable@kernel.org +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-i2c.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regmap-i2c.c ++++ b/drivers/base/regmap/regmap-i2c.c +@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi + static const struct regmap_bus regmap_i2c_smbus_i2c_block = { + .write = regmap_i2c_smbus_i2c_write, + .read = regmap_i2c_smbus_i2c_read, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- .max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, + }; + + static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, +@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg + static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { + .write = regmap_i2c_smbus_i2c_write_reg16, + .read = regmap_i2c_smbus_i2c_read_reg16, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- .max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, + }; + + static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch new file mode 100644 index 00000000000..c84dadbe2f9 --- /dev/null +++ b/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch @@ -0,0 +1,64 @@ +From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:39 +0100 +Subject: regmap: Drop initial version of maximum transfer length fixes + +From: Mark Brown + +commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. + +When problems were noticed with the register address not being taken +into account when limiting raw transfers with I2C devices we fixed this +in the core. Unfortunately it has subsequently been realised that a lot +of buses were relying on the prior behaviour, partly due to unclear +documentation not making it obvious what was intended in the core. This +is all more involved to fix than is sensible for a fix commit so let's +just drop the original fixes, a separate commit will fix the originally +observed problem in an I2C specific way + +Fixes: 3981514180c9 ("regmap: Account for register length when chunking") +Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-spi-avmm.c | 2 +- + drivers/base/regmap/regmap.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/base/regmap/regmap-spi-avmm.c ++++ b/drivers/base/regmap/regmap-spi-avmm.c +@@ -660,7 +660,7 @@ static const struct regmap_bus regmap_sp + .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, + .val_format_endian_default = REGMAP_ENDIAN_NATIVE, + .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, +- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, ++ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, + .free_context = spi_avmm_bridge_ctx_free, + }; + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2064,8 +2064,6 @@ int _regmap_raw_write(struct regmap *map + size_t val_count = val_len / val_bytes; + size_t chunk_count, chunk_bytes; + size_t chunk_regs = val_count; +- size_t max_data = map->max_raw_write - map->format.reg_bytes - +- map->format.pad_bytes; + int ret, i; + + if (!val_count) +@@ -2073,8 +2071,8 @@ int _regmap_raw_write(struct regmap *map + + if (map->use_single_write) + chunk_regs = 1; +- else if (map->max_raw_write && val_len > max_data) +- chunk_regs = max_data / val_bytes; ++ else if (map->max_raw_write && val_len > map->max_raw_write) ++ chunk_regs = map->max_raw_write / val_bytes; + + chunk_count = val_count / chunk_regs; + chunk_bytes = chunk_regs * val_bytes; diff --git a/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch b/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch new file mode 100644 index 00000000000..cdab180886e --- /dev/null +++ b/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch @@ -0,0 +1,42 @@ +From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:46 +0200 +Subject: selftests: tc: add ConnTrack procfs kconfig + +From: Matthieu Baerts + +commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream. + +When looking at the TC selftest reports, I noticed one test was failing +because /proc/net/nf_conntrack was not available. + + not ok 373 3992 - Add ct action triggering DNAT tuple conflict + Could not match regex pattern. Verify command output: + cat: /proc/net/nf_conntrack: No such file or directory + +It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue +can be fixed simply by adding it to the list of required kconfig. + +Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1] +Signed-off-by: Matthieu Baerts +Tested-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/tc-testing/config ++++ b/tools/testing/selftests/tc-testing/config +@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m + CONFIG_NF_CONNTRACK_MARK=y + CONFIG_NF_CONNTRACK_ZONES=y + CONFIG_NF_CONNTRACK_LABELS=y ++CONFIG_NF_CONNTRACK_PROCFS=y + CONFIG_NF_FLOW_TABLE=m + CONFIG_NF_NAT=m + CONFIG_NETFILTER_XT_TARGET_LOG=m diff --git a/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch b/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch new file mode 100644 index 00000000000..07859eec8d1 --- /dev/null +++ b/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch @@ -0,0 +1,43 @@ +From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:45 +0200 +Subject: selftests: tc: add 'ct' action kconfig dep + +From: Matthieu Baerts + +commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream. + +When looking for something else in LKFT reports [1], I noticed most of +the tests were skipped because the "teardown stage" did not complete +successfully. + +Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required +but not listed in the 'config' file. Adding it to the list fixes the +issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final +kconfig. + +Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Tested-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/tc-testing/config ++++ b/tools/testing/selftests/tc-testing/config +@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m + CONFIG_NF_CONNTRACK_MARK=y + CONFIG_NF_CONNTRACK_ZONES=y + CONFIG_NF_CONNTRACK_LABELS=y ++CONFIG_NF_FLOW_TABLE=m + CONFIG_NF_NAT=m + CONFIG_NETFILTER_XT_TARGET_LOG=m + diff --git a/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch b/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch new file mode 100644 index 00000000000..ea00bbfff7d --- /dev/null +++ b/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch @@ -0,0 +1,43 @@ +From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:44 +0200 +Subject: selftests: tc: set timeout to 15 minutes + +From: Matthieu Baerts + +commit fda05798c22a354efde09a76bdfc276b2d591829 upstream. + +When looking for something else in LKFT reports [1], I noticed that the +TC selftest ended with a timeout error: + + not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds + +The timeout had been introduced 3 years ago, see the Fixes commit below. + +This timeout is only in place when executing the selftests via the +kselftests runner scripts. I guess this is not what most TC devs are +using and nobody noticed the issue before. + +The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks +like it is plenty more time than what it takes in "normal" conditions. + +Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Reviewed-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/settings | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tools/testing/selftests/tc-testing/settings + +--- /dev/null ++++ b/tools/testing/selftests/tc-testing/settings +@@ -0,0 +1 @@ ++timeout=900 diff --git a/queue-6.1/series b/queue-6.1/series index 18fa415b037..91a71ac95c4 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -2,3 +2,49 @@ io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch alsa-hda-realtek-remove-3k-pull-low-procedure.patch alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch +maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch +maple_tree-fix-node-allocation-testing-on-32-bit.patch +keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch +perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch +fuse-revalidate-don-t-invalidate-if-interrupted.patch +fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch +btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch +btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch +fuse-ioctl-translate-enosys-in-outarg.patch +btrfs-fix-race-between-balance-and-cancel-pause.patch +selftests-tc-set-timeout-to-15-minutes.patch +selftests-tc-add-ct-action-kconfig-dep.patch +regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch +of-preserve-of-display-device-name-for-compatibility.patch +regmap-account-for-register-length-in-smbus-i-o-limits.patch +arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch +can-raw-fix-receiver-memory-leak.patch +can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch +can-bcm-fix-uaf-in-bcm_proc_show.patch +can-gs_usb-gs_can_open-improve-error-handling.patch +selftests-tc-add-conntrack-procfs-kconfig.patch +dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch +drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch +drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch +drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch +drm-client-fix-memory-leak-in-drm_client_target_cloned.patch +drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch +drm-amd-display-only-accept-async-flips-for-fast-updates.patch +drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch +drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch +drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch +asoc-fsl_sai-disable-bit-clock-with-transmitter.patch +asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch +asoc-tegra-fix-adx-byte-map.patch +asoc-rt5640-fix-sleep-in-atomic-context.patch +asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch +asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch +asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch +asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch +asoc-tegra-fix-amx-byte-map.patch +asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch +asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch +asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch +asoc-codecs-wcd938x-fix-codec-initialisation-race.patch +asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch