From: Greg Kroah-Hartman Date: Sun, 12 Jan 2025 09:37:24 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.125~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f4aad1d68e43680fbe255cf8d72ba723d501d9b4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: acpi-resource-add-asus-vivobook-x1504vap-to-irq1_level_low_skip_override.patch acpi-resource-add-tongfang-gm5hg0a-to-irq1_edge_low_force_override.patch arm64-dts-qcom-sa8775p-fix-the-size-of-addr_space-regions.patch arm64-dts-qcom-x1e80100-fix-up-bar-space-size-for-pcie6a.patch drm-amd-display-fix-divide-error-in-dm-plane-scale-calcs.patch drm-amd-display-fix-page-fault-due-to-max-surface-definition-mismatch.patch drm-amd-display-increase-max_surfaces-to-the-value-supported-by-hw.patch drm-amd-pm-fix-bug-scheduling-while-atomic.patch drm-amdgpu-add-a-lock-when-accessing-the-buddy-trim-function.patch drm-amdkfd-fixed-page-fault-when-enable-mes-shader-debugger.patch drm-amdkfd-wq_release-signals-dma_fence-only-when-available.patch fs-kill-mnt_onrb.patch gpio-loongson-fix-loongson-2k2000-acpi-gpio-register-offset.patch io_uring-sqpoll-zero-sqd-thread-on-tctx-errors.patch io_uring-timeout-fix-multishot-updates.patch riscv-fix-sleeping-in-invalid-context-in-die.patch riscv-kprobes-fix-incorrect-address-calculation.patch smb-client-sync-the-root-session-and-superblock-context-passwords-before-automounting.patch --- diff --git a/queue-6.12/acpi-resource-add-asus-vivobook-x1504vap-to-irq1_level_low_skip_override.patch b/queue-6.12/acpi-resource-add-asus-vivobook-x1504vap-to-irq1_level_low_skip_override.patch new file mode 100644 index 00000000000..d9f267149de --- /dev/null +++ b/queue-6.12/acpi-resource-add-asus-vivobook-x1504vap-to-irq1_level_low_skip_override.patch @@ -0,0 +1,42 @@ +From 66d337fede44dcbab4107d37684af8fcab3d648e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 20 Dec 2024 19:13:52 +0100 +Subject: ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] + +From: Hans de Goede + +commit 66d337fede44dcbab4107d37684af8fcab3d648e upstream. + +Like the Vivobook X1704VAP the X1504VAP has its keyboard IRQ (1) described +as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which +breaks the keyboard. + +Add the X1504VAP to the irq1_level_low_skip_override[] quirk table to fix +this. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224 +Cc: All applicable +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20241220181352.25974-1-hdegoede@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -441,6 +441,13 @@ static const struct dmi_system_id irq1_l + }, + }, + { ++ /* Asus Vivobook X1504VAP */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "X1504VAP"), ++ }, ++ }, ++ { + /* Asus Vivobook X1704VAP */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), diff --git a/queue-6.12/acpi-resource-add-tongfang-gm5hg0a-to-irq1_edge_low_force_override.patch b/queue-6.12/acpi-resource-add-tongfang-gm5hg0a-to-irq1_edge_low_force_override.patch new file mode 100644 index 00000000000..40e02de5c87 --- /dev/null +++ b/queue-6.12/acpi-resource-add-tongfang-gm5hg0a-to-irq1_edge_low_force_override.patch @@ -0,0 +1,58 @@ +From 7ed4e4a659d99499dc6968c61970d41b64feeac0 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 28 Dec 2024 17:48:45 +0100 +Subject: ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] + +From: Hans de Goede + +commit 7ed4e4a659d99499dc6968c61970d41b64feeac0 upstream. + +The TongFang GM5HG0A is a TongFang barebone design which is sold under +various brand names. + +The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen +laptops in order for the IRQ to work. + +At least on the SKIKK Vanaheim variant the DMI product- and board-name +strings have been replaced by the OEM with "Vanaheim" so checking that +board-name contains "GM5HG0A" as is usually done for TongFang barebones +quirks does not work. + +The DMI OEM strings do contain "GM5HG0A". I have looked at the dmidecode +for a few other TongFang devices and the TongFang code-name string being +in the OEM strings seems to be something which is consistently true. + +Add a quirk checking one of the DMI_OEM_STRING(s) is "GM5HG0A" in the hope +that this will work for other OEM versions of the "GM5HG0A" too. + +Link: https://www.skikk.eu/en/laptops/vanaheim-15-rtx-4060 +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219614 +Cc: All applicable +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20241228164845.42381-1-hdegoede@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -646,6 +646,17 @@ static const struct dmi_system_id irq1_e + DMI_MATCH(DMI_BOARD_NAME, "GMxHGxx"), + }, + }, ++ { ++ /* ++ * TongFang GM5HG0A in case of the SKIKK Vanaheim relabel the ++ * board-name is changed, so check OEM strings instead. Note ++ * OEM string matches are always exact matches. ++ * https://bugzilla.kernel.org/show_bug.cgi?id=219614 ++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_OEM_STRING, "GM5HG0A"), ++ }, ++ }, + { } + }; + diff --git a/queue-6.12/arm64-dts-qcom-sa8775p-fix-the-size-of-addr_space-regions.patch b/queue-6.12/arm64-dts-qcom-sa8775p-fix-the-size-of-addr_space-regions.patch new file mode 100644 index 00000000000..04b1e3cdf30 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sa8775p-fix-the-size-of-addr_space-regions.patch @@ -0,0 +1,46 @@ +From e60b14f47d779edc38bc1f14d2c995d477cec6f9 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 28 Nov 2024 20:21:47 +0530 +Subject: arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions + +From: Manivannan Sadhasivam + +commit e60b14f47d779edc38bc1f14d2c995d477cec6f9 upstream. + +For both the controller instances, size of the 'addr_space' region should +be 0x1fe00000 as per the hardware memory layout. + +Otherwise, endpoint drivers cannot request even reasonable BAR size of 1MB. + +Cc: stable@vger.kernel.org # 6.11 +Fixes: c5f5de8434ec ("arm64: dts: qcom: sa8775p: Add ep pcie1 controller node") +Fixes: 1924f5518224 ("arm64: dts: qcom: sa8775p: Add ep pcie0 controller node") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20241128145147.145618-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi ++++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi +@@ -5587,7 +5587,7 @@ + <0x0 0x40000000 0x0 0xf20>, + <0x0 0x40000f20 0x0 0xa8>, + <0x0 0x40001000 0x0 0x4000>, +- <0x0 0x40200000 0x0 0x100000>, ++ <0x0 0x40200000 0x0 0x1fe00000>, + <0x0 0x01c03000 0x0 0x1000>, + <0x0 0x40005000 0x0 0x2000>; + reg-names = "parf", "dbi", "elbi", "atu", "addr_space", +@@ -5744,7 +5744,7 @@ + <0x0 0x60000000 0x0 0xf20>, + <0x0 0x60000f20 0x0 0xa8>, + <0x0 0x60001000 0x0 0x4000>, +- <0x0 0x60200000 0x0 0x100000>, ++ <0x0 0x60200000 0x0 0x1fe00000>, + <0x0 0x01c13000 0x0 0x1000>, + <0x0 0x60005000 0x0 0x2000>; + reg-names = "parf", "dbi", "elbi", "atu", "addr_space", diff --git a/queue-6.12/arm64-dts-qcom-x1e80100-fix-up-bar-space-size-for-pcie6a.patch b/queue-6.12/arm64-dts-qcom-x1e80100-fix-up-bar-space-size-for-pcie6a.patch new file mode 100644 index 00000000000..544550df12d --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-x1e80100-fix-up-bar-space-size-for-pcie6a.patch @@ -0,0 +1,36 @@ +From fb8e7b33c2174e00dfa411361eeed21eeaf3634b Mon Sep 17 00:00:00 2001 +From: Qiang Yu +Date: Wed, 13 Nov 2024 00:05:08 -0800 +Subject: arm64: dts: qcom: x1e80100: Fix up BAR space size for PCIe6a + +From: Qiang Yu + +commit fb8e7b33c2174e00dfa411361eeed21eeaf3634b upstream. + +As per memory map table, the region for PCIe6a is 64MByte. Hence, set the +size of 32 bit non-prefetchable memory region beginning on address +0x70300000 as 0x3d00000 so that BAR space assigned to BAR registers can be +allocated from 0x70300000 to 0x74000000. + +Fixes: 7af141850012 ("arm64: dts: qcom: x1e80100: Fix up BAR spaces") +Cc: stable@vger.kernel.org +Signed-off-by: Qiang Yu +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241113080508.3458849-1-quic_qianyu@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +@@ -2925,7 +2925,7 @@ + #address-cells = <3>; + #size-cells = <2>; + ranges = <0x01000000 0x0 0x00000000 0x0 0x70200000 0x0 0x100000>, +- <0x02000000 0x0 0x70300000 0x0 0x70300000 0x0 0x1d00000>; ++ <0x02000000 0x0 0x70300000 0x0 0x70300000 0x0 0x3d00000>; + bus-range = <0x00 0xff>; + + dma-coherent; diff --git a/queue-6.12/drm-amd-display-fix-divide-error-in-dm-plane-scale-calcs.patch b/queue-6.12/drm-amd-display-fix-divide-error-in-dm-plane-scale-calcs.patch new file mode 100644 index 00000000000..9cf1ab828d4 --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-divide-error-in-dm-plane-scale-calcs.patch @@ -0,0 +1,113 @@ +From 5225fd2a26211d012533acf98a6ad3f983885817 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 17 Dec 2024 17:45:05 -0300 +Subject: drm/amd/display: fix divide error in DM plane scale calcs + +From: Melissa Wen + +commit 5225fd2a26211d012533acf98a6ad3f983885817 upstream. + +dm_get_plane_scale doesn't take into account plane scaled size equal to +zero, leading to a kernel oops due to division by zero. Fix by setting +out-scale size as zero when the dst size is zero, similar to what is +done by drm_calc_scale(). This issue started with the introduction of +cursor ovelay mode that uses this function to assess cursor mode changes +via dm_crtc_get_cursor_mode() before checking plane state. + +[Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI +[ +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231 +[ +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 +[ +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu] +[ +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 <41> f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66 +[ +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246 +[ +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500 +[ +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4 +[ +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00 +[ +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010 +[ +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0 +[ +0.000004] FS: 00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000 +[ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0 +[ +0.000004] Call Trace: +[ +0.000007] +[ +0.000006] ? __die_body.cold+0x19/0x27 +[ +0.000009] ? die+0x2e/0x50 +[ +0.000007] ? do_trap+0xca/0x110 +[ +0.000007] ? do_error_trap+0x6a/0x90 +[ +0.000006] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] +[ +0.000504] ? exc_divide_error+0x38/0x50 +[ +0.000005] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] +[ +0.000488] ? asm_exc_divide_error+0x1a/0x20 +[ +0.000011] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] +[ +0.000593] dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu] +[ +0.000562] amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu] +[ +0.000501] drm_atomic_check_only+0x5e1/0xa30 [drm] +[ +0.000047] drm_mode_atomic_ioctl+0x832/0xcb0 [drm] +[ +0.000050] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] +[ +0.000047] drm_ioctl_kernel+0xb3/0x100 [drm] +[ +0.000062] drm_ioctl+0x27a/0x4f0 [drm] +[ +0.000049] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] +[ +0.000055] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] +[ +0.000360] __x64_sys_ioctl+0x97/0xd0 +[ +0.000010] do_syscall_64+0x82/0x190 +[ +0.000008] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] +[ +0.000044] ? srso_return_thunk+0x5/0x5f +[ +0.000006] ? drm_ioctl_kernel+0xb3/0x100 [drm] +[ +0.000040] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? __check_object_size+0x50/0x220 +[ +0.000007] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? drm_ioctl+0x2a4/0x4f0 [drm] +[ +0.000039] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] +[ +0.000043] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? __pm_runtime_suspend+0x69/0xc0 +[ +0.000006] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu] +[ +0.000366] ? srso_return_thunk+0x5/0x5f +[ +0.000006] ? syscall_exit_to_user_mode+0x77/0x210 +[ +0.000007] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? do_syscall_64+0x8e/0x190 +[ +0.000006] ? srso_return_thunk+0x5/0x5f +[ +0.000006] ? do_syscall_64+0x8e/0x190 +[ +0.000006] ? srso_return_thunk+0x5/0x5f +[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ +0.000008] RIP: 0033:0x55bb7cd962bc +[ +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64 38 c0 0f 05 <49> 89 c7 48 83 3b 00 74 09 4c 89 c7 ff 15 62 64 99 00 48 83 7b 18 +[ +0.000005] RSP: 002b:00007f869e9f4da0 EFLAGS: 00000217 ORIG_RAX: 0000000000000010 +[ +0.000007] RAX: ffffffffffffffda RBX: 00007f869e9f4fb8 RCX: 000055bb7cd962bc +[ +0.000004] RDX: 00007f869e9f4da8 RSI: 00000000c03864bc RDI: 000000000000003b +[ +0.000003] RBP: 000055bb9ddcbcc0 R08: 00007f86541b9920 R09: 0000000000000009 +[ +0.000004] R10: 0000000000000004 R11: 0000000000000217 R12: 00007f865406c6b0 +[ +0.000003] R13: 00007f86541b5290 R14: 00007f865410b700 R15: 000055bb9ddcbc18 +[ +0.000009] + +Fixes: 1b04dcca4fb1 ("drm/amd/display: Introduce overlay cursor mode") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3729 +Reported-by: Fabio Scaccabarozzi +Co-developed-by: Fabio Scaccabarozzi +Signed-off-by: Fabio Scaccabarozzi +Signed-off-by: Melissa Wen +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +(cherry picked from commit ab75a0d2e07942ae15d32c0a5092fd336451378c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -11115,8 +11115,8 @@ dm_get_plane_scale(struct drm_plane_stat + int plane_src_w, plane_src_h; + + dm_get_oriented_plane_size(plane_state, &plane_src_w, &plane_src_h); +- *out_plane_scale_w = plane_state->crtc_w * 1000 / plane_src_w; +- *out_plane_scale_h = plane_state->crtc_h * 1000 / plane_src_h; ++ *out_plane_scale_w = plane_src_w ? plane_state->crtc_w * 1000 / plane_src_w : 0; ++ *out_plane_scale_h = plane_src_h ? plane_state->crtc_h * 1000 / plane_src_h : 0; + } + + /* diff --git a/queue-6.12/drm-amd-display-fix-page-fault-due-to-max-surface-definition-mismatch.patch b/queue-6.12/drm-amd-display-fix-page-fault-due-to-max-surface-definition-mismatch.patch new file mode 100644 index 00000000000..f3cf487bc4c --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-page-fault-due-to-max-surface-definition-mismatch.patch @@ -0,0 +1,177 @@ +From 7de8d5c90be9ad9f6575e818a674801db2ada794 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 17 Dec 2024 17:45:03 -0300 +Subject: drm/amd/display: fix page fault due to max surface definition mismatch + +From: Melissa Wen + +commit 7de8d5c90be9ad9f6575e818a674801db2ada794 upstream. + +DC driver is using two different values to define the maximum number of +surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as +the unique definition for surface updates across DC. + +It fixes page fault faced by Cosmic users on AMD display versions that +support two overlay planes, since the introduction of cursor overlay +mode. + +[Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b +[ +0.000015] #PF: supervisor read access in kernel mode +[ +0.000006] #PF: error_code(0x0000) - not-present page +[ +0.000005] PGD 0 P4D 0 +[ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +[ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300 +[ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 +[ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper] +[ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] +[ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b +[ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206 +[ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070 +[ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000 +[ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000 +[ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000 +[ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000 +[ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000 +[ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0 +[ +0.000005] Call Trace: +[ +0.000011] +[ +0.000010] ? __die_body.cold+0x19/0x27 +[ +0.000012] ? page_fault_oops+0x15a/0x2d0 +[ +0.000014] ? exc_page_fault+0x7e/0x180 +[ +0.000009] ? asm_exc_page_fault+0x26/0x30 +[ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] +[ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu] +[ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu] +[ +0.000450] ? srso_return_thunk+0x5/0x5f +[ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu] +[ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu] +[ +0.000464] ? srso_return_thunk+0x5/0x5f +[ +0.000009] ? sort+0x31/0x50 +[ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu] +[ +0.000508] ? srso_return_thunk+0x5/0x5f +[ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu] +[ +0.000377] ? srso_return_thunk+0x5/0x5f +[ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm] +[ +0.000058] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? dma_fence_default_wait+0x8c/0x260 +[ +0.000010] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? wait_for_completion_timeout+0x13b/0x170 +[ +0.000006] ? srso_return_thunk+0x5/0x5f +[ +0.000005] ? dma_fence_wait_timeout+0x108/0x140 +[ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper] +[ +0.000024] ? process_one_work+0x177/0x330 +[ +0.000008] ? worker_thread+0x266/0x3a0 +[ +0.000006] ? __pfx_worker_thread+0x10/0x10 +[ +0.000004] ? kthread+0xd2/0x100 +[ +0.000006] ? __pfx_kthread+0x10/0x10 +[ +0.000006] ? ret_from_fork+0x34/0x50 +[ +0.000004] ? __pfx_kthread+0x10/0x10 +[ +0.000005] ? ret_from_fork_asm+0x1a/0x30 +[ +0.000011] + +Fixes: 1b04dcca4fb1 ("drm/amd/display: Introduce overlay cursor mode") +Suggested-by: Leo Li +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3693 +Signed-off-by: Melissa Wen +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +(cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- + drivers/gpu/drm/amd/display/dc/core/dc_state.c | 8 ++++---- + drivers/gpu/drm/amd/display/dc/dc.h | 2 +- + drivers/gpu/drm/amd/display/dc/dc_stream.h | 2 +- + drivers/gpu/drm/amd/display/dc/dc_types.h | 1 - + drivers/gpu/drm/amd/display/dc/dml2/dml2_mall_phantom.c | 2 +- + 6 files changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -4421,7 +4421,7 @@ static bool commit_minimal_transition_ba + struct pipe_split_policy_backup policy; + struct dc_state *intermediate_context; + struct dc_state *old_current_state = dc->current_state; +- struct dc_surface_update srf_updates[MAX_SURFACE_NUM] = {0}; ++ struct dc_surface_update srf_updates[MAX_SURFACES] = {0}; + int surface_count; + + /* +--- a/drivers/gpu/drm/amd/display/dc/core/dc_state.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_state.c +@@ -483,9 +483,9 @@ bool dc_state_add_plane( + if (stream_status == NULL) { + dm_error("Existing stream not found; failed to attach surface!\n"); + goto out; +- } else if (stream_status->plane_count == MAX_SURFACE_NUM) { ++ } else if (stream_status->plane_count == MAX_SURFACES) { + dm_error("Surface: can not attach plane_state %p! Maximum is: %d\n", +- plane_state, MAX_SURFACE_NUM); ++ plane_state, MAX_SURFACES); + goto out; + } else if (!otg_master_pipe) { + goto out; +@@ -600,7 +600,7 @@ bool dc_state_rem_all_planes_for_stream( + { + int i, old_plane_count; + struct dc_stream_status *stream_status = NULL; +- struct dc_plane_state *del_planes[MAX_SURFACE_NUM] = { 0 }; ++ struct dc_plane_state *del_planes[MAX_SURFACES] = { 0 }; + + for (i = 0; i < state->stream_count; i++) + if (state->streams[i] == stream) { +@@ -875,7 +875,7 @@ bool dc_state_rem_all_phantom_planes_for + { + int i, old_plane_count; + struct dc_stream_status *stream_status = NULL; +- struct dc_plane_state *del_planes[MAX_SURFACE_NUM] = { 0 }; ++ struct dc_plane_state *del_planes[MAX_SURFACES] = { 0 }; + + for (i = 0; i < state->stream_count; i++) + if (state->streams[i] == phantom_stream) { +--- a/drivers/gpu/drm/amd/display/dc/dc.h ++++ b/drivers/gpu/drm/amd/display/dc/dc.h +@@ -1390,7 +1390,7 @@ struct dc_scratch_space { + * store current value in plane states so we can still recover + * a valid current state during dc update. + */ +- struct dc_plane_state plane_states[MAX_SURFACE_NUM]; ++ struct dc_plane_state plane_states[MAX_SURFACES]; + + struct dc_stream_state stream_state; + }; +--- a/drivers/gpu/drm/amd/display/dc/dc_stream.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_stream.h +@@ -56,7 +56,7 @@ struct dc_stream_status { + int plane_count; + int audio_inst; + struct timing_sync_info timing_sync_info; +- struct dc_plane_state *plane_states[MAX_SURFACE_NUM]; ++ struct dc_plane_state *plane_states[MAX_SURFACES]; + bool is_abm_supported; + struct mall_stream_config mall_stream_config; + bool fpo_in_use; +--- a/drivers/gpu/drm/amd/display/dc/dc_types.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_types.h +@@ -76,7 +76,6 @@ struct dc_perf_trace { + unsigned long last_entry_write; + }; + +-#define MAX_SURFACE_NUM 6 + #define NUM_PIXEL_FORMATS 10 + + enum tiling_mode { +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_mall_phantom.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_mall_phantom.c +@@ -813,7 +813,7 @@ static bool remove_all_phantom_planes_fo + { + int i, old_plane_count; + struct dc_stream_status *stream_status = NULL; +- struct dc_plane_state *del_planes[MAX_SURFACE_NUM] = { 0 }; ++ struct dc_plane_state *del_planes[MAX_SURFACES] = { 0 }; + + for (i = 0; i < context->stream_count; i++) + if (context->streams[i] == stream) { diff --git a/queue-6.12/drm-amd-display-increase-max_surfaces-to-the-value-supported-by-hw.patch b/queue-6.12/drm-amd-display-increase-max_surfaces-to-the-value-supported-by-hw.patch new file mode 100644 index 00000000000..52cbc14443b --- /dev/null +++ b/queue-6.12/drm-amd-display-increase-max_surfaces-to-the-value-supported-by-hw.patch @@ -0,0 +1,38 @@ +From 21541bc6b44241e3f791f9e552352d8440b2b29e Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 17 Dec 2024 17:45:04 -0300 +Subject: drm/amd/display: increase MAX_SURFACES to the value supported by hw + +From: Melissa Wen + +commit 21541bc6b44241e3f791f9e552352d8440b2b29e upstream. + +As the hw supports up to 4 surfaces, increase the maximum number of +surfaces to prevent the DC error when trying to use more than three +planes. + +[drm:dc_state_add_plane [amdgpu]] *ERROR* Surface: can not attach plane_state 000000003e2cb82c! Maximum is: 3 + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3693 +Signed-off-by: Melissa Wen +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +(cherry picked from commit b8d6daffc871a42026c3c20bff7b8fa0302298c1) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dc.h ++++ b/drivers/gpu/drm/amd/display/dc/dc.h +@@ -57,7 +57,7 @@ struct dmub_notification; + + #define DC_VER "3.2.301" + +-#define MAX_SURFACES 3 ++#define MAX_SURFACES 4 + #define MAX_PLANES 6 + #define MAX_STREAMS 6 + #define MIN_VIEWPORT_SIZE 12 diff --git a/queue-6.12/drm-amd-pm-fix-bug-scheduling-while-atomic.patch b/queue-6.12/drm-amd-pm-fix-bug-scheduling-while-atomic.patch new file mode 100644 index 00000000000..c9087dbaa26 --- /dev/null +++ b/queue-6.12/drm-amd-pm-fix-bug-scheduling-while-atomic.patch @@ -0,0 +1,110 @@ +From 2a238b09bfd04e8155a7a323364bce1c38b28c0f Mon Sep 17 00:00:00 2001 +From: Kun Liu +Date: Fri, 27 Dec 2024 11:43:22 +0800 +Subject: drm/amd/pm: fix BUG: scheduling while atomic + +From: Kun Liu + +commit 2a238b09bfd04e8155a7a323364bce1c38b28c0f upstream. + +atomic scheduling will be triggered in interrupt handler for +AC/DC mode switch as following backtrace. +Call Trace: + + dump_stack_lvl + __schedule_bug + __schedule + schedule + schedule_preempt_disabled + __mutex_lock + smu_cmn_send_smc_msg_with_param + smu_v13_0_irq_process + amdgpu_irq_dispatch + amdgpu_ih_process + amdgpu_irq_handler + __handle_irq_event_percpu + handle_irq_event + handle_edge_irq + __common_interrupt + common_interrupt + + + asm_common_interrupt + +Reviewed-by: Lijo Lazar +Reviewed-by: Kenneth Feng +Signed-off-by: Kun Liu +Signed-off-by: Alex Deucher +(cherry picked from commit 03cc84b102d1a832e8dfc59344346dedcebcdf42) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 ++ + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 12 ++++++------ + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 1 + + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 1 + + 4 files changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +@@ -302,5 +302,7 @@ int smu_v13_0_set_wbrf_exclusion_ranges( + int smu_v13_0_get_boot_freq_by_index(struct smu_context *smu, + enum smu_clk_type clk_type, + uint32_t *value); ++ ++void smu_v13_0_interrupt_work(struct smu_context *smu); + #endif + #endif +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +@@ -1320,11 +1320,11 @@ static int smu_v13_0_set_irq_state(struc + return 0; + } + +-static int smu_v13_0_ack_ac_dc_interrupt(struct smu_context *smu) ++void smu_v13_0_interrupt_work(struct smu_context *smu) + { +- return smu_cmn_send_smc_msg(smu, +- SMU_MSG_ReenableAcDcInterrupt, +- NULL); ++ smu_cmn_send_smc_msg(smu, ++ SMU_MSG_ReenableAcDcInterrupt, ++ NULL); + } + + #define THM_11_0__SRCID__THM_DIG_THERM_L2H 0 /* ASIC_TEMP > CG_THERMAL_INT.DIG_THERM_INTH */ +@@ -1377,12 +1377,12 @@ static int smu_v13_0_irq_process(struct + switch (ctxid) { + case SMU_IH_INTERRUPT_CONTEXT_ID_AC: + dev_dbg(adev->dev, "Switched to AC mode!\n"); +- smu_v13_0_ack_ac_dc_interrupt(smu); ++ schedule_work(&smu->interrupt_work); + adev->pm.ac_power = true; + break; + case SMU_IH_INTERRUPT_CONTEXT_ID_DC: + dev_dbg(adev->dev, "Switched to DC mode!\n"); +- smu_v13_0_ack_ac_dc_interrupt(smu); ++ schedule_work(&smu->interrupt_work); + adev->pm.ac_power = false; + break; + case SMU_IH_INTERRUPT_CONTEXT_ID_THERMAL_THROTTLING: +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -3126,6 +3126,7 @@ static const struct pptable_funcs smu_v1 + .is_asic_wbrf_supported = smu_v13_0_0_wbrf_support_check, + .enable_uclk_shadow = smu_v13_0_enable_uclk_shadow, + .set_wbrf_exclusion_ranges = smu_v13_0_set_wbrf_exclusion_ranges, ++ .interrupt_work = smu_v13_0_interrupt_work, + }; + + void smu_v13_0_0_set_ppt_funcs(struct smu_context *smu) +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -2704,6 +2704,7 @@ static const struct pptable_funcs smu_v1 + .is_asic_wbrf_supported = smu_v13_0_7_wbrf_support_check, + .enable_uclk_shadow = smu_v13_0_enable_uclk_shadow, + .set_wbrf_exclusion_ranges = smu_v13_0_set_wbrf_exclusion_ranges, ++ .interrupt_work = smu_v13_0_interrupt_work, + }; + + void smu_v13_0_7_set_ppt_funcs(struct smu_context *smu) diff --git a/queue-6.12/drm-amdgpu-add-a-lock-when-accessing-the-buddy-trim-function.patch b/queue-6.12/drm-amdgpu-add-a-lock-when-accessing-the-buddy-trim-function.patch new file mode 100644 index 00000000000..ed1d3e14ffa --- /dev/null +++ b/queue-6.12/drm-amdgpu-add-a-lock-when-accessing-the-buddy-trim-function.patch @@ -0,0 +1,90 @@ +From 75c8b703e5bded1e33b08fb09b829e7c2c1ed50a Mon Sep 17 00:00:00 2001 +From: Arunpravin Paneer Selvam +Date: Tue, 10 Dec 2024 12:50:08 +0530 +Subject: drm/amdgpu: Add a lock when accessing the buddy trim function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arunpravin Paneer Selvam + +commit 75c8b703e5bded1e33b08fb09b829e7c2c1ed50a upstream. + +When running YouTube videos and Steam games simultaneously, +the tester found a system hang / race condition issue with +the multi-display configuration setting. Adding a lock to +the buddy allocator's trim function would be the solution. + + +[ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108 +[ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy] +[ 7197.250470] Call Trace: +[ 7197.250472] +[ 7197.250475] ? show_regs+0x6d/0x80 +[ 7197.250481] ? die_addr+0x37/0xa0 +[ 7197.250483] ? exc_general_protection+0x1db/0x480 +[ 7197.250488] ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper] +[ 7197.250493] ? asm_exc_general_protection+0x27/0x30 +[ 7197.250498] ? __alloc_range+0x8b/0x340 [amddrm_buddy] +[ 7197.250501] ? __alloc_range+0x109/0x340 [amddrm_buddy] +[ 7197.250506] amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy] +[ 7197.250511] amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu] +[ 7197.250682] amdttm_resource_alloc+0x46/0xb0 [amdttm] +[ 7197.250689] ttm_bo_alloc_resource+0xe4/0x370 [amdttm] +[ 7197.250696] amdttm_bo_validate+0x9d/0x180 [amdttm] +[ 7197.250701] amdgpu_bo_pin+0x15a/0x2f0 [amdgpu] +[ 7197.250831] amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu] +[ 7197.251025] ? try_wait_for_completion+0x59/0x70 +[ 7197.251030] drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0 +[ 7197.251035] drm_atomic_helper_prepare_planes+0x5d/0x70 +[ 7197.251037] drm_atomic_helper_commit+0x84/0x160 +[ 7197.251040] drm_atomic_nonblocking_commit+0x59/0x70 +[ 7197.251043] drm_mode_atomic_ioctl+0x720/0x850 +[ 7197.251047] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 +[ 7197.251049] drm_ioctl_kernel+0xb9/0x120 +[ 7197.251053] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 7197.251056] drm_ioctl+0x2d4/0x550 +[ 7197.251058] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 +[ 7197.251063] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] +[ 7197.251186] __x64_sys_ioctl+0xa0/0xf0 +[ 7197.251190] x64_sys_call+0x143b/0x25c0 +[ 7197.251193] do_syscall_64+0x7f/0x180 +[ 7197.251197] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 7197.251199] ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu] +[ 7197.251329] ? drm_internal_framebuffer_create+0xb7/0x1a0 +[ 7197.251332] ? srso_alias_return_thunk+0x5/0xfbef5 + +Signed-off-by: Arunpravin Paneer Selvam +Fixes: 4a5ad08f5377 ("drm/amdgpu: Add address alignment support to DCC buffers") +Acked-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +index 7d26a962f811..ff5e52025266 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +@@ -567,7 +567,6 @@ static int amdgpu_vram_mgr_new(struct ttm_resource_manager *man, + else + remaining_size -= size; + } +- mutex_unlock(&mgr->lock); + + if (bo->flags & AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS && adjust_dcc_size) { + struct drm_buddy_block *dcc_block; +@@ -584,6 +583,7 @@ static int amdgpu_vram_mgr_new(struct ttm_resource_manager *man, + (u64)vres->base.size, + &vres->blocks); + } ++ mutex_unlock(&mgr->lock); + + vres->base.start = 0; + size = max_t(u64, amdgpu_vram_mgr_blocks_size(&vres->blocks), +-- +2.48.0 + diff --git a/queue-6.12/drm-amdkfd-fixed-page-fault-when-enable-mes-shader-debugger.patch b/queue-6.12/drm-amdkfd-fixed-page-fault-when-enable-mes-shader-debugger.patch new file mode 100644 index 00000000000..855a2dfc3cb --- /dev/null +++ b/queue-6.12/drm-amdkfd-fixed-page-fault-when-enable-mes-shader-debugger.patch @@ -0,0 +1,74 @@ +From 9738609449c3e44d1afb73eecab4763362b57930 Mon Sep 17 00:00:00 2001 +From: "Jesse.zhang@amd.com" +Date: Wed, 18 Dec 2024 18:23:52 +0800 +Subject: drm/amdkfd: fixed page fault when enable MES shader debugger + +From: Jesse.zhang@amd.com + +commit 9738609449c3e44d1afb73eecab4763362b57930 upstream. + +Initialize the process context address before setting the shader debugger. + +[ 260.781212] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) +[ 260.781236] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 +[ 260.781255] amdgpu 0000:03:00.0: amdgpu: GCVM_L2_PROTECTION_FAULT_STATUS:0x00040A40 +[ 260.781270] amdgpu 0000:03:00.0: amdgpu: Faulty UTCL2 client ID: CPC (0x5) +[ 260.781284] amdgpu 0000:03:00.0: amdgpu: MORE_FAULTS: 0x0 +[ 260.781296] amdgpu 0000:03:00.0: amdgpu: WALKER_ERROR: 0x0 +[ 260.781308] amdgpu 0000:03:00.0: amdgpu: PERMISSION_FAULTS: 0x4 +[ 260.781320] amdgpu 0000:03:00.0: amdgpu: MAPPING_ERROR: 0x0 +[ 260.781332] amdgpu 0000:03:00.0: amdgpu: RW: 0x1 +[ 260.782017] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) +[ 260.782039] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 +[ 260.782058] amdgpu 0000:03:00.0: amdgpu: GCVM_L2_PROTECTION_FAULT_STATUS:0x00040A41 +[ 260.782073] amdgpu 0000:03:00.0: amdgpu: Faulty UTCL2 client ID: CPC (0x5) +[ 260.782087] amdgpu 0000:03:00.0: amdgpu: MORE_FAULTS: 0x1 +[ 260.782098] amdgpu 0000:03:00.0: amdgpu: WALKER_ERROR: 0x0 +[ 260.782110] amdgpu 0000:03:00.0: amdgpu: PERMISSION_FAULTS: 0x4 +[ 260.782122] amdgpu 0000:03:00.0: amdgpu: MAPPING_ERROR: 0x0 +[ 260.782137] amdgpu 0000:03:00.0: amdgpu: RW: 0x1 +[ 260.782155] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) +[ 260.782166] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 + +Fixes: 438b39ac74e2 ("drm/amdkfd: pause autosuspend when creating pdd") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3849 +Signed-off-by: Jesse Zhang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 5b231f5bc9ff02ec5737f2ec95cdf15ac95088e9) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_debug.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_debug.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_debug.c +@@ -350,10 +350,27 @@ int kfd_dbg_set_mes_debug_mode(struct kf + { + uint32_t spi_dbg_cntl = pdd->spi_dbg_override | pdd->spi_dbg_launch_mode; + uint32_t flags = pdd->process->dbg_flags; ++ struct amdgpu_device *adev = pdd->dev->adev; ++ int r; + + if (!kfd_dbg_is_per_vmid_supported(pdd->dev)) + return 0; + ++ if (!pdd->proc_ctx_cpu_ptr) { ++ r = amdgpu_amdkfd_alloc_gtt_mem(adev, ++ AMDGPU_MES_PROC_CTX_SIZE, ++ &pdd->proc_ctx_bo, ++ &pdd->proc_ctx_gpu_addr, ++ &pdd->proc_ctx_cpu_ptr, ++ false); ++ if (r) { ++ dev_err(adev->dev, ++ "failed to allocate process context bo\n"); ++ return r; ++ } ++ memset(pdd->proc_ctx_cpu_ptr, 0, AMDGPU_MES_PROC_CTX_SIZE); ++ } ++ + return amdgpu_mes_set_shader_debugger(pdd->dev->adev, pdd->proc_ctx_gpu_addr, spi_dbg_cntl, + pdd->watch_points, flags, sq_trap_en); + } diff --git a/queue-6.12/drm-amdkfd-wq_release-signals-dma_fence-only-when-available.patch b/queue-6.12/drm-amdkfd-wq_release-signals-dma_fence-only-when-available.patch new file mode 100644 index 00000000000..6c936691ceb --- /dev/null +++ b/queue-6.12/drm-amdkfd-wq_release-signals-dma_fence-only-when-available.patch @@ -0,0 +1,76 @@ +From a993d319aebb7cce8a10c6e685344b7c2ad5c4c2 Mon Sep 17 00:00:00 2001 +From: Zhu Lingshan +Date: Wed, 11 Dec 2024 11:51:13 +0800 +Subject: drm/amdkfd: wq_release signals dma_fence only when available + +From: Zhu Lingshan + +commit a993d319aebb7cce8a10c6e685344b7c2ad5c4c2 upstream. + +kfd_process_wq_release() signals eviction fence by +dma_fence_signal() which wanrs if dma_fence +is NULL. + +kfd_process->ef is initialized by kfd_process_device_init_vm() +through ioctl. That means the fence is NULL for a new +created kfd_process, and close a kfd_process right +after open it will trigger the warning. + +This commit conditionally signals the eviction fence +in kfd_process_wq_release() only when it is available. + +[ 503.660882] WARNING: CPU: 0 PID: 9 at drivers/dma-buf/dma-fence.c:467 dma_fence_signal+0x74/0xa0 +[ 503.782940] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] +[ 503.789640] RIP: 0010:dma_fence_signal+0x74/0xa0 +[ 503.877620] Call Trace: +[ 503.880066] +[ 503.882168] ? __warn+0xcd/0x260 +[ 503.885407] ? dma_fence_signal+0x74/0xa0 +[ 503.889416] ? report_bug+0x288/0x2d0 +[ 503.893089] ? handle_bug+0x53/0xa0 +[ 503.896587] ? exc_invalid_op+0x14/0x50 +[ 503.900424] ? asm_exc_invalid_op+0x16/0x20 +[ 503.904616] ? dma_fence_signal+0x74/0xa0 +[ 503.908626] kfd_process_wq_release+0x6b/0x370 [amdgpu] +[ 503.914081] process_one_work+0x654/0x10a0 +[ 503.918186] worker_thread+0x6c3/0xe70 +[ 503.921943] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 503.926735] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 503.931527] ? __kthread_parkme+0x82/0x140 +[ 503.935631] ? __pfx_worker_thread+0x10/0x10 +[ 503.939904] kthread+0x2a8/0x380 +[ 503.943132] ? __pfx_kthread+0x10/0x10 +[ 503.946882] ret_from_fork+0x2d/0x70 +[ 503.950458] ? __pfx_kthread+0x10/0x10 +[ 503.954210] ret_from_fork_asm+0x1a/0x30 +[ 503.958142] +[ 503.960328] ---[ end trace 0000000000000000 ]--- + +Fixes: 967d226eaae8 ("dma-buf: add WARN_ON() illegal dma-fence signaling") +Signed-off-by: Zhu Lingshan +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +(cherry picked from commit 2774ef7625adb5fb9e9265c26a59dca7b8fd171e) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +index d0ee173acf82..edfe0b4788f4 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -1160,7 +1160,8 @@ static void kfd_process_wq_release(struct work_struct *work) + */ + synchronize_rcu(); + ef = rcu_access_pointer(p->ef); +- dma_fence_signal(ef); ++ if (ef) ++ dma_fence_signal(ef); + + kfd_process_remove_sysfs(p); + +-- +2.48.0 + diff --git a/queue-6.12/fs-kill-mnt_onrb.patch b/queue-6.12/fs-kill-mnt_onrb.patch new file mode 100644 index 00000000000..927b46e8ea8 --- /dev/null +++ b/queue-6.12/fs-kill-mnt_onrb.patch @@ -0,0 +1,201 @@ +From 344bac8f0d73fe970cd9f5b2f132906317d29e8b Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Sun, 15 Dec 2024 21:17:05 +0100 +Subject: fs: kill MNT_ONRB + +From: Christian Brauner + +commit 344bac8f0d73fe970cd9f5b2f132906317d29e8b upstream. + +Move mnt->mnt_node into the union with mnt->mnt_rcu and mnt->mnt_llist +instead of keeping it with mnt->mnt_list. This allows us to use +RB_CLEAR_NODE(&mnt->mnt_node) in umount_tree() as well as +list_empty(&mnt->mnt_node). That in turn allows us to remove MNT_ONRB. + +This also fixes the bug reported in [1] where seemingly MNT_ONRB wasn't +set in @mnt->mnt_flags even though the mount was present in the mount +rbtree of the mount namespace. + +The root cause is the following race. When a btrfs subvolume is mounted +a temporary mount is created: + +btrfs_get_tree_subvol() +{ + mnt = fc_mount() + // Register the newly allocated mount with sb->mounts: + lock_mount_hash(); + list_add_tail(&mnt->mnt_instance, &mnt->mnt.mnt_sb->s_mounts); + unlock_mount_hash(); +} + +and registered on sb->s_mounts. Later it is added to an anonymous mount +namespace via mount_subvol(): + +-> mount_subvol() + -> mount_subtree() + -> alloc_mnt_ns() + mnt_add_to_ns() + vfs_path_lookup() + put_mnt_ns() + +The mnt_add_to_ns() call raises MNT_ONRB in @mnt->mnt_flags. If someone +concurrently does a ro remount: + +reconfigure_super() +-> sb_prepare_remount_readonly() + { + list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) { + } + +all mounts registered in sb->s_mounts are visited and first +MNT_WRITE_HOLD is raised, then MNT_READONLY is raised, and finally +MNT_WRITE_HOLD is removed again. + +The flag modification for MNT_WRITE_HOLD/MNT_READONLY and MNT_ONRB race +so MNT_ONRB might be lost. + +Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree") +Cc: # v6.8+ +Link: https://lore.kernel.org/r/20241215-vfs-6-14-mount-work-v1-1-fd55922c4af8@kernel.org +Link: https://lore.kernel.org/r/ec6784ed-8722-4695-980a-4400d4e7bd1a@gmx.com [1] +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/mount.h | 15 +++++++++------ + fs/namespace.c | 14 ++++++-------- + include/linux/mount.h | 3 +-- + 3 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/fs/mount.h b/fs/mount.h +index 185fc56afc13..179f690a0c72 100644 +--- a/fs/mount.h ++++ b/fs/mount.h +@@ -38,6 +38,7 @@ struct mount { + struct dentry *mnt_mountpoint; + struct vfsmount mnt; + union { ++ struct rb_node mnt_node; /* node in the ns->mounts rbtree */ + struct rcu_head mnt_rcu; + struct llist_node mnt_llist; + }; +@@ -51,10 +52,7 @@ struct mount { + struct list_head mnt_child; /* and going through their mnt_child */ + struct list_head mnt_instance; /* mount instance on sb->s_mounts */ + const char *mnt_devname; /* Name of device e.g. /dev/dsk/hda1 */ +- union { +- struct rb_node mnt_node; /* Under ns->mounts */ +- struct list_head mnt_list; +- }; ++ struct list_head mnt_list; + struct list_head mnt_expire; /* link in fs-specific expiry list */ + struct list_head mnt_share; /* circular list of shared mounts */ + struct list_head mnt_slave_list;/* list of slave mounts */ +@@ -145,11 +143,16 @@ static inline bool is_anon_ns(struct mnt_namespace *ns) + return ns->seq == 0; + } + ++static inline bool mnt_ns_attached(const struct mount *mnt) ++{ ++ return !RB_EMPTY_NODE(&mnt->mnt_node); ++} ++ + static inline void move_from_ns(struct mount *mnt, struct list_head *dt_list) + { +- WARN_ON(!(mnt->mnt.mnt_flags & MNT_ONRB)); +- mnt->mnt.mnt_flags &= ~MNT_ONRB; ++ WARN_ON(!mnt_ns_attached(mnt)); + rb_erase(&mnt->mnt_node, &mnt->mnt_ns->mounts); ++ RB_CLEAR_NODE(&mnt->mnt_node); + list_add_tail(&mnt->mnt_list, dt_list); + } + +diff --git a/fs/namespace.c b/fs/namespace.c +index 23e81c2a1e3f..847fa8443e8a 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -344,6 +344,7 @@ static struct mount *alloc_vfsmnt(const char *name) + INIT_HLIST_NODE(&mnt->mnt_mp_list); + INIT_LIST_HEAD(&mnt->mnt_umounting); + INIT_HLIST_HEAD(&mnt->mnt_stuck_children); ++ RB_CLEAR_NODE(&mnt->mnt_node); + mnt->mnt.mnt_idmap = &nop_mnt_idmap; + } + return mnt; +@@ -1124,7 +1125,7 @@ static void mnt_add_to_ns(struct mnt_namespace *ns, struct mount *mnt) + struct rb_node **link = &ns->mounts.rb_node; + struct rb_node *parent = NULL; + +- WARN_ON(mnt->mnt.mnt_flags & MNT_ONRB); ++ WARN_ON(mnt_ns_attached(mnt)); + mnt->mnt_ns = ns; + while (*link) { + parent = *link; +@@ -1135,7 +1136,6 @@ static void mnt_add_to_ns(struct mnt_namespace *ns, struct mount *mnt) + } + rb_link_node(&mnt->mnt_node, parent, link); + rb_insert_color(&mnt->mnt_node, &ns->mounts); +- mnt->mnt.mnt_flags |= MNT_ONRB; + } + + /* +@@ -1305,7 +1305,7 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root, + } + + mnt->mnt.mnt_flags = old->mnt.mnt_flags; +- mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL|MNT_ONRB); ++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL); + + atomic_inc(&sb->s_active); + mnt->mnt.mnt_idmap = mnt_idmap_get(mnt_idmap(&old->mnt)); +@@ -1763,7 +1763,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + /* Gather the mounts to umount */ + for (p = mnt; p; p = next_mnt(p, mnt)) { + p->mnt.mnt_flags |= MNT_UMOUNT; +- if (p->mnt.mnt_flags & MNT_ONRB) ++ if (mnt_ns_attached(p)) + move_from_ns(p, &tmp_list); + else + list_move(&p->mnt_list, &tmp_list); +@@ -1912,16 +1912,14 @@ static int do_umount(struct mount *mnt, int flags) + + event++; + if (flags & MNT_DETACH) { +- if (mnt->mnt.mnt_flags & MNT_ONRB || +- !list_empty(&mnt->mnt_list)) ++ if (mnt_ns_attached(mnt) || !list_empty(&mnt->mnt_list)) + umount_tree(mnt, UMOUNT_PROPAGATE); + retval = 0; + } else { + shrink_submounts(mnt); + retval = -EBUSY; + if (!propagate_mount_busy(mnt, 2)) { +- if (mnt->mnt.mnt_flags & MNT_ONRB || +- !list_empty(&mnt->mnt_list)) ++ if (mnt_ns_attached(mnt) || !list_empty(&mnt->mnt_list)) + umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC); + retval = 0; + } +diff --git a/include/linux/mount.h b/include/linux/mount.h +index c34c18b4e8f3..04213d8ef837 100644 +--- a/include/linux/mount.h ++++ b/include/linux/mount.h +@@ -50,7 +50,7 @@ struct path; + #define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME ) + + #define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \ +- MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED | MNT_ONRB) ++ MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED) + + #define MNT_INTERNAL 0x4000 + +@@ -64,7 +64,6 @@ struct path; + #define MNT_SYNC_UMOUNT 0x2000000 + #define MNT_MARKED 0x4000000 + #define MNT_UMOUNT 0x8000000 +-#define MNT_ONRB 0x10000000 + + struct vfsmount { + struct dentry *mnt_root; /* root of the mounted tree */ +-- +2.48.0 + diff --git a/queue-6.12/gpio-loongson-fix-loongson-2k2000-acpi-gpio-register-offset.patch b/queue-6.12/gpio-loongson-fix-loongson-2k2000-acpi-gpio-register-offset.patch new file mode 100644 index 00000000000..f7f3c64336d --- /dev/null +++ b/queue-6.12/gpio-loongson-fix-loongson-2k2000-acpi-gpio-register-offset.patch @@ -0,0 +1,47 @@ +From e59f4c97172de0c302894cfd5616161c1f0c4d85 Mon Sep 17 00:00:00 2001 +From: Binbin Zhou +Date: Tue, 7 Jan 2025 18:38:56 +0800 +Subject: gpio: loongson: Fix Loongson-2K2000 ACPI GPIO register offset + +From: Binbin Zhou + +commit e59f4c97172de0c302894cfd5616161c1f0c4d85 upstream. + +Since commit 3feb70a61740 ("gpio: loongson: add more gpio chip +support"), the Loongson-2K2000 GPIO is supported. + +However, according to the firmware development specification, the +Loongson-2K2000 ACPI GPIO register offsets in the driver do not match +the register base addresses in the firmware, resulting in the registers +not being accessed properly. + +Now, we fix it to ensure the GPIO function works properly. + +Cc: stable@vger.kernel.org +Cc: Yinbo Zhu +Fixes: 3feb70a61740 ("gpio: loongson: add more gpio chip support") +Co-developed-by: Hongliang Wang +Signed-off-by: Hongliang Wang +Signed-off-by: Binbin Zhou +Link: https://lore.kernel.org/r/20250107103856.1037222-1-zhoubinbin@loongson.cn +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-loongson-64bit.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpio/gpio-loongson-64bit.c ++++ b/drivers/gpio/gpio-loongson-64bit.c +@@ -237,9 +237,9 @@ static const struct loongson_gpio_chip_d + static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data2 = { + .label = "ls2k2000_gpio", + .mode = BIT_CTRL_MODE, +- .conf_offset = 0x84, +- .in_offset = 0x88, +- .out_offset = 0x80, ++ .conf_offset = 0x4, ++ .in_offset = 0x8, ++ .out_offset = 0x0, + }; + + static const struct loongson_gpio_chip_data loongson_gpio_ls3a5000_data = { diff --git a/queue-6.12/io_uring-sqpoll-zero-sqd-thread-on-tctx-errors.patch b/queue-6.12/io_uring-sqpoll-zero-sqd-thread-on-tctx-errors.patch new file mode 100644 index 00000000000..e904abed086 --- /dev/null +++ b/queue-6.12/io_uring-sqpoll-zero-sqd-thread-on-tctx-errors.patch @@ -0,0 +1,55 @@ +From 4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 10 Jan 2025 14:31:23 +0000 +Subject: io_uring/sqpoll: zero sqd->thread on tctx errors + +From: Pavel Begunkov + +commit 4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba upstream. + +Syzkeller reports: + +BUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 +Read of size 8 at addr ffff88803578c510 by task syz.2.3223/27552 + Call Trace: + + ... + kasan_report+0x143/0x180 mm/kasan/report.c:602 + thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 + thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639 + getrusage+0x1000/0x1340 kernel/sys.c:1863 + io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197 + seq_show+0x608/0x770 fs/proc/fd.c:68 + ... + +That's due to sqd->task not being cleared properly in cases where +SQPOLL task tctx setup fails, which can essentially only happen with +fault injection to insert allocation errors. + +Cc: stable@vger.kernel.org +Fixes: 1251d2025c3e1 ("io_uring/sqpoll: early exit thread if task_context wasn't allocated") +Reported-by: syzbot+3d92cfcfa84070b0a470@syzkaller.appspotmail.com +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/efc7ec7010784463b2e7466d7b5c02c2cb381635.1736519461.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/sqpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/io_uring/sqpoll.c ++++ b/io_uring/sqpoll.c +@@ -275,8 +275,12 @@ static int io_sq_thread(void *data) + DEFINE_WAIT(wait); + + /* offload context creation failed, just exit */ +- if (!current->io_uring) ++ if (!current->io_uring) { ++ mutex_lock(&sqd->lock); ++ sqd->thread = NULL; ++ mutex_unlock(&sqd->lock); + goto err_out; ++ } + + snprintf(buf, sizeof(buf), "iou-sqp-%d", sqd->task_pid); + set_task_comm(current, buf); diff --git a/queue-6.12/io_uring-timeout-fix-multishot-updates.patch b/queue-6.12/io_uring-timeout-fix-multishot-updates.patch new file mode 100644 index 00000000000..4b25e7e4d94 --- /dev/null +++ b/queue-6.12/io_uring-timeout-fix-multishot-updates.patch @@ -0,0 +1,41 @@ +From c83c846231db8b153bfcb44d552d373c34f78245 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sat, 4 Jan 2025 18:29:02 +0000 +Subject: io_uring/timeout: fix multishot updates + +From: Pavel Begunkov + +commit c83c846231db8b153bfcb44d552d373c34f78245 upstream. + +After update only the first shot of a multishot timeout request adheres +to the new timeout value while all subsequent retries continue to use +the old value. Don't forget to update the timeout stored in struct +io_timeout_data. + +Cc: stable@vger.kernel.org +Fixes: ea97f6c8558e8 ("io_uring: add support for multishot timeouts") +Reported-by: Christian Mazakas +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/e6516c3304eb654ec234cfa65c88a9579861e597.1736015288.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/timeout.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -409,10 +409,12 @@ static int io_timeout_update(struct io_r + + timeout->off = 0; /* noseq */ + data = req->async_data; ++ data->ts = *ts; ++ + list_add_tail(&timeout->list, &ctx->timeout_list); + hrtimer_init(&data->timer, io_timeout_get_clock(data), mode); + data->timer.function = io_timeout_fn; +- hrtimer_start(&data->timer, timespec64_to_ktime(*ts), mode); ++ hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), mode); + return 0; + } + diff --git a/queue-6.12/riscv-fix-sleeping-in-invalid-context-in-die.patch b/queue-6.12/riscv-fix-sleeping-in-invalid-context-in-die.patch new file mode 100644 index 00000000000..1a77bb4a1ef --- /dev/null +++ b/queue-6.12/riscv-fix-sleeping-in-invalid-context-in-die.patch @@ -0,0 +1,74 @@ +From 6a97f4118ac07cfdc316433f385dbdc12af5025e Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 18 Nov 2024 10:13:33 +0100 +Subject: riscv: Fix sleeping in invalid context in die() + +From: Nam Cao + +commit 6a97f4118ac07cfdc316433f385dbdc12af5025e upstream. + +die() can be called in exception handler, and therefore cannot sleep. +However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. +That causes the following warning: + +BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex +preempt_count: 110001, expected: 0 +RCU nest depth: 0, expected: 0 +CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234 +Hardware name: riscv-virtio,qemu (DT) +Call Trace: + dump_backtrace+0x1c/0x24 + show_stack+0x2c/0x38 + dump_stack_lvl+0x5a/0x72 + dump_stack+0x14/0x1c + __might_resched+0x130/0x13a + rt_spin_lock+0x2a/0x5c + die+0x24/0x112 + do_trap_insn_illegal+0xa0/0xea + _new_vmalloc_restore_context_a0+0xcc/0xd8 +Oops - illegal instruction [#1] + +Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT +enabled. + +Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code") +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20241118091333.1185288-1-namcao@linutronix.de +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/traps.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -35,7 +35,7 @@ + + int show_unhandled_signals = 1; + +-static DEFINE_SPINLOCK(die_lock); ++static DEFINE_RAW_SPINLOCK(die_lock); + + static int copy_code(struct pt_regs *regs, u16 *val, const u16 *insns) + { +@@ -81,7 +81,7 @@ void die(struct pt_regs *regs, const cha + + oops_enter(); + +- spin_lock_irqsave(&die_lock, flags); ++ raw_spin_lock_irqsave(&die_lock, flags); + console_verbose(); + bust_spinlocks(1); + +@@ -100,7 +100,7 @@ void die(struct pt_regs *regs, const cha + + bust_spinlocks(0); + add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); +- spin_unlock_irqrestore(&die_lock, flags); ++ raw_spin_unlock_irqrestore(&die_lock, flags); + oops_exit(); + + if (in_interrupt()) diff --git a/queue-6.12/riscv-kprobes-fix-incorrect-address-calculation.patch b/queue-6.12/riscv-kprobes-fix-incorrect-address-calculation.patch new file mode 100644 index 00000000000..267441f42b7 --- /dev/null +++ b/queue-6.12/riscv-kprobes-fix-incorrect-address-calculation.patch @@ -0,0 +1,59 @@ +From 13134cc949148e1dfa540a0fe5dc73569bc62155 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Tue, 19 Nov 2024 12:10:56 +0100 +Subject: riscv: kprobes: Fix incorrect address calculation + +From: Nam Cao + +commit 13134cc949148e1dfa540a0fe5dc73569bc62155 upstream. + +p->ainsn.api.insn is a pointer to u32, therefore arithmetic operations are +multiplied by four. This is clearly undesirable for this case. + +Cast it to (void *) first before any calculation. + +Below is a sample before/after. The dumped memory is two kprobe slots, the +first slot has + + - c.addiw a0, 0x1c (0x7125) + - ebreak (0x00100073) + +and the second slot has: + + - c.addiw a0, -4 (0x7135) + - ebreak (0x00100073) + +Before this patch: + +(gdb) x/16xh 0xff20000000135000 +0xff20000000135000: 0x7125 0x0000 0x0000 0x0000 0x7135 0x0010 0x0000 0x0000 +0xff20000000135010: 0x0073 0x0010 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 + +After this patch: + +(gdb) x/16xh 0xff20000000125000 +0xff20000000125000: 0x7125 0x0073 0x0010 0x0000 0x7135 0x0073 0x0010 0x0000 +0xff20000000125010: 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 + +Fixes: b1756750a397 ("riscv: kprobes: Use patch_text_nosync() for insn slots") +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20241119111056.2554419-1-namcao@linutronix.de +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/probes/kprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/probes/kprobes.c ++++ b/arch/riscv/kernel/probes/kprobes.c +@@ -30,7 +30,7 @@ static void __kprobes arch_prepare_ss_sl + p->ainsn.api.restore = (unsigned long)p->addr + len; + + patch_text_nosync(p->ainsn.api.insn, &p->opcode, len); +- patch_text_nosync(p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn)); ++ patch_text_nosync((void *)p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn)); + } + + static void __kprobes arch_prepare_simulate(struct kprobe *p) diff --git a/queue-6.12/series b/queue-6.12/series index a7e4b70921a..3539e6db6dc 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -109,3 +109,21 @@ sched_ext-replace-rq_lock-to-raw_spin_rq_lock-in-scx.patch sched_ext-switch-class-when-preempted-by-higher-prio.patch cgroup-cpuset-remove-kernfs-active-break.patch sched_ext-idle-refresh-idle-masks-during-idle-to-idl.patch +arm64-dts-qcom-x1e80100-fix-up-bar-space-size-for-pcie6a.patch +arm64-dts-qcom-sa8775p-fix-the-size-of-addr_space-regions.patch +smb-client-sync-the-root-session-and-superblock-context-passwords-before-automounting.patch +fs-kill-mnt_onrb.patch +riscv-fix-sleeping-in-invalid-context-in-die.patch +riscv-kprobes-fix-incorrect-address-calculation.patch +gpio-loongson-fix-loongson-2k2000-acpi-gpio-register-offset.patch +acpi-resource-add-tongfang-gm5hg0a-to-irq1_edge_low_force_override.patch +acpi-resource-add-asus-vivobook-x1504vap-to-irq1_level_low_skip_override.patch +drm-amdgpu-add-a-lock-when-accessing-the-buddy-trim-function.patch +drm-amd-pm-fix-bug-scheduling-while-atomic.patch +drm-amdkfd-fixed-page-fault-when-enable-mes-shader-debugger.patch +drm-amdkfd-wq_release-signals-dma_fence-only-when-available.patch +drm-amd-display-fix-divide-error-in-dm-plane-scale-calcs.patch +drm-amd-display-fix-page-fault-due-to-max-surface-definition-mismatch.patch +drm-amd-display-increase-max_surfaces-to-the-value-supported-by-hw.patch +io_uring-timeout-fix-multishot-updates.patch +io_uring-sqpoll-zero-sqd-thread-on-tctx-errors.patch diff --git a/queue-6.12/smb-client-sync-the-root-session-and-superblock-context-passwords-before-automounting.patch b/queue-6.12/smb-client-sync-the-root-session-and-superblock-context-passwords-before-automounting.patch new file mode 100644 index 00000000000..0234a820b1d --- /dev/null +++ b/queue-6.12/smb-client-sync-the-root-session-and-superblock-context-passwords-before-automounting.patch @@ -0,0 +1,62 @@ +From 20b1aa912316ffb7fbb5f407f17c330f2a22ddff Mon Sep 17 00:00:00 2001 +From: Meetakshi Setiya +Date: Wed, 8 Jan 2025 05:10:34 -0500 +Subject: smb: client: sync the root session and superblock context passwords before automounting + +From: Meetakshi Setiya + +commit 20b1aa912316ffb7fbb5f407f17c330f2a22ddff upstream. + +In some cases, when password2 becomes the working password, the +client swaps the two password fields in the root session struct, but +not in the smb3_fs_context struct in cifs_sb. DFS automounts inherit +fs context from their parent mounts. Therefore, they might end up +getting the passwords in the stale order. +The automount should succeed, because the mount function will end up +retrying with the actual password anyway. But to reduce these +unnecessary session setup retries for automounts, we can sync the +parent context's passwords with the root session's passwords before +duplicating it to the child's fs context. + +Cc: stable@vger.kernel.org +Signed-off-by: Meetakshi Setiya +Reviewed-by: Shyam Prasad N +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/namespace.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/namespace.c ++++ b/fs/smb/client/namespace.c +@@ -196,11 +196,28 @@ static struct vfsmount *cifs_do_automoun + struct smb3_fs_context tmp; + char *full_path; + struct vfsmount *mnt; ++ struct cifs_sb_info *mntpt_sb; ++ struct cifs_ses *ses; + + if (IS_ROOT(mntpt)) + return ERR_PTR(-ESTALE); + +- cur_ctx = CIFS_SB(mntpt->d_sb)->ctx; ++ mntpt_sb = CIFS_SB(mntpt->d_sb); ++ ses = cifs_sb_master_tcon(mntpt_sb)->ses; ++ cur_ctx = mntpt_sb->ctx; ++ ++ /* ++ * At this point, the root session should be in the mntpt sb. We should ++ * bring the sb context passwords in sync with the root session's ++ * passwords. This would help prevent unnecessary retries and password ++ * swaps for automounts. ++ */ ++ mutex_lock(&ses->session_mutex); ++ rc = smb3_sync_session_ctx_passwords(mntpt_sb, ses); ++ mutex_unlock(&ses->session_mutex); ++ ++ if (rc) ++ return ERR_PTR(rc); + + fc = fs_context_for_submount(path->mnt->mnt_sb->s_type, mntpt); + if (IS_ERR(fc))