From 220db9d7a3e2e9db310e43eeff0a2d3d44dabdce Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 14:32:02 +0200 Subject: [PATCH] 6.6-stable patches added patches: asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch drm-lima-mark-simple_ondemand-governor-as-softdep.patch drm-mgag200-bind-i2c-lifetime-to-drm-device.patch drm-mgag200-set-ddc-timeout-in-milliseconds.patch drm-radeon-remove-__counted_by-from-statearray.states.patch eventfs-don-t-return-null-in-eventfs_create_dir.patch eventfs-use-srcu-for-freeing-eventfs_inodes.patch genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch irqchip-xilinx-fix-shift-out-of-bounds.patch kcov-properly-check-for-softirq-context.patch loongarch-enable-general-efi-poweroff-method.patch memcg-protect-concurrent-access-to-mem_cgroup_idr.patch mptcp-fully-established-after-add_addr-echo-on-mpj.patch mptcp-pm-fix-backup-support-in-signal-endpoints.patch padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch parisc-fix-a-possible-dma-corruption.patch parisc-fix-unaligned-accesses-in-bpf.patch power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch sched-core-introduce-sched_set_rq_on-offline-helper.patch sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch sched-smt-introduce-sched_smt_present_inc-dec-helper.patch selftests-mm-add-s390-to-arch-check.patch selftests-mptcp-fix-error-path.patch serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch smb3-fix-setting-securityflags-when-encryption-is-required.patch tracing-fix-overflow-in-get_free_elt.patch x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch --- ...or-omen-by-hp-gaming-laptop-16-n0xxx.patch | 38 +++++ ...fixed-char-array-size-for-tree-names.patch | 66 ++++++++ ...y-handle-zero-sized-aux-transactions.patch | 58 +++++++ ...-if-topology-probing-is-not-done-yet.patch | 60 +++++++ ...-simple_ondemand-governor-as-softdep.patch | 55 +++++++ ...g200-bind-i2c-lifetime-to-drm-device.patch | 60 +++++++ ...g200-set-ddc-timeout-in-milliseconds.patch | 41 +++++ ...-__counted_by-from-statearray.states.patch | 67 ++++++++ ...-t-return-null-in-eventfs_create_dir.patch | 45 ++++++ ...-use-srcu-for-freeing-eventfs_inodes.patch | 40 +++++ ...ller-provided-affinity-in-alloc_desc.patch | 43 +++++ ...qchip-xilinx-fix-shift-out-of-bounds.patch | 46 ++++++ ...v-properly-check-for-softirq-context.patch | 96 +++++++++++ ...h-enable-general-efi-poweroff-method.patch | 42 +++++ ...-concurrent-access-to-mem_cgroup_idr.patch | 104 ++++++++++++ ...tablished-after-add_addr-echo-on-mpj.patch | 47 ++++++ ...x-backup-support-in-signal-endpoints.patch | 153 ++++++++++++++++++ ...ivide-by-0-panic-in-padata_mt_helper.patch | 65 ++++++++ ...parisc-fix-a-possible-dma-corruption.patch | 62 +++++++ ...parisc-fix-unaligned-accesses-in-bpf.patch | 48 ++++++ ...r-fix-constant_charge_voltage-writes.patch | 39 +++++ ...-constant_charge_voltage-writes-down.patch | 56 +++++++ ...gain-when-firmware-service-is-not-up.patch | 76 +++++++++ ...line-offline-in-sched_cpu_deactivate.patch | 31 ++++ ...oduce-sched_set_rq_on-offline-helper.patch | 98 +++++++++++ ...-unbalance-sched_smt_present-dec-inc.patch | 52 ++++++ ...uce-sched_smt_present_inc-dec-helper.patch | 77 +++++++++ .../selftests-mm-add-s390-to-arch-check.patch | 46 ++++++ .../selftests-mptcp-fix-error-path.patch | 38 +++++ ...clk-for-zero-to-avoid-divide-by-zero.patch | 68 ++++++++ queue-6.6/series | 34 ++++ ...ityflags-when-encryption-is-required.patch | 91 +++++++++++ ...tracing-fix-overflow-in-get_free_elt.patch | 65 ++++++++ ...fixed-mtrrs-exist-before-saving-them.patch | 44 +++++ ...-virt-spinlock-setting-on-bare-metal.patch | 100 ++++++++++++ 35 files changed, 2151 insertions(+) create mode 100644 queue-6.6/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch create mode 100644 queue-6.6/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch create mode 100644 queue-6.6/drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch create mode 100644 queue-6.6/drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch create mode 100644 queue-6.6/drm-lima-mark-simple_ondemand-governor-as-softdep.patch create mode 100644 queue-6.6/drm-mgag200-bind-i2c-lifetime-to-drm-device.patch create mode 100644 queue-6.6/drm-mgag200-set-ddc-timeout-in-milliseconds.patch create mode 100644 queue-6.6/drm-radeon-remove-__counted_by-from-statearray.states.patch create mode 100644 queue-6.6/eventfs-don-t-return-null-in-eventfs_create_dir.patch create mode 100644 queue-6.6/eventfs-use-srcu-for-freeing-eventfs_inodes.patch create mode 100644 queue-6.6/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch create mode 100644 queue-6.6/irqchip-xilinx-fix-shift-out-of-bounds.patch create mode 100644 queue-6.6/kcov-properly-check-for-softirq-context.patch create mode 100644 queue-6.6/loongarch-enable-general-efi-poweroff-method.patch create mode 100644 queue-6.6/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch create mode 100644 queue-6.6/mptcp-fully-established-after-add_addr-echo-on-mpj.patch create mode 100644 queue-6.6/mptcp-pm-fix-backup-support-in-signal-endpoints.patch create mode 100644 queue-6.6/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch create mode 100644 queue-6.6/parisc-fix-a-possible-dma-corruption.patch create mode 100644 queue-6.6/parisc-fix-unaligned-accesses-in-bpf.patch create mode 100644 queue-6.6/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch create mode 100644 queue-6.6/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch create mode 100644 queue-6.6/power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch create mode 100644 queue-6.6/sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch create mode 100644 queue-6.6/sched-core-introduce-sched_set_rq_on-offline-helper.patch create mode 100644 queue-6.6/sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch create mode 100644 queue-6.6/sched-smt-introduce-sched_smt_present_inc-dec-helper.patch create mode 100644 queue-6.6/selftests-mm-add-s390-to-arch-check.patch create mode 100644 queue-6.6/selftests-mptcp-fix-error-path.patch create mode 100644 queue-6.6/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch create mode 100644 queue-6.6/smb3-fix-setting-securityflags-when-encryption-is-required.patch create mode 100644 queue-6.6/tracing-fix-overflow-in-get_free_elt.patch create mode 100644 queue-6.6/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch create mode 100644 queue-6.6/x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch diff --git a/queue-6.6/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch b/queue-6.6/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch new file mode 100644 index 00000000000..489418f5338 --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch @@ -0,0 +1,38 @@ +From 6675e76a5c441b52b1b983ebb714122087020ebe Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 7 Aug 2024 19:02:27 +0200 +Subject: ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx + +From: Takashi Iwai + +commit 6675e76a5c441b52b1b983ebb714122087020ebe upstream. + +Fix the missing mic on OMEN by HP Gaming Laptop 16-n0xxx by adding the +quirk entry with the board ID 8A44. + +Cc: stable@vger.kernel.org +Link: https://bugzilla.suse.com/show_bug.cgi?id=1227182 +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240807170249.16490-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -413,6 +413,13 @@ static const struct dmi_system_id yc_acp + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_BOARD_NAME, "8A44"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A22"), + } + }, diff --git a/queue-6.6/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch b/queue-6.6/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch new file mode 100644 index 00000000000..2fd1a976e3b --- /dev/null +++ b/queue-6.6/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch @@ -0,0 +1,66 @@ +From 12653ec36112ab55fa06c01db7c4432653d30a8d Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 19 Jul 2024 18:56:46 +0930 +Subject: btrfs: avoid using fixed char array size for tree names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qu Wenruo + +commit 12653ec36112ab55fa06c01db7c4432653d30a8d upstream. + +[BUG] +There is a bug report that using the latest trunk GCC 15, btrfs would cause +unterminated-string-initialization warning: + + linux-6.6/fs/btrfs/print-tree.c:29:49: error: initializer-string for array of ‘char’ is too long [-Werror=unterminated-string-initialization] + 29 | { BTRFS_BLOCK_GROUP_TREE_OBJECTID, "BLOCK_GROUP_TREE" }, + | + ^~~~~~~~~~~~~~~~~~ + +[CAUSE] +To print tree names we have an array of root_name_map structure, which +uses "char name[16];" to store the name string of a tree. + +But the following trees have names exactly at 16 chars length: +- "BLOCK_GROUP_TREE" +- "RAID_STRIPE_TREE" + +This means we will have no space for the terminating '\0', and can lead +to unexpected access when printing the name. + +[FIX] +Instead of "char name[16];" use "const char *" instead. + +Since the name strings are all read-only data, and are all NULL +terminated by default, there is not much need to bother the length at +all. + +Reported-by: Sam James +Reported-by: Alejandro Colomar +Fixes: edde81f1abf29 ("btrfs: add raid stripe tree pretty printer") +Fixes: 9c54e80ddc6bd ("btrfs: add code to support the block group root") +CC: stable@vger.kernel.org # 6.1+ +Suggested-by: Alejandro Colomar +Reviewed-by: Johannes Thumshirn +Reviewed-by: Alejandro Colomar +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/print-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/print-tree.c ++++ b/fs/btrfs/print-tree.c +@@ -12,7 +12,7 @@ + + struct root_name_map { + u64 id; +- char name[16]; ++ const char *name; + }; + + static const struct root_name_map root_map[] = { diff --git a/queue-6.6/drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch b/queue-6.6/drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch new file mode 100644 index 00000000000..776a65f06a1 --- /dev/null +++ b/queue-6.6/drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch @@ -0,0 +1,58 @@ +From e82290a2e0e8ec5e836ecad1ca025021b3855c2d Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Mon, 18 Mar 2024 21:39:23 +0100 +Subject: drm/bridge: analogix_dp: properly handle zero sized AUX transactions + +From: Lucas Stach + +commit e82290a2e0e8ec5e836ecad1ca025021b3855c2d upstream. + +Address only transactions without any data are valid and should not +be flagged as short transactions. Simply return the message size when +no transaction errors occured. + +CC: stable@vger.kernel.org +Signed-off-by: Lucas Stach +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240318203925.2837689-1-l.stach@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +@@ -1027,7 +1027,6 @@ ssize_t analogix_dp_transfer(struct anal + u32 status_reg; + u8 *buffer = msg->buffer; + unsigned int i; +- int num_transferred = 0; + int ret; + + /* Buffer size of AUX CH is 16 bytes */ +@@ -1079,7 +1078,6 @@ ssize_t analogix_dp_transfer(struct anal + reg = buffer[i]; + writel(reg, dp->reg_base + ANALOGIX_DP_BUF_DATA_0 + + 4 * i); +- num_transferred++; + } + } + +@@ -1127,7 +1125,6 @@ ssize_t analogix_dp_transfer(struct anal + reg = readl(dp->reg_base + ANALOGIX_DP_BUF_DATA_0 + + 4 * i); + buffer[i] = (unsigned char)reg; +- num_transferred++; + } + } + +@@ -1144,7 +1141,7 @@ ssize_t analogix_dp_transfer(struct anal + (msg->request & ~DP_AUX_I2C_MOT) == DP_AUX_NATIVE_READ) + msg->reply = DP_AUX_NATIVE_REPLY_ACK; + +- return num_transferred > 0 ? num_transferred : -EBUSY; ++ return msg->size; + + aux_error: + /* if aux err happen, reset aux */ diff --git a/queue-6.6/drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch b/queue-6.6/drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch new file mode 100644 index 00000000000..5576b2067ac --- /dev/null +++ b/queue-6.6/drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch @@ -0,0 +1,60 @@ +From ddf983488c3e8d30d5c2e2b315ae7d9cd87096ed Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Wed, 26 Jun 2024 16:48:24 +0800 +Subject: drm/dp_mst: Skip CSN if topology probing is not done yet + +From: Wayne Lin + +commit ddf983488c3e8d30d5c2e2b315ae7d9cd87096ed upstream. + +[Why] +During resume, observe that we receive CSN event before we start topology +probing. Handling CSN at this moment based on uncertain topology is +unnecessary. + +[How] +Add checking condition in drm_dp_mst_handle_up_req() to skip handling CSN +if the topology is yet to be probed. + +Cc: Lyude Paul +Cc: Harry Wentland +Cc: Jani Nikula +Cc: Imre Deak +Cc: Daniel Vetter +Cc: stable@vger.kernel.org +Signed-off-by: Wayne Lin +Reviewed-by: Lyude Paul +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240626084825.878565-3-Wayne.Lin@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/display/drm_dp_mst_topology.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c +@@ -4024,6 +4024,7 @@ static int drm_dp_mst_handle_up_req(stru + if (up_req->msg.req_type == DP_CONNECTION_STATUS_NOTIFY) { + const struct drm_dp_connection_status_notify *conn_stat = + &up_req->msg.u.conn_stat; ++ bool handle_csn; + + drm_dbg_kms(mgr->dev, "Got CSN: pn: %d ldps:%d ddps: %d mcs: %d ip: %d pdt: %d\n", + conn_stat->port_number, +@@ -4032,6 +4033,16 @@ static int drm_dp_mst_handle_up_req(stru + conn_stat->message_capability_status, + conn_stat->input_port, + conn_stat->peer_device_type); ++ ++ mutex_lock(&mgr->probe_lock); ++ handle_csn = mgr->mst_primary->link_address_sent; ++ mutex_unlock(&mgr->probe_lock); ++ ++ if (!handle_csn) { ++ drm_dbg_kms(mgr->dev, "Got CSN before finish topology probing. Skip it."); ++ kfree(up_req); ++ goto out; ++ } + } else if (up_req->msg.req_type == DP_RESOURCE_STATUS_NOTIFY) { + const struct drm_dp_resource_status_notify *res_stat = + &up_req->msg.u.resource_stat; diff --git a/queue-6.6/drm-lima-mark-simple_ondemand-governor-as-softdep.patch b/queue-6.6/drm-lima-mark-simple_ondemand-governor-as-softdep.patch new file mode 100644 index 00000000000..dc68dd7b197 --- /dev/null +++ b/queue-6.6/drm-lima-mark-simple_ondemand-governor-as-softdep.patch @@ -0,0 +1,55 @@ +From 0c94f58cef319ad054fd909b3bf4b7d09c03e11c Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 17 Jun 2024 22:22:02 +0200 +Subject: drm/lima: Mark simple_ondemand governor as softdep + +From: Dragan Simic + +commit 0c94f58cef319ad054fd909b3bf4b7d09c03e11c upstream. + +Lima DRM driver uses devfreq to perform DVFS, while using simple_ondemand +devfreq governor by default. This causes driver initialization to fail on +boot when simple_ondemand governor isn't built into the kernel statically, +as a result of the missing module dependency and, consequently, the +required governor module not being included in the initial ramdisk. Thus, +let's mark simple_ondemand governor as a softdep for Lima, to have its +kernel module included in the initial ramdisk. + +This is a rather longstanding issue that has forced distributions to build +devfreq governors statically into their kernels, [1][2] or may have forced +some users to introduce unnecessary workarounds. + +Having simple_ondemand marked as a softdep for Lima may not resolve this +issue for all Linux distributions. In particular, it will remain +unresolved for the distributions whose utilities for the initial ramdisk +generation do not handle the available softdep information [3] properly +yet. However, some Linux distributions already handle softdeps properly +while generating their initial ramdisks, [4] and this is a prerequisite +step in the right direction for the distributions that don't handle them +properly yet. + +[1] https://gitlab.manjaro.org/manjaro-arm/packages/core/linux-pinephone/-/blob/6.7-megi/config?ref_type=heads#L5749 +[2] https://gitlab.com/postmarketOS/pmaports/-/blob/7f64e287e7732c9eaa029653e73ca3d4ba1c8598/main/linux-postmarketos-allwinner/config-postmarketos-allwinner.aarch64#L4654 +[3] https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=49d8e0b59052999de577ab732b719cfbeb89504d +[4] https://github.com/archlinux/mkinitcpio/commit/97ac4d37aae084a050be512f6d8f4489054668ad + +Cc: Philip Muller +Cc: Oliver Smith +Cc: Daniel Smith +Cc: stable@vger.kernel.org +Fixes: 1996970773a3 ("drm/lima: Add optional devfreq and cooling device support") +Signed-off-by: Dragan Simic +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/fdaf2e41bb6a0c5118ff9cc21f4f62583208d885.1718655070.git.dsimic@manjaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/lima/lima_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/lima/lima_drv.c ++++ b/drivers/gpu/drm/lima/lima_drv.c +@@ -486,3 +486,4 @@ module_platform_driver(lima_platform_dri + MODULE_AUTHOR("Lima Project Developers"); + MODULE_DESCRIPTION("Lima DRM Driver"); + MODULE_LICENSE("GPL v2"); ++MODULE_SOFTDEP("pre: governor_simpleondemand"); diff --git a/queue-6.6/drm-mgag200-bind-i2c-lifetime-to-drm-device.patch b/queue-6.6/drm-mgag200-bind-i2c-lifetime-to-drm-device.patch new file mode 100644 index 00000000000..d435d00cf9c --- /dev/null +++ b/queue-6.6/drm-mgag200-bind-i2c-lifetime-to-drm-device.patch @@ -0,0 +1,60 @@ +From eb1ae34e48a09b7a1179c579aed042b032e408f4 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 13 May 2024 14:51:07 +0200 +Subject: drm/mgag200: Bind I2C lifetime to DRM device + +From: Thomas Zimmermann + +commit eb1ae34e48a09b7a1179c579aed042b032e408f4 upstream. + +Managed cleanup with devm_add_action_or_reset() will release the I2C +adapter when the underlying Linux device goes away. But the connector +still refers to it, so this cleanup leaves behind a stale pointer +in struct drm_connector.ddc. + +Bind the lifetime of the I2C adapter to the connector's lifetime by +using DRM's managed release. When the DRM device goes away (after +the Linux device) DRM will first clean up the connector and then +clean up the I2C adapter. + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Fixes: b279df242972 ("drm/mgag200: Switch I2C code to managed cleanup") +Cc: Thomas Zimmermann +Cc: Jocelyn Falempe +Cc: Dave Airlie +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.0+ +Link: https://patchwork.freedesktop.org/patch/msgid/20240513125620.6337-3-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mgag200/mgag200_i2c.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/mgag200/mgag200_i2c.c ++++ b/drivers/gpu/drm/mgag200/mgag200_i2c.c +@@ -31,6 +31,8 @@ + #include + #include + ++#include ++ + #include "mgag200_drv.h" + + static int mga_i2c_read_gpio(struct mga_device *mdev) +@@ -86,7 +88,7 @@ static int mga_gpio_getscl(void *data) + return (mga_i2c_read_gpio(mdev) & i2c->clock) ? 1 : 0; + } + +-static void mgag200_i2c_release(void *res) ++static void mgag200_i2c_release(struct drm_device *dev, void *res) + { + struct mga_i2c_chan *i2c = res; + +@@ -126,5 +128,5 @@ int mgag200_i2c_init(struct mga_device * + if (ret) + return ret; + +- return devm_add_action_or_reset(dev->dev, mgag200_i2c_release, i2c); ++ return drmm_add_action_or_reset(dev, mgag200_i2c_release, i2c); + } diff --git a/queue-6.6/drm-mgag200-set-ddc-timeout-in-milliseconds.patch b/queue-6.6/drm-mgag200-set-ddc-timeout-in-milliseconds.patch new file mode 100644 index 00000000000..5e89edeff1f --- /dev/null +++ b/queue-6.6/drm-mgag200-set-ddc-timeout-in-milliseconds.patch @@ -0,0 +1,41 @@ +From ecde5db1598aecab54cc392282c15114f526f05f Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 13 May 2024 14:51:06 +0200 +Subject: drm/mgag200: Set DDC timeout in milliseconds + +From: Thomas Zimmermann + +commit ecde5db1598aecab54cc392282c15114f526f05f upstream. + +Compute the i2c timeout in jiffies from a value in milliseconds. The +original values of 2 jiffies equals 2 milliseconds if HZ has been +configured to a value of 1000. This corresponds to 2.2 milliseconds +used by most other DRM drivers. Update mgag200 accordingly. + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Cc: Dave Airlie +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: Jocelyn Falempe +Cc: dri-devel@lists.freedesktop.org +Cc: # v3.5+ +Link: https://patchwork.freedesktop.org/patch/msgid/20240513125620.6337-2-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mgag200/mgag200_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mgag200/mgag200_i2c.c ++++ b/drivers/gpu/drm/mgag200/mgag200_i2c.c +@@ -115,7 +115,7 @@ int mgag200_i2c_init(struct mga_device * + i2c->adapter.algo_data = &i2c->bit; + + i2c->bit.udelay = 10; +- i2c->bit.timeout = 2; ++ i2c->bit.timeout = usecs_to_jiffies(2200); + i2c->bit.data = i2c; + i2c->bit.setsda = mga_gpio_setsda; + i2c->bit.setscl = mga_gpio_setscl; diff --git a/queue-6.6/drm-radeon-remove-__counted_by-from-statearray.states.patch b/queue-6.6/drm-radeon-remove-__counted_by-from-statearray.states.patch new file mode 100644 index 00000000000..6285c61c8d8 --- /dev/null +++ b/queue-6.6/drm-radeon-remove-__counted_by-from-statearray.states.patch @@ -0,0 +1,67 @@ +From 2bac084468847cfe5bbc7166082b2a208514bb1c Mon Sep 17 00:00:00 2001 +From: Bill Wendling +Date: Wed, 29 May 2024 14:54:44 -0700 +Subject: drm/radeon: Remove __counted_by from StateArray.states[] + +From: Bill Wendling + +commit 2bac084468847cfe5bbc7166082b2a208514bb1c upstream. + +Work for __counted_by on generic pointers in structures (not just +flexible array members) has started landing in Clang 19 (current tip of +tree). During the development of this feature, a restriction was added +to __counted_by to prevent the flexible array member's element type from +including a flexible array member itself such as: + + struct foo { + int count; + char buf[]; + }; + + struct bar { + int count; + struct foo data[] __counted_by(count); + }; + +because the size of data cannot be calculated with the standard array +size formula: + + sizeof(struct foo) * count + +This restriction was downgraded to a warning but due to CONFIG_WERROR, +it can still break the build. The application of __counted_by on the +states member of 'struct _StateArray' triggers this restriction, +resulting in: + + drivers/gpu/drm/radeon/pptable.h:442:5: error: 'counted_by' should not be applied to an array with element of unknown size because 'ATOM_PPLIB_STATE_V2' (aka 'struct _ATOM_PPLIB_STATE_V2') is a struct type with a flexible array member. This will be an error in a future compiler version [-Werror,-Wbounds-safety-counted-by-elt-type-unknown-size] + 442 | ATOM_PPLIB_STATE_V2 states[] __counted_by(ucNumEntries); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +Remove this use of __counted_by to fix the warning/error. However, +rather than remove it altogether, leave it commented, as it may be +possible to support this in future compiler releases. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/2028 +Fixes: efade6fe50e7 ("drm/radeon: silence UBSAN warning (v3)") +Signed-off-by: Bill Wendling +Co-developed-by: Nathan Chancellor +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/pptable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/pptable.h ++++ b/drivers/gpu/drm/radeon/pptable.h +@@ -439,7 +439,7 @@ typedef struct _StateArray{ + //how many states we have + UCHAR ucNumEntries; + +- ATOM_PPLIB_STATE_V2 states[] __counted_by(ucNumEntries); ++ ATOM_PPLIB_STATE_V2 states[] /* __counted_by(ucNumEntries) */; + }StateArray; + + diff --git a/queue-6.6/eventfs-don-t-return-null-in-eventfs_create_dir.patch b/queue-6.6/eventfs-don-t-return-null-in-eventfs_create_dir.patch new file mode 100644 index 00000000000..60c07e002c8 --- /dev/null +++ b/queue-6.6/eventfs-don-t-return-null-in-eventfs_create_dir.patch @@ -0,0 +1,45 @@ +From 12c20c65d0460cf34f9a665d8f0c0d77d45a3829 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Tue, 23 Jul 2024 14:25:21 +0200 +Subject: eventfs: Don't return NULL in eventfs_create_dir() + +From: Mathias Krause + +commit 12c20c65d0460cf34f9a665d8f0c0d77d45a3829 upstream. + +Commit 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing +ei->dentry") added another check, testing if the parent was freed after +we released the mutex. If so, the function returns NULL. However, all +callers expect it to either return a valid pointer or an error pointer, +at least since commit 5264a2f4bb3b ("tracing: Fix a NULL vs IS_ERR() bug +in event_subsystem_dir()"). Returning NULL will therefore fail the error +condition check in the caller. + +Fix this by substituting the NULL return value with a fitting error +pointer. + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: stable@vger.kernel.org +Fixes: 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing ei->dentry") +Link: https://lore.kernel.org/20240723122522.2724-1-minipli@grsecurity.net +Reviewed-by: Dan Carpenter +Reviewed-by: Ajay Kaher +Signed-off-by: Mathias Krause +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/event_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/tracefs/event_inode.c ++++ b/fs/tracefs/event_inode.c +@@ -806,7 +806,7 @@ struct eventfs_inode *eventfs_create_dir + /* Was the parent freed? */ + if (list_empty(&ei->list)) { + cleanup_ei(ei); +- ei = NULL; ++ ei = ERR_PTR(-EBUSY); + } + return ei; + } diff --git a/queue-6.6/eventfs-use-srcu-for-freeing-eventfs_inodes.patch b/queue-6.6/eventfs-use-srcu-for-freeing-eventfs_inodes.patch new file mode 100644 index 00000000000..2e051f81c14 --- /dev/null +++ b/queue-6.6/eventfs-use-srcu-for-freeing-eventfs_inodes.patch @@ -0,0 +1,40 @@ +From 8e556432477e97ad6179c61b61a32bf5f1af2355 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Tue, 23 Jul 2024 23:07:53 +0200 +Subject: eventfs: Use SRCU for freeing eventfs_inodes + +From: Mathias Krause + +commit 8e556432477e97ad6179c61b61a32bf5f1af2355 upstream. + +To mirror the SRCU lock held in eventfs_iterate() when iterating over +eventfs inodes, use call_srcu() to free them too. + +This was accidentally(?) degraded to RCU in commit 43aa6f97c2d0 +("eventfs: Get rid of dentry pointers without refcounts"). + +Cc: Ajay Kaher +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Linus Torvalds +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20240723210755.8970-1-minipli@grsecurity.net +Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts") +Signed-off-by: Mathias Krause +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/event_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/tracefs/event_inode.c ++++ b/fs/tracefs/event_inode.c +@@ -113,7 +113,7 @@ static void release_ei(struct kref *ref) + entry->release(entry->name, ei->data); + } + +- call_rcu(&ei->rcu, free_ei_rcu); ++ call_srcu(&eventfs_srcu, &ei->rcu, free_ei_rcu); + } + + static inline void put_ei(struct eventfs_inode *ei) diff --git a/queue-6.6/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch b/queue-6.6/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch new file mode 100644 index 00000000000..166fb35c1a1 --- /dev/null +++ b/queue-6.6/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch @@ -0,0 +1,43 @@ +From edbbaae42a56f9a2b39c52ef2504dfb3fb0a7858 Mon Sep 17 00:00:00 2001 +From: Shay Drory +Date: Tue, 6 Aug 2024 10:20:44 +0300 +Subject: genirq/irqdesc: Honor caller provided affinity in alloc_desc() + +From: Shay Drory + +commit edbbaae42a56f9a2b39c52ef2504dfb3fb0a7858 upstream. + +Currently, whenever a caller is providing an affinity hint for an +interrupt, the allocation code uses it to calculate the node and copies the +cpumask into irq_desc::affinity. + +If the affinity for the interrupt is not marked 'managed' then the startup +of the interrupt ignores irq_desc::affinity and uses the system default +affinity mask. + +Prevent this by setting the IRQD_AFFINITY_SET flag for the interrupt in the +allocator, which causes irq_setup_affinity() to use irq_desc::affinity on +interrupt startup if the mask contains an online CPU. + +[ tglx: Massaged changelog ] + +Fixes: 45ddcecbfa94 ("genirq: Use affinity hint in irqdesc allocation") +Signed-off-by: Shay Drory +Signed-off-by: Thomas Gleixner +Cc: +Link: https://lore.kernel.org/all/20240806072044.837827-1-shayd@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/irqdesc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -517,6 +517,7 @@ static int alloc_descs(unsigned int star + flags = IRQD_AFFINITY_MANAGED | + IRQD_MANAGED_SHUTDOWN; + } ++ flags |= IRQD_AFFINITY_SET; + mask = &affinity->mask; + node = cpu_to_node(cpumask_first(mask)); + affinity++; diff --git a/queue-6.6/irqchip-xilinx-fix-shift-out-of-bounds.patch b/queue-6.6/irqchip-xilinx-fix-shift-out-of-bounds.patch new file mode 100644 index 00000000000..47500503bbe --- /dev/null +++ b/queue-6.6/irqchip-xilinx-fix-shift-out-of-bounds.patch @@ -0,0 +1,46 @@ +From d73f0f49daa84176c3beee1606e73c7ffb6af8b2 Mon Sep 17 00:00:00 2001 +From: Radhey Shyam Pandey +Date: Fri, 9 Aug 2024 12:32:24 +0530 +Subject: irqchip/xilinx: Fix shift out of bounds + +From: Radhey Shyam Pandey + +commit d73f0f49daa84176c3beee1606e73c7ffb6af8b2 upstream. + +The device tree property 'xlnx,kind-of-intr' is sanity checked that the +bitmask contains only set bits which are in the range of the number of +interrupts supported by the controller. + +The check is done by shifting the mask right by the number of supported +interrupts and checking the result for zero. + +The data type of the mask is u32 and the number of supported interrupts is +up to 32. In case of 32 interrupts the shift is out of bounds, resulting in +a mismatch warning. The out of bounds condition is also reported by UBSAN: + + UBSAN: shift-out-of-bounds in irq-xilinx-intc.c:332:22 + shift exponent 32 is too large for 32-bit type 'unsigned int' + +Fix it by promoting the mask to u64 for the test. + +Fixes: d50466c90724 ("microblaze: intc: Refactor DT sanity check") +Signed-off-by: Radhey Shyam Pandey +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/1723186944-3571957-1-git-send-email-radhey.shyam.pandey@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-xilinx-intc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-xilinx-intc.c ++++ b/drivers/irqchip/irq-xilinx-intc.c +@@ -189,7 +189,7 @@ static int __init xilinx_intc_of_init(st + irqc->intr_mask = 0; + } + +- if (irqc->intr_mask >> irqc->nr_irq) ++ if ((u64)irqc->intr_mask >> irqc->nr_irq) + pr_warn("irq-xilinx: mismatch in kind-of-intr param\n"); + + pr_info("irq-xilinx: %pOF: num_irq=%d, edge=0x%x\n", diff --git a/queue-6.6/kcov-properly-check-for-softirq-context.patch b/queue-6.6/kcov-properly-check-for-softirq-context.patch new file mode 100644 index 00000000000..7c9ef9dfbba --- /dev/null +++ b/queue-6.6/kcov-properly-check-for-softirq-context.patch @@ -0,0 +1,96 @@ +From 7d4df2dad312f270d62fecb0e5c8b086c6d7dcfc Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Mon, 29 Jul 2024 04:21:58 +0200 +Subject: kcov: properly check for softirq context + +From: Andrey Konovalov + +commit 7d4df2dad312f270d62fecb0e5c8b086c6d7dcfc upstream. + +When collecting coverage from softirqs, KCOV uses in_serving_softirq() to +check whether the code is running in the softirq context. Unfortunately, +in_serving_softirq() is > 0 even when the code is running in the hardirq +or NMI context for hardirqs and NMIs that happened during a softirq. + +As a result, if a softirq handler contains a remote coverage collection +section and a hardirq with another remote coverage collection section +happens during handling the softirq, KCOV incorrectly detects a nested +softirq coverate collection section and prints a WARNING, as reported by +syzbot. + +This issue was exposed by commit a7f3813e589f ("usb: gadget: dummy_hcd: +Switch to hrtimer transfer scheduler"), which switched dummy_hcd to using +hrtimer and made the timer's callback be executed in the hardirq context. + +Change the related checks in KCOV to account for this behavior of +in_serving_softirq() and make KCOV ignore remote coverage collection +sections in the hardirq and NMI contexts. + +This prevents the WARNING printed by syzbot but does not fix the inability +of KCOV to collect coverage from the __usb_hcd_giveback_urb when dummy_hcd +is in use (caused by a7f3813e589f); a separate patch is required for that. + +Link: https://lkml.kernel.org/r/20240729022158.92059-1-andrey.konovalov@linux.dev +Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts") +Signed-off-by: Andrey Konovalov +Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac +Acked-by: Marco Elver +Cc: Alan Stern +Cc: Aleksandr Nogikh +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Greg Kroah-Hartman +Cc: Marcello Sylvester Bauer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kcov.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/kernel/kcov.c ++++ b/kernel/kcov.c +@@ -161,6 +161,15 @@ static void kcov_remote_area_put(struct + kmsan_unpoison_memory(&area->list, sizeof(area->list)); + } + ++/* ++ * Unlike in_serving_softirq(), this function returns false when called during ++ * a hardirq or an NMI that happened in the softirq context. ++ */ ++static inline bool in_softirq_really(void) ++{ ++ return in_serving_softirq() && !in_hardirq() && !in_nmi(); ++} ++ + static notrace bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t) + { + unsigned int mode; +@@ -170,7 +179,7 @@ static notrace bool check_kcov_mode(enum + * so we ignore code executed in interrupts, unless we are in a remote + * coverage collection section in a softirq. + */ +- if (!in_task() && !(in_serving_softirq() && t->kcov_softirq)) ++ if (!in_task() && !(in_softirq_really() && t->kcov_softirq)) + return false; + mode = READ_ONCE(t->kcov_mode); + /* +@@ -848,7 +857,7 @@ void kcov_remote_start(u64 handle) + + if (WARN_ON(!kcov_check_handle(handle, true, true, true))) + return; +- if (!in_task() && !in_serving_softirq()) ++ if (!in_task() && !in_softirq_really()) + return; + + local_lock_irqsave(&kcov_percpu_data.lock, flags); +@@ -990,7 +999,7 @@ void kcov_remote_stop(void) + int sequence; + unsigned long flags; + +- if (!in_task() && !in_serving_softirq()) ++ if (!in_task() && !in_softirq_really()) + return; + + local_lock_irqsave(&kcov_percpu_data.lock, flags); diff --git a/queue-6.6/loongarch-enable-general-efi-poweroff-method.patch b/queue-6.6/loongarch-enable-general-efi-poweroff-method.patch new file mode 100644 index 00000000000..316d52b8961 --- /dev/null +++ b/queue-6.6/loongarch-enable-general-efi-poweroff-method.patch @@ -0,0 +1,42 @@ +From e688c220732e518c2eb1639e9ef77d4a9311713c Mon Sep 17 00:00:00 2001 +From: Miao Wang +Date: Wed, 7 Aug 2024 17:37:11 +0800 +Subject: LoongArch: Enable general EFI poweroff method + +From: Miao Wang + +commit e688c220732e518c2eb1639e9ef77d4a9311713c upstream. + +efi_shutdown_init() can register a general sys_off handler named +efi_power_off(). Enable this by providing efi_poweroff_required(), +like arm and x86. Since EFI poweroff is also supported on LoongArch, +and the enablement makes the poweroff function usable for hardwares +which lack ACPI S5. + +We prefer ACPI poweroff rather than EFI poweroff (like x86), so we only +require EFI poweroff if acpi_gbl_reduced_hardware or acpi_no_s5 is true. + +Cc: stable@vger.kernel.org +Acked-by: Ard Biesheuvel +Signed-off-by: Miao Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/efi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/loongarch/kernel/efi.c ++++ b/arch/loongarch/kernel/efi.c +@@ -66,6 +66,12 @@ void __init efi_runtime_init(void) + set_bit(EFI_RUNTIME_SERVICES, &efi.flags); + } + ++bool efi_poweroff_required(void) ++{ ++ return efi_enabled(EFI_RUNTIME_SERVICES) && ++ (acpi_gbl_reduced_hardware || acpi_no_s5); ++} ++ + unsigned long __initdata screen_info_table = EFI_INVALID_TABLE_ADDR; + + static void __init init_screen_info(void) diff --git a/queue-6.6/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch b/queue-6.6/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch new file mode 100644 index 00000000000..ebaf4ed70b3 --- /dev/null +++ b/queue-6.6/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch @@ -0,0 +1,104 @@ +From 9972605a238339b85bd16b084eed5f18414d22db Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Fri, 2 Aug 2024 16:58:22 -0700 +Subject: memcg: protect concurrent access to mem_cgroup_idr + +From: Shakeel Butt + +commit 9972605a238339b85bd16b084eed5f18414d22db upstream. + +Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after +many small jobs") decoupled the memcg IDs from the CSS ID space to fix the +cgroup creation failures. It introduced IDR to maintain the memcg ID +space. The IDR depends on external synchronization mechanisms for +modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() +happen within css callback and thus are protected through cgroup_mutex +from concurrent modifications. However idr_remove() for mem_cgroup_idr +was not protected against concurrency and can be run concurrently for +different memcgs when they hit their refcnt to zero. Fix that. + +We have been seeing list_lru based kernel crashes at a low frequency in +our fleet for a long time. These crashes were in different part of +list_lru code including list_lru_add(), list_lru_del() and reparenting +code. Upon further inspection, it looked like for a given object (dentry +and inode), the super_block's list_lru didn't have list_lru_one for the +memcg of that object. The initial suspicions were either the object is +not allocated through kmem_cache_alloc_lru() or somehow +memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but +returned success. No evidence were found for these cases. + +Looking more deeply, we started seeing situations where valid memcg's id +is not present in mem_cgroup_idr and in some cases multiple valid memcgs +have same id and mem_cgroup_idr is pointing to one of them. So, the most +reasonable explanation is that these situations can happen due to race +between multiple idr_remove() calls or race between +idr_alloc()/idr_replace() and idr_remove(). These races are causing +multiple memcgs to acquire the same ID and then offlining of one of them +would cleanup list_lrus on the system for all of them. Later access from +other memcgs to the list_lru cause crashes due to missing list_lru_one. + +Link: https://lkml.kernel.org/r/20240802235822.1830976-1-shakeel.butt@linux.dev +Fixes: 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") +Signed-off-by: Shakeel Butt +Acked-by: Muchun Song +Reviewed-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5167,11 +5167,28 @@ static struct cftype mem_cgroup_legacy_f + + #define MEM_CGROUP_ID_MAX ((1UL << MEM_CGROUP_ID_SHIFT) - 1) + static DEFINE_IDR(mem_cgroup_idr); ++static DEFINE_SPINLOCK(memcg_idr_lock); ++ ++static int mem_cgroup_alloc_id(void) ++{ ++ int ret; ++ ++ idr_preload(GFP_KERNEL); ++ spin_lock(&memcg_idr_lock); ++ ret = idr_alloc(&mem_cgroup_idr, NULL, 1, MEM_CGROUP_ID_MAX + 1, ++ GFP_NOWAIT); ++ spin_unlock(&memcg_idr_lock); ++ idr_preload_end(); ++ return ret; ++} + + static void mem_cgroup_id_remove(struct mem_cgroup *memcg) + { + if (memcg->id.id > 0) { ++ spin_lock(&memcg_idr_lock); + idr_remove(&mem_cgroup_idr, memcg->id.id); ++ spin_unlock(&memcg_idr_lock); ++ + memcg->id.id = 0; + } + } +@@ -5294,8 +5311,7 @@ static struct mem_cgroup *mem_cgroup_all + if (!memcg) + return ERR_PTR(error); + +- memcg->id.id = idr_alloc(&mem_cgroup_idr, NULL, +- 1, MEM_CGROUP_ID_MAX + 1, GFP_KERNEL); ++ memcg->id.id = mem_cgroup_alloc_id(); + if (memcg->id.id < 0) { + error = memcg->id.id; + goto fail; +@@ -5430,7 +5446,9 @@ static int mem_cgroup_css_online(struct + * publish it here at the end of onlining. This matches the + * regular ID destruction during offlining. + */ ++ spin_lock(&memcg_idr_lock); + idr_replace(&mem_cgroup_idr, memcg, memcg->id.id); ++ spin_unlock(&memcg_idr_lock); + + return 0; + offline_kmem: diff --git a/queue-6.6/mptcp-fully-established-after-add_addr-echo-on-mpj.patch b/queue-6.6/mptcp-fully-established-after-add_addr-echo-on-mpj.patch new file mode 100644 index 00000000000..1c30e5f64c4 --- /dev/null +++ b/queue-6.6/mptcp-fully-established-after-add_addr-echo-on-mpj.patch @@ -0,0 +1,47 @@ +From d67c5649c1541dc93f202eeffc6f49220a4ed71d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 31 Jul 2024 13:05:53 +0200 +Subject: mptcp: fully established after ADD_ADDR echo on MPJ + +From: Matthieu Baerts (NGI0) + +commit d67c5649c1541dc93f202eeffc6f49220a4ed71d upstream. + +Before this patch, receiving an ADD_ADDR echo on the just connected +MP_JOIN subflow -- initiator side, after the MP_JOIN 3WHS -- was +resulting in an MP_RESET. That's because only ACKs with a DSS or +ADD_ADDRs without the echo bit were allowed. + +Not allowing the ADD_ADDR echo after an MP_CAPABLE 3WHS makes sense, as +we are not supposed to send an ADD_ADDR before because it requires to be +in full established mode first. For the MP_JOIN 3WHS, that's different: +the ADD_ADDR can be sent on a previous subflow, and the ADD_ADDR echo +can be received on the recently created one. The other peer will already +be in fully established, so it is allowed to send that. + +We can then relax the conditions here to accept the ADD_ADDR echo for +MPJ subflows. + +Fixes: 67b12f792d5e ("mptcp: full fully established support after ADD_ADDR") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240731-upstream-net-20240731-mptcp-endp-subflow-signal-v1-1-c8a9b036493b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -958,7 +958,8 @@ static bool check_fully_established(stru + + if (subflow->remote_key_valid && + (((mp_opt->suboptions & OPTION_MPTCP_DSS) && mp_opt->use_ack) || +- ((mp_opt->suboptions & OPTION_MPTCP_ADD_ADDR) && !mp_opt->echo))) { ++ ((mp_opt->suboptions & OPTION_MPTCP_ADD_ADDR) && ++ (!mp_opt->echo || subflow->mp_join)))) { + /* subflows are fully established as soon as we get any + * additional ack, including ADD_ADDR. + */ diff --git a/queue-6.6/mptcp-pm-fix-backup-support-in-signal-endpoints.patch b/queue-6.6/mptcp-pm-fix-backup-support-in-signal-endpoints.patch new file mode 100644 index 00000000000..f07db77ecf4 --- /dev/null +++ b/queue-6.6/mptcp-pm-fix-backup-support-in-signal-endpoints.patch @@ -0,0 +1,153 @@ +From 6834097fc38c5416701c793da94558cea49c0a1f Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Sat, 27 Jul 2024 12:01:28 +0200 +Subject: mptcp: pm: fix backup support in signal endpoints + +From: Matthieu Baerts (NGI0) + +commit 6834097fc38c5416701c793da94558cea49c0a1f upstream. + +There was a support for signal endpoints, but only when the endpoint's +flag was changed during a connection. If an endpoint with the signal and +backup was already present, the MP_JOIN reply was not containing the +backup flag as expected. + +That's confusing to have this inconsistent behaviour. On the other hand, +the infrastructure to set the backup flag in the SYN + ACK + MP_JOIN was +already there, it was just never set before. Now when requesting the +local ID from the path-manager, the backup status is also requested. + +Note that when the userspace PM is used, the backup flag can be set if +the local address was already used before with a backup flag, e.g. if +the address was announced with the 'backup' flag, or a subflow was +created with the 'backup' flag. + +Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/507 +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +[ Conflicts in pm_userspace.c because the context has changed in commit + 1e07938e29c5 ("net: mptcp: rename netlink handlers to + mptcp_pm_nl__{doit,dumpit}") which is not in this version. This + commit is unrelated to this modification. + Conflicts in protocol.h because the context has changed in commit + 9ae7846c4b6b ("mptcp: dump addrs in userspace pm list") which is not + in this version. This commit is unrelated to this modification. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 12 ++++++++++++ + net/mptcp/pm_netlink.c | 18 ++++++++++++++++++ + net/mptcp/pm_userspace.c | 18 ++++++++++++++++++ + net/mptcp/protocol.h | 3 +++ + net/mptcp/subflow.c | 3 +++ + 5 files changed, 54 insertions(+) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -427,6 +427,18 @@ int mptcp_pm_get_local_id(struct mptcp_s + return mptcp_pm_nl_get_local_id(msk, &skc_local); + } + ++bool mptcp_pm_is_backup(struct mptcp_sock *msk, struct sock_common *skc) ++{ ++ struct mptcp_addr_info skc_local; ++ ++ mptcp_local_address((struct sock_common *)skc, &skc_local); ++ ++ if (mptcp_pm_is_userspace(msk)) ++ return mptcp_userspace_pm_is_backup(msk, &skc_local); ++ ++ return mptcp_pm_nl_is_backup(msk, &skc_local); ++} ++ + int mptcp_pm_get_flags_and_ifindex_by_id(struct mptcp_sock *msk, unsigned int id, + u8 *flags, int *ifindex) + { +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1109,6 +1109,24 @@ int mptcp_pm_nl_get_local_id(struct mptc + return ret; + } + ++bool mptcp_pm_nl_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc) ++{ ++ struct pm_nl_pernet *pernet = pm_nl_get_pernet_from_msk(msk); ++ struct mptcp_pm_addr_entry *entry; ++ bool backup = false; ++ ++ rcu_read_lock(); ++ list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) { ++ if (mptcp_addresses_equal(&entry->addr, skc, entry->addr.port)) { ++ backup = !!(entry->flags & MPTCP_PM_ADDR_FLAG_BACKUP); ++ break; ++ } ++ } ++ rcu_read_unlock(); ++ ++ return backup; ++} ++ + #define MPTCP_PM_CMD_GRP_OFFSET 0 + #define MPTCP_PM_EV_GRP_OFFSET 1 + +--- a/net/mptcp/pm_userspace.c ++++ b/net/mptcp/pm_userspace.c +@@ -157,6 +157,24 @@ int mptcp_userspace_pm_get_local_id(stru + return mptcp_userspace_pm_append_new_local_addr(msk, &new_entry, true); + } + ++bool mptcp_userspace_pm_is_backup(struct mptcp_sock *msk, ++ struct mptcp_addr_info *skc) ++{ ++ struct mptcp_pm_addr_entry *entry; ++ bool backup = false; ++ ++ spin_lock_bh(&msk->pm.lock); ++ list_for_each_entry(entry, &msk->pm.userspace_pm_local_addr_list, list) { ++ if (mptcp_addresses_equal(&entry->addr, skc, false)) { ++ backup = !!(entry->flags & MPTCP_PM_ADDR_FLAG_BACKUP); ++ break; ++ } ++ } ++ spin_unlock_bh(&msk->pm.lock); ++ ++ return backup; ++} ++ + int mptcp_nl_cmd_announce(struct sk_buff *skb, struct genl_info *info) + { + struct nlattr *token = info->attrs[MPTCP_PM_ATTR_TOKEN]; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -1032,6 +1032,9 @@ bool mptcp_pm_rm_addr_signal(struct mptc + int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc); + int mptcp_pm_nl_get_local_id(struct mptcp_sock *msk, struct mptcp_addr_info *skc); + int mptcp_userspace_pm_get_local_id(struct mptcp_sock *msk, struct mptcp_addr_info *skc); ++bool mptcp_pm_is_backup(struct mptcp_sock *msk, struct sock_common *skc); ++bool mptcp_pm_nl_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc); ++bool mptcp_userspace_pm_is_backup(struct mptcp_sock *msk, struct mptcp_addr_info *skc); + + static inline u8 subflow_get_local_id(const struct mptcp_subflow_context *subflow) + { +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -100,6 +100,7 @@ static struct mptcp_sock *subflow_token_ + return NULL; + } + subflow_req->local_id = local_id; ++ subflow_req->request_bkup = mptcp_pm_is_backup(msk, (struct sock_common *)req); + + return msk; + } +@@ -601,6 +602,8 @@ static int subflow_chk_local_id(struct s + return err; + + subflow_set_local_id(subflow, err); ++ subflow->request_bkup = mptcp_pm_is_backup(msk, (struct sock_common *)sk); ++ + return 0; + } + diff --git a/queue-6.6/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch b/queue-6.6/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch new file mode 100644 index 00000000000..11b78f756a5 --- /dev/null +++ b/queue-6.6/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch @@ -0,0 +1,65 @@ +From 6d45e1c948a8b7ed6ceddb14319af69424db730c Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 6 Aug 2024 13:46:47 -0400 +Subject: padata: Fix possible divide-by-0 panic in padata_mt_helper() + +From: Waiman Long + +commit 6d45e1c948a8b7ed6ceddb14319af69424db730c upstream. + +We are hit with a not easily reproducible divide-by-0 panic in padata.c at +bootup time. + + [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI + [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1 + [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021 + [ 10.017908] Workqueue: events_unbound padata_mt_helper + [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0 + : + [ 10.017963] Call Trace: + [ 10.017968] + [ 10.018004] ? padata_mt_helper+0x39/0xb0 + [ 10.018084] process_one_work+0x174/0x330 + [ 10.018093] worker_thread+0x266/0x3a0 + [ 10.018111] kthread+0xcf/0x100 + [ 10.018124] ret_from_fork+0x31/0x50 + [ 10.018138] ret_from_fork_asm+0x1a/0x30 + [ 10.018147] + +Looking at the padata_mt_helper() function, the only way a divide-by-0 +panic can happen is when ps->chunk_size is 0. The way that chunk_size is +initialized in padata_do_multithreaded(), chunk_size can be 0 when the +min_chunk in the passed-in padata_mt_job structure is 0. + +Fix this divide-by-0 panic by making sure that chunk_size will be at least +1 no matter what the input parameters are. + +Link: https://lkml.kernel.org/r/20240806174647.1050398-1-longman@redhat.com +Fixes: 004ed42638f4 ("padata: add basic support for multithreaded jobs") +Signed-off-by: Waiman Long +Cc: Daniel Jordan +Cc: Steffen Klassert +Cc: Waiman Long +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -516,6 +516,13 @@ void __init padata_do_multithreaded(stru + ps.chunk_size = max(ps.chunk_size, job->min_chunk); + ps.chunk_size = roundup(ps.chunk_size, job->align); + ++ /* ++ * chunk_size can be 0 if the caller sets min_chunk to 0. So force it ++ * to at least 1 to prevent divide-by-0 panic in padata_mt_helper().` ++ */ ++ if (!ps.chunk_size) ++ ps.chunk_size = 1U; ++ + list_for_each_entry(pw, &works, pw_list) + queue_work(system_unbound_wq, &pw->pw_work); + diff --git a/queue-6.6/parisc-fix-a-possible-dma-corruption.patch b/queue-6.6/parisc-fix-a-possible-dma-corruption.patch new file mode 100644 index 00000000000..81998074f28 --- /dev/null +++ b/queue-6.6/parisc-fix-a-possible-dma-corruption.patch @@ -0,0 +1,62 @@ +From 7ae04ba36b381bffe2471eff3a93edced843240f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sat, 27 Jul 2024 20:22:52 +0200 +Subject: parisc: fix a possible DMA corruption + +From: Mikulas Patocka + +commit 7ae04ba36b381bffe2471eff3a93edced843240f upstream. + +ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be +possible that two unrelated 16-byte allocations share a cache line. If +one of these allocations is written using DMA and the other is written +using cached write, the value that was written with DMA may be +corrupted. + +This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 - +that's the largest possible cache line size. + +As different parisc microarchitectures have different cache line size, we +define arch_slab_minalign(), cache_line_size() and +dma_get_cache_alignment() so that the kernel may tune slab cache +parameters dynamically, based on the detected cache line size. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Kconfig | 1 + + arch/parisc/include/asm/cache.h | 11 ++++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -18,6 +18,7 @@ config PARISC + select ARCH_SUPPORTS_HUGETLBFS if PA20 + select ARCH_SUPPORTS_MEMORY_FAILURE + select ARCH_STACKWALK ++ select ARCH_HAS_CACHE_LINE_SIZE + select ARCH_HAS_DEBUG_VM_PGTABLE + select HAVE_RELIABLE_STACKTRACE + select DMA_OPS +--- a/arch/parisc/include/asm/cache.h ++++ b/arch/parisc/include/asm/cache.h +@@ -20,7 +20,16 @@ + + #define SMP_CACHE_BYTES L1_CACHE_BYTES + +-#define ARCH_DMA_MINALIGN L1_CACHE_BYTES ++#ifdef CONFIG_PA20 ++#define ARCH_DMA_MINALIGN 128 ++#else ++#define ARCH_DMA_MINALIGN 32 ++#endif ++#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */ ++ ++#define arch_slab_minalign() ((unsigned)dcache_stride) ++#define cache_line_size() dcache_stride ++#define dma_get_cache_alignment cache_line_size + + #define __read_mostly __section(".data..read_mostly") + diff --git a/queue-6.6/parisc-fix-unaligned-accesses-in-bpf.patch b/queue-6.6/parisc-fix-unaligned-accesses-in-bpf.patch new file mode 100644 index 00000000000..cbd939a5b86 --- /dev/null +++ b/queue-6.6/parisc-fix-unaligned-accesses-in-bpf.patch @@ -0,0 +1,48 @@ +From 1fd2c10acb7b35d72101a4619ee5b2cddb9efd3a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sat, 27 Jul 2024 12:11:02 +0200 +Subject: parisc: fix unaligned accesses in BPF + +From: Mikulas Patocka + +commit 1fd2c10acb7b35d72101a4619ee5b2cddb9efd3a upstream. + +There were spurious unaligned access warnings when calling BPF code. +Sometimes, the warnings were triggered with any incoming packet, making +the machine hard to use. + +The reason for the warnings is this: on parisc64, pointers to functions +are not really pointers to functions, they are pointers to 16-byte +descriptor. The first 8 bytes of the descriptor is a pointer to the +function and the next 8 bytes of the descriptor is the content of the +"dp" register. This descriptor is generated in the function +bpf_jit_build_prologue. + +The problem is that the function bpf_int_jit_compile advertises 4-byte +alignment when calling bpf_jit_binary_alloc, bpf_jit_binary_alloc +randomizes the returned array and if the array happens to be not aligned +on 8-byte boundary, the descriptor generated in bpf_jit_build_prologue is +also not aligned and this triggers the unaligned access warning. + +Fix this by advertising 8-byte alignment on parisc64 when calling +bpf_jit_binary_alloc. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/net/bpf_jit_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/net/bpf_jit_core.c ++++ b/arch/parisc/net/bpf_jit_core.c +@@ -114,7 +114,7 @@ struct bpf_prog *bpf_int_jit_compile(str + jit_data->header = + bpf_jit_binary_alloc(prog_size + extable_size, + &jit_data->image, +- sizeof(u32), ++ sizeof(long), + bpf_fill_ill_insns); + if (!jit_data->header) { + prog = orig_prog; diff --git a/queue-6.6/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch b/queue-6.6/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch new file mode 100644 index 00000000000..88c4b050abc --- /dev/null +++ b/queue-6.6/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch @@ -0,0 +1,39 @@ +From b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 17 Jul 2024 22:03:32 +0200 +Subject: power: supply: axp288_charger: Fix constant_charge_voltage writes + +From: Hans de Goede + +commit b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 upstream. + +info->max_cv is in millivolts, divide the microvolt value being written +to constant_charge_voltage by 1000 *before* clamping it to info->max_cv. + +Before this fix the code always tried to set constant_charge_voltage +to max_cv / 1000 = 4 millivolt, which ends up in setting it to 4.1V +which is the lowest supported value. + +Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240717200333.56669-1-hdegoede@redhat.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -337,8 +337,8 @@ static int axp288_charger_usb_set_proper + } + break; + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: +- scaled_val = min(val->intval, info->max_cv); +- scaled_val = DIV_ROUND_CLOSEST(scaled_val, 1000); ++ scaled_val = DIV_ROUND_CLOSEST(val->intval, 1000); ++ scaled_val = min(scaled_val, info->max_cv); + ret = axp288_charger_set_cv(info, scaled_val); + if (ret < 0) { + dev_warn(&info->pdev->dev, "set charge voltage failed\n"); diff --git a/queue-6.6/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch b/queue-6.6/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch new file mode 100644 index 00000000000..9649a365054 --- /dev/null +++ b/queue-6.6/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch @@ -0,0 +1,56 @@ +From 81af7f2342d162e24ac820c10e68684d9f927663 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 17 Jul 2024 22:03:33 +0200 +Subject: power: supply: axp288_charger: Round constant_charge_voltage writes down + +From: Hans de Goede + +commit 81af7f2342d162e24ac820c10e68684d9f927663 upstream. + +Round constant_charge_voltage writes down to the first supported lower +value, rather then rounding them up to the first supported higher value. + +This fixes e.g. writing 4250000 resulting in a value of 4350000 which +might be dangerous, instead writing 4250000 will now result in a safe +4200000 value. + +Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240717200333.56669-2-hdegoede@redhat.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -178,18 +178,18 @@ static inline int axp288_charger_set_cv( + u8 reg_val; + int ret; + +- if (cv <= CV_4100MV) { +- reg_val = CHRG_CCCV_CV_4100MV; +- cv = CV_4100MV; +- } else if (cv <= CV_4150MV) { +- reg_val = CHRG_CCCV_CV_4150MV; +- cv = CV_4150MV; +- } else if (cv <= CV_4200MV) { ++ if (cv >= CV_4350MV) { ++ reg_val = CHRG_CCCV_CV_4350MV; ++ cv = CV_4350MV; ++ } else if (cv >= CV_4200MV) { + reg_val = CHRG_CCCV_CV_4200MV; + cv = CV_4200MV; ++ } else if (cv >= CV_4150MV) { ++ reg_val = CHRG_CCCV_CV_4150MV; ++ cv = CV_4150MV; + } else { +- reg_val = CHRG_CCCV_CV_4350MV; +- cv = CV_4350MV; ++ reg_val = CHRG_CCCV_CV_4100MV; ++ cv = CV_4100MV; + } + + reg_val = reg_val << CHRG_CCCV_CV_BIT_POS; diff --git a/queue-6.6/power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch b/queue-6.6/power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch new file mode 100644 index 00000000000..89f2ab5c72a --- /dev/null +++ b/queue-6.6/power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch @@ -0,0 +1,76 @@ +From bf9d5cb588755ee41ac12a8976dccf44ae18281b Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Mon, 15 Jul 2024 14:57:06 +0200 +Subject: power: supply: qcom_battmgr: return EAGAIN when firmware service is not up + +From: Neil Armstrong + +commit bf9d5cb588755ee41ac12a8976dccf44ae18281b upstream. + +The driver returns -ENODEV when the firmware battmrg service hasn't +started yet, while per-se -ENODEV is fine, we usually use -EAGAIN to +tell the user to retry again later. And the power supply core uses +-EGAIN when the device isn't initialized, let's use the same return. + +This notably causes an infinite spam of: +thermal thermal_zoneXX: failed to read out thermal zone (-19) +because the thermal core doesn't understand -ENODEV, but only +considers -EAGAIN as a non-fatal error. + +While it didn't appear until now, commit [1] fixes thermal core +and no more ignores thermal zones returning an error at first +temperature update. + +[1] 5725f40698b9 ("thermal: core: Call monitor_thermal_zone() if zone temperature is invalid") + +Link: https://lore.kernel.org/all/2ed4c630-204a-4f80-a37f-f2ca838eb455@linaro.org/ +Cc: stable@vger.kernel.org +Fixes: 29e8142b5623 ("power: supply: Introduce Qualcomm PMIC GLINK power supply") +Signed-off-by: Neil Armstrong +Tested-by: Stephan Gerhold +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20240715-topic-sm8x50-upstream-fix-battmgr-temp-tz-warn-v1-1-16e842ccead7@linaro.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/qcom_battmgr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/power/supply/qcom_battmgr.c ++++ b/drivers/power/supply/qcom_battmgr.c +@@ -486,7 +486,7 @@ static int qcom_battmgr_bat_get_property + int ret; + + if (!battmgr->service_up) +- return -ENODEV; ++ return -EAGAIN; + + if (battmgr->variant == QCOM_BATTMGR_SC8280XP) + ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp); +@@ -683,7 +683,7 @@ static int qcom_battmgr_ac_get_property( + int ret; + + if (!battmgr->service_up) +- return -ENODEV; ++ return -EAGAIN; + + ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp); + if (ret) +@@ -748,7 +748,7 @@ static int qcom_battmgr_usb_get_property + int ret; + + if (!battmgr->service_up) +- return -ENODEV; ++ return -EAGAIN; + + if (battmgr->variant == QCOM_BATTMGR_SC8280XP) + ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp); +@@ -867,7 +867,7 @@ static int qcom_battmgr_wls_get_property + int ret; + + if (!battmgr->service_up) +- return -ENODEV; ++ return -EAGAIN; + + if (battmgr->variant == QCOM_BATTMGR_SC8280XP) + ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp); diff --git a/queue-6.6/sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch b/queue-6.6/sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch new file mode 100644 index 00000000000..03e6c70c5b5 --- /dev/null +++ b/queue-6.6/sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch @@ -0,0 +1,31 @@ +From fe7a11c78d2a9bdb8b50afc278a31ac177000948 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 3 Jul 2024 11:16:10 +0800 +Subject: sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate() + +From: Yang Yingliang + +commit fe7a11c78d2a9bdb8b50afc278a31ac177000948 upstream. + +If cpuset_cpu_inactive() fails, set_rq_online() need be called to rollback. + +Fixes: 120455c514f7 ("sched: Fix hotplug vs CPU bandwidth control") +Cc: stable@kernel.org +Signed-off-by: Yang Yingliang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20240703031610.587047-5-yangyingliang@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -9773,6 +9773,7 @@ int sched_cpu_deactivate(unsigned int cp + ret = cpuset_cpu_inactive(cpu); + if (ret) { + sched_smt_present_inc(cpu); ++ sched_set_rq_online(rq, cpu); + balance_push_set(cpu, false); + set_cpu_active(cpu, true); + sched_update_numa(cpu, true); diff --git a/queue-6.6/sched-core-introduce-sched_set_rq_on-offline-helper.patch b/queue-6.6/sched-core-introduce-sched_set_rq_on-offline-helper.patch new file mode 100644 index 00000000000..a3db74fd4d6 --- /dev/null +++ b/queue-6.6/sched-core-introduce-sched_set_rq_on-offline-helper.patch @@ -0,0 +1,98 @@ +From 2f027354122f58ee846468a6f6b48672fff92e9b Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 3 Jul 2024 11:16:09 +0800 +Subject: sched/core: Introduce sched_set_rq_on/offline() helper + +From: Yang Yingliang + +commit 2f027354122f58ee846468a6f6b48672fff92e9b upstream. + +Introduce sched_set_rq_on/offline() helper, so it can be called +in normal or error path simply. No functional changed. + +Cc: stable@kernel.org +Signed-off-by: Yang Yingliang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20240703031610.587047-4-yangyingliang@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 40 ++++++++++++++++++++++++++-------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -9596,6 +9596,30 @@ void set_rq_offline(struct rq *rq) + } + } + ++static inline void sched_set_rq_online(struct rq *rq, int cpu) ++{ ++ struct rq_flags rf; ++ ++ rq_lock_irqsave(rq, &rf); ++ if (rq->rd) { ++ BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span)); ++ set_rq_online(rq); ++ } ++ rq_unlock_irqrestore(rq, &rf); ++} ++ ++static inline void sched_set_rq_offline(struct rq *rq, int cpu) ++{ ++ struct rq_flags rf; ++ ++ rq_lock_irqsave(rq, &rf); ++ if (rq->rd) { ++ BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span)); ++ set_rq_offline(rq); ++ } ++ rq_unlock_irqrestore(rq, &rf); ++} ++ + /* + * used to mark begin/end of suspend/resume: + */ +@@ -9665,7 +9689,6 @@ static inline void sched_smt_present_dec + int sched_cpu_activate(unsigned int cpu) + { + struct rq *rq = cpu_rq(cpu); +- struct rq_flags rf; + + /* + * Clear the balance_push callback and prepare to schedule +@@ -9694,12 +9717,7 @@ int sched_cpu_activate(unsigned int cpu) + * 2) At runtime, if cpuset_cpu_active() fails to rebuild the + * domains. + */ +- rq_lock_irqsave(rq, &rf); +- if (rq->rd) { +- BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span)); +- set_rq_online(rq); +- } +- rq_unlock_irqrestore(rq, &rf); ++ sched_set_rq_online(rq, cpu); + + return 0; + } +@@ -9707,7 +9725,6 @@ int sched_cpu_activate(unsigned int cpu) + int sched_cpu_deactivate(unsigned int cpu) + { + struct rq *rq = cpu_rq(cpu); +- struct rq_flags rf; + int ret; + + /* +@@ -9738,12 +9755,7 @@ int sched_cpu_deactivate(unsigned int cp + */ + synchronize_rcu(); + +- rq_lock_irqsave(rq, &rf); +- if (rq->rd) { +- BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span)); +- set_rq_offline(rq); +- } +- rq_unlock_irqrestore(rq, &rf); ++ sched_set_rq_offline(rq, cpu); + + /* + * When going down, decrement the number of cores with SMT present. diff --git a/queue-6.6/sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch b/queue-6.6/sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch new file mode 100644 index 00000000000..19648713631 --- /dev/null +++ b/queue-6.6/sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch @@ -0,0 +1,52 @@ +From e22f910a26cc2a3ac9c66b8e935ef2a7dd881117 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 3 Jul 2024 11:16:08 +0800 +Subject: sched/smt: Fix unbalance sched_smt_present dec/inc + +From: Yang Yingliang + +commit e22f910a26cc2a3ac9c66b8e935ef2a7dd881117 upstream. + +I got the following warn report while doing stress test: + +jump label: negative count! +WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0 +Call Trace: + + __static_key_slow_dec_cpuslocked+0x16/0x70 + sched_cpu_deactivate+0x26e/0x2a0 + cpuhp_invoke_callback+0x3ad/0x10d0 + cpuhp_thread_fun+0x3f5/0x680 + smpboot_thread_fn+0x56d/0x8d0 + kthread+0x309/0x400 + ret_from_fork+0x41/0x70 + ret_from_fork_asm+0x1b/0x30 + + +Because when cpuset_cpu_inactive() fails in sched_cpu_deactivate(), +the cpu offline failed, but sched_smt_present is decremented before +calling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so +fix it by incrementing sched_smt_present in the error path. + +Fixes: c5511d03ec09 ("sched/smt: Make sched_smt_present track topology") +Cc: stable@kernel.org +Signed-off-by: Yang Yingliang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Chen Yu +Reviewed-by: Tim Chen +Link: https://lore.kernel.org/r/20240703031610.587047-3-yangyingliang@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -9760,6 +9760,7 @@ int sched_cpu_deactivate(unsigned int cp + sched_update_numa(cpu, false); + ret = cpuset_cpu_inactive(cpu); + if (ret) { ++ sched_smt_present_inc(cpu); + balance_push_set(cpu, false); + set_cpu_active(cpu, true); + sched_update_numa(cpu, true); diff --git a/queue-6.6/sched-smt-introduce-sched_smt_present_inc-dec-helper.patch b/queue-6.6/sched-smt-introduce-sched_smt_present_inc-dec-helper.patch new file mode 100644 index 00000000000..dcb95b66d19 --- /dev/null +++ b/queue-6.6/sched-smt-introduce-sched_smt_present_inc-dec-helper.patch @@ -0,0 +1,77 @@ +From 31b164e2e4af84d08d2498083676e7eeaa102493 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 3 Jul 2024 11:16:07 +0800 +Subject: sched/smt: Introduce sched_smt_present_inc/dec() helper + +From: Yang Yingliang + +commit 31b164e2e4af84d08d2498083676e7eeaa102493 upstream. + +Introduce sched_smt_present_inc/dec() helper, so it can be called +in normal or error path simply. No functional changed. + +Cc: stable@kernel.org +Signed-off-by: Yang Yingliang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20240703031610.587047-2-yangyingliang@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -9646,6 +9646,22 @@ static int cpuset_cpu_inactive(unsigned + return 0; + } + ++static inline void sched_smt_present_inc(int cpu) ++{ ++#ifdef CONFIG_SCHED_SMT ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ static_branch_inc_cpuslocked(&sched_smt_present); ++#endif ++} ++ ++static inline void sched_smt_present_dec(int cpu) ++{ ++#ifdef CONFIG_SCHED_SMT ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ static_branch_dec_cpuslocked(&sched_smt_present); ++#endif ++} ++ + int sched_cpu_activate(unsigned int cpu) + { + struct rq *rq = cpu_rq(cpu); +@@ -9657,13 +9673,10 @@ int sched_cpu_activate(unsigned int cpu) + */ + balance_push_set(cpu, false); + +-#ifdef CONFIG_SCHED_SMT + /* + * When going up, increment the number of cores with SMT present. + */ +- if (cpumask_weight(cpu_smt_mask(cpu)) == 2) +- static_branch_inc_cpuslocked(&sched_smt_present); +-#endif ++ sched_smt_present_inc(cpu); + set_cpu_active(cpu, true); + + if (sched_smp_initialized) { +@@ -9732,13 +9745,12 @@ int sched_cpu_deactivate(unsigned int cp + } + rq_unlock_irqrestore(rq, &rf); + +-#ifdef CONFIG_SCHED_SMT + /* + * When going down, decrement the number of cores with SMT present. + */ +- if (cpumask_weight(cpu_smt_mask(cpu)) == 2) +- static_branch_dec_cpuslocked(&sched_smt_present); ++ sched_smt_present_dec(cpu); + ++#ifdef CONFIG_SCHED_SMT + sched_core_cpu_deactivate(cpu); + #endif + diff --git a/queue-6.6/selftests-mm-add-s390-to-arch-check.patch b/queue-6.6/selftests-mm-add-s390-to-arch-check.patch new file mode 100644 index 00000000000..dfc4ac1b2c9 --- /dev/null +++ b/queue-6.6/selftests-mm-add-s390-to-arch-check.patch @@ -0,0 +1,46 @@ +From 30b651c8bc788c068a978dc760e9d5f824f7019e Mon Sep 17 00:00:00 2001 +From: Nico Pache +Date: Wed, 24 Jul 2024 15:35:17 -0600 +Subject: selftests: mm: add s390 to ARCH check + +From: Nico Pache + +commit 30b651c8bc788c068a978dc760e9d5f824f7019e upstream. + +commit 0518dbe97fe6 ("selftests/mm: fix cross compilation with LLVM") +changed the env variable for the architecture from MACHINE to ARCH. + +This is preventing 3 required TEST_GEN_FILES from being included when +cross compiling s390x and errors when trying to run the test suite. This +is due to the ARCH variable already being set and the arch folder name +being s390. + +Add "s390" to the filtered list to cover this case and have the 3 files +included in the build. + +Link: https://lkml.kernel.org/r/20240724213517.23918-1-npache@redhat.com +Fixes: 0518dbe97fe6 ("selftests/mm: fix cross compilation with LLVM") +Signed-off-by: Nico Pache +Cc: Mark Brown +Cc: Albert Ou +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/mm/Makefile ++++ b/tools/testing/selftests/mm/Makefile +@@ -101,7 +101,7 @@ endif + + endif + +-ifneq (,$(filter $(ARCH),arm64 ia64 mips64 parisc64 powerpc riscv64 s390x sparc64 x86_64)) ++ifneq (,$(filter $(ARCH),arm64 ia64 mips64 parisc64 powerpc riscv64 s390x sparc64 x86_64 s390)) + TEST_GEN_FILES += va_high_addr_switch + TEST_GEN_FILES += virtual_address_range + TEST_GEN_FILES += write_to_hugetlbfs diff --git a/queue-6.6/selftests-mptcp-fix-error-path.patch b/queue-6.6/selftests-mptcp-fix-error-path.patch new file mode 100644 index 00000000000..d6dc849e2f0 --- /dev/null +++ b/queue-6.6/selftests-mptcp-fix-error-path.patch @@ -0,0 +1,38 @@ +From 4a2f48992ddf4b8c2fba846c6754089edae6db5a Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Sat, 27 Jul 2024 11:04:02 +0200 +Subject: selftests: mptcp: fix error path + +From: Paolo Abeni + +commit 4a2f48992ddf4b8c2fba846c6754089edae6db5a upstream. + +pm_nl_check_endpoint() currently calls an not existing helper +to mark the test as failed. Fix the wrong call. + +Fixes: 03668c65d153 ("selftests: mptcp: join: rework detailed report") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +[ Conflicts in mptcp_join.sh because the context has changed in commit + 571d79664a4a ("selftests: mptcp: join: update endpoint ops") which is + not in this version. This commit is unrelated to this modification. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -812,7 +812,7 @@ pm_nl_check_endpoint() + done + + if [ -z "$id" ]; then +- test_fail "bad test - missing endpoint id" ++ fail_test "bad test - missing endpoint id" + return + fi + diff --git a/queue-6.6/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch b/queue-6.6/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch new file mode 100644 index 00000000000..ccaaff4dec2 --- /dev/null +++ b/queue-6.6/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch @@ -0,0 +1,68 @@ +From 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Wed, 17 Jul 2024 07:24:38 -0500 +Subject: serial: core: check uartclk for zero to avoid divide by zero + +From: George Kennedy + +commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream. + +Calling ioctl TIOCSSERIAL with an invalid baud_base can +result in uartclk being zero, which will result in a +divide by zero error in uart_get_divisor(). The check for +uartclk being zero in uart_set_info() needs to be done +before other settings are made as subsequent calls to +ioctl TIOCSSERIAL for the same port would be impacted if +the uartclk check was done where uartclk gets set. + +Oops: divide error: 0000 PREEMPT SMP KASAN PTI +RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) +Call Trace: + +serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 + drivers/tty/serial/8250/8250_port.c:2589) +serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 + drivers/tty/serial/8250/8250_port.c:2741) +serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) +uart_change_line_settings (./include/linux/spinlock.h:376 + ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) +uart_port_startup (drivers/tty/serial/serial_core.c:342) +uart_startup (drivers/tty/serial/serial_core.c:368) +uart_set_info (drivers/tty/serial/serial_core.c:1034) +uart_set_info_user (drivers/tty/serial/serial_core.c:1059) +tty_set_serial (drivers/tty/tty_io.c:2637) +tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) +__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 + fs/ioctl.c:893 fs/ioctl.c:893) +do_syscall_64 (arch/x86/entry/common.c:52 + (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Reported-by: syzkaller +Cc: stable@vger.kernel.org +Signed-off-by: George Kennedy +Rule: add +Link: https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kennedy%40oracle.com +Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -876,6 +876,14 @@ static int uart_set_info(struct tty_stru + new_flags = (__force upf_t)new_info->flags; + old_custom_divisor = uport->custom_divisor; + ++ if (!(uport->flags & UPF_FIXED_PORT)) { ++ unsigned int uartclk = new_info->baud_base * 16; ++ /* check needs to be done here before other settings made */ ++ if (uartclk == 0) { ++ retval = -EINVAL; ++ goto exit; ++ } ++ } + if (!capable(CAP_SYS_ADMIN)) { + retval = -EPERM; + if (change_irq || change_port || diff --git a/queue-6.6/series b/queue-6.6/series index 7e42bd41aca..8b10a5965ea 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -133,3 +133,37 @@ tracefs-fix-inode-allocation.patch tracefs-use-generic-inode-rcu-for-synchronizing-freeing.patch ntp-safeguard-against-time_constant-overflow.patch timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch +serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch +memcg-protect-concurrent-access-to-mem_cgroup_idr.patch +parisc-fix-unaligned-accesses-in-bpf.patch +parisc-fix-a-possible-dma-corruption.patch +asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch +kcov-properly-check-for-softirq-context.patch +irqchip-xilinx-fix-shift-out-of-bounds.patch +genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch +loongarch-enable-general-efi-poweroff-method.patch +power-supply-qcom_battmgr-return-eagain-when-firmware-service-is-not-up.patch +power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch +power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch +tracing-fix-overflow-in-get_free_elt.patch +padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch +smb3-fix-setting-securityflags-when-encryption-is-required.patch +eventfs-don-t-return-null-in-eventfs_create_dir.patch +eventfs-use-srcu-for-freeing-eventfs_inodes.patch +selftests-mm-add-s390-to-arch-check.patch +btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch +x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch +x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch +sched-smt-introduce-sched_smt_present_inc-dec-helper.patch +sched-smt-fix-unbalance-sched_smt_present-dec-inc.patch +sched-core-introduce-sched_set_rq_on-offline-helper.patch +sched-core-fix-unbalance-set_rq_online-offline-in-sched_cpu_deactivate.patch +drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch +drm-dp_mst-skip-csn-if-topology-probing-is-not-done-yet.patch +drm-lima-mark-simple_ondemand-governor-as-softdep.patch +drm-mgag200-set-ddc-timeout-in-milliseconds.patch +drm-mgag200-bind-i2c-lifetime-to-drm-device.patch +drm-radeon-remove-__counted_by-from-statearray.states.patch +mptcp-fully-established-after-add_addr-echo-on-mpj.patch +mptcp-pm-fix-backup-support-in-signal-endpoints.patch +selftests-mptcp-fix-error-path.patch diff --git a/queue-6.6/smb3-fix-setting-securityflags-when-encryption-is-required.patch b/queue-6.6/smb3-fix-setting-securityflags-when-encryption-is-required.patch new file mode 100644 index 00000000000..723bc1efd5a --- /dev/null +++ b/queue-6.6/smb3-fix-setting-securityflags-when-encryption-is-required.patch @@ -0,0 +1,91 @@ +From 1b5487aefb1ce7a6b1f15a33297d1231306b4122 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 31 Jul 2024 21:38:50 -0500 +Subject: smb3: fix setting SecurityFlags when encryption is required + +From: Steve French + +commit 1b5487aefb1ce7a6b1f15a33297d1231306b4122 upstream. + +Setting encryption as required in security flags was broken. +For example (to require all mounts to be encrypted by setting): + + "echo 0x400c5 > /proc/fs/cifs/SecurityFlags" + +Would return "Invalid argument" and log "Unsupported security flags" +This patch fixes that (e.g. allowing overriding the default for +SecurityFlags 0x00c5, including 0x40000 to require seal, ie +SMB3.1.1 encryption) so now that works and forces encryption +on subsequent mounts. + +Acked-by: Bharath SM +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cifs/usage.rst | 2 +- + fs/smb/client/cifs_debug.c | 2 +- + fs/smb/client/cifsglob.h | 8 ++++---- + fs/smb/client/smb2pdu.c | 3 +++ + 4 files changed, 9 insertions(+), 6 deletions(-) + +--- a/Documentation/admin-guide/cifs/usage.rst ++++ b/Documentation/admin-guide/cifs/usage.rst +@@ -741,7 +741,7 @@ SecurityFlags Flags which control secur + may use NTLMSSP 0x00080 + must use NTLMSSP 0x80080 + seal (packet encryption) 0x00040 +- must seal (not implemented yet) 0x40040 ++ must seal 0x40040 + + cifsFYI If set to non-zero value, additional debug information + will be logged to the system error log. This field +--- a/fs/smb/client/cifs_debug.c ++++ b/fs/smb/client/cifs_debug.c +@@ -1072,7 +1072,7 @@ static int cifs_security_flags_proc_open + static void + cifs_security_flags_handle_must_flags(unsigned int *flags) + { +- unsigned int signflags = *flags & CIFSSEC_MUST_SIGN; ++ unsigned int signflags = *flags & (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL); + + if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5) + *flags = CIFSSEC_MUST_KRB5; +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -1922,7 +1922,7 @@ static inline bool is_replayable_error(i + #define CIFSSEC_MAY_SIGN 0x00001 + #define CIFSSEC_MAY_NTLMV2 0x00004 + #define CIFSSEC_MAY_KRB5 0x00008 +-#define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ ++#define CIFSSEC_MAY_SEAL 0x00040 + #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ + + #define CIFSSEC_MUST_SIGN 0x01001 +@@ -1932,11 +1932,11 @@ require use of the stronger protocol */ + #define CIFSSEC_MUST_NTLMV2 0x04004 + #define CIFSSEC_MUST_KRB5 0x08008 + #ifdef CONFIG_CIFS_UPCALL +-#define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ ++#define CIFSSEC_MASK 0xCF0CF /* flags supported if no weak allowed */ + #else +-#define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ ++#define CIFSSEC_MASK 0xC70C7 /* flags supported if no weak allowed */ + #endif /* UPCALL */ +-#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ ++#define CIFSSEC_MUST_SEAL 0x40040 + #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ + + #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL) +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -80,6 +80,9 @@ int smb3_encryption_required(const struc + if (tcon->seal && + (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) + return 1; ++ if (((global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) && ++ (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) ++ return 1; + return 0; + } + diff --git a/queue-6.6/tracing-fix-overflow-in-get_free_elt.patch b/queue-6.6/tracing-fix-overflow-in-get_free_elt.patch new file mode 100644 index 00000000000..f2adf30386f --- /dev/null +++ b/queue-6.6/tracing-fix-overflow-in-get_free_elt.patch @@ -0,0 +1,65 @@ +From bcf86c01ca4676316557dd482c8416ece8c2e143 Mon Sep 17 00:00:00 2001 +From: Tze-nan Wu +Date: Mon, 5 Aug 2024 13:59:22 +0800 +Subject: tracing: Fix overflow in get_free_elt() + +From: Tze-nan Wu + +commit bcf86c01ca4676316557dd482c8416ece8c2e143 upstream. + +"tracing_map->next_elt" in get_free_elt() is at risk of overflowing. + +Once it overflows, new elements can still be inserted into the tracing_map +even though the maximum number of elements (`max_elts`) has been reached. +Continuing to insert elements after the overflow could result in the +tracing_map containing "tracing_map->max_size" elements, leaving no empty +entries. +If any attempt is made to insert an element into a full tracing_map using +`__tracing_map_insert()`, it will cause an infinite loop with preemption +disabled, leading to a CPU hang problem. + +Fix this by preventing any further increments to "tracing_map->next_elt" +once it reaches "tracing_map->max_elt". + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Fixes: 08d43a5fa063e ("tracing: Add lock-free tracing_map") +Co-developed-by: Cheng-Jui Wang +Link: https://lore.kernel.org/20240805055922.6277-1-Tze-nan.Wu@mediatek.com +Signed-off-by: Cheng-Jui Wang +Signed-off-by: Tze-nan Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/tracing_map.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/tracing_map.c ++++ b/kernel/trace/tracing_map.c +@@ -454,7 +454,7 @@ static struct tracing_map_elt *get_free_ + struct tracing_map_elt *elt = NULL; + int idx; + +- idx = atomic_inc_return(&map->next_elt); ++ idx = atomic_fetch_add_unless(&map->next_elt, 1, map->max_elts); + if (idx < map->max_elts) { + elt = *(TRACING_MAP_ELT(map->elts, idx)); + if (map->ops && map->ops->elt_init) +@@ -699,7 +699,7 @@ void tracing_map_clear(struct tracing_ma + { + unsigned int i; + +- atomic_set(&map->next_elt, -1); ++ atomic_set(&map->next_elt, 0); + atomic64_set(&map->hits, 0); + atomic64_set(&map->drops, 0); + +@@ -783,7 +783,7 @@ struct tracing_map *tracing_map_create(u + + map->map_bits = map_bits; + map->max_elts = (1 << map_bits); +- atomic_set(&map->next_elt, -1); ++ atomic_set(&map->next_elt, 0); + + map->map_size = (1 << (map_bits + 1)); + map->ops = ops; diff --git a/queue-6.6/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch b/queue-6.6/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch new file mode 100644 index 00000000000..2cb5cd2a310 --- /dev/null +++ b/queue-6.6/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch @@ -0,0 +1,44 @@ +From 919f18f961c03d6694aa726c514184f2311a4614 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Wed, 7 Aug 2024 17:02:44 -0700 +Subject: x86/mtrr: Check if fixed MTRRs exist before saving them + +From: Andi Kleen + +commit 919f18f961c03d6694aa726c514184f2311a4614 upstream. + +MTRRs have an obsolete fixed variant for fine grained caching control +of the 640K-1MB region that uses separate MSRs. This fixed variant has +a separate capability bit in the MTRR capability MSR. + +So far all x86 CPUs which support MTRR have this separate bit set, so it +went unnoticed that mtrr_save_state() does not check the capability bit +before accessing the fixed MTRR MSRs. + +Though on a CPU that does not support the fixed MTRR capability this +results in a #GP. The #GP itself is harmless because the RDMSR fault is +handled gracefully, but results in a WARN_ON(). + +Add the missing capability check to prevent this. + +Fixes: 2b1f6278d77c ("[PATCH] x86: Save the MTRRs of the BSP before booting an AP") +Signed-off-by: Andi Kleen +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240808000244.946864-1-ak@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mtrr/mtrr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mtrr/mtrr.c ++++ b/arch/x86/kernel/cpu/mtrr/mtrr.c +@@ -609,7 +609,7 @@ void mtrr_save_state(void) + { + int first_cpu; + +- if (!mtrr_enabled()) ++ if (!mtrr_enabled() || !mtrr_state.have_fixed) + return; + + first_cpu = cpumask_first(cpu_online_mask); diff --git a/queue-6.6/x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch b/queue-6.6/x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch new file mode 100644 index 00000000000..d18cf01a00c --- /dev/null +++ b/queue-6.6/x86-paravirt-fix-incorrect-virt-spinlock-setting-on-bare-metal.patch @@ -0,0 +1,100 @@ +From e639222a51196c69c70b49b67098ce2f9919ed08 Mon Sep 17 00:00:00 2001 +From: Chen Yu +Date: Tue, 6 Aug 2024 19:22:07 +0800 +Subject: x86/paravirt: Fix incorrect virt spinlock setting on bare metal + +From: Chen Yu + +commit e639222a51196c69c70b49b67098ce2f9919ed08 upstream. + +The kernel can change spinlock behavior when running as a guest. But this +guest-friendly behavior causes performance problems on bare metal. + +The kernel uses a static key to switch between the two modes. + +In theory, the static key is enabled by default (run in guest mode) and +should be disabled for bare metal (and in some guests that want native +behavior or paravirt spinlock). + +A performance drop is reported when running encode/decode workload and +BenchSEE cache sub-workload. + +Bisect points to commit ce0a1b608bfc ("x86/paravirt: Silence unused +native_pv_lock_init() function warning"). When CONFIG_PARAVIRT_SPINLOCKS is +disabled the virt_spin_lock_key is incorrectly set to true on bare +metal. The qspinlock degenerates to test-and-set spinlock, which decreases +the performance on bare metal. + +Set the default value of virt_spin_lock_key to false. If booting in a VM, +enable this key. Later during the VM initialization, if other +high-efficient spinlock is preferred (e.g. paravirt-spinlock), or the user +wants the native qspinlock (via nopvspin boot commandline), the +virt_spin_lock_key is disabled accordingly. + +This results in the following decision matrix: + +X86_FEATURE_HYPERVISOR Y Y Y N +CONFIG_PARAVIRT_SPINLOCKS Y Y N Y/N +PV spinlock Y N N Y/N + +virt_spin_lock_key N Y/N Y N + +Fixes: ce0a1b608bfc ("x86/paravirt: Silence unused native_pv_lock_init() function warning") +Reported-by: Prem Nath Dey +Reported-by: Xiaoping Zhou +Suggested-by: Dave Hansen +Suggested-by: Qiuxu Zhuo +Suggested-by: Nikolay Borisov +Signed-off-by: Chen Yu +Signed-off-by: Thomas Gleixner +Reviewed-by: Nikolay Borisov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240806112207.29792-1-yu.c.chen@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/qspinlock.h | 12 +++++++----- + arch/x86/kernel/paravirt.c | 7 +++---- + 2 files changed, 10 insertions(+), 9 deletions(-) + +--- a/arch/x86/include/asm/qspinlock.h ++++ b/arch/x86/include/asm/qspinlock.h +@@ -66,13 +66,15 @@ static inline bool vcpu_is_preempted(lon + + #ifdef CONFIG_PARAVIRT + /* +- * virt_spin_lock_key - enables (by default) the virt_spin_lock() hijack. ++ * virt_spin_lock_key - disables by default the virt_spin_lock() hijack. + * +- * Native (and PV wanting native due to vCPU pinning) should disable this key. +- * It is done in this backwards fashion to only have a single direction change, +- * which removes ordering between native_pv_spin_init() and HV setup. ++ * Native (and PV wanting native due to vCPU pinning) should keep this key ++ * disabled. Native does not touch the key. ++ * ++ * When in a guest then native_pv_lock_init() enables the key first and ++ * KVM/XEN might conditionally disable it later in the boot process again. + */ +-DECLARE_STATIC_KEY_TRUE(virt_spin_lock_key); ++DECLARE_STATIC_KEY_FALSE(virt_spin_lock_key); + + /* + * Shortcut for the queued_spin_lock_slowpath() function that allows +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -71,13 +71,12 @@ DEFINE_PARAVIRT_ASM(pv_native_irq_enable + DEFINE_PARAVIRT_ASM(pv_native_read_cr2, "mov %cr2, %rax", .noinstr.text); + #endif + +-DEFINE_STATIC_KEY_TRUE(virt_spin_lock_key); ++DEFINE_STATIC_KEY_FALSE(virt_spin_lock_key); + + void __init native_pv_lock_init(void) + { +- if (IS_ENABLED(CONFIG_PARAVIRT_SPINLOCKS) && +- !boot_cpu_has(X86_FEATURE_HYPERVISOR)) +- static_branch_disable(&virt_spin_lock_key); ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) ++ static_branch_enable(&virt_spin_lock_key); + } + + static void native_tlb_remove_table(struct mmu_gather *tlb, void *table) -- 2.47.3