From 5473b672c0080ded21fe1d84d6e31a84ab64b3f5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 20 Oct 2024 11:32:53 +0200 Subject: [PATCH] 6.11-stable patches added patches: blk-mq-setup-queue-tag_set-before-initializing-hctx.patch blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch drm-radeon-fix-encoder-possible_clones.patch fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch input-xpad-add-support-for-msi-claw-a1m.patch io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch scsi-mpi3mr-validate-sas-port-assignments.patch scsi-ufs-core-fix-the-issue-of-icu-failure.patch scsi-ufs-core-requeue-aborted-request.patch scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch selftest-hid-add-the-missing-tests-directory.patch ublk-don-t-allow-user-copy-for-unprivileged-device.patch --- ...eue-tag_set-before-initializing-hctx.patch | 55 ++++++ ...s_wait-vs.-rq_qos_wake_function-race.patch | 107 +++++++++++ ...m-radeon-fix-encoder-possible_clones.patch | 50 +++++ ...ism-to-initialize-idle-shadow-stacks.patch | 121 ++++++++++++ ...itdo-ultimate-2c-wireless-controller.patch | 32 ++++ ...ut-xpad-add-support-for-msi-claw-a1m.patch | 41 ++++ ...e-race-on-waiting-for-sqring-entries.patch | 54 ++++++ ...-task_running-when-running-task_work.patch | 65 +++++++ ...mpi3mr-validate-sas-port-assignments.patch | 180 ++++++++++++++++++ ...fs-core-fix-the-issue-of-icu-failure.patch | 64 +++++++ ...csi-ufs-core-requeue-aborted-request.patch | 73 +++++++ ...t-sdev_offline-when-ufs-is-shut-down.patch | 71 +++++++ ...-hid-add-the-missing-tests-directory.patch | 52 +++++ queue-6.11/series | 14 ++ ...ow-user-copy-for-unprivileged-device.patch | 66 +++++++ 15 files changed, 1045 insertions(+) create mode 100644 queue-6.11/blk-mq-setup-queue-tag_set-before-initializing-hctx.patch create mode 100644 queue-6.11/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch create mode 100644 queue-6.11/drm-radeon-fix-encoder-possible_clones.patch create mode 100644 queue-6.11/fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch create mode 100644 queue-6.11/input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch create mode 100644 queue-6.11/input-xpad-add-support-for-msi-claw-a1m.patch create mode 100644 queue-6.11/io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch create mode 100644 queue-6.11/io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch create mode 100644 queue-6.11/scsi-mpi3mr-validate-sas-port-assignments.patch create mode 100644 queue-6.11/scsi-ufs-core-fix-the-issue-of-icu-failure.patch create mode 100644 queue-6.11/scsi-ufs-core-requeue-aborted-request.patch create mode 100644 queue-6.11/scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch create mode 100644 queue-6.11/selftest-hid-add-the-missing-tests-directory.patch create mode 100644 queue-6.11/ublk-don-t-allow-user-copy-for-unprivileged-device.patch diff --git a/queue-6.11/blk-mq-setup-queue-tag_set-before-initializing-hctx.patch b/queue-6.11/blk-mq-setup-queue-tag_set-before-initializing-hctx.patch new file mode 100644 index 00000000000..ba28cb69eba --- /dev/null +++ b/queue-6.11/blk-mq-setup-queue-tag_set-before-initializing-hctx.patch @@ -0,0 +1,55 @@ +From c25c0c9035bb8b28c844dfddeda7b8bdbcfcae95 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 14 Oct 2024 08:51:15 +0800 +Subject: blk-mq: setup queue ->tag_set before initializing hctx + +From: Ming Lei + +commit c25c0c9035bb8b28c844dfddeda7b8bdbcfcae95 upstream. + +Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx") +needs to check queue mapping via tag set in hctx's cpuhp handler. + +However, q->tag_set may not be setup yet when the cpuhp handler is +enabled, then kernel oops is triggered. + +Fix the issue by setup queue tag_set before initializing hctx. + +Cc: stable@vger.kernel.org +Reported-and-tested-by: Rick Koch +Closes: https://lore.kernel.org/linux-block/CANa58eeNDozLaBHKPLxSAhEy__FPfJT_F71W=sEQw49UCrC9PQ@mail.gmail.com +Fixes: 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx") +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20241014005115.2699642-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -4307,6 +4307,12 @@ int blk_mq_init_allocated_queue(struct b + /* mark the queue as mq asap */ + q->mq_ops = set->ops; + ++ /* ++ * ->tag_set has to be setup before initialize hctx, which cpuphp ++ * handler needs it for checking queue mapping ++ */ ++ q->tag_set = set; ++ + if (blk_mq_alloc_ctxs(q)) + goto err_exit; + +@@ -4325,8 +4331,6 @@ int blk_mq_init_allocated_queue(struct b + INIT_WORK(&q->timeout_work, blk_mq_timeout_work); + blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ); + +- q->tag_set = set; +- + q->queue_flags |= QUEUE_FLAG_MQ_DEFAULT; + + INIT_DELAYED_WORK(&q->requeue_work, blk_mq_requeue_work); diff --git a/queue-6.11/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch b/queue-6.11/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch new file mode 100644 index 00000000000..9c0d1bed8f1 --- /dev/null +++ b/queue-6.11/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch @@ -0,0 +1,107 @@ +From e972b08b91ef48488bae9789f03cfedb148667fb Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 15 Oct 2024 10:59:46 -0700 +Subject: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race + +From: Omar Sandoval + +commit e972b08b91ef48488bae9789f03cfedb148667fb upstream. + +We're seeing crashes from rq_qos_wake_function that look like this: + + BUG: unable to handle page fault for address: ffffafe180a40084 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 + Oops: Oops: 0002 [#1] PREEMPT SMP PTI + CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40 + Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00 + RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011 + RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084 + RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011 + R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002 + R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + try_to_wake_up+0x5a/0x6a0 + rq_qos_wake_function+0x71/0x80 + __wake_up_common+0x75/0xa0 + __wake_up+0x36/0x60 + scale_up.part.0+0x50/0x110 + wb_timer_fn+0x227/0x450 + ... + +So rq_qos_wake_function() calls wake_up_process(data->task), which calls +try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock). + +p comes from data->task, and data comes from the waitqueue entry, which +is stored on the waiter's stack in rq_qos_wait(). Analyzing the core +dump with drgn, I found that the waiter had already woken up and moved +on to a completely unrelated code path, clobbering what was previously +data->task. Meanwhile, the waker was passing the clobbered garbage in +data->task to wake_up_process(), leading to the crash. + +What's happening is that in between rq_qos_wake_function() deleting the +waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding +that it already got a token and returning. The race looks like this: + +rq_qos_wait() rq_qos_wake_function() +============================================================== +prepare_to_wait_exclusive() + data->got_token = true; + list_del_init(&curr->entry); +if (data.got_token) + break; +finish_wait(&rqw->wait, &data.wq); + ^- returns immediately because + list_empty_careful(&wq_entry->entry) + is true +... return, go do something else ... + wake_up_process(data->task) + (NO LONGER VALID!)-^ + +Normally, finish_wait() is supposed to synchronize against the waker. +But, as noted above, it is returning immediately because the waitqueue +entry has already been removed from the waitqueue. + +The bug is that rq_qos_wake_function() is accessing the waitqueue entry +AFTER deleting it. Note that autoremove_wake_function() wakes the waiter +and THEN deletes the waitqueue entry, which is the proper order. + +Fix it by swapping the order. We also need to use +list_del_init_careful() to match the list_empty_careful() in +finish_wait(). + +Fixes: 38cfb5a45ee0 ("blk-wbt: improve waking of tasks") +Cc: stable@vger.kernel.org +Signed-off-by: Omar Sandoval +Acked-by: Tejun Heo +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/d3bee2463a67b1ee597211823bf7ad3721c26e41.1729014591.git.osandov@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-rq-qos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/blk-rq-qos.c ++++ b/block/blk-rq-qos.c +@@ -219,8 +219,8 @@ static int rq_qos_wake_function(struct w + + data->got_token = true; + smp_wmb(); +- list_del_init(&curr->entry); + wake_up_process(data->task); ++ list_del_init_careful(&curr->entry); + return 1; + } + diff --git a/queue-6.11/drm-radeon-fix-encoder-possible_clones.patch b/queue-6.11/drm-radeon-fix-encoder-possible_clones.patch new file mode 100644 index 00000000000..e6c9244d619 --- /dev/null +++ b/queue-6.11/drm-radeon-fix-encoder-possible_clones.patch @@ -0,0 +1,50 @@ +From 28127dba64d8ae1a0b737b973d6d029908599611 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Mon, 14 Oct 2024 19:09:36 +0300 +Subject: drm/radeon: Fix encoder->possible_clones +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 28127dba64d8ae1a0b737b973d6d029908599611 upstream. + +Include the encoder itself in its possible_clones bitmask. +In the past nothing validated that drivers were populating +possible_clones correctly, but that changed in commit +74d2aacbe840 ("drm: Validate encoder->possible_clones"). +Looks like radeon never got the memo and is still not +following the rules 100% correctly. + +This results in some warnings during driver initialization: +Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7) +WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c +... + +Cc: Alex Deucher +Cc: amd-gfx@lists.freedesktop.org +Fixes: 74d2aacbe840 ("drm: Validate encoder->possible_clones") +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/dri-devel/20241009000321.418e4294@yea/ +Tested-by: Erhard Furtner +Signed-off-by: Ville Syrjälä +Signed-off-by: Alex Deucher +(cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_encoders.c +@@ -43,7 +43,7 @@ static uint32_t radeon_encoder_clones(st + struct radeon_device *rdev = dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct drm_encoder *clone_encoder; +- uint32_t index_mask = 0; ++ uint32_t index_mask = drm_encoder_mask(encoder); + int count; + + /* DIG routing gets problematic */ diff --git a/queue-6.11/fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch b/queue-6.11/fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch new file mode 100644 index 00000000000..f739cc5b2d7 --- /dev/null +++ b/queue-6.11/fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch @@ -0,0 +1,121 @@ +From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 18 Oct 2024 21:43:00 -0400 +Subject: fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks + +From: Steven Rostedt + +commit 2c02f7375e658ae93d57a31a66f91b62754ef8f1 upstream. + +The function graph infrastructure allocates a shadow stack for every task +when enabled. This includes the idle tasks. The first time the function +graph is invoked, the shadow stacks are created and never freed until the +task exits. This includes the idle tasks. + +Only the idle tasks that were for online CPUs had their shadow stacks +created when function graph tracing started. If function graph tracing is +enabled and a CPU comes online, the idle task representing that CPU will +not have its shadow stack created, and all function graph tracing for that +idle task will be silently dropped. + +Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. +This will include idle tasks for CPUs that come online during tracing. + +This issue can be reproduced by: + + # cd /sys/kernel/tracing + # echo 0 > /sys/devices/system/cpu/cpu1/online + # echo 0 > set_ftrace_pid + # echo function_graph > current_tracer + # echo 1 > options/funcgraph-proc + # echo 1 > /sys/devices/system/cpu/cpu1 + # grep '' per_cpu/cpu1/trace | head + +Before, nothing would show up. + +After: + 1) -0 | 0.811 us | __enqueue_entity(); + 1) -0 | 5.626 us | } /* enqueue_entity */ + 1) -0 | | dl_server_update_idle_time() { + 1) -0 | | dl_scaled_delta_exec() { + 1) -0 | 0.450 us | arch_scale_cpu_capacity(); + 1) -0 | 1.242 us | } + 1) -0 | 1.908 us | } + 1) -0 | | dl_server_start() { + 1) -0 | | enqueue_dl_entity() { + 1) -0 | | task_contending() { + +Note, if tracing stops and restarts, the old way would then initialize +the onlined CPUs. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Mark Rutland +Cc: Thomas Gleixner +Link: https://lore.kernel.org/20241018214300.6df82178@rorschach +Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/fgraph.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/kernel/trace/fgraph.c ++++ b/kernel/trace/fgraph.c +@@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) + static int start_graph_tracing(void) + { + unsigned long **ret_stack_list; +- int ret, cpu; ++ int ret; + + ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); + + if (!ret_stack_list) + return -ENOMEM; + +- /* The cpu_boot init_task->ret_stack will never be freed */ +- for_each_online_cpu(cpu) { +- if (!idle_task(cpu)->ret_stack) +- ftrace_graph_init_idle_task(idle_task(cpu), cpu); +- } +- + do { + ret = alloc_retstack_tasklist(ret_stack_list); + } while (ret == -EAGAIN); +@@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct( + fgraph_direct_gops = &fgraph_stub; + } + ++/* The cpu_boot init_task->ret_stack will never be freed */ ++static int fgraph_cpu_init(unsigned int cpu) ++{ ++ if (!idle_task(cpu)->ret_stack) ++ ftrace_graph_init_idle_task(idle_task(cpu), cpu); ++ return 0; ++} ++ + int register_ftrace_graph(struct fgraph_ops *gops) + { ++ static bool fgraph_initialized; + int command = 0; + int ret = 0; + int i = -1; + + mutex_lock(&ftrace_lock); + ++ if (!fgraph_initialized) { ++ ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", ++ fgraph_cpu_init, NULL); ++ if (ret < 0) { ++ pr_warn("fgraph: Error to init cpu hotplug support\n"); ++ return ret; ++ } ++ fgraph_initialized = true; ++ ret = 0; ++ } ++ + if (!fgraph_array[0]) { + /* The array must always have real data on it */ + for (i = 0; i < FGRAPH_ARRAY_SIZE; i++) diff --git a/queue-6.11/input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch b/queue-6.11/input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch new file mode 100644 index 00000000000..182baf7face --- /dev/null +++ b/queue-6.11/input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch @@ -0,0 +1,32 @@ +From ea330429a04b383bd319c66261a5eca4798801e4 Mon Sep 17 00:00:00 2001 +From: Stefan Kerkmann +Date: Wed, 16 Oct 2024 12:37:06 -0700 +Subject: Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller + +From: Stefan Kerkmann + +commit ea330429a04b383bd319c66261a5eca4798801e4 upstream. + +This XBOX360 compatible gamepad uses the new product id 0x310a under the +8BitDo's vendor id 0x2dc8. The change was tested using the gamepad in a +wired and wireless dongle configuration. + +Signed-off-by: Stefan Kerkmann +Link: https://lore.kernel.org/r/20241015-8bitdo_2c_ultimate_wireless-v1-1-9c9f9db2e995@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -373,6 +373,7 @@ static const struct xpad_device { + { 0x294b, 0x3404, "Snakebyte GAMEPAD RGB X", 0, XTYPE_XBOXONE }, + { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOXONE }, + { 0x2dc8, 0x3106, "8BitDo Pro 2 Wired Controller", 0, XTYPE_XBOX360 }, ++ { 0x2dc8, 0x310a, "8BitDo Ultimate 2C Wireless Controller", 0, XTYPE_XBOX360 }, + { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE }, + { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 }, diff --git a/queue-6.11/input-xpad-add-support-for-msi-claw-a1m.patch b/queue-6.11/input-xpad-add-support-for-msi-claw-a1m.patch new file mode 100644 index 00000000000..89df1a84bfc --- /dev/null +++ b/queue-6.11/input-xpad-add-support-for-msi-claw-a1m.patch @@ -0,0 +1,41 @@ +From 22a18935d7d96bbb1a28076f843c1926d0ba189e Mon Sep 17 00:00:00 2001 +From: John Edwards +Date: Thu, 10 Oct 2024 23:09:23 +0000 +Subject: Input: xpad - add support for MSI Claw A1M + +From: John Edwards + +commit 22a18935d7d96bbb1a28076f843c1926d0ba189e upstream. + +Add MSI Claw A1M controller to xpad_device match table when in xinput mode. +Add MSI VID as XPAD_XBOX360_VENDOR. + +Signed-off-by: John Edwards +Reviewed-by: Derek J. Clark +Reviewed-by: Christopher Snowhill +Link: https://lore.kernel.org/r/20241010232020.3292284-4-uejji@uejji.net +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -218,6 +218,7 @@ static const struct xpad_device { + { 0x0c12, 0x8810, "Zeroplus Xbox Controller", 0, XTYPE_XBOX }, + { 0x0c12, 0x9902, "HAMA VibraX - *FAULTY HARDWARE*", 0, XTYPE_XBOX }, + { 0x0d2f, 0x0002, "Andamiro Pump It Up pad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX }, ++ { 0x0db0, 0x1901, "Micro Star International Xbox360 Controller for Windows", 0, XTYPE_XBOX360 }, + { 0x0e4c, 0x1097, "Radica Gamester Controller", 0, XTYPE_XBOX }, + { 0x0e4c, 0x1103, "Radica Gamester Reflex", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX }, + { 0x0e4c, 0x2390, "Radica Games Jtech Controller", 0, XTYPE_XBOX }, +@@ -493,6 +494,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz Gamepad */ + XPAD_XBOXONE_VENDOR(0x0b05), /* ASUS controllers */ + XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */ ++ XPAD_XBOX360_VENDOR(0x0db0), /* Micro Star International X-Box 360 controllers */ + XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f Xbox 360 controllers */ + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f Xbox One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori controllers */ diff --git a/queue-6.11/io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch b/queue-6.11/io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch new file mode 100644 index 00000000000..68eb5f8e074 --- /dev/null +++ b/queue-6.11/io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch @@ -0,0 +1,54 @@ +From 28aabffae6be54284869a91cd8bccd3720041129 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 15 Oct 2024 08:58:25 -0600 +Subject: io_uring/sqpoll: close race on waiting for sqring entries + +From: Jens Axboe + +commit 28aabffae6be54284869a91cd8bccd3720041129 upstream. + +When an application uses SQPOLL, it must wait for the SQPOLL thread to +consume SQE entries, if it fails to get an sqe when calling +io_uring_get_sqe(). It can do so by calling io_uring_enter(2) with the +flag value of IORING_ENTER_SQ_WAIT. In liburing, this is generally done +with io_uring_sqring_wait(). There's a natural expectation that once +this call returns, a new SQE entry can be retrieved, filled out, and +submitted. However, the kernel uses the cached sq head to determine if +the SQRING is full or not. If the SQPOLL thread is currently in the +process of submitting SQE entries, it may have updated the cached sq +head, but not yet committed it to the SQ ring. Hence the kernel may find +that there are SQE entries ready to be consumed, and return successfully +to the application. If the SQPOLL thread hasn't yet committed the SQ +ring entries by the time the application returns to userspace and +attempts to get a new SQE, it will fail getting a new SQE. + +Fix this by having io_sqring_full() always use the user visible SQ ring +head entry, rather than the internally cached one. + +Cc: stable@vger.kernel.org # 5.10+ +Link: https://github.com/axboe/liburing/discussions/1267 +Reported-by: Benedek Thaler +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -279,7 +279,14 @@ static inline bool io_sqring_full(struct + { + struct io_rings *r = ctx->rings; + +- return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == ctx->sq_entries; ++ /* ++ * SQPOLL must use the actual sqring head, as using the cached_sq_head ++ * is race prone if the SQPOLL thread has grabbed entries but not yet ++ * committed them to the ring. For !SQPOLL, this doesn't matter, but ++ * since this helper is just used for SQPOLL sqring waits (or POLLOUT), ++ * just read the actual sqring head unconditionally. ++ */ ++ return READ_ONCE(r->sq.tail) - READ_ONCE(r->sq.head) == ctx->sq_entries; + } + + static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx) diff --git a/queue-6.11/io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch b/queue-6.11/io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch new file mode 100644 index 00000000000..b0c0c883da8 --- /dev/null +++ b/queue-6.11/io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch @@ -0,0 +1,65 @@ +From 8f7033aa4089fbaf7a33995f0f2ee6c9d7b9ca1b Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 17 Oct 2024 08:31:56 -0600 +Subject: io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work + +From: Jens Axboe + +commit 8f7033aa4089fbaf7a33995f0f2ee6c9d7b9ca1b upstream. + +When the sqpoll is exiting and cancels pending work items, it may need +to run task_work. If this happens from within io_uring_cancel_generic(), +then it may be under waiting for the io_uring_task waitqueue. This +results in the below splat from the scheduler, as the ring mutex may be +attempted grabbed while in a TASK_INTERRUPTIBLE state. + +Ensure that the task state is set appropriately for that, just like what +is done for the other cases in io_run_task_work(). + +do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000029387fd2>] prepare_to_wait+0x88/0x2fc +WARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140 +Modules linked in: +CPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456 +Hardware name: linux,dummy-virt (DT) +pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +pc : __might_sleep+0xf4/0x140 +lr : __might_sleep+0xf4/0x140 +sp : ffff80008c5e7830 +x29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230 +x26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50 +x23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180 +x20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90 +x17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720 +x14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b +x11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000 +x8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001 +x5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180 +Call trace: + __might_sleep+0xf4/0x140 + mutex_lock+0x84/0x124 + io_handle_tw_list+0xf4/0x260 + tctx_task_work_run+0x94/0x340 + io_run_task_work+0x1ec/0x3c0 + io_uring_cancel_generic+0x364/0x524 + io_sq_thread+0x820/0x124c + ret_from_fork+0x10/0x20 + +Cc: stable@vger.kernel.org +Fixes: af5d68f8892f ("io_uring/sqpoll: manage task_work privately") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -322,6 +322,7 @@ static inline int io_run_task_work(void) + if (current->io_uring) { + unsigned int count = 0; + ++ __set_current_state(TASK_RUNNING); + tctx_task_work_run(current->io_uring, UINT_MAX, &count); + if (count) + ret = true; diff --git a/queue-6.11/scsi-mpi3mr-validate-sas-port-assignments.patch b/queue-6.11/scsi-mpi3mr-validate-sas-port-assignments.patch new file mode 100644 index 00000000000..4837b10935a --- /dev/null +++ b/queue-6.11/scsi-mpi3mr-validate-sas-port-assignments.patch @@ -0,0 +1,180 @@ +From b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 Mon Sep 17 00:00:00 2001 +From: Ranjan Kumar +Date: Tue, 8 Oct 2024 13:13:53 +0530 +Subject: scsi: mpi3mr: Validate SAS port assignments + +From: Ranjan Kumar + +commit b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 upstream. + +A sanity check on phy_mask was added in commit 3668651def2c ("scsi: +mpi3mr: Sanitise num_phys"). This causes warning messages when more than +64 phys are detected and devices connected to phys greater than 64 are +dropped. + +The phy_mask bitmap is only needed for controller phys and not required +for expander phys. Controller phys can go up to a maximum of 64 and +therefore u64 is good enough to contain phy_mask bitmap. + +To suppress those warnings and allow devices to be discovered as before +the offending commit, restrict the phy_mask setting and lowest phy +setting only to the controller phys. + +Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202410051943.Mp9o5DlF-lkp@intel.com/ +Reported-by: Alexander Motin +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20241008074353.200379-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr.h | 4 +-- + drivers/scsi/mpi3mr/mpi3mr_transport.c | 42 +++++++++++++++++++++------------ + 2 files changed, 29 insertions(+), 17 deletions(-) + +--- a/drivers/scsi/mpi3mr/mpi3mr.h ++++ b/drivers/scsi/mpi3mr/mpi3mr.h +@@ -541,8 +541,8 @@ struct mpi3mr_hba_port { + * @port_list: List of ports belonging to a SAS node + * @num_phys: Number of phys associated with port + * @marked_responding: used while refresing the sas ports +- * @lowest_phy: lowest phy ID of current sas port +- * @phy_mask: phy_mask of current sas port ++ * @lowest_phy: lowest phy ID of current sas port, valid for controller port ++ * @phy_mask: phy_mask of current sas port, valid for controller port + * @hba_port: HBA port entry + * @remote_identify: Attached device identification + * @rphy: SAS transport layer rphy object +--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c +@@ -590,12 +590,13 @@ static enum sas_linkrate mpi3mr_convert_ + * @mrioc: Adapter instance reference + * @mr_sas_port: Internal Port object + * @mr_sas_phy: Internal Phy object ++ * @host_node: Flag to indicate this is a host_node + * + * Return: None. + */ + static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, + struct mpi3mr_sas_port *mr_sas_port, +- struct mpi3mr_sas_phy *mr_sas_phy) ++ struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) + { + u64 sas_address = mr_sas_port->remote_identify.sas_address; + +@@ -605,9 +606,13 @@ static void mpi3mr_delete_sas_phy(struct + + list_del(&mr_sas_phy->port_siblings); + mr_sas_port->num_phys--; +- mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); +- if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) +- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; ++ ++ if (host_node) { ++ mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); ++ ++ if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) ++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; ++ } + sas_port_delete_phy(mr_sas_port->port, mr_sas_phy->phy); + mr_sas_phy->phy_belongs_to_port = 0; + } +@@ -617,12 +622,13 @@ static void mpi3mr_delete_sas_phy(struct + * @mrioc: Adapter instance reference + * @mr_sas_port: Internal Port object + * @mr_sas_phy: Internal Phy object ++ * @host_node: Flag to indicate this is a host_node + * + * Return: None. + */ + static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc, + struct mpi3mr_sas_port *mr_sas_port, +- struct mpi3mr_sas_phy *mr_sas_phy) ++ struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) + { + u64 sas_address = mr_sas_port->remote_identify.sas_address; + +@@ -632,9 +638,12 @@ static void mpi3mr_add_sas_phy(struct mp + + list_add_tail(&mr_sas_phy->port_siblings, &mr_sas_port->phy_list); + mr_sas_port->num_phys++; +- mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); +- if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) +- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; ++ if (host_node) { ++ mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); ++ ++ if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) ++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; ++ } + sas_port_add_phy(mr_sas_port->port, mr_sas_phy->phy); + mr_sas_phy->phy_belongs_to_port = 1; + } +@@ -675,7 +684,7 @@ static void mpi3mr_add_phy_to_an_existin + if (srch_phy == mr_sas_phy) + return; + } +- mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy); ++ mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy, mr_sas_node->host_node); + return; + } + } +@@ -736,7 +745,7 @@ static void mpi3mr_del_phy_from_an_exist + mpi3mr_delete_sas_port(mrioc, mr_sas_port); + else + mpi3mr_delete_sas_phy(mrioc, mr_sas_port, +- mr_sas_phy); ++ mr_sas_phy, mr_sas_node->host_node); + return; + } + } +@@ -1028,7 +1037,7 @@ mpi3mr_alloc_hba_port(struct mpi3mr_ioc + /** + * mpi3mr_get_hba_port_by_id - find hba port by id + * @mrioc: Adapter instance reference +- * @port_id - Port ID to search ++ * @port_id: Port ID to search + * + * Return: mpi3mr_hba_port reference for the matched port + */ +@@ -1367,7 +1376,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa + mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, + mr_sas_port->remote_identify.sas_address, hba_port); + +- if (mr_sas_node->num_phys >= sizeof(mr_sas_port->phy_mask) * 8) ++ if (mr_sas_node->host_node && mr_sas_node->num_phys >= ++ sizeof(mr_sas_port->phy_mask) * 8) + ioc_info(mrioc, "max port count %u could be too high\n", + mr_sas_node->num_phys); + +@@ -1377,7 +1387,7 @@ static struct mpi3mr_sas_port *mpi3mr_sa + (mr_sas_node->phy[i].hba_port != hba_port)) + continue; + +- if (i >= sizeof(mr_sas_port->phy_mask) * 8) { ++ if (mr_sas_node->host_node && (i >= sizeof(mr_sas_port->phy_mask) * 8)) { + ioc_warn(mrioc, "skipping port %u, max allowed value is %zu\n", + i, sizeof(mr_sas_port->phy_mask) * 8); + goto out_fail; +@@ -1385,7 +1395,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa + list_add_tail(&mr_sas_node->phy[i].port_siblings, + &mr_sas_port->phy_list); + mr_sas_port->num_phys++; +- mr_sas_port->phy_mask |= (1 << i); ++ if (mr_sas_node->host_node) ++ mr_sas_port->phy_mask |= (1 << i); + } + + if (!mr_sas_port->num_phys) { +@@ -1394,7 +1405,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa + goto out_fail; + } + +- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; ++ if (mr_sas_node->host_node) ++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + + if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) { + tgtdev = mpi3mr_get_tgtdev_by_addr(mrioc, diff --git a/queue-6.11/scsi-ufs-core-fix-the-issue-of-icu-failure.patch b/queue-6.11/scsi-ufs-core-fix-the-issue-of-icu-failure.patch new file mode 100644 index 00000000000..cf6a482b03c --- /dev/null +++ b/queue-6.11/scsi-ufs-core-fix-the-issue-of-icu-failure.patch @@ -0,0 +1,64 @@ +From bf0c6cc73f7f91ec70307f7c72343f6cb7d65d01 Mon Sep 17 00:00:00 2001 +From: Peter Wang +Date: Tue, 1 Oct 2024 17:19:16 +0800 +Subject: scsi: ufs: core: Fix the issue of ICU failure + +From: Peter Wang + +commit bf0c6cc73f7f91ec70307f7c72343f6cb7d65d01 upstream. + +When setting the ICU bit without using read-modify-write, SQRTCy will +restart SQ again and receive an RTC return error code 2 (Failure - SQ +not stopped). + +Additionally, the error log has been modified so that this type of error +can be observed. + +Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") +Cc: stable@vger.kernel.org +Signed-off-by: Peter Wang +Link: https://lore.kernel.org/r/20241001091917.6917-2-peter.wang@mediatek.com +Reviewed-by: Bao D. Nguyen +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba + struct scsi_cmnd *cmd = lrbp->cmd; + struct ufs_hw_queue *hwq; + void __iomem *reg, *opr_sqd_base; +- u32 nexus, id, val; ++ u32 nexus, id, val, rtc; + int err; + + if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) +@@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba + opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); + writel(nexus, opr_sqd_base + REG_SQCTI); + +- /* SQRTCy.ICU = 1 */ +- writel(SQ_ICU, opr_sqd_base + REG_SQRTC); ++ /* Initiate Cleanup */ ++ writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, ++ opr_sqd_base + REG_SQRTC); + + /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ + reg = opr_sqd_base + REG_SQRTS; + err = read_poll_timeout(readl, val, val & SQ_CUS, 20, + MCQ_POLL_US, false, reg); +- if (err) +- dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", +- __func__, id, task_tag, +- FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); ++ rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); ++ if (err || rtc) ++ dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", ++ __func__, id, task_tag, err, rtc); + + if (ufshcd_mcq_sq_start(hba, hwq)) + err = -ETIMEDOUT; diff --git a/queue-6.11/scsi-ufs-core-requeue-aborted-request.patch b/queue-6.11/scsi-ufs-core-requeue-aborted-request.patch new file mode 100644 index 00000000000..2ae9f2fb2c8 --- /dev/null +++ b/queue-6.11/scsi-ufs-core-requeue-aborted-request.patch @@ -0,0 +1,73 @@ +From 8fa075804cb3b00960dd5c06554308175c834530 Mon Sep 17 00:00:00 2001 +From: Peter Wang +Date: Tue, 1 Oct 2024 17:19:17 +0800 +Subject: scsi: ufs: core: Requeue aborted request + +From: Peter Wang + +commit 8fa075804cb3b00960dd5c06554308175c834530 upstream. + +After the SQ cleanup fix, the CQ will receive a response with the +corresponding tag marked as OCS: ABORTED. To align with the behavior of +Legacy SDB mode, the handling of OCS: ABORTED has been changed to match +that of OCS_INVALID_COMMAND_STATUS (SDB), with both returning a SCSI +result of DID_REQUEUE. + +Furthermore, the workaround implemented before the SQ cleanup fix can be +removed. + +Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") +Cc: stable@vger.kernel.org +Signed-off-by: Peter Wang +Link: https://lore.kernel.org/r/20241001091917.6917-3-peter.wang@mediatek.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -5403,10 +5403,12 @@ ufshcd_transfer_rsp_status(struct ufs_hb + } + break; + case OCS_ABORTED: +- result |= DID_ABORT << 16; +- break; + case OCS_INVALID_COMMAND_STATUS: + result |= DID_REQUEUE << 16; ++ dev_warn(hba->dev, ++ "OCS %s from controller for tag %d\n", ++ (ocs == OCS_ABORTED ? "aborted" : "invalid"), ++ lrbp->task_tag); + break; + case OCS_INVALID_CMD_TABLE_ATTR: + case OCS_INVALID_PRDT_ATTR: +@@ -6470,26 +6472,12 @@ static bool ufshcd_abort_one(struct requ + struct scsi_device *sdev = cmd->device; + struct Scsi_Host *shost = sdev->host; + struct ufs_hba *hba = shost_priv(shost); +- struct ufshcd_lrb *lrbp = &hba->lrb[tag]; +- struct ufs_hw_queue *hwq; +- unsigned long flags; + + *ret = ufshcd_try_to_abort_task(hba, tag); + dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, + hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, + *ret ? "failed" : "succeeded"); + +- /* Release cmd in MCQ mode if abort succeeds */ +- if (hba->mcq_enabled && (*ret == 0)) { +- hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); +- if (!hwq) +- return 0; +- spin_lock_irqsave(&hwq->cq_lock, flags); +- if (ufshcd_cmd_inflight(lrbp->cmd)) +- ufshcd_release_scsi_cmd(hba, lrbp); +- spin_unlock_irqrestore(&hwq->cq_lock, flags); +- } +- + return *ret == 0; + } + diff --git a/queue-6.11/scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch b/queue-6.11/scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch new file mode 100644 index 00000000000..ed1af86a56b --- /dev/null +++ b/queue-6.11/scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch @@ -0,0 +1,71 @@ +From 19a198b67767d952c8f3d0cf24eb3100522a8223 Mon Sep 17 00:00:00 2001 +From: Seunghwan Baek +Date: Thu, 29 Aug 2024 18:39:13 +0900 +Subject: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down + +From: Seunghwan Baek + +commit 19a198b67767d952c8f3d0cf24eb3100522a8223 upstream. + +There is a history of deadlock if reboot is performed at the beginning +of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS +shutdown, and at that time the audio driver was waiting on +blk_mq_submit_bio() holding a mutex_lock while reading the fw binary. +After that, a deadlock issue occurred while audio driver shutdown was +waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set +SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down +after a UFS shutdown will return an error. + +[ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown] +[ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49] +[ 31.907806]I[0: swapper/0: 0] Call trace: +[ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338 +[ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc +[ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8 +[ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40 +[ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac +[ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24 +[ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec +[ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280 +[ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c +[ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280 +[ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158 +[ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4 +[ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0 +[ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0 +[ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4 +[ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4 + +[ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter] +[ 31.908783]I[0: swapper/0: 0] Call trace: +[ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338 +[ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc +[ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8 +[ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178 +[ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c +[ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c + +Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun") +Cc: stable@vger.kernel.org +Signed-off-by: Seunghwan Baek +Link: https://lore.kernel.org/r/20240829093913.6282-2-sh8267.baek@samsung.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10214,7 +10214,9 @@ static void ufshcd_wl_shutdown(struct de + shost_for_each_device(sdev, hba->host) { + if (sdev == hba->ufs_device_wlun) + continue; +- scsi_device_quiesce(sdev); ++ mutex_lock(&sdev->state_mutex); ++ scsi_device_set_state(sdev, SDEV_OFFLINE); ++ mutex_unlock(&sdev->state_mutex); + } + __ufshcd_wl_suspend(hba, UFS_SHUTDOWN_PM); + diff --git a/queue-6.11/selftest-hid-add-the-missing-tests-directory.patch b/queue-6.11/selftest-hid-add-the-missing-tests-directory.patch new file mode 100644 index 00000000000..e5e9bc9d63f --- /dev/null +++ b/queue-6.11/selftest-hid-add-the-missing-tests-directory.patch @@ -0,0 +1,52 @@ +From fe05c40ca9c18cfdb003f639a30fc78a7ab49519 Mon Sep 17 00:00:00 2001 +From: Yun Lu +Date: Tue, 15 Oct 2024 17:15:20 +0800 +Subject: selftest: hid: add the missing tests directory + +From: Yun Lu + +commit fe05c40ca9c18cfdb003f639a30fc78a7ab49519 upstream. + +Commit 160c826b4dd0 ("selftest: hid: add missing run-hid-tools-tests.sh") +has added the run-hid-tools-tests.sh script for it to be installed, but +I forgot to add the tests directory together. + +If running the test case without the tests directory, will results in +the following error message: + + make -C tools/testing/selftests/ TARGETS=hid install \ + INSTALL_PATH=$KSFT_INSTALL_PATH + cd $KSFT_INSTALL_PATH + ./run_kselftest.sh -t hid:hid-core.sh + + /usr/lib/python3.11/site-packages/_pytest/config/__init__.py:331: PluggyTeardownRaisedWarning: A plugin raised an exception during an old-style hookwrapper teardown. + Plugin: helpconfig, Hook: pytest_cmdline_parse + UsageError: usage: __main__.py [options] [file_or_dir] [file_or_dir] [...] + __main__.py: error: unrecognized arguments: --udevd + inifile: None + rootdir: /root/linux/kselftest_install/hid + +In fact, the run-hid-tools-tests.sh script uses the scripts in the tests +directory to run tests. The tests directory also needs to be added to be +installed. + +Fixes: ffb85d5c9e80 ("selftests: hid: import hid-tools hid-core tests") +Cc: stable@vger.kernel.org +Signed-off-by: Yun Lu +Acked-by: Benjamin Tissoires +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/hid/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/hid/Makefile ++++ b/tools/testing/selftests/hid/Makefile +@@ -18,6 +18,7 @@ TEST_PROGS += hid-usb_crash.sh + TEST_PROGS += hid-wacom.sh + + TEST_FILES := run-hid-tools-tests.sh ++TEST_FILES += tests + + CXX ?= $(CROSS_COMPILE)g++ + diff --git a/queue-6.11/series b/queue-6.11/series index 0fa2655b63a..0637db3c50a 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -43,3 +43,17 @@ x86-cpufeatures-add-a-ibpb_no_ret-bug-flag.patch x86-entry-have-entry_ibpb-invalidate-return-predictions.patch x86-bugs-skip-rsb-fill-at-vmexit.patch x86-bugs-do-not-use-untrain_ret-with-ibpb-on-entry.patch +fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch +input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch +blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch +io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch +blk-mq-setup-queue-tag_set-before-initializing-hctx.patch +ublk-don-t-allow-user-copy-for-unprivileged-device.patch +io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch +selftest-hid-add-the-missing-tests-directory.patch +input-xpad-add-support-for-msi-claw-a1m.patch +scsi-mpi3mr-validate-sas-port-assignments.patch +scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch +scsi-ufs-core-fix-the-issue-of-icu-failure.patch +scsi-ufs-core-requeue-aborted-request.patch +drm-radeon-fix-encoder-possible_clones.patch diff --git a/queue-6.11/ublk-don-t-allow-user-copy-for-unprivileged-device.patch b/queue-6.11/ublk-don-t-allow-user-copy-for-unprivileged-device.patch new file mode 100644 index 00000000000..2ba10bfaf5b --- /dev/null +++ b/queue-6.11/ublk-don-t-allow-user-copy-for-unprivileged-device.patch @@ -0,0 +1,66 @@ +From 42aafd8b48adac1c3b20fe5892b1b91b80c1a1e6 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Wed, 16 Oct 2024 21:48:47 +0800 +Subject: ublk: don't allow user copy for unprivileged device + +From: Ming Lei + +commit 42aafd8b48adac1c3b20fe5892b1b91b80c1a1e6 upstream. + +UBLK_F_USER_COPY requires userspace to call write() on ublk char +device for filling request buffer, and unprivileged device can't +be trusted. + +So don't allow user copy for unprivileged device. + +Cc: stable@vger.kernel.org +Fixes: 1172d5b8beca ("ublk: support user copy") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20241016134847.2911721-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/ublk_drv.c | 11 ++++++++++- + include/uapi/linux/ublk_cmd.h | 8 +++++++- + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -2381,10 +2381,19 @@ static int ublk_ctrl_add_dev(struct io_u + * TODO: provide forward progress for RECOVERY handler, so that + * unprivileged device can benefit from it + */ +- if (info.flags & UBLK_F_UNPRIVILEGED_DEV) ++ if (info.flags & UBLK_F_UNPRIVILEGED_DEV) { + info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE | + UBLK_F_USER_RECOVERY); + ++ /* ++ * For USER_COPY, we depends on userspace to fill request ++ * buffer by pwrite() to ublk char device, which can't be ++ * used for unprivileged device ++ */ ++ if (info.flags & UBLK_F_USER_COPY) ++ return -EINVAL; ++ } ++ + /* the created device is always owned by current user */ + ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid); + +--- a/include/uapi/linux/ublk_cmd.h ++++ b/include/uapi/linux/ublk_cmd.h +@@ -175,7 +175,13 @@ + /* use ioctl encoding for uring command */ + #define UBLK_F_CMD_IOCTL_ENCODE (1UL << 6) + +-/* Copy between request and user buffer by pread()/pwrite() */ ++/* ++ * Copy between request and user buffer by pread()/pwrite() ++ * ++ * Not available for UBLK_F_UNPRIVILEGED_DEV, otherwise userspace may ++ * deceive us by not filling request buffer, then kernel uninitialized ++ * data may be leaked. ++ */ + #define UBLK_F_USER_COPY (1UL << 7) + + /* -- 2.47.3