From 5e6014141eed0d05eec5a05e4bdb1f5c48471099 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 26 May 2024 13:03:58 -0400 Subject: [PATCH] Fixes for 6.9 Signed-off-by: Sasha Levin --- ...-indicate-support-for-_tfp-thru-_osc.patch | 52 + ...e-support-for-irq-resourcesource-thr.patch | 51 + ...e-support-for-more-than-16-p-states-.patch | 51 + ...e-support-for-the-generic-event-devi.patch | 52 + .../acpi-disable-wstringop-truncation.patch | 48 + ...-generic-initiator-affinity-_osc-bit.patch | 40 + ...ise-number-of-chip-selects-via-prope.patch | 35 + ...-call-packet_read_pending-from-tpack.patch | 49 + ...-races-in-unix_release_sock-unix_str.patch | 76 + ...-remove-speaker-id-for-lenovo-legion.patch | 44 + ...arm-configs-sunxi-enable-drm_dw_hdmi.patch | 41 + ...ecessary-irqflags-alternative.h-incl.patch | 37 + ...l-avs-fix-asrc-module-initialization.patch | 36 + ...vs-fix-debug-slot-offset-calculation.patch | 46 + ...l-avs-fix-potential-integer-overflow.patch | 41 + ...restore-stream-decoupling-on-prepare.patch | 57 + ...s-ssm4567-do-not-ignore-route-checks.patch | 36 + ...-test-result-of-avs_get_module_entry.patch | 59 + ...able-route-checks-for-skylake-boards.patch | 209 +++ ...kwood-fix-potential-null-dereference.patch | 41 + ...sign-dummy-when-codec-not-specified-.patch | 45 + ...da-dai-fix-channel-map-configuration.patch | 92 ++ ...sof-intel-lnl-correct-rom_status_reg.patch | 79 + ...sof-intel-mtl-correct-rom_status_reg.patch | 71 + ...tl-disable-interrupts-when-firmware-.patch | 40 + ...tl-implement-firmware-boot-state-che.patch | 88 ++ ...ort-snd_soc_dapm_dir_out-to-its-valu.patch | 48 + ...rence-count-leak-issue-of-net_device.patch | 53 + ...erence-count-leak-issues-of-ax25_dev.patch | 74 + ...universal-linked-list-to-implement-a.patch | 163 ++ .../bitops-add-missing-prototype-check.patch | 40 + ...simplify-blkdevparts-cmdline-parsing.patch | 208 +++ ...-the-eof-check-in-blkdev_iomap_begin.patch | 43 + ...upport-to-account-io_ticks-precisely.patch | 152 ++ ...e-le-flow-credits-based-on-recvbuf-s.patch | 388 +++++ ...bluetooth-hci-remove-hci_amp-support.patch | 1398 +++++++++++++++++ ...nn-hci_sync-use-__counted_by-to-avoi.patch | 335 ++++ ...re-fix-not-handling-hdev-le_num_of_a.patch | 134 ++ ...iso-make-iso_get_sock_listen-generic.patch | 198 +++ ...x-error-code-in-qca_read_fw_build_in.patch | 39 + ...ift-undefined-behavior-in-bnxt_qplib.patch | 122 ++ ..._type_cgroup_skb-attach-type-enforce.patch | 50 + ...verifier-assumptions-about-socket-sk.patch | 220 +++ .../bpf-pack-struct-bpf_fib_lookup.patch | 74 + ...register-from-being-marked-as-precis.patch | 58 + ...ol-fix-missing-pids-during-link-show.patch | 89 ++ ...ffs-on-provided-dir-instead-of-paren.patch | 264 ++++ ...on-clone-before-calling-copy_extent_.patch | 94 ++ ...k-mediatek-mt8365-mm-fix-dpi0-parent.patch | 52 + ...fh-don-t-log-error-for-missing-fhctl.patch | 52 + ...pss-ipq-pll-fix-pll-rate-for-ipq5018.patch | 48 + ...ha-pll-remove-invalid-stromer-regist.patch | 51 + ...dispcc-sm6350-fix-displayport-clocks.patch | 65 + ...dispcc-sm8450-fix-displayport-clocks.patch | 109 ++ ...dispcc-sm8550-fix-displayport-clocks.patch | 110 ++ ...dispcc-sm8650-fix-displayport-clocks.patch | 110 ++ ...com-fix-sc_camcc_8280xp-dependencies.patch | 46 + ...-qcom-fix-sm_gpucc_8650-dependencies.patch | 46 + ...m-mmcc-msm8998-fix-venus-clock-issue.patch | 114 ++ ...esas-r8a779a0-fix-canfd-parent-clock.patch | 40 + ...7g043-add-clock-and-reset-entry-for-.patch | 59 + ...ng-default-value-for-clock-amplitude.patch | 72 + ...osautov9-fix-wrong-pll-clock-id-valu.patch | 47 + ...1-propagate-peric0-usi-spi-clock-rat.patch | 290 ++++ ...1-propagate-peric1-usi-spi-clock-rat.patch | 189 +++ ...ix-possible-null-pointer-dereference.patch | 65 + ...avs-cpufreq-iso-c90-forbids-mixed-de.patch | 44 + .../cpufreq-exit-callback-is-optional.patch | 58 + .../crypto-bcm-fix-pointer-arithmetic.patch | 40 + ...rypto-ccp-drop-platform-ifdef-checks.patch | 94 ++ ...-add-missing-check-for-dma_map_singl.patch | 39 + ...ve-error-logging-to-be-consistent-ac.patch | 37 + ...ve-error-message-in-adf_get_arbiter_.patch | 50 + ...qat-specify-firmware-files-for-402xx.patch | 43 + ...validate-slices-count-returned-by-fw.patch | 101 ++ ...o-x86-nh-avx2-add-missing-vzeroupper.patch | 36 + ...6-sha256-avx2-add-missing-vzeroupper.patch | 37 + ...6-sha512-avx2-add-missing-vzeroupper.patch | 37 + ...use-down_write_killable-for-non-user.patch | 46 + ...cking-for-unregister_dax_dev-unregis.patch | 138 ++ ...ce-warn_on_once-with-lockdep-asserts.patch | 120 ++ ...e-right-locking-mode-read-vs-write-i.patch | 46 + ...dev_printk-add-and-use-dev_no_printk.patch | 98 ++ ...user-space-lock-decision-to-copy-lvb.patch | 143 ++ ...hung-task-introduced-by-kthread-mode.patch | 43 + .../dm-delay-fix-max_delay-calculations.patch | 51 + ...delay-fix-workqueue-delay_timer-race.patch | 55 + ...l-fix-return-value-check-for-kmemdup.patch | 40 + ...i-hns3-actually-use-devm_add_action_.patch | 43 + ...i-hns3-fix-out-of-bound-access-when-.patch | 70 + ...i_pcie-fix-out-of-bound-access-when-.patch | 69 + ...n-fix-pfnmap-pte-checks-in-acrn_vm_r.patch | 195 +++ ...fix-potential-index-out-of-bounds-in.patch | 58 + ...remove-redundant-condition-in-dcn35_.patch | 51 + ...ix-a-possible-null-pointer-dereferen.patch | 42 + ...25-don-t-log-an-error-when-dsi-host-.patch | 49 + ...25-update-audio-status-while-detecti.patch | 54 + ...mhdp8546-fix-possible-null-pointer-d.patch | 43 + ...33-don-t-log-an-error-when-dsi-host-.patch | 80 + ...mproper-bridge-init-order-with-pre_e.patch | 154 ++ ...11-don-t-log-an-error-when-dsi-host-.patch | 49 + ...2b-don-t-log-an-error-when-dsi-host-.patch | 49 + ...1-don-t-log-an-error-when-dsi-host-c.patch | 50 + ...1uxc-don-t-log-an-error-when-dsi-hos.patch | 51 + ...775-don-t-log-an-error-when-dsi-host.patch | 49 + ...date-device-type-for-volteer-devices.patch | 52 + ...opology-block-for-all-dispid-structu.patch | 83 + ...-imagination-avoid-woverflow-warning.patch | 64 + ...-disable-clocks-on-already-suspended.patch | 61 + ...-add-0-size-check-to-mtk_drm_gem_obj.patch | 44 + ...atek-init-ddp_comp-with-devm_kcalloc.patch | 60 + ...ix-calculation-of-59.94-fractional-r.patch | 65 + ...-correct-return-type-for-the-dsc-fun.patch | 69 + ...nt-for-the-timeout-in-wait_hpd_asser.patch | 97 ++ ...llow-voltage-swing-pre-emphasis-of-3.patch | 138 ++ ...-a-long-timeout-for-aux-transfer-if-.patch | 133 ++ ...ix-incorrect-return-code-in-r535_dp_.patch | 48 + ...fix-console-by-implementing-fb_dirty.patch | 54 + ...mapdrm-fix-console-with-deferred-ops.patch | 156 ++ ...xc20-fix-unbalanced-regulator-in-the.patch | 74 + ...d-prepare_to_enable-to-200ms-for-mnc.patch | 56 + ...h3146w-add-mipi_dsi_mode_video-to-lt.patch | 44 + ...h3146w-drop-duplicate-commands-from-.patch | 41 + ...k-nt35950-don-t-log-an-error-when-ds.patch | 49 + ...-add-missing-innolux-g121x1-l03-form.patch | 50 + ...2-do-not-divide-height-twice-for-yuv.patch | 83 + ...ix-possible-null-pointer-dereference.patch | 39 + ...mal-loongson-ls2k-thermal-add-loongs.patch | 40 + ...mal-loongson-ls2k-thermal-fix-incorr.patch | 83 + ...fs-fix-buffer-size-for-tag-66-packet.patch | 116 ++ ...mmon-allow-decoding-of-sgx-addresses.patch | 43 + ...enetc-avoid-truncating-error-message.patch | 41 + ...e-.ndo_poll_controller-to-avoid-dead.patch | 67 + ...sive-credit-estimate-in-ext4_tmpfile.patch | 52 + ...-fix-potential-unnitialized-variable.patch | 40 + ...move-the-redundant-folio_wait_stable.patch | 42 + .../fbdev-sh7760fb-allow-modular-build.patch | 50 + ...dev-shmobile-fix-snprintf-truncation.patch | 40 + .../fbdev-sisfb-hide-unused-variables.patch | 68 + ...m-fix-unused-qcom_scm_qseecom_allowl.patch | 44 + ...m-fix-__scm-and-waitq-completion-var.patch | 70 + ...rypi-use-correct-device-for-dma-mapp.patch | 65 + queue-6.9/gfs2-do_xmote-fixes.patch | 128 ++ ...-forget-to-complete-delayed-withdraw.patch | 39 + queue-6.9/gfs2-finish_xmote-cleanup.patch | 108 ++ ...gnore-unlock-failures-after-withdraw.patch | 63 + ...tial-glock-use-after-free-on-unmount.patch | 227 +++ ...-remove-ill-placed-consistency-check.patch | 37 + ...o-nuvoton-fix-sgpio-irq-handle-error.patch | 55 + ...h-handle-no-sensors-in-pm-operations.patch | 52 + ...d-ipc-add-check-for-pci_alloc_irq_ve.patch | 41 + ...2-put-ip-into-rpm-suspend-on-failure.patch | 56 + .../hwrng-stm32-repair-clock-handling.patch | 79 + ...-stm32-use-logical-or-in-conditional.patch | 37 + ...write64_copy-for-write-combining-sto.patch | 83 + .../ice-fix-package-download-algorithm.patch | 56 + ...-over-ethtool-tcp-data-split-setting.patch | 53 + ...ix-inet_fill_ifaddr-flags-truncation.patch | 77 + ...-next_work-before-dropping-acct_lock.patch | 76 + ...ing-net-fix-sendzc-lazy-wake-polling.patch | 37 + ...-right-type-for-work_llist-empty-che.patch | 37 + ...-guest-translation-after-reading-iom.patch | 65 + ...-attachment-only-for-the-devices-tha.patch | 86 + ...ple-igfx_off-from-graphic-identity-m.patch | 139 ++ .../ipv6-sr-add-missing-seg6_local_exit.patch | 38 + ...v6-sr-fix-incorrect-unregister-order.patch | 39 + ...sr-fix-invalid-unregister-error-path.patch | 46 + ...si-fix-off-by-one-in-allocation-erro.patch | 40 + ...-pch-msi-fix-off-by-one-on-allocatio.patch | 41 + ...ttr-node-from-overflowing-the-eraseb.patch | 81 + ...arly-in-__kunit_test_suites_init-if-.patch | 47 + queue-6.9/kunit-fix-kthread-reference.patch | 70 + ...y-fix-mismatched-kvalloc-vfree-usage.patch | 64 + ...x-replaced-failure-path-to-unbreak-_.patch | 82 + ...kunit-unregister-the-device-on-error.patch | 39 + ...error-handling-for-udp-encap-sockets.patch | 133 ++ ...andle-src_pfns-and-dst_pfns-allocati.patch | 62 + ...error-message-in-attach_kprobe_multi.patch | 37 + ...eature-detectors-when-using-token_fd.patch | 57 + ...ull-pointer-dereference-when-prog-to.patch | 57 + .../libfs-add-simple_offset_rename-api.patch | 85 + ...fs-fix-simple_offset_rename_exchange.patch | 85 + ...ble-cfi-checking-for-perms-functions.patch | 59 + ...86-correct-the-definition-of-__arch_.patch | 40 + ...nlock-race-in-kernel-thread-creation.patch | 77 + ...m68k-mac-fix-reboot-hang-on-mac-iici.patch | 99 ++ ...68k-move-arch_has_cpu_cache_aliasing.patch | 38 + ...cii-fix-bug-sleeping-function-called.patch | 59 + ...ftlockup-when-bitmap-size-is-less-th.patch | 93 ++ ...h_css-fix-a-null-pointer-dereference.patch | 52 + ...i2rx-configure-dphy-before-starting-.patch | 91 ++ ...s-ovti-ov2680-fix-the-power-supply-n.patch | 77 + ...-don-t-strip-remove-function-when-dr.patch | 57 + .../media-ipu3-cio2-request-irq-earlier.patch | 52 + ...dvb_ca_en50221_init-return-value-che.patch | 40 + ...o-shark2-avoid-led_names-truncations.patch | 40 + ...ork-around-wenum-compare-conditional.patch | 47 + ...deo-add-quirk-for-logitech-rally-bar.patch | 106 ++ ...dev-fix-stream-handling-for-crop-api.patch | 47 + .../mlx5-avoid-truncating-error-message.patch | 41 + .../mlx5-stop-warning-for-64kb-pages.patch | 57 + ...m-ksm-fix-ksm-exec-support-for-prctl.patch | 116 ++ ...e-inverted-data-to-corrupt-kmem-cach.patch | 69 + ...o-not-place-zeropages-when-zeropages.patch | 95 ++ ...-.export_symbol-section-from-the-fin.patch | 35 + ...ptcp-fix-full-tcp-keep-alive-support.patch | 157 ++ ...-so_keepalive-fix-getsockopt-support.patch | 53 + ...error-if-first-mtd_otp_size-call-fai.patch | 44 + queue-6.9/mtd-rawnand-hynix-fixed-typo.patch | 43 + ...t-bridge-mst-fix-vlan-use-after-free.patch | 123 ++ ...make-sure-we-have-at-least-eth-heade.patch | 90 ++ ...x-add-support-for-model-specific-pre.patch | 234 +++ ...x-avoid-eeprom-timeout-without-eepro.patch | 173 ++ .../net-ethernet-cortina-locking-fixes.patch | 86 + ...iatek-split-tx-and-rx-fields-in-mtk_.patch | 618 ++++++++ ...iatek-use-admav1-instead-of-admav2.0.patch | 138 ++ ...ndo_poll_controller-to-avoid-deadloc.patch | 75 + ...ances-to-rcu-in-netdev_wait_allrefs_.patch | 54 + ...ng-start-position-when-receive-hop-b.patch | 41 + ...eceiving-the-timestamp-in-the-frame-.patch | 44 + ...imeout-to-acquire-the-command-queue-.patch | 156 ++ ...-command-completions-in-internal-err.patch | 75 + ...r-devlink-set-for-sf-representor-dev.patch | 166 ++ ...only-ib-representors-upon-lag-disabl.patch | 222 +++ .../net-mlx5e-fix-netif-state-handling.patch | 154 ++ ...fix-overwriting-ct-original-tuple-fo.patch | 86 + queue-6.9/net-qrtr-ns-fix-module-refcnt.patch | 83 + ...e-the-est-lock-to-struct-stmmac_priv.patch | 192 +++ .../net-txgbe-fix-to-control-vlan-strip.patch | 278 ++++ ...sc95xx-stop-lying-about-skb-truesize.patch | 87 + ...sr9700-stop-lying-about-skb-truesize.patch | 59 + ...et-wangxun-fix-to-change-rx-features.patch | 47 + ...un-match-vlan-ctag-and-stag-features.patch | 123 ++ ...ix-possible-dead-lock-in-nr_rt_ioctl.patch | 192 +++ ...e-nfsv4recoverydir-in-nfsdfs-when-no.patch | 68 + .../nilfs2-fix-out-of-range-warning.patch | 45 + ...rblock-data-array-index-computation-.patch | 73 + ...sing-mutex_destroy-at-module-removal.patch | 37 + ...buffer-overflow-check-in-of_modalias.patch | 50 + ...nish-conversion-to-the-new-mount-api.patch | 58 + ...on-t-send-signals-to-kernel-mode-thr.patch | 91 ++ .../openrisc-use-do_kernel_power_off.patch | 58 + ...c-add-missing-export-of-__cmpxchg_u8.patch | 36 + ...omi-wmi-fix-race-condition-when-repo.patch | 95 ++ ...e-simplify-charge_behaviour-formatti.patch | 73 + ...c-fsl-soc-hide-unused-const-variable.patch | 48 + .../printk-let-no_printk-use-_printk.patch | 55 + queue-6.9/ptp-ocp-fix-dpll-functions.patch | 55 + ...-check-for-error-from-clk_round_rate.patch | 62 + ...l_u64_u64_div_u64-for-frequency-calc.patch | 51 + ...-probe-function-using-devm-functions.patch | 115 ++ ...d-avoid-truncating-work-queue-length.patch | 58 + ...fer-overflow-in-print_cpu_stall_info.patch | 51 + ...ow_rcu_tasks_trace_gp_kthread-buffer.patch | 45 + ...mleak-in-rdma_core-observed-during-b.patch | 77 + ..._ah-and-cq-moderation-capacities-in-.patch | 92 ++ ...hns-fix-deadlock-on-srq-async-events.patch | 69 + .../rdma-hns-fix-gmv-table-pagesize.patch | 39 + ...-hns-fix-mismatch-exception-rollback.patch | 38 + ...x-return-value-in-hns_roce_map_mr_sg.patch | 75 + .../rdma-hns-fix-uaf-for-cq-async-event.patch | 91 ++ ...-modify-the-print-level-of-cqe-error.patch | 42 + ...s-use-complete-parentheses-in-macros.patch | 52 + ...format-truncation-compilation-errors.patch | 66 + ...ndary-check-before-installing-cq-cal.patch | 37 + ...roduce-helpers-to-create-and-destroy.patch | 109 ++ ..._ib-use-struct-mana_ib_queue-for-cqs.patch | 231 +++ ...-remote-atomic-access-flag-to-updata.patch | 39 + ...lx5-change-check-for-cacheable-mkeys.patch | 103 ++ ...eable-mkey-has-neither-rb_key-or-cac.patch | 38 + ...ow-good-work-requests-to-be-executed.patch | 58 + ...-fix-incorrect-rxe_put-in-error-path.patch | 55 + ...-fix-seg-fault-in-rxe_comp_queue_pkt.patch | 52 + ...-compile-kselftest-headers-with-d_gn.patch | 73 + ...-sgx-include-khdr_includes-in-makefi.patch | 54 + ...-calling-csum_partial-with-misaligne.patch | 187 +++ ...v-fix-the-typo-in-scountovf-csr-name.patch | 60 + ...some-atomic-operations-fully-ordered.patch | 97 ++ ...a-barrier-for-bpf_fetch-instructions.patch | 62 + ...fix-tracepoint-subchannel-type-field.patch | 38 + ...e-the-shared-zeropage-for-pv-and-ske.patch | 369 +++++ ....s-drop-.hash-and-.gnu.hash-for-conf.patch | 46 + ...-fix-incorrect-free-in-populate_rule.patch | 51 + ...ncorrect-initialization-of-the-burst.patch | 71 + ...as-checks-before-updating-root_domai.patch | 148 ++ ...-disabling-sched_balance_newidle-wit.patch | 64 + ...ure-the-copied-buf-is-nul-terminated.patch | 49 + ...location-size-for-scsi_host-private-.patch | 41 + ...the-failure-of-adding-phy-with-zero-.patch | 55 + ...ure-the-copied-buf-is-nul-terminated.patch | 40 + ...-debugfs-output-for-fw_resource_coun.patch | 43 + ...tfrm-perform-read-back-after-writing.patch | 50 + ...s-core-mcq-fix-ufshcd_mcq_sqe_search.patch | 50 + ...rform-read-back-after-disabling-inte.patch | 53 + ...rform-read-back-after-disabling-uic_.patch | 52 + ...rform-read-back-after-writing-utp_ta.patch | 53 + ...rform-read-back-after-writing-cgc-en.patch | 51 + ...rform-read-back-after-writing-reg_uf.patch | 51 + ...rform-read-back-after-writing-reset-.patch | 71 + ...rform-read-back-after-writing-unipro.patch | 52 + ...fs-use-the-makefile-s-rules-not-make.patch | 71 + ...x-a-fd-leak-in-error-paths-in-open_n.patch | 40 + ...x-pointer-arithmetic-in-test_xdp_do_.patch | 62 + ...x-umount-cgroup2-error-in-test_sockm.patch | 43 + ...n-cgroup1_hierarchy-test-in-own-moun.patch | 92 ++ ...-skip-test_cgcore_lesser_ns_open-whe.patch | 221 +++ ...e-kselftest-headers-with-d_gnu_sourc.patch | 82 + ..._damon_sysfs-check-errors-from-nr_sc.patch | 39 + ...default-to-host-arch-for-llvm-builds.patch | 85 + ...lftests-kcmp-remove-unused-open-mode.patch | 42 + ...ktap_helpers-make-it-posix-compliant.patch | 53 + ...ts-net-add-missing-config-for-amt.sh.patch | 35 + ...idge-increase-igmp-mld-exclude-timeo.patch | 82 + ...b-no-need-to-record-ns-name-if-it-al.patch | 56 + ...ve-amt-to-socat-for-better-compatibi.patch | 77 + ...power_supply-make-it-posix-compliant.patch | 43 + ...l-fix-clang-build-failure-use-local_.patch | 60 + ...gx-include-khdr_includes-in-makefile.patch | 58 + queue-6.9/series | 386 +++++ ...-arch_copy_kprobe-into-arch_prepare_.patch | 53 + queue-6.9/shmem-fix-shmem_rename2.patch | 55 + ...-cmdq-fix-typo-of-cmdq_jump_relative.patch | 49 + ...ink-don-t-traverse-clients-list-with.patch | 56 + ..._glink-make-client-lock-non-sleeping.patch | 142 ++ ...ink-notify-clients-about-the-current.patch | 48 + ...arfive-remove-links-when-unregisteri.patch | 40 + .../sunrpc-fix-gss_free_in_token_pages.patch | 78 + ...sunrpc-removed-redundant-procp-check.patch | 39 + ...d-premature-drops-in-tcp_add_backlog.patch | 87 + ...crease-the-default-tcp-scaling-ratio.patch | 71 + ...avoid-excessive-updates-of-trip-poin.patch | 86 + ...create-records-for-cdev-states-as-th.patch | 50 + ...pass-cooling-device-state-to-thermal.patch | 131 ++ ...mediatek-lvts_thermal-add-coeff-for-.patch | 45 + ...s-tsens-fix-null-pointer-dereference.patch | 42 + ...events-fix-non-spaced-field-matching.patch | 139 ++ ...l-to-compute_score-on-multiple-sites.patch | 164 ++ ...aqc111-stop-lying-about-skb-truesize.patch | 55 + .../virt-acrn-stop-using-follow_pfn.patch | 71 + ...-enable-proper-endpoint-verification.patch | 99 ++ ...an-error-code-problem-in-ath10k_dbg_.patch | 43 + ...-service-ready-message-before-failin.patch | 81 + ...h10k-populate-board-data-for-wcn3990.patch | 65 + ...t-force-enable-power-save-on-non-run.patch | 94 ++ ...out-of-bound-access-of-qmi_invoke_ha.patch | 72 + ...correct-flag-field-for-320-mhz-chann.patch | 44 + ...ie-handle-randbuf-allocation-failure.patch | 71 + ...d-a-proper-sanity-check-for-endpoint.patch | 97 ++ ...9170-re-fix-fortified-memset-warning.patch | 60 + ...gnore-non-tx-bsss-in-per-sta-profile.patch | 160 ++ ...ix-ieee80211_mle_basic_sta_prof_size.patch | 45 + ...-allocate-sta-links-only-for-active-.patch | 50 + ...-calculate-emlsr-mode-after-connecti.patch | 177 +++ ...-do-not-warn-on-invalid-link-on-scan.patch | 44 + ...-don-t-always-disable-emlsr-due-to-b.patch | 203 +++ ...-fix-active-link-counting-during-rec.patch | 87 + ...-fix-check-in-iwl_mvm_sta_fw_id_mask.patch | 41 + ...iwlwifi-mvm-init-vif-works-only-once.patch | 116 ++ ...ifi-mvm-introduce-esr_disable_reason.patch | 216 +++ ...-select-sta-mask-only-for-active-lin.patch | 72 + ...-set-wider-bw-ofdma-ignore-correctly.patch | 55 + ...fi-reconfigure-tlc-during-hw-restart.patch | 45 + ...n-t-select-link-id-if-not-provided-i.patch | 56 + ...ansmit-deauth-only-if-link-is-availa.patch | 257 +++ ...-check-for-null-before-dereferencing.patch | 37 + ...-use-muar-idx-0xe-for-non-mt799x-as-.patch | 35 + ...-add-wpdma-tx-eof-flag-for-pse-clien.patch | 33 + ...603-fix-tx-queue-of-loopback-packets.patch | 109 ++ ...-workaround-too-long-expansion-spars.patch | 62 + ...-ensure-4-byte-alignment-for-suspend.patch | 49 + ...-fix-potential-memory-leakage-when-r.patch | 49 + ...7996-fix-size-of-txpower-mcu-command.patch | 68 + ...-fix-uninitialized-variable-in-mt799.patch | 37 + ...i-mwl8k-initialize-cmd-addr-properly.patch | 38 + ...id-address-calculations-via-out-of-b.patch | 70 + ...efine-wowlan-flows-of-hci-interrupts.patch | 108 ++ ...r-most-of-cr4-in-startup_64-except-p.patch | 74 + ...relocations-in-.notes-sections-in-wa.patch | 54 + ...fred-fix-typo-in-kconfig-description.patch | 39 + ...-versions-of-vpdpbusd-vpdpbusds-vpdp.patch | 75 + ...h-instruction-in-x86-instruction-dec.patch | 98 ++ ...d-avoid-wformat-warning-with-clang-1.patch | 49 + ...t-lookup-of-cfmws-ranges-with-numa_f.patch | 118 ++ ...violation-false-positives-when-runni.patch | 144 ++ ...introduce-lookup_address_in_pgd_attr.patch | 127 ++ ...-pat-restructure-_lookup_address_cpa.patch | 51 + ...itch-to-the-position-independent-sma.patch | 81 + 387 files changed, 32113 insertions(+) create mode 100644 queue-6.9/acpi-bus-indicate-support-for-_tfp-thru-_osc.patch create mode 100644 queue-6.9/acpi-bus-indicate-support-for-irq-resourcesource-thr.patch create mode 100644 queue-6.9/acpi-bus-indicate-support-for-more-than-16-p-states-.patch create mode 100644 queue-6.9/acpi-bus-indicate-support-for-the-generic-event-devi.patch create mode 100644 queue-6.9/acpi-disable-wstringop-truncation.patch create mode 100644 queue-6.9/acpi-fix-generic-initiator-affinity-_osc-bit.patch create mode 100644 queue-6.9/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch create mode 100644 queue-6.9/af_packet-do-not-call-packet_read_pending-from-tpack.patch create mode 100644 queue-6.9/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch create mode 100644 queue-6.9/alsa-hda-cs35l41-remove-speaker-id-for-lenovo-legion.patch create mode 100644 queue-6.9/arm-configs-sunxi-enable-drm_dw_hdmi.patch create mode 100644 queue-6.9/arm64-remove-unnecessary-irqflags-alternative.h-incl.patch create mode 100644 queue-6.9/asoc-intel-avs-fix-asrc-module-initialization.patch create mode 100644 queue-6.9/asoc-intel-avs-fix-debug-slot-offset-calculation.patch create mode 100644 queue-6.9/asoc-intel-avs-fix-potential-integer-overflow.patch create mode 100644 queue-6.9/asoc-intel-avs-restore-stream-decoupling-on-prepare.patch create mode 100644 queue-6.9/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch create mode 100644 queue-6.9/asoc-intel-avs-test-result-of-avs_get_module_entry.patch create mode 100644 queue-6.9/asoc-intel-disable-route-checks-for-skylake-boards.patch create mode 100644 queue-6.9/asoc-kirkwood-fix-potential-null-dereference.patch create mode 100644 queue-6.9/asoc-mediatek-assign-dummy-when-codec-not-specified-.patch create mode 100644 queue-6.9/asoc-sof-intel-hda-dai-fix-channel-map-configuration.patch create mode 100644 queue-6.9/asoc-sof-intel-lnl-correct-rom_status_reg.patch create mode 100644 queue-6.9/asoc-sof-intel-mtl-correct-rom_status_reg.patch create mode 100644 queue-6.9/asoc-sof-intel-mtl-disable-interrupts-when-firmware-.patch create mode 100644 queue-6.9/asoc-sof-intel-mtl-implement-firmware-boot-state-che.patch create mode 100644 queue-6.9/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch create mode 100644 queue-6.9/ax25-fix-reference-count-leak-issue-of-net_device.patch create mode 100644 queue-6.9/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch create mode 100644 queue-6.9/ax25-use-kernel-universal-linked-list-to-implement-a.patch create mode 100644 queue-6.9/bitops-add-missing-prototype-check.patch create mode 100644 queue-6.9/block-fix-and-simplify-blkdevparts-cmdline-parsing.patch create mode 100644 queue-6.9/block-refine-the-eof-check-in-blkdev_iomap_begin.patch create mode 100644 queue-6.9/block-support-to-account-io_ticks-precisely.patch create mode 100644 queue-6.9/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch create mode 100644 queue-6.9/bluetooth-hci-remove-hci_amp-support.patch create mode 100644 queue-6.9/bluetooth-hci_conn-hci_sync-use-__counted_by-to-avoi.patch create mode 100644 queue-6.9/bluetooth-hci_core-fix-not-handling-hdev-le_num_of_a.patch create mode 100644 queue-6.9/bluetooth-iso-make-iso_get_sock_listen-generic.patch create mode 100644 queue-6.9/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch create mode 100644 queue-6.9/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch create mode 100644 queue-6.9/bpf-add-bpf_prog_type_cgroup_skb-attach-type-enforce.patch create mode 100644 queue-6.9/bpf-fix-verifier-assumptions-about-socket-sk.patch create mode 100644 queue-6.9/bpf-pack-struct-bpf_fib_lookup.patch create mode 100644 queue-6.9/bpf-prevent-r10-register-from-being-marked-as-precis.patch create mode 100644 queue-6.9/bpftool-fix-missing-pids-during-link-show.patch create mode 100644 queue-6.9/bpftool-mount-bpffs-on-provided-dir-instead-of-paren.patch create mode 100644 queue-6.9/btrfs-set-start-on-clone-before-calling-copy_extent_.patch create mode 100644 queue-6.9/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch create mode 100644 queue-6.9/clk-mediatek-pllfh-don-t-log-error-for-missing-fhctl.patch create mode 100644 queue-6.9/clk-qcom-apss-ipq-pll-fix-pll-rate-for-ipq5018.patch create mode 100644 queue-6.9/clk-qcom-clk-alpha-pll-remove-invalid-stromer-regist.patch create mode 100644 queue-6.9/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch create mode 100644 queue-6.9/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch create mode 100644 queue-6.9/clk-qcom-dispcc-sm8550-fix-displayport-clocks.patch create mode 100644 queue-6.9/clk-qcom-dispcc-sm8650-fix-displayport-clocks.patch create mode 100644 queue-6.9/clk-qcom-fix-sc_camcc_8280xp-dependencies.patch create mode 100644 queue-6.9/clk-qcom-fix-sm_gpucc_8650-dependencies.patch create mode 100644 queue-6.9/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch create mode 100644 queue-6.9/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch create mode 100644 queue-6.9/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch create mode 100644 queue-6.9/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch create mode 100644 queue-6.9/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch create mode 100644 queue-6.9/clk-samsung-gs101-propagate-peric0-usi-spi-clock-rat.patch create mode 100644 queue-6.9/clk-samsung-gs101-propagate-peric1-usi-spi-clock-rat.patch create mode 100644 queue-6.9/cppc_cpufreq-fix-possible-null-pointer-dereference.patch create mode 100644 queue-6.9/cpufreq-brcmstb-avs-cpufreq-iso-c90-forbids-mixed-de.patch create mode 100644 queue-6.9/cpufreq-exit-callback-is-optional.patch create mode 100644 queue-6.9/crypto-bcm-fix-pointer-arithmetic.patch create mode 100644 queue-6.9/crypto-ccp-drop-platform-ifdef-checks.patch create mode 100644 queue-6.9/crypto-octeontx2-add-missing-check-for-dma_map_singl.patch create mode 100644 queue-6.9/crypto-qat-improve-error-logging-to-be-consistent-ac.patch create mode 100644 queue-6.9/crypto-qat-improve-error-message-in-adf_get_arbiter_.patch create mode 100644 queue-6.9/crypto-qat-specify-firmware-files-for-402xx.patch create mode 100644 queue-6.9/crypto-qat-validate-slices-count-returned-by-fw.patch create mode 100644 queue-6.9/crypto-x86-nh-avx2-add-missing-vzeroupper.patch create mode 100644 queue-6.9/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch create mode 100644 queue-6.9/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch create mode 100644 queue-6.9/dax-bus.c-don-t-use-down_write_killable-for-non-user.patch create mode 100644 queue-6.9/dax-bus.c-fix-locking-for-unregister_dax_dev-unregis.patch create mode 100644 queue-6.9/dax-bus.c-replace-warn_on_once-with-lockdep-asserts.patch create mode 100644 queue-6.9/dax-bus.c-use-the-right-locking-mode-read-vs-write-i.patch create mode 100644 queue-6.9/dev_printk-add-and-use-dev_no_printk.patch create mode 100644 queue-6.9/dlm-fix-user-space-lock-decision-to-copy-lvb.patch create mode 100644 queue-6.9/dm-delay-fix-hung-task-introduced-by-kthread-mode.patch create mode 100644 queue-6.9/dm-delay-fix-max_delay-calculations.patch create mode 100644 queue-6.9/dm-delay-fix-workqueue-delay_timer-race.patch create mode 100644 queue-6.9/dpll-fix-return-value-check-for-kmemdup.patch create mode 100644 queue-6.9/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch create mode 100644 queue-6.9/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch create mode 100644 queue-6.9/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch create mode 100644 queue-6.9/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch create mode 100644 queue-6.9/drm-amd-display-fix-potential-index-out-of-bounds-in.patch create mode 100644 queue-6.9/drm-amd-display-remove-redundant-condition-in-dcn35_.patch create mode 100644 queue-6.9/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch create mode 100644 queue-6.9/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch create mode 100644 queue-6.9/drm-bridge-anx7625-update-audio-status-while-detecti.patch create mode 100644 queue-6.9/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch create mode 100644 queue-6.9/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch create mode 100644 queue-6.9/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch create mode 100644 queue-6.9/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch create mode 100644 queue-6.9/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch create mode 100644 queue-6.9/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch create mode 100644 queue-6.9/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch create mode 100644 queue-6.9/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch create mode 100644 queue-6.9/drm-ci-update-device-type-for-volteer-devices.patch create mode 100644 queue-6.9/drm-edid-parse-topology-block-for-all-dispid-structu.patch create mode 100644 queue-6.9/drm-imagination-avoid-woverflow-warning.patch create mode 100644 queue-6.9/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch create mode 100644 queue-6.9/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch create mode 100644 queue-6.9/drm-mediatek-init-ddp_comp-with-devm_kcalloc.patch create mode 100644 queue-6.9/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch create mode 100644 queue-6.9/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch create mode 100644 queue-6.9/drm-msm-dp-account-for-the-timeout-in-wait_hpd_asser.patch create mode 100644 queue-6.9/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch create mode 100644 queue-6.9/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch create mode 100644 queue-6.9/drm-nouveau-dp-fix-incorrect-return-code-in-r535_dp_.patch create mode 100644 queue-6.9/drm-omapdrm-fix-console-by-implementing-fb_dirty.patch create mode 100644 queue-6.9/drm-omapdrm-fix-console-with-deferred-ops.patch create mode 100644 queue-6.9/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch create mode 100644 queue-6.9/drm-panel-edp-add-prepare_to_enable-to-200ms-for-mnc.patch create mode 100644 queue-6.9/drm-panel-ltk050h3146w-add-mipi_dsi_mode_video-to-lt.patch create mode 100644 queue-6.9/drm-panel-ltk050h3146w-drop-duplicate-commands-from-.patch create mode 100644 queue-6.9/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch create mode 100644 queue-6.9/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch create mode 100644 queue-6.9/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch create mode 100644 queue-6.9/drm-vc4-fix-possible-null-pointer-dereference.patch create mode 100644 queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-add-loongs.patch create mode 100644 queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-fix-incorr.patch create mode 100644 queue-6.9/ecryptfs-fix-buffer-size-for-tag-66-packet.patch create mode 100644 queue-6.9/edac-skx_common-allow-decoding-of-sgx-addresses.patch create mode 100644 queue-6.9/enetc-avoid-truncating-error-message.patch create mode 100644 queue-6.9/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch create mode 100644 queue-6.9/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch create mode 100644 queue-6.9/ext4-fix-potential-unnitialized-variable.patch create mode 100644 queue-6.9/ext4-remove-the-redundant-folio_wait_stable.patch create mode 100644 queue-6.9/fbdev-sh7760fb-allow-modular-build.patch create mode 100644 queue-6.9/fbdev-shmobile-fix-snprintf-truncation.patch create mode 100644 queue-6.9/fbdev-sisfb-hide-unused-variables.patch create mode 100644 queue-6.9/firmware-qcom-qcm-fix-unused-qcom_scm_qseecom_allowl.patch create mode 100644 queue-6.9/firmware-qcom-scm-fix-__scm-and-waitq-completion-var.patch create mode 100644 queue-6.9/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch create mode 100644 queue-6.9/gfs2-do_xmote-fixes.patch create mode 100644 queue-6.9/gfs2-don-t-forget-to-complete-delayed-withdraw.patch create mode 100644 queue-6.9/gfs2-finish_xmote-cleanup.patch create mode 100644 queue-6.9/gfs2-fix-ignore-unlock-failures-after-withdraw.patch create mode 100644 queue-6.9/gfs2-fix-potential-glock-use-after-free-on-unmount.patch create mode 100644 queue-6.9/gfs2-remove-ill-placed-consistency-check.patch create mode 100644 queue-6.9/gpio-nuvoton-fix-sgpio-irq-handle-error.patch create mode 100644 queue-6.9/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch create mode 100644 queue-6.9/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch create mode 100644 queue-6.9/hwrng-stm32-put-ip-into-rpm-suspend-on-failure.patch create mode 100644 queue-6.9/hwrng-stm32-repair-clock-handling.patch create mode 100644 queue-6.9/hwrng-stm32-use-logical-or-in-conditional.patch create mode 100644 queue-6.9/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch create mode 100644 queue-6.9/ice-fix-package-download-algorithm.patch create mode 100644 queue-6.9/idpf-don-t-skip-over-ethtool-tcp-data-split-setting.patch create mode 100644 queue-6.9/inet-fix-inet_fill_ifaddr-flags-truncation.patch create mode 100644 queue-6.9/io-wq-write-next_work-before-dropping-acct_lock.patch create mode 100644 queue-6.9/io_uring-net-fix-sendzc-lazy-wake-polling.patch create mode 100644 queue-6.9/io_uring-use-the-right-type-for-work_llist-empty-che.patch create mode 100644 queue-6.9/iommu-amd-enable-guest-translation-after-reading-iom.patch create mode 100644 queue-6.9/iommu-undo-pasid-attachment-only-for-the-devices-tha.patch create mode 100644 queue-6.9/iommu-vt-d-decouple-igfx_off-from-graphic-identity-m.patch create mode 100644 queue-6.9/ipv6-sr-add-missing-seg6_local_exit.patch create mode 100644 queue-6.9/ipv6-sr-fix-incorrect-unregister-order.patch create mode 100644 queue-6.9/ipv6-sr-fix-invalid-unregister-error-path.patch create mode 100644 queue-6.9/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch create mode 100644 queue-6.9/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch create mode 100644 queue-6.9/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch create mode 100644 queue-6.9/kunit-bail-out-early-in-__kunit_test_suites_init-if-.patch create mode 100644 queue-6.9/kunit-fix-kthread-reference.patch create mode 100644 queue-6.9/kunit-fortify-fix-mismatched-kvalloc-vfree-usage.patch create mode 100644 queue-6.9/kunit-fortify-fix-replaced-failure-path-to-unbreak-_.patch create mode 100644 queue-6.9/kunit-unregister-the-device-on-error.patch create mode 100644 queue-6.9/l2tp-fix-icmp-error-handling-for-udp-encap-sockets.patch create mode 100644 queue-6.9/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch create mode 100644 queue-6.9/libbpf-fix-error-message-in-attach_kprobe_multi.patch create mode 100644 queue-6.9/libbpf-fix-feature-detectors-when-using-token_fd.patch create mode 100644 queue-6.9/libbpf-prevent-null-pointer-dereference-when-prog-to.patch create mode 100644 queue-6.9/libfs-add-simple_offset_rename-api.patch create mode 100644 queue-6.9/libfs-fix-simple_offset_rename_exchange.patch create mode 100644 queue-6.9/lkdtm-disable-cfi-checking-for-perms-functions.patch create mode 100644 queue-6.9/locking-atomic-x86-correct-the-definition-of-__arch_.patch create mode 100644 queue-6.9/m68k-fix-spinlock-race-in-kernel-thread-creation.patch create mode 100644 queue-6.9/m68k-mac-fix-reboot-hang-on-mac-iici.patch create mode 100644 queue-6.9/m68k-move-arch_has_cpu_cache_aliasing.patch create mode 100644 queue-6.9/macintosh-via-macii-fix-bug-sleeping-function-called.patch create mode 100644 queue-6.9/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch create mode 100644 queue-6.9/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch create mode 100644 queue-6.9/media-cadence-csi2rx-configure-dphy-before-starting-.patch create mode 100644 queue-6.9/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch create mode 100644 queue-6.9/media-i2c-et8ek8-don-t-strip-remove-function-when-dr.patch create mode 100644 queue-6.9/media-ipu3-cio2-request-irq-earlier.patch create mode 100644 queue-6.9/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch create mode 100644 queue-6.9/media-radio-shark2-avoid-led_names-truncations.patch create mode 100644 queue-6.9/media-rcar-vin-work-around-wenum-compare-conditional.patch create mode 100644 queue-6.9/media-uvcvideo-add-quirk-for-logitech-rally-bar.patch create mode 100644 queue-6.9/media-v4l2-subdev-fix-stream-handling-for-crop-api.patch create mode 100644 queue-6.9/mlx5-avoid-truncating-error-message.patch create mode 100644 queue-6.9/mlx5-stop-warning-for-64kb-pages.patch create mode 100644 queue-6.9/mm-ksm-fix-ksm-exec-support-for-prctl.patch create mode 100644 queue-6.9/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch create mode 100644 queue-6.9/mm-userfaultfd-do-not-place-zeropages-when-zeropages.patch create mode 100644 queue-6.9/modules-drop-the-.export_symbol-section-from-the-fin.patch create mode 100644 queue-6.9/mptcp-fix-full-tcp-keep-alive-support.patch create mode 100644 queue-6.9/mptcp-so_keepalive-fix-getsockopt-support.patch create mode 100644 queue-6.9/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch create mode 100644 queue-6.9/mtd-rawnand-hynix-fixed-typo.patch create mode 100644 queue-6.9/net-bridge-mst-fix-vlan-use-after-free.patch create mode 100644 queue-6.9/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch create mode 100644 queue-6.9/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch create mode 100644 queue-6.9/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch create mode 100644 queue-6.9/net-ethernet-cortina-locking-fixes.patch create mode 100644 queue-6.9/net-ethernet-mediatek-split-tx-and-rx-fields-in-mtk_.patch create mode 100644 queue-6.9/net-ethernet-mediatek-use-admav1-instead-of-admav2.0.patch create mode 100644 queue-6.9/net-fec-remove-.ndo_poll_controller-to-avoid-deadloc.patch create mode 100644 queue-6.9/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch create mode 100644 queue-6.9/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch create mode 100644 queue-6.9/net-micrel-fix-receiving-the-timestamp-in-the-frame-.patch create mode 100644 queue-6.9/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch create mode 100644 queue-6.9/net-mlx5-discard-command-completions-in-internal-err.patch create mode 100644 queue-6.9/net-mlx5-fix-peer-devlink-set-for-sf-representor-dev.patch create mode 100644 queue-6.9/net-mlx5-reload-only-ib-representors-upon-lag-disabl.patch create mode 100644 queue-6.9/net-mlx5e-fix-netif-state-handling.patch create mode 100644 queue-6.9/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch create mode 100644 queue-6.9/net-qrtr-ns-fix-module-refcnt.patch create mode 100644 queue-6.9/net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch create mode 100644 queue-6.9/net-txgbe-fix-to-control-vlan-strip.patch create mode 100644 queue-6.9/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch create mode 100644 queue-6.9/net-usb-sr9700-stop-lying-about-skb-truesize.patch create mode 100644 queue-6.9/net-wangxun-fix-to-change-rx-features.patch create mode 100644 queue-6.9/net-wangxun-match-vlan-ctag-and-stag-features.patch create mode 100644 queue-6.9/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch create mode 100644 queue-6.9/nfsd-don-t-create-nfsv4recoverydir-in-nfsdfs-when-no.patch create mode 100644 queue-6.9/nilfs2-fix-out-of-range-warning.patch create mode 100644 queue-6.9/nilfs2-make-superblock-data-array-index-computation-.patch create mode 100644 queue-6.9/null_blk-fix-missing-mutex_destroy-at-module-removal.patch create mode 100644 queue-6.9/of-module-add-buffer-overflow-check-in-of_modalias.patch create mode 100644 queue-6.9/openpromfs-finish-conversion-to-the-new-mount-api.patch create mode 100644 queue-6.9/openrisc-traps-don-t-send-signals-to-kernel-mode-thr.patch create mode 100644 queue-6.9/openrisc-use-do_kernel_power_off.patch create mode 100644 queue-6.9/parisc-add-missing-export-of-__cmpxchg_u8.patch create mode 100644 queue-6.9/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch create mode 100644 queue-6.9/power-supply-core-simplify-charge_behaviour-formatti.patch create mode 100644 queue-6.9/powerpc-fsl-soc-hide-unused-const-variable.patch create mode 100644 queue-6.9/printk-let-no_printk-use-_printk.patch create mode 100644 queue-6.9/ptp-ocp-fix-dpll-functions.patch create mode 100644 queue-6.9/pwm-meson-add-check-for-error-from-clk_round_rate.patch create mode 100644 queue-6.9/pwm-meson-use-mul_u64_u64_div_u64-for-frequency-calc.patch create mode 100644 queue-6.9/pwm-sti-simplify-probe-function-using-devm-functions.patch create mode 100644 queue-6.9/qed-avoid-truncating-work-queue-length.patch create mode 100644 queue-6.9/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch create mode 100644 queue-6.9/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch create mode 100644 queue-6.9/rdma-cma-fix-kmemleak-in-rdma_core-observed-during-b.patch create mode 100644 queue-6.9/rdma-hns-add-max_ah-and-cq-moderation-capacities-in-.patch create mode 100644 queue-6.9/rdma-hns-fix-deadlock-on-srq-async-events.patch create mode 100644 queue-6.9/rdma-hns-fix-gmv-table-pagesize.patch create mode 100644 queue-6.9/rdma-hns-fix-mismatch-exception-rollback.patch create mode 100644 queue-6.9/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch create mode 100644 queue-6.9/rdma-hns-fix-uaf-for-cq-async-event.patch create mode 100644 queue-6.9/rdma-hns-modify-the-print-level-of-cqe-error.patch create mode 100644 queue-6.9/rdma-hns-use-complete-parentheses-in-macros.patch create mode 100644 queue-6.9/rdma-ipoib-fix-format-truncation-compilation-errors.patch create mode 100644 queue-6.9/rdma-mana_ib-boundary-check-before-installing-cq-cal.patch create mode 100644 queue-6.9/rdma-mana_ib-introduce-helpers-to-create-and-destroy.patch create mode 100644 queue-6.9/rdma-mana_ib-use-struct-mana_ib_queue-for-cqs.patch create mode 100644 queue-6.9/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch create mode 100644 queue-6.9/rdma-mlx5-change-check-for-cacheable-mkeys.patch create mode 100644 queue-6.9/rdma-mlx5-uncacheable-mkey-has-neither-rb_key-or-cac.patch create mode 100644 queue-6.9/rdma-rxe-allow-good-work-requests-to-be-executed.patch create mode 100644 queue-6.9/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch create mode 100644 queue-6.9/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch create mode 100644 queue-6.9/revert-selftests-compile-kselftest-headers-with-d_gn.patch create mode 100644 queue-6.9/revert-selftests-sgx-include-khdr_includes-in-makefi.patch create mode 100644 queue-6.9/revert-sh-handle-calling-csum_partial-with-misaligne.patch create mode 100644 queue-6.9/risc-v-fix-the-typo-in-scountovf-csr-name.patch create mode 100644 queue-6.9/riscv-bpf-make-some-atomic-operations-fully-ordered.patch create mode 100644 queue-6.9/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch create mode 100644 queue-6.9/s390-cio-fix-tracepoint-subchannel-type-field.patch create mode 100644 queue-6.9/s390-mm-re-enable-the-shared-zeropage-for-pv-and-ske.patch create mode 100644 queue-6.9/s390-vmlinux.lds.s-drop-.hash-and-.gnu.hash-for-conf.patch create mode 100644 queue-6.9/samples-landlock-fix-incorrect-free-in-populate_rule.patch create mode 100644 queue-6.9/sched-core-fix-incorrect-initialization-of-the-burst.patch create mode 100644 queue-6.9/sched-fair-add-eas-checks-before-updating-root_domai.patch create mode 100644 queue-6.9/sched-fair-allow-disabling-sched_balance_newidle-wit.patch create mode 100644 queue-6.9/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch create mode 100644 queue-6.9/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch create mode 100644 queue-6.9/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch create mode 100644 queue-6.9/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch create mode 100644 queue-6.9/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch create mode 100644 queue-6.9/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch create mode 100644 queue-6.9/scsi-ufs-core-mcq-fix-ufshcd_mcq_sqe_search.patch create mode 100644 queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-inte.patch create mode 100644 queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch create mode 100644 queue-6.9/scsi-ufs-core-perform-read-back-after-writing-utp_ta.patch create mode 100644 queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch create mode 100644 queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch create mode 100644 queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch create mode 100644 queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch create mode 100644 queue-6.9/selftests-binderfs-use-the-makefile-s-rules-not-make.patch create mode 100644 queue-6.9/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch create mode 100644 queue-6.9/selftests-bpf-fix-pointer-arithmetic-in-test_xdp_do_.patch create mode 100644 queue-6.9/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch create mode 100644 queue-6.9/selftests-bpf-run-cgroup1_hierarchy-test-in-own-moun.patch create mode 100644 queue-6.9/selftests-cgroup-skip-test_cgcore_lesser_ns_open-whe.patch create mode 100644 queue-6.9/selftests-compile-kselftest-headers-with-d_gnu_sourc.patch create mode 100644 queue-6.9/selftests-damon-_damon_sysfs-check-errors-from-nr_sc.patch create mode 100644 queue-6.9/selftests-default-to-host-arch-for-llvm-builds.patch create mode 100644 queue-6.9/selftests-kcmp-remove-unused-open-mode.patch create mode 100644 queue-6.9/selftests-ktap_helpers-make-it-posix-compliant.patch create mode 100644 queue-6.9/selftests-net-add-missing-config-for-amt.sh.patch create mode 100644 queue-6.9/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch create mode 100644 queue-6.9/selftests-net-lib-no-need-to-record-ns-name-if-it-al.patch create mode 100644 queue-6.9/selftests-net-move-amt-to-socat-for-better-compatibi.patch create mode 100644 queue-6.9/selftests-power_supply-make-it-posix-compliant.patch create mode 100644 queue-6.9/selftests-resctrl-fix-clang-build-failure-use-local_.patch create mode 100644 queue-6.9/selftests-sgx-include-khdr_includes-in-makefile.patch create mode 100644 queue-6.9/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch create mode 100644 queue-6.9/shmem-fix-shmem_rename2.patch create mode 100644 queue-6.9/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch create mode 100644 queue-6.9/soc-qcom-pmic_glink-don-t-traverse-clients-list-with.patch create mode 100644 queue-6.9/soc-qcom-pmic_glink-make-client-lock-non-sleeping.patch create mode 100644 queue-6.9/soc-qcom-pmic_glink-notify-clients-about-the-current.patch create mode 100644 queue-6.9/staging-media-starfive-remove-links-when-unregisteri.patch create mode 100644 queue-6.9/sunrpc-fix-gss_free_in_token_pages.patch create mode 100644 queue-6.9/sunrpc-removed-redundant-procp-check.patch create mode 100644 queue-6.9/tcp-avoid-premature-drops-in-tcp_add_backlog.patch create mode 100644 queue-6.9/tcp-increase-the-default-tcp-scaling-ratio.patch create mode 100644 queue-6.9/thermal-debugfs-avoid-excessive-updates-of-trip-poin.patch create mode 100644 queue-6.9/thermal-debugfs-create-records-for-cdev-states-as-th.patch create mode 100644 queue-6.9/thermal-debugfs-pass-cooling-device-state-to-thermal.patch create mode 100644 queue-6.9/thermal-drivers-mediatek-lvts_thermal-add-coeff-for-.patch create mode 100644 queue-6.9/thermal-drivers-tsens-fix-null-pointer-dereference.patch create mode 100644 queue-6.9/tracing-user_events-fix-non-spaced-field-matching.patch create mode 100644 queue-6.9/udp-avoid-call-to-compute_score-on-multiple-sites.patch create mode 100644 queue-6.9/usb-aqc111-stop-lying-about-skb-truesize.patch create mode 100644 queue-6.9/virt-acrn-stop-using-follow_pfn.patch create mode 100644 queue-6.9/wifi-ar5523-enable-proper-endpoint-verification.patch create mode 100644 queue-6.9/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch create mode 100644 queue-6.9/wifi-ath10k-poll-service-ready-message-before-failin.patch create mode 100644 queue-6.9/wifi-ath10k-populate-board-data-for-wcn3990.patch create mode 100644 queue-6.9/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch create mode 100644 queue-6.9/wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch create mode 100644 queue-6.9/wifi-ath12k-use-correct-flag-field-for-320-mhz-chann.patch create mode 100644 queue-6.9/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch create mode 100644 queue-6.9/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch create mode 100644 queue-6.9/wifi-carl9170-re-fix-fortified-memset-warning.patch create mode 100644 queue-6.9/wifi-cfg80211-ignore-non-tx-bsss-in-per-sta-profile.patch create mode 100644 queue-6.9/wifi-ieee80211-fix-ieee80211_mle_basic_sta_prof_size.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-allocate-sta-links-only-for-active-.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-calculate-emlsr-mode-after-connecti.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-do-not-warn-on-invalid-link-on-scan.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-don-t-always-disable-emlsr-due-to-b.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-fix-check-in-iwl_mvm_sta_fw_id_mask.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-init-vif-works-only-once.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-introduce-esr_disable_reason.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-select-sta-mask-only-for-active-lin.patch create mode 100644 queue-6.9/wifi-iwlwifi-mvm-set-wider-bw-ofdma-ignore-correctly.patch create mode 100644 queue-6.9/wifi-iwlwifi-reconfigure-tlc-during-hw-restart.patch create mode 100644 queue-6.9/wifi-mac80211-don-t-select-link-id-if-not-provided-i.patch create mode 100644 queue-6.9/wifi-mac80211-transmit-deauth-only-if-link-is-availa.patch create mode 100644 queue-6.9/wifi-mt76-connac-check-for-null-before-dereferencing.patch create mode 100644 queue-6.9/wifi-mt76-connac-use-muar-idx-0xe-for-non-mt799x-as-.patch create mode 100644 queue-6.9/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch create mode 100644 queue-6.9/wifi-mt76-mt7603-fix-tx-queue-of-loopback-packets.patch create mode 100644 queue-6.9/wifi-mt76-mt7915-workaround-too-long-expansion-spars.patch create mode 100644 queue-6.9/wifi-mt76-mt7925-ensure-4-byte-alignment-for-suspend.patch create mode 100644 queue-6.9/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch create mode 100644 queue-6.9/wifi-mt76-mt7996-fix-size-of-txpower-mcu-command.patch create mode 100644 queue-6.9/wifi-mt76-mt7996-fix-uninitialized-variable-in-mt799.patch create mode 100644 queue-6.9/wifi-mwl8k-initialize-cmd-addr-properly.patch create mode 100644 queue-6.9/wifi-nl80211-avoid-address-calculations-via-out-of-b.patch create mode 100644 queue-6.9/wifi-rtw89-wow-refine-wowlan-flows-of-hci-interrupts.patch create mode 100644 queue-6.9/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch create mode 100644 queue-6.9/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch create mode 100644 queue-6.9/x86-fred-fix-typo-in-kconfig-description.patch create mode 100644 queue-6.9/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch create mode 100644 queue-6.9/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch create mode 100644 queue-6.9/x86-microcode-amd-avoid-wformat-warning-with-clang-1.patch create mode 100644 queue-6.9/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch create mode 100644 queue-6.9/x86-pat-fix-w-x-violation-false-positives-when-runni.patch create mode 100644 queue-6.9/x86-pat-introduce-lookup_address_in_pgd_attr.patch create mode 100644 queue-6.9/x86-pat-restructure-_lookup_address_cpa.patch create mode 100644 queue-6.9/x86-purgatory-switch-to-the-position-independent-sma.patch diff --git a/queue-6.9/acpi-bus-indicate-support-for-_tfp-thru-_osc.patch b/queue-6.9/acpi-bus-indicate-support-for-_tfp-thru-_osc.patch new file mode 100644 index 00000000000..2484a45fad9 --- /dev/null +++ b/queue-6.9/acpi-bus-indicate-support-for-_tfp-thru-_osc.patch @@ -0,0 +1,52 @@ +From ce7ed6e2416e63b6832a14c737245e66deea4d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:06 +0100 +Subject: ACPI: bus: Indicate support for _TFP thru _OSC + +From: Armin Wolf + +[ Upstream commit 95d43290f1e476b3be782dd17642e452d0436266 ] + +The ACPI thermal driver already uses the _TPF ACPI method to retrieve +precise sampling time values, but this is not reported thru _OSC. + +Fix this by setting bit 9 ("Fast Thermal Sampling support") when +evaluating _OSC. + +Fixes: a2ee7581afd5 ("ACPI: thermal: Add Thermal fast Sampling Period (_TFP) support") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 2 ++ + include/linux/acpi.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index d9fa730416f19..9c13a4e43fa82 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -316,6 +316,8 @@ static void acpi_bus_osc_negotiate_platform_control(void) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PAD_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_PROCESSOR)) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PPC_OST_SUPPORT; ++ if (IS_ENABLED(CONFIG_ACPI_THERMAL)) ++ capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_FAST_THERMAL_SAMPLING_SUPPORT; + + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_HOTPLUG_OST_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PCLPI_SUPPORT; +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 34829f2c517ac..51bdd9e08f6da 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -573,6 +573,7 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_CPCV2_SUPPORT 0x00000040 + #define OSC_SB_PCLPI_SUPPORT 0x00000080 + #define OSC_SB_OSLPI_SUPPORT 0x00000100 ++#define OSC_SB_FAST_THERMAL_SAMPLING_SUPPORT 0x00000200 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 + #define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 +-- +2.43.0 + diff --git a/queue-6.9/acpi-bus-indicate-support-for-irq-resourcesource-thr.patch b/queue-6.9/acpi-bus-indicate-support-for-irq-resourcesource-thr.patch new file mode 100644 index 00000000000..fac86787dd5 --- /dev/null +++ b/queue-6.9/acpi-bus-indicate-support-for-irq-resourcesource-thr.patch @@ -0,0 +1,51 @@ +From 55f381711c96ad2b9760216c90b333ddf534c4ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:10 +0100 +Subject: ACPI: bus: Indicate support for IRQ ResourceSource thru _OSC + +From: Armin Wolf + +[ Upstream commit 403ad17c06509794fdf6e4d4b3070bd5b56e2a8e ] + +The ACPI IRQ mapping code supports parsing of ResourceSource, +but this is not reported thru _OSC. + +Fix this by setting bit 13 ("Interrupt ResourceSource support") +when evaluating _OSC. + +Fixes: d44fa3d46079 ("ACPI: Add support for ResourceSource/IRQ domain mapping") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 1 + + include/linux/acpi.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 0c48b603098a8..a87b10eef77df 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -323,6 +323,7 @@ static void acpi_bus_osc_negotiate_platform_control(void) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PCLPI_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_OVER_16_PSTATES_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_GED_SUPPORT; ++ capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_IRQ_RESOURCE_SOURCE_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_PRMT)) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PRM_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_FFH)) +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index e77783e101c36..168201e4c7827 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -577,6 +577,7 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_OVER_16_PSTATES_SUPPORT 0x00000400 + #define OSC_SB_GED_SUPPORT 0x00000800 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 ++#define OSC_SB_IRQ_RESOURCE_SOURCE_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 + #define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00020000 + #define OSC_SB_NATIVE_USB4_SUPPORT 0x00040000 +-- +2.43.0 + diff --git a/queue-6.9/acpi-bus-indicate-support-for-more-than-16-p-states-.patch b/queue-6.9/acpi-bus-indicate-support-for-more-than-16-p-states-.patch new file mode 100644 index 00000000000..f9b8af5801f --- /dev/null +++ b/queue-6.9/acpi-bus-indicate-support-for-more-than-16-p-states-.patch @@ -0,0 +1,51 @@ +From be6469f8240857b7dee57eef8dadf5694beebe60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:07 +0100 +Subject: ACPI: bus: Indicate support for more than 16 p-states thru _OSC + +From: Armin Wolf + +[ Upstream commit 6e8345f23ca37d6d41bb76be5d6a705ddf542817 ] + +The code responsible for parsing the available p-states should +have no problems handling more than 16 p-states. + +Indicate this by setting bit 10 ("Greater Than 16 p-state support") +when evaluating _OSC. + +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: a8a967a243d7 ("ACPI: bus: Indicate support for the Generic Event Device thru _OSC") +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 1 + + include/linux/acpi.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 9c13a4e43fa82..d5b0e80dc48e4 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -321,6 +321,7 @@ static void acpi_bus_osc_negotiate_platform_control(void) + + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_HOTPLUG_OST_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PCLPI_SUPPORT; ++ capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_OVER_16_PSTATES_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_PRMT)) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PRM_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_FFH)) +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 51bdd9e08f6da..0e0b027e27e21 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -574,6 +574,7 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_PCLPI_SUPPORT 0x00000080 + #define OSC_SB_OSLPI_SUPPORT 0x00000100 + #define OSC_SB_FAST_THERMAL_SAMPLING_SUPPORT 0x00000200 ++#define OSC_SB_OVER_16_PSTATES_SUPPORT 0x00000400 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 + #define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 +-- +2.43.0 + diff --git a/queue-6.9/acpi-bus-indicate-support-for-the-generic-event-devi.patch b/queue-6.9/acpi-bus-indicate-support-for-the-generic-event-devi.patch new file mode 100644 index 00000000000..0da605ec6ca --- /dev/null +++ b/queue-6.9/acpi-bus-indicate-support-for-the-generic-event-devi.patch @@ -0,0 +1,52 @@ +From ee74dc151bafbdec06616ddfaa4c41464278b2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:08 +0100 +Subject: ACPI: bus: Indicate support for the Generic Event Device thru _OSC + +From: Armin Wolf + +[ Upstream commit a8a967a243d71dd635ede076020f665a4df51c63 ] + +A device driver for the Generic Event Device (ACPI0013) already +exists for quite some time, but support for it was never reported +thru _OSC. + +Fix this by setting bit 11 ("Generic Event Device support") when +evaluating _OSC. + +Fixes: 3db80c230da1 ("ACPI: implement Generic Event Device") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 1 + + include/linux/acpi.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index d5b0e80dc48e4..0c48b603098a8 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -322,6 +322,7 @@ static void acpi_bus_osc_negotiate_platform_control(void) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_HOTPLUG_OST_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PCLPI_SUPPORT; + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_OVER_16_PSTATES_SUPPORT; ++ capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_GED_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_PRMT)) + capbuf[OSC_SUPPORT_DWORD] |= OSC_SB_PRM_SUPPORT; + if (IS_ENABLED(CONFIG_ACPI_FFH)) +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 0e0b027e27e21..b0d909d1f5fc3 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -575,6 +575,7 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_OSLPI_SUPPORT 0x00000100 + #define OSC_SB_FAST_THERMAL_SAMPLING_SUPPORT 0x00000200 + #define OSC_SB_OVER_16_PSTATES_SUPPORT 0x00000400 ++#define OSC_SB_GED_SUPPORT 0x00000800 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 + #define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 +-- +2.43.0 + diff --git a/queue-6.9/acpi-disable-wstringop-truncation.patch b/queue-6.9/acpi-disable-wstringop-truncation.patch new file mode 100644 index 00000000000..53c33a5dfb3 --- /dev/null +++ b/queue-6.9/acpi-disable-wstringop-truncation.patch @@ -0,0 +1,48 @@ +From bb36c866f2ff4f0580c61049573ee46bb7a5de86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 16:00:55 +0200 +Subject: ACPI: disable -Wstringop-truncation + +From: Arnd Bergmann + +[ Upstream commit a3403d304708f60565582d60af4316289d0316a0 ] + +gcc -Wstringop-truncation warns about copying a string that results in a +missing nul termination: + +drivers/acpi/acpica/tbfind.c: In function 'acpi_tb_find_table': +drivers/acpi/acpica/tbfind.c:60:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation] + 60 | strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/acpi/acpica/tbfind.c:61:9: error: 'strncpy' specified bound 8 equals destination size [-Werror=stringop-truncation] + 61 | strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The code works as intended, and the warning could be addressed by using +a memcpy(), but turning the warning off for this file works equally well +and may be easier to merge. + +Fixes: 47c08729bf1c ("ACPICA: Fix for LoadTable operator, input strings") +Link: https://lore.kernel.org/lkml/CAJZ5v0hoUfv54KW7y4223Mn9E7D4xvR7whRFNLTBqCZMUxT50Q@mail.gmail.com/#t +Signed-off-by: Arnd Bergmann +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index 30f3fc13c29d1..8d18af396de92 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -5,6 +5,7 @@ + + ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT ++CFLAGS_tbfind.o += $(call cc-disable-warning, stringop-truncation) + + # use acpi.o to put all files here into acpi.o modparam namespace + obj-y += acpi.o +-- +2.43.0 + diff --git a/queue-6.9/acpi-fix-generic-initiator-affinity-_osc-bit.patch b/queue-6.9/acpi-fix-generic-initiator-affinity-_osc-bit.patch new file mode 100644 index 00000000000..3563eb0e667 --- /dev/null +++ b/queue-6.9/acpi-fix-generic-initiator-affinity-_osc-bit.patch @@ -0,0 +1,40 @@ +From 856aeb98cc25c7763e5d4b02950b9c8a8a257790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:13:09 +0100 +Subject: ACPI: Fix Generic Initiator Affinity _OSC bit + +From: Armin Wolf + +[ Upstream commit d0d4f1474e36b195eaad477373127ae621334c01 ] + +The ACPI spec says bit 17 should be used to indicate support +for Generic Initiator Affinity Structure in SRAT, but we currently +set bit 13 ("Interrupt ResourceSource support"). + +Fix this by actually setting bit 17 when evaluating _OSC. + +Fixes: 01aabca2fd54 ("ACPI: Let ACPI know we support Generic Initiator Affinity Structures") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index b0d909d1f5fc3..e77783e101c36 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -577,8 +577,8 @@ acpi_status acpi_run_osc(acpi_handle handle, struct acpi_osc_context *context); + #define OSC_SB_OVER_16_PSTATES_SUPPORT 0x00000400 + #define OSC_SB_GED_SUPPORT 0x00000800 + #define OSC_SB_CPC_DIVERSE_HIGH_SUPPORT 0x00001000 +-#define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00002000 + #define OSC_SB_CPC_FLEXIBLE_ADR_SPACE 0x00004000 ++#define OSC_SB_GENERIC_INITIATOR_SUPPORT 0x00020000 + #define OSC_SB_NATIVE_USB4_SUPPORT 0x00040000 + #define OSC_SB_PRM_SUPPORT 0x00200000 + #define OSC_SB_FFH_OPR_SUPPORT 0x00400000 +-- +2.43.0 + diff --git a/queue-6.9/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch b/queue-6.9/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch new file mode 100644 index 00000000000..78ff92f0d2e --- /dev/null +++ b/queue-6.9/acpi-lpss-advertise-number-of-chip-selects-via-prope.patch @@ -0,0 +1,35 @@ +From 4cf0d514e0ea91a6d025d24dd063b83f2d85c818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 15:06:58 +0300 +Subject: ACPI: LPSS: Advertise number of chip selects via property + +From: Andy Shevchenko + +[ Upstream commit 07b73ee599428b41d0240f2f7b31b524eba07dd0 ] + +Advertise number of chip selects via property for Intel Braswell. + +Fixes: 620c803f42de ("ACPI: LPSS: Provide an SSP type to the driver") +Signed-off-by: Andy Shevchenko +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_lpss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c +index 04e273167e92a..8e01792228d1e 100644 +--- a/drivers/acpi/acpi_lpss.c ++++ b/drivers/acpi/acpi_lpss.c +@@ -325,6 +325,7 @@ static const struct lpss_device_desc bsw_i2c_dev_desc = { + + static const struct property_entry bsw_spi_properties[] = { + PROPERTY_ENTRY_U32("intel,spi-pxa2xx-type", LPSS_BSW_SSP), ++ PROPERTY_ENTRY_U32("num-cs", 2), + { } + }; + +-- +2.43.0 + diff --git a/queue-6.9/af_packet-do-not-call-packet_read_pending-from-tpack.patch b/queue-6.9/af_packet-do-not-call-packet_read_pending-from-tpack.patch new file mode 100644 index 00000000000..555c2e10b45 --- /dev/null +++ b/queue-6.9/af_packet-do-not-call-packet_read_pending-from-tpack.patch @@ -0,0 +1,49 @@ +From bf08a871c7ebb334eda7d479a17555d8663f63e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 16:33:58 +0000 +Subject: af_packet: do not call packet_read_pending() from + tpacket_destruct_skb() + +From: Eric Dumazet + +[ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ] + +trafgen performance considerably sank on hosts with many cores +after the blamed commit. + +packet_read_pending() is very expensive, and calling it +in af_packet fast path defeats Daniel intent in commit +b013840810c2 ("packet: use percpu mmap tx frame pending refcount") + +tpacket_destruct_skb() makes room for one packet, we can immediately +wakeup a producer, no need to completely drain the tx ring. + +Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Cc: Daniel Borkmann +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20240515163358.4105915-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 18f616f487eaa..150451ddd7553 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2522,8 +2522,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb) + ts = __packet_set_timestamp(po, ph, skb); + __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts); + +- if (!packet_read_pending(&po->tx_ring)) +- complete(&po->skb_completion); ++ complete(&po->skb_completion); + } + + sock_wfree(skb); +-- +2.43.0 + diff --git a/queue-6.9/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch b/queue-6.9/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch new file mode 100644 index 00000000000..22c48dcf2fa --- /dev/null +++ b/queue-6.9/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch @@ -0,0 +1,76 @@ +From 0d36e3e6fda9650889d677271c4c143961591ef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 01:14:46 -0700 +Subject: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg + +From: Breno Leitao + +[ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] + +A data-race condition has been identified in af_unix. In one data path, +the write function unix_release_sock() atomically writes to +sk->sk_shutdown using WRITE_ONCE. However, on the reader side, +unix_stream_sendmsg() does not read it atomically. Consequently, this +issue is causing the following KCSAN splat to occur: + + BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg + + write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: + unix_release_sock (net/unix/af_unix.c:640) + unix_release (net/unix/af_unix.c:1050) + sock_close (net/socket.c:659 net/socket.c:1421) + __fput (fs/file_table.c:422) + __fput_sync (fs/file_table.c:508) + __se_sys_close (fs/open.c:1559 fs/open.c:1541) + __x64_sys_close (fs/open.c:1541) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: + unix_stream_sendmsg (net/unix/af_unix.c:2273) + __sock_sendmsg (net/socket.c:730 net/socket.c:745) + ____sys_sendmsg (net/socket.c:2584) + __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) + __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + value changed: 0x01 -> 0x03 + +The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). + +Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") +addressed a comparable issue in the past regarding sk->sk_shutdown. +However, it overlooked resolving this particular data path. +This patch only offending unix_stream_sendmsg() function, since the +other reads seem to be protected by unix_state_lock() as discussed in +Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Breno Leitao +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 9a6ad5974dff5..e94839d89b09d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2270,7 +2270,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, + goto out_err; + } + +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto pipe_err; + + while (sent < len) { +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-cs35l41-remove-speaker-id-for-lenovo-legion.patch b/queue-6.9/alsa-hda-cs35l41-remove-speaker-id-for-lenovo-legion.patch new file mode 100644 index 00000000000..c7e06f2b9b2 --- /dev/null +++ b/queue-6.9/alsa-hda-cs35l41-remove-speaker-id-for-lenovo-legion.patch @@ -0,0 +1,44 @@ +From 93b5d3b47b9e89b4ca00546bb232ac9caca1c995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 12:08:13 +0100 +Subject: ALSA: hda: cs35l41: Remove Speaker ID for Lenovo Legion slim 7 + 16ARHA7 + +From: Stefan Binding + +[ Upstream commit 4a1a8065f5d3565677347d34a908ff2d0803b14f ] + +These laptops do not have _DSD and must be added by configuration +table, however, the initial entries for them are incorrect: +Neither laptop contains a Speaker ID GPIO. +This issue would not affect audio playback, but may affect which files +are loaded when loading firmware. + +Fixes: b67a7dc418aa ("ALSA: hda/realtek: Add sound quirks for Lenovo Legion slim 7 16ARHA7 models") + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Message-ID: <20240411110813.330483-8-sbinding@opensource.cirrus.com> +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cs35l41_hda_property.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/cs35l41_hda_property.c b/sound/pci/hda/cs35l41_hda_property.c +index 8fb688e414148..4f5e581cdd5ff 100644 +--- a/sound/pci/hda/cs35l41_hda_property.c ++++ b/sound/pci/hda/cs35l41_hda_property.c +@@ -110,8 +110,8 @@ static const struct cs35l41_config cs35l41_config_table[] = { + { "10431F62", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 1, 2, 0, 0, 0, 0 }, + { "10433A60", 2, INTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 1, 2, 0, 1000, 4500, 24 }, + { "17AA386F", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, -1, -1, 0, 0, 0 }, +- { "17AA3877", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, 1, -1, 0, 0, 0 }, +- { "17AA3878", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, 1, -1, 0, 0, 0 }, ++ { "17AA3877", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, -1, -1, 0, 0, 0 }, ++ { "17AA3878", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, -1, -1, 0, 0, 0 }, + { "17AA38A9", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, 2, -1, 0, 0, 0 }, + { "17AA38AB", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, 2, -1, 0, 0, 0 }, + { "17AA38B4", 2, EXTERNAL, { CS35L41_LEFT, CS35L41_RIGHT, 0, 0 }, 0, 1, -1, 0, 0, 0 }, +-- +2.43.0 + diff --git a/queue-6.9/arm-configs-sunxi-enable-drm_dw_hdmi.patch b/queue-6.9/arm-configs-sunxi-enable-drm_dw_hdmi.patch new file mode 100644 index 00000000000..d32afccc31c --- /dev/null +++ b/queue-6.9/arm-configs-sunxi-enable-drm_dw_hdmi.patch @@ -0,0 +1,41 @@ +From 4fa052cc0d37b3a24b1ba672c24020da72c5f2dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 12:56:23 +0200 +Subject: ARM: configs: sunxi: Enable DRM_DW_HDMI + +From: Maxime Ripard + +[ Upstream commit deff401b14e2d832b25b55862ad6c73378fe034e ] + +Commit 4fc8cb47fcfd ("drm/display: Move HDMI helpers into display-helper +module") turned the DRM_DW_HDMI dependency of DRM_SUN8I_DW_HDMI into a +depends on which ended up disabling the driver in the defconfig. Make +sure it's still enabled. + +Fixes: 4fc8cb47fcfd ("drm/display: Move HDMI helpers into display-helper module") +Reported-by: Mark Brown +Reported-by: Alexander Stein +Signed-off-by: Maxime Ripard +Acked-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20240403-fix-dw-hdmi-kconfig-v1-5-afbc4a835c38@kernel.org +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + arch/arm/configs/sunxi_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/configs/sunxi_defconfig b/arch/arm/configs/sunxi_defconfig +index bddc82f789421..a83d29fed1756 100644 +--- a/arch/arm/configs/sunxi_defconfig ++++ b/arch/arm/configs/sunxi_defconfig +@@ -110,6 +110,7 @@ CONFIG_DRM_PANEL_LVDS=y + CONFIG_DRM_PANEL_SIMPLE=y + CONFIG_DRM_PANEL_EDP=y + CONFIG_DRM_SIMPLE_BRIDGE=y ++CONFIG_DRM_DW_HDMI=y + CONFIG_DRM_LIMA=y + CONFIG_FB_SIMPLE=y + CONFIG_BACKLIGHT_CLASS_DEVICE=y +-- +2.43.0 + diff --git a/queue-6.9/arm64-remove-unnecessary-irqflags-alternative.h-incl.patch b/queue-6.9/arm64-remove-unnecessary-irqflags-alternative.h-incl.patch new file mode 100644 index 00000000000..0aceb67b40f --- /dev/null +++ b/queue-6.9/arm64-remove-unnecessary-irqflags-alternative.h-incl.patch @@ -0,0 +1,37 @@ +From b6ad63805ef5456e1bfba9f4f459ec6d7376a108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 14:38:19 +0800 +Subject: arm64: Remove unnecessary irqflags alternative.h include + +From: Jinjie Ruan + +[ Upstream commit 98631c4904bf6380834c8585ce50451f00eb5389 ] + +Since commit 20af807d806d ("arm64: Avoid cpus_have_const_cap() for +ARM64_HAS_GIC_PRIO_MASKING"), the alternative.h include is not used, +so remove it. + +Fixes: 20af807d806d ("arm64: Avoid cpus_have_const_cap() for ARM64_HAS_GIC_PRIO_MASKING") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20240314063819.2636445-1-ruanjinjie@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/irqflags.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/include/asm/irqflags.h b/arch/arm64/include/asm/irqflags.h +index 0a7186a93882d..d4d7451c2c129 100644 +--- a/arch/arm64/include/asm/irqflags.h ++++ b/arch/arm64/include/asm/irqflags.h +@@ -5,7 +5,6 @@ + #ifndef __ASM_IRQFLAGS_H + #define __ASM_IRQFLAGS_H + +-#include + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-fix-asrc-module-initialization.patch b/queue-6.9/asoc-intel-avs-fix-asrc-module-initialization.patch new file mode 100644 index 00000000000..ffe5afb86b4 --- /dev/null +++ b/queue-6.9/asoc-intel-avs-fix-asrc-module-initialization.patch @@ -0,0 +1,36 @@ +From 3bdd56c9c6d110d8a4b4746e5b758339b1b2448c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:21 +0200 +Subject: ASoC: Intel: avs: Fix ASRC module initialization + +From: Cezary Rojewski + +[ Upstream commit 9d2e26f31c7cc3fa495c423af9b4902ec0dc7be3 ] + +The ASRC module configuration consists of several reserved fields. Zero +them out when initializing the module to avoid sending invalid data. + +Fixes: 274d79e51875 ("ASoC: Intel: avs: Configure modules according to their type") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-6-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/path.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/intel/avs/path.c b/sound/soc/intel/avs/path.c +index e785fc2a7008f..a44ed33b56080 100644 +--- a/sound/soc/intel/avs/path.c ++++ b/sound/soc/intel/avs/path.c +@@ -367,6 +367,7 @@ static int avs_asrc_create(struct avs_dev *adev, struct avs_path_module *mod) + struct avs_tplg_module *t = mod->template; + struct avs_asrc_cfg cfg; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.base.cpc = t->cfg_base->cpc; + cfg.base.ibs = t->cfg_base->ibs; + cfg.base.obs = t->cfg_base->obs; +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-fix-debug-slot-offset-calculation.patch b/queue-6.9/asoc-intel-avs-fix-debug-slot-offset-calculation.patch new file mode 100644 index 00000000000..3dc0badc6ed --- /dev/null +++ b/queue-6.9/asoc-intel-avs-fix-debug-slot-offset-calculation.patch @@ -0,0 +1,46 @@ +From fe798fb7ba16b073f9ac09c599f4d26adb10e139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:18 +0200 +Subject: ASoC: Intel: avs: Fix debug-slot offset calculation + +From: Cezary Rojewski + +[ Upstream commit c91b692781c1839fcc389b2a9120e46593c6424b ] + +For resources with ID other than 0 the current calculus is incorrect. + +Fixes: 275b583d047a ("ASoC: Intel: avs: ICL-based platforms support") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/icl.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/intel/avs/icl.c b/sound/soc/intel/avs/icl.c +index d2554c8577326..284d38f3b1caf 100644 +--- a/sound/soc/intel/avs/icl.c ++++ b/sound/soc/intel/avs/icl.c +@@ -66,7 +66,7 @@ struct avs_icl_memwnd2 { + struct avs_icl_memwnd2_desc slot_desc[AVS_ICL_MEMWND2_SLOTS_COUNT]; + u8 rsvd[SZ_4K]; + }; +- u8 slot_array[AVS_ICL_MEMWND2_SLOTS_COUNT][PAGE_SIZE]; ++ u8 slot_array[AVS_ICL_MEMWND2_SLOTS_COUNT][SZ_4K]; + } __packed; + + #define AVS_ICL_SLOT_UNUSED \ +@@ -89,8 +89,7 @@ static int avs_icl_slot_offset(struct avs_dev *adev, union avs_icl_memwnd2_slot_ + + for (i = 0; i < AVS_ICL_MEMWND2_SLOTS_COUNT; i++) + if (desc[i].slot_id.val == slot_type.val) +- return offsetof(struct avs_icl_memwnd2, slot_array) + +- avs_skl_log_buffer_offset(adev, i); ++ return offsetof(struct avs_icl_memwnd2, slot_array) + i * SZ_4K; + return -ENXIO; + } + +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-fix-potential-integer-overflow.patch b/queue-6.9/asoc-intel-avs-fix-potential-integer-overflow.patch new file mode 100644 index 00000000000..94f17b2ae0e --- /dev/null +++ b/queue-6.9/asoc-intel-avs-fix-potential-integer-overflow.patch @@ -0,0 +1,41 @@ +From 4ef2866b5c622751f48bab3e5709c028c1e24c50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:23 +0200 +Subject: ASoC: Intel: avs: Fix potential integer overflow + +From: Cezary Rojewski + +[ Upstream commit c7e832cabe635df47c2bf6df7801e97bf3045b1e ] + +While stream_tag for CLDMA on SKL-based platforms is always 1, function +hda_cldma_setup() uses AZX_SD_CTL_STRM() macro which does: + stream_tag << 20 + +what combined with stream_tag type of 'unsigned int' generates a +potential overflow issue. Update the field type to fix that. + +Fixes: 45864e49a05a ("ASoC: Intel: avs: Implement CLDMA transfer") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-8-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/cldma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/cldma.c b/sound/soc/intel/avs/cldma.c +index d7a9390b5e483..585579840b646 100644 +--- a/sound/soc/intel/avs/cldma.c ++++ b/sound/soc/intel/avs/cldma.c +@@ -35,7 +35,7 @@ struct hda_cldma { + + unsigned int buffer_size; + unsigned int num_periods; +- unsigned int stream_tag; ++ unsigned char stream_tag; + void __iomem *sd_addr; + + struct snd_dma_buffer dmab_data; +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-restore-stream-decoupling-on-prepare.patch b/queue-6.9/asoc-intel-avs-restore-stream-decoupling-on-prepare.patch new file mode 100644 index 00000000000..0cace758c81 --- /dev/null +++ b/queue-6.9/asoc-intel-avs-restore-stream-decoupling-on-prepare.patch @@ -0,0 +1,57 @@ +From 8f1639c41c2483c2a4a97ecffb01d1dd873825c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:17 +0200 +Subject: ASoC: Intel: avs: Restore stream decoupling on prepare +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit 680507581e025d16a0b6d3782603ca8c598fbe2b ] + +Revert changes from commit b87b8f43afd5 ("ASoC: Intel: avs: Drop +superfluous stream decoupling") to restore working streaming during S3. + +Fixes: b87b8f43afd5 ("ASoC: Intel: avs: Drop superfluous stream decoupling") +Signed-off-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-2-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/pcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c +index 2cafbc392cdbe..72f1bc3b7b1fe 100644 +--- a/sound/soc/intel/avs/pcm.c ++++ b/sound/soc/intel/avs/pcm.c +@@ -356,6 +356,7 @@ static int avs_dai_hda_be_prepare(struct snd_pcm_substream *substream, struct sn + stream_info->sig_bits); + format_val = snd_hdac_stream_format(runtime->channels, bits, runtime->rate); + ++ snd_hdac_ext_stream_decouple(bus, link_stream, true); + snd_hdac_ext_stream_reset(link_stream); + snd_hdac_ext_stream_setup(link_stream, format_val); + +@@ -611,6 +612,7 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so + struct avs_dev *adev = to_avs_dev(dai->dev); + struct hdac_ext_stream *host_stream; + unsigned int format_val; ++ struct hdac_bus *bus; + unsigned int bits; + int ret; + +@@ -620,6 +622,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so + if (hdac_stream(host_stream)->prepared) + return 0; + ++ bus = hdac_stream(host_stream)->bus; ++ snd_hdac_ext_stream_decouple(bus, data->host_stream, true); + snd_hdac_stream_reset(hdac_stream(host_stream)); + + stream_info = snd_soc_dai_get_pcm_stream(dai, substream->stream); +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch b/queue-6.9/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch new file mode 100644 index 00000000000..4a37ffb632c --- /dev/null +++ b/queue-6.9/asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch @@ -0,0 +1,36 @@ +From f57385628a7a533f9a1bd3cbcfcc727192758db1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 10:05:00 +0100 +Subject: ASoC: Intel: avs: ssm4567: Do not ignore route checks + +From: Cezary Rojewski + +[ Upstream commit e6719d48ba6329536c459dcee5a571e535687094 ] + +A copy-paste from intel/boards/skl_nau88l25_ssm4567.c made the avs's +equivalent disable route checks as well. Such behavior is not desired. + +Fixes: 69ea14efe99b ("ASoC: Intel: avs: Add ssm4567 machine board") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240308090502.2136760-4-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/ssm4567.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/intel/avs/boards/ssm4567.c b/sound/soc/intel/avs/boards/ssm4567.c +index d6f7f046c24e5..f634261e4f604 100644 +--- a/sound/soc/intel/avs/boards/ssm4567.c ++++ b/sound/soc/intel/avs/boards/ssm4567.c +@@ -172,7 +172,6 @@ static int avs_ssm4567_probe(struct platform_device *pdev) + card->dapm_routes = card_base_routes; + card->num_dapm_routes = ARRAY_SIZE(card_base_routes); + card->fully_routed = true; +- card->disable_route_checks = true; + + ret = snd_soc_fixup_dai_links_platform_name(card, pname); + if (ret) +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-avs-test-result-of-avs_get_module_entry.patch b/queue-6.9/asoc-intel-avs-test-result-of-avs_get_module_entry.patch new file mode 100644 index 00000000000..b04d756f7bb --- /dev/null +++ b/queue-6.9/asoc-intel-avs-test-result-of-avs_get_module_entry.patch @@ -0,0 +1,59 @@ +From 96aba6b881387450cfb168a869cd34b7718f1d6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:09:24 +0200 +Subject: ASoC: Intel: avs: Test result of avs_get_module_entry() + +From: Cezary Rojewski + +[ Upstream commit 41bf4525fadb3d8df3860420d6ac9025c51a3bac ] + +While PROBE_MOD_UUID is always part of the base AudioDSP firmware +manifest, from maintenance point of view it is better to check the +result. + +Fixes: dab8d000e25c ("ASoC: Intel: avs: Add data probing requests") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240405090929.1184068-9-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/probes.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/intel/avs/probes.c b/sound/soc/intel/avs/probes.c +index 817e543036f29..7e781a3156909 100644 +--- a/sound/soc/intel/avs/probes.c ++++ b/sound/soc/intel/avs/probes.c +@@ -19,8 +19,11 @@ static int avs_dsp_init_probe(struct avs_dev *adev, union avs_connector_node_id + struct avs_probe_cfg cfg = {{0}}; + struct avs_module_entry mentry; + u8 dummy; ++ int ret; + +- avs_get_module_entry(adev, &AVS_PROBE_MOD_UUID, &mentry); ++ ret = avs_get_module_entry(adev, &AVS_PROBE_MOD_UUID, &mentry); ++ if (ret) ++ return ret; + + /* + * Probe module uses no cycles, audio data format and input and output +@@ -39,11 +42,12 @@ static int avs_dsp_init_probe(struct avs_dev *adev, union avs_connector_node_id + static void avs_dsp_delete_probe(struct avs_dev *adev) + { + struct avs_module_entry mentry; ++ int ret; + +- avs_get_module_entry(adev, &AVS_PROBE_MOD_UUID, &mentry); +- +- /* There is only ever one probe module instance. */ +- avs_dsp_delete_module(adev, mentry.module_id, 0, INVALID_PIPELINE_ID, 0); ++ ret = avs_get_module_entry(adev, &AVS_PROBE_MOD_UUID, &mentry); ++ if (!ret) ++ /* There is only ever one probe module instance. */ ++ avs_dsp_delete_module(adev, mentry.module_id, 0, INVALID_PIPELINE_ID, 0); + } + + static inline struct hdac_ext_stream *avs_compr_get_host_stream(struct snd_compr_stream *cstream) +-- +2.43.0 + diff --git a/queue-6.9/asoc-intel-disable-route-checks-for-skylake-boards.patch b/queue-6.9/asoc-intel-disable-route-checks-for-skylake-boards.patch new file mode 100644 index 00000000000..aa6b4fb2871 --- /dev/null +++ b/queue-6.9/asoc-intel-disable-route-checks-for-skylake-boards.patch @@ -0,0 +1,209 @@ +From 7d20c86ef33ba688011f089c164406ea3261f5a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 10:04:58 +0100 +Subject: ASoC: Intel: Disable route checks for Skylake boards + +From: Cezary Rojewski + +[ Upstream commit 0cb3b7fd530b8c107443218ce6db5cb6e7b5dbe1 ] + +Topology files that are propagated to the world and utilized by the +skylake-driver carry shortcomings in their SectionGraphs. + +Since commit daa480bde6b3 ("ASoC: soc-core: tidyup for +snd_soc_dapm_add_routes()") route checks are no longer permissive. Probe +failures for Intel boards have been partially addressed by commit +a22ae72b86a4 ("ASoC: soc-core: disable route checks for legacy devices") +and its follow up but only skl_nau88l25_ssm4567.c is patched. Fix the +problem for the rest of the boards. + +Link: https://lore.kernel.org/all/20200309192744.18380-1-pierre-louis.bossart@linux.intel.com/ +Fixes: daa480bde6b3 ("ASoC: soc-core: tidyup for snd_soc_dapm_add_routes()") +Signed-off-by: Cezary Rojewski +Link: https://msgid.link/r/20240308090502.2136760-2-cezary.rojewski@intel.com +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bxt_da7219_max98357a.c | 1 + + sound/soc/intel/boards/bxt_rt298.c | 1 + + sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 ++ + sound/soc/intel/boards/kbl_da7219_max98357a.c | 1 + + sound/soc/intel/boards/kbl_da7219_max98927.c | 4 ++++ + sound/soc/intel/boards/kbl_rt5660.c | 1 + + sound/soc/intel/boards/kbl_rt5663_max98927.c | 2 ++ + sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 1 + + sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 ++ + sound/soc/intel/boards/skl_nau88l25_max98357a.c | 1 + + sound/soc/intel/boards/skl_rt286.c | 1 + + 11 files changed, 17 insertions(+) + +diff --git a/sound/soc/intel/boards/bxt_da7219_max98357a.c b/sound/soc/intel/boards/bxt_da7219_max98357a.c +index 540f7a29310a9..3fe3f38c6cb69 100644 +--- a/sound/soc/intel/boards/bxt_da7219_max98357a.c ++++ b/sound/soc/intel/boards/bxt_da7219_max98357a.c +@@ -768,6 +768,7 @@ static struct snd_soc_card broxton_audio_card = { + .dapm_routes = audio_map, + .num_dapm_routes = ARRAY_SIZE(audio_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = bxt_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index c0eb65c14aa97..afc499be8db26 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -574,6 +574,7 @@ static struct snd_soc_card broxton_rt298 = { + .dapm_routes = broxton_rt298_map, + .num_dapm_routes = ARRAY_SIZE(broxton_rt298_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = bxt_card_late_probe, + + }; +diff --git a/sound/soc/intel/boards/glk_rt5682_max98357a.c b/sound/soc/intel/boards/glk_rt5682_max98357a.c +index 657e4658234ce..4098b2d32f9bc 100644 +--- a/sound/soc/intel/boards/glk_rt5682_max98357a.c ++++ b/sound/soc/intel/boards/glk_rt5682_max98357a.c +@@ -649,6 +649,8 @@ static int geminilake_audio_probe(struct platform_device *pdev) + card = &glk_audio_card_rt5682_m98357a; + card->dev = &pdev->dev; + snd_soc_card_set_drvdata(card, ctx); ++ if (!snd_soc_acpi_sof_parent(&pdev->dev)) ++ card->disable_route_checks = true; + + /* override platform name, if required */ + mach = pdev->dev.platform_data; +diff --git a/sound/soc/intel/boards/kbl_da7219_max98357a.c b/sound/soc/intel/boards/kbl_da7219_max98357a.c +index a5d8965303a88..9dbc15f9d1c9b 100644 +--- a/sound/soc/intel/boards/kbl_da7219_max98357a.c ++++ b/sound/soc/intel/boards/kbl_da7219_max98357a.c +@@ -639,6 +639,7 @@ static struct snd_soc_card kabylake_audio_card_da7219_m98357a = { + .dapm_routes = kabylake_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_da7219_max98927.c b/sound/soc/intel/boards/kbl_da7219_max98927.c +index 98c11ec0adc01..e662da5af83b5 100644 +--- a/sound/soc/intel/boards/kbl_da7219_max98927.c ++++ b/sound/soc/intel/boards/kbl_da7219_max98927.c +@@ -1036,6 +1036,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1054,6 +1055,7 @@ static struct snd_soc_card kbl_audio_card_max98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1071,6 +1073,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98373 = { + .codec_conf = max98373_codec_conf, + .num_configs = ARRAY_SIZE(max98373_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -1088,6 +1091,7 @@ static struct snd_soc_card kbl_audio_card_max98373 = { + .codec_conf = max98373_codec_conf, + .num_configs = ARRAY_SIZE(max98373_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5660.c b/sound/soc/intel/boards/kbl_rt5660.c +index 30e0aca161cd5..894d127c482a3 100644 +--- a/sound/soc/intel/boards/kbl_rt5660.c ++++ b/sound/soc/intel/boards/kbl_rt5660.c +@@ -518,6 +518,7 @@ static struct snd_soc_card kabylake_audio_card_rt5660 = { + .dapm_routes = kabylake_rt5660_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_rt5660_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c +index 9071b1f1cbd00..646e8ff8e9619 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c +@@ -966,6 +966,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663_m98927 = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +@@ -982,6 +983,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663 = { + .dapm_routes = kabylake_5663_map, + .num_dapm_routes = ARRAY_SIZE(kabylake_5663_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +index 178fe9c37df62..924d5d1de03ac 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +@@ -791,6 +791,7 @@ static struct snd_soc_card kabylake_audio_card = { + .codec_conf = max98927_codec_conf, + .num_configs = ARRAY_SIZE(max98927_codec_conf), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = kabylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/skl_hda_dsp_generic.c b/sound/soc/intel/boards/skl_hda_dsp_generic.c +index 6e172719c9795..4aa7fd2a05e46 100644 +--- a/sound/soc/intel/boards/skl_hda_dsp_generic.c ++++ b/sound/soc/intel/boards/skl_hda_dsp_generic.c +@@ -227,6 +227,8 @@ static int skl_hda_audio_probe(struct platform_device *pdev) + ctx->common_hdmi_codec_drv = mach->mach_params.common_hdmi_codec_drv; + + hda_soc_card.dev = &pdev->dev; ++ if (!snd_soc_acpi_sof_parent(&pdev->dev)) ++ hda_soc_card.disable_route_checks = true; + + if (mach->mach_params.dmic_num > 0) { + snprintf(hda_soc_components, sizeof(hda_soc_components), +diff --git a/sound/soc/intel/boards/skl_nau88l25_max98357a.c b/sound/soc/intel/boards/skl_nau88l25_max98357a.c +index 0e7025834594a..e4630c33176e2 100644 +--- a/sound/soc/intel/boards/skl_nau88l25_max98357a.c ++++ b/sound/soc/intel/boards/skl_nau88l25_max98357a.c +@@ -654,6 +654,7 @@ static struct snd_soc_card skylake_audio_card = { + .dapm_routes = skylake_map, + .num_dapm_routes = ARRAY_SIZE(skylake_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = skylake_card_late_probe, + }; + +diff --git a/sound/soc/intel/boards/skl_rt286.c b/sound/soc/intel/boards/skl_rt286.c +index c59c60e280916..9a80442749081 100644 +--- a/sound/soc/intel/boards/skl_rt286.c ++++ b/sound/soc/intel/boards/skl_rt286.c +@@ -523,6 +523,7 @@ static struct snd_soc_card skylake_rt286 = { + .dapm_routes = skylake_rt286_map, + .num_dapm_routes = ARRAY_SIZE(skylake_rt286_map), + .fully_routed = true, ++ .disable_route_checks = true, + .late_probe = skylake_card_late_probe, + }; + +-- +2.43.0 + diff --git a/queue-6.9/asoc-kirkwood-fix-potential-null-dereference.patch b/queue-6.9/asoc-kirkwood-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..7dc41cfb789 --- /dev/null +++ b/queue-6.9/asoc-kirkwood-fix-potential-null-dereference.patch @@ -0,0 +1,41 @@ +From f82f5c5e2c0848b52976e06969d8ed3c125f0e42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 20:33:37 +0300 +Subject: ASoC: kirkwood: Fix potential NULL dereference + +From: Aleksandr Mishin + +[ Upstream commit ea60ab95723f5738e7737b56dda95e6feefa5b50 ] + +In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if +CONFIG_PLAT_ORION macro is not defined. +Fix this bug by adding NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bb6a40fc5a83 ("ASoC: kirkwood: Fix reference to PCM buffer address") +Signed-off-by: Aleksandr Mishin +Link: https://msgid.link/r/20240328173337.21406-1-amishin@t-argos.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index dd2f806526c10..ef00792e1d49a 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -182,6 +182,9 @@ static int kirkwood_dma_hw_params(struct snd_soc_component *component, + const struct mbus_dram_target_info *dram = mv_mbus_dram_info(); + unsigned long addr = substream->runtime->dma_addr; + ++ if (!dram) ++ return 0; ++ + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) + kirkwood_dma_conf_mbus_windows(priv->io, + KIRKWOOD_PLAYBACK_WIN, addr, dram); +-- +2.43.0 + diff --git a/queue-6.9/asoc-mediatek-assign-dummy-when-codec-not-specified-.patch b/queue-6.9/asoc-mediatek-assign-dummy-when-codec-not-specified-.patch new file mode 100644 index 00000000000..227327e782e --- /dev/null +++ b/queue-6.9/asoc-mediatek-assign-dummy-when-codec-not-specified-.patch @@ -0,0 +1,45 @@ +From c395cd0084c9b28a4a15b1903dea5b2ae30dc2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 12:01:29 +0100 +Subject: ASoC: mediatek: Assign dummy when codec not specified for a DAI link + +From: AngeloGioacchino Del Regno + +[ Upstream commit 5f39231888c63f0a7708abc86b51b847476379d8 ] + +MediaTek sound card drivers are checking whether a DAI link is present +and used on a board to assign the correct parameters and this is done +by checking the codec DAI names at probe time. + +If no real codec is present, assign the dummy codec to the DAI link +to avoid NULL pointer during string comparison. + +Fixes: 4302187d955f ("ASoC: mediatek: common: add soundcard driver common code") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://msgid.link/r/20240313110147.1267793-5-angelogioacchino.delregno@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/common/mtk-soundcard-driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/mediatek/common/mtk-soundcard-driver.c b/sound/soc/mediatek/common/mtk-soundcard-driver.c +index a58e1e3674dec..000a086a8cf44 100644 +--- a/sound/soc/mediatek/common/mtk-soundcard-driver.c ++++ b/sound/soc/mediatek/common/mtk-soundcard-driver.c +@@ -22,7 +22,11 @@ static int set_card_codec_info(struct snd_soc_card *card, + + codec_node = of_get_child_by_name(sub_node, "codec"); + if (!codec_node) { +- dev_dbg(dev, "%s no specified codec\n", dai_link->name); ++ dev_dbg(dev, "%s no specified codec: setting dummy.\n", dai_link->name); ++ ++ dai_link->codecs = &snd_soc_dummy_dlc; ++ dai_link->num_codecs = 1; ++ dai_link->dynamic = 1; + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.9/asoc-sof-intel-hda-dai-fix-channel-map-configuration.patch b/queue-6.9/asoc-sof-intel-hda-dai-fix-channel-map-configuration.patch new file mode 100644 index 00000000000..e32bf43f1e7 --- /dev/null +++ b/queue-6.9/asoc-sof-intel-hda-dai-fix-channel-map-configuration.patch @@ -0,0 +1,92 @@ +From ff7497ecead1647d741f8d4143bb028dedc5ef80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 10:18:12 -0500 +Subject: ASoC: SOF: Intel: hda-dai: fix channel map configuration for + aggregated dailink + +From: Pierre-Louis Bossart + +[ Upstream commit 831045513c8a2ef14c3cf39b33d1ccedf588c4a8 ] + +The existing code derives the channel map used to program the HDaudio +link DMA from the hw_params, but that is not quite right in the case +of aggregation. The code in soc-pcm.c splits the hw_params depending +on the codec_ch_map, and we need to reconstruct the channel-map to +insert the data in the right places. + +This issue is seen only on amplifier feedback capture where the data +from the second amplifier was replaced by that of the first amplifier. + +Note that the loop iterator of the macro for_each_rtd_cpu_dais() is +reused in a following loop. This is different to all existing usages +of that macro, hence the use of a boolean flag to avoid an access to +an uninitialized variable. + +Fixes: 2960ee5c4814 ("ASoC: SOF: Intel: hda-dai: add helpers for SoundWire callbacks") +Reviewed-by: Bard Liao +Reviewed-by: Rander Wang +Signed-off-by: Pierre-Louis Bossart +Link: https://msgid.link/r/20240402151828.175002-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda-dai.c | 31 +++++++++++++++++++++++++++++-- + 1 file changed, 29 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c +index c1682bcdb5a66..6a39ca632f55e 100644 +--- a/sound/soc/sof/intel/hda-dai.c ++++ b/sound/soc/sof/intel/hda-dai.c +@@ -439,10 +439,17 @@ int sdw_hda_dai_hw_params(struct snd_pcm_substream *substream, + int link_id) + { + struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream); ++ struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); + const struct hda_dai_widget_dma_ops *ops; ++ struct snd_soc_dai_link_ch_map *ch_maps; + struct hdac_ext_stream *hext_stream; ++ struct snd_soc_dai *dai; + struct snd_sof_dev *sdev; ++ bool cpu_dai_found = false; ++ int cpu_dai_id; ++ int ch_mask; + int ret; ++ int j; + + ret = non_hda_dai_hw_params(substream, params, cpu_dai); + if (ret < 0) { +@@ -457,9 +464,29 @@ int sdw_hda_dai_hw_params(struct snd_pcm_substream *substream, + if (!hext_stream) + return -ENODEV; + +- /* in the case of SoundWire we need to program the PCMSyCM registers */ ++ /* ++ * in the case of SoundWire we need to program the PCMSyCM registers. In case ++ * of aggregated devices, we need to define the channel mask for each sublink ++ * by reconstructing the split done in soc-pcm.c ++ */ ++ for_each_rtd_cpu_dais(rtd, cpu_dai_id, dai) { ++ if (dai == cpu_dai) { ++ cpu_dai_found = true; ++ break; ++ } ++ } ++ ++ if (!cpu_dai_found) ++ return -ENODEV; ++ ++ ch_mask = 0; ++ for_each_link_ch_maps(rtd->dai_link, j, ch_maps) { ++ if (ch_maps->cpu == cpu_dai_id) ++ ch_mask |= ch_maps->ch_mask; ++ } ++ + ret = hdac_bus_eml_sdw_map_stream_ch(sof_to_bus(sdev), link_id, cpu_dai->id, +- GENMASK(params_channels(params) - 1, 0), ++ ch_mask, + hdac_stream(hext_stream)->stream_tag, + substream->stream); + if (ret < 0) { +-- +2.43.0 + diff --git a/queue-6.9/asoc-sof-intel-lnl-correct-rom_status_reg.patch b/queue-6.9/asoc-sof-intel-lnl-correct-rom_status_reg.patch new file mode 100644 index 00000000000..901498f8e0a --- /dev/null +++ b/queue-6.9/asoc-sof-intel-lnl-correct-rom_status_reg.patch @@ -0,0 +1,79 @@ +From 199761c0b8b8ed79746bd553cdd314247b0a9f3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:52:06 +0300 +Subject: ASoC: SOF: Intel: lnl: Correct rom_status_reg + +From: Peter Ujfalusi + +[ Upstream commit b852574c671a9983dd51c81582c8c5085f3dc382 ] + +ACE2 architecture changed the place where the ROM updates the status code +from the shared SRAM window (and HFFLGP1QW0 in ACE1) to HFDSC register for +the status and HFDEC (HFDSC + 4) for the error code. + +The rom_status_reg is not used on LNL because it was wrongly assigned based +on older platform convention (SRAM window) and it was giving inconsistent +readings. + +Add new header file for lnl specific register definitions. + +Fixes: 64a63d9914a5 ("ASoC: SOF: Intel: LNL: Add support for Lunarlake platform") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Rander Wang +Reviewed-by: Kai Vehmanen +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Liam Girdwood +Link: https://msgid.link/r/20240403105210.17949-4-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/lnl.c | 3 ++- + sound/soc/sof/intel/lnl.h | 15 +++++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 sound/soc/sof/intel/lnl.h + +diff --git a/sound/soc/sof/intel/lnl.c b/sound/soc/sof/intel/lnl.c +index aeb4350cce6bb..6055a33bb4bf6 100644 +--- a/sound/soc/sof/intel/lnl.c ++++ b/sound/soc/sof/intel/lnl.c +@@ -16,6 +16,7 @@ + #include "hda-ipc.h" + #include "../sof-audio.h" + #include "mtl.h" ++#include "lnl.h" + #include + + /* LunarLake ops */ +@@ -208,7 +209,7 @@ const struct sof_intel_dsp_desc lnl_chip_info = { + .ipc_ack = MTL_DSP_REG_HFIPCXIDA, + .ipc_ack_mask = MTL_DSP_REG_HFIPCXIDA_DONE, + .ipc_ctl = MTL_DSP_REG_HFIPCXCTL, +- .rom_status_reg = MTL_DSP_ROM_STS, ++ .rom_status_reg = LNL_DSP_REG_HFDSC, + .rom_init_timeout = 300, + .ssp_count = MTL_SSP_COUNT, + .d0i3_offset = MTL_HDA_VS_D0I3C, +diff --git a/sound/soc/sof/intel/lnl.h b/sound/soc/sof/intel/lnl.h +new file mode 100644 +index 0000000000000..4f4734fe7e089 +--- /dev/null ++++ b/sound/soc/sof/intel/lnl.h +@@ -0,0 +1,15 @@ ++/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-3-Clause) */ ++/* ++ * This file is provided under a dual BSD/GPLv2 license. When using or ++ * redistributing this file, you may do so under either license. ++ * ++ * Copyright(c) 2024 Intel Corporation. All rights reserved. ++ */ ++ ++#ifndef __SOF_INTEL_LNL_H ++#define __SOF_INTEL_LNL_H ++ ++#define LNL_DSP_REG_HFDSC 0x160200 /* DSP core0 status */ ++#define LNL_DSP_REG_HFDEC 0x160204 /* DSP core0 error */ ++ ++#endif /* __SOF_INTEL_LNL_H */ +-- +2.43.0 + diff --git a/queue-6.9/asoc-sof-intel-mtl-correct-rom_status_reg.patch b/queue-6.9/asoc-sof-intel-mtl-correct-rom_status_reg.patch new file mode 100644 index 00000000000..0b10808eef1 --- /dev/null +++ b/queue-6.9/asoc-sof-intel-mtl-correct-rom_status_reg.patch @@ -0,0 +1,71 @@ +From 2064a01305cf52d5eebf50d026fc718c4ad4efc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:52:05 +0300 +Subject: ASoC: SOF: Intel: mtl: Correct rom_status_reg + +From: Peter Ujfalusi + +[ Upstream commit 1f1b820dc3c65b6883da3130ba3b8624dcbf87db ] + +ACE1 architecture changed the place where the ROM updates the status code +from the shared SRAM window to HFFLGP1QW0 register for the status and +HFFLGP1QW0 + 4 for the error code. + +The rom_status_reg is not used on MTL because it was wrongly assigned based +on older platform convention (SRAM window) and it was giving inconsistent +readings. + +Fixes: 064520e8aeaa ("ASoC: SOF: Intel: Add support for MeteorLake (MTL)") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Rander Wang +Reviewed-by: Kai Vehmanen +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Liam Girdwood +Link: https://msgid.link/r/20240403105210.17949-3-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/mtl.c | 4 ++-- + sound/soc/sof/intel/mtl.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/sof/intel/mtl.c b/sound/soc/sof/intel/mtl.c +index 060c34988e90d..1454e2a98c3b0 100644 +--- a/sound/soc/sof/intel/mtl.c ++++ b/sound/soc/sof/intel/mtl.c +@@ -727,7 +727,7 @@ const struct sof_intel_dsp_desc mtl_chip_info = { + .ipc_ack = MTL_DSP_REG_HFIPCXIDA, + .ipc_ack_mask = MTL_DSP_REG_HFIPCXIDA_DONE, + .ipc_ctl = MTL_DSP_REG_HFIPCXCTL, +- .rom_status_reg = MTL_DSP_ROM_STS, ++ .rom_status_reg = MTL_DSP_REG_HFFLGPXQWY, + .rom_init_timeout = 300, + .ssp_count = MTL_SSP_COUNT, + .ssp_base_offset = CNL_SSP_BASE_OFFSET, +@@ -755,7 +755,7 @@ const struct sof_intel_dsp_desc arl_s_chip_info = { + .ipc_ack = MTL_DSP_REG_HFIPCXIDA, + .ipc_ack_mask = MTL_DSP_REG_HFIPCXIDA_DONE, + .ipc_ctl = MTL_DSP_REG_HFIPCXCTL, +- .rom_status_reg = MTL_DSP_ROM_STS, ++ .rom_status_reg = MTL_DSP_REG_HFFLGPXQWY, + .rom_init_timeout = 300, + .ssp_count = MTL_SSP_COUNT, + .ssp_base_offset = CNL_SSP_BASE_OFFSET, +diff --git a/sound/soc/sof/intel/mtl.h b/sound/soc/sof/intel/mtl.h +index ea8c1b83f7127..3c56427a966bf 100644 +--- a/sound/soc/sof/intel/mtl.h ++++ b/sound/soc/sof/intel/mtl.h +@@ -70,8 +70,8 @@ + #define MTL_DSP_ROM_STS MTL_SRAM_WINDOW_OFFSET(0) /* ROM status */ + #define MTL_DSP_ROM_ERROR (MTL_SRAM_WINDOW_OFFSET(0) + 0x4) /* ROM error code */ + +-#define MTL_DSP_REG_HFFLGPXQWY 0x163200 /* ROM debug status */ +-#define MTL_DSP_REG_HFFLGPXQWY_ERROR 0x163204 /* ROM debug error code */ ++#define MTL_DSP_REG_HFFLGPXQWY 0x163200 /* DSP core0 status */ ++#define MTL_DSP_REG_HFFLGPXQWY_ERROR 0x163204 /* DSP core0 error */ + #define MTL_DSP_REG_HfIMRIS1 0x162088 + #define MTL_DSP_REG_HfIMRIS1_IU_MASK BIT(0) + +-- +2.43.0 + diff --git a/queue-6.9/asoc-sof-intel-mtl-disable-interrupts-when-firmware-.patch b/queue-6.9/asoc-sof-intel-mtl-disable-interrupts-when-firmware-.patch new file mode 100644 index 00000000000..6a7c2aa7c31 --- /dev/null +++ b/queue-6.9/asoc-sof-intel-mtl-disable-interrupts-when-firmware-.patch @@ -0,0 +1,40 @@ +From de87db74a3409a4e1e67284130b41281940ec33b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:52:07 +0300 +Subject: ASoC: SOF: Intel: mtl: Disable interrupts when firmware boot failed + +From: Peter Ujfalusi + +[ Upstream commit 26187f44aabdf3df7609b7c78724a059c230a2ad ] + +In case of error during the firmware boot we need to disable the interrupts +which were enabled as part of the boot sequence. + +Fixes: 064520e8aeaa ("ASoC: SOF: Intel: Add support for MeteorLake (MTL)") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Rander Wang +Reviewed-by: Kai Vehmanen +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Liam Girdwood +Link: https://msgid.link/r/20240403105210.17949-5-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/mtl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/sof/intel/mtl.c b/sound/soc/sof/intel/mtl.c +index 1454e2a98c3b0..fbd7cf77e8174 100644 +--- a/sound/soc/sof/intel/mtl.c ++++ b/sound/soc/sof/intel/mtl.c +@@ -503,6 +503,7 @@ int mtl_dsp_cl_init(struct snd_sof_dev *sdev, int stream_tag, bool imr_boot) + dump_msg = kasprintf(GFP_KERNEL, "Boot iteration failed: %d/%d", + hda->boot_iteration, HDA_FW_BOOT_ATTEMPTS); + snd_sof_dsp_dbg_dump(sdev, dump_msg, flags); ++ mtl_enable_interrupts(sdev, false); + mtl_dsp_core_power_down(sdev, SOF_DSP_PRIMARY_CORE); + + kfree(dump_msg); +-- +2.43.0 + diff --git a/queue-6.9/asoc-sof-intel-mtl-implement-firmware-boot-state-che.patch b/queue-6.9/asoc-sof-intel-mtl-implement-firmware-boot-state-che.patch new file mode 100644 index 00000000000..ef4169b34c7 --- /dev/null +++ b/queue-6.9/asoc-sof-intel-mtl-implement-firmware-boot-state-che.patch @@ -0,0 +1,88 @@ +From c4780f95777a8d6495d2b0dbe4f8766a337ee9ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:52:08 +0300 +Subject: ASoC: SOF: Intel: mtl: Implement firmware boot state check + +From: Peter Ujfalusi + +[ Upstream commit 6b1c1c47e76f0161bda2b1ac2e86a219fe70244f ] + +With the corrected rom_status_reg values we can now add a check for target +boot status for firmware booting. +With the check now we can identify failed firmware boots (IMR boots) and +we can use the fallback to purge boot the DSP. + +Fixes: 064520e8aeaa ("ASoC: SOF: Intel: Add support for MeteorLake (MTL)") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Rander Wang +Reviewed-by: Kai Vehmanen +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Liam Girdwood +Link: https://msgid.link/r/20240403105210.17949-6-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/mtl.c | 37 ++++++++++++++++++++++++++++++++----- + 1 file changed, 32 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/intel/mtl.c b/sound/soc/sof/intel/mtl.c +index fbd7cf77e8174..05023763080d9 100644 +--- a/sound/soc/sof/intel/mtl.c ++++ b/sound/soc/sof/intel/mtl.c +@@ -439,7 +439,7 @@ int mtl_dsp_cl_init(struct snd_sof_dev *sdev, int stream_tag, bool imr_boot) + { + struct sof_intel_hda_dev *hda = sdev->pdata->hw_pdata; + const struct sof_intel_dsp_desc *chip = hda->desc; +- unsigned int status; ++ unsigned int status, target_status; + u32 ipc_hdr, flags; + char *dump_msg; + int ret; +@@ -485,13 +485,40 @@ int mtl_dsp_cl_init(struct snd_sof_dev *sdev, int stream_tag, bool imr_boot) + + mtl_enable_ipc_interrupts(sdev); + ++ if (chip->rom_status_reg == MTL_DSP_ROM_STS) { ++ /* ++ * Workaround: when the ROM status register is pointing to ++ * the SRAM window (MTL_DSP_ROM_STS) the platform cannot catch ++ * ROM_INIT_DONE because of a very short timing window. ++ * Follow the recommendations and skip target state waiting. ++ */ ++ return 0; ++ } ++ + /* +- * ACE workaround: don't wait for ROM INIT. +- * The platform cannot catch ROM_INIT_DONE because of a very short +- * timing window. Follow the recommendations and skip this part. ++ * step 7: ++ * - Cold/Full boot: wait for ROM init to proceed to download the firmware ++ * - IMR boot: wait for ROM firmware entered (firmware booted up from IMR) + */ ++ if (imr_boot) ++ target_status = FSR_STATE_FW_ENTERED; ++ else ++ target_status = FSR_STATE_INIT_DONE; + +- return 0; ++ ret = snd_sof_dsp_read_poll_timeout(sdev, HDA_DSP_BAR, ++ chip->rom_status_reg, status, ++ (FSR_TO_STATE_CODE(status) == target_status), ++ HDA_DSP_REG_POLL_INTERVAL_US, ++ chip->rom_init_timeout * ++ USEC_PER_MSEC); ++ ++ if (!ret) ++ return 0; ++ ++ if (hda->boot_iteration == HDA_FW_BOOT_ATTEMPTS) ++ dev_err(sdev->dev, ++ "%s: timeout with rom_status_reg (%#x) read\n", ++ __func__, chip->rom_status_reg); + + err: + flags = SOF_DBG_DUMP_PCI | SOF_DBG_DUMP_MBOX | SOF_DBG_DUMP_OPTIONAL; +-- +2.43.0 + diff --git a/queue-6.9/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch b/queue-6.9/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch new file mode 100644 index 00000000000..72733f8df7b --- /dev/null +++ b/queue-6.9/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch @@ -0,0 +1,48 @@ +From bccc66e1ec063744570be29f411ce524e71f8920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 00:03:03 -0400 +Subject: ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value + +From: Steven Rostedt + +[ Upstream commit 58300f8d6a48e58d1843199be743f819e2791ea3 ] + +The string SND_SOC_DAPM_DIR_OUT is printed in the snd_soc_dapm_path trace +event instead of its value: + + (((REC->path_dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + +User space cannot parse this, as it has no idea what SND_SOC_DAPM_DIR_OUT +is. Use TRACE_DEFINE_ENUM() to convert it to its value: + + (((REC->path_dir) == 1) ? "->" : "<-") + +So that user space tools, such as perf and trace-cmd, can parse it +correctly. + +Reported-by: Luca Ceresoli +Fixes: 6e588a0d839b5 ("ASoC: dapm: Consolidate path trace events") +Signed-off-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20240416000303.04670cdf@rorschach.local.home +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/trace/events/asoc.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/trace/events/asoc.h b/include/trace/events/asoc.h +index 4eed9028bb119..517015ef36a84 100644 +--- a/include/trace/events/asoc.h ++++ b/include/trace/events/asoc.h +@@ -12,6 +12,8 @@ + #define DAPM_DIRECT "(direct)" + #define DAPM_ARROW(dir) (((dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + ++TRACE_DEFINE_ENUM(SND_SOC_DAPM_DIR_OUT); ++ + struct snd_soc_jack; + struct snd_soc_card; + struct snd_soc_dapm_widget; +-- +2.43.0 + diff --git a/queue-6.9/ax25-fix-reference-count-leak-issue-of-net_device.patch b/queue-6.9/ax25-fix-reference-count-leak-issue-of-net_device.patch new file mode 100644 index 00000000000..43160044420 --- /dev/null +++ b/queue-6.9/ax25-fix-reference-count-leak-issue-of-net_device.patch @@ -0,0 +1,53 @@ +From de4b623a97643a2e1d53a401d4d8322208efd420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:37:02 +0800 +Subject: ax25: Fix reference count leak issue of net_device + +From: Duoming Zhou + +[ Upstream commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 ] + +There is a reference count leak issue of the object "net_device" in +ax25_dev_device_down(). When the ax25 device is shutting down, the +ax25_dev_device_down() drops the reference count of net_device one +or zero times depending on if we goto unlock_put or not, which will +cause memory leak. + +In order to solve the above issue, decrease the reference count of +net_device after dev->ax25_ptr is set to null. + +Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_dev.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index 52ccc37d5687a..c9d55b99a7a57 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -118,15 +118,10 @@ void ax25_dev_device_down(struct net_device *dev) + list_for_each_entry(s, &ax25_dev_list, list) { + if (s == ax25_dev) { + list_del(&s->list); +- goto unlock_put; ++ break; + } + } +- dev->ax25_ptr = NULL; +- spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_put(ax25_dev); +- return; + +-unlock_put: + dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); + netdev_put(dev, &ax25_dev->dev_tracker); +-- +2.43.0 + diff --git a/queue-6.9/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch b/queue-6.9/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch new file mode 100644 index 00000000000..bac87d9f409 --- /dev/null +++ b/queue-6.9/ax25-fix-reference-count-leak-issues-of-ax25_dev.patch @@ -0,0 +1,74 @@ +From a4a479e06ebe4332a67d15bddc2e05297ba340ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:36:47 +0800 +Subject: ax25: Fix reference count leak issues of ax25_dev + +From: Duoming Zhou + +[ Upstream commit b505e0319852b08a3a716b64620168eab21f4ced ] + +The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference +count leak issue of the object "ax25_dev". + +Memory leak issue in ax25_addr_ax25dev(): + +The reference count of the object "ax25_dev" can be increased multiple +times in ax25_addr_ax25dev(). This will cause a memory leak. + +Memory leak issues in ax25_dev_device_down(): + +The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and +then increase the reference count when ax25_dev is added to ax25_dev_list. +As a result, the reference count of ax25_dev is 2. But when the device is +shutting down. The ax25_dev_device_down() drops the reference count once +or twice depending on if we goto unlock_put or not, which will cause +memory leak. + +As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer +to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the +issue of ax25_dev_device_down(), increase the reference count of ax25_dev +once in ax25_dev_device_up() and decrease the reference count of ax25_dev +after it is removed from the ax25_dev_list. + +Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/361bbf2a4b091e120006279ec3b382d73c4a0c17.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index f16ee5c09d07a..52ccc37d5687a 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -39,6 +39,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) + if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { + res = ax25_dev; + ax25_dev_hold(ax25_dev); ++ break; + } + spin_unlock_bh(&ax25_dev_lock); + +@@ -88,7 +89,6 @@ void ax25_dev_device_up(struct net_device *dev) + list_add(&ax25_dev->list, &ax25_dev_list); + dev->ax25_ptr = ax25_dev; + spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_hold(ax25_dev); + + ax25_register_dev_sysctl(ax25_dev); + } +@@ -129,7 +129,6 @@ void ax25_dev_device_down(struct net_device *dev) + unlock_put: + dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); +- ax25_dev_put(ax25_dev); + netdev_put(dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } +-- +2.43.0 + diff --git a/queue-6.9/ax25-use-kernel-universal-linked-list-to-implement-a.patch b/queue-6.9/ax25-use-kernel-universal-linked-list-to-implement-a.patch new file mode 100644 index 00000000000..e50faf9014c --- /dev/null +++ b/queue-6.9/ax25-use-kernel-universal-linked-list-to-implement-a.patch @@ -0,0 +1,163 @@ +From fef3cfb459b1387775ea50e7dcc6f7fef8b87303 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:36:33 +0800 +Subject: ax25: Use kernel universal linked list to implement ax25_dev_list + +From: Duoming Zhou + +[ Upstream commit a7d6e36b9ad052926ba2ecba3a59d8bb67dabcb4 ] + +The origin ax25_dev_list implements its own single linked list, +which is complicated and error-prone. For example, when deleting +the node of ax25_dev_list in ax25_dev_device_down(), we have to +operate on the head node and other nodes separately. + +This patch uses kernel universal linked list to replace original +ax25_dev_list, which make the operation of ax25_dev_list easier. + +We should do "dev->ax25_ptr = ax25_dev;" and "dev->ax25_ptr = NULL;" +while holding the spinlock, otherwise the ax25_dev_device_up() and +ax25_dev_device_down() could race. + +Suggested-by: Dan Carpenter +Signed-off-by: Duoming Zhou +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/85bba3af651ca0e1a519da8d0d715b949891171c.1715247018.git.duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Stable-dep-of: b505e0319852 ("ax25: Fix reference count leak issues of ax25_dev") +Signed-off-by: Sasha Levin +--- + include/net/ax25.h | 3 +-- + net/ax25/ax25_dev.c | 40 +++++++++++++++------------------------- + 2 files changed, 16 insertions(+), 27 deletions(-) + +diff --git a/include/net/ax25.h b/include/net/ax25.h +index 0d939e5aee4ec..c2a85fd3f5ea4 100644 +--- a/include/net/ax25.h ++++ b/include/net/ax25.h +@@ -216,7 +216,7 @@ typedef struct { + struct ctl_table; + + typedef struct ax25_dev { +- struct ax25_dev *next; ++ struct list_head list; + + struct net_device *dev; + netdevice_tracker dev_tracker; +@@ -330,7 +330,6 @@ int ax25_addr_size(const ax25_digi *); + void ax25_digi_invert(const ax25_digi *, ax25_digi *); + + /* ax25_dev.c */ +-extern ax25_dev *ax25_dev_list; + extern spinlock_t ax25_dev_lock; + + #if IS_ENABLED(CONFIG_AX25) +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index 282ec581c0720..f16ee5c09d07a 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -22,11 +22,12 @@ + #include + #include + #include ++#include + #include + #include + #include + +-ax25_dev *ax25_dev_list; ++static LIST_HEAD(ax25_dev_list); + DEFINE_SPINLOCK(ax25_dev_lock); + + ax25_dev *ax25_addr_ax25dev(ax25_address *addr) +@@ -34,7 +35,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) + ax25_dev *ax25_dev, *res = NULL; + + spin_lock_bh(&ax25_dev_lock); +- for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) ++ list_for_each_entry(ax25_dev, &ax25_dev_list, list) + if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { + res = ax25_dev; + ax25_dev_hold(ax25_dev); +@@ -59,7 +60,6 @@ void ax25_dev_device_up(struct net_device *dev) + } + + refcount_set(&ax25_dev->refcount, 1); +- dev->ax25_ptr = ax25_dev; + ax25_dev->dev = dev; + netdev_hold(dev, &ax25_dev->dev_tracker, GFP_KERNEL); + ax25_dev->forward = NULL; +@@ -85,8 +85,8 @@ void ax25_dev_device_up(struct net_device *dev) + #endif + + spin_lock_bh(&ax25_dev_lock); +- ax25_dev->next = ax25_dev_list; +- ax25_dev_list = ax25_dev; ++ list_add(&ax25_dev->list, &ax25_dev_list); ++ dev->ax25_ptr = ax25_dev; + spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); + +@@ -111,32 +111,25 @@ void ax25_dev_device_down(struct net_device *dev) + /* + * Remove any packet forwarding that points to this device. + */ +- for (s = ax25_dev_list; s != NULL; s = s->next) ++ list_for_each_entry(s, &ax25_dev_list, list) + if (s->forward == dev) + s->forward = NULL; + +- if ((s = ax25_dev_list) == ax25_dev) { +- ax25_dev_list = s->next; +- goto unlock_put; +- } +- +- while (s != NULL && s->next != NULL) { +- if (s->next == ax25_dev) { +- s->next = ax25_dev->next; ++ list_for_each_entry(s, &ax25_dev_list, list) { ++ if (s == ax25_dev) { ++ list_del(&s->list); + goto unlock_put; + } +- +- s = s->next; + } +- spin_unlock_bh(&ax25_dev_lock); + dev->ax25_ptr = NULL; ++ spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); + return; + + unlock_put: ++ dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); +- dev->ax25_ptr = NULL; + netdev_put(dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } +@@ -200,16 +193,13 @@ struct net_device *ax25_fwd_dev(struct net_device *dev) + */ + void __exit ax25_dev_free(void) + { +- ax25_dev *s, *ax25_dev; ++ ax25_dev *s, *n; + + spin_lock_bh(&ax25_dev_lock); +- ax25_dev = ax25_dev_list; +- while (ax25_dev != NULL) { +- s = ax25_dev; +- netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker); +- ax25_dev = ax25_dev->next; ++ list_for_each_entry_safe(s, n, &ax25_dev_list, list) { ++ netdev_put(s->dev, &s->dev_tracker); ++ list_del(&s->list); + kfree(s); + } +- ax25_dev_list = NULL; + spin_unlock_bh(&ax25_dev_lock); + } +-- +2.43.0 + diff --git a/queue-6.9/bitops-add-missing-prototype-check.patch b/queue-6.9/bitops-add-missing-prototype-check.patch new file mode 100644 index 00000000000..373563d2350 --- /dev/null +++ b/queue-6.9/bitops-add-missing-prototype-check.patch @@ -0,0 +1,40 @@ +From 2dc034ec75aaf9a6742b30003f41e83f2286ad9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 16:23:41 +0100 +Subject: bitops: add missing prototype check + +From: Alexander Lobakin + +[ Upstream commit 72cc1980a0ef3ccad0d539e7dace63d0d7d432a4 ] + +Commit 8238b4579866 ("wait_on_bit: add an acquire memory barrier") added +a new bitop, test_bit_acquire(), with proper wrapping in order to try to +optimize it at compile-time, but missed the list of bitops used for +checking their prototypes a bit below. +The functions added have consistent prototypes, so that no more changes +are required and no functional changes take place. + +Fixes: 8238b4579866 ("wait_on_bit: add an acquire memory barrier") +Reviewed-by: Przemek Kitszel +Signed-off-by: Alexander Lobakin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/bitops.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index 2ba557e067fe6..f7f5a783da2aa 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -80,6 +80,7 @@ __check_bitop_pr(__test_and_set_bit); + __check_bitop_pr(__test_and_clear_bit); + __check_bitop_pr(__test_and_change_bit); + __check_bitop_pr(test_bit); ++__check_bitop_pr(test_bit_acquire); + + #undef __check_bitop_pr + +-- +2.43.0 + diff --git a/queue-6.9/block-fix-and-simplify-blkdevparts-cmdline-parsing.patch b/queue-6.9/block-fix-and-simplify-blkdevparts-cmdline-parsing.patch new file mode 100644 index 00000000000..cb1c338865b --- /dev/null +++ b/queue-6.9/block-fix-and-simplify-blkdevparts-cmdline-parsing.patch @@ -0,0 +1,208 @@ +From 9ab4d0e8fffdabba8ec2471d2dd95685c4b4b95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Apr 2024 16:39:52 +0900 +Subject: block: fix and simplify blkdevparts= cmdline parsing + +From: INAGAKI Hiroshi + +[ Upstream commit bc2e07dfd2c49aaa4b52302cf7b55cf94e025f79 ] + +Fix the cmdline parsing of the "blkdevparts=" parameter using strsep(), +which makes the code simpler. + +Before commit 146afeb235cc ("block: use strscpy() to instead of +strncpy()"), we used a strncpy() to copy a block device name and partition +names. The commit simply replaced a strncpy() and NULL termination with +a strscpy(). It did not update calculations of length passed to strscpy(). +While the length passed to strncpy() is just a length of valid characters +without NULL termination ('\0'), strscpy() takes it as a length of the +destination buffer, including a NULL termination. + +Since the source buffer is not necessarily NULL terminated, the current +code copies "length - 1" characters and puts a NULL character in the +destination buffer. It replaces the last character with NULL and breaks +the parsing. + +As an example, that buffer will be passed to parse_parts() and breaks +parsing sub-partitions due to the missing ')' at the end, like the +following. + +example (Check Point V-80 & OpenWrt): + +- Linux Kernel 6.6 + + [ 0.000000] Kernel command line: console=ttyS0,115200 earlycon=uart8250,mmio32,0xf0512000 crashkernel=30M mvpp2x.queue_mode=1 blkdevparts=mmcblk1:48M@10M(kernel-1),1M(dtb-1),720M(rootfs-1),48M(kernel-2),1M(dtb-2),720M(rootfs-2),300M(default_sw),650M(logs),1M(preset_cfg),1M(adsl),-(storage) maxcpus=4 + ... + [ 0.884016] mmc1: new HS200 MMC card at address 0001 + [ 0.889951] mmcblk1: mmc1:0001 004GA0 3.69 GiB + [ 0.895043] cmdline partition format is invalid. + [ 0.895704] mmcblk1: p1 + [ 0.903447] mmcblk1boot0: mmc1:0001 004GA0 2.00 MiB + [ 0.908667] mmcblk1boot1: mmc1:0001 004GA0 2.00 MiB + [ 0.913765] mmcblk1rpmb: mmc1:0001 004GA0 512 KiB, chardev (248:0) + + 1. "48M@10M(kernel-1),..." is passed to strscpy() with length=17 + from parse_parts() + 2. strscpy() returns -E2BIG and the destination buffer has + "48M@10M(kernel-1\0" + 3. "48M@10M(kernel-1\0" is passed to parse_subpart() + 4. parse_subpart() fails to find ')' when parsing a partition name, + and returns error + +- Linux Kernel 6.1 + + [ 0.000000] Kernel command line: console=ttyS0,115200 earlycon=uart8250,mmio32,0xf0512000 crashkernel=30M mvpp2x.queue_mode=1 blkdevparts=mmcblk1:48M@10M(kernel-1),1M(dtb-1),720M(rootfs-1),48M(kernel-2),1M(dtb-2),720M(rootfs-2),300M(default_sw),650M(logs),1M(preset_cfg),1M(adsl),-(storage) maxcpus=4 + ... + [ 0.953142] mmc1: new HS200 MMC card at address 0001 + [ 0.959114] mmcblk1: mmc1:0001 004GA0 3.69 GiB + [ 0.964259] mmcblk1: p1(kernel-1) p2(dtb-1) p3(rootfs-1) p4(kernel-2) p5(dtb-2) 6(rootfs-2) p7(default_sw) p8(logs) p9(preset_cfg) p10(adsl) p11(storage) + [ 0.979174] mmcblk1boot0: mmc1:0001 004GA0 2.00 MiB + [ 0.984674] mmcblk1boot1: mmc1:0001 004GA0 2.00 MiB + [ 0.989926] mmcblk1rpmb: mmc1:0001 004GA0 512 KiB, chardev (248:0 + +By the way, strscpy() takes a length of destination buffer and it is +often confusing when copying characters with a specified length. Using +strsep() helps to separate the string by the specified character. Then, +we can use strscpy() naturally with the size of the destination buffer. + +Separating the string on the fly is also useful to omit the redundant +string copy, reducing memory usage and improve the code readability. + +Fixes: 146afeb235cc ("block: use strscpy() to instead of strncpy()") +Suggested-by: Naohiro Aota +Signed-off-by: INAGAKI Hiroshi +Reviewed-by: Daniel Golle +Link: https://lore.kernel.org/r/20240421074005.565-1-musashino.open@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/partitions/cmdline.c | 49 ++++++++++---------------------------- + 1 file changed, 12 insertions(+), 37 deletions(-) + +diff --git a/block/partitions/cmdline.c b/block/partitions/cmdline.c +index c03bc105e5753..152c85df92b20 100644 +--- a/block/partitions/cmdline.c ++++ b/block/partitions/cmdline.c +@@ -70,8 +70,8 @@ static int parse_subpart(struct cmdline_subpart **subpart, char *partdef) + } + + if (*partdef == '(') { +- int length; +- char *next = strchr(++partdef, ')'); ++ partdef++; ++ char *next = strsep(&partdef, ")"); + + if (!next) { + pr_warn("cmdline partition format is invalid."); +@@ -79,11 +79,7 @@ static int parse_subpart(struct cmdline_subpart **subpart, char *partdef) + goto fail; + } + +- length = min_t(int, next - partdef, +- sizeof(new_subpart->name) - 1); +- strscpy(new_subpart->name, partdef, length); +- +- partdef = ++next; ++ strscpy(new_subpart->name, next, sizeof(new_subpart->name)); + } else + new_subpart->name[0] = '\0'; + +@@ -117,14 +113,12 @@ static void free_subpart(struct cmdline_parts *parts) + } + } + +-static int parse_parts(struct cmdline_parts **parts, const char *bdevdef) ++static int parse_parts(struct cmdline_parts **parts, char *bdevdef) + { + int ret = -EINVAL; + char *next; +- int length; + struct cmdline_subpart **next_subpart; + struct cmdline_parts *newparts; +- char buf[BDEVNAME_SIZE + 32 + 4]; + + *parts = NULL; + +@@ -132,28 +126,19 @@ static int parse_parts(struct cmdline_parts **parts, const char *bdevdef) + if (!newparts) + return -ENOMEM; + +- next = strchr(bdevdef, ':'); ++ next = strsep(&bdevdef, ":"); + if (!next) { + pr_warn("cmdline partition has no block device."); + goto fail; + } + +- length = min_t(int, next - bdevdef, sizeof(newparts->name) - 1); +- strscpy(newparts->name, bdevdef, length); ++ strscpy(newparts->name, next, sizeof(newparts->name)); + newparts->nr_subparts = 0; + + next_subpart = &newparts->subpart; + +- while (next && *(++next)) { +- bdevdef = next; +- next = strchr(bdevdef, ','); +- +- length = (!next) ? (sizeof(buf) - 1) : +- min_t(int, next - bdevdef, sizeof(buf) - 1); +- +- strscpy(buf, bdevdef, length); +- +- ret = parse_subpart(next_subpart, buf); ++ while ((next = strsep(&bdevdef, ","))) { ++ ret = parse_subpart(next_subpart, next); + if (ret) + goto fail; + +@@ -199,24 +184,17 @@ static int cmdline_parts_parse(struct cmdline_parts **parts, + + *parts = NULL; + +- next = pbuf = buf = kstrdup(cmdline, GFP_KERNEL); ++ pbuf = buf = kstrdup(cmdline, GFP_KERNEL); + if (!buf) + return -ENOMEM; + + next_parts = parts; + +- while (next && *pbuf) { +- next = strchr(pbuf, ';'); +- if (next) +- *next = '\0'; +- +- ret = parse_parts(next_parts, pbuf); ++ while ((next = strsep(&pbuf, ";"))) { ++ ret = parse_parts(next_parts, next); + if (ret) + goto fail; + +- if (next) +- pbuf = ++next; +- + next_parts = &(*next_parts)->next_parts; + } + +@@ -250,7 +228,6 @@ static struct cmdline_parts *bdev_parts; + static int add_part(int slot, struct cmdline_subpart *subpart, + struct parsed_partitions *state) + { +- int label_min; + struct partition_meta_info *info; + char tmp[sizeof(info->volname) + 4]; + +@@ -262,9 +239,7 @@ static int add_part(int slot, struct cmdline_subpart *subpart, + + info = &state->parts[slot].info; + +- label_min = min_t(int, sizeof(info->volname) - 1, +- sizeof(subpart->name)); +- strscpy(info->volname, subpart->name, label_min); ++ strscpy(info->volname, subpart->name, sizeof(info->volname)); + + snprintf(tmp, sizeof(tmp), "(%s)", info->volname); + strlcat(state->pp_buf, tmp, PAGE_SIZE); +-- +2.43.0 + diff --git a/queue-6.9/block-refine-the-eof-check-in-blkdev_iomap_begin.patch b/queue-6.9/block-refine-the-eof-check-in-blkdev_iomap_begin.patch new file mode 100644 index 00000000000..5f922ece993 --- /dev/null +++ b/queue-6.9/block-refine-the-eof-check-in-blkdev_iomap_begin.patch @@ -0,0 +1,43 @@ +From 6b7c527604d4d8de347574b10c1470aea1b4601d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 10:10:42 +0200 +Subject: block: refine the EOF check in blkdev_iomap_begin + +From: Christoph Hellwig + +[ Upstream commit 0c12028aec837f5a002009bbf68d179d506510e8 ] + +blkdev_iomap_begin rounds down the offset to the logical block size +before stashing it in iomap->offset and checking that it still is +inside the inode size. + +Check the i_size check to the raw pos value so that we don't try a +zero size write if iter->pos is unaligned. + +Fixes: 487c607df790 ("block: use iomap for writes to block devices") +Reported-by: syzbot+0a3683a0a6fecf909244@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +Tested-by: syzbot+0a3683a0a6fecf909244@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20240503081042.2078062-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/fops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/fops.c b/block/fops.c +index 679d9b752fe82..df2c68d3f198e 100644 +--- a/block/fops.c ++++ b/block/fops.c +@@ -390,7 +390,7 @@ static int blkdev_iomap_begin(struct inode *inode, loff_t offset, loff_t length, + + iomap->bdev = bdev; + iomap->offset = ALIGN_DOWN(offset, bdev_logical_block_size(bdev)); +- if (iomap->offset >= isize) ++ if (offset >= isize) + return -EIO; + iomap->type = IOMAP_MAPPED; + iomap->addr = iomap->offset; +-- +2.43.0 + diff --git a/queue-6.9/block-support-to-account-io_ticks-precisely.patch b/queue-6.9/block-support-to-account-io_ticks-precisely.patch new file mode 100644 index 00000000000..3955818e039 --- /dev/null +++ b/queue-6.9/block-support-to-account-io_ticks-precisely.patch @@ -0,0 +1,152 @@ +From 2e2fbcd8ea839b4e80e0c0d86483e4f0dc9bba3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 20:37:16 +0800 +Subject: block: support to account io_ticks precisely + +From: Yu Kuai + +[ Upstream commit 99dc422335d8b2bd4d105797241d3e715bae90e9 ] + +Currently, io_ticks is accounted based on sampling, specifically +update_io_ticks() will always account io_ticks by 1 jiffies from +bdev_start_io_acct()/blk_account_io_start(), and the result can be +inaccurate, for example(HZ is 250): + +Test script: +fio -filename=/dev/sda -bs=4k -rw=write -direct=1 -name=test -thinktime=4ms + +Test result: util is about 90%, while the disk is really idle. + +This behaviour is introduced by commit 5b18b5a73760 ("block: delete +part_round_stats and switch to less precise counting"), however, there +was a key point that is missed that this patch also improve performance +a lot: + +Before the commit: +part_round_stats: + if (part->stamp != now) + stats |= 1; + + part_in_flight() + -> there can be lots of task here in 1 jiffies. + part_round_stats_single() + __part_stat_add() + part->stamp = now; + +After the commit: +update_io_ticks: + stamp = part->bd_stamp; + if (time_after(now, stamp)) + if (try_cmpxchg()) + __part_stat_add() + -> only one task can reach here in 1 jiffies. + +Hence in order to account io_ticks precisely, we only need to know if +there are IO inflight at most once in one jiffies. Noted that for +rq-based device, iterating tags should not be used here because +'tags->lock' is grabbed in blk_mq_find_and_get_req(), hence +part_stat_lock_inc/dec() and part_in_flight() is used to trace inflight. +The additional overhead is quite little: + + - per cpu add/dec for each IO for rq-based device; + - per cpu sum for each jiffies; + +And it's verified by null-blk that there are no performance degration +under heavy IO pressure. + +Fixes: 5b18b5a73760 ("block: delete part_round_stats and switch to less precise counting") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240509123717.3223892-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 9 +++++---- + block/blk-merge.c | 2 ++ + block/blk-mq.c | 4 ++++ + block/blk.h | 1 + + block/genhd.c | 2 +- + 5 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index b795ac177281a..6fcf8ed5fc1f1 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -987,10 +987,11 @@ void update_io_ticks(struct block_device *part, unsigned long now, bool end) + unsigned long stamp; + again: + stamp = READ_ONCE(part->bd_stamp); +- if (unlikely(time_after(now, stamp))) { +- if (likely(try_cmpxchg(&part->bd_stamp, &stamp, now))) +- __part_stat_add(part, io_ticks, end ? now - stamp : 1); +- } ++ if (unlikely(time_after(now, stamp)) && ++ likely(try_cmpxchg(&part->bd_stamp, &stamp, now)) && ++ (end || part_in_flight(part))) ++ __part_stat_add(part, io_ticks, now - stamp); ++ + if (part->bd_partno) { + part = bdev_whole(part); + goto again; +diff --git a/block/blk-merge.c b/block/blk-merge.c +index 4e3483a16b757..ae61a9c2fc93c 100644 +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -779,6 +779,8 @@ static void blk_account_io_merge_request(struct request *req) + if (blk_do_io_stat(req)) { + part_stat_lock(); + part_stat_inc(req->part, merges[op_stat_group(req_op(req))]); ++ part_stat_local_dec(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 32afb87efbd0e..5ac2087b05630 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -997,6 +997,8 @@ static inline void blk_account_io_done(struct request *req, u64 now) + update_io_ticks(req->part, jiffies, true); + part_stat_inc(req->part, ios[sgrp]); + part_stat_add(req->part, nsecs[sgrp], now - req->start_time_ns); ++ part_stat_local_dec(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +@@ -1019,6 +1021,8 @@ static inline void blk_account_io_start(struct request *req) + + part_stat_lock(); + update_io_ticks(req->part, jiffies, false); ++ part_stat_local_inc(req->part, ++ in_flight[op_is_write(req_op(req))]); + part_stat_unlock(); + } + } +diff --git a/block/blk.h b/block/blk.h +index d9f584984bc44..da5dbc6b13068 100644 +--- a/block/blk.h ++++ b/block/blk.h +@@ -357,6 +357,7 @@ static inline bool blk_do_io_stat(struct request *rq) + } + + void update_io_ticks(struct block_device *part, unsigned long now, bool end); ++unsigned int part_in_flight(struct block_device *part); + + static inline void req_set_nomerge(struct request_queue *q, struct request *req) + { +diff --git a/block/genhd.c b/block/genhd.c +index 52a4521df067b..345d80ab9791b 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -118,7 +118,7 @@ static void part_stat_read_all(struct block_device *part, + } + } + +-static unsigned int part_in_flight(struct block_device *part) ++unsigned int part_in_flight(struct block_device *part) + { + unsigned int inflight = 0; + int cpu; +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch b/queue-6.9/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch new file mode 100644 index 00000000000..ed3dc29b2f5 --- /dev/null +++ b/queue-6.9/bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch @@ -0,0 +1,388 @@ +From 3cea93e5582266f2a74c8ebded77153609dbac1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 12:08:58 +0200 +Subject: Bluetooth: compute LE flow credits based on recvbuf space + +From: Sebastian Urban + +[ Upstream commit ce60b9231b66710b6ee24042ded26efee120ecfc ] + +Previously LE flow credits were returned to the +sender even if the socket's receive buffer was +full. This meant that no back-pressure +was applied to the sender, thus it continued to +send data, resulting in data loss without any +error being reported. Furthermore, the amount +of credits was essentially fixed to a small +amount, leading to reduced performance. + +This is fixed by computing the number of returned +LE flow credits based on the estimated available +space in the receive buffer of an L2CAP socket. +Consequently, if the receive buffer is full, no +credits are returned until the buffer is read and +thus cleared by user-space. + +Since the computation of available receive buffer +space can only be performed approximately (due to +sk_buff overhead) and the receive buffer size may +be changed by user-space after flow credits have +been sent, superfluous received data is temporary +stored within l2cap_pinfo. This is necessary +because Bluetooth LE provides no retransmission +mechanism once the data has been acked by the +physical layer. + +If receive buffer space estimation is not possible +at the moment, we fall back to providing credits +for one full packet as before. This is currently +the case during connection setup, when MPS is not +yet available. + +Fixes: b1c325c23d75 ("Bluetooth: Implement returning of LE L2CAP credits") +Signed-off-by: Sebastian Urban +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/l2cap.h | 11 ++++- + net/bluetooth/l2cap_core.c | 56 ++++++++++++++++++--- + net/bluetooth/l2cap_sock.c | 91 ++++++++++++++++++++++++++++------- + 3 files changed, 132 insertions(+), 26 deletions(-) + +diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h +index a4278aa618ab1..3434cfc26b6af 100644 +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -548,6 +548,9 @@ struct l2cap_chan { + __u16 tx_credits; + __u16 rx_credits; + ++ /* estimated available receive buffer space or -1 if unknown */ ++ ssize_t rx_avail; ++ + __u8 tx_state; + __u8 rx_state; + +@@ -682,10 +685,15 @@ struct l2cap_user { + /* ----- L2CAP socket info ----- */ + #define l2cap_pi(sk) ((struct l2cap_pinfo *) sk) + ++struct l2cap_rx_busy { ++ struct list_head list; ++ struct sk_buff *skb; ++}; ++ + struct l2cap_pinfo { + struct bt_sock bt; + struct l2cap_chan *chan; +- struct sk_buff *rx_busy_skb; ++ struct list_head rx_busy; + }; + + enum { +@@ -943,6 +951,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, + int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu); + int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len); + void l2cap_chan_busy(struct l2cap_chan *chan, int busy); ++void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail); + int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator); + void l2cap_chan_set_defaults(struct l2cap_chan *chan); + int l2cap_ertm_init(struct l2cap_chan *chan); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 3f7a82f10fe98..44454115c10ad 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -457,6 +457,9 @@ struct l2cap_chan *l2cap_chan_create(void) + /* Set default lock nesting level */ + atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); + ++ /* Available receive buffer space is initially unknown */ ++ chan->rx_avail = -1; ++ + write_lock(&chan_list_lock); + list_add(&chan->global_l, &chan_list); + write_unlock(&chan_list_lock); +@@ -538,6 +541,28 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan) + } + EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); + ++static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan) ++{ ++ size_t sdu_len = chan->sdu ? chan->sdu->len : 0; ++ ++ if (chan->mps == 0) ++ return 0; ++ ++ /* If we don't know the available space in the receiver buffer, give ++ * enough credits for a full packet. ++ */ ++ if (chan->rx_avail == -1) ++ return (chan->imtu / chan->mps) + 1; ++ ++ /* If we know how much space is available in the receive buffer, give ++ * out as many credits as would fill the buffer. ++ */ ++ if (chan->rx_avail <= sdu_len) ++ return 0; ++ ++ return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps); ++} ++ + static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) + { + chan->sdu = NULL; +@@ -546,8 +571,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) + chan->tx_credits = tx_credits; + /* Derive MPS from connection MTU to stop HCI fragmentation */ + chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); +- /* Give enough credits for a full packet */ +- chan->rx_credits = (chan->imtu / chan->mps) + 1; ++ chan->rx_credits = l2cap_le_rx_credits(chan); + + skb_queue_head_init(&chan->tx_q); + } +@@ -559,7 +583,7 @@ static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) + /* L2CAP implementations shall support a minimum MPS of 64 octets */ + if (chan->mps < L2CAP_ECRED_MIN_MPS) { + chan->mps = L2CAP_ECRED_MIN_MPS; +- chan->rx_credits = (chan->imtu / chan->mps) + 1; ++ chan->rx_credits = l2cap_le_rx_credits(chan); + } + } + +@@ -6513,9 +6537,7 @@ static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) + { + struct l2cap_conn *conn = chan->conn; + struct l2cap_le_credits pkt; +- u16 return_credits; +- +- return_credits = (chan->imtu / chan->mps) + 1; ++ u16 return_credits = l2cap_le_rx_credits(chan); + + if (chan->rx_credits >= return_credits) + return; +@@ -6534,6 +6556,19 @@ static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) + l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); + } + ++void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail) ++{ ++ if (chan->rx_avail == rx_avail) ++ return; ++ ++ BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail); ++ ++ chan->rx_avail = rx_avail; ++ ++ if (chan->state == BT_CONNECTED) ++ l2cap_chan_le_send_credits(chan); ++} ++ + static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) + { + int err; +@@ -6543,6 +6578,12 @@ static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) + /* Wait recv to confirm reception before updating the credits */ + err = chan->ops->recv(chan, skb); + ++ if (err < 0 && chan->rx_avail != -1) { ++ BT_ERR("Queueing received LE L2CAP data failed"); ++ l2cap_send_disconn_req(chan, ECONNRESET); ++ return err; ++ } ++ + /* Update credits whenever an SDU is received */ + l2cap_chan_le_send_credits(chan); + +@@ -6565,7 +6606,8 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + } + + chan->rx_credits--; +- BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits); ++ BT_DBG("chan %p: rx_credits %u -> %u", ++ chan, chan->rx_credits + 1, chan->rx_credits); + + /* Update if remote had run out of credits, this should only happens + * if the remote is not using the entire MPS. +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 5cc83f906c123..8645461d45e81 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1131,6 +1131,34 @@ static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, + return err; + } + ++static void l2cap_publish_rx_avail(struct l2cap_chan *chan) ++{ ++ struct sock *sk = chan->data; ++ ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc); ++ int expected_skbs, skb_overhead; ++ ++ if (avail <= 0) { ++ l2cap_chan_rx_avail(chan, 0); ++ return; ++ } ++ ++ if (!chan->mps) { ++ l2cap_chan_rx_avail(chan, -1); ++ return; ++ } ++ ++ /* Correct available memory by estimated sk_buff overhead. ++ * This is significant due to small transfer sizes. However, accept ++ * at least one full packet if receive space is non-zero. ++ */ ++ expected_skbs = DIV_ROUND_UP(avail, chan->mps); ++ skb_overhead = expected_skbs * sizeof(struct sk_buff); ++ if (skb_overhead < avail) ++ l2cap_chan_rx_avail(chan, avail - skb_overhead); ++ else ++ l2cap_chan_rx_avail(chan, -1); ++} ++ + static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, + size_t len, int flags) + { +@@ -1167,28 +1195,33 @@ static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, + else + err = bt_sock_recvmsg(sock, msg, len, flags); + +- if (pi->chan->mode != L2CAP_MODE_ERTM) ++ if (pi->chan->mode != L2CAP_MODE_ERTM && ++ pi->chan->mode != L2CAP_MODE_LE_FLOWCTL && ++ pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL) + return err; + +- /* Attempt to put pending rx data in the socket buffer */ +- + lock_sock(sk); + +- if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) +- goto done; ++ l2cap_publish_rx_avail(pi->chan); + +- if (pi->rx_busy_skb) { +- if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) +- pi->rx_busy_skb = NULL; +- else ++ /* Attempt to put pending rx data in the socket buffer */ ++ while (!list_empty(&pi->rx_busy)) { ++ struct l2cap_rx_busy *rx_busy = ++ list_first_entry(&pi->rx_busy, ++ struct l2cap_rx_busy, ++ list); ++ if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0) + goto done; ++ list_del(&rx_busy->list); ++ kfree(rx_busy); + } + + /* Restore data flow when half of the receive buffer is + * available. This avoids resending large numbers of + * frames. + */ +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) ++ if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) && ++ atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) + l2cap_chan_busy(pi->chan, 0); + + done: +@@ -1449,17 +1482,20 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) + static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + { + struct sock *sk = chan->data; ++ struct l2cap_pinfo *pi = l2cap_pi(sk); + int err; + + lock_sock(sk); + +- if (l2cap_pi(sk)->rx_busy_skb) { ++ if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { + err = -ENOMEM; + goto done; + } + + if (chan->mode != L2CAP_MODE_ERTM && +- chan->mode != L2CAP_MODE_STREAMING) { ++ chan->mode != L2CAP_MODE_STREAMING && ++ chan->mode != L2CAP_MODE_LE_FLOWCTL && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) { + /* Even if no filter is attached, we could potentially + * get errors from security modules, etc. + */ +@@ -1470,7 +1506,9 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + + err = __sock_queue_rcv_skb(sk, skb); + +- /* For ERTM, handle one skb that doesn't fit into the recv ++ l2cap_publish_rx_avail(chan); ++ ++ /* For ERTM and LE, handle a skb that doesn't fit into the recv + * buffer. This is important to do because the data frames + * have already been acked, so the skb cannot be discarded. + * +@@ -1479,8 +1517,18 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) + * acked and reassembled until there is buffer space + * available. + */ +- if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { +- l2cap_pi(sk)->rx_busy_skb = skb; ++ if (err < 0 && ++ (chan->mode == L2CAP_MODE_ERTM || ++ chan->mode == L2CAP_MODE_LE_FLOWCTL || ++ chan->mode == L2CAP_MODE_EXT_FLOWCTL)) { ++ struct l2cap_rx_busy *rx_busy = ++ kmalloc(sizeof(*rx_busy), GFP_KERNEL); ++ if (!rx_busy) { ++ err = -ENOMEM; ++ goto done; ++ } ++ rx_busy->skb = skb; ++ list_add_tail(&rx_busy->list, &pi->rx_busy); + l2cap_chan_busy(chan, 1); + err = 0; + } +@@ -1706,6 +1754,8 @@ static const struct l2cap_ops l2cap_chan_ops = { + + static void l2cap_sock_destruct(struct sock *sk) + { ++ struct l2cap_rx_busy *rx_busy, *next; ++ + BT_DBG("sk %p", sk); + + if (l2cap_pi(sk)->chan) { +@@ -1713,9 +1763,10 @@ static void l2cap_sock_destruct(struct sock *sk) + l2cap_chan_put(l2cap_pi(sk)->chan); + } + +- if (l2cap_pi(sk)->rx_busy_skb) { +- kfree_skb(l2cap_pi(sk)->rx_busy_skb); +- l2cap_pi(sk)->rx_busy_skb = NULL; ++ list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) { ++ kfree_skb(rx_busy->skb); ++ list_del(&rx_busy->list); ++ kfree(rx_busy); + } + + skb_queue_purge(&sk->sk_receive_queue); +@@ -1799,6 +1850,8 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent) + + chan->data = sk; + chan->ops = &l2cap_chan_ops; ++ ++ l2cap_publish_rx_avail(chan); + } + + static struct proto l2cap_proto = { +@@ -1820,6 +1873,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + sk->sk_destruct = l2cap_sock_destruct; + sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; + ++ INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy); ++ + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-hci-remove-hci_amp-support.patch b/queue-6.9/bluetooth-hci-remove-hci_amp-support.patch new file mode 100644 index 00000000000..3c515317c0d --- /dev/null +++ b/queue-6.9/bluetooth-hci-remove-hci_amp-support.patch @@ -0,0 +1,1398 @@ +From 1cf5ede135787d5c452f6e6d998480fd455e7026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 18:33:52 -0400 +Subject: Bluetooth: HCI: Remove HCI_AMP support + +From: Luiz Augusto von Dentz + +[ Upstream commit 84a4bb6548a29326564f0e659fb8064503ecc1c7 ] + +Since BT_HS has been remove HCI_AMP controllers no longer has any use so +remove it along with the capability of creating AMP controllers. + +Since we no longer need to differentiate between AMP and Primary +controllers, as only HCI_PRIMARY is left, this also remove +hdev->dev_type altogether. + +Fixes: e7b02296fb40 ("Bluetooth: Remove BT_HS") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_main.c | 9 -- + drivers/bluetooth/btrsi.c | 1 - + drivers/bluetooth/btsdio.c | 8 -- + drivers/bluetooth/btusb.c | 5 -- + drivers/bluetooth/hci_bcm4377.c | 1 - + drivers/bluetooth/hci_ldisc.c | 6 -- + drivers/bluetooth/hci_serdev.c | 5 -- + drivers/bluetooth/hci_uart.h | 1 - + drivers/bluetooth/hci_vhci.c | 10 +-- + drivers/bluetooth/virtio_bt.c | 2 - + include/net/bluetooth/hci.h | 114 ------------------------ + include/net/bluetooth/hci_core.h | 46 +--------- + include/uapi/linux/virtio_bt.h | 1 - + net/bluetooth/hci_conn.c | 3 +- + net/bluetooth/hci_core.c | 132 +++------------------------ + net/bluetooth/hci_event.c | 147 ------------------------------- + net/bluetooth/hci_sock.c | 5 +- + net/bluetooth/hci_sync.c | 112 +---------------------- + net/bluetooth/l2cap_core.c | 21 +---- + net/bluetooth/mgmt.c | 84 ++++++------------ + 20 files changed, 49 insertions(+), 664 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_main.c b/drivers/bluetooth/btmrvl_main.c +index 9658b33c824a7..18f34998a1204 100644 +--- a/drivers/bluetooth/btmrvl_main.c ++++ b/drivers/bluetooth/btmrvl_main.c +@@ -121,13 +121,6 @@ int btmrvl_process_event(struct btmrvl_private *priv, struct sk_buff *skb) + ((event->data[2] == MODULE_BROUGHT_UP) || + (event->data[2] == MODULE_ALREADY_UP)) ? + "Bring-up succeed" : "Bring-up failed"); +- +- if (event->length > 3 && event->data[3]) +- priv->btmrvl_dev.dev_type = HCI_AMP; +- else +- priv->btmrvl_dev.dev_type = HCI_PRIMARY; +- +- BT_DBG("dev_type: %d", priv->btmrvl_dev.dev_type); + } else if (priv->btmrvl_dev.sendcmdflag && + event->data[1] == MODULE_SHUTDOWN_REQ) { + BT_DBG("EVENT:%s", (event->data[2]) ? +@@ -686,8 +679,6 @@ int btmrvl_register_hdev(struct btmrvl_private *priv) + hdev->wakeup = btmrvl_wakeup; + SET_HCIDEV_DEV(hdev, &card->func->dev); + +- hdev->dev_type = priv->btmrvl_dev.dev_type; +- + ret = hci_register_dev(hdev); + if (ret < 0) { + BT_ERR("Can not register HCI device"); +diff --git a/drivers/bluetooth/btrsi.c b/drivers/bluetooth/btrsi.c +index 634cf8f5ed2db..0c91d7635ac39 100644 +--- a/drivers/bluetooth/btrsi.c ++++ b/drivers/bluetooth/btrsi.c +@@ -134,7 +134,6 @@ static int rsi_hci_attach(void *priv, struct rsi_proto_ops *ops) + hdev->bus = HCI_USB; + + hci_set_drvdata(hdev, h_adapter); +- hdev->dev_type = HCI_PRIMARY; + hdev->open = rsi_hci_open; + hdev->close = rsi_hci_close; + hdev->flush = rsi_hci_flush; +diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c +index f19d31ee37ea8..fdcfe9c50313e 100644 +--- a/drivers/bluetooth/btsdio.c ++++ b/drivers/bluetooth/btsdio.c +@@ -32,9 +32,6 @@ static const struct sdio_device_id btsdio_table[] = { + /* Generic Bluetooth Type-B SDIO device */ + { SDIO_DEVICE_CLASS(SDIO_CLASS_BT_B) }, + +- /* Generic Bluetooth AMP controller */ +- { SDIO_DEVICE_CLASS(SDIO_CLASS_BT_AMP) }, +- + { } /* Terminating entry */ + }; + +@@ -319,11 +316,6 @@ static int btsdio_probe(struct sdio_func *func, + hdev->bus = HCI_SDIO; + hci_set_drvdata(hdev, data); + +- if (id->class == SDIO_CLASS_BT_AMP) +- hdev->dev_type = HCI_AMP; +- else +- hdev->dev_type = HCI_PRIMARY; +- + data->hdev = hdev; + + SET_HCIDEV_DEV(hdev, &func->dev); +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 01b99471d1bbe..fb716849b60f3 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4332,11 +4332,6 @@ static int btusb_probe(struct usb_interface *intf, + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); + +- if (id->driver_info & BTUSB_AMP) +- hdev->dev_type = HCI_AMP; +- else +- hdev->dev_type = HCI_PRIMARY; +- + data->hdev = hdev; + + SET_HCIDEV_DEV(hdev, &intf->dev); +diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c +index 9a7243d5db71f..0c2f15235b4cd 100644 +--- a/drivers/bluetooth/hci_bcm4377.c ++++ b/drivers/bluetooth/hci_bcm4377.c +@@ -2361,7 +2361,6 @@ static int bcm4377_probe(struct pci_dev *pdev, const struct pci_device_id *id) + bcm4377->hdev = hdev; + + hdev->bus = HCI_PCI; +- hdev->dev_type = HCI_PRIMARY; + hdev->open = bcm4377_hci_open; + hdev->close = bcm4377_hci_close; + hdev->send = bcm4377_hci_send_frame; +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index a26367e9fb197..17a2f158a0dfa 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -667,11 +667,6 @@ static int hci_uart_register_dev(struct hci_uart *hu) + if (!test_bit(HCI_UART_RESET_ON_INIT, &hu->hdev_flags)) + set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); + +- if (test_bit(HCI_UART_CREATE_AMP, &hu->hdev_flags)) +- hdev->dev_type = HCI_AMP; +- else +- hdev->dev_type = HCI_PRIMARY; +- + /* Only call open() for the protocol after hdev is fully initialized as + * open() (or a timer/workqueue it starts) may attempt to reference it. + */ +@@ -722,7 +717,6 @@ static int hci_uart_set_flags(struct hci_uart *hu, unsigned long flags) + { + unsigned long valid_flags = BIT(HCI_UART_RAW_DEVICE) | + BIT(HCI_UART_RESET_ON_INIT) | +- BIT(HCI_UART_CREATE_AMP) | + BIT(HCI_UART_INIT_PENDING) | + BIT(HCI_UART_EXT_CONFIG) | + BIT(HCI_UART_VND_DETECT); +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index 85c0d9b68f5f7..89a22e9b3253a 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -366,11 +366,6 @@ int hci_uart_register_device_priv(struct hci_uart *hu, + if (test_bit(HCI_UART_EXT_CONFIG, &hu->hdev_flags)) + set_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks); + +- if (test_bit(HCI_UART_CREATE_AMP, &hu->hdev_flags)) +- hdev->dev_type = HCI_AMP; +- else +- hdev->dev_type = HCI_PRIMARY; +- + if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags)) + return 0; + +diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h +index 68c8c7e95d64d..00bf7ae82c5b7 100644 +--- a/drivers/bluetooth/hci_uart.h ++++ b/drivers/bluetooth/hci_uart.h +@@ -37,7 +37,6 @@ + + #define HCI_UART_RAW_DEVICE 0 + #define HCI_UART_RESET_ON_INIT 1 +-#define HCI_UART_CREATE_AMP 2 + #define HCI_UART_INIT_PENDING 3 + #define HCI_UART_EXT_CONFIG 4 + #define HCI_UART_VND_DETECT 5 +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 572d68d52965f..28750a40f0ed5 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -384,17 +384,10 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; + struct sk_buff *skb; +- __u8 dev_type; + + if (data->hdev) + return -EBADFD; + +- /* bits 0-1 are dev_type (Primary or AMP) */ +- dev_type = opcode & 0x03; +- +- if (dev_type != HCI_PRIMARY && dev_type != HCI_AMP) +- return -EINVAL; +- + /* bits 2-5 are reserved (must be zero) */ + if (opcode & 0x3c) + return -EINVAL; +@@ -412,7 +405,6 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + data->hdev = hdev; + + hdev->bus = HCI_VIRTUAL; +- hdev->dev_type = dev_type; + hci_set_drvdata(hdev, data); + + hdev->open = vhci_open_dev; +@@ -634,7 +626,7 @@ static void vhci_open_timeout(struct work_struct *work) + struct vhci_data *data = container_of(work, struct vhci_data, + open_timeout.work); + +- vhci_create_device(data, amp ? HCI_AMP : HCI_PRIMARY); ++ vhci_create_device(data, 0x00); + } + + static int vhci_open(struct inode *inode, struct file *file) +diff --git a/drivers/bluetooth/virtio_bt.c b/drivers/bluetooth/virtio_bt.c +index 2ac70b560c46d..18208e152a367 100644 +--- a/drivers/bluetooth/virtio_bt.c ++++ b/drivers/bluetooth/virtio_bt.c +@@ -274,7 +274,6 @@ static int virtbt_probe(struct virtio_device *vdev) + + switch (type) { + case VIRTIO_BT_CONFIG_TYPE_PRIMARY: +- case VIRTIO_BT_CONFIG_TYPE_AMP: + break; + default: + return -EINVAL; +@@ -303,7 +302,6 @@ static int virtbt_probe(struct virtio_device *vdev) + vbt->hdev = hdev; + + hdev->bus = HCI_VIRTIO; +- hdev->dev_type = type; + hci_set_drvdata(hdev, vbt); + + hdev->open = virtbt_open; +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 07198beb3d80b..4dd540a3f9250 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -33,9 +33,6 @@ + #define HCI_MAX_FRAME_SIZE (HCI_MAX_ACL_SIZE + 4) + + #define HCI_LINK_KEY_SIZE 16 +-#define HCI_AMP_LINK_KEY_SIZE (2 * HCI_LINK_KEY_SIZE) +- +-#define HCI_MAX_AMP_ASSOC_SIZE 672 + + #define HCI_MAX_CPB_DATA_SIZE 252 + +@@ -71,26 +68,6 @@ + #define HCI_SMD 9 + #define HCI_VIRTIO 10 + +-/* HCI controller types */ +-#define HCI_PRIMARY 0x00 +-#define HCI_AMP 0x01 +- +-/* First BR/EDR Controller shall have ID = 0 */ +-#define AMP_ID_BREDR 0x00 +- +-/* AMP controller types */ +-#define AMP_TYPE_BREDR 0x00 +-#define AMP_TYPE_80211 0x01 +- +-/* AMP controller status */ +-#define AMP_STATUS_POWERED_DOWN 0x00 +-#define AMP_STATUS_BLUETOOTH_ONLY 0x01 +-#define AMP_STATUS_NO_CAPACITY 0x02 +-#define AMP_STATUS_LOW_CAPACITY 0x03 +-#define AMP_STATUS_MEDIUM_CAPACITY 0x04 +-#define AMP_STATUS_HIGH_CAPACITY 0x05 +-#define AMP_STATUS_FULL_CAPACITY 0x06 +- + /* HCI device quirks */ + enum { + /* When this quirk is set, the HCI Reset command is send when +@@ -528,7 +505,6 @@ enum { + #define ESCO_LINK 0x02 + /* Low Energy links do not have defined link type. Use invented one */ + #define LE_LINK 0x80 +-#define AMP_LINK 0x81 + #define ISO_LINK 0x82 + #define INVALID_LINK 0xff + +@@ -944,56 +920,6 @@ struct hci_cp_io_capability_neg_reply { + __u8 reason; + } __packed; + +-#define HCI_OP_CREATE_PHY_LINK 0x0435 +-struct hci_cp_create_phy_link { +- __u8 phy_handle; +- __u8 key_len; +- __u8 key_type; +- __u8 key[HCI_AMP_LINK_KEY_SIZE]; +-} __packed; +- +-#define HCI_OP_ACCEPT_PHY_LINK 0x0436 +-struct hci_cp_accept_phy_link { +- __u8 phy_handle; +- __u8 key_len; +- __u8 key_type; +- __u8 key[HCI_AMP_LINK_KEY_SIZE]; +-} __packed; +- +-#define HCI_OP_DISCONN_PHY_LINK 0x0437 +-struct hci_cp_disconn_phy_link { +- __u8 phy_handle; +- __u8 reason; +-} __packed; +- +-struct ext_flow_spec { +- __u8 id; +- __u8 stype; +- __le16 msdu; +- __le32 sdu_itime; +- __le32 acc_lat; +- __le32 flush_to; +-} __packed; +- +-#define HCI_OP_CREATE_LOGICAL_LINK 0x0438 +-#define HCI_OP_ACCEPT_LOGICAL_LINK 0x0439 +-struct hci_cp_create_accept_logical_link { +- __u8 phy_handle; +- struct ext_flow_spec tx_flow_spec; +- struct ext_flow_spec rx_flow_spec; +-} __packed; +- +-#define HCI_OP_DISCONN_LOGICAL_LINK 0x043a +-struct hci_cp_disconn_logical_link { +- __le16 log_handle; +-} __packed; +- +-#define HCI_OP_LOGICAL_LINK_CANCEL 0x043b +-struct hci_cp_logical_link_cancel { +- __u8 phy_handle; +- __u8 flow_spec_id; +-} __packed; +- + #define HCI_OP_ENHANCED_SETUP_SYNC_CONN 0x043d + struct hci_coding_format { + __u8 id; +@@ -1615,46 +1541,6 @@ struct hci_rp_read_enc_key_size { + __u8 key_size; + } __packed; + +-#define HCI_OP_READ_LOCAL_AMP_INFO 0x1409 +-struct hci_rp_read_local_amp_info { +- __u8 status; +- __u8 amp_status; +- __le32 total_bw; +- __le32 max_bw; +- __le32 min_latency; +- __le32 max_pdu; +- __u8 amp_type; +- __le16 pal_cap; +- __le16 max_assoc_size; +- __le32 max_flush_to; +- __le32 be_flush_to; +-} __packed; +- +-#define HCI_OP_READ_LOCAL_AMP_ASSOC 0x140a +-struct hci_cp_read_local_amp_assoc { +- __u8 phy_handle; +- __le16 len_so_far; +- __le16 max_len; +-} __packed; +-struct hci_rp_read_local_amp_assoc { +- __u8 status; +- __u8 phy_handle; +- __le16 rem_len; +- __u8 frag[]; +-} __packed; +- +-#define HCI_OP_WRITE_REMOTE_AMP_ASSOC 0x140b +-struct hci_cp_write_remote_amp_assoc { +- __u8 phy_handle; +- __le16 len_so_far; +- __le16 rem_len; +- __u8 frag[]; +-} __packed; +-struct hci_rp_write_remote_amp_assoc { +- __u8 status; +- __u8 phy_handle; +-} __packed; +- + #define HCI_OP_GET_MWS_TRANSPORT_CONFIG 0x140c + + #define HCI_OP_ENABLE_DUT_MODE 0x1803 +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index b1c8489ff93e4..762b049bdabf1 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -126,7 +126,6 @@ enum suspended_state { + struct hci_conn_hash { + struct list_head list; + unsigned int acl_num; +- unsigned int amp_num; + unsigned int sco_num; + unsigned int iso_num; + unsigned int le_num; +@@ -341,14 +340,6 @@ struct adv_monitor { + /* Default authenticated payload timeout 30s */ + #define DEFAULT_AUTH_PAYLOAD_TIMEOUT 0x0bb8 + +-struct amp_assoc { +- __u16 len; +- __u16 offset; +- __u16 rem_len; +- __u16 len_so_far; +- __u8 data[HCI_MAX_AMP_ASSOC_SIZE]; +-}; +- + #define HCI_MAX_PAGES 3 + + struct hci_dev { +@@ -361,7 +352,6 @@ struct hci_dev { + unsigned long flags; + __u16 id; + __u8 bus; +- __u8 dev_type; + bdaddr_t bdaddr; + bdaddr_t setup_addr; + bdaddr_t public_addr; +@@ -467,21 +457,6 @@ struct hci_dev { + __u16 sniff_min_interval; + __u16 sniff_max_interval; + +- __u8 amp_status; +- __u32 amp_total_bw; +- __u32 amp_max_bw; +- __u32 amp_min_latency; +- __u32 amp_max_pdu; +- __u8 amp_type; +- __u16 amp_pal_cap; +- __u16 amp_assoc_size; +- __u32 amp_max_flush_to; +- __u32 amp_be_flush_to; +- +- struct amp_assoc loc_assoc; +- +- __u8 flow_ctl_mode; +- + unsigned int auto_accept_delay; + + unsigned long quirks; +@@ -501,11 +476,6 @@ struct hci_dev { + unsigned int le_pkts; + unsigned int iso_pkts; + +- __u16 block_len; +- __u16 block_mtu; +- __u16 num_blocks; +- __u16 block_cnt; +- + unsigned long acl_last_tx; + unsigned long sco_last_tx; + unsigned long le_last_tx; +@@ -778,7 +748,6 @@ struct hci_conn { + void *l2cap_data; + void *sco_data; + void *iso_data; +- struct amp_mgr *amp_mgr; + + struct list_head link_list; + struct hci_conn *parent; +@@ -805,7 +774,6 @@ struct hci_chan { + struct sk_buff_head data_q; + unsigned int sent; + __u8 state; +- bool amp; + }; + + struct hci_conn_params { +@@ -1014,9 +982,6 @@ static inline void hci_conn_hash_add(struct hci_dev *hdev, struct hci_conn *c) + case ACL_LINK: + h->acl_num++; + break; +- case AMP_LINK: +- h->amp_num++; +- break; + case LE_LINK: + h->le_num++; + if (c->role == HCI_ROLE_SLAVE) +@@ -1043,9 +1008,6 @@ static inline void hci_conn_hash_del(struct hci_dev *hdev, struct hci_conn *c) + case ACL_LINK: + h->acl_num--; + break; +- case AMP_LINK: +- h->amp_num--; +- break; + case LE_LINK: + h->le_num--; + if (c->role == HCI_ROLE_SLAVE) +@@ -1067,8 +1029,6 @@ static inline unsigned int hci_conn_num(struct hci_dev *hdev, __u8 type) + switch (type) { + case ACL_LINK: + return h->acl_num; +- case AMP_LINK: +- return h->amp_num; + case LE_LINK: + return h->le_num; + case SCO_LINK: +@@ -1085,7 +1045,7 @@ static inline unsigned int hci_conn_count(struct hci_dev *hdev) + { + struct hci_conn_hash *c = &hdev->conn_hash; + +- return c->acl_num + c->amp_num + c->sco_num + c->le_num + c->iso_num; ++ return c->acl_num + c->sco_num + c->le_num + c->iso_num; + } + + static inline bool hci_conn_valid(struct hci_dev *hdev, struct hci_conn *conn) +@@ -1611,10 +1571,6 @@ static inline void hci_conn_drop(struct hci_conn *conn) + } + break; + +- case AMP_LINK: +- timeo = conn->disc_timeout; +- break; +- + default: + timeo = 0; + break; +diff --git a/include/uapi/linux/virtio_bt.h b/include/uapi/linux/virtio_bt.h +index af798f4c96804..3cc7d633456b6 100644 +--- a/include/uapi/linux/virtio_bt.h ++++ b/include/uapi/linux/virtio_bt.h +@@ -13,7 +13,6 @@ + + enum virtio_bt_config_type { + VIRTIO_BT_CONFIG_TYPE_PRIMARY = 0, +- VIRTIO_BT_CONFIG_TYPE_AMP = 1, + }; + + enum virtio_bt_config_vendor { +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 6ab404dda7949..08ae30fd31551 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1173,8 +1173,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) + + list_for_each_entry(d, &hci_dev_list, list) { + if (!test_bit(HCI_UP, &d->flags) || +- hci_dev_test_flag(d, HCI_USER_CHANNEL) || +- d->dev_type != HCI_PRIMARY) ++ hci_dev_test_flag(d, HCI_USER_CHANNEL)) + continue; + + /* Simple routing: +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index bc5086423ab83..e32725650a319 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -395,11 +395,6 @@ int hci_inquiry(void __user *arg) + goto done; + } + +- if (hdev->dev_type != HCI_PRIMARY) { +- err = -EOPNOTSUPP; +- goto done; +- } +- + if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { + err = -EOPNOTSUPP; + goto done; +@@ -752,11 +747,6 @@ int hci_dev_cmd(unsigned int cmd, void __user *arg) + goto done; + } + +- if (hdev->dev_type != HCI_PRIMARY) { +- err = -EOPNOTSUPP; +- goto done; +- } +- + if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { + err = -EOPNOTSUPP; + goto done; +@@ -910,7 +900,7 @@ int hci_get_dev_info(void __user *arg) + + strscpy(di.name, hdev->name, sizeof(di.name)); + di.bdaddr = hdev->bdaddr; +- di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); ++ di.type = (hdev->bus & 0x0f); + di.flags = flags; + di.pkt_type = hdev->pkt_type; + if (lmp_bredr_capable(hdev)) { +@@ -1026,8 +1016,7 @@ static void hci_power_on(struct work_struct *work) + */ + if (hci_dev_test_flag(hdev, HCI_RFKILLED) || + hci_dev_test_flag(hdev, HCI_UNCONFIGURED) || +- (hdev->dev_type == HCI_PRIMARY && +- !bacmp(&hdev->bdaddr, BDADDR_ANY) && ++ (!bacmp(&hdev->bdaddr, BDADDR_ANY) && + !bacmp(&hdev->static_addr, BDADDR_ANY))) { + hci_dev_clear_flag(hdev, HCI_AUTO_OFF); + hci_dev_do_close(hdev); +@@ -2635,21 +2624,7 @@ int hci_register_dev(struct hci_dev *hdev) + if (!hdev->open || !hdev->close || !hdev->send) + return -EINVAL; + +- /* Do not allow HCI_AMP devices to register at index 0, +- * so the index can be used as the AMP controller ID. +- */ +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL); +- break; +- case HCI_AMP: +- id = ida_alloc_range(&hci_index_ida, 1, HCI_MAX_ID - 1, +- GFP_KERNEL); +- break; +- default: +- return -EINVAL; +- } +- ++ id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL); + if (id < 0) + return id; + +@@ -2701,12 +2676,10 @@ int hci_register_dev(struct hci_dev *hdev) + hci_dev_set_flag(hdev, HCI_SETUP); + hci_dev_set_flag(hdev, HCI_AUTO_OFF); + +- if (hdev->dev_type == HCI_PRIMARY) { +- /* Assume BR/EDR support until proven otherwise (such as +- * through reading supported features during init. +- */ +- hci_dev_set_flag(hdev, HCI_BREDR_ENABLED); +- } ++ /* Assume BR/EDR support until proven otherwise (such as ++ * through reading supported features during init. ++ */ ++ hci_dev_set_flag(hdev, HCI_BREDR_ENABLED); + + write_lock(&hci_dev_list_lock); + list_add(&hdev->list, &hci_dev_list); +@@ -3242,17 +3215,7 @@ static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue, + + hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT; + +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- hci_add_acl_hdr(skb, conn->handle, flags); +- break; +- case HCI_AMP: +- hci_add_acl_hdr(skb, chan->handle, flags); +- break; +- default: +- bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); +- return; +- } ++ hci_add_acl_hdr(skb, conn->handle, flags); + + list = skb_shinfo(skb)->frag_list; + if (!list) { +@@ -3412,9 +3375,6 @@ static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote) + case ACL_LINK: + cnt = hdev->acl_cnt; + break; +- case AMP_LINK: +- cnt = hdev->block_cnt; +- break; + case SCO_LINK: + case ESCO_LINK: + cnt = hdev->sco_cnt; +@@ -3612,12 +3572,6 @@ static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type) + + } + +-static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb) +-{ +- /* Calculate count of blocks used by this packet */ +- return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len); +-} +- + static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type) + { + unsigned long last_tx; +@@ -3731,81 +3685,15 @@ static void hci_sched_acl_pkt(struct hci_dev *hdev) + hci_prio_recalculate(hdev, ACL_LINK); + } + +-static void hci_sched_acl_blk(struct hci_dev *hdev) +-{ +- unsigned int cnt = hdev->block_cnt; +- struct hci_chan *chan; +- struct sk_buff *skb; +- int quote; +- u8 type; +- +- BT_DBG("%s", hdev->name); +- +- if (hdev->dev_type == HCI_AMP) +- type = AMP_LINK; +- else +- type = ACL_LINK; +- +- __check_timeout(hdev, cnt, type); +- +- while (hdev->block_cnt > 0 && +- (chan = hci_chan_sent(hdev, type, "e))) { +- u32 priority = (skb_peek(&chan->data_q))->priority; +- while (quote > 0 && (skb = skb_peek(&chan->data_q))) { +- int blocks; +- +- BT_DBG("chan %p skb %p len %d priority %u", chan, skb, +- skb->len, skb->priority); +- +- /* Stop if priority has changed */ +- if (skb->priority < priority) +- break; +- +- skb = skb_dequeue(&chan->data_q); +- +- blocks = __get_blocks(hdev, skb); +- if (blocks > hdev->block_cnt) +- return; +- +- hci_conn_enter_active_mode(chan->conn, +- bt_cb(skb)->force_active); +- +- hci_send_frame(hdev, skb); +- hdev->acl_last_tx = jiffies; +- +- hdev->block_cnt -= blocks; +- quote -= blocks; +- +- chan->sent += blocks; +- chan->conn->sent += blocks; +- } +- } +- +- if (cnt != hdev->block_cnt) +- hci_prio_recalculate(hdev, type); +-} +- + static void hci_sched_acl(struct hci_dev *hdev) + { + BT_DBG("%s", hdev->name); + + /* No ACL link over BR/EDR controller */ +- if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_PRIMARY) +- return; +- +- /* No AMP link over AMP controller */ +- if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP) ++ if (!hci_conn_num(hdev, ACL_LINK)) + return; + +- switch (hdev->flow_ctl_mode) { +- case HCI_FLOW_CTL_MODE_PACKET_BASED: +- hci_sched_acl_pkt(hdev); +- break; +- +- case HCI_FLOW_CTL_MODE_BLOCK_BASED: +- hci_sched_acl_blk(hdev); +- break; +- } ++ hci_sched_acl_pkt(hdev); + } + + static void hci_sched_le(struct hci_dev *hdev) +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 4de8f0dc1a523..33fac5cab1a8d 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -913,21 +913,6 @@ static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, + return rp->status; + } + +-static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_rp_read_flow_control_mode *rp = data; +- +- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); +- +- if (rp->status) +- return rp->status; +- +- hdev->flow_ctl_mode = rp->mode; +- +- return rp->status; +-} +- + static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -1071,28 +1056,6 @@ static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, + return rp->status; + } + +-static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_rp_read_data_block_size *rp = data; +- +- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); +- +- if (rp->status) +- return rp->status; +- +- hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); +- hdev->block_len = __le16_to_cpu(rp->block_len); +- hdev->num_blocks = __le16_to_cpu(rp->num_blocks); +- +- hdev->block_cnt = hdev->num_blocks; +- +- BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, +- hdev->block_cnt, hdev->block_len); +- +- return rp->status; +-} +- + static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -1127,30 +1090,6 @@ static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, + return rp->status; + } + +-static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_rp_read_local_amp_info *rp = data; +- +- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); +- +- if (rp->status) +- return rp->status; +- +- hdev->amp_status = rp->amp_status; +- hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); +- hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); +- hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); +- hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); +- hdev->amp_type = rp->amp_type; +- hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); +- hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); +- hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); +- hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); +- +- return rp->status; +-} +- + static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -4121,12 +4060,6 @@ static const struct hci_cc { + HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, + sizeof(struct hci_rp_read_page_scan_type)), + HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), +- HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size, +- sizeof(struct hci_rp_read_data_block_size)), +- HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode, +- sizeof(struct hci_rp_read_flow_control_mode)), +- HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info, +- sizeof(struct hci_rp_read_local_amp_info)), + HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, + sizeof(struct hci_rp_read_clock)), + HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, +@@ -4461,11 +4394,6 @@ static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, + flex_array_size(ev, handles, ev->num))) + return; + +- if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { +- bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); +- return; +- } +- + bt_dev_dbg(hdev, "num %d", ev->num); + + for (i = 0; i < ev->num; i++) { +@@ -4533,78 +4461,6 @@ static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, + queue_work(hdev->workqueue, &hdev->tx_work); + } + +-static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, +- __u16 handle) +-{ +- struct hci_chan *chan; +- +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- return hci_conn_hash_lookup_handle(hdev, handle); +- case HCI_AMP: +- chan = hci_chan_lookup_handle(hdev, handle); +- if (chan) +- return chan->conn; +- break; +- default: +- bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); +- break; +- } +- +- return NULL; +-} +- +-static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_ev_num_comp_blocks *ev = data; +- int i; +- +- if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, +- flex_array_size(ev, handles, ev->num_hndl))) +- return; +- +- if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { +- bt_dev_err(hdev, "wrong event for mode %d", +- hdev->flow_ctl_mode); +- return; +- } +- +- bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks, +- ev->num_hndl); +- +- for (i = 0; i < ev->num_hndl; i++) { +- struct hci_comp_blocks_info *info = &ev->handles[i]; +- struct hci_conn *conn = NULL; +- __u16 handle, block_count; +- +- handle = __le16_to_cpu(info->handle); +- block_count = __le16_to_cpu(info->blocks); +- +- conn = __hci_conn_lookup_handle(hdev, handle); +- if (!conn) +- continue; +- +- conn->sent -= block_count; +- +- switch (conn->type) { +- case ACL_LINK: +- case AMP_LINK: +- hdev->block_cnt += block_count; +- if (hdev->block_cnt > hdev->num_blocks) +- hdev->block_cnt = hdev->num_blocks; +- break; +- +- default: +- bt_dev_err(hdev, "unknown type %d conn %p", +- conn->type, conn); +- break; +- } +- } +- +- queue_work(hdev->workqueue, &hdev->tx_work); +-} +- + static void hci_mode_change_evt(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -7512,9 +7368,6 @@ static const struct hci_ev { + /* [0x3e = HCI_EV_LE_META] */ + HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, + sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), +- /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */ +- HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt, +- sizeof(struct hci_ev_num_comp_blocks)), + /* [0xff = HCI_EV_VENDOR] */ + HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), + }; +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 703b84bd48d5b..69c2ba1e843eb 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -485,7 +485,7 @@ static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) + return NULL; + + ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); +- ni->type = hdev->dev_type; ++ ni->type = 0x00; /* Old hdev->dev_type */ + ni->bus = hdev->bus; + bacpy(&ni->bdaddr, &hdev->bdaddr); + memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name, +@@ -1007,9 +1007,6 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, + if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) + return -EOPNOTSUPP; + +- if (hdev->dev_type != HCI_PRIMARY) +- return -EOPNOTSUPP; +- + switch (cmd) { + case HCISETRAW: + if (!capable(CAP_NET_ADMIN)) +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 4c707eb64e6f6..5e4ec698e6e3b 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -3523,10 +3523,6 @@ static int hci_unconf_init_sync(struct hci_dev *hdev) + /* Read Local Supported Features. */ + static int hci_read_local_features_sync(struct hci_dev *hdev) + { +- /* Not all AMP controllers support this command */ +- if (hdev->dev_type == HCI_AMP && !(hdev->commands[14] & 0x20)) +- return 0; +- + return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_FEATURES, + 0, NULL, HCI_CMD_TIMEOUT); + } +@@ -3561,51 +3557,6 @@ static int hci_read_local_cmds_sync(struct hci_dev *hdev) + return 0; + } + +-/* Read Local AMP Info */ +-static int hci_read_local_amp_info_sync(struct hci_dev *hdev) +-{ +- return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_AMP_INFO, +- 0, NULL, HCI_CMD_TIMEOUT); +-} +- +-/* Read Data Blk size */ +-static int hci_read_data_block_size_sync(struct hci_dev *hdev) +-{ +- return __hci_cmd_sync_status(hdev, HCI_OP_READ_DATA_BLOCK_SIZE, +- 0, NULL, HCI_CMD_TIMEOUT); +-} +- +-/* Read Flow Control Mode */ +-static int hci_read_flow_control_mode_sync(struct hci_dev *hdev) +-{ +- return __hci_cmd_sync_status(hdev, HCI_OP_READ_FLOW_CONTROL_MODE, +- 0, NULL, HCI_CMD_TIMEOUT); +-} +- +-/* Read Location Data */ +-static int hci_read_location_data_sync(struct hci_dev *hdev) +-{ +- return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCATION_DATA, +- 0, NULL, HCI_CMD_TIMEOUT); +-} +- +-/* AMP Controller init stage 1 command sequence */ +-static const struct hci_init_stage amp_init1[] = { +- /* HCI_OP_READ_LOCAL_VERSION */ +- HCI_INIT(hci_read_local_version_sync), +- /* HCI_OP_READ_LOCAL_COMMANDS */ +- HCI_INIT(hci_read_local_cmds_sync), +- /* HCI_OP_READ_LOCAL_AMP_INFO */ +- HCI_INIT(hci_read_local_amp_info_sync), +- /* HCI_OP_READ_DATA_BLOCK_SIZE */ +- HCI_INIT(hci_read_data_block_size_sync), +- /* HCI_OP_READ_FLOW_CONTROL_MODE */ +- HCI_INIT(hci_read_flow_control_mode_sync), +- /* HCI_OP_READ_LOCATION_DATA */ +- HCI_INIT(hci_read_location_data_sync), +- {} +-}; +- + static int hci_init1_sync(struct hci_dev *hdev) + { + int err; +@@ -3619,28 +3570,9 @@ static int hci_init1_sync(struct hci_dev *hdev) + return err; + } + +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED; +- return hci_init_stage_sync(hdev, br_init1); +- case HCI_AMP: +- hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED; +- return hci_init_stage_sync(hdev, amp_init1); +- default: +- bt_dev_err(hdev, "Unknown device type %d", hdev->dev_type); +- break; +- } +- +- return 0; ++ return hci_init_stage_sync(hdev, br_init1); + } + +-/* AMP Controller init stage 2 command sequence */ +-static const struct hci_init_stage amp_init2[] = { +- /* HCI_OP_READ_LOCAL_FEATURES */ +- HCI_INIT(hci_read_local_features_sync), +- {} +-}; +- + /* Read Buffer Size (ACL mtu, max pkt, etc.) */ + static int hci_read_buffer_size_sync(struct hci_dev *hdev) + { +@@ -3898,9 +3830,6 @@ static int hci_init2_sync(struct hci_dev *hdev) + + bt_dev_dbg(hdev, ""); + +- if (hdev->dev_type == HCI_AMP) +- return hci_init_stage_sync(hdev, amp_init2); +- + err = hci_init_stage_sync(hdev, hci_init2); + if (err) + return err; +@@ -4728,13 +4657,6 @@ static int hci_init_sync(struct hci_dev *hdev) + if (err < 0) + return err; + +- /* HCI_PRIMARY covers both single-mode LE, BR/EDR and dual-mode +- * BR/EDR/LE type controllers. AMP controllers only need the +- * first two stages of init. +- */ +- if (hdev->dev_type != HCI_PRIMARY) +- return 0; +- + err = hci_init3_sync(hdev); + if (err < 0) + return err; +@@ -4963,12 +4885,8 @@ int hci_dev_open_sync(struct hci_dev *hdev) + * In case of user channel usage, it is not important + * if a public address or static random address is + * available. +- * +- * This check is only valid for BR/EDR controllers +- * since AMP controllers do not have an address. + */ + if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && +- hdev->dev_type == HCI_PRIMARY && + !bacmp(&hdev->bdaddr, BDADDR_ANY) && + !bacmp(&hdev->static_addr, BDADDR_ANY)) { + ret = -EADDRNOTAVAIL; +@@ -5003,8 +4921,7 @@ int hci_dev_open_sync(struct hci_dev *hdev) + !hci_dev_test_flag(hdev, HCI_CONFIG) && + !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && + !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && +- hci_dev_test_flag(hdev, HCI_MGMT) && +- hdev->dev_type == HCI_PRIMARY) { ++ hci_dev_test_flag(hdev, HCI_MGMT)) { + ret = hci_powered_update_sync(hdev); + mgmt_power_on(hdev, ret); + } +@@ -5149,8 +5066,7 @@ int hci_dev_close_sync(struct hci_dev *hdev) + + auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF); + +- if (!auto_off && hdev->dev_type == HCI_PRIMARY && +- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ if (!auto_off && !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && + hci_dev_test_flag(hdev, HCI_MGMT)) + __mgmt_power_off(hdev); + +@@ -5212,9 +5128,6 @@ int hci_dev_close_sync(struct hci_dev *hdev) + hdev->flags &= BIT(HCI_RAW); + hci_dev_clear_volatile_flags(hdev); + +- /* Controller radio is available but is currently powered down */ +- hdev->amp_status = AMP_STATUS_POWERED_DOWN; +- + memset(hdev->eir, 0, sizeof(hdev->eir)); + memset(hdev->dev_class, 0, sizeof(hdev->dev_class)); + bacpy(&hdev->random_addr, BDADDR_ANY); +@@ -5251,8 +5164,7 @@ static int hci_power_on_sync(struct hci_dev *hdev) + */ + if (hci_dev_test_flag(hdev, HCI_RFKILLED) || + hci_dev_test_flag(hdev, HCI_UNCONFIGURED) || +- (hdev->dev_type == HCI_PRIMARY && +- !bacmp(&hdev->bdaddr, BDADDR_ANY) && ++ (!bacmp(&hdev->bdaddr, BDADDR_ANY) && + !bacmp(&hdev->static_addr, BDADDR_ANY))) { + hci_dev_clear_flag(hdev, HCI_AUTO_OFF); + hci_dev_close_sync(hdev); +@@ -5354,27 +5266,11 @@ int hci_stop_discovery_sync(struct hci_dev *hdev) + return 0; + } + +-static int hci_disconnect_phy_link_sync(struct hci_dev *hdev, u16 handle, +- u8 reason) +-{ +- struct hci_cp_disconn_phy_link cp; +- +- memset(&cp, 0, sizeof(cp)); +- cp.phy_handle = HCI_PHY_HANDLE(handle); +- cp.reason = reason; +- +- return __hci_cmd_sync_status(hdev, HCI_OP_DISCONN_PHY_LINK, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); +-} +- + static int hci_disconnect_sync(struct hci_dev *hdev, struct hci_conn *conn, + u8 reason) + { + struct hci_cp_disconnect cp; + +- if (conn->type == AMP_LINK) +- return hci_disconnect_phy_link_sync(hdev, conn->handle, reason); +- + if (test_bit(HCI_CONN_BIG_CREATED, &conn->flags)) { + /* This is a BIS connection, hci_conn_del will + * do the necessary cleanup. +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 44454115c10ad..4a633c1b68825 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3930,7 +3930,7 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, + } + + static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, +- u8 *data, u8 rsp_code, u8 amp_id) ++ u8 *data, u8 rsp_code) + { + struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; + struct l2cap_conn_rsp rsp; +@@ -4009,17 +4009,8 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, + status = L2CAP_CS_AUTHOR_PEND; + chan->ops->defer(chan); + } else { +- /* Force pending result for AMP controllers. +- * The connection will succeed after the +- * physical link is up. +- */ +- if (amp_id == AMP_ID_BREDR) { +- l2cap_state_change(chan, BT_CONFIG); +- result = L2CAP_CR_SUCCESS; +- } else { +- l2cap_state_change(chan, BT_CONNECT2); +- result = L2CAP_CR_PEND; +- } ++ l2cap_state_change(chan, BT_CONNECT2); ++ result = L2CAP_CR_PEND; + status = L2CAP_CS_NO_INFO; + } + } else { +@@ -4084,7 +4075,7 @@ static int l2cap_connect_req(struct l2cap_conn *conn, + mgmt_device_connected(hdev, hcon, NULL, 0); + hci_dev_unlock(hdev); + +- l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); ++ l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP); + return 0; + } + +@@ -7495,10 +7486,6 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) + struct l2cap_conn *conn = hcon->l2cap_data; + int len; + +- /* For AMP controller do not create l2cap conn */ +- if (!conn && hcon->hdev->dev_type != HCI_PRIMARY) +- goto drop; +- + if (!conn) + conn = l2cap_conn_add(hcon); + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 965f621ef865a..80f220b7e19d5 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -443,8 +443,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data, + + count = 0; + list_for_each_entry(d, &hci_dev_list, list) { +- if (d->dev_type == HCI_PRIMARY && +- !hci_dev_test_flag(d, HCI_UNCONFIGURED)) ++ if (!hci_dev_test_flag(d, HCI_UNCONFIGURED)) + count++; + } + +@@ -468,8 +467,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data, + if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks)) + continue; + +- if (d->dev_type == HCI_PRIMARY && +- !hci_dev_test_flag(d, HCI_UNCONFIGURED)) { ++ if (!hci_dev_test_flag(d, HCI_UNCONFIGURED)) { + rp->index[count++] = cpu_to_le16(d->id); + bt_dev_dbg(hdev, "Added hci%u", d->id); + } +@@ -503,8 +501,7 @@ static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev, + + count = 0; + list_for_each_entry(d, &hci_dev_list, list) { +- if (d->dev_type == HCI_PRIMARY && +- hci_dev_test_flag(d, HCI_UNCONFIGURED)) ++ if (hci_dev_test_flag(d, HCI_UNCONFIGURED)) + count++; + } + +@@ -528,8 +525,7 @@ static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev, + if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks)) + continue; + +- if (d->dev_type == HCI_PRIMARY && +- hci_dev_test_flag(d, HCI_UNCONFIGURED)) { ++ if (hci_dev_test_flag(d, HCI_UNCONFIGURED)) { + rp->index[count++] = cpu_to_le16(d->id); + bt_dev_dbg(hdev, "Added hci%u", d->id); + } +@@ -561,10 +557,8 @@ static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev, + read_lock(&hci_dev_list_lock); + + count = 0; +- list_for_each_entry(d, &hci_dev_list, list) { +- if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP) +- count++; +- } ++ list_for_each_entry(d, &hci_dev_list, list) ++ count++; + + rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC); + if (!rp) { +@@ -585,16 +579,10 @@ static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev, + if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks)) + continue; + +- if (d->dev_type == HCI_PRIMARY) { +- if (hci_dev_test_flag(d, HCI_UNCONFIGURED)) +- rp->entry[count].type = 0x01; +- else +- rp->entry[count].type = 0x00; +- } else if (d->dev_type == HCI_AMP) { +- rp->entry[count].type = 0x02; +- } else { +- continue; +- } ++ if (hci_dev_test_flag(d, HCI_UNCONFIGURED)) ++ rp->entry[count].type = 0x01; ++ else ++ rp->entry[count].type = 0x00; + + rp->entry[count].bus = d->bus; + rp->entry[count++].index = cpu_to_le16(d->id); +@@ -9331,23 +9319,14 @@ void mgmt_index_added(struct hci_dev *hdev) + if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) + return; + +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { +- mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev, +- NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS); +- ev.type = 0x01; +- } else { +- mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0, +- HCI_MGMT_INDEX_EVENTS); +- ev.type = 0x00; +- } +- break; +- case HCI_AMP: +- ev.type = 0x02; +- break; +- default: +- return; ++ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { ++ mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev, NULL, 0, ++ HCI_MGMT_UNCONF_INDEX_EVENTS); ++ ev.type = 0x01; ++ } else { ++ mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0, ++ HCI_MGMT_INDEX_EVENTS); ++ ev.type = 0x00; + } + + ev.bus = hdev->bus; +@@ -9364,25 +9343,16 @@ void mgmt_index_removed(struct hci_dev *hdev) + if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) + return; + +- switch (hdev->dev_type) { +- case HCI_PRIMARY: +- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); ++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); + +- if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { +- mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, +- NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS); +- ev.type = 0x01; +- } else { +- mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, +- HCI_MGMT_INDEX_EVENTS); +- ev.type = 0x00; +- } +- break; +- case HCI_AMP: +- ev.type = 0x02; +- break; +- default: +- return; ++ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { ++ mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, ++ HCI_MGMT_UNCONF_INDEX_EVENTS); ++ ev.type = 0x01; ++ } else { ++ mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, ++ HCI_MGMT_INDEX_EVENTS); ++ ev.type = 0x00; + } + + ev.bus = hdev->bus; +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-hci_conn-hci_sync-use-__counted_by-to-avoi.patch b/queue-6.9/bluetooth-hci_conn-hci_sync-use-__counted_by-to-avoi.patch new file mode 100644 index 00000000000..1f4920e8917 --- /dev/null +++ b/queue-6.9/bluetooth-hci_conn-hci_sync-use-__counted_by-to-avoi.patch @@ -0,0 +1,335 @@ +From aac00b23e5a32ab90c0426067c8ba089e36ca1f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 16:52:46 -0600 +Subject: Bluetooth: hci_conn, hci_sync: Use __counted_by() to avoid -Wfamnae + warnings + +From: Gustavo A. R. Silva + +[ Upstream commit c4585edf708edb5277a3cc4b8581ccb833f3307d ] + +Prepare for the coming implementation by GCC and Clang of the +__counted_by attribute. Flexible array members annotated with +__counted_by can have their accesses bounds-checked at run-time +via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE +(for strcpy/memcpy-family functions). + +Also, -Wflex-array-member-not-at-end is coming in GCC-14, and we are +getting ready to enable it globally. + +So, use the `DEFINE_FLEX()` helper for multiple on-stack definitions +of a flexible structure where the size of the flexible-array member +is known at compile-time, and refactor the rest of the code, +accordingly. + +Notice that, due to the use of `__counted_by()` in `struct +hci_cp_le_create_cis`, the for loop in function `hci_cs_le_create_cis()` +had to be modified. Once the index `i`, through which `cp->cis[i]` is +accessed, falls in the interval [0, cp->num_cis), `cp->num_cis` cannot +be decremented all the way down to zero while accessing `cp->cis[]`: + +net/bluetooth/hci_event.c:4310: +4310 for (i = 0; cp->num_cis; cp->num_cis--, i++) { + ... +4314 handle = __le16_to_cpu(cp->cis[i].cis_handle); + +otherwise, only half (one iteration before `cp->num_cis == i`) or half +plus one (one iteration before `cp->num_cis < i`) of the items in the +array will be accessed before running into an out-of-bounds issue. So, +in order to avoid this, set `cp->num_cis` to zero just after the for +loop. + +Also, make use of `aux_num_cis` variable to update `cmd->num_cis` after +a `list_for_each_entry_rcu()` loop. + +With these changes, fix the following warnings: +net/bluetooth/hci_sync.c:1239:56: warning: structure containing a flexible +array member is not at the end of another structure +[-Wflex-array-member-not-at-end] +net/bluetooth/hci_sync.c:1415:51: warning: structure containing a flexible +array member is not at the end of another structure +[-Wflex-array-member-not-at-end] +net/bluetooth/hci_sync.c:1731:51: warning: structure containing a flexible +array member is not at the end of another structure +[-Wflex-array-member-not-at-end] +net/bluetooth/hci_sync.c:6497:45: warning: structure containing a flexible +array member is not at the end of another structure +[-Wflex-array-member-not-at-end] + +Link: https://github.com/KSPP/linux/issues/202 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: e77f43d531af ("Bluetooth: hci_core: Fix not handling hdev->le_num_of_adv_sets=1") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci.h | 8 ++-- + net/bluetooth/hci_event.c | 3 +- + net/bluetooth/hci_sync.c | 84 +++++++++++++++---------------------- + 3 files changed, 40 insertions(+), 55 deletions(-) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 4dd540a3f9250..f187510428ca6 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -1921,7 +1921,7 @@ struct hci_cp_le_set_ext_adv_data { + __u8 operation; + __u8 frag_pref; + __u8 length; +- __u8 data[]; ++ __u8 data[] __counted_by(length); + } __packed; + + #define HCI_OP_LE_SET_EXT_SCAN_RSP_DATA 0x2038 +@@ -1930,7 +1930,7 @@ struct hci_cp_le_set_ext_scan_rsp_data { + __u8 operation; + __u8 frag_pref; + __u8 length; +- __u8 data[]; ++ __u8 data[] __counted_by(length); + } __packed; + + #define HCI_OP_LE_SET_EXT_ADV_ENABLE 0x2039 +@@ -1956,7 +1956,7 @@ struct hci_cp_le_set_per_adv_data { + __u8 handle; + __u8 operation; + __u8 length; +- __u8 data[]; ++ __u8 data[] __counted_by(length); + } __packed; + + #define HCI_OP_LE_SET_PER_ADV_ENABLE 0x2040 +@@ -2057,7 +2057,7 @@ struct hci_cis { + + struct hci_cp_le_create_cis { + __u8 num_cis; +- struct hci_cis cis[]; ++ struct hci_cis cis[] __counted_by(num_cis); + } __packed; + + #define HCI_OP_LE_REMOVE_CIG 0x2065 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 33fac5cab1a8d..cce73749f2dce 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4250,7 +4250,7 @@ static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) + hci_dev_lock(hdev); + + /* Remove connection if command failed */ +- for (i = 0; cp->num_cis; cp->num_cis--, i++) { ++ for (i = 0; i < cp->num_cis; i++) { + struct hci_conn *conn; + u16 handle; + +@@ -4266,6 +4266,7 @@ static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) + hci_conn_del(conn); + } + } ++ cp->num_cis = 0; + + if (pending) + hci_le_create_cis_pending(hdev); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 5e4ec698e6e3b..4f736ff4cda23 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1235,31 +1235,27 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + + static int hci_set_ext_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance) + { +- struct { +- struct hci_cp_le_set_ext_scan_rsp_data cp; +- u8 data[HCI_MAX_EXT_AD_LENGTH]; +- } pdu; ++ DEFINE_FLEX(struct hci_cp_le_set_ext_scan_rsp_data, pdu, data, length, ++ HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + +- memset(&pdu, 0, sizeof(pdu)); +- + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->scan_rsp_changed) + return 0; + } + +- len = eir_create_scan_rsp(hdev, instance, pdu.data); ++ len = eir_create_scan_rsp(hdev, instance, pdu->data); + +- pdu.cp.handle = instance; +- pdu.cp.length = len; +- pdu.cp.operation = LE_SET_ADV_DATA_OP_COMPLETE; +- pdu.cp.frag_pref = LE_SET_ADV_DATA_NO_FRAG; ++ pdu->handle = instance; ++ pdu->length = len; ++ pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; ++ pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_SCAN_RSP_DATA, +- sizeof(pdu.cp) + len, &pdu.cp, ++ struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; +@@ -1267,7 +1263,7 @@ static int hci_set_ext_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance) + if (adv) { + adv->scan_rsp_changed = false; + } else { +- memcpy(hdev->scan_rsp_data, pdu.data, len); ++ memcpy(hdev->scan_rsp_data, pdu->data, len); + hdev->scan_rsp_data_len = len; + } + +@@ -1411,14 +1407,10 @@ static int hci_set_per_adv_params_sync(struct hci_dev *hdev, u8 instance, + + static int hci_set_per_adv_data_sync(struct hci_dev *hdev, u8 instance) + { +- struct { +- struct hci_cp_le_set_per_adv_data cp; +- u8 data[HCI_MAX_PER_AD_LENGTH]; +- } pdu; ++ DEFINE_FLEX(struct hci_cp_le_set_per_adv_data, pdu, data, length, ++ HCI_MAX_PER_AD_LENGTH); + u8 len; + +- memset(&pdu, 0, sizeof(pdu)); +- + if (instance) { + struct adv_info *adv = hci_find_adv_instance(hdev, instance); + +@@ -1426,14 +1418,14 @@ static int hci_set_per_adv_data_sync(struct hci_dev *hdev, u8 instance) + return 0; + } + +- len = eir_create_per_adv_data(hdev, instance, pdu.data); ++ len = eir_create_per_adv_data(hdev, instance, pdu->data); + +- pdu.cp.length = len; +- pdu.cp.handle = instance; +- pdu.cp.operation = LE_SET_ADV_DATA_OP_COMPLETE; ++ pdu->length = len; ++ pdu->handle = instance; ++ pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_DATA, +- sizeof(pdu.cp) + len, &pdu, ++ struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + } + +@@ -1727,31 +1719,27 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) + + static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) + { +- struct { +- struct hci_cp_le_set_ext_adv_data cp; +- u8 data[HCI_MAX_EXT_AD_LENGTH]; +- } pdu; ++ DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, ++ HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + +- memset(&pdu, 0, sizeof(pdu)); +- + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->adv_data_changed) + return 0; + } + +- len = eir_create_adv_data(hdev, instance, pdu.data); ++ len = eir_create_adv_data(hdev, instance, pdu->data); + +- pdu.cp.length = len; +- pdu.cp.handle = instance; +- pdu.cp.operation = LE_SET_ADV_DATA_OP_COMPLETE; +- pdu.cp.frag_pref = LE_SET_ADV_DATA_NO_FRAG; ++ pdu->length = len; ++ pdu->handle = instance; ++ pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; ++ pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, +- sizeof(pdu.cp) + len, &pdu.cp, ++ struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; +@@ -1760,7 +1748,7 @@ static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) + if (adv) { + adv->adv_data_changed = false; + } else { +- memcpy(hdev->adv_data, pdu.data, len); ++ memcpy(hdev->adv_data, pdu->data, len); + hdev->adv_data_len = len; + } + +@@ -6389,10 +6377,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data) + + int hci_le_create_cis_sync(struct hci_dev *hdev) + { +- struct { +- struct hci_cp_le_create_cis cp; +- struct hci_cis cis[0x1f]; +- } cmd; ++ DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f); ++ size_t aux_num_cis = 0; + struct hci_conn *conn; + u8 cig = BT_ISO_QOS_CIG_UNSET; + +@@ -6419,8 +6405,6 @@ int hci_le_create_cis_sync(struct hci_dev *hdev) + * remains pending. + */ + +- memset(&cmd, 0, sizeof(cmd)); +- + hci_dev_lock(hdev); + + rcu_read_lock(); +@@ -6457,7 +6441,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev) + goto done; + + list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { +- struct hci_cis *cis = &cmd.cis[cmd.cp.num_cis]; ++ struct hci_cis *cis = &cmd->cis[aux_num_cis]; + + if (hci_conn_check_create_cis(conn) || + conn->iso_qos.ucast.cig != cig) +@@ -6466,25 +6450,25 @@ int hci_le_create_cis_sync(struct hci_dev *hdev) + set_bit(HCI_CONN_CREATE_CIS, &conn->flags); + cis->acl_handle = cpu_to_le16(conn->parent->handle); + cis->cis_handle = cpu_to_le16(conn->handle); +- cmd.cp.num_cis++; ++ aux_num_cis++; + +- if (cmd.cp.num_cis >= ARRAY_SIZE(cmd.cis)) ++ if (aux_num_cis >= 0x1f) + break; + } ++ cmd->num_cis = aux_num_cis; + + done: + rcu_read_unlock(); + + hci_dev_unlock(hdev); + +- if (!cmd.cp.num_cis) ++ if (!aux_num_cis) + return 0; + + /* Wait for HCI_LE_CIS_Established */ + return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS, +- sizeof(cmd.cp) + sizeof(cmd.cis[0]) * +- cmd.cp.num_cis, &cmd, +- HCI_EVT_LE_CIS_ESTABLISHED, ++ struct_size(cmd, cis, cmd->num_cis), ++ cmd, HCI_EVT_LE_CIS_ESTABLISHED, + conn->conn_timeout, NULL); + } + +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-hci_core-fix-not-handling-hdev-le_num_of_a.patch b/queue-6.9/bluetooth-hci_core-fix-not-handling-hdev-le_num_of_a.patch new file mode 100644 index 00000000000..15a2fd9b8f5 --- /dev/null +++ b/queue-6.9/bluetooth-hci_core-fix-not-handling-hdev-le_num_of_a.patch @@ -0,0 +1,134 @@ +From 80bed1dc9f74675b04f0bc8ced0449c191af1b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 16:07:55 -0400 +Subject: Bluetooth: hci_core: Fix not handling hdev->le_num_of_adv_sets=1 + +From: Luiz Augusto von Dentz + +[ Upstream commit e77f43d531af41e9ce299eab10dcae8fa5dbc293 ] + +If hdev->le_num_of_adv_sets is set to 1 it means that only handle 0x00 +can be used, but since the MGMT interface instances start from 1 +(instance 0 means all instances in case of MGMT_OP_REMOVE_ADVERTISING) +the code needs to map the instance to handle otherwise users will not be +able to advertise as instance 1 would attempt to use handle 0x01. + +Fixes: 1d0fac2c38ed ("Bluetooth: Use controller sets when available") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_core.c | 9 +++++++++ + net/bluetooth/hci_sync.c | 17 ++++++++--------- + 3 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 762b049bdabf1..5277c6d5134ca 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -246,6 +246,7 @@ struct adv_info { + bool periodic; + __u8 mesh; + __u8 instance; ++ __u8 handle; + __u32 flags; + __u16 timeout; + __u16 remaining_time; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index e32725650a319..24f6b6a5c7721 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1758,6 +1758,15 @@ struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance, + + adv->pending = true; + adv->instance = instance; ++ ++ /* If controller support only one set and the instance is set to ++ * 1 then there is no option other than using handle 0x00. ++ */ ++ if (hdev->le_num_of_adv_sets == 1 && instance == 1) ++ adv->handle = 0x00; ++ else ++ adv->handle = instance; ++ + list_add(&adv->list, &hdev->adv_instances); + hdev->adv_instance_cnt++; + } +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 4f736ff4cda23..64f794d198cdc 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1043,11 +1043,10 @@ static int hci_disable_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + struct hci_cp_ext_adv_set *set; + u8 data[sizeof(*cp) + sizeof(*set) * 1]; + u8 size; ++ struct adv_info *adv = NULL; + + /* If request specifies an instance that doesn't exist, fail */ + if (instance > 0) { +- struct adv_info *adv; +- + adv = hci_find_adv_instance(hdev, instance); + if (!adv) + return -EINVAL; +@@ -1066,7 +1065,7 @@ static int hci_disable_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + cp->num_of_sets = !!instance; + cp->enable = 0x00; + +- set->handle = instance; ++ set->handle = adv ? adv->handle : instance; + + size = sizeof(*cp) + sizeof(*set) * cp->num_of_sets; + +@@ -1249,7 +1248,7 @@ static int hci_set_ext_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance) + + len = eir_create_scan_rsp(hdev, instance, pdu->data); + +- pdu->handle = instance; ++ pdu->handle = adv ? adv->handle : instance; + pdu->length = len; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; +@@ -1331,7 +1330,7 @@ int hci_enable_ext_advertising_sync(struct hci_dev *hdev, u8 instance) + + memset(set, 0, sizeof(*set)); + +- set->handle = instance; ++ set->handle = adv ? adv->handle : instance; + + /* Set duration per instance since controller is responsible for + * scheduling it. +@@ -1410,10 +1409,10 @@ static int hci_set_per_adv_data_sync(struct hci_dev *hdev, u8 instance) + DEFINE_FLEX(struct hci_cp_le_set_per_adv_data, pdu, data, length, + HCI_MAX_PER_AD_LENGTH); + u8 len; ++ struct adv_info *adv = NULL; + + if (instance) { +- struct adv_info *adv = hci_find_adv_instance(hdev, instance); +- ++ adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->periodic) + return 0; + } +@@ -1421,7 +1420,7 @@ static int hci_set_per_adv_data_sync(struct hci_dev *hdev, u8 instance) + len = eir_create_per_adv_data(hdev, instance, pdu->data); + + pdu->length = len; +- pdu->handle = instance; ++ pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_DATA, +@@ -1734,7 +1733,7 @@ static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) + len = eir_create_adv_data(hdev, instance, pdu->data); + + pdu->length = len; +- pdu->handle = instance; ++ pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-iso-make-iso_get_sock_listen-generic.patch b/queue-6.9/bluetooth-iso-make-iso_get_sock_listen-generic.patch new file mode 100644 index 00000000000..805b7929671 --- /dev/null +++ b/queue-6.9/bluetooth-iso-make-iso_get_sock_listen-generic.patch @@ -0,0 +1,198 @@ +From bcda0c8462ca719726eecb9957036e77346d8937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 14:39:30 +0300 +Subject: Bluetooth: ISO: Make iso_get_sock_listen generic + +From: Iulia Tanasescu + +[ Upstream commit 311527e9dafdcae0c5a20d62f4f84ad01b33b5f4 ] + +This makes iso_get_sock_listen more generic, to return matching socket +in the state provided as argument. + +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: a5b862c6a221 ("Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 2 +- + net/bluetooth/iso.c | 75 +++++++++++++++++-------------- + 2 files changed, 43 insertions(+), 34 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index eaec5d6caa29d..b3228bd6cd6be 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -285,7 +285,7 @@ void bt_err_ratelimited(const char *fmt, ...); + bt_err_ratelimited("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) + + /* Connection and socket states */ +-enum { ++enum bt_sock_state { + BT_CONNECTED = 1, /* Equal to TCP_ESTABLISHED to make net code happy */ + BT_OPEN, + BT_BOUND, +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 6bed4aa8291de..6cb41f9d174e2 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -85,8 +85,9 @@ static void iso_sock_disconn(struct sock *sk); + + typedef bool (*iso_sock_match_t)(struct sock *sk, void *data); + +-static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst, +- iso_sock_match_t match, void *data); ++static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst, ++ enum bt_sock_state state, ++ iso_sock_match_t match, void *data); + + /* ---- ISO timers ---- */ + #define ISO_CONN_TIMEOUT (HZ * 40) +@@ -233,10 +234,11 @@ static void iso_conn_del(struct hci_conn *hcon, int err) + * terminated are not processed anymore. + */ + if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { +- parent = iso_get_sock_listen(&hcon->src, +- &hcon->dst, +- iso_match_conn_sync_handle, +- hcon); ++ parent = iso_get_sock(&hcon->src, ++ &hcon->dst, ++ BT_LISTEN, ++ iso_match_conn_sync_handle, ++ hcon); + + if (parent) { + set_bit(BT_SK_PA_SYNC_TERM, +@@ -581,22 +583,23 @@ static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc, + return NULL; + } + +-/* Find socket listening: ++/* Find socket in given state: + * source bdaddr (Unicast) + * destination bdaddr (Broadcast only) + * match func - pass NULL to ignore + * match func data - pass -1 to ignore + * Returns closest match. + */ +-static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst, +- iso_sock_match_t match, void *data) ++static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst, ++ enum bt_sock_state state, ++ iso_sock_match_t match, void *data) + { + struct sock *sk = NULL, *sk1 = NULL; + + read_lock(&iso_sk_list.lock); + + sk_for_each(sk, &iso_sk_list.head) { +- if (sk->sk_state != BT_LISTEN) ++ if (sk->sk_state != state) + continue; + + /* Match Broadcast destination */ +@@ -1777,32 +1780,37 @@ static void iso_conn_ready(struct iso_conn *conn) + HCI_EVT_LE_BIG_SYNC_ESTABILISHED); + + /* Get reference to PA sync parent socket, if it exists */ +- parent = iso_get_sock_listen(&hcon->src, +- &hcon->dst, +- iso_match_pa_sync_flag, NULL); ++ parent = iso_get_sock(&hcon->src, &hcon->dst, ++ BT_LISTEN, ++ iso_match_pa_sync_flag, ++ NULL); + if (!parent && ev) +- parent = iso_get_sock_listen(&hcon->src, +- &hcon->dst, +- iso_match_big, ev); ++ parent = iso_get_sock(&hcon->src, ++ &hcon->dst, ++ BT_LISTEN, ++ iso_match_big, ev); + } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { + ev2 = hci_recv_event_data(hcon->hdev, + HCI_EV_LE_PA_SYNC_ESTABLISHED); + if (ev2) +- parent = iso_get_sock_listen(&hcon->src, +- &hcon->dst, +- iso_match_sid, ev2); ++ parent = iso_get_sock(&hcon->src, ++ &hcon->dst, ++ BT_LISTEN, ++ iso_match_sid, ev2); + } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { + ev3 = hci_recv_event_data(hcon->hdev, + HCI_EVT_LE_BIG_INFO_ADV_REPORT); + if (ev3) +- parent = iso_get_sock_listen(&hcon->src, +- &hcon->dst, +- iso_match_sync_handle, ev3); ++ parent = iso_get_sock(&hcon->src, ++ &hcon->dst, ++ BT_LISTEN, ++ iso_match_sync_handle, ++ ev3); + } + + if (!parent) +- parent = iso_get_sock_listen(&hcon->src, +- BDADDR_ANY, NULL, NULL); ++ parent = iso_get_sock(&hcon->src, BDADDR_ANY, ++ BT_LISTEN, NULL, NULL); + + if (!parent) + return; +@@ -1923,8 +1931,8 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + */ + ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED); + if (ev1) { +- sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, iso_match_sid, +- ev1); ++ sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, ++ iso_match_sid, ev1); + if (sk && !ev1->status) + iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle); + +@@ -1934,12 +1942,12 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT); + if (ev2) { + /* Try to get PA sync listening socket, if it exists */ +- sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, +- iso_match_pa_sync_flag, NULL); ++ sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, ++ iso_match_pa_sync_flag, NULL); + + if (!sk) { +- sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, +- iso_match_sync_handle, ev2); ++ sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, ++ iso_match_sync_handle, ev2); + + /* If PA Sync is in process of terminating, + * do not handle any more BIGInfo adv reports. +@@ -1979,8 +1987,8 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + u8 *base; + struct hci_conn *hcon; + +- sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, +- iso_match_sync_handle_pa_report, ev3); ++ sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, ++ iso_match_sync_handle_pa_report, ev3); + if (!sk) + goto done; + +@@ -2029,7 +2037,8 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + hcon->le_per_adv_data_len = 0; + } + } else { +- sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL); ++ sk = iso_get_sock(&hdev->bdaddr, BDADDR_ANY, ++ BT_LISTEN, NULL, NULL); + } + + done: +-- +2.43.0 + diff --git a/queue-6.9/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch b/queue-6.9/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch new file mode 100644 index 00000000000..16074780647 --- /dev/null +++ b/queue-6.9/bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch @@ -0,0 +1,39 @@ +From cbe2c3f9c45ea7c8fc535ffecaa39c6261ebcb7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:25:43 +0300 +Subject: Bluetooth: qca: Fix error code in qca_read_fw_build_info() + +From: Dan Carpenter + +[ Upstream commit a189f0ee6685457528db7a36ded3085e5d13ddc3 ] + +Return -ENOMEM on allocation failure. Don't return success. + +Fixes: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Dan Carpenter +Reviewed-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 638074992c829..35fb26cbf2294 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -148,8 +148,10 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) + } + + build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); +- if (!build_label) ++ if (!build_label) { ++ err = -ENOMEM; + goto out; ++ } + + hci_set_fw_info(hdev, "%s", build_label); + +-- +2.43.0 + diff --git a/queue-6.9/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch b/queue-6.9/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch new file mode 100644 index 00000000000..00d9a6de210 --- /dev/null +++ b/queue-6.9/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch @@ -0,0 +1,122 @@ +From 9a2f9219019aea5ffd0607a74dd281de5fdf6d61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 12:39:28 +0200 +Subject: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq + +From: Michal Schmidt + +[ Upstream commit 78cfd17142ef70599d6409cbd709d94b3da58659 ] + +Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called +with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. +In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. +roundup_pow_of_two is documented as undefined for 0. + +Fix it in the one caller that had this combination. + +The undefined behavior was detected by UBSAN: + UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 + shift exponent 64 is too large for 64-bit type 'long unsigned int' + CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 + Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 + Call Trace: + + dump_stack_lvl+0x5d/0x80 + ubsan_epilogue+0x5/0x30 + __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec + __roundup_pow_of_two+0x25/0x35 [bnxt_re] + bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] + bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] + bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __kmalloc+0x1b6/0x4f0 + ? create_qp.part.0+0x128/0x1c0 [ib_core] + ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] + create_qp.part.0+0x128/0x1c0 [ib_core] + ib_create_qp_kernel+0x50/0xd0 [ib_core] + create_mad_qp+0x8e/0xe0 [ib_core] + ? __pfx_qp_event_handler+0x10/0x10 [ib_core] + ib_mad_init_device+0x2be/0x680 [ib_core] + add_client_context+0x10d/0x1a0 [ib_core] + enable_device_and_get+0xe0/0x1d0 [ib_core] + ib_register_device+0x53c/0x630 [ib_core] + ? srso_alias_return_thunk+0x5/0xfbef5 + bnxt_re_probe+0xbd8/0xe50 [bnxt_re] + ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] + auxiliary_bus_probe+0x49/0x80 + ? driver_sysfs_add+0x57/0xc0 + really_probe+0xde/0x340 + ? pm_runtime_barrier+0x54/0x90 + ? __pfx___driver_attach+0x10/0x10 + __driver_probe_device+0x78/0x110 + driver_probe_device+0x1f/0xa0 + __driver_attach+0xba/0x1c0 + bus_for_each_dev+0x8f/0xe0 + bus_add_driver+0x146/0x220 + driver_register+0x72/0xd0 + __auxiliary_driver_register+0x6e/0xd0 + ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] + bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] + ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] + do_one_initcall+0x5b/0x310 + do_init_module+0x90/0x250 + init_module_from_file+0x86/0xc0 + idempotent_init_module+0x121/0x2b0 + __x64_sys_finit_module+0x5e/0xb0 + do_syscall_64+0x82/0x160 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? syscall_exit_to_user_mode_prepare+0x149/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? syscall_exit_to_user_mode+0x75/0x230 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? do_syscall_64+0x8e/0x160 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __count_memcg_events+0x69/0x100 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? count_memcg_events.constprop.0+0x1a/0x30 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? handle_mm_fault+0x1f0/0x300 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? do_user_addr_fault+0x34e/0x640 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f4e5132821d + Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 + RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d + RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b + RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 + R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d + R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 + + ---[ end trace ]--- + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Michal Schmidt +Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com +Acked-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 439d0c7c5d0ca..04258676d0726 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) + hwq_attr.stride = sizeof(struct sq_sge); + hwq_attr.depth = bnxt_qplib_get_depth(sq); + hwq_attr.aux_stride = psn_sz; +- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode); ++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode) ++ : 0; + /* Update msn tbl size */ + if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) { + hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode)); +-- +2.43.0 + diff --git a/queue-6.9/bpf-add-bpf_prog_type_cgroup_skb-attach-type-enforce.patch b/queue-6.9/bpf-add-bpf_prog_type_cgroup_skb-attach-type-enforce.patch new file mode 100644 index 00000000000..305e5f88dc7 --- /dev/null +++ b/queue-6.9/bpf-add-bpf_prog_type_cgroup_skb-attach-type-enforce.patch @@ -0,0 +1,50 @@ +From 2c1f0b81eeb15934bdbb715f47377041aec3e380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 16:16:18 -0700 +Subject: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in + BPF_LINK_CREATE + +From: Stanislav Fomichev + +[ Upstream commit 543576ec15b17c0c93301ac8297333c7b6e84ac7 ] + +bpf_prog_attach uses attach_type_to_prog_type to enforce proper +attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses +bpf_prog_get and relies on bpf_prog_attach_check_attach_type +to properly verify prog_type <> attach_type association. + +Add missing attach_type enforcement for the link_create case. +Otherwise, it's currently possible to attach cgroup_skb prog +types to other cgroup hooks. + +Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment") +Link: https://lore.kernel.org/bpf/0000000000004792a90615a1dde0@google.com/ +Reported-by: syzbot+838346b979830606c854@syzkaller.appspotmail.com +Signed-off-by: Stanislav Fomichev +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20240426231621.2716876-2-sdf@google.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index c287925471f68..cb61d8880dbe0 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -3985,6 +3985,11 @@ static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog, + * check permissions at attach time. + */ + return -EPERM; ++ ++ ptype = attach_type_to_prog_type(attach_type); ++ if (prog->type != ptype) ++ return -EINVAL; ++ + return prog->enforce_expected_attach_type && + prog->expected_attach_type != attach_type ? + -EINVAL : 0; +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-verifier-assumptions-about-socket-sk.patch b/queue-6.9/bpf-fix-verifier-assumptions-about-socket-sk.patch new file mode 100644 index 00000000000..c326ece47c7 --- /dev/null +++ b/queue-6.9/bpf-fix-verifier-assumptions-about-socket-sk.patch @@ -0,0 +1,220 @@ +From 7c3e8c193c7a1d3f372f3df59f7b1701b95c336d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 17:25:44 -0700 +Subject: bpf: Fix verifier assumptions about socket->sk + +From: Alexei Starovoitov + +[ Upstream commit 0db63c0b86e981a1e97d2596d64ceceba1a5470e ] + +The verifier assumes that 'sk' field in 'struct socket' is valid +and non-NULL when 'socket' pointer itself is trusted and non-NULL. +That may not be the case when socket was just created and +passed to LSM socket_accept hook. +Fix this verifier assumption and adjust tests. + +Reported-by: Liam Wisehart +Acked-by: Kumar Kartikeya Dwivedi +Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.") +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/r/20240427002544.68803-1-alexei.starovoitov@gmail.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 23 +++++++++++++++---- + .../bpf/progs/bench_local_storage_create.c | 5 ++-- + .../selftests/bpf/progs/local_storage.c | 20 ++++++++-------- + .../testing/selftests/bpf/progs/lsm_cgroup.c | 8 +++++-- + 4 files changed, 38 insertions(+), 18 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f3faee45753e8..2c90b1eb12e2c 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2359,6 +2359,8 @@ static void mark_btf_ld_reg(struct bpf_verifier_env *env, + regs[regno].type = PTR_TO_BTF_ID | flag; + regs[regno].btf = btf; + regs[regno].btf_id = btf_id; ++ if (type_may_be_null(flag)) ++ regs[regno].id = ++env->id_gen; + } + + #define DEF_NOT_SUBREG (0) +@@ -5388,8 +5390,6 @@ static int check_map_kptr_access(struct bpf_verifier_env *env, u32 regno, + */ + mark_btf_ld_reg(env, cur_regs(env), value_regno, PTR_TO_BTF_ID, kptr_field->kptr.btf, + kptr_field->kptr.btf_id, btf_ld_kptr_type(env, kptr_field)); +- /* For mark_ptr_or_null_reg */ +- val_reg->id = ++env->id_gen; + } else if (class == BPF_STX) { + val_reg = reg_state(env, value_regno); + if (!register_is_null(val_reg) && +@@ -5707,7 +5707,8 @@ static bool is_trusted_reg(const struct bpf_reg_state *reg) + return true; + + /* Types listed in the reg2btf_ids are always trusted */ +- if (reg2btf_ids[base_type(reg->type)]) ++ if (reg2btf_ids[base_type(reg->type)] && ++ !bpf_type_has_unsafe_modifiers(reg->type)) + return true; + + /* If a register is not referenced, it is trusted if it has the +@@ -6327,6 +6328,7 @@ static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val, + #define BTF_TYPE_SAFE_RCU(__type) __PASTE(__type, __safe_rcu) + #define BTF_TYPE_SAFE_RCU_OR_NULL(__type) __PASTE(__type, __safe_rcu_or_null) + #define BTF_TYPE_SAFE_TRUSTED(__type) __PASTE(__type, __safe_trusted) ++#define BTF_TYPE_SAFE_TRUSTED_OR_NULL(__type) __PASTE(__type, __safe_trusted_or_null) + + /* + * Allow list few fields as RCU trusted or full trusted. +@@ -6390,7 +6392,7 @@ BTF_TYPE_SAFE_TRUSTED(struct dentry) { + struct inode *d_inode; + }; + +-BTF_TYPE_SAFE_TRUSTED(struct socket) { ++BTF_TYPE_SAFE_TRUSTED_OR_NULL(struct socket) { + struct sock *sk; + }; + +@@ -6425,11 +6427,20 @@ static bool type_is_trusted(struct bpf_verifier_env *env, + BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct linux_binprm)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct file)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct dentry)); +- BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct socket)); + + return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__safe_trusted"); + } + ++static bool type_is_trusted_or_null(struct bpf_verifier_env *env, ++ struct bpf_reg_state *reg, ++ const char *field_name, u32 btf_id) ++{ ++ BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED_OR_NULL(struct socket)); ++ ++ return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, ++ "__safe_trusted_or_null"); ++} ++ + static int check_ptr_to_btf_access(struct bpf_verifier_env *env, + struct bpf_reg_state *regs, + int regno, int off, int size, +@@ -6538,6 +6549,8 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, + */ + if (type_is_trusted(env, reg, field_name, btf_id)) { + flag |= PTR_TRUSTED; ++ } else if (type_is_trusted_or_null(env, reg, field_name, btf_id)) { ++ flag |= PTR_TRUSTED | PTR_MAYBE_NULL; + } else if (in_rcu_cs(env) && !type_may_be_null(reg->type)) { + if (type_is_rcu(env, reg, field_name, btf_id)) { + /* ignore __rcu tag and mark it MEM_RCU */ +diff --git a/tools/testing/selftests/bpf/progs/bench_local_storage_create.c b/tools/testing/selftests/bpf/progs/bench_local_storage_create.c +index e4bfbba6c1936..c8ec0d0368e4a 100644 +--- a/tools/testing/selftests/bpf/progs/bench_local_storage_create.c ++++ b/tools/testing/selftests/bpf/progs/bench_local_storage_create.c +@@ -61,14 +61,15 @@ SEC("lsm.s/socket_post_create") + int BPF_PROG(socket_post_create, struct socket *sock, int family, int type, + int protocol, int kern) + { ++ struct sock *sk = sock->sk; + struct storage *stg; + __u32 pid; + + pid = bpf_get_current_pid_tgid() >> 32; +- if (pid != bench_pid) ++ if (pid != bench_pid || !sk) + return 0; + +- stg = bpf_sk_storage_get(&sk_storage_map, sock->sk, NULL, ++ stg = bpf_sk_storage_get(&sk_storage_map, sk, NULL, + BPF_LOCAL_STORAGE_GET_F_CREATE); + + if (stg) +diff --git a/tools/testing/selftests/bpf/progs/local_storage.c b/tools/testing/selftests/bpf/progs/local_storage.c +index e5e3a8b8dd075..637e75df2e146 100644 +--- a/tools/testing/selftests/bpf/progs/local_storage.c ++++ b/tools/testing/selftests/bpf/progs/local_storage.c +@@ -140,11 +140,12 @@ int BPF_PROG(socket_bind, struct socket *sock, struct sockaddr *address, + { + __u32 pid = bpf_get_current_pid_tgid() >> 32; + struct local_storage *storage; ++ struct sock *sk = sock->sk; + +- if (pid != monitored_pid) ++ if (pid != monitored_pid || !sk) + return 0; + +- storage = bpf_sk_storage_get(&sk_storage_map, sock->sk, 0, 0); ++ storage = bpf_sk_storage_get(&sk_storage_map, sk, 0, 0); + if (!storage) + return 0; + +@@ -155,24 +156,24 @@ int BPF_PROG(socket_bind, struct socket *sock, struct sockaddr *address, + /* This tests that we can associate multiple elements + * with the local storage. + */ +- storage = bpf_sk_storage_get(&sk_storage_map2, sock->sk, 0, ++ storage = bpf_sk_storage_get(&sk_storage_map2, sk, 0, + BPF_LOCAL_STORAGE_GET_F_CREATE); + if (!storage) + return 0; + +- if (bpf_sk_storage_delete(&sk_storage_map2, sock->sk)) ++ if (bpf_sk_storage_delete(&sk_storage_map2, sk)) + return 0; + +- storage = bpf_sk_storage_get(&sk_storage_map2, sock->sk, 0, ++ storage = bpf_sk_storage_get(&sk_storage_map2, sk, 0, + BPF_LOCAL_STORAGE_GET_F_CREATE); + if (!storage) + return 0; + +- if (bpf_sk_storage_delete(&sk_storage_map, sock->sk)) ++ if (bpf_sk_storage_delete(&sk_storage_map, sk)) + return 0; + + /* Ensure that the sk_storage_map is disconnected from the storage. */ +- if (!sock->sk->sk_bpf_storage || sock->sk->sk_bpf_storage->smap) ++ if (!sk->sk_bpf_storage || sk->sk_bpf_storage->smap) + return 0; + + sk_storage_result = 0; +@@ -185,11 +186,12 @@ int BPF_PROG(socket_post_create, struct socket *sock, int family, int type, + { + __u32 pid = bpf_get_current_pid_tgid() >> 32; + struct local_storage *storage; ++ struct sock *sk = sock->sk; + +- if (pid != monitored_pid) ++ if (pid != monitored_pid || !sk) + return 0; + +- storage = bpf_sk_storage_get(&sk_storage_map, sock->sk, 0, ++ storage = bpf_sk_storage_get(&sk_storage_map, sk, 0, + BPF_LOCAL_STORAGE_GET_F_CREATE); + if (!storage) + return 0; +diff --git a/tools/testing/selftests/bpf/progs/lsm_cgroup.c b/tools/testing/selftests/bpf/progs/lsm_cgroup.c +index 02c11d16b692a..d7598538aa2da 100644 +--- a/tools/testing/selftests/bpf/progs/lsm_cgroup.c ++++ b/tools/testing/selftests/bpf/progs/lsm_cgroup.c +@@ -103,11 +103,15 @@ static __always_inline int real_bind(struct socket *sock, + int addrlen) + { + struct sockaddr_ll sa = {}; ++ struct sock *sk = sock->sk; + +- if (sock->sk->__sk_common.skc_family != AF_PACKET) ++ if (!sk) ++ return 1; ++ ++ if (sk->__sk_common.skc_family != AF_PACKET) + return 1; + +- if (sock->sk->sk_kern_sock) ++ if (sk->sk_kern_sock) + return 1; + + bpf_probe_read_kernel(&sa, sizeof(sa), address); +-- +2.43.0 + diff --git a/queue-6.9/bpf-pack-struct-bpf_fib_lookup.patch b/queue-6.9/bpf-pack-struct-bpf_fib_lookup.patch new file mode 100644 index 00000000000..d384bac81af --- /dev/null +++ b/queue-6.9/bpf-pack-struct-bpf_fib_lookup.patch @@ -0,0 +1,74 @@ +From 4dec284b555ec17f94639fdb53ea6bc9cca430d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 14:33:03 +0200 +Subject: bpf: Pack struct bpf_fib_lookup + +From: Anton Protopopov + +[ Upstream commit f91717007217d975aa975ddabd91ae1a107b9bff ] + +The struct bpf_fib_lookup is supposed to be of size 64. A recent commit +59b418c7063d ("bpf: Add a check for struct bpf_fib_lookup size") added +a static assertion to check this property so that future changes to the +structure will not accidentally break this assumption. + +As it immediately turned out, on some 32-bit arm systems, when AEABI=n, +the total size of the structure was equal to 68, see [1]. This happened +because the bpf_fib_lookup structure contains a union of two 16-bit +fields: + + union { + __u16 tot_len; + __u16 mtu_result; + }; + +which was supposed to compile to a 16-bit-aligned 16-bit field. On the +aforementioned setups it was instead both aligned and padded to 32-bits. + +Declare this inner union as __attribute__((packed, aligned(2))) such +that it always is of size 2 and is aligned to 16 bits. + + [1] https://lore.kernel.org/all/CA+G9fYtsoP51f-oP_Sp5MOq-Ffv8La2RztNpwvE6+R1VtFiLrw@mail.gmail.com/#t + +Reported-by: Naresh Kamboju +Fixes: e1850ea9bd9e ("bpf: bpf_fib_lookup return MTU value as output when looked up") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Reviewed-by: Alexander Lobakin +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240403123303.1452184-1-aspsk@isovalent.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 2 +- + tools/include/uapi/linux/bpf.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 3c42b9f1bada3..bcd84985faf48 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -7150,7 +7150,7 @@ struct bpf_fib_lookup { + + /* output: MTU value */ + __u16 mtu_result; +- }; ++ } __attribute__((packed, aligned(2))); + /* input: L3 device index for lookup + * output: device index from FIB lookup + */ +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index 3c42b9f1bada3..bcd84985faf48 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -7150,7 +7150,7 @@ struct bpf_fib_lookup { + + /* output: MTU value */ + __u16 mtu_result; +- }; ++ } __attribute__((packed, aligned(2))); + /* input: L3 device index for lookup + * output: device index from FIB lookup + */ +-- +2.43.0 + diff --git a/queue-6.9/bpf-prevent-r10-register-from-being-marked-as-precis.patch b/queue-6.9/bpf-prevent-r10-register-from-being-marked-as-precis.patch new file mode 100644 index 00000000000..744fe82bb50 --- /dev/null +++ b/queue-6.9/bpf-prevent-r10-register-from-being-marked-as-precis.patch @@ -0,0 +1,58 @@ +From 87ccf0d08eb6fe7353b348886083a1e5083ae537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 14:45:35 -0700 +Subject: bpf: prevent r10 register from being marked as precise + +From: Andrii Nakryiko + +[ Upstream commit 1f2a74b41ea8b902687eb97c4e7e3f558801865b ] + +r10 is a special register that is not under BPF program's control and is +always effectively precise. The rest of precision logic assumes that +only r0-r9 SCALAR registers are marked as precise, so prevent r10 from +being marked precise. + +This can happen due to signed cast instruction allowing to do something +like `r0 = (s8)r10;`, which later, if r0 needs to be precise, would lead +to an attempt to mark r10 as precise. + +Prevent this with an extra check during instruction backtracking. + +Fixes: 8100928c8814 ("bpf: Support new sign-extension mov insns") +Reported-by: syzbot+148110ee7cf72f39f33e@syzkaller.appspotmail.com +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20240404214536.3551295-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index cb7ad1f795e18..f3faee45753e8 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3615,7 +3615,8 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, + * sreg needs precision before this insn + */ + bt_clear_reg(bt, dreg); +- bt_set_reg(bt, sreg); ++ if (sreg != BPF_REG_FP) ++ bt_set_reg(bt, sreg); + } else { + /* dreg = K + * dreg needs precision after this insn. +@@ -3631,7 +3632,8 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, + * both dreg and sreg need precision + * before this insn + */ +- bt_set_reg(bt, sreg); ++ if (sreg != BPF_REG_FP) ++ bt_set_reg(bt, sreg); + } /* else dreg += K + * dreg still needs precision before this insn + */ +-- +2.43.0 + diff --git a/queue-6.9/bpftool-fix-missing-pids-during-link-show.patch b/queue-6.9/bpftool-fix-missing-pids-during-link-show.patch new file mode 100644 index 00000000000..f1ad2f74c72 --- /dev/null +++ b/queue-6.9/bpftool-fix-missing-pids-during-link-show.patch @@ -0,0 +1,89 @@ +From 8f19c7de4f1eb659fde91e005488fe3010d2ac12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 19:32:49 -0700 +Subject: bpftool: Fix missing pids during link show + +From: Yonghong Song + +[ Upstream commit fe879bb42f8a6513ed18e9d22efb99cb35590201 ] + +Current 'bpftool link' command does not show pids, e.g., + $ tools/build/bpftool/bpftool link + ... + 4: tracing prog 23 + prog_type lsm attach_type lsm_mac + target_obj_id 1 target_btf_id 31320 + +Hack the following change to enable normal libbpf debug output, + --- a/tools/bpf/bpftool/pids.c + +++ b/tools/bpf/bpftool/pids.c + @@ -121,9 +121,9 @@ int build_obj_refs_table(struct hashmap **map, enum bpf_obj_type type) + /* we don't want output polluted with libbpf errors if bpf_iter is not + * supported + */ + - default_print = libbpf_set_print(libbpf_print_none); + + /* default_print = libbpf_set_print(libbpf_print_none); */ + err = pid_iter_bpf__load(skel); + - libbpf_set_print(default_print); + + /* libbpf_set_print(default_print); */ + +Rerun the above bpftool command: + $ tools/build/bpftool/bpftool link + libbpf: prog 'iter': BPF program load failed: Permission denied + libbpf: prog 'iter': -- BEGIN PROG LOAD LOG -- + 0: R1=ctx() R10=fp0 + ; struct task_struct *task = ctx->task; @ pid_iter.bpf.c:69 + 0: (79) r6 = *(u64 *)(r1 +8) ; R1=ctx() R6_w=ptr_or_null_task_struct(id=1) + ; struct file *file = ctx->file; @ pid_iter.bpf.c:68 + ... + ; struct bpf_link *link = (struct bpf_link *) file->private_data; @ pid_iter.bpf.c:103 + 80: (79) r3 = *(u64 *)(r8 +432) ; R3_w=scalar() R8=ptr_file() + ; if (link->type == bpf_core_enum_value(enum bpf_link_type___local, @ pid_iter.bpf.c:105 + 81: (61) r1 = *(u32 *)(r3 +12) + R3 invalid mem access 'scalar' + processed 39 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2 + -- END PROG LOAD LOG -- + libbpf: prog 'iter': failed to load: -13 + ... + +The 'file->private_data' returns a 'void' type and this caused subsequent 'link->type' +(insn #81) failed in verification. + +To fix the issue, restore the previous BPF_CORE_READ so old kernels can also work. +With this patch, the 'bpftool link' runs successfully with 'pids'. + $ tools/build/bpftool/bpftool link + ... + 4: tracing prog 23 + prog_type lsm attach_type lsm_mac + target_obj_id 1 target_btf_id 31320 + pids systemd(1) + +Fixes: 44ba7b30e84f ("bpftool: Use a local copy of BPF_LINK_TYPE_PERF_EVENT in pid_iter.bpf.c") +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Tested-by: Quentin Monnet +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20240312023249.3776718-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/skeleton/pid_iter.bpf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/bpf/bpftool/skeleton/pid_iter.bpf.c b/tools/bpf/bpftool/skeleton/pid_iter.bpf.c +index 26004f0c5a6ae..7bdbcac3cf628 100644 +--- a/tools/bpf/bpftool/skeleton/pid_iter.bpf.c ++++ b/tools/bpf/bpftool/skeleton/pid_iter.bpf.c +@@ -102,8 +102,8 @@ int iter(struct bpf_iter__task_file *ctx) + BPF_LINK_TYPE_PERF_EVENT___local)) { + struct bpf_link *link = (struct bpf_link *) file->private_data; + +- if (link->type == bpf_core_enum_value(enum bpf_link_type___local, +- BPF_LINK_TYPE_PERF_EVENT___local)) { ++ if (BPF_CORE_READ(link, type) == bpf_core_enum_value(enum bpf_link_type___local, ++ BPF_LINK_TYPE_PERF_EVENT___local)) { + e.has_bpf_cookie = true; + e.bpf_cookie = get_bpf_cookie(link); + } +-- +2.43.0 + diff --git a/queue-6.9/bpftool-mount-bpffs-on-provided-dir-instead-of-paren.patch b/queue-6.9/bpftool-mount-bpffs-on-provided-dir-instead-of-paren.patch new file mode 100644 index 00000000000..fe8b02361a5 --- /dev/null +++ b/queue-6.9/bpftool-mount-bpffs-on-provided-dir-instead-of-paren.patch @@ -0,0 +1,264 @@ +From 6f093e5309396fa3a3cea3d9b20ad77fe8daefb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 00:52:19 +0530 +Subject: bpftool: Mount bpffs on provided dir instead of parent dir + +From: Sahil Siddiq + +[ Upstream commit 478a535ae54ad3831371904d93b5dfc403222e17 ] + +When pinning programs/objects under PATH (eg: during "bpftool prog +loadall") the bpffs is mounted on the parent dir of PATH in the +following situations: +- the given dir exists but it is not bpffs. +- the given dir doesn't exist and the parent dir is not bpffs. + +Mounting on the parent dir can also have the unintentional side- +effect of hiding other files located under the parent dir. + +If the given dir exists but is not bpffs, then the bpffs should +be mounted on the given dir and not its parent dir. + +Similarly, if the given dir doesn't exist and its parent dir is not +bpffs, then the given dir should be created and the bpffs should be +mounted on this new dir. + +Fixes: 2a36c26fe3b8 ("bpftool: Support bpffs mountpoint as pin path for prog loadall") +Signed-off-by: Sahil Siddiq +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/2da44d24-74ae-a564-1764-afccf395eeec@isovalent.com/T/#t +Link: https://lore.kernel.org/bpf/20240404192219.52373-1-icegambit91@gmail.com + +Closes: https://github.com/libbpf/bpftool/issues/100 + +Changes since v1: + - Split "mount_bpffs_for_pin" into two functions. + This is done to improve maintainability and readability. + +Changes since v2: +- mount_bpffs_for_pin: rename to "create_and_mount_bpffs_dir". +- mount_bpffs_given_file: rename to "mount_bpffs_given_file". +- create_and_mount_bpffs_dir: + - introduce "dir_exists" boolean. + - remove new dir if "mnt_fs" fails. +- improve error handling and error messages. + +Changes since v3: +- Rectify function name. +- Improve error messages and formatting. +- mount_bpffs_for_file: + - Check if dir exists before block_mount check. + +Changes since v4: +- Use strdup instead of strcpy. +- create_and_mount_bpffs_dir: + - Use S_IRWXU instead of 0700. +- Improve error handling and formatting. + +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 96 +++++++++++++++++++++++++++++----- + tools/bpf/bpftool/iter.c | 2 +- + tools/bpf/bpftool/main.h | 3 +- + tools/bpf/bpftool/prog.c | 5 +- + tools/bpf/bpftool/struct_ops.c | 2 +- + 5 files changed, 92 insertions(+), 16 deletions(-) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index cc6e6aae2447d..958e92acca8e2 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -244,29 +244,101 @@ int open_obj_pinned_any(const char *path, enum bpf_obj_type exp_type) + return fd; + } + +-int mount_bpffs_for_pin(const char *name, bool is_dir) ++int create_and_mount_bpffs_dir(const char *dir_name) + { + char err_str[ERR_MAX_LEN]; +- char *file; +- char *dir; ++ bool dir_exists; + int err = 0; + +- if (is_dir && is_bpffs(name)) ++ if (is_bpffs(dir_name)) + return err; + +- file = malloc(strlen(name) + 1); +- if (!file) { ++ dir_exists = access(dir_name, F_OK) == 0; ++ ++ if (!dir_exists) { ++ char *temp_name; ++ char *parent_name; ++ ++ temp_name = strdup(dir_name); ++ if (!temp_name) { ++ p_err("mem alloc failed"); ++ return -1; ++ } ++ ++ parent_name = dirname(temp_name); ++ ++ if (is_bpffs(parent_name)) { ++ /* nothing to do if already mounted */ ++ free(temp_name); ++ return err; ++ } ++ ++ if (access(parent_name, F_OK) == -1) { ++ p_err("can't create dir '%s' to pin BPF object: parent dir '%s' doesn't exist", ++ dir_name, parent_name); ++ free(temp_name); ++ return -1; ++ } ++ ++ free(temp_name); ++ } ++ ++ if (block_mount) { ++ p_err("no BPF file system found, not mounting it due to --nomount option"); ++ return -1; ++ } ++ ++ if (!dir_exists) { ++ err = mkdir(dir_name, S_IRWXU); ++ if (err) { ++ p_err("failed to create dir '%s': %s", dir_name, strerror(errno)); ++ return err; ++ } ++ } ++ ++ err = mnt_fs(dir_name, "bpf", err_str, ERR_MAX_LEN); ++ if (err) { ++ err_str[ERR_MAX_LEN - 1] = '\0'; ++ p_err("can't mount BPF file system on given dir '%s': %s", ++ dir_name, err_str); ++ ++ if (!dir_exists) ++ rmdir(dir_name); ++ } ++ ++ return err; ++} ++ ++int mount_bpffs_for_file(const char *file_name) ++{ ++ char err_str[ERR_MAX_LEN]; ++ char *temp_name; ++ char *dir; ++ int err = 0; ++ ++ if (access(file_name, F_OK) != -1) { ++ p_err("can't pin BPF object: path '%s' already exists", file_name); ++ return -1; ++ } ++ ++ temp_name = strdup(file_name); ++ if (!temp_name) { + p_err("mem alloc failed"); + return -1; + } + +- strcpy(file, name); +- dir = dirname(file); ++ dir = dirname(temp_name); + + if (is_bpffs(dir)) + /* nothing to do if already mounted */ + goto out_free; + ++ if (access(dir, F_OK) == -1) { ++ p_err("can't pin BPF object: dir '%s' doesn't exist", dir); ++ err = -1; ++ goto out_free; ++ } ++ + if (block_mount) { + p_err("no BPF file system found, not mounting it due to --nomount option"); + err = -1; +@@ -276,12 +348,12 @@ int mount_bpffs_for_pin(const char *name, bool is_dir) + err = mnt_fs(dir, "bpf", err_str, ERR_MAX_LEN); + if (err) { + err_str[ERR_MAX_LEN - 1] = '\0'; +- p_err("can't mount BPF file system to pin the object (%s): %s", +- name, err_str); ++ p_err("can't mount BPF file system to pin the object '%s': %s", ++ file_name, err_str); + } + + out_free: +- free(file); ++ free(temp_name); + return err; + } + +@@ -289,7 +361,7 @@ int do_pin_fd(int fd, const char *name) + { + int err; + +- err = mount_bpffs_for_pin(name, false); ++ err = mount_bpffs_for_file(name); + if (err) + return err; + +diff --git a/tools/bpf/bpftool/iter.c b/tools/bpf/bpftool/iter.c +index 6b0e5202ca7a9..5c39c2ed36a2b 100644 +--- a/tools/bpf/bpftool/iter.c ++++ b/tools/bpf/bpftool/iter.c +@@ -76,7 +76,7 @@ static int do_pin(int argc, char **argv) + goto close_obj; + } + +- err = mount_bpffs_for_pin(path, false); ++ err = mount_bpffs_for_file(path); + if (err) + goto close_link; + +diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h +index b8bb08d10dec9..9eb764fe4cc8b 100644 +--- a/tools/bpf/bpftool/main.h ++++ b/tools/bpf/bpftool/main.h +@@ -142,7 +142,8 @@ const char *get_fd_type_name(enum bpf_obj_type type); + char *get_fdinfo(int fd, const char *key); + int open_obj_pinned(const char *path, bool quiet); + int open_obj_pinned_any(const char *path, enum bpf_obj_type exp_type); +-int mount_bpffs_for_pin(const char *name, bool is_dir); ++int mount_bpffs_for_file(const char *file_name); ++int create_and_mount_bpffs_dir(const char *dir_name); + int do_pin_any(int argc, char **argv, int (*get_fd_by_id)(int *, char ***)); + int do_pin_fd(int fd, const char *name); + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index 9cb42a3366c07..4c4cf16a40ba7 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -1778,7 +1778,10 @@ static int load_with_options(int argc, char **argv, bool first_prog_only) + goto err_close_obj; + } + +- err = mount_bpffs_for_pin(pinfile, !first_prog_only); ++ if (first_prog_only) ++ err = mount_bpffs_for_file(pinfile); ++ else ++ err = create_and_mount_bpffs_dir(pinfile); + if (err) + goto err_close_obj; + +diff --git a/tools/bpf/bpftool/struct_ops.c b/tools/bpf/bpftool/struct_ops.c +index d573f2640d8e9..aa43dead249cb 100644 +--- a/tools/bpf/bpftool/struct_ops.c ++++ b/tools/bpf/bpftool/struct_ops.c +@@ -515,7 +515,7 @@ static int do_register(int argc, char **argv) + if (argc == 1) + linkdir = GET_ARG(); + +- if (linkdir && mount_bpffs_for_pin(linkdir, true)) { ++ if (linkdir && create_and_mount_bpffs_dir(linkdir)) { + p_err("can't mount bpffs for pinning"); + return -1; + } +-- +2.43.0 + diff --git a/queue-6.9/btrfs-set-start-on-clone-before-calling-copy_extent_.patch b/queue-6.9/btrfs-set-start-on-clone-before-calling-copy_extent_.patch new file mode 100644 index 00000000000..0cf0335f490 --- /dev/null +++ b/queue-6.9/btrfs-set-start-on-clone-before-calling-copy_extent_.patch @@ -0,0 +1,94 @@ +From e8abefb34d3792f1e7b38bc1b76b6a58d766a080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 05:42:43 +0000 +Subject: btrfs: set start on clone before calling copy_extent_buffer_full + +From: Josef Bacik + +[ Upstream commit 53e24158684b527d013b5b2204ccb34d1f94c248 ] + +Our subpage testing started hanging on generic/560 and I bisected it +down to 1cab1375ba6d ("btrfs: reuse cloned extent buffer during +fiemap to avoid re-allocations"). This is subtle because we use +eb->start to figure out where in the folio we're copying to when we're +subpage, as our ->start may refer to an area inside of the folio. + +For example, assume a 16K page size machine with a 4K node size, and +assume that we already have a cloned extent buffer when we cloned the +previous search. + +copy_extent_buffer_full() will do the following when copying the extent +buffer path->nodes[0] (src) into cloned (dest): + + src->start = 8k; // this is the new leaf we're cloning + cloned->start = 4k; // this is left over from the previous clone + + src_addr = folio_address(src->folios[0]); + dest_addr = folio_address(dest->folios[0]); + + memcpy(dest_addr + get_eb_offset_in_folio(dst, 0), + src_addr + get_eb_offset_in_folio(src, 0), src->len); + +Now get_eb_offset_in_folio() is where the problems occur, because for +sub-pagesize blocksize we can have multiple eb's per folio, the code for +this is as follows + + size_t get_eb_offset_in_folio(eb, offset) { + return (eb->start + offset & (folio_size(eb->folio[0]) - 1)); + } + +So in the above example we are copying into offset 4K inside the folio. +However once we update cloned->start to 8K to match the src the math for +get_eb_offset_in_folio() changes, and any subsequent reads (i.e. +btrfs_item_key_to_cpu()) will start reading from the offset 8K instead +of 4K where we copied to, giving us garbage. + +Fix this by setting start before we co copy_extent_buffer_full() to make +sure that we're copying into the same offset inside of the folio that we +will read from later. + +All other sites of copy_extent_buffer_full() are correct because we +either set ->start beforehand or we simply don't change it in the case +of the tree-log usage. + +With this fix we now pass generic/560 on our subpage tests. + +Fixes: 1cab1375ba6d ("btrfs: reuse cloned extent buffer during fiemap to avoid re-allocations") +Reviewed-by: Filipe Manana +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 2776112dbdf8d..87f487b116577 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2773,13 +2773,19 @@ static int fiemap_next_leaf_item(struct btrfs_inode *inode, struct btrfs_path *p + goto out; + } + +- /* See the comment at fiemap_search_slot() about why we clone. */ +- copy_extent_buffer_full(clone, path->nodes[0]); + /* + * Important to preserve the start field, for the optimizations when + * checking if extents are shared (see extent_fiemap()). ++ * ++ * We must set ->start before calling copy_extent_buffer_full(). If we ++ * are on sub-pagesize blocksize, we use ->start to determine the offset ++ * into the folio where our eb exists, and if we update ->start after ++ * the fact then any subsequent reads of the eb may read from a ++ * different offset in the folio than where we originally copied into. + */ + clone->start = path->nodes[0]->start; ++ /* See the comment at fiemap_search_slot() about why we clone. */ ++ copy_extent_buffer_full(clone, path->nodes[0]); + + slot = path->slots[0]; + btrfs_release_path(path); +-- +2.43.0 + diff --git a/queue-6.9/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch b/queue-6.9/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch new file mode 100644 index 00000000000..5c8538d0779 --- /dev/null +++ b/queue-6.9/clk-mediatek-mt8365-mm-fix-dpi0-parent.patch @@ -0,0 +1,52 @@ +From 43da1243b0c52f7b4021f61f50437c181a908e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 16:17:00 +0200 +Subject: clk: mediatek: mt8365-mm: fix DPI0 parent + +From: Alexandre Mergnat + +[ Upstream commit 4c0c087772d7e29bc2489ddb068d5167140bfc38 ] + +To have a working display through DPI, a workaround has been +implemented downstream to add "mm_dpi0_dpi0" and "dpi0_sel" to +the DPI node. Shortly, that add an extra clock. + +It seems consistent to have the "dpi0_sel" as parent. +Additionnaly, "vpll_dpix" isn't used/managed. + +Then, set the "mm_dpi0_dpi0" parent clock to "dpi0_sel". + +The new clock tree is: + +clk26m + lvdspll + lvdspll_X (2, 4, 8, 16) + dpi0_sel + mm_dpi0_dpi0 + +Fixes: d46adccb7966 ("clk: mediatek: add driver for MT8365 SoC") +Signed-off-by: Alexandre Mergnat +Link: https://lore.kernel.org/r/20231023-display-support-v3-12-53388f3ed34b@baylibre.com +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8365-mm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-mt8365-mm.c b/drivers/clk/mediatek/clk-mt8365-mm.c +index 01a2ef8f594ef..3f62ec7507336 100644 +--- a/drivers/clk/mediatek/clk-mt8365-mm.c ++++ b/drivers/clk/mediatek/clk-mt8365-mm.c +@@ -53,7 +53,7 @@ static const struct mtk_gate mm_clks[] = { + GATE_MM0(CLK_MM_MM_DSI0, "mm_dsi0", "mm_sel", 17), + GATE_MM0(CLK_MM_MM_DISP_RDMA1, "mm_disp_rdma1", "mm_sel", 18), + GATE_MM0(CLK_MM_MM_MDP_RDMA1, "mm_mdp_rdma1", "mm_sel", 19), +- GATE_MM0(CLK_MM_DPI0_DPI0, "mm_dpi0_dpi0", "vpll_dpix", 20), ++ GATE_MM0(CLK_MM_DPI0_DPI0, "mm_dpi0_dpi0", "dpi0_sel", 20), + GATE_MM0(CLK_MM_MM_FAKE, "mm_fake", "mm_sel", 21), + GATE_MM0(CLK_MM_MM_SMI_COMMON, "mm_smi_common", "mm_sel", 22), + GATE_MM0(CLK_MM_MM_SMI_LARB0, "mm_smi_larb0", "mm_sel", 23), +-- +2.43.0 + diff --git a/queue-6.9/clk-mediatek-pllfh-don-t-log-error-for-missing-fhctl.patch b/queue-6.9/clk-mediatek-pllfh-don-t-log-error-for-missing-fhctl.patch new file mode 100644 index 00000000000..5211785359c --- /dev/null +++ b/queue-6.9/clk-mediatek-pllfh-don-t-log-error-for-missing-fhctl.patch @@ -0,0 +1,52 @@ +From 88c8f48691d586856b0dacb3494d3b7fc8b0b28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 15:29:56 -0500 +Subject: clk: mediatek: pllfh: Don't log error for missing fhctl node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit bb7b3c8e7180f36de75cdea200ab7127f93f58cc ] + +Support for fhctl clocks in apmixedsys was introduced at a later point +and to this moment only one mt6795 based platform has a fhctl DT node +present. Therefore the fhctl support in apmixedsys should be seen as +optional and not cause an error when it is missing. + +Change the message's log level to warning. The warning level is chosen +so that it will still alert the fact that fhctl support might be +unintentionally missing, but without implying that this is necessarily +an issue. + +Even if the FHCTL DT nodes are added to all current platforms moving +forward, since those changes won't be backported, this ensures stable +kernel releases won't have live with this error. + +Fixes: d7964de8a8ea ("clk: mediatek: Add new clock driver to handle FHCTL hardware") +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20240308-mtk-fhctl-no-node-error-v1-1-51e446eb149a@collabora.com +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-pllfh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-pllfh.c b/drivers/clk/mediatek/clk-pllfh.c +index 3a2b3f90be25d..094ec8a26d668 100644 +--- a/drivers/clk/mediatek/clk-pllfh.c ++++ b/drivers/clk/mediatek/clk-pllfh.c +@@ -68,7 +68,7 @@ void fhctl_parse_dt(const u8 *compatible_node, struct mtk_pllfh_data *pllfhs, + + node = of_find_compatible_node(NULL, NULL, compatible_node); + if (!node) { +- pr_err("cannot find \"%s\"\n", compatible_node); ++ pr_warn("cannot find \"%s\"\n", compatible_node); + return; + } + +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-apss-ipq-pll-fix-pll-rate-for-ipq5018.patch b/queue-6.9/clk-qcom-apss-ipq-pll-fix-pll-rate-for-ipq5018.patch new file mode 100644 index 00000000000..ea26aa55e9c --- /dev/null +++ b/queue-6.9/clk-qcom-apss-ipq-pll-fix-pll-rate-for-ipq5018.patch @@ -0,0 +1,48 @@ +From baa7dd6e8eb4d07390d8657523d0eab0c3480f87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 14:34:11 +0100 +Subject: clk: qcom: apss-ipq-pll: fix PLL rate for IPQ5018 + +From: Gabor Juhos + +[ Upstream commit c55f7ee2ec239b6afd8639c7ac06493876deb0ea ] + +According to ipq5018.dtsi, the maximum supported rate by the +CPU is 1.008 GHz on the IPQ5018 platform, however the current +configuration of the PLL results in 1.2 GHz rate. + +Change the 'L' value in the PLL configuration to limit the +rate to 1.008 GHz. The downstream kernel also uses the same +value [1]. Also add a comment to indicate the desired +frequency. + +[1] https://git.codelinaro.org/clo/qsdk/oss/kernel/linux-ipq-5.4/-/blob/NHSS.QSDK.12.4/drivers/clk/qcom/apss-ipq5018.c?ref_type=heads#L151 + +Fixes: 50492f929486 ("clk: qcom: apss-ipq-pll: add support for IPQ5018") +Signed-off-by: Gabor Juhos +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240326-fix-ipq5018-apss-pll-rate-v1-1-82ab31c9da7e@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/apss-ipq-pll.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/apss-ipq-pll.c b/drivers/clk/qcom/apss-ipq-pll.c +index 678b805f13d45..5e3da5558f4e0 100644 +--- a/drivers/clk/qcom/apss-ipq-pll.c ++++ b/drivers/clk/qcom/apss-ipq-pll.c +@@ -73,8 +73,9 @@ static struct clk_alpha_pll ipq_pll_stromer_plus = { + }, + }; + ++/* 1.008 GHz configuration */ + static const struct alpha_pll_config ipq5018_pll_config = { +- .l = 0x32, ++ .l = 0x2a, + .config_ctl_val = 0x4001075b, + .config_ctl_hi_val = 0x304, + .main_output_mask = BIT(0), +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-clk-alpha-pll-remove-invalid-stromer-regist.patch b/queue-6.9/clk-qcom-clk-alpha-pll-remove-invalid-stromer-regist.patch new file mode 100644 index 00000000000..64dee495302 --- /dev/null +++ b/queue-6.9/clk-qcom-clk-alpha-pll-remove-invalid-stromer-regist.patch @@ -0,0 +1,51 @@ +From eca90d73c4b2bf7d99f8b1b44ed440ded6b7fc96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 19:45:19 +0100 +Subject: clk: qcom: clk-alpha-pll: remove invalid Stromer register offset + +From: Gabor Juhos + +[ Upstream commit 4f2bc4acbb1916b8cd2ce4bb3ba7b1cd7cb705fa ] + +The offset of the CONFIG_CTL_U register defined for the Stromer +PLL is wrong. It is not aligned on a 4 bytes boundary which might +causes errors in regmap operations. + +Maybe the intention behind of using the 0xff value was to indicate +that the register is not implemented in the PLL, but this is not +verified anywhere in the code. Moreover, this value is not used +even in other register offset arrays despite that those PLLs also +have unimplemented registers. + +Additionally, on the Stromer PLLs the current code only touches +the CONFIG_CTL_U register if the result of pll_has_64bit_config() +is true which condition is not affected by the change. + +Due to the reasons above, simply remove the CONFIG_CTL_U entry +from the Stromer specific array. + +Fixes: e47a4f55f240 ("clk: qcom: clk-alpha-pll: Add support for Stromer PLLs") +Signed-off-by: Gabor Juhos +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240311-alpha-pll-stromer-cleanup-v1-1-f7c0c5607cca@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-alpha-pll.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/clk/qcom/clk-alpha-pll.c b/drivers/clk/qcom/clk-alpha-pll.c +index 8a412ef47e163..734a73f322b3a 100644 +--- a/drivers/clk/qcom/clk-alpha-pll.c ++++ b/drivers/clk/qcom/clk-alpha-pll.c +@@ -213,7 +213,6 @@ const u8 clk_alpha_pll_regs[][PLL_OFF_MAX_REGS] = { + [PLL_OFF_USER_CTL] = 0x18, + [PLL_OFF_USER_CTL_U] = 0x1c, + [PLL_OFF_CONFIG_CTL] = 0x20, +- [PLL_OFF_CONFIG_CTL_U] = 0xff, + [PLL_OFF_TEST_CTL] = 0x30, + [PLL_OFF_TEST_CTL_U] = 0x34, + [PLL_OFF_STATUS] = 0x28, +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch b/queue-6.9/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch new file mode 100644 index 00000000000..2672fe0555e --- /dev/null +++ b/queue-6.9/clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch @@ -0,0 +1,65 @@ +From 19d53ca725cacbffc4d6638fe8392ba7e32059cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:30 +0300 +Subject: clk: qcom: dispcc-sm6350: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit 1113501cfb46d5c0eb960f0a8a9f6c0f91dc6fb6 ] + +On SM6350 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display ae90000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") +Reviewed-by: Neil Armstrong +Tested-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-2-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm6350.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c +index 839435362010e..e4b7464c4d0e9 100644 +--- a/drivers/clk/qcom/dispcc-sm6350.c ++++ b/drivers/clk/qcom/dispcc-sm6350.c +@@ -221,26 +221,17 @@ static struct clk_rcg2 disp_cc_mdss_dp_crypto_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dp_link_clk_src[] = { +- F(162000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dp_link_clk_src = { + .cmd_rcgr = 0x10f8, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_0, +- .freq_tbl = ftbl_disp_cc_mdss_dp_link_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "disp_cc_mdss_dp_link_clk_src", + .parent_data = disp_cc_parent_data_0, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_0), + .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch b/queue-6.9/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch new file mode 100644 index 00000000000..8690710d52c --- /dev/null +++ b/queue-6.9/clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch @@ -0,0 +1,109 @@ +From 290b47f143bd49ea497caddb01120918b98e2d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:29 +0300 +Subject: clk: qcom: dispcc-sm8450: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit e801038a02ce1e8c652a0b668dd233a4ee48aeb7 ] + +On SM8450 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display ae90000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 16fb89f92ec4 ("clk: qcom: Add support for Display Clock Controller on SM8450") +Reviewed-by: Neil Armstrong +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-1-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8450.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8450.c b/drivers/clk/qcom/dispcc-sm8450.c +index 92e9c4e7b13dc..49bb4f58c3915 100644 +--- a/drivers/clk/qcom/dispcc-sm8450.c ++++ b/drivers/clk/qcom/dispcc-sm8450.c +@@ -309,26 +309,17 @@ static struct clk_rcg2 disp_cc_mdss_dptx0_aux_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dptx0_link_clk_src[] = { +- F(162000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dptx0_link_clk_src = { + .cmd_rcgr = 0x819c, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx0_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -382,13 +373,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx1_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -442,13 +432,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx2_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx2_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -502,13 +491,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx3_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx3_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-dispcc-sm8550-fix-displayport-clocks.patch b/queue-6.9/clk-qcom-dispcc-sm8550-fix-displayport-clocks.patch new file mode 100644 index 00000000000..f7e03ef7714 --- /dev/null +++ b/queue-6.9/clk-qcom-dispcc-sm8550-fix-displayport-clocks.patch @@ -0,0 +1,110 @@ +From aeda8810531656d4cc6308b634ee60c6bea6f6b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:31 +0300 +Subject: clk: qcom: dispcc-sm8550: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit e90b5139da8465a15c3820b4b67ca9468dce93b4 ] + +On SM8550 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display ae90000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") +Reviewed-by: Neil Armstrong +Tested-by: Neil Armstrong # on SM8550-HDK +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-3-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8550.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c +index 3672c73ac11c6..38ecea805503d 100644 +--- a/drivers/clk/qcom/dispcc-sm8550.c ++++ b/drivers/clk/qcom/dispcc-sm8550.c +@@ -345,26 +345,17 @@ static struct clk_rcg2 disp_cc_mdss_dptx0_aux_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dptx0_link_clk_src[] = { +- F(162000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dptx0_link_clk_src = { + .cmd_rcgr = 0x8170, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_7, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx0_link_clk_src", + .parent_data = disp_cc_parent_data_7, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_7), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -418,13 +409,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx1_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -478,13 +468,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx2_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx2_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -538,13 +527,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx3_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(struct clk_init_data) { + .name = "disp_cc_mdss_dptx3_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-dispcc-sm8650-fix-displayport-clocks.patch b/queue-6.9/clk-qcom-dispcc-sm8650-fix-displayport-clocks.patch new file mode 100644 index 00000000000..ef6db213c8b --- /dev/null +++ b/queue-6.9/clk-qcom-dispcc-sm8650-fix-displayport-clocks.patch @@ -0,0 +1,110 @@ +From b155bf7fc220bdceabb48e7727e946c7d7e0792a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 04:39:32 +0300 +Subject: clk: qcom: dispcc-sm8650: fix DisplayPort clocks + +From: Dmitry Baryshkov + +[ Upstream commit 615a292ee4d51303246278f3fa33cc38700fe00e ] + +On SM8650 DisplayPort link clocks use frequency tables inherited from +the vendor kernel, it is not applicable in the upstream kernel. Drop +frequency tables and use clk_byte2_ops for those clocks. + +This fixes frequency selection in the OPP core (which otherwise attempts +to use invalid 810 KHz as DP link rate), also fixing the following +message: +msm-dp-display af54000.displayport-controller: _opp_config_clk_single: failed to set clock rate: -22 + +Fixes: 9e939f008338 ("clk: qcom: add the SM8650 Display Clock Controller driver") +Reviewed-by: Neil Armstrong +Tested-by: Neil Armstrong # on SM8650-HDK +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240424-dispcc-dp-clocks-v2-4-b44038f3fa96@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm8650.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sm8650.c b/drivers/clk/qcom/dispcc-sm8650.c +index 9539db0d91145..3eb64bcad487e 100644 +--- a/drivers/clk/qcom/dispcc-sm8650.c ++++ b/drivers/clk/qcom/dispcc-sm8650.c +@@ -343,26 +343,17 @@ static struct clk_rcg2 disp_cc_mdss_dptx0_aux_clk_src = { + }, + }; + +-static const struct freq_tbl ftbl_disp_cc_mdss_dptx0_link_clk_src[] = { +- F(162000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(270000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(540000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- F(810000, P_DP0_PHY_PLL_LINK_CLK, 1, 0, 0), +- { } +-}; +- + static struct clk_rcg2 disp_cc_mdss_dptx0_link_clk_src = { + .cmd_rcgr = 0x8170, + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_7, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(const struct clk_init_data) { + .name = "disp_cc_mdss_dptx0_link_clk_src", + .parent_data = disp_cc_parent_data_7, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_7), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -416,13 +407,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(const struct clk_init_data) { + .name = "disp_cc_mdss_dptx1_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -476,13 +466,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx2_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(const struct clk_init_data) { + .name = "disp_cc_mdss_dptx2_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +@@ -536,13 +525,12 @@ static struct clk_rcg2 disp_cc_mdss_dptx3_link_clk_src = { + .mnd_width = 0, + .hid_width = 5, + .parent_map = disp_cc_parent_map_3, +- .freq_tbl = ftbl_disp_cc_mdss_dptx0_link_clk_src, + .clkr.hw.init = &(const struct clk_init_data) { + .name = "disp_cc_mdss_dptx3_link_clk_src", + .parent_data = disp_cc_parent_data_3, + .num_parents = ARRAY_SIZE(disp_cc_parent_data_3), + .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_byte2_ops, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-fix-sc_camcc_8280xp-dependencies.patch b/queue-6.9/clk-qcom-fix-sc_camcc_8280xp-dependencies.patch new file mode 100644 index 00000000000..ac36f7990fe --- /dev/null +++ b/queue-6.9/clk-qcom-fix-sc_camcc_8280xp-dependencies.patch @@ -0,0 +1,46 @@ +From 0c36af2358ddeb79480eb401754f8eceb240bdee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 08:18:10 -0700 +Subject: clk: qcom: Fix SC_CAMCC_8280XP dependencies + +From: Nathan Chancellor + +[ Upstream commit e00f2540a581f8b8c165e5ae8afe52e4ad038550 ] + +CONFIG_SC_GCC_8280XP depends on ARM64 but it is selected by +CONFIG_SC_CAMCC_8280XP, which can be selected on ARM, resulting in a +Kconfig warning. + +WARNING: unmet direct dependencies detected for SC_GCC_8280XP + Depends on [n]: COMMON_CLK [=y] && COMMON_CLK_QCOM [=y] && (ARM64 || COMPILE_TEST [=n]) + Selected by [y]: + - SC_CAMCC_8280XP [=y] && COMMON_CLK [=y] && COMMON_CLK_QCOM [=y] + +Add the same dependencies to CONFIG_SC_CAMCC_8280XP to resolve the +warning. + +Fixes: ff93872a9c61 ("clk: qcom: camcc-sc8280xp: Add sc8280xp CAMCC") +Signed-off-by: Nathan Chancellor +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240318-fix-some-qcom-kconfig-deps-v1-1-ea0773e3df5a@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/Kconfig b/drivers/clk/qcom/Kconfig +index 8ab08e7b5b6c6..b9ff32cab329b 100644 +--- a/drivers/clk/qcom/Kconfig ++++ b/drivers/clk/qcom/Kconfig +@@ -474,6 +474,7 @@ config SC_CAMCC_7280 + + config SC_CAMCC_8280XP + tristate "SC8280XP Camera Clock Controller" ++ depends on ARM64 || COMPILE_TEST + select SC_GCC_8280XP + help + Support for the camera clock controller on Qualcomm Technologies, Inc +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-fix-sm_gpucc_8650-dependencies.patch b/queue-6.9/clk-qcom-fix-sm_gpucc_8650-dependencies.patch new file mode 100644 index 00000000000..2d95ba14f29 --- /dev/null +++ b/queue-6.9/clk-qcom-fix-sm_gpucc_8650-dependencies.patch @@ -0,0 +1,46 @@ +From f355bd4f7651e25711bcc1fb966d8584a450c6c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 08:18:11 -0700 +Subject: clk: qcom: Fix SM_GPUCC_8650 dependencies + +From: Nathan Chancellor + +[ Upstream commit 07fb0a76bb757990b99fc2ab78ad7d1709cc441d ] + +CONFIG_SM_GCC_8650 depends on ARM64 but it is selected by +CONFIG_SM_GPUCC_8650, which can be selected on ARM, resulting in a +Kconfig warning. + +WARNING: unmet direct dependencies detected for SM_GCC_8650 + Depends on [n]: COMMON_CLK [=y] && COMMON_CLK_QCOM [=y] && (ARM64 || COMPILE_TEST [=n]) + Selected by [y]: + - SM_GPUCC_8650 [=y] && COMMON_CLK [=y] && COMMON_CLK_QCOM [=y] + +Add the same dependencies to CONFIG_SM_GPUCC_8650 to resolve the +warning. + +Fixes: 8676fd4f3874 ("clk: qcom: add the SM8650 GPU Clock Controller driver") +Signed-off-by: Nathan Chancellor +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240318-fix-some-qcom-kconfig-deps-v1-2-ea0773e3df5a@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/Kconfig b/drivers/clk/qcom/Kconfig +index b9ff32cab329b..1bb51a0588726 100644 +--- a/drivers/clk/qcom/Kconfig ++++ b/drivers/clk/qcom/Kconfig +@@ -1095,6 +1095,7 @@ config SM_GPUCC_8550 + + config SM_GPUCC_8650 + tristate "SM8650 Graphics Clock Controller" ++ depends on ARM64 || COMPILE_TEST + select SM_GCC_8650 + help + Support for the graphics clock controller on SM8650 devices. +-- +2.43.0 + diff --git a/queue-6.9/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch b/queue-6.9/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch new file mode 100644 index 00000000000..992cb1cd372 --- /dev/null +++ b/queue-6.9/clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch @@ -0,0 +1,114 @@ +From c8ded8755b60c0395541b9cf1363ad5fcc7a54ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 17:07:07 +0200 +Subject: clk: qcom: mmcc-msm8998: fix venus clock issue + +From: Marc Gonzalez + +[ Upstream commit e20ae5ae9f0c843aded4f06f3d1cab7384789e92 ] + +Right now, msm8998 video decoder (venus) is non-functional: + +$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm + (+) Video --vid=1 (*) (vp9 854x480 29.970fps) + Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz) +[ffmpeg/video] vp9_v4l2m2m: output VIDIOC_REQBUFS failed: Connection timed out +[ffmpeg/video] vp9_v4l2m2m: no v4l2 output context's buffers +[ffmpeg/video] vp9_v4l2m2m: can't configure decoder +Could not open codec. +Software decoding fallback is disabled. +Exiting... (Quit) + +Bryan O'Donoghue suggested the proper fix: +- Set required register offsets in venus GDSC structs. +- Set HW_CTRL flag. + +$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm + (+) Video --vid=1 (*) (vp9 854x480 29.970fps) + Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz) +[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl +[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl +... +Using hardware decoding (v4l2m2m-copy). +VO: [null] 854x480 nv12 +Exiting... (End of file) +real 0m3.315s +user 0m1.277s +sys 0m0.453s + +NOTES: + +GDSC = Globally Distributed Switch Controller + +Use same code as mmcc-msm8996 with: +s/venus_gdsc/video_top_gdsc/ +s/venus_core0_gdsc/video_subcore0_gdsc/ +s/venus_core1_gdsc/video_subcore1_gdsc/ + +https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8996.h +https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8998.h + +0x1024 = MMSS_VIDEO GDSCR (undocumented) +0x1028 = MMSS_VIDEO_CORE_CBCR +0x1030 = MMSS_VIDEO_AHB_CBCR +0x1034 = MMSS_VIDEO_AXI_CBCR +0x1038 = MMSS_VIDEO_MAXI_CBCR +0x1040 = MMSS_VIDEO_SUBCORE0 GDSCR (undocumented) +0x1044 = MMSS_VIDEO_SUBCORE1 GDSCR (undocumented) +0x1048 = MMSS_VIDEO_SUBCORE0_CBCR +0x104c = MMSS_VIDEO_SUBCORE1_CBCR + +Fixes: d14b15b5931c2b ("clk: qcom: Add MSM8998 Multimedia Clock Controller (MMCC) driver") +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Marc Gonzalez +Reviewed-by: Jeffrey Hugo +Link: https://lore.kernel.org/r/ff4e2e34-a677-4c39-8c29-83655c5512ae@freebox.fr +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/mmcc-msm8998.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/qcom/mmcc-msm8998.c b/drivers/clk/qcom/mmcc-msm8998.c +index 1180e48c687ac..275fb3b71ede4 100644 +--- a/drivers/clk/qcom/mmcc-msm8998.c ++++ b/drivers/clk/qcom/mmcc-msm8998.c +@@ -2535,6 +2535,8 @@ static struct clk_branch vmem_ahb_clk = { + + static struct gdsc video_top_gdsc = { + .gdscr = 0x1024, ++ .cxcs = (unsigned int []){ 0x1028, 0x1034, 0x1038 }, ++ .cxc_count = 3, + .pd = { + .name = "video_top", + }, +@@ -2543,20 +2545,26 @@ static struct gdsc video_top_gdsc = { + + static struct gdsc video_subcore0_gdsc = { + .gdscr = 0x1040, ++ .cxcs = (unsigned int []){ 0x1048 }, ++ .cxc_count = 1, + .pd = { + .name = "video_subcore0", + }, + .parent = &video_top_gdsc.pd, + .pwrsts = PWRSTS_OFF_ON, ++ .flags = HW_CTRL, + }; + + static struct gdsc video_subcore1_gdsc = { + .gdscr = 0x1044, ++ .cxcs = (unsigned int []){ 0x104c }, ++ .cxc_count = 1, + .pd = { + .name = "video_subcore1", + }, + .parent = &video_top_gdsc.pd, + .pwrsts = PWRSTS_OFF_ON, ++ .flags = HW_CTRL, + }; + + static struct gdsc mdss_gdsc = { +-- +2.43.0 + diff --git a/queue-6.9/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch b/queue-6.9/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch new file mode 100644 index 00000000000..8c853db0971 --- /dev/null +++ b/queue-6.9/clk-renesas-r8a779a0-fix-canfd-parent-clock.patch @@ -0,0 +1,40 @@ +From 8306d348f2f2bb70424517bba8ffd36dcaa861e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 17:00:51 +0200 +Subject: clk: renesas: r8a779a0: Fix CANFD parent clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 3b23118bdbd898dc2f4de8f549d598d492c42ba8 ] + +According to Figure 52A.1 ("RS-CANFD Module Block Diagram (in classical +CAN mode)") in the R-Car V3U Series User’s Manual Rev. 0.5, the parent +clock for the CANFD peripheral module clock is the S3D2 clock. + +Fixes: 9b621b6adff53346 ("clk: renesas: r8a779a0: Add CANFD module clock") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/aef9300f44c9141b1465343f91c5cc7303249b6e.1713279523.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r8a779a0-cpg-mssr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/renesas/r8a779a0-cpg-mssr.c b/drivers/clk/renesas/r8a779a0-cpg-mssr.c +index 4c2872f45387f..ff3f85e906fe1 100644 +--- a/drivers/clk/renesas/r8a779a0-cpg-mssr.c ++++ b/drivers/clk/renesas/r8a779a0-cpg-mssr.c +@@ -139,7 +139,7 @@ static const struct mssr_mod_clk r8a779a0_mod_clks[] __initconst = { + DEF_MOD("avb3", 214, R8A779A0_CLK_S3D2), + DEF_MOD("avb4", 215, R8A779A0_CLK_S3D2), + DEF_MOD("avb5", 216, R8A779A0_CLK_S3D2), +- DEF_MOD("canfd0", 328, R8A779A0_CLK_CANFD), ++ DEF_MOD("canfd0", 328, R8A779A0_CLK_S3D2), + DEF_MOD("csi40", 331, R8A779A0_CLK_CSI0), + DEF_MOD("csi41", 400, R8A779A0_CLK_CSI0), + DEF_MOD("csi42", 401, R8A779A0_CLK_CSI0), +-- +2.43.0 + diff --git a/queue-6.9/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch b/queue-6.9/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch new file mode 100644 index 00000000000..8dfe16c1367 --- /dev/null +++ b/queue-6.9/clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch @@ -0,0 +1,59 @@ +From b70dbc5ff40a4969cca55e9729509a9813d485a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 21:09:52 +0100 +Subject: clk: renesas: r9a07g043: Add clock and reset entry for PLIC + +From: Lad Prabhakar + +[ Upstream commit 44019387fce230beda35b83da3a2c9fc5787704e ] + +Add the missing clock and reset entry for PLIC. Also add +R9A07G043_NCEPLIC_ACLK to the critical clocks list. + +Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240403200952.633084-1-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r9a07g043-cpg.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/clk/renesas/r9a07g043-cpg.c b/drivers/clk/renesas/r9a07g043-cpg.c +index 33532673d25d7..26b71547fdbe3 100644 +--- a/drivers/clk/renesas/r9a07g043-cpg.c ++++ b/drivers/clk/renesas/r9a07g043-cpg.c +@@ -280,6 +280,10 @@ static struct rzg2l_mod_clk r9a07g043_mod_clks[] = { + 0x5a8, 1), + DEF_MOD("tsu_pclk", R9A07G043_TSU_PCLK, R9A07G043_CLK_TSU, + 0x5ac, 0), ++#ifdef CONFIG_RISCV ++ DEF_MOD("nceplic_aclk", R9A07G043_NCEPLIC_ACLK, R9A07G043_CLK_P1, ++ 0x608, 0), ++#endif + }; + + static struct rzg2l_reset r9a07g043_resets[] = { +@@ -338,6 +342,10 @@ static struct rzg2l_reset r9a07g043_resets[] = { + DEF_RST(R9A07G043_ADC_PRESETN, 0x8a8, 0), + DEF_RST(R9A07G043_ADC_ADRST_N, 0x8a8, 1), + DEF_RST(R9A07G043_TSU_PRESETN, 0x8ac, 0), ++#ifdef CONFIG_RISCV ++ DEF_RST(R9A07G043_NCEPLIC_ARESETN, 0x908, 0), ++#endif ++ + }; + + static const unsigned int r9a07g043_crit_mod_clks[] __initconst = { +@@ -347,6 +355,7 @@ static const unsigned int r9a07g043_crit_mod_clks[] __initconst = { + #endif + #ifdef CONFIG_RISCV + MOD_CLK_BASE + R9A07G043_IAX45_CLK, ++ MOD_CLK_BASE + R9A07G043_NCEPLIC_ACLK, + #endif + MOD_CLK_BASE + R9A07G043_DMAC_ACLK, + }; +-- +2.43.0 + diff --git a/queue-6.9/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch b/queue-6.9/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch new file mode 100644 index 00000000000..2c0ebebe298 --- /dev/null +++ b/queue-6.9/clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch @@ -0,0 +1,72 @@ +From 1901cf5dd8bdc4acf23cb117e07ef3c1044e3721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 16:03:48 +0200 +Subject: clk: rs9: fix wrong default value for clock amplitude + +From: Catalin Popescu + +[ Upstream commit 1758c68c81b8b881818fcebaaeb91055362a82f8 ] + +According to 9FGV0241, 9FGV0441 & 9FGV0841 datasheets, the default +value for the clock amplitude is 0.8V, while the driver assumes 0.7V. + +Additionally, define constants for default values for both clock +amplitude and spread spectrum and use them. + +Fixes: 892e0ddea1aa ("clk: rs9: Add Renesas 9-series PCIe clock generator driver") +Signed-off-by: Catalin Popescu +Reviewed-by: Marek Vasut +Link: https://lore.kernel.org/r/20240415140348.2887619-1-catalin.popescu@leica-geosystems.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-renesas-pcie.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c +index 53e21ac302e6d..4c3a5e4eb77ac 100644 +--- a/drivers/clk/clk-renesas-pcie.c ++++ b/drivers/clk/clk-renesas-pcie.c +@@ -25,10 +25,12 @@ + #define RS9_REG_SS_AMP_0V7 0x1 + #define RS9_REG_SS_AMP_0V8 0x2 + #define RS9_REG_SS_AMP_0V9 0x3 ++#define RS9_REG_SS_AMP_DEFAULT RS9_REG_SS_AMP_0V8 + #define RS9_REG_SS_AMP_MASK 0x3 + #define RS9_REG_SS_SSC_100 0 + #define RS9_REG_SS_SSC_M025 (1 << 3) + #define RS9_REG_SS_SSC_M050 (3 << 3) ++#define RS9_REG_SS_SSC_DEFAULT RS9_REG_SS_SSC_100 + #define RS9_REG_SS_SSC_MASK (3 << 3) + #define RS9_REG_SS_SSC_LOCK BIT(5) + #define RS9_REG_SR 0x2 +@@ -205,8 +207,8 @@ static int rs9_get_common_config(struct rs9_driver_data *rs9) + int ret; + + /* Set defaults */ +- rs9->pll_amplitude = RS9_REG_SS_AMP_0V7; +- rs9->pll_ssc = RS9_REG_SS_SSC_100; ++ rs9->pll_amplitude = RS9_REG_SS_AMP_DEFAULT; ++ rs9->pll_ssc = RS9_REG_SS_SSC_DEFAULT; + + /* Output clock amplitude */ + ret = of_property_read_u32(np, "renesas,out-amplitude-microvolt", +@@ -247,13 +249,13 @@ static void rs9_update_config(struct rs9_driver_data *rs9) + int i; + + /* If amplitude is non-default, update it. */ +- if (rs9->pll_amplitude != RS9_REG_SS_AMP_0V7) { ++ if (rs9->pll_amplitude != RS9_REG_SS_AMP_DEFAULT) { + regmap_update_bits(rs9->regmap, RS9_REG_SS, RS9_REG_SS_AMP_MASK, + rs9->pll_amplitude); + } + + /* If SSC is non-default, update it. */ +- if (rs9->pll_ssc != RS9_REG_SS_SSC_100) { ++ if (rs9->pll_ssc != RS9_REG_SS_SSC_DEFAULT) { + regmap_update_bits(rs9->regmap, RS9_REG_SS, RS9_REG_SS_SSC_MASK, + rs9->pll_ssc); + } +-- +2.43.0 + diff --git a/queue-6.9/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch b/queue-6.9/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch new file mode 100644 index 00000000000..3f0025801ae --- /dev/null +++ b/queue-6.9/clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch @@ -0,0 +1,47 @@ +From f7146f989e8274f4ddb551860f350dd992f52869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 18:10:00 +0900 +Subject: clk: samsung: exynosautov9: fix wrong pll clock id value + +From: Jaewon Kim + +[ Upstream commit 04ee3a0b44e3d18cf6b0c712d14b98624877fd26 ] + +All PLL id values of CMU_TOP were incorrectly set to FOUT_SHARED0_PLL. +It modified to the correct PLL clock id value. + +Fixes: 6587c62f69dc ("clk: samsung: add top clock support for Exynos Auto v9 SoC") +Signed-off-by: Jaewon Kim +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20240328091000.17660-1-jaewon02.kim@samsung.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynosautov9.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/samsung/clk-exynosautov9.c b/drivers/clk/samsung/clk-exynosautov9.c +index e9c06eb93e666..f04bacacab2cb 100644 +--- a/drivers/clk/samsung/clk-exynosautov9.c ++++ b/drivers/clk/samsung/clk-exynosautov9.c +@@ -352,13 +352,13 @@ static const struct samsung_pll_clock top_pll_clks[] __initconst = { + /* CMU_TOP_PURECLKCOMP */ + PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared0_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED0, PLL_CON3_PLL_SHARED0, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared1_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED1_PLL, "fout_shared1_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED1, PLL_CON3_PLL_SHARED1, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared2_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED2_PLL, "fout_shared2_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED2, PLL_CON3_PLL_SHARED2, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared3_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED3_PLL, "fout_shared3_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED3, PLL_CON3_PLL_SHARED3, NULL), +- PLL(pll_0822x, FOUT_SHARED0_PLL, "fout_shared4_pll", "oscclk", ++ PLL(pll_0822x, FOUT_SHARED4_PLL, "fout_shared4_pll", "oscclk", + PLL_LOCKTIME_PLL_SHARED4, PLL_CON3_PLL_SHARED4, NULL), + }; + +-- +2.43.0 + diff --git a/queue-6.9/clk-samsung-gs101-propagate-peric0-usi-spi-clock-rat.patch b/queue-6.9/clk-samsung-gs101-propagate-peric0-usi-spi-clock-rat.patch new file mode 100644 index 00000000000..0cd283bc33e --- /dev/null +++ b/queue-6.9/clk-samsung-gs101-propagate-peric0-usi-spi-clock-rat.patch @@ -0,0 +1,290 @@ +From 5440f05ef5b93e939982e2dbdeb3b83b10439032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 10:09:14 +0000 +Subject: clk: samsung: gs101: propagate PERIC0 USI SPI clock rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tudor Ambarus + +[ Upstream commit 7b54d9113cd4923432c0b2441c5e2663873b4e5b ] + +Introduce nMUX() for MUX clocks that can be reparented on clock rate +change. "nMUX" comes from "n-to-1 selector", hopefully emphasising that +the selector can change on clock rate changes. Ideally MUX/MUX_F() +should change to not have the CLK_SET_RATE_NO_REPARENT flag set by +default, and all their users to be updated to add the flag back +(like in the case of DIV and GATE). But this is a very intrusive change +and because for now only GS101 allows MUX reparenting on clock rate +change, stick with nMUX(). + +GS101 defines MUX clocks that are dedicated for each instance of the IP. +One example is USI IP (SPI, I2C, serial). The reparenting of these MUX +clocks will not affect other instances of the same IP or different IPs +altogether. + +When SPI transfer is being prepared, the spi-s3c64xx driver will call +clk_set_rate() to change the rate of SPI source clock (IPCLK). But IPCLK +is a gate (leaf) clock, so it must propagate the rate change up the +clock tree, so that corresponding MUX/DIV clocks can actually change +their values. Add CLK_SET_RATE_PARENT flag to corresponding clocks for +all USI instances in GS101 PERIC0: USI{1-8, 14}. This change involves the +following clocks: + +PERIC0 USI*: + + Clock Div range MUX Selection + ------------------------------------------------------------------- + gout_peric0_peric0_top0_ipclk_* - - + dout_peric0_usi*_usi /1..16 - + mout_peric0_usi*_usi_user - {24.5 MHz, 400 MHz} + +With input clock of 400 MHz this scheme provides the following IPCLK +rate range, for each USI block: + + PERIC0 USI*: 1.5 MHz ... 400 MHz + +Accounting for internal /4 divider in SPI blocks, and because the max +SPI frequency is limited at 50 MHz, it gives us next SPI SCK rates: + + PERIC0 USI_SPI*: 384 KHz ... 49.9 MHz + +Fixes: 893f133a040b ("clk: samsung: gs101: add support for cmu_peric0") +Reviewed-by: Peter Griffin +Acked-by: André Draszik +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20240419100915.2168573-2-tudor.ambarus@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-gs101.c | 135 +++++++++++++++++--------------- + drivers/clk/samsung/clk.h | 11 ++- + 2 files changed, 81 insertions(+), 65 deletions(-) + +diff --git a/drivers/clk/samsung/clk-gs101.c b/drivers/clk/samsung/clk-gs101.c +index d065e343a85dd..76d4d0fa1168a 100644 +--- a/drivers/clk/samsung/clk-gs101.c ++++ b/drivers/clk/samsung/clk-gs101.c +@@ -2763,33 +2763,33 @@ static const struct samsung_mux_clock peric0_mux_clks[] __initconst = { + MUX(CLK_MOUT_PERIC0_USI0_UART_USER, + "mout_peric0_usi0_uart_user", mout_peric0_usi0_uart_user_p, + PLL_CON0_MUX_CLKCMU_PERIC0_USI0_UART_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI14_USI_USER, +- "mout_peric0_usi14_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI14_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI1_USI_USER, +- "mout_peric0_usi1_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI1_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI2_USI_USER, +- "mout_peric0_usi2_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI2_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI3_USI_USER, +- "mout_peric0_usi3_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI3_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI4_USI_USER, +- "mout_peric0_usi4_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI4_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI5_USI_USER, +- "mout_peric0_usi5_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI5_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI6_USI_USER, +- "mout_peric0_usi6_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI6_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI7_USI_USER, +- "mout_peric0_usi7_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI7_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC0_USI8_USI_USER, +- "mout_peric0_usi8_usi_user", mout_peric0_usi_usi_user_p, +- PLL_CON0_MUX_CLKCMU_PERIC0_USI8_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI14_USI_USER, ++ "mout_peric0_usi14_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI14_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI1_USI_USER, ++ "mout_peric0_usi1_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI1_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI2_USI_USER, ++ "mout_peric0_usi2_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI2_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI3_USI_USER, ++ "mout_peric0_usi3_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI3_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI4_USI_USER, ++ "mout_peric0_usi4_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI4_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI5_USI_USER, ++ "mout_peric0_usi5_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI5_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI6_USI_USER, ++ "mout_peric0_usi6_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI6_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI7_USI_USER, ++ "mout_peric0_usi7_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI7_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC0_USI8_USI_USER, ++ "mout_peric0_usi8_usi_user", mout_peric0_usi_usi_user_p, ++ PLL_CON0_MUX_CLKCMU_PERIC0_USI8_USI_USER, 4, 1), + }; + + static const struct samsung_div_clock peric0_div_clks[] __initconst = { +@@ -2798,33 +2798,42 @@ static const struct samsung_div_clock peric0_div_clks[] __initconst = { + DIV(CLK_DOUT_PERIC0_USI0_UART, + "dout_peric0_usi0_uart", "mout_peric0_usi0_uart_user", + CLK_CON_DIV_DIV_CLK_PERIC0_USI0_UART, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI14_USI, +- "dout_peric0_usi14_usi", "mout_peric0_usi14_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI14_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI1_USI, +- "dout_peric0_usi1_usi", "mout_peric0_usi1_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI1_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI2_USI, +- "dout_peric0_usi2_usi", "mout_peric0_usi2_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI2_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI3_USI, +- "dout_peric0_usi3_usi", "mout_peric0_usi3_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI3_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI4_USI, +- "dout_peric0_usi4_usi", "mout_peric0_usi4_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI4_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI5_USI, +- "dout_peric0_usi5_usi", "mout_peric0_usi5_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI5_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI6_USI, +- "dout_peric0_usi6_usi", "mout_peric0_usi6_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI6_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI7_USI, +- "dout_peric0_usi7_usi", "mout_peric0_usi7_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI7_USI, 0, 4), +- DIV(CLK_DOUT_PERIC0_USI8_USI, +- "dout_peric0_usi8_usi", "mout_peric0_usi8_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC0_USI8_USI, 0, 4), ++ DIV_F(CLK_DOUT_PERIC0_USI14_USI, ++ "dout_peric0_usi14_usi", "mout_peric0_usi14_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI14_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI1_USI, ++ "dout_peric0_usi1_usi", "mout_peric0_usi1_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI1_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI2_USI, ++ "dout_peric0_usi2_usi", "mout_peric0_usi2_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI2_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI3_USI, ++ "dout_peric0_usi3_usi", "mout_peric0_usi3_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI3_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI4_USI, ++ "dout_peric0_usi4_usi", "mout_peric0_usi4_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI4_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI5_USI, ++ "dout_peric0_usi5_usi", "mout_peric0_usi5_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI5_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI6_USI, ++ "dout_peric0_usi6_usi", "mout_peric0_usi6_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI6_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI7_USI, ++ "dout_peric0_usi7_usi", "mout_peric0_usi7_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI7_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC0_USI8_USI, ++ "dout_peric0_usi8_usi", "mout_peric0_usi8_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC0_USI8_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), + }; + + static const struct samsung_gate_clock peric0_gate_clks[] __initconst = { +@@ -2857,11 +2866,11 @@ static const struct samsung_gate_clock peric0_gate_clks[] __initconst = { + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_0, + "gout_peric0_peric0_top0_ipclk_0", "dout_peric0_usi1_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_0, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_1, + "gout_peric0_peric0_top0_ipclk_1", "dout_peric0_usi2_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_1, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_10, + "gout_peric0_peric0_top0_ipclk_10", "dout_peric0_i3c", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_10, +@@ -2889,27 +2898,27 @@ static const struct samsung_gate_clock peric0_gate_clks[] __initconst = { + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_2, + "gout_peric0_peric0_top0_ipclk_2", "dout_peric0_usi3_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_2, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_3, + "gout_peric0_peric0_top0_ipclk_3", "dout_peric0_usi4_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_3, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_4, + "gout_peric0_peric0_top0_ipclk_4", "dout_peric0_usi5_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_4, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_5, + "gout_peric0_peric0_top0_ipclk_5", "dout_peric0_usi6_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_5, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_6, + "gout_peric0_peric0_top0_ipclk_6", "dout_peric0_usi7_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_6, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_7, + "gout_peric0_peric0_top0_ipclk_7", "dout_peric0_usi8_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_7, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC0_PERIC0_TOP0_IPCLK_8, + "gout_peric0_peric0_top0_ipclk_8", "dout_peric0_i3c", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_IPCLK_8, +@@ -2990,7 +2999,7 @@ static const struct samsung_gate_clock peric0_gate_clks[] __initconst = { + GATE(CLK_GOUT_PERIC0_PERIC0_TOP1_IPCLK_2, + "gout_peric0_peric0_top1_ipclk_2", "dout_peric0_usi14_usi", + CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP1_IPCLKPORT_IPCLK_2, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + /* Disabling this clock makes the system hang. Mark the clock as critical. */ + GATE(CLK_GOUT_PERIC0_PERIC0_TOP1_PCLK_0, + "gout_peric0_peric0_top1_pclk_0", "mout_peric0_bus_user", +diff --git a/drivers/clk/samsung/clk.h b/drivers/clk/samsung/clk.h +index a763309e6f129..556167350bff5 100644 +--- a/drivers/clk/samsung/clk.h ++++ b/drivers/clk/samsung/clk.h +@@ -133,7 +133,7 @@ struct samsung_mux_clock { + .name = cname, \ + .parent_names = pnames, \ + .num_parents = ARRAY_SIZE(pnames), \ +- .flags = (f) | CLK_SET_RATE_NO_REPARENT, \ ++ .flags = f, \ + .offset = o, \ + .shift = s, \ + .width = w, \ +@@ -141,9 +141,16 @@ struct samsung_mux_clock { + } + + #define MUX(_id, cname, pnames, o, s, w) \ +- __MUX(_id, cname, pnames, o, s, w, 0, 0) ++ __MUX(_id, cname, pnames, o, s, w, CLK_SET_RATE_NO_REPARENT, 0) + + #define MUX_F(_id, cname, pnames, o, s, w, f, mf) \ ++ __MUX(_id, cname, pnames, o, s, w, (f) | CLK_SET_RATE_NO_REPARENT, mf) ++ ++/* Used by MUX clocks where reparenting on clock rate change is allowed. */ ++#define nMUX(_id, cname, pnames, o, s, w) \ ++ __MUX(_id, cname, pnames, o, s, w, 0, 0) ++ ++#define nMUX_F(_id, cname, pnames, o, s, w, f, mf) \ + __MUX(_id, cname, pnames, o, s, w, f, mf) + + /** +-- +2.43.0 + diff --git a/queue-6.9/clk-samsung-gs101-propagate-peric1-usi-spi-clock-rat.patch b/queue-6.9/clk-samsung-gs101-propagate-peric1-usi-spi-clock-rat.patch new file mode 100644 index 00000000000..86304d46df9 --- /dev/null +++ b/queue-6.9/clk-samsung-gs101-propagate-peric1-usi-spi-clock-rat.patch @@ -0,0 +1,189 @@ +From b046d68623bfc4cab27adfeeeaa2518b2cc4cfb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 10:09:15 +0000 +Subject: clk: samsung: gs101: propagate PERIC1 USI SPI clock rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tudor Ambarus + +[ Upstream commit 7cf0324ba0bc61a8c360d23d284e06d2994b1fef ] + +When SPI transfer is being prepared, the spi-s3c64xx driver will call +clk_set_rate() to change the rate of SPI source clock (IPCLK). But IPCLK +is a gate (leaf) clock, so it must propagate the rate change up the +clock tree, so that corresponding MUX/DIV clocks can actually change +their values. Add CLK_SET_RATE_PARENT flag to corresponding clocks for +all USI instances in GS101 PERIC1: USI{0, 9, 10, 11, 12, 13}. This change +involves the following clocks: + +PERIC1 USI*: + + Clock Div range MUX Selection + ------------------------------------------------------------------- + gout_peric1_peric1_top0_ipclk_* - - + dout_peric1_usi*_usi /1..16 - + mout_peric1_usi*_usi_user - {24.5 MHz, 400 MHz} + +With input clock of 400 MHz this scheme provides the following IPCLK +rate range, for each USI block: + + PERIC1 USI*: 1.5 MHz ... 400 MHz + +Accounting for internal /4 divider in SPI blocks, and because the max +SPI frequency is limited at 50 MHz, it gives us next SPI SCK rates: + + PERIC1 USI_SPI*: 384 KHz ... 49.9 MHz + +Which shall be fine for the applications of the SPI bus. + +Note that with this we allow the reparenting of the MUX_USIx clocks to +OSCCLK. Each instance of the USI IP has its own MUX_USI clock, thus the +reparenting of a MUX_USI clock corresponds to a single instance of the +USI IP. The datasheet mentions OSCCLK just in the low-power mode +context, but the downstream driver reparents too the MUX_USI clocks to +OSCCLK. Follow the downstream driver and do the same. + +Fixes: 2999e786d7e9 ("clk: samsung: gs101: add support for cmu_peric1") +Reviewed-by: Peter Griffin +Acked-by: André Draszik +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20240419100915.2168573-3-tudor.ambarus@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-gs101.c | 90 ++++++++++++++++++--------------- + 1 file changed, 48 insertions(+), 42 deletions(-) + +diff --git a/drivers/clk/samsung/clk-gs101.c b/drivers/clk/samsung/clk-gs101.c +index 76d4d0fa1168a..bd3c1b02715b5 100644 +--- a/drivers/clk/samsung/clk-gs101.c ++++ b/drivers/clk/samsung/clk-gs101.c +@@ -3239,47 +3239,53 @@ static const struct samsung_mux_clock peric1_mux_clks[] __initconst = { + MUX(CLK_MOUT_PERIC1_I3C_USER, + "mout_peric1_i3c_user", mout_peric1_nonbususer_p, + PLL_CON0_MUX_CLKCMU_PERIC1_I3C_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI0_USI_USER, +- "mout_peric1_usi0_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI0_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI10_USI_USER, +- "mout_peric1_usi10_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI10_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI11_USI_USER, +- "mout_peric1_usi11_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI11_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI12_USI_USER, +- "mout_peric1_usi12_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI12_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI13_USI_USER, +- "mout_peric1_usi13_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI13_USI_USER, 4, 1), +- MUX(CLK_MOUT_PERIC1_USI9_USI_USER, +- "mout_peric1_usi9_usi_user", mout_peric1_nonbususer_p, +- PLL_CON0_MUX_CLKCMU_PERIC1_USI9_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI0_USI_USER, ++ "mout_peric1_usi0_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI0_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI10_USI_USER, ++ "mout_peric1_usi10_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI10_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI11_USI_USER, ++ "mout_peric1_usi11_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI11_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI12_USI_USER, ++ "mout_peric1_usi12_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI12_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI13_USI_USER, ++ "mout_peric1_usi13_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI13_USI_USER, 4, 1), ++ nMUX(CLK_MOUT_PERIC1_USI9_USI_USER, ++ "mout_peric1_usi9_usi_user", mout_peric1_nonbususer_p, ++ PLL_CON0_MUX_CLKCMU_PERIC1_USI9_USI_USER, 4, 1), + }; + + static const struct samsung_div_clock peric1_div_clks[] __initconst = { + DIV(CLK_DOUT_PERIC1_I3C, "dout_peric1_i3c", "mout_peric1_i3c_user", + CLK_CON_DIV_DIV_CLK_PERIC1_I3C, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI0_USI, +- "dout_peric1_usi0_usi", "mout_peric1_usi0_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI0_USI, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI10_USI, +- "dout_peric1_usi10_usi", "mout_peric1_usi10_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI10_USI, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI11_USI, +- "dout_peric1_usi11_usi", "mout_peric1_usi11_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI11_USI, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI12_USI, +- "dout_peric1_usi12_usi", "mout_peric1_usi12_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI12_USI, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI13_USI, +- "dout_peric1_usi13_usi", "mout_peric1_usi13_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI13_USI, 0, 4), +- DIV(CLK_DOUT_PERIC1_USI9_USI, +- "dout_peric1_usi9_usi", "mout_peric1_usi9_usi_user", +- CLK_CON_DIV_DIV_CLK_PERIC1_USI9_USI, 0, 4), ++ DIV_F(CLK_DOUT_PERIC1_USI0_USI, ++ "dout_peric1_usi0_usi", "mout_peric1_usi0_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI0_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC1_USI10_USI, ++ "dout_peric1_usi10_usi", "mout_peric1_usi10_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI10_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC1_USI11_USI, ++ "dout_peric1_usi11_usi", "mout_peric1_usi11_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI11_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC1_USI12_USI, ++ "dout_peric1_usi12_usi", "mout_peric1_usi12_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI12_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC1_USI13_USI, ++ "dout_peric1_usi13_usi", "mout_peric1_usi13_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI13_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), ++ DIV_F(CLK_DOUT_PERIC1_USI9_USI, ++ "dout_peric1_usi9_usi", "mout_peric1_usi9_usi_user", ++ CLK_CON_DIV_DIV_CLK_PERIC1_USI9_USI, 0, 4, ++ CLK_SET_RATE_PARENT, 0), + }; + + static const struct samsung_gate_clock peric1_gate_clks[] __initconst = { +@@ -3314,27 +3320,27 @@ static const struct samsung_gate_clock peric1_gate_clks[] __initconst = { + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_1, + "gout_peric1_peric1_top0_ipclk_1", "dout_peric1_usi0_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_1, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_2, + "gout_peric1_peric1_top0_ipclk_2", "dout_peric1_usi9_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_2, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_3, + "gout_peric1_peric1_top0_ipclk_3", "dout_peric1_usi10_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_3, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_4, + "gout_peric1_peric1_top0_ipclk_4", "dout_peric1_usi11_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_4, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_5, + "gout_peric1_peric1_top0_ipclk_5", "dout_peric1_usi12_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_5, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_6, + "gout_peric1_peric1_top0_ipclk_6", "dout_peric1_usi13_usi", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_6, +- 21, 0, 0), ++ 21, CLK_SET_RATE_PARENT, 0), + GATE(CLK_GOUT_PERIC1_PERIC1_TOP0_IPCLK_8, + "gout_peric1_peric1_top0_ipclk_8", "dout_peric1_i3c", + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_8, +-- +2.43.0 + diff --git a/queue-6.9/cppc_cpufreq-fix-possible-null-pointer-dereference.patch b/queue-6.9/cppc_cpufreq-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..ea2a3a86ff8 --- /dev/null +++ b/queue-6.9/cppc_cpufreq-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,65 @@ +From 63e1d42b001ad050f814686a2a425af32832eaad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 12:35:36 +0300 +Subject: cppc_cpufreq: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit cf7de25878a1f4508c69dc9f6819c21ba177dbfe ] + +cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from +different places with various parameters. So cpufreq_cpu_get() can return +null as 'policy' in some circumstances. +Fix this bug by adding null return check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a28b2bfc099c ("cppc_cpufreq: replace per-cpu data array with a list") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 64420d9cfd1ed..15f1d41920a33 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -741,10 +741,15 @@ static unsigned int cppc_cpufreq_get_rate(unsigned int cpu) + { + struct cppc_perf_fb_ctrs fb_ctrs_t0 = {0}, fb_ctrs_t1 = {0}; + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); +- struct cppc_cpudata *cpu_data = policy->driver_data; ++ struct cppc_cpudata *cpu_data; + u64 delivered_perf; + int ret; + ++ if (!policy) ++ return -ENODEV; ++ ++ cpu_data = policy->driver_data; ++ + cpufreq_cpu_put(policy); + + ret = cppc_get_perf_ctrs(cpu, &fb_ctrs_t0); +@@ -822,10 +827,15 @@ static struct cpufreq_driver cppc_cpufreq_driver = { + static unsigned int hisi_cppc_cpufreq_get_rate(unsigned int cpu) + { + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); +- struct cppc_cpudata *cpu_data = policy->driver_data; ++ struct cppc_cpudata *cpu_data; + u64 desired_perf; + int ret; + ++ if (!policy) ++ return -ENODEV; ++ ++ cpu_data = policy->driver_data; ++ + cpufreq_cpu_put(policy); + + ret = cppc_get_desired_perf(cpu, &desired_perf); +-- +2.43.0 + diff --git a/queue-6.9/cpufreq-brcmstb-avs-cpufreq-iso-c90-forbids-mixed-de.patch b/queue-6.9/cpufreq-brcmstb-avs-cpufreq-iso-c90-forbids-mixed-de.patch new file mode 100644 index 00000000000..3cc0c661476 --- /dev/null +++ b/queue-6.9/cpufreq-brcmstb-avs-cpufreq-iso-c90-forbids-mixed-de.patch @@ -0,0 +1,44 @@ +From cc91721932aab13947351a1b3d193be9cabaf356 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 15:02:20 +1000 +Subject: cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations + +From: Portia Stephens + +[ Upstream commit fa7bd98f3c8b33fb68c6b2bc69cff32b63db69f8 ] + +There is a compile warning because a NULL pointer check was added before +a struct was declared. This moves the NULL pointer check to after the +struct is declared and moves the struct assignment to after the NULL +pointer check. + +Fixes: f661017e6d32 ("cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value") +Signed-off-by: Portia Stephens +Acked-by: Florian Fainelli +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/brcmstb-avs-cpufreq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c +index 1a1857b0a6f48..ea8438550b490 100644 +--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c ++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c +@@ -481,9 +481,12 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv) + static unsigned int brcm_avs_cpufreq_get(unsigned int cpu) + { + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); ++ struct private_data *priv; ++ + if (!policy) + return 0; +- struct private_data *priv = policy->driver_data; ++ ++ priv = policy->driver_data; + + cpufreq_cpu_put(policy); + +-- +2.43.0 + diff --git a/queue-6.9/cpufreq-exit-callback-is-optional.patch b/queue-6.9/cpufreq-exit-callback-is-optional.patch new file mode 100644 index 00000000000..d794cdd690c --- /dev/null +++ b/queue-6.9/cpufreq-exit-callback-is-optional.patch @@ -0,0 +1,58 @@ +From b0ed7c2b8f5445ff328aae62fae628154d9993bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 11:19:20 +0530 +Subject: cpufreq: exit() callback is optional + +From: Viresh Kumar + +[ Upstream commit b8f85833c05730d631576008daaa34096bc7f3ce ] + +The exit() callback is optional and shouldn't be called without checking +a valid pointer first. + +Also, we must clear freq_table pointer even if the exit() callback isn't +present. + +Signed-off-by: Viresh Kumar +Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs") +Fixes: f339f3541701 ("cpufreq: Rearrange locking in cpufreq_remove_dev()") +Reported-by: Lizhe +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 66e10a19d76ab..fd9c3ed21f49c 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1679,10 +1679,13 @@ static void __cpufreq_offline(unsigned int cpu, struct cpufreq_policy *policy) + */ + if (cpufreq_driver->offline) { + cpufreq_driver->offline(policy); +- } else if (cpufreq_driver->exit) { +- cpufreq_driver->exit(policy); +- policy->freq_table = NULL; ++ return; + } ++ ++ if (cpufreq_driver->exit) ++ cpufreq_driver->exit(policy); ++ ++ policy->freq_table = NULL; + } + + static int cpufreq_offline(unsigned int cpu) +@@ -1740,7 +1743,7 @@ static void cpufreq_remove_dev(struct device *dev, struct subsys_interface *sif) + } + + /* We did light-weight exit earlier, do full tear down now */ +- if (cpufreq_driver->offline) ++ if (cpufreq_driver->offline && cpufreq_driver->exit) + cpufreq_driver->exit(policy); + + up_write(&policy->rwsem); +-- +2.43.0 + diff --git a/queue-6.9/crypto-bcm-fix-pointer-arithmetic.patch b/queue-6.9/crypto-bcm-fix-pointer-arithmetic.patch new file mode 100644 index 00000000000..9757a0c5209 --- /dev/null +++ b/queue-6.9/crypto-bcm-fix-pointer-arithmetic.patch @@ -0,0 +1,40 @@ +From 297c6997dd92be7c7ab46f0d74acf4fa21b18dd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 23:59:15 +0300 +Subject: crypto: bcm - Fix pointer arithmetic + +From: Aleksandr Mishin + +[ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ] + +In spu2_dump_omd() value of ptr is increased by ciph_key_len +instead of hash_iv_len which could lead to going beyond the +buffer boundaries. +Fix this bug by changing ciph_key_len to hash_iv_len. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/bcm/spu2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c +index 07989bb8c220a..3fdc64b5a65e7 100644 +--- a/drivers/crypto/bcm/spu2.c ++++ b/drivers/crypto/bcm/spu2.c +@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, + if (hash_iv_len) { + packet_log(" Hash IV Length %u bytes\n", hash_iv_len); + packet_dump(" hash IV: ", ptr, hash_iv_len); +- ptr += ciph_key_len; ++ ptr += hash_iv_len; + } + + if (ciph_iv_len) { +-- +2.43.0 + diff --git a/queue-6.9/crypto-ccp-drop-platform-ifdef-checks.patch b/queue-6.9/crypto-ccp-drop-platform-ifdef-checks.patch new file mode 100644 index 00000000000..bff8e98cd57 --- /dev/null +++ b/queue-6.9/crypto-ccp-drop-platform-ifdef-checks.patch @@ -0,0 +1,94 @@ +From 176073173f602596b7959d29f0bac2e999fccf55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:42 +0200 +Subject: crypto: ccp - drop platform ifdef checks + +From: Arnd Bergmann + +[ Upstream commit 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab ] + +When both ACPI and OF are disabled, the dev_vdata variable is unused: + +drivers/crypto/ccp/sp-platform.c:33:34: error: unused variable 'dev_vdata' [-Werror,-Wunused-const-variable] + +This is not a useful configuration, and there is not much point in saving +a few bytes when only one of the two is enabled, so just remove all +these ifdef checks and rely on of_match_node() and acpi_match_device() +returning NULL when these subsystems are disabled. + +Fixes: 6c5063434098 ("crypto: ccp - Add ACPI support") +Signed-off-by: Arnd Bergmann +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-platform.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c +index 4733012377601..ff6ceb4feee04 100644 +--- a/drivers/crypto/ccp/sp-platform.c ++++ b/drivers/crypto/ccp/sp-platform.c +@@ -39,44 +39,38 @@ static const struct sp_dev_vdata dev_vdata[] = { + }, + }; + +-#ifdef CONFIG_ACPI + static const struct acpi_device_id sp_acpi_match[] = { + { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(acpi, sp_acpi_match); +-#endif + +-#ifdef CONFIG_OF + static const struct of_device_id sp_of_match[] = { + { .compatible = "amd,ccp-seattle-v1a", + .data = (const void *)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(of, sp_of_match); +-#endif + + static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) + { +-#ifdef CONFIG_OF + const struct of_device_id *match; + + match = of_match_node(sp_of_match, pdev->dev.of_node); + if (match && match->data) + return (struct sp_dev_vdata *)match->data; +-#endif ++ + return NULL; + } + + static struct sp_dev_vdata *sp_get_acpi_version(struct platform_device *pdev) + { +-#ifdef CONFIG_ACPI + const struct acpi_device_id *match; + + match = acpi_match_device(sp_acpi_match, &pdev->dev); + if (match && match->driver_data) + return (struct sp_dev_vdata *)match->driver_data; +-#endif ++ + return NULL; + } + +@@ -212,12 +206,8 @@ static int sp_platform_resume(struct platform_device *pdev) + static struct platform_driver sp_platform_driver = { + .driver = { + .name = "ccp", +-#ifdef CONFIG_ACPI + .acpi_match_table = sp_acpi_match, +-#endif +-#ifdef CONFIG_OF + .of_match_table = sp_of_match, +-#endif + }, + .probe = sp_platform_probe, + .remove_new = sp_platform_remove, +-- +2.43.0 + diff --git a/queue-6.9/crypto-octeontx2-add-missing-check-for-dma_map_singl.patch b/queue-6.9/crypto-octeontx2-add-missing-check-for-dma_map_singl.patch new file mode 100644 index 00000000000..f2cd94c8c37 --- /dev/null +++ b/queue-6.9/crypto-octeontx2-add-missing-check-for-dma_map_singl.patch @@ -0,0 +1,39 @@ +From 79a439bee68488d3c3b19edf8c506d21eed096ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 01:59:14 +0000 +Subject: crypto: octeontx2 - add missing check for dma_map_single + +From: Chen Ni + +[ Upstream commit 6a6d6a3a328a59ed0d8ae2e65696ef38e49133a0 ] + +Add check for dma_map_single() and return error if it fails in order +to avoid invalid dma address. + +Fixes: e92971117c2c ("crypto: octeontx2 - add ctx_val workaround") +Signed-off-by: Chen Ni +Reviewed-by: Bharat Bhushan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/octeontx2/cn10k_cpt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/marvell/octeontx2/cn10k_cpt.c b/drivers/crypto/marvell/octeontx2/cn10k_cpt.c +index 79b4e74804f6d..6bfc59e677478 100644 +--- a/drivers/crypto/marvell/octeontx2/cn10k_cpt.c ++++ b/drivers/crypto/marvell/octeontx2/cn10k_cpt.c +@@ -138,6 +138,10 @@ int cn10k_cpt_hw_ctx_init(struct pci_dev *pdev, + return -ENOMEM; + cptr_dma = dma_map_single(&pdev->dev, hctx, CN10K_CPT_HW_CTX_SIZE, + DMA_BIDIRECTIONAL); ++ if (dma_mapping_error(&pdev->dev, cptr_dma)) { ++ kfree(hctx); ++ return -ENOMEM; ++ } + + cn10k_cpt_hw_ctx_set(hctx, 1); + er_ctx->hw_ctx = hctx; +-- +2.43.0 + diff --git a/queue-6.9/crypto-qat-improve-error-logging-to-be-consistent-ac.patch b/queue-6.9/crypto-qat-improve-error-logging-to-be-consistent-ac.patch new file mode 100644 index 00000000000..746bcfc9cfb --- /dev/null +++ b/queue-6.9/crypto-qat-improve-error-logging-to-be-consistent-ac.patch @@ -0,0 +1,37 @@ +From 7dbc5b6346d2bb98a0dc82a80237925519cec29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 13:24:03 +0100 +Subject: crypto: qat - improve error logging to be consistent across features + +From: Adam Guerin + +[ Upstream commit d281a28bd2a94d72c440457e05a2f04a52f15947 ] + +Improve error logging in rate limiting feature. Staying consistent with +the error logging found in the telemetry feature. + +Fixes: d9fb8408376e ("crypto: qat - add rate limiting feature to qat_4xxx") +Signed-off-by: Adam Guerin +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/adf_rl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_rl.c b/drivers/crypto/intel/qat/qat_common/adf_rl.c +index d4f2db3c53d8c..e10f0024f4b85 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_rl.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_rl.c +@@ -1125,7 +1125,7 @@ int adf_rl_start(struct adf_accel_dev *accel_dev) + } + + if ((fw_caps & RL_CAPABILITY_MASK) != RL_CAPABILITY_VALUE) { +- dev_info(&GET_DEV(accel_dev), "not supported\n"); ++ dev_info(&GET_DEV(accel_dev), "feature not supported by FW\n"); + ret = -EOPNOTSUPP; + goto ret_free; + } +-- +2.43.0 + diff --git a/queue-6.9/crypto-qat-improve-error-message-in-adf_get_arbiter_.patch b/queue-6.9/crypto-qat-improve-error-message-in-adf_get_arbiter_.patch new file mode 100644 index 00000000000..83b39c41904 --- /dev/null +++ b/queue-6.9/crypto-qat-improve-error-message-in-adf_get_arbiter_.patch @@ -0,0 +1,50 @@ +From 2550c93cea6a100f3f5ab89ad204b0bb8df51c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 13:24:02 +0100 +Subject: crypto: qat - improve error message in adf_get_arbiter_mapping() + +From: Adam Guerin + +[ Upstream commit 4a4fc6c0c7fe29f2538013a57ebd7813ec6c12a8 ] + +Improve error message to be more readable. + +Fixes: 5da6a2d5353e ("crypto: qat - generate dynamically arbiter mappings") +Signed-off-by: Adam Guerin +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 2 +- + drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +index 1102c47f8293d..1d0ef47a9f250 100644 +--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c ++++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +@@ -296,7 +296,7 @@ static const u32 *adf_get_arbiter_mapping(struct adf_accel_dev *accel_dev) + { + if (adf_gen4_init_thd2arb_map(accel_dev)) + dev_warn(&GET_DEV(accel_dev), +- "Generate of the thread to arbiter map failed"); ++ "Failed to generate thread to arbiter mapping"); + + return GET_HW_DATA(accel_dev)->thd_to_arb_map; + } +diff --git a/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c +index 927506cf271d0..fb34fd7f03952 100644 +--- a/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c ++++ b/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c +@@ -208,7 +208,7 @@ static const u32 *adf_get_arbiter_mapping(struct adf_accel_dev *accel_dev) + { + if (adf_gen4_init_thd2arb_map(accel_dev)) + dev_warn(&GET_DEV(accel_dev), +- "Generate of the thread to arbiter map failed"); ++ "Failed to generate thread to arbiter mapping"); + + return GET_HW_DATA(accel_dev)->thd_to_arb_map; + } +-- +2.43.0 + diff --git a/queue-6.9/crypto-qat-specify-firmware-files-for-402xx.patch b/queue-6.9/crypto-qat-specify-firmware-files-for-402xx.patch new file mode 100644 index 00000000000..ae9ff9380b3 --- /dev/null +++ b/queue-6.9/crypto-qat-specify-firmware-files-for-402xx.patch @@ -0,0 +1,43 @@ +From 85d678fdf63809b072ef44f4192395effcd0ba61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 15:13:17 +0100 +Subject: crypto: qat - specify firmware files for 402xx + +From: Giovanni Cabiddu + +[ Upstream commit a3dc1f2b6b932a13f139d3be3c765155542c1070 ] + +The 4xxx driver can probe 4xxx and 402xx devices. However, the driver +only specifies the firmware images required for 4xxx. +This might result in external tools missing these binaries, if required, +in the initramfs. + +Specify the firmware image used by 402xx with the MODULE_FIRMWARE() +macros in the 4xxx driver. + +Fixes: a3e8c919b993 ("crypto: qat - add support for 402xx devices") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Damian Muszynski +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_4xxx/adf_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c b/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c +index 9762f2bf7727f..d26564cebdec4 100644 +--- a/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c ++++ b/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c +@@ -197,7 +197,9 @@ module_pci_driver(adf_driver); + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_AUTHOR("Intel"); + MODULE_FIRMWARE(ADF_4XXX_FW); ++MODULE_FIRMWARE(ADF_402XX_FW); + MODULE_FIRMWARE(ADF_4XXX_MMP); ++MODULE_FIRMWARE(ADF_402XX_MMP); + MODULE_DESCRIPTION("Intel(R) QuickAssist Technology"); + MODULE_VERSION(ADF_DRV_VERSION); + MODULE_SOFTDEP("pre: crypto-intel_qat"); +-- +2.43.0 + diff --git a/queue-6.9/crypto-qat-validate-slices-count-returned-by-fw.patch b/queue-6.9/crypto-qat-validate-slices-count-returned-by-fw.patch new file mode 100644 index 00000000000..f6b6d5e9088 --- /dev/null +++ b/queue-6.9/crypto-qat-validate-slices-count-returned-by-fw.patch @@ -0,0 +1,101 @@ +From c26617c2b996cd93aad8debea846f1fa43e66376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 12:33:37 +0200 +Subject: crypto: qat - validate slices count returned by FW + +From: Lucas Segarra Fernandez + +[ Upstream commit 483fd65ce29317044d1d00757e3fd23503b6b04c ] + +The function adf_send_admin_tl_start() enables the telemetry (TL) +feature on a QAT device by sending the ICP_QAT_FW_TL_START message to +the firmware. This triggers the FW to start writing TL data to a DMA +buffer in memory and returns an array containing the number of +accelerators of each type (slices) supported by this HW. +The pointer to this array is stored in the adf_tl_hw_data data +structure called slice_cnt. + +The array slice_cnt is then used in the function tl_print_dev_data() +to report in debugfs only statistics about the supported accelerators. +An incorrect value of the elements in slice_cnt might lead to an out +of bounds memory read. +At the moment, there isn't an implementation of FW that returns a wrong +value, but for robustness validate the slice count array returned by FW. + +Fixes: 69e7649f7cc2 ("crypto: qat - add support for device telemetry") +Signed-off-by: Lucas Segarra Fernandez +Reviewed-by: Damian Muszynski +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/intel/qat/qat_common/adf_gen4_tl.c | 1 + + .../intel/qat/qat_common/adf_telemetry.c | 21 +++++++++++++++++++ + .../intel/qat/qat_common/adf_telemetry.h | 1 + + 3 files changed, 23 insertions(+) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c +index 7fc7a77f6aed9..c7ad8cf07863b 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c +@@ -149,5 +149,6 @@ void adf_gen4_init_tl_data(struct adf_tl_hw_data *tl_data) + tl_data->sl_exec_counters = sl_exec_counters; + tl_data->rp_counters = rp_counters; + tl_data->num_rp_counters = ARRAY_SIZE(rp_counters); ++ tl_data->max_sl_cnt = ADF_GEN4_TL_MAX_SLICES_PER_TYPE; + } + EXPORT_SYMBOL_GPL(adf_gen4_init_tl_data); +diff --git a/drivers/crypto/intel/qat/qat_common/adf_telemetry.c b/drivers/crypto/intel/qat/qat_common/adf_telemetry.c +index 2ff714d11bd2f..74fb0c2ed2412 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_telemetry.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_telemetry.c +@@ -41,6 +41,20 @@ static int validate_tl_data(struct adf_tl_hw_data *tl_data) + return 0; + } + ++static int validate_tl_slice_counters(struct icp_qat_fw_init_admin_slice_cnt *slice_count, ++ u8 max_slices_per_type) ++{ ++ u8 *sl_counter = (u8 *)slice_count; ++ int i; ++ ++ for (i = 0; i < ADF_TL_SL_CNT_COUNT; i++) { ++ if (sl_counter[i] > max_slices_per_type) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int adf_tl_alloc_mem(struct adf_accel_dev *accel_dev) + { + struct adf_tl_hw_data *tl_data = &GET_TL_DATA(accel_dev); +@@ -214,6 +228,13 @@ int adf_tl_run(struct adf_accel_dev *accel_dev, int state) + return ret; + } + ++ ret = validate_tl_slice_counters(&telemetry->slice_cnt, tl_data->max_sl_cnt); ++ if (ret) { ++ dev_err(dev, "invalid value returned by FW\n"); ++ adf_send_admin_tl_stop(accel_dev); ++ return ret; ++ } ++ + telemetry->hbuffs = state; + atomic_set(&telemetry->state, state); + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_telemetry.h b/drivers/crypto/intel/qat/qat_common/adf_telemetry.h +index 9be81cd3b8860..e54a406cc1b4a 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_telemetry.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_telemetry.h +@@ -40,6 +40,7 @@ struct adf_tl_hw_data { + u8 num_dev_counters; + u8 num_rp_counters; + u8 max_rp; ++ u8 max_sl_cnt; + }; + + struct adf_telemetry { +-- +2.43.0 + diff --git a/queue-6.9/crypto-x86-nh-avx2-add-missing-vzeroupper.patch b/queue-6.9/crypto-x86-nh-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..2738421ed40 --- /dev/null +++ b/queue-6.9/crypto-x86-nh-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,36 @@ +From 15539aa48d91bd9d14a7b465201198c96f3dfca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:08 -0400 +Subject: crypto: x86/nh-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 4ad096cca942959871d8ff73826d30f81f856f6e ] + +Since nh_avx2() uses ymm registers, execute vzeroupper before returning +from it. This is necessary to avoid reducing the performance of SSE +code. + +Fixes: 0f961f9f670e ("crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/nh-avx2-x86_64.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/nh-avx2-x86_64.S b/arch/x86/crypto/nh-avx2-x86_64.S +index ef73a3ab87263..791386d9a83aa 100644 +--- a/arch/x86/crypto/nh-avx2-x86_64.S ++++ b/arch/x86/crypto/nh-avx2-x86_64.S +@@ -154,5 +154,6 @@ SYM_TYPED_FUNC_START(nh_avx2) + vpaddq T1, T0, T0 + vpaddq T4, T0, T0 + vmovdqu T0, (HASH) ++ vzeroupper + RET + SYM_FUNC_END(nh_avx2) +-- +2.43.0 + diff --git a/queue-6.9/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch b/queue-6.9/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..ba82d7c321d --- /dev/null +++ b/queue-6.9/crypto-x86-sha256-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,37 @@ +From 16ac60c33a410a072a764211863ddcb58975fdc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:09 -0400 +Subject: crypto: x86/sha256-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 57ce8a4e162599cf9adafef1f29763160a8e5564 ] + +Since sha256_transform_rorx() uses ymm registers, execute vzeroupper +before returning from it. This is necessary to avoid reducing the +performance of SSE code. + +Fixes: d34a460092d8 ("crypto: sha256 - Optimized sha256 x86_64 routine using AVX2's RORX instructions") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/sha256-avx2-asm.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S +index 9918212faf914..0ffb072be9561 100644 +--- a/arch/x86/crypto/sha256-avx2-asm.S ++++ b/arch/x86/crypto/sha256-avx2-asm.S +@@ -716,6 +716,7 @@ SYM_TYPED_FUNC_START(sha256_transform_rorx) + popq %r13 + popq %r12 + popq %rbx ++ vzeroupper + RET + SYM_FUNC_END(sha256_transform_rorx) + +-- +2.43.0 + diff --git a/queue-6.9/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch b/queue-6.9/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch new file mode 100644 index 00000000000..f4bd37f9a49 --- /dev/null +++ b/queue-6.9/crypto-x86-sha512-avx2-add-missing-vzeroupper.patch @@ -0,0 +1,37 @@ +From a6ea7ac5e6a02243d7aab5ebe24d3e358e6adcec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 20:26:10 -0400 +Subject: crypto: x86/sha512-avx2 - add missing vzeroupper + +From: Eric Biggers + +[ Upstream commit 6a24fdfe1edbafacdacd53516654d99068f20eec ] + +Since sha512_transform_rorx() uses ymm registers, execute vzeroupper +before returning from it. This is necessary to avoid reducing the +performance of SSE code. + +Fixes: e01d69cb0195 ("crypto: sha512 - Optimized SHA512 x86_64 assembly routine using AVX instructions.") +Signed-off-by: Eric Biggers +Acked-by: Tim Chen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/sha512-avx2-asm.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S +index f08496cd68708..24973f42c43ff 100644 +--- a/arch/x86/crypto/sha512-avx2-asm.S ++++ b/arch/x86/crypto/sha512-avx2-asm.S +@@ -680,6 +680,7 @@ SYM_TYPED_FUNC_START(sha512_transform_rorx) + pop %r12 + pop %rbx + ++ vzeroupper + RET + SYM_FUNC_END(sha512_transform_rorx) + +-- +2.43.0 + diff --git a/queue-6.9/dax-bus.c-don-t-use-down_write_killable-for-non-user.patch b/queue-6.9/dax-bus.c-don-t-use-down_write_killable-for-non-user.patch new file mode 100644 index 00000000000..8f0fd967839 --- /dev/null +++ b/queue-6.9/dax-bus.c-don-t-use-down_write_killable-for-non-user.patch @@ -0,0 +1,46 @@ +From ec98f16594074cb1a00c703e91b59c0f284ec9ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 11:44:25 -0600 +Subject: dax/bus.c: don't use down_write_killable for non-user processes + +From: Vishal Verma + +[ Upstream commit e39dbcfba714c4c2e924e96fc8fdde1080a5a737 ] + +Change an instance of down_write_killable() to a simple down_write() where +there is no user process that might want to interrupt the operation. + +Link: https://lkml.kernel.org/r/20240430-vv-dax_abi_fixes-v3-3-e3dcd755774c@intel.com +Fixes: c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by a local rwsem") +Signed-off-by: Vishal Verma +Reported-by: Dan Williams +Reviewed-by: Dan Williams +Cc: Alison Schofield +Cc: Dave Jiang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index e2c7354ce3281..0011a6e6a8f2a 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -1540,12 +1540,8 @@ static struct dev_dax *__devm_create_dev_dax(struct dev_dax_data *data) + struct dev_dax *devm_create_dev_dax(struct dev_dax_data *data) + { + struct dev_dax *dev_dax; +- int rc; +- +- rc = down_write_killable(&dax_region_rwsem); +- if (rc) +- return ERR_PTR(rc); + ++ down_write(&dax_region_rwsem); + dev_dax = __devm_create_dev_dax(data); + up_write(&dax_region_rwsem); + +-- +2.43.0 + diff --git a/queue-6.9/dax-bus.c-fix-locking-for-unregister_dax_dev-unregis.patch b/queue-6.9/dax-bus.c-fix-locking-for-unregister_dax_dev-unregis.patch new file mode 100644 index 00000000000..468f7fc09c1 --- /dev/null +++ b/queue-6.9/dax-bus.c-fix-locking-for-unregister_dax_dev-unregis.patch @@ -0,0 +1,138 @@ +From 9292fd837049095799bbf930b64261251116cc07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 11:44:24 -0600 +Subject: dax/bus.c: fix locking for unregister_dax_dev / + unregister_dax_mapping paths + +From: Vishal Verma + +[ Upstream commit 6f6544f27e41f9d7dca55c288f12175a9c48dfe2 ] + +Commit c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by a local +rwsem") aimed to undo device_lock() abuses for protecting changes to +dax-driver internal data-structures like the dax_region resource tree to +device-dax-instance range structures. However, the device_lock() was +legitimately enforcing that devices to be deleted were not current +actively attached to any driver nor assigned any capacity from the region. + +As a result of the device_lock restoration in delete_store(), the +conditional locking in unregister_dev_dax() and unregister_dax_mapping() +can be removed. + +Link: https://lkml.kernel.org/r/20240430-vv-dax_abi_fixes-v3-2-e3dcd755774c@intel.com +Fixes: c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by a local rwsem") +Signed-off-by: Vishal Verma +Reported-by: Dan Williams +Reviewed-by: Dan Williams +Cc: Alison Schofield +Cc: Dave Jiang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 42 ++++++++---------------------------------- + 1 file changed, 8 insertions(+), 34 deletions(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index 7924dd542a139..e2c7354ce3281 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -465,26 +465,17 @@ static void free_dev_dax_ranges(struct dev_dax *dev_dax) + trim_dev_dax_range(dev_dax); + } + +-static void __unregister_dev_dax(void *dev) ++static void unregister_dev_dax(void *dev) + { + struct dev_dax *dev_dax = to_dev_dax(dev); + + dev_dbg(dev, "%s\n", __func__); + ++ down_write(&dax_region_rwsem); + kill_dev_dax(dev_dax); + device_del(dev); + free_dev_dax_ranges(dev_dax); + put_device(dev); +-} +- +-static void unregister_dev_dax(void *dev) +-{ +- if (rwsem_is_locked(&dax_region_rwsem)) +- return __unregister_dev_dax(dev); +- +- if (WARN_ON_ONCE(down_write_killable(&dax_region_rwsem) != 0)) +- return; +- __unregister_dev_dax(dev); + up_write(&dax_region_rwsem); + } + +@@ -560,15 +551,10 @@ static ssize_t delete_store(struct device *dev, struct device_attribute *attr, + if (!victim) + return -ENXIO; + +- rc = down_write_killable(&dax_region_rwsem); +- if (rc) +- return rc; +- rc = down_write_killable(&dax_dev_rwsem); +- if (rc) { +- up_write(&dax_region_rwsem); +- return rc; +- } ++ device_lock(dev); ++ device_lock(victim); + dev_dax = to_dev_dax(victim); ++ down_write(&dax_dev_rwsem); + if (victim->driver || dev_dax_size(dev_dax)) + rc = -EBUSY; + else { +@@ -589,11 +575,12 @@ static ssize_t delete_store(struct device *dev, struct device_attribute *attr, + rc = -EBUSY; + } + up_write(&dax_dev_rwsem); ++ device_unlock(victim); + + /* won the race to invalidate the device, clean it up */ + if (do_del) + devm_release_action(dev, unregister_dev_dax, victim); +- up_write(&dax_region_rwsem); ++ device_unlock(dev); + put_device(victim); + + return rc; +@@ -705,7 +692,7 @@ static void dax_mapping_release(struct device *dev) + put_device(parent); + } + +-static void __unregister_dax_mapping(void *data) ++static void unregister_dax_mapping(void *data) + { + struct device *dev = data; + struct dax_mapping *mapping = to_dax_mapping(dev); +@@ -713,25 +700,12 @@ static void __unregister_dax_mapping(void *data) + + dev_dbg(dev, "%s\n", __func__); + +- lockdep_assert_held_write(&dax_region_rwsem); +- + dev_dax->ranges[mapping->range_id].mapping = NULL; + mapping->range_id = -1; + + device_unregister(dev); + } + +-static void unregister_dax_mapping(void *data) +-{ +- if (rwsem_is_locked(&dax_region_rwsem)) +- return __unregister_dax_mapping(data); +- +- if (WARN_ON_ONCE(down_write_killable(&dax_region_rwsem) != 0)) +- return; +- __unregister_dax_mapping(data); +- up_write(&dax_region_rwsem); +-} +- + static struct dev_dax_range *get_dax_range(struct device *dev) + { + struct dax_mapping *mapping = to_dax_mapping(dev); +-- +2.43.0 + diff --git a/queue-6.9/dax-bus.c-replace-warn_on_once-with-lockdep-asserts.patch b/queue-6.9/dax-bus.c-replace-warn_on_once-with-lockdep-asserts.patch new file mode 100644 index 00000000000..82d0c502b0d --- /dev/null +++ b/queue-6.9/dax-bus.c-replace-warn_on_once-with-lockdep-asserts.patch @@ -0,0 +1,120 @@ +From 420d9d129ed4287423e5f28a5a404b0b29b5746a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 11:44:23 -0600 +Subject: dax/bus.c: replace WARN_ON_ONCE() with lockdep asserts + +From: Vishal Verma + +[ Upstream commit c14c647bbe23fd96f6bffcc122b9c6c8c46c7928 ] + +Patch series "dax/bus.c: Fixups for dax-bus locking", v3. + +Commit Fixes: c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by +a local rwsem") introduced a few problems that this series aims to fix. +Add back device_lock() where it was correctly used (during device +manipulation operations), remove conditional locking in +unregister_dax_dev() and unregister_dax_mapping(), use non-interruptible +versions of rwsem locks when not called from a user process, and fix up a +write vs. read usage of an rwsem. + +This patch (of 4): + +In [1], Dan points out that all of the WARN_ON_ONCE() usage in the +referenced patch should be replaced with lockdep_assert_held, or +lockdep_held_assert_write(). Replace these as appropriate. + +Link: https://lkml.kernel.org/r/20240430-vv-dax_abi_fixes-v3-0-e3dcd755774c@intel.com +Link: https://lore.kernel.org/r/65f0b5ef41817_aa222941a@dwillia2-mobl3.amr.corp.intel.com.notmuch [1] +Link: https://lkml.kernel.org/r/20240430-vv-dax_abi_fixes-v3-1-e3dcd755774c@intel.com +Fixes: c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by a local rwsem") +Signed-off-by: Vishal Verma +Reported-by: Dan Williams +Reviewed-by: Dan Williams +Cc: Alison Schofield +Cc: Dave Jiang +Cc: Vishal Verma +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index 797e1ebff2997..7924dd542a139 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -192,7 +192,7 @@ static u64 dev_dax_size(struct dev_dax *dev_dax) + u64 size = 0; + int i; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_dev_rwsem)); ++ lockdep_assert_held(&dax_dev_rwsem); + + for (i = 0; i < dev_dax->nr_range; i++) + size += range_len(&dev_dax->ranges[i].range); +@@ -302,7 +302,7 @@ static unsigned long long dax_region_avail_size(struct dax_region *dax_region) + resource_size_t size = resource_size(&dax_region->res); + struct resource *res; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held(&dax_region_rwsem); + + for_each_dax_region_resource(dax_region, res) + size -= resource_size(res); +@@ -447,7 +447,7 @@ static void trim_dev_dax_range(struct dev_dax *dev_dax) + struct range *range = &dev_dax->ranges[i].range; + struct dax_region *dax_region = dev_dax->region; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held_write(&dax_region_rwsem); + dev_dbg(&dev_dax->dev, "delete range[%d]: %#llx:%#llx\n", i, + (unsigned long long)range->start, + (unsigned long long)range->end); +@@ -507,7 +507,7 @@ static int __free_dev_dax_id(struct dev_dax *dev_dax) + struct dax_region *dax_region; + int rc = dev_dax->id; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_dev_rwsem)); ++ lockdep_assert_held_write(&dax_dev_rwsem); + + if (!dev_dax->dyn_id || dev_dax->id < 0) + return -1; +@@ -713,7 +713,7 @@ static void __unregister_dax_mapping(void *data) + + dev_dbg(dev, "%s\n", __func__); + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held_write(&dax_region_rwsem); + + dev_dax->ranges[mapping->range_id].mapping = NULL; + mapping->range_id = -1; +@@ -830,7 +830,7 @@ static int devm_register_dax_mapping(struct dev_dax *dev_dax, int range_id) + struct device *dev; + int rc; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held_write(&dax_region_rwsem); + + if (dev_WARN_ONCE(&dev_dax->dev, !dax_region->dev->driver, + "region disabled\n")) +@@ -876,7 +876,7 @@ static int alloc_dev_dax_range(struct dev_dax *dev_dax, u64 start, + struct resource *alloc; + int i, rc; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held_write(&dax_region_rwsem); + + /* handle the seed alloc special case */ + if (!size) { +@@ -935,7 +935,7 @@ static int adjust_dev_dax_range(struct dev_dax *dev_dax, struct resource *res, r + struct device *dev = &dev_dax->dev; + int rc; + +- WARN_ON_ONCE(!rwsem_is_locked(&dax_region_rwsem)); ++ lockdep_assert_held_write(&dax_region_rwsem); + + if (dev_WARN_ONCE(dev, !size, "deletion is handled by dev_dax_shrink\n")) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.9/dax-bus.c-use-the-right-locking-mode-read-vs-write-i.patch b/queue-6.9/dax-bus.c-use-the-right-locking-mode-read-vs-write-i.patch new file mode 100644 index 00000000000..8db9c4a3234 --- /dev/null +++ b/queue-6.9/dax-bus.c-use-the-right-locking-mode-read-vs-write-i.patch @@ -0,0 +1,46 @@ +From 2eda4622187bf637375c484dfe4ebc870298c108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 11:44:26 -0600 +Subject: dax/bus.c: use the right locking mode (read vs write) in size_show + +From: Vishal Verma + +[ Upstream commit 2acf04532d6d655d8c3b2ee4ddeb320107043086 ] + +In size_show(), the dax_dev_rwsem only needs a read lock, but was +acquiring a write lock. Change it to down_read_interruptible() so it +doesn't unnecessarily hold a write lock. + +Link: https://lkml.kernel.org/r/20240430-vv-dax_abi_fixes-v3-4-e3dcd755774c@intel.com +Fixes: c05ae9d85b47 ("dax/bus.c: replace driver-core lock usage by a local rwsem") +Signed-off-by: Vishal Verma +Reviewed-by: Dan Williams +Cc: Alison Schofield +Cc: Dave Jiang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index 0011a6e6a8f2a..f24b67c64d5ec 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -937,11 +937,11 @@ static ssize_t size_show(struct device *dev, + unsigned long long size; + int rc; + +- rc = down_write_killable(&dax_dev_rwsem); ++ rc = down_read_interruptible(&dax_dev_rwsem); + if (rc) + return rc; + size = dev_dax_size(dev_dax); +- up_write(&dax_dev_rwsem); ++ up_read(&dax_dev_rwsem); + + return sysfs_emit(buf, "%llu\n", size); + } +-- +2.43.0 + diff --git a/queue-6.9/dev_printk-add-and-use-dev_no_printk.patch b/queue-6.9/dev_printk-add-and-use-dev_no_printk.patch new file mode 100644 index 00000000000..66981bc3a44 --- /dev/null +++ b/queue-6.9/dev_printk-add-and-use-dev_no_printk.patch @@ -0,0 +1,98 @@ +From 71aee11e3b4ea1194dcf1a1328386019e2f7ef94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 15:00:03 +0100 +Subject: dev_printk: Add and use dev_no_printk() + +From: Geert Uytterhoeven + +[ Upstream commit c26ec799042a3888935d59b599f33e41efedf5f8 ] + +When printk-indexing is enabled, each dev_printk() invocation emits a +pi_entry structure. This is even true when the dev_printk() is +protected by an always-false check, as is typically the case for debug +messages: while the actual code to print the message is optimized out by +the compiler, the pi_entry structure is still emitted. + +Avoid emitting pi_entry structures for unavailable dev_printk() kernel +messages by: + 1. Introducing a dev_no_printk() helper, mimicked after the existing + no_printk() helper, which calls _dev_printk() instead of + dev_printk(), + 2. Replacing all "if (0) dev_printk(...)" constructs by calls to the + new helper. + +This reduces the size of an arm64 defconfig kernel with +CONFIG_PRINTK_INDEX=y by 957 KiB. + +Fixes: ad7d61f159db7397 ("printk: index: Add indexing support to dev_printk") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Andy Shevchenko +Reviewed-by: Xiubo Li +Reviewed-by: Chris Down +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/8583d54f1687c801c6cda8edddf2cf0344c6e883.1709127473.git.geert+renesas@glider.be +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + include/linux/dev_printk.h | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/include/linux/dev_printk.h b/include/linux/dev_printk.h +index 6bfe70decc9fb..ae80a303c216b 100644 +--- a/include/linux/dev_printk.h ++++ b/include/linux/dev_printk.h +@@ -129,6 +129,16 @@ void _dev_info(const struct device *dev, const char *fmt, ...) + _dev_printk(level, dev, fmt, ##__VA_ARGS__); \ + }) + ++/* ++ * Dummy dev_printk for disabled debugging statements to use whilst maintaining ++ * gcc's format checking. ++ */ ++#define dev_no_printk(level, dev, fmt, ...) \ ++ ({ \ ++ if (0) \ ++ _dev_printk(level, dev, fmt, ##__VA_ARGS__); \ ++ }) ++ + /* + * #defines for all the dev_ macros to prefix with whatever + * possible use of #define dev_fmt(fmt) ... +@@ -158,10 +168,7 @@ void _dev_info(const struct device *dev, const char *fmt, ...) + dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #else + #define dev_dbg(dev, fmt, ...) \ +-({ \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-}) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + #ifdef CONFIG_PRINTK +@@ -247,20 +254,14 @@ do { \ + } while (0) + #else + #define dev_dbg_ratelimited(dev, fmt, ...) \ +-do { \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-} while (0) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + #ifdef VERBOSE_DEBUG + #define dev_vdbg dev_dbg + #else + #define dev_vdbg(dev, fmt, ...) \ +-({ \ +- if (0) \ +- dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \ +-}) ++ dev_no_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__) + #endif + + /* +-- +2.43.0 + diff --git a/queue-6.9/dlm-fix-user-space-lock-decision-to-copy-lvb.patch b/queue-6.9/dlm-fix-user-space-lock-decision-to-copy-lvb.patch new file mode 100644 index 00000000000..7fc858a2c38 --- /dev/null +++ b/queue-6.9/dlm-fix-user-space-lock-decision-to-copy-lvb.patch @@ -0,0 +1,143 @@ +From 3607973ea415750c99936c68dcd3c21e9bfbb64b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:48:33 -0400 +Subject: dlm: fix user space lock decision to copy lvb + +From: Alexander Aring + +[ Upstream commit ad191e0eeebf64a60ca2d16ca01a223d2b1dd25e ] + +This patch fixes the copy lvb decision for user space lock requests. +Checking dlm_lvb_operations is done earlier, where granted/requested +lock modes are available to use in the matrix. + +The decision had been moved to the wrong location, where granted mode +and requested mode where the same, which causes the dlm_lvb_operations +matix to produce the wrong copy decision. For PW or EX requests, the +caller could get invalid lvb data. + +Fixes: 61bed0baa4db ("fs: dlm: use a non-static queue for callbacks") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/ast.c | 14 ++++++++++++++ + fs/dlm/dlm_internal.h | 1 + + fs/dlm/user.c | 15 ++------------- + 3 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c +index 1f2f70a1b824e..decedc4ee15f6 100644 +--- a/fs/dlm/ast.c ++++ b/fs/dlm/ast.c +@@ -12,6 +12,7 @@ + #include + + #include "dlm_internal.h" ++#include "lvb_table.h" + #include "memory.h" + #include "lock.h" + #include "user.h" +@@ -42,6 +43,7 @@ int dlm_enqueue_lkb_callback(struct dlm_lkb *lkb, uint32_t flags, int mode, + struct dlm_ls *ls = lkb->lkb_resource->res_ls; + int rv = DLM_ENQUEUE_CALLBACK_SUCCESS; + struct dlm_callback *cb; ++ int copy_lvb = 0; + int prev_mode; + + if (flags & DLM_CB_BAST) { +@@ -73,6 +75,17 @@ int dlm_enqueue_lkb_callback(struct dlm_lkb *lkb, uint32_t flags, int mode, + goto out; + } + } ++ } else if (flags & DLM_CB_CAST) { ++ if (test_bit(DLM_DFL_USER_BIT, &lkb->lkb_dflags)) { ++ if (lkb->lkb_last_cast) ++ prev_mode = lkb->lkb_last_cb->mode; ++ else ++ prev_mode = -1; ++ ++ if (!status && lkb->lkb_lksb->sb_lvbptr && ++ dlm_lvb_operations[prev_mode + 1][mode + 1]) ++ copy_lvb = 1; ++ } + } + + cb = dlm_allocate_cb(); +@@ -85,6 +98,7 @@ int dlm_enqueue_lkb_callback(struct dlm_lkb *lkb, uint32_t flags, int mode, + cb->mode = mode; + cb->sb_status = status; + cb->sb_flags = (sbflags & 0x000000FF); ++ cb->copy_lvb = copy_lvb; + kref_init(&cb->ref); + if (!test_and_set_bit(DLM_IFL_CB_PENDING_BIT, &lkb->lkb_iflags)) + rv = DLM_ENQUEUE_CALLBACK_NEED_SCHED; +diff --git a/fs/dlm/dlm_internal.h b/fs/dlm/dlm_internal.h +index 3b4dbce849f0f..a9137c90f3483 100644 +--- a/fs/dlm/dlm_internal.h ++++ b/fs/dlm/dlm_internal.h +@@ -222,6 +222,7 @@ struct dlm_callback { + int sb_status; /* copy to lksb status */ + uint8_t sb_flags; /* copy to lksb flags */ + int8_t mode; /* rq mode of bast, gr mode of cast */ ++ int copy_lvb; + + struct list_head list; + struct kref ref; +diff --git a/fs/dlm/user.c b/fs/dlm/user.c +index 9f9b68448830e..12a483deeef5e 100644 +--- a/fs/dlm/user.c ++++ b/fs/dlm/user.c +@@ -21,7 +21,6 @@ + #include "dlm_internal.h" + #include "lockspace.h" + #include "lock.h" +-#include "lvb_table.h" + #include "user.h" + #include "ast.h" + #include "config.h" +@@ -806,8 +805,7 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count, + struct dlm_lkb *lkb; + DECLARE_WAITQUEUE(wait, current); + struct dlm_callback *cb; +- int rv, ret, copy_lvb = 0; +- int old_mode, new_mode; ++ int rv, ret; + + if (count == sizeof(struct dlm_device_version)) { + rv = copy_version_to_user(buf, count); +@@ -864,9 +862,6 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count, + + lkb = list_first_entry(&proc->asts, struct dlm_lkb, lkb_cb_list); + +- /* rem_lkb_callback sets a new lkb_last_cast */ +- old_mode = lkb->lkb_last_cast->mode; +- + rv = dlm_dequeue_lkb_callback(lkb, &cb); + switch (rv) { + case DLM_DEQUEUE_CALLBACK_EMPTY: +@@ -895,12 +890,6 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count, + if (cb->flags & DLM_CB_BAST) { + trace_dlm_bast(lkb->lkb_resource->res_ls, lkb, cb->mode); + } else if (cb->flags & DLM_CB_CAST) { +- new_mode = cb->mode; +- +- if (!cb->sb_status && lkb->lkb_lksb->sb_lvbptr && +- dlm_lvb_operations[old_mode + 1][new_mode + 1]) +- copy_lvb = 1; +- + lkb->lkb_lksb->sb_status = cb->sb_status; + lkb->lkb_lksb->sb_flags = cb->sb_flags; + trace_dlm_ast(lkb->lkb_resource->res_ls, lkb); +@@ -908,7 +897,7 @@ static ssize_t device_read(struct file *file, char __user *buf, size_t count, + + ret = copy_result_to_user(lkb->lkb_ua, + test_bit(DLM_PROC_FLAGS_COMPAT, &proc->flags), +- cb->flags, cb->mode, copy_lvb, buf, count); ++ cb->flags, cb->mode, cb->copy_lvb, buf, count); + + kref_put(&cb->ref, dlm_release_callback); + +-- +2.43.0 + diff --git a/queue-6.9/dm-delay-fix-hung-task-introduced-by-kthread-mode.patch b/queue-6.9/dm-delay-fix-hung-task-introduced-by-kthread-mode.patch new file mode 100644 index 00000000000..28542d49071 --- /dev/null +++ b/queue-6.9/dm-delay-fix-hung-task-introduced-by-kthread-mode.patch @@ -0,0 +1,43 @@ +From 7b0a62e39c03add06222ae0cd4d82f507a13cb78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 09:25:23 +0200 +Subject: dm-delay: fix hung task introduced by kthread mode + +From: Joel Colledge + +[ Upstream commit d14646f23300a5fc85be867bafdc0702c2002789 ] + +If the worker thread is not woken due to a bio, then it is not woken at +all. This causes the hung task check to trigger. This occurs, for +instance, when no bios are submitted. Also when a delay of 0 is +configured, delay_bio() returns without waking the worker. + +Prevent the hung task check from triggering by creating the thread with +kthread_run() instead of using kthread_create() directly. + +Fixes: 70bbeb29fab0 ("dm delay: for short delays, use kthread instead of timers and wq") +Signed-off-by: Joel Colledge +Reviewed-by: Benjamin Marzinski +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-delay.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index eec0daa4b227a..4ba12d5369949 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -269,8 +269,7 @@ static int delay_ctr(struct dm_target *ti, unsigned int argc, char **argv) + * In case of small requested delays, use kthread instead of + * timers and workqueue to achieve better latency. + */ +- dc->worker = kthread_create(&flush_worker_fn, dc, +- "dm-delay-flush-worker"); ++ dc->worker = kthread_run(&flush_worker_fn, dc, "dm-delay-flush-worker"); + if (IS_ERR(dc->worker)) { + ret = PTR_ERR(dc->worker); + dc->worker = NULL; +-- +2.43.0 + diff --git a/queue-6.9/dm-delay-fix-max_delay-calculations.patch b/queue-6.9/dm-delay-fix-max_delay-calculations.patch new file mode 100644 index 00000000000..9e7b22812ea --- /dev/null +++ b/queue-6.9/dm-delay-fix-max_delay-calculations.patch @@ -0,0 +1,51 @@ +From f81f44923d5df73d30125a7b4dce679f39c398ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 17:55:44 -0400 +Subject: dm-delay: fix max_delay calculations + +From: Benjamin Marzinski + +[ Upstream commit 64eb88d6caee2c8eb806a68dab3f184f14f818a4 ] + +delay_ctr() pointlessly compared max_delay in cases where multiple delay +classes were initialized identically. Also, when write delays were +configured different than read delays, delay_ctr() never compared their +value against max_delay. Fix these issues. + +Fixes: 70bbeb29fab0 ("dm delay: for short delays, use kthread instead of timers and wq") +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-delay.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index 4ba12d5369949..2ac43d1f1b92c 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -242,19 +242,18 @@ static int delay_ctr(struct dm_target *ti, unsigned int argc, char **argv) + ret = delay_class_ctr(ti, &dc->flush, argv); + if (ret) + goto bad; +- max_delay = max(max_delay, dc->write.delay); +- max_delay = max(max_delay, dc->flush.delay); + goto out; + } + + ret = delay_class_ctr(ti, &dc->write, argv + 3); + if (ret) + goto bad; ++ max_delay = max(max_delay, dc->write.delay); ++ + if (argc == 6) { + ret = delay_class_ctr(ti, &dc->flush, argv + 3); + if (ret) + goto bad; +- max_delay = max(max_delay, dc->flush.delay); + goto out; + } + +-- +2.43.0 + diff --git a/queue-6.9/dm-delay-fix-workqueue-delay_timer-race.patch b/queue-6.9/dm-delay-fix-workqueue-delay_timer-race.patch new file mode 100644 index 00000000000..d9bea3c0b87 --- /dev/null +++ b/queue-6.9/dm-delay-fix-workqueue-delay_timer-race.patch @@ -0,0 +1,55 @@ +From 6c03c93b0111606f11789689da929fbdb0bbc60a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 17:16:23 -0400 +Subject: dm-delay: fix workqueue delay_timer race + +From: Benjamin Marzinski + +[ Upstream commit 8d24790ed08ab4e619ce58ed4a1b353ab77ffdc5 ] + +delay_timer could be pending when delay_dtr() is called. It needs to be +shut down before kdelayd_wq is destroyed, so it won't try queueing more +work to kdelayd_wq while that's getting destroyed. + +Also the del_timer_sync() call in delay_presuspend() doesn't protect +against the timer getting immediately rearmed by the queued call to +flush_delayed_bios(), but there's no real harm if that does happen. +timer_delete() is less work, and is basically just as likely to stop a +pointless call to flush_delayed_bios(). + +Fixes: 26b9f228703f ("dm: delay target") +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-delay.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index 5eabdb06c6498..eec0daa4b227a 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -154,8 +154,10 @@ static void delay_dtr(struct dm_target *ti) + { + struct delay_c *dc = ti->private; + +- if (dc->kdelayd_wq) ++ if (dc->kdelayd_wq) { ++ timer_shutdown_sync(&dc->delay_timer); + destroy_workqueue(dc->kdelayd_wq); ++ } + + if (dc->read.dev) + dm_put_device(ti, dc->read.dev); +@@ -335,7 +337,7 @@ static void delay_presuspend(struct dm_target *ti) + mutex_unlock(&delayed_bios_lock); + + if (!delay_is_fast(dc)) +- del_timer_sync(&dc->delay_timer); ++ timer_delete(&dc->delay_timer); + flush_delayed_bios(dc, true); + } + +-- +2.43.0 + diff --git a/queue-6.9/dpll-fix-return-value-check-for-kmemdup.patch b/queue-6.9/dpll-fix-return-value-check-for-kmemdup.patch new file mode 100644 index 00000000000..dc4324e8b9d --- /dev/null +++ b/queue-6.9/dpll-fix-return-value-check-for-kmemdup.patch @@ -0,0 +1,40 @@ +From 39d2e9822eb52ff84ac7da62bd125a57e22f4b42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 11:28:24 +0800 +Subject: dpll: fix return value check for kmemdup + +From: Chen Ni + +[ Upstream commit ad506586cb69292b6ac59ab95468aadd54b19ab7 ] + +The return value of kmemdup() is dst->freq_supported, not +src->freq_supported. Update the check accordingly. + +Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module") +Signed-off-by: Chen Ni +Reviewed-by: Przemek Kitszel +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240513032824.2410459-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/dpll/dpll_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c +index d0f6693ca1426..32019dc33cca7 100644 +--- a/drivers/dpll/dpll_core.c ++++ b/drivers/dpll/dpll_core.c +@@ -449,7 +449,7 @@ static int dpll_pin_prop_dup(const struct dpll_pin_properties *src, + sizeof(*src->freq_supported); + dst->freq_supported = kmemdup(src->freq_supported, + freq_size, GFP_KERNEL); +- if (!src->freq_supported) ++ if (!dst->freq_supported) + return -ENOMEM; + } + if (src->board_label) { +-- +2.43.0 + diff --git a/queue-6.9/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch b/queue-6.9/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch new file mode 100644 index 00000000000..1cacac00cf0 --- /dev/null +++ b/queue-6.9/drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch @@ -0,0 +1,43 @@ +From f15cecb6325cb03740a59767d33da36620bb4a11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:27 +0800 +Subject: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() + +From: Hao Chen + +[ Upstream commit 582c1aeee0a9e73010cf1c4cef338709860deeb0 ] + +pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() +fails, the irq vector is not freed, which leads to a memory leak. + +Replace the devm_add_action with devm_add_action_or_reset to ensure +the irq vector can be destroyed when it fails. + +Fixes: 66637ab137b4 ("drivers/perf: hisi: add driver for HNS3 PMU") +Signed-off-by: Hao Chen +Signed-off-by: Junhao He +Reviewed-by: Jijie Shao +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240425124627.13764-4-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hns3_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hns3_pmu.c b/drivers/perf/hisilicon/hns3_pmu.c +index cbdd53b0a0342..60062eaa342aa 100644 +--- a/drivers/perf/hisilicon/hns3_pmu.c ++++ b/drivers/perf/hisilicon/hns3_pmu.c +@@ -1527,7 +1527,7 @@ static int hns3_pmu_irq_register(struct pci_dev *pdev, + return ret; + } + +- ret = devm_add_action(&pdev->dev, hns3_pmu_free_irq, pdev); ++ ret = devm_add_action_or_reset(&pdev->dev, hns3_pmu_free_irq, pdev); + if (ret) { + pci_err(pdev, "failed to add free irq action, ret = %d.\n", ret); + return ret; +-- +2.43.0 + diff --git a/queue-6.9/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch b/queue-6.9/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch new file mode 100644 index 00000000000..0225663286c --- /dev/null +++ b/queue-6.9/drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch @@ -0,0 +1,70 @@ +From f7aff22b0fd91cfc58c27cbdc9ba779fa2aeb880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:26 +0800 +Subject: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event + group + +From: Junhao He + +[ Upstream commit 81bdd60a3d1d3b05e6cc6674845afb1694dd3a0e ] + +The perf tool allows users to create event groups through following +cmd [1], but the driver does not check whether the array index is out +of bounds when writing data to the event_group array. If the number of +events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the +memory write overflow of event_group array occurs. + +Add array index check to fix the possible array out of bounds violation, +and return directly when write new events are written to array bounds. + +There are 9 different events in an event_group. +[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/} + +Fixes: 66637ab137b4 ("drivers/perf: hisi: add driver for HNS3 PMU") +Signed-off-by: Junhao He +Signed-off-by: Hao Chen +Acked-by: Jonathan Cameron +Reviewed-by: Jijie Shao +Link: https://lore.kernel.org/r/20240425124627.13764-3-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hns3_pmu.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hns3_pmu.c b/drivers/perf/hisilicon/hns3_pmu.c +index 16869bf5bf4cc..cbdd53b0a0342 100644 +--- a/drivers/perf/hisilicon/hns3_pmu.c ++++ b/drivers/perf/hisilicon/hns3_pmu.c +@@ -1085,15 +1085,27 @@ static bool hns3_pmu_validate_event_group(struct perf_event *event) + return false; + + for (num = 0; num < counters; num++) { ++ /* ++ * If we find a related event, then it's a valid group ++ * since we don't need to allocate a new counter for it. ++ */ + if (hns3_pmu_cmp_event(event_group[num], sibling)) + break; + } + ++ /* ++ * Otherwise it's a new event but if there's no available counter, ++ * fail the check since we cannot schedule all the events in ++ * the group simultaneously. ++ */ ++ if (num == HNS3_PMU_MAX_HW_EVENTS) ++ return false; ++ + if (num == counters) + event_group[counters++] = sibling; + } + +- return counters <= HNS3_PMU_MAX_HW_EVENTS; ++ return true; + } + + static u32 hns3_pmu_get_filter_condition(struct perf_event *event) +-- +2.43.0 + diff --git a/queue-6.9/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch b/queue-6.9/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch new file mode 100644 index 00000000000..acbb1645ef3 --- /dev/null +++ b/queue-6.9/drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch @@ -0,0 +1,69 @@ +From 6e288adb6bfd06e30b878539935848632b392892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:46:25 +0800 +Subject: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event + group + +From: Junhao He + +[ Upstream commit 77fce82678ea5fd51442e62febec2004f79e041b ] + +The perf tool allows users to create event groups through following +cmd [1], but the driver does not check whether the array index is out of +bounds when writing data to the event_group array. If the number of events +in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write +overflow of event_group array occurs. + +Add array index check to fix the possible array out of bounds violation, +and return directly when write new events are written to array bounds. + +There are 9 different events in an event_group. +[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}' + +Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") +Signed-off-by: Junhao He +Reviewed-by: Jijie Shao +Acked-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240425124627.13764-2-hejunhao3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c +index 5d1f0e9fdb08d..dba3991256586 100644 +--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c ++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c +@@ -350,15 +350,27 @@ static bool hisi_pcie_pmu_validate_event_group(struct perf_event *event) + return false; + + for (num = 0; num < counters; num++) { ++ /* ++ * If we find a related event, then it's a valid group ++ * since we don't need to allocate a new counter for it. ++ */ + if (hisi_pcie_pmu_cmp_event(event_group[num], sibling)) + break; + } + ++ /* ++ * Otherwise it's a new event but if there's no available counter, ++ * fail the check since we cannot schedule all the events in ++ * the group simultaneously. ++ */ ++ if (num == HISI_PCIE_MAX_COUNTERS) ++ return false; ++ + if (num == counters) + event_group[counters++] = sibling; + } + +- return counters <= HISI_PCIE_MAX_COUNTERS; ++ return true; + } + + static int hisi_pcie_pmu_event_init(struct perf_event *event) +-- +2.43.0 + diff --git a/queue-6.9/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch b/queue-6.9/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch new file mode 100644 index 00000000000..f18b2400108 --- /dev/null +++ b/queue-6.9/drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch @@ -0,0 +1,195 @@ +From 4bb010d6d20113f5f686998fb77c87cabdc3ee9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 17:55:25 +0200 +Subject: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() + +From: David Hildenbrand + +[ Upstream commit 3d6586008f7b638f91f3332602592caa8b00b559 ] + +Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes". + +Patch #1 fixes a bunch of issues I spotted in the acrn driver. It +compiles, that's all I know. I'll appreciate some review and testing from +acrn folks. + +Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding +more sanity checks, and improving the documentation. Gave it a quick test +on x86-64 using VM_PAT that ends up using follow_pte(). + +This patch (of 3): + +We currently miss handling various cases, resulting in a dangerous +follow_pte() (previously follow_pfn()) usage. + +(1) We're not checking PTE write permissions. + +Maybe we should simply always require pte_write() like we do for +pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for +ACRN_MEM_ACCESS_WRITE for now. + +(2) We're not rejecting refcounted pages. + +As we are not using MMU notifiers, messing with refcounted pages is +dangerous and can result in use-after-free. Let's make sure to reject them. + +(3) We are only looking at the first PTE of a bigger range. + +We only lookup a single PTE, but memmap->len may span a larger area. +Let's loop over all involved PTEs and make sure the PFN range is +actually contiguous. Reject everything else: it couldn't have worked +either way, and rather made use access PFNs we shouldn't be accessing. + +Link: https://lkml.kernel.org/r/20240410155527.474777-1-david@redhat.com +Link: https://lkml.kernel.org/r/20240410155527.474777-2-david@redhat.com +Fixes: 8a6e85f75a83 ("virt: acrn: obtain pa from VMA with PFNMAP flag") +Signed-off-by: David Hildenbrand +Cc: Alex Williamson +Cc: Christoph Hellwig +Cc: Fei Li +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Ingo Molnar +Cc: Paolo Bonzini +Cc: Yonghua Huang +Cc: Sean Christopherson +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/virt/acrn/mm.c | 63 +++++++++++++++++++++++++++++++----------- + 1 file changed, 47 insertions(+), 16 deletions(-) + +diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c +index 69c3f619f8819..9c75de0656d8d 100644 +--- a/drivers/virt/acrn/mm.c ++++ b/drivers/virt/acrn/mm.c +@@ -155,23 +155,29 @@ int acrn_vm_memseg_unmap(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + { + struct vm_memory_region_batch *regions_info; +- int nr_pages, i = 0, order, nr_regions = 0; ++ int nr_pages, i, order, nr_regions = 0; + struct vm_memory_mapping *region_mapping; + struct vm_memory_region_op *vm_region; + struct page **pages = NULL, *page; + void *remap_vaddr; + int ret, pinned; + u64 user_vm_pa; +- unsigned long pfn; + struct vm_area_struct *vma; + + if (!vm || !memmap) + return -EINVAL; + ++ /* Get the page number of the map region */ ++ nr_pages = memmap->len >> PAGE_SHIFT; ++ if (!nr_pages) ++ return -EINVAL; ++ + mmap_read_lock(current->mm); + vma = vma_lookup(current->mm, memmap->vma_base); + if (vma && ((vma->vm_flags & VM_PFNMAP) != 0)) { ++ unsigned long start_pfn, cur_pfn; + spinlock_t *ptl; ++ bool writable; + pte_t *ptep; + + if ((memmap->vma_base + memmap->len) > vma->vm_end) { +@@ -179,25 +185,53 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + return -EINVAL; + } + +- ret = follow_pte(vma->vm_mm, memmap->vma_base, &ptep, &ptl); +- if (ret < 0) { +- mmap_read_unlock(current->mm); ++ for (i = 0; i < nr_pages; i++) { ++ ret = follow_pte(vma->vm_mm, ++ memmap->vma_base + i * PAGE_SIZE, ++ &ptep, &ptl); ++ if (ret) ++ break; ++ ++ cur_pfn = pte_pfn(ptep_get(ptep)); ++ if (i == 0) ++ start_pfn = cur_pfn; ++ writable = !!pte_write(ptep_get(ptep)); ++ pte_unmap_unlock(ptep, ptl); ++ ++ /* Disallow write access if the PTE is not writable. */ ++ if (!writable && ++ (memmap->attr & ACRN_MEM_ACCESS_WRITE)) { ++ ret = -EFAULT; ++ break; ++ } ++ ++ /* Disallow refcounted pages. */ ++ if (pfn_valid(cur_pfn) && ++ !PageReserved(pfn_to_page(cur_pfn))) { ++ ret = -EFAULT; ++ break; ++ } ++ ++ /* Disallow non-contiguous ranges. */ ++ if (cur_pfn != start_pfn + i) { ++ ret = -EINVAL; ++ break; ++ } ++ } ++ mmap_read_unlock(current->mm); ++ ++ if (ret) { + dev_dbg(acrn_dev.this_device, + "Failed to lookup PFN at VMA:%pK.\n", (void *)memmap->vma_base); + return ret; + } +- pfn = pte_pfn(ptep_get(ptep)); +- pte_unmap_unlock(ptep, ptl); +- mmap_read_unlock(current->mm); + + return acrn_mm_region_add(vm, memmap->user_vm_pa, +- PFN_PHYS(pfn), memmap->len, ++ PFN_PHYS(start_pfn), memmap->len, + ACRN_MEM_TYPE_WB, memmap->attr); + } + mmap_read_unlock(current->mm); + +- /* Get the page number of the map region */ +- nr_pages = memmap->len >> PAGE_SHIFT; + pages = vzalloc(array_size(nr_pages, sizeof(*pages))); + if (!pages) + return -ENOMEM; +@@ -241,12 +275,11 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + mutex_unlock(&vm->regions_mapping_lock); + + /* Calculate count of vm_memory_region_op */ +- while (i < nr_pages) { ++ for (i = 0; i < nr_pages; i += 1 << order) { + page = pages[i]; + VM_BUG_ON_PAGE(PageTail(page), page); + order = compound_order(page); + nr_regions++; +- i += 1 << order; + } + + /* Prepare the vm_memory_region_batch */ +@@ -263,8 +296,7 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + regions_info->vmid = vm->vmid; + regions_info->regions_gpa = virt_to_phys(vm_region); + user_vm_pa = memmap->user_vm_pa; +- i = 0; +- while (i < nr_pages) { ++ for (i = 0; i < nr_pages; i += 1 << order) { + u32 region_size; + + page = pages[i]; +@@ -280,7 +312,6 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + + vm_region++; + user_vm_pa += region_size; +- i += 1 << order; + } + + /* Inform the ACRN Hypervisor to set up EPT mappings */ +-- +2.43.0 + diff --git a/queue-6.9/drm-amd-display-fix-potential-index-out-of-bounds-in.patch b/queue-6.9/drm-amd-display-fix-potential-index-out-of-bounds-in.patch new file mode 100644 index 00000000000..83056c2bea6 --- /dev/null +++ b/queue-6.9/drm-amd-display-fix-potential-index-out-of-bounds-in.patch @@ -0,0 +1,58 @@ +From b4667e8a0bfa59b84454251af051e6229450c9fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 18:38:08 +0530 +Subject: drm/amd/display: Fix potential index out of bounds in color + transformation function + +From: Srinivasan Shanmugam + +[ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] + +Fixes index out of bounds issue in the color transformation function. +The issue could occur when the index 'i' exceeds the number of transfer +function points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds, an error message is +logged and the function returns false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") +Cc: Vitaly Prosyak +Cc: Charlene Liu +Cc: Harry Wentland +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Aurabindo Pillai +Cc: Tom Chung +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index b7e57aa273619..b0d192c6e63eb 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -402,6 +402,11 @@ bool cm_helper_translate_curve_to_hw_format(struct dc_context *ctx, + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) { ++ DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", ++ i, TRANSFER_FUNC_POINTS); ++ return false; ++ } + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-6.9/drm-amd-display-remove-redundant-condition-in-dcn35_.patch b/queue-6.9/drm-amd-display-remove-redundant-condition-in-dcn35_.patch new file mode 100644 index 00000000000..97ec0b3bd25 --- /dev/null +++ b/queue-6.9/drm-amd-display-remove-redundant-condition-in-dcn35_.patch @@ -0,0 +1,51 @@ +From 5988e1af7cf8ee5d8ae38c818f1358d397fc9d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 09:23:53 +0530 +Subject: drm/amd/display: Remove redundant condition in + dcn35_calc_blocks_to_gate() + +From: Srinivasan Shanmugam + +[ Upstream commit a43dbeaba81eb645a12a004c67722c632ed0d94b ] + +pipe_ctx->plane_res.mpcc_inst is of a type that can only hold values +between 0 and 255, so it's always greater than or equal to 0. + +Thus the condition 'pipe_ctx->plane_res.mpcc_inst >= 0' was always true +and has been removed. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn35/dcn35_hwseq.c:1023 dcn35_calc_blocks_to_gate() warn: always true condition '(pipe_ctx->plane_res.mpcc_inst >= 0) => (0-255 >= 0)' + +Fixes: 6f8b7565cca4 ("drm/amd/display: Add DCN35 HWSEQ") +Cc: Qingqing Zhuo +Cc: Harry Wentland +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Aurabindo Pillai +Cc: Tom Chung +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +index 9067ca78f8511..a14f99f4f14a5 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +@@ -999,8 +999,7 @@ void dcn35_calc_blocks_to_gate(struct dc *dc, struct dc_state *context, + if (pipe_ctx->plane_res.dpp) + update_state->pg_pipe_res_update[PG_DPP][pipe_ctx->plane_res.hubp->inst] = false; + +- if ((pipe_ctx->plane_res.dpp || pipe_ctx->stream_res.opp) && +- pipe_ctx->plane_res.mpcc_inst >= 0) ++ if (pipe_ctx->plane_res.dpp || pipe_ctx->stream_res.opp) + update_state->pg_pipe_res_update[PG_MPCC][pipe_ctx->plane_res.mpcc_inst] = false; + + if (pipe_ctx->stream_res.dsc) +-- +2.43.0 + diff --git a/queue-6.9/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch b/queue-6.9/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch new file mode 100644 index 00000000000..e48f3a7c5d2 --- /dev/null +++ b/queue-6.9/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch @@ -0,0 +1,42 @@ +From beaf2c385327a4eb3f8fe5137f1684fb303ff158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 14:30:53 +0800 +Subject: drm/arm/malidp: fix a possible null pointer dereference + +From: Huai-Yuan Liu + +[ Upstream commit a1f95aede6285dba6dd036d907196f35ae3a11ea ] + +In malidp_mw_connector_reset, new memory is allocated with kzalloc, but +no check is performed. In order to prevent null pointer dereferencing, +ensure that mw_state is checked before calling +__drm_atomic_helper_connector_reset. + +Fixes: 8cbc5caf36ef ("drm: mali-dp: Add writeback connector") +Signed-off-by: Huai-Yuan Liu +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20240407063053.5481-1-qq810974084@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/arm/malidp_mw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_mw.c b/drivers/gpu/drm/arm/malidp_mw.c +index 626709bec6f5f..2577f0cef8fcd 100644 +--- a/drivers/gpu/drm/arm/malidp_mw.c ++++ b/drivers/gpu/drm/arm/malidp_mw.c +@@ -72,7 +72,10 @@ static void malidp_mw_connector_reset(struct drm_connector *connector) + __drm_atomic_helper_connector_destroy_state(connector->state); + + kfree(connector->state); +- __drm_atomic_helper_connector_reset(connector, &mw_state->base); ++ connector->state = NULL; ++ ++ if (mw_state) ++ __drm_atomic_helper_connector_reset(connector, &mw_state->base); + } + + static enum drm_connector_status +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch b/queue-6.9/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..437bcfc2c73 --- /dev/null +++ b/queue-6.9/drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From b884b886c76c305d514510c727e378765744e2a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:29 -0400 +Subject: drm/bridge: anx7625: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit ef4a9204d594fe959cdbc7418273caf4001535c8 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 269332997a16 ("drm/bridge: anx7625: Return -EPROBE_DEFER if the dsi host was not found") +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Neil Armstrong +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-1-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/anx7625.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c +index 9d96d28d6fe8e..02bf450053076 100644 +--- a/drivers/gpu/drm/bridge/analogix/anx7625.c ++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c +@@ -2066,10 +2066,8 @@ static int anx7625_setup_dsi_device(struct anx7625_data *ctx) + }; + + host = of_find_mipi_dsi_host_by_node(ctx->pdata.mipi_host_node); +- if (!host) { +- DRM_DEV_ERROR(dev, "fail to find dsi host.\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "fail to find dsi host.\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-anx7625-update-audio-status-while-detecti.patch b/queue-6.9/drm-bridge-anx7625-update-audio-status-while-detecti.patch new file mode 100644 index 00000000000..10fdd544824 --- /dev/null +++ b/queue-6.9/drm-bridge-anx7625-update-audio-status-while-detecti.patch @@ -0,0 +1,54 @@ +From 3383d5f50af9d0112f2537644bf60fbc8aa55f82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 07:21:35 +0000 +Subject: drm/bridge: anx7625: Update audio status while detecting + +From: Hsin-Te Yuan + +[ Upstream commit a665b4e60369867cddf50f37f16169a3e2f434ad ] + +Previously, the audio status was not updated during detection, leading +to a persistent audio despite hot plugging events. To resolve this +issue, update the audio status during detection. + +Fixes: 566fef1226c1 ("drm/bridge: anx7625: add HDMI audio function") +Signed-off-by: Hsin-Te Yuan +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240416-anx7625-v3-1-f916ae31bdd7@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/anx7625.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c +index 02bf450053076..59e9ad3499696 100644 +--- a/drivers/gpu/drm/bridge/analogix/anx7625.c ++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c +@@ -2469,15 +2469,22 @@ static void anx7625_bridge_atomic_disable(struct drm_bridge *bridge, + mutex_unlock(&ctx->aux_lock); + } + ++static void ++anx7625_audio_update_connector_status(struct anx7625_data *ctx, ++ enum drm_connector_status status); ++ + static enum drm_connector_status + anx7625_bridge_detect(struct drm_bridge *bridge) + { + struct anx7625_data *ctx = bridge_to_anx7625(bridge); + struct device *dev = ctx->dev; ++ enum drm_connector_status status; + + DRM_DEV_DEBUG_DRIVER(dev, "drm bridge detect\n"); + +- return anx7625_sink_detect(ctx); ++ status = anx7625_sink_detect(ctx); ++ anx7625_audio_update_connector_status(ctx, status); ++ return status; + } + + static const struct drm_edid *anx7625_bridge_edid_read(struct drm_bridge *bridge, +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch b/queue-6.9/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch new file mode 100644 index 00000000000..3eb73ca78b8 --- /dev/null +++ b/queue-6.9/drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch @@ -0,0 +1,43 @@ +From 677e916b9167f30ec22b5195fa0ce5f4ae550057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 15:58:10 +0300 +Subject: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ] + +In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is +assigned to mhdp_state->current_mode, and there is a dereference of it in +drm_mode_set_name(), which will lead to a NULL pointer dereference on +failure of drm_mode_duplicate(). + +Fix this bug add a check of mhdp_state->current_mode. + +Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +index e226acc5c15e1..8a91ef0ae0651 100644 +--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c ++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +@@ -2059,6 +2059,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge, + mhdp_state = to_cdns_mhdp_bridge_state(new_state); + + mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode); ++ if (!mhdp_state->current_mode) ++ return; ++ + drm_mode_set_name(mhdp_state->current_mode); + + dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name); +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch b/queue-6.9/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..a7e2a7232ce --- /dev/null +++ b/queue-6.9/drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,80 @@ +From e8218dafb966fec3161dfa880cb2823ec0792fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:35 -0400 +Subject: drm/bridge: dpc3433: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 24f4f575214de776539d346b99b8717bffa8ebba ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Also move the "failed to attach" error message so that it's only printed +when the devm_mipi_dsi_attach() call fails. + +Fixes: 6352cd451ddb ("drm: bridge: Add TI DLPC3433 DSI to DMD bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-7-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-dlpc3433.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-dlpc3433.c b/drivers/gpu/drm/bridge/ti-dlpc3433.c +index ca3348109bcd2..6b559e0713012 100644 +--- a/drivers/gpu/drm/bridge/ti-dlpc3433.c ++++ b/drivers/gpu/drm/bridge/ti-dlpc3433.c +@@ -319,12 +319,11 @@ static int dlpc_host_attach(struct dlpc *dlpc) + .channel = 0, + .node = NULL, + }; ++ int ret; + + host = of_find_mipi_dsi_host_by_node(dlpc->host_node); +- if (!host) { +- DRM_DEV_ERROR(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dlpc->dsi = mipi_dsi_device_register_full(host, &info); + if (IS_ERR(dlpc->dsi)) { +@@ -336,7 +335,11 @@ static int dlpc_host_attach(struct dlpc *dlpc) + dlpc->dsi->format = MIPI_DSI_FMT_RGB565; + dlpc->dsi->lanes = dlpc->dsi_lanes; + +- return devm_mipi_dsi_attach(dev, dlpc->dsi); ++ ret = devm_mipi_dsi_attach(dev, dlpc->dsi); ++ if (ret) ++ DRM_DEV_ERROR(dev, "failed to attach dsi host\n"); ++ ++ return ret; + } + + static int dlpc3433_probe(struct i2c_client *client) +@@ -367,10 +370,8 @@ static int dlpc3433_probe(struct i2c_client *client) + drm_bridge_add(&dlpc->bridge); + + ret = dlpc_host_attach(dlpc); +- if (ret) { +- DRM_DEV_ERROR(dev, "failed to attach dsi host\n"); ++ if (ret) + goto err_remove_bridge; +- } + + return 0; + +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch b/queue-6.9/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch new file mode 100644 index 00000000000..4ce9d08aee8 --- /dev/null +++ b/queue-6.9/drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch @@ -0,0 +1,154 @@ +From 9b788e8cfdcea8fa30def4ee1aad1f57701c2323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 22:37:51 +0530 +Subject: drm/bridge: Fix improper bridge init order with pre_enable_prev_first + +From: Jagan Teki + +[ Upstream commit e18aeeda0b6905c333df5a0566b99f5c84426098 ] + +For a given bridge pipeline if any bridge sets pre_enable_prev_first +flag then the pre_enable for the previous bridge will be called before +pre_enable of this bridge and opposite is done for post_disable. + +These are the potential bridge flags to alter bridge init order in order +to satisfy the MIPI DSI host and downstream panel or bridge to function. +However the existing pre_enable_prev_first logic with associated bridge +ordering has broken for both pre_enable and post_disable calls. + +[pre_enable] + +The altered bridge ordering has failed if two consecutive bridges on a +given pipeline enables the pre_enable_prev_first flag. + +Example: +- Panel +- Bridge 1 +- Bridge 2 pre_enable_prev_first +- Bridge 3 +- Bridge 4 pre_enable_prev_first +- Bridge 5 pre_enable_prev_first +- Bridge 6 +- Encoder + +In this example, Bridge 4 and Bridge 5 have pre_enable_prev_first. + +The logic looks for a bridge which enabled pre_enable_prev_first flag +on each iteration and assigned the previou bridge to limit pointer +if the bridge doesn't enable pre_enable_prev_first flags. + +If control found Bridge 2 is pre_enable_prev_first then the iteration +looks for Bridge 3 and found it is not pre_enable_prev_first and assigns +it's previous Bridge 4 to limit pointer and calls pre_enable of Bridge 3 +and Bridge 2 and assign iter pointer with limit which is Bridge 4. + +Here is the actual problem, for the next iteration control look for +Bridge 5 instead of Bridge 4 has iter pointer in previous iteration +moved to Bridge 4 so this iteration skips the Bridge 4. The iteration +found Bridge 6 doesn't pre_enable_prev_first flags so the limit assigned +to Encoder. From next iteration Encoder skips as it is the last bridge +for reverse order pipeline. + +So, the resulting pre_enable bridge order would be, +- Panel, Bridge 1, Bridge 3, Bridge 2, Bridge 6, Bridge 5. + +This patch fixes this by assigning limit to next pointer instead of +previous bridge since the iteration always looks for bridge that does +NOT request prev so assigning next makes sure the last bridge on a +given iteration what exactly the limit bridge is. + +So, the resulting pre_enable bridge order with fix would be, +- Panel, Bridge 1, Bridge 3, Bridge 2, Bridge 6, Bridge 5, Bridge 4, + Encoder. + +[post_disable] + +The altered bridge ordering has failed if two consecutive bridges on a +given pipeline enables the pre_enable_prev_first flag. + +Example: +- Panel +- Bridge 1 +- Bridge 2 pre_enable_prev_first +- Bridge 3 +- Bridge 4 pre_enable_prev_first +- Bridge 5 pre_enable_prev_first +- Bridge 6 +- Encoder + +In this example Bridge 5 and Bridge 4 have pre_enable_prev_first. + +The logic looks for a bridge which enabled pre_enable_prev_first flags +on each iteration and assigned the previou bridge to next and next to +limit pointer if the bridge does enable pre_enable_prev_first flag. + +If control starts from Bridge 6 then it found next Bridge 5 is +pre_enable_prev_first and immediately the next assigned to previous +Bridge 6 and limit assignments to next Bridge 6 and call post_enable +of Bridge 6 even though the next consecutive Bridge 5 is enabled with +pre_enable_prev_first. This clearly misses the logic to find the state +of next conducive bridge as everytime the next and limit assigns +previous bridge if given bridge enabled pre_enable_prev_first. + +So, the resulting post_disable bridge order would be, +- Encoder, Bridge 6, Bridge 5, Bridge 4, Bridge 3, Bridge 2, Bridge 1, + Panel. + +This patch fixes this by assigning next with previou bridge only if the +bridge doesn't enable pre_enable_prev_first flag and the next further +assign it to limit. This way we can find the bridge that NOT requested +prev to disable last. + +So, the resulting pre_enable bridge order with fix would be, +- Encoder, Bridge 4, Bridge 5, Bridge 6, Bridge 2, Bridge 3, Bridge 1, + Panel. + +Validated the bridge init ordering by incorporating dummy bridges in +the sun6i-mipi-dsi pipeline + +Fixes: 4fb912e5e190 ("drm/bridge: Introduce pre_enable_prev_first to alter bridge init order") +Signed-off-by: Jagan Teki +Tested-by: Michael Trimarchi +Reviewed-by: Dave Stevenson +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230328170752.1102347-1-jagan@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bridge.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c +index 521a71c61b164..17ed94885dc3b 100644 +--- a/drivers/gpu/drm/drm_bridge.c ++++ b/drivers/gpu/drm/drm_bridge.c +@@ -687,11 +687,17 @@ void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge, + */ + list_for_each_entry_from(next, &encoder->bridge_chain, + chain_node) { +- if (next->pre_enable_prev_first) { ++ if (!next->pre_enable_prev_first) { + next = list_prev_entry(next, chain_node); + limit = next; + break; + } ++ ++ if (list_is_last(&next->chain_node, ++ &encoder->bridge_chain)) { ++ limit = next; ++ break; ++ } + } + + /* Call these bridges in reverse order */ +@@ -774,7 +780,7 @@ void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge, + /* Found first bridge that does NOT + * request prev to be enabled first + */ +- limit = list_prev_entry(next, chain_node); ++ limit = next; + break; + } + } +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch b/queue-6.9/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..f451c3e2fc0 --- /dev/null +++ b/queue-6.9/drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From 40bc07692c51e4cd5bed608913bf31338516df79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:30 -0400 +Subject: drm/bridge: icn6211: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 275fafe58faa7fdb10fa245412696ecef676aac5 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 8dde6f7452a1 ("drm: bridge: icn6211: Add I2C configuration support") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-2-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/chipone-icn6211.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/chipone-icn6211.c b/drivers/gpu/drm/bridge/chipone-icn6211.c +index 82d23e4df09eb..ff3284b6b1a37 100644 +--- a/drivers/gpu/drm/bridge/chipone-icn6211.c ++++ b/drivers/gpu/drm/bridge/chipone-icn6211.c +@@ -563,10 +563,8 @@ static int chipone_dsi_host_attach(struct chipone *icn) + + host = of_find_mipi_dsi_host_by_node(host_node); + of_node_put(host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = mipi_dsi_device_register_full(host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch b/queue-6.9/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch new file mode 100644 index 00000000000..956c7ac71bb --- /dev/null +++ b/queue-6.9/drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch @@ -0,0 +1,49 @@ +From 18a081f150748de6dc33e13ff1c28f6e632ad3c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:31 -0400 +Subject: drm/bridge: lt8912b: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit b3b4695ff47c4964d4ccb930890c9ffd8e455e20 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-3-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt8912b.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt8912b.c b/drivers/gpu/drm/bridge/lontium-lt8912b.c +index 4b2ae27f0a57f..1a9defa15663c 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c ++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c +@@ -494,10 +494,8 @@ static int lt8912_attach_dsi(struct lt8912 *lt) + }; + + host = of_find_mipi_dsi_host_by_node(lt->host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch b/queue-6.9/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch new file mode 100644 index 00000000000..2a8c916a1c2 --- /dev/null +++ b/queue-6.9/drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch @@ -0,0 +1,50 @@ +From 6adacd3f42de81d417b3c4dbb328156a32a4dfa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:32 -0400 +Subject: drm/bridge: lt9611: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit cd0a2c6a081ff67007323725b9ff07d9934b1ed8 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-4-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c +index a9c7e2b07ea10..b99fe87ec7389 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c +@@ -761,10 +761,8 @@ static struct mipi_dsi_device *lt9611_attach_dsi(struct lt9611 *lt9611, + int ret; + + host = of_find_mipi_dsi_host_by_node(dsi_node); +- if (!host) { +- dev_err(lt9611->dev, "failed to find dsi host\n"); +- return ERR_PTR(-EPROBE_DEFER); +- } ++ if (!host) ++ return ERR_PTR(dev_err_probe(lt9611->dev, -EPROBE_DEFER, "failed to find dsi host\n")); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch b/queue-6.9/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch new file mode 100644 index 00000000000..ce0f6adef5e --- /dev/null +++ b/queue-6.9/drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch @@ -0,0 +1,51 @@ +From 2ada876a1d7a9ca4b850d1d13dd3814161e314ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:33 -0400 +Subject: drm/bridge: lt9611uxc: Don't log an error when DSI host can't be + found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 6d9e877cde7e9b516a9a99751b8222c87557436d ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-5-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +index f4f593ad8f795..ab702471f3ab1 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +@@ -266,10 +266,8 @@ static struct mipi_dsi_device *lt9611uxc_attach_dsi(struct lt9611uxc *lt9611uxc, + int ret; + + host = of_find_mipi_dsi_host_by_node(dsi_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return ERR_PTR(-EPROBE_DEFER); +- } ++ if (!host) ++ return ERR_PTR(dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n")); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch b/queue-6.9/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch new file mode 100644 index 00000000000..4e1c503815e --- /dev/null +++ b/queue-6.9/drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch @@ -0,0 +1,49 @@ +From c609f18386d6e7fefc677bf156f73becdb329fdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:34 -0400 +Subject: drm/bridge: tc358775: Don't log an error when DSI host can't be found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 272377aa0e3dddeec3f568c8bb9d12c7a79d8ef5 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: b26975593b17 ("display/drm/bridge: TC358775 DSI/LVDS driver") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-6-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358775.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358775.c b/drivers/gpu/drm/bridge/tc358775.c +index 90a89d70d8328..fea4f00a20f83 100644 +--- a/drivers/gpu/drm/bridge/tc358775.c ++++ b/drivers/gpu/drm/bridge/tc358775.c +@@ -610,10 +610,8 @@ static int tc_attach_host(struct tc_data *tc) + }; + + host = of_find_mipi_dsi_host_by_node(tc->host_node); +- if (!host) { +- dev_err(dev, "failed to find dsi host\n"); +- return -EPROBE_DEFER; +- } ++ if (!host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); + + dsi = devm_mipi_dsi_device_register_full(dev, host, &info); + if (IS_ERR(dsi)) { +-- +2.43.0 + diff --git a/queue-6.9/drm-ci-update-device-type-for-volteer-devices.patch b/queue-6.9/drm-ci-update-device-type-for-volteer-devices.patch new file mode 100644 index 00000000000..95933cd126e --- /dev/null +++ b/queue-6.9/drm-ci-update-device-type-for-volteer-devices.patch @@ -0,0 +1,52 @@ +From fd7fa2e852095fc2c734a8bef3abdb96c0e8fb1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 07:48:41 +0530 +Subject: drm/ci: update device type for volteer devices + +From: Vignesh Raman + +[ Upstream commit a2c71b711e7efc6478976233768bdbc3386e6dce ] + +Volteer devices in the collabora lab are categorized under the +asus-cx9400-volteer device type. The majority of these units +has an Intel Core i5-1130G7 CPU, while some of them have a +Intel Core i7-1160G7 CPU instead. So due to this difference, +new device type template is added for the Intel Core i5-1130G7 +and i7-1160G7 variants of the Acer Chromebook Spin 514 (CP514-2H) +volteer Chromebooks. So update the same in drm-ci. + +https://gitlab.collabora.com/lava/lava/-/merge_requests/149 + +Fixes: 0119c894ab0d ("drm: Add initial ci/ subdirectory") +Reviewed-by: David Heidelberg +Signed-off-by: Vignesh Raman +Acked-by: Helen Koike +Signed-off-by: Helen Koike +Link: https://patchwork.freedesktop.org/patch/msgid/20240307021841.100561-1-vignesh.raman@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ci/test.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/ci/test.yml b/drivers/gpu/drm/ci/test.yml +index 0857773e5c5fd..8bc63912fddb4 100644 +--- a/drivers/gpu/drm/ci/test.yml ++++ b/drivers/gpu/drm/ci/test.yml +@@ -252,11 +252,11 @@ i915:cml: + i915:tgl: + extends: + - .i915 +- parallel: 8 ++ parallel: 5 + variables: +- DEVICE_TYPE: asus-cx9400-volteer ++ DEVICE_TYPE: acer-cp514-2h-1130g7-volteer + GPU_VERSION: tgl +- RUNNER_TAG: mesa-ci-x86-64-lava-asus-cx9400-volteer ++ RUNNER_TAG: mesa-ci-x86-64-lava-acer-cp514-2h-1130g7-volteer + + .amdgpu: + extends: +-- +2.43.0 + diff --git a/queue-6.9/drm-edid-parse-topology-block-for-all-dispid-structu.patch b/queue-6.9/drm-edid-parse-topology-block-for-all-dispid-structu.patch new file mode 100644 index 00000000000..13d18c014a7 --- /dev/null +++ b/queue-6.9/drm-edid-parse-topology-block-for-all-dispid-structu.patch @@ -0,0 +1,83 @@ +From adb1e1c3aaf671cfc0003d91d979c27b74bb35b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 21:01:39 +0300 +Subject: drm/edid: Parse topology block for all DispID structure v1.x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit e0a200ab4b72afd581bd6f82fc1ef510a4fb5478 ] + +DisplayID spec v1.3 revision history notes do claim that +the toplogy block was added in v1.3 so requiring structure +v1.2 would seem correct, but there is at least one EDID in +edid.tv with a topology block and structure v1.0. And +there are also EDIDs with DisplayID structure v1.3 which +seems to be totally incorrect as DisplayID spec v1.3 lists +structure v1.2 as the only legal value. + +Unfortunately I couldn't find copies of DisplayID spec +v1.0-v1.2 anywhere (even on vesa.org), so I'll have to +go on empirical evidence alone. + +We used to parse the topology block on all v1.x +structures until the check for structure v2.0 was added. +Let's go back to doing that as the evidence does suggest +that there are DisplayIDs in the wild that would miss +out on the topology stuff otherwise. + +Also toss out DISPLAY_ID_STRUCTURE_VER_12 entirely as +it doesn't appear we can really use it for anything. + +I *think* we could technically skip all the structure +version checks as the block tags shouldn't conflict +between v2.0 and v1.x. But no harm in having a bit of +extra sanity checks I guess. + +So far I'm not aware of any user reported regressions +from overly strict check, but I do know that it broke +igt/kms_tiled_display's fake DisplayID as that one +gets generated with structure v1.0. + +Cc: Jani Nikula +Cc: Dmitry Osipenko +Fixes: c5a486af9df7 ("drm/edid: parse Tiled Display Topology Data Block for DisplayID 2.0") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240410180139.21352-1-ville.syrjala@linux.intel.com +Acked-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_edid.c | 2 +- + include/drm/drm_displayid.h | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 923c4423151c1..9064cdeb1319b 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -7324,7 +7324,7 @@ static void drm_parse_tiled_block(struct drm_connector *connector, + static bool displayid_is_tiled_block(const struct displayid_iter *iter, + const struct displayid_block *block) + { +- return (displayid_version(iter) == DISPLAY_ID_STRUCTURE_VER_12 && ++ return (displayid_version(iter) < DISPLAY_ID_STRUCTURE_VER_20 && + block->tag == DATA_BLOCK_TILED_DISPLAY) || + (displayid_version(iter) == DISPLAY_ID_STRUCTURE_VER_20 && + block->tag == DATA_BLOCK_2_TILED_DISPLAY_TOPOLOGY); +diff --git a/include/drm/drm_displayid.h b/include/drm/drm_displayid.h +index 566497eeb3b81..bc1f6b378195f 100644 +--- a/include/drm/drm_displayid.h ++++ b/include/drm/drm_displayid.h +@@ -30,7 +30,6 @@ struct drm_edid; + #define VESA_IEEE_OUI 0x3a0292 + + /* DisplayID Structure versions */ +-#define DISPLAY_ID_STRUCTURE_VER_12 0x12 + #define DISPLAY_ID_STRUCTURE_VER_20 0x20 + + /* DisplayID Structure v1r2 Data Blocks */ +-- +2.43.0 + diff --git a/queue-6.9/drm-imagination-avoid-woverflow-warning.patch b/queue-6.9/drm-imagination-avoid-woverflow-warning.patch new file mode 100644 index 00000000000..4f967cd50f8 --- /dev/null +++ b/queue-6.9/drm-imagination-avoid-woverflow-warning.patch @@ -0,0 +1,64 @@ +From 6d5507dfa1d4850bff0cd628a063c530836c5ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 14:01:09 +0100 +Subject: drm/imagination: avoid -Woverflow warning + +From: Arnd Bergmann + +[ Upstream commit 07b9d0144fff9af08b8dcd0ae134510bfd539e42 ] + +The array size calculation in pvr_vm_mips_fini() appears to be incorrect based on +taking the size of the pointer rather than the size of the array, which manifests +as a warning about signed integer overflow: + +In file included from include/linux/kernel.h:16, + from drivers/gpu/drm/imagination/pvr_rogue_fwif.h:10, + from drivers/gpu/drm/imagination/pvr_ccb.h:7, + from drivers/gpu/drm/imagination/pvr_device.h:7, + from drivers/gpu/drm/imagination/pvr_vm_mips.c:4: +drivers/gpu/drm/imagination/pvr_vm_mips.c: In function 'pvr_vm_mips_fini': +include/linux/array_size.h:11:25: error: overflow in conversion from 'long unsigned int' to 'int' changes value from '18446744073709551615' to '-1' [-Werror=overflow] + 11 | #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) + | ^ +drivers/gpu/drm/imagination/pvr_vm_mips.c:106:24: note: in expansion of macro 'ARRAY_SIZE' + 106 | for (page_nr = ARRAY_SIZE(mips_data->pt_pages) - 1; page_nr >= 0; page_nr--) { + | ^~~~~~~~~~ + +Just use the number of array elements directly here, and in the corresponding +init function for consistency. + +Fixes: 927f3e0253c1 ("drm/imagination: Implement MIPS firmware processor and MMU support") +Reviewed-by: Donald Robson +Link: https://lore.kernel.org/lkml/9df9e4f87727399928c068dbbf614c9895ae15f9.camel@imgtec.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Matt Coster +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imagination/pvr_vm_mips.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/imagination/pvr_vm_mips.c b/drivers/gpu/drm/imagination/pvr_vm_mips.c +index b7fef3c797e6c..4f99b4af871c0 100644 +--- a/drivers/gpu/drm/imagination/pvr_vm_mips.c ++++ b/drivers/gpu/drm/imagination/pvr_vm_mips.c +@@ -46,7 +46,7 @@ pvr_vm_mips_init(struct pvr_device *pvr_dev) + if (!mips_data) + return -ENOMEM; + +- for (page_nr = 0; page_nr < ARRAY_SIZE(mips_data->pt_pages); page_nr++) { ++ for (page_nr = 0; page_nr < PVR_MIPS_PT_PAGE_COUNT; page_nr++) { + mips_data->pt_pages[page_nr] = alloc_page(GFP_KERNEL | __GFP_ZERO); + if (!mips_data->pt_pages[page_nr]) { + err = -ENOMEM; +@@ -102,7 +102,7 @@ pvr_vm_mips_fini(struct pvr_device *pvr_dev) + int page_nr; + + vunmap(mips_data->pt); +- for (page_nr = ARRAY_SIZE(mips_data->pt_pages) - 1; page_nr >= 0; page_nr--) { ++ for (page_nr = PVR_MIPS_PT_PAGE_COUNT - 1; page_nr >= 0; page_nr--) { + dma_unmap_page(from_pvr_device(pvr_dev)->dev, + mips_data->pt_dma_addr[page_nr], PAGE_SIZE, DMA_TO_DEVICE); + +-- +2.43.0 + diff --git a/queue-6.9/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch b/queue-6.9/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch new file mode 100644 index 00000000000..f507db1af8c --- /dev/null +++ b/queue-6.9/drm-lcdif-do-not-disable-clocks-on-already-suspended.patch @@ -0,0 +1,61 @@ +From 8ba249b98e7771928389cea0be13150571f4d072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 09:26:27 +0100 +Subject: drm/lcdif: Do not disable clocks on already suspended hardware + +From: Marek Vasut + +[ Upstream commit 172695f145fb4798ab605e8a73f6e87711930124 ] + +In case the LCDIF is enabled in DT but unused, the clocks used by the +LCDIF are not enabled. Those clocks may even have a use count of 0 in +case there are no other users of those clocks. This can happen e.g. in +case the LCDIF drives HDMI bridge which has no panel plugged into the +HDMI connector. + +Do not attempt to disable clocks in the suspend callback and re-enable +clocks in the resume callback unless the LCDIF is enabled and was in +use before the system entered suspend, otherwise the driver might end +up trying to disable clocks which are already disabled with use count +0, and would trigger a warning from clock core about this condition. + +Note that the lcdif_rpm_suspend() and lcdif_rpm_resume() functions +internally perform the clocks disable and enable operations and act +as runtime PM hooks too. + +Reviewed-by: Liu Ying +Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant") +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/20240226082644.32603-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/lcdif_drv.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mxsfb/lcdif_drv.c b/drivers/gpu/drm/mxsfb/lcdif_drv.c +index ea10bf81582e9..0f895b8a99d62 100644 +--- a/drivers/gpu/drm/mxsfb/lcdif_drv.c ++++ b/drivers/gpu/drm/mxsfb/lcdif_drv.c +@@ -343,6 +343,9 @@ static int __maybe_unused lcdif_suspend(struct device *dev) + if (ret) + return ret; + ++ if (pm_runtime_suspended(dev)) ++ return 0; ++ + return lcdif_rpm_suspend(dev); + } + +@@ -350,7 +353,8 @@ static int __maybe_unused lcdif_resume(struct device *dev) + { + struct drm_device *drm = dev_get_drvdata(dev); + +- lcdif_rpm_resume(dev); ++ if (!pm_runtime_suspended(dev)) ++ lcdif_rpm_resume(dev); + + return drm_mode_config_helper_resume(drm); + } +-- +2.43.0 + diff --git a/queue-6.9/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch b/queue-6.9/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch new file mode 100644 index 00000000000..3d5708999f9 --- /dev/null +++ b/queue-6.9/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch @@ -0,0 +1,44 @@ +From 8e59fd2e602c08aadd9c3d4d4fddbabed6a0b56b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:00:51 -0500 +Subject: drm/mediatek: Add 0 size check to mtk_drm_gem_obj + +From: Justin Green + +[ Upstream commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 ] + +Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object +of 0 bytes. Currently, no such check exists and the kernel will panic if +a userspace application attempts to allocate a 0x0 GBM buffer. + +Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and +verifying that we now return EINVAL. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Justin Green +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index 4f2e3feabc0f8..1bf229615b018 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -38,6 +38,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev, + + size = round_up(size, PAGE_SIZE); + ++ if (size == 0) ++ return ERR_PTR(-EINVAL); ++ + mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL); + if (!mtk_gem_obj) + return ERR_PTR(-ENOMEM); +-- +2.43.0 + diff --git a/queue-6.9/drm-mediatek-init-ddp_comp-with-devm_kcalloc.patch b/queue-6.9/drm-mediatek-init-ddp_comp-with-devm_kcalloc.patch new file mode 100644 index 00000000000..79a3ea01a14 --- /dev/null +++ b/queue-6.9/drm-mediatek-init-ddp_comp-with-devm_kcalloc.patch @@ -0,0 +1,60 @@ +From 12f3f03cf713bd0473b81c830808f567388867ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 09:22:49 -0700 +Subject: drm/mediatek: Init `ddp_comp` with devm_kcalloc() + +From: Douglas Anderson + +[ Upstream commit 01a2c5123e27b3c4685bf2fc4c2e879f6e0c7b33 ] + +In the case where `conn_routes` is true we allocate an extra slot in +the `ddp_comp` array but mtk_drm_crtc_create() never seemed to +initialize it in the test case I ran. For me, this caused a later +crash when we looped through the array in mtk_drm_crtc_mode_valid(). +This showed up for me when I booted with `slub_debug=FZPUA` which +poisons the memory initially. Without `slub_debug` I couldn't +reproduce, presumably because the later code handles the value being +NULL and in most cases (not guaranteed in all cases) the memory the +allocator returned started out as 0. + +It really doesn't hurt to initialize the array with devm_kcalloc() +since the array is small and the overhead of initting a handful of +elements to 0 is small. In general initting memory to zero is a safer +practice and usually it's suggested to only use the non-initting alloc +functions if you really need to. + +Let's switch the function to use an allocation function that zeros the +memory. For me, this avoids the crash. + +Fixes: 01389b324c97 ("drm/mediatek: Add connector dynamic selection capability") +Signed-off-by: Douglas Anderson +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240328092248.1.I2e73c38c0f264ee2fa4a09cdd83994e37ba9f541@changeid/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index a04499c4f9ca2..29207b2756c14 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -1009,10 +1009,10 @@ int mtk_drm_crtc_create(struct drm_device *drm_dev, + + mtk_crtc->mmsys_dev = priv->mmsys_dev; + mtk_crtc->ddp_comp_nr = path_len; +- mtk_crtc->ddp_comp = devm_kmalloc_array(dev, +- mtk_crtc->ddp_comp_nr + (conn_routes ? 1 : 0), +- sizeof(*mtk_crtc->ddp_comp), +- GFP_KERNEL); ++ mtk_crtc->ddp_comp = devm_kcalloc(dev, ++ mtk_crtc->ddp_comp_nr + (conn_routes ? 1 : 0), ++ sizeof(*mtk_crtc->ddp_comp), ++ GFP_KERNEL); + if (!mtk_crtc->ddp_comp) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-6.9/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch b/queue-6.9/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch new file mode 100644 index 00000000000..bd4d172e9c3 --- /dev/null +++ b/queue-6.9/drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch @@ -0,0 +1,65 @@ +From ffc19173a6c7c99fd215e646d2301a27491f3baa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 23:07:04 +0000 +Subject: drm/meson: vclk: fix calculation of 59.94 fractional rates + +From: Christian Hewitt + +[ Upstream commit bfbc68e4d8695497f858a45a142665e22a512ea3 ] + +Playing 4K media with 59.94 fractional rate (typically VP9) causes the screen to lose +sync with the following error reported in the system log: + +[ 89.610280] Fatal Error, invalid HDMI vclk freq 593406 + +Modetest shows the following: + +3840x2160 59.94 3840 4016 4104 4400 2160 2168 2178 2250 593407 flags: xxxx, xxxx, +drm calculated value -------------------------------------^ + +Change the fractional rate calculation to stop DIV_ROUND_CLOSEST rounding down which +results in vclk freq failing to match correctly. + +Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup") +Signed-off-by: Christian Hewitt +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240109230704.4120561-1-christianshewitt@gmail.com +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20240109230704.4120561-1-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_vclk.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c +index 2a82119eb58ed..2a942dc6a6dc2 100644 +--- a/drivers/gpu/drm/meson/meson_vclk.c ++++ b/drivers/gpu/drm/meson/meson_vclk.c +@@ -790,13 +790,13 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq, + FREQ_1000_1001(params[i].pixel_freq)); + DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n", + i, params[i].phy_freq, +- FREQ_1000_1001(params[i].phy_freq/10)*10); ++ FREQ_1000_1001(params[i].phy_freq/1000)*1000); + /* Match strict frequency */ + if (phy_freq == params[i].phy_freq && + vclk_freq == params[i].vclk_freq) + return MODE_OK; + /* Match 1000/1001 variant */ +- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) && ++ if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/1000)*1000) && + vclk_freq == FREQ_1000_1001(params[i].vclk_freq)) + return MODE_OK; + } +@@ -1070,7 +1070,7 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target, + + for (freq = 0 ; params[freq].pixel_freq ; ++freq) { + if ((phy_freq == params[freq].phy_freq || +- phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) && ++ phy_freq == FREQ_1000_1001(params[freq].phy_freq/1000)*1000) && + (vclk_freq == params[freq].vclk_freq || + vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) { + if (vclk_freq != params[freq].vclk_freq) +-- +2.43.0 + diff --git a/queue-6.9/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch b/queue-6.9/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch new file mode 100644 index 00000000000..5d4cab71b16 --- /dev/null +++ b/queue-6.9/drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch @@ -0,0 +1,69 @@ +From 89f910191dfcdc1c9b8f07a674225a7e8390f7b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 02:53:51 +0300 +Subject: drm/mipi-dsi: use correct return type for the DSC functions + +From: Dmitry Baryshkov + +[ Upstream commit de1c705c50326acaceaf1f02bc5bf6f267c572bd ] + +The functions mipi_dsi_compression_mode() and +mipi_dsi_picture_parameter_set() return 0-or-error rather than a buffer +size. Follow example of other similar MIPI DSI functions and use int +return type instead of size_t. + +Fixes: f4dea1aaa9a1 ("drm/dsi: add helpers for DSI compression mode and PPS packets") +Reviewed-by: Marijn Suijten +Reviewed-by: Jessica Zhang +Signed-off-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20240408-lg-sw43408-panel-v5-2-4e092da22991@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- + include/drm/drm_mipi_dsi.h | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index ef6e416522f8a..9874ff6d47181 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -654,7 +654,7 @@ EXPORT_SYMBOL(mipi_dsi_set_maximum_return_packet_size); + * + * Return: 0 on success or a negative error code on failure. + */ +-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) ++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) + { + /* Note: Needs updating for non-default PPS or algorithm */ + u8 tx[2] = { enable << 0, 0 }; +@@ -679,8 +679,8 @@ EXPORT_SYMBOL(mipi_dsi_compression_mode); + * + * Return: 0 on success or a negative error code on failure. + */ +-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, +- const struct drm_dsc_picture_parameter_set *pps) ++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, ++ const struct drm_dsc_picture_parameter_set *pps) + { + struct mipi_dsi_msg msg = { + .channel = dsi->channel, +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index c0aec0d4d664e..3011d33eccbd2 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -241,9 +241,9 @@ int mipi_dsi_shutdown_peripheral(struct mipi_dsi_device *dsi); + int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi); + int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi, + u16 value); +-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); +-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, +- const struct drm_dsc_picture_parameter_set *pps); ++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); ++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, ++ const struct drm_dsc_picture_parameter_set *pps); + + ssize_t mipi_dsi_generic_write(struct mipi_dsi_device *dsi, const void *payload, + size_t size); +-- +2.43.0 + diff --git a/queue-6.9/drm-msm-dp-account-for-the-timeout-in-wait_hpd_asser.patch b/queue-6.9/drm-msm-dp-account-for-the-timeout-in-wait_hpd_asser.patch new file mode 100644 index 00000000000..69e0d84c706 --- /dev/null +++ b/queue-6.9/drm-msm-dp-account-for-the-timeout-in-wait_hpd_asser.patch @@ -0,0 +1,97 @@ +From 1e7b8fc98898d84df3323209d008f43d948a8c5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 14:36:30 -0700 +Subject: drm/msm/dp: Account for the timeout in wait_hpd_asserted() callback + +From: Douglas Anderson + +[ Upstream commit c8520d5e5d8fe2e329f21ce04464a22b3d456caa ] + +The DP wait_hpd_asserted() callback is passed a timeout which +indicates how long we should wait for HPD. This timeout was being +ignored in the MSM DP implementation and instead a hardcoded 500 ms +timeout was used. Fix it to use the proper timeout. + +As part of this we move the hardcoded 500 ms number into the AUX +transfer function, which isn't given a timeout. The wait in the AUX +transfer function will be removed in a future commit. + +Fixes: e2969ee30252 ("drm/msm/dp: move of_dp_aux_populate_bus() to eDP probe()") +Signed-off-by: Douglas Anderson +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/583128/ +Link: https://lore.kernel.org/r/20240315143621.v2.2.I7758d18a1773821fa39c034b16a12ef3f18a51ee@changeid +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 5 +++-- + drivers/gpu/drm/msm/dp/dp_catalog.c | 7 ++++--- + drivers/gpu/drm/msm/dp/dp_catalog.h | 3 ++- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index f98d089ea5b1a..707489776e913 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -325,7 +325,8 @@ static ssize_t dp_aux_transfer(struct drm_dp_aux *dp_aux, + * avoid ever doing the extra long wait for DP. + */ + if (aux->is_edp) { +- ret = dp_catalog_aux_wait_for_hpd_connect_state(aux->catalog); ++ ret = dp_catalog_aux_wait_for_hpd_connect_state(aux->catalog, ++ 500000); + if (ret) { + DRM_DEBUG_DP("Panel not ready for aux transactions\n"); + goto exit; +@@ -533,7 +534,7 @@ static int dp_wait_hpd_asserted(struct drm_dp_aux *dp_aux, + aux = container_of(dp_aux, struct dp_aux_private, dp_aux); + + pm_runtime_get_sync(aux->dev); +- ret = dp_catalog_aux_wait_for_hpd_connect_state(aux->catalog); ++ ret = dp_catalog_aux_wait_for_hpd_connect_state(aux->catalog, wait_us); + pm_runtime_put_sync(aux->dev); + + return ret; +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c +index 3e7c84cdef472..628c8181ddd48 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.c ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c +@@ -263,17 +263,18 @@ void dp_catalog_aux_enable(struct dp_catalog *dp_catalog, bool enable) + dp_write_aux(catalog, REG_DP_AUX_CTRL, aux_ctrl); + } + +-int dp_catalog_aux_wait_for_hpd_connect_state(struct dp_catalog *dp_catalog) ++int dp_catalog_aux_wait_for_hpd_connect_state(struct dp_catalog *dp_catalog, ++ unsigned long wait_us) + { + u32 state; + struct dp_catalog_private *catalog = container_of(dp_catalog, + struct dp_catalog_private, dp_catalog); + +- /* poll for hpd connected status every 2ms and timeout after 500ms */ ++ /* poll for hpd connected status every 2ms and timeout after wait_us */ + return readl_poll_timeout(catalog->io.aux.base + + REG_DP_DP_HPD_INT_STATUS, + state, state & DP_DP_HPD_STATE_STATUS_CONNECTED, +- 2000, 500000); ++ min(wait_us, 2000), wait_us); + } + + static void dump_regs(void __iomem *base, int len) +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.h b/drivers/gpu/drm/msm/dp/dp_catalog.h +index 75ec290127c77..72a85810607e8 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.h ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.h +@@ -87,7 +87,8 @@ int dp_catalog_aux_clear_trans(struct dp_catalog *dp_catalog, bool read); + int dp_catalog_aux_clear_hw_interrupts(struct dp_catalog *dp_catalog); + void dp_catalog_aux_reset(struct dp_catalog *dp_catalog); + void dp_catalog_aux_enable(struct dp_catalog *dp_catalog, bool enable); +-int dp_catalog_aux_wait_for_hpd_connect_state(struct dp_catalog *dp_catalog); ++int dp_catalog_aux_wait_for_hpd_connect_state(struct dp_catalog *dp_catalog, ++ unsigned long wait_us); + u32 dp_catalog_aux_get_irq(struct dp_catalog *dp_catalog); + + /* DP Controller APIs */ +-- +2.43.0 + diff --git a/queue-6.9/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch b/queue-6.9/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch new file mode 100644 index 00000000000..977d9dea427 --- /dev/null +++ b/queue-6.9/drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch @@ -0,0 +1,138 @@ +From 7e365911e16d875a71fdd10d412db71b2f50aded Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 15:47:25 +0200 +Subject: drm/msm/dp: allow voltage swing / pre emphasis of 3 + +From: Dmitry Baryshkov + +[ Upstream commit 22578178e5dd6d3aa4490879df8b6c2977d980be ] + +Both dp_link_adjust_levels() and dp_ctrl_update_vx_px() limit swing and +pre-emphasis to 2, while the real maximum value for the sum of the +voltage swing and pre-emphasis is 3. Fix the DP code to remove this +limitation. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Kuogee Hsieh +Tested-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/577006/ +Link: https://lore.kernel.org/r/20240203-dp-swing-3-v1-1-6545e1706196@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 6 +++--- + drivers/gpu/drm/msm/dp/dp_link.c | 22 +++++++++++----------- + drivers/gpu/drm/msm/dp/dp_link.h | 14 +------------- + 3 files changed, 15 insertions(+), 27 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index c4dda1faef677..112c7e54fc7a6 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1052,14 +1052,14 @@ static int dp_ctrl_update_vx_px(struct dp_ctrl_private *ctrl) + if (ret) + return ret; + +- if (voltage_swing_level >= DP_TRAIN_VOLTAGE_SWING_MAX) { ++ if (voltage_swing_level >= DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(ctrl->drm_dev, + "max. voltage swing level reached %d\n", + voltage_swing_level); + max_level_reached |= DP_TRAIN_MAX_SWING_REACHED; + } + +- if (pre_emphasis_level >= DP_TRAIN_PRE_EMPHASIS_MAX) { ++ if (pre_emphasis_level >= DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(ctrl->drm_dev, + "max. pre-emphasis level reached %d\n", + pre_emphasis_level); +@@ -1150,7 +1150,7 @@ static int dp_ctrl_link_train_1(struct dp_ctrl_private *ctrl, + } + + if (ctrl->link->phy_params.v_level >= +- DP_TRAIN_VOLTAGE_SWING_MAX) { ++ DP_TRAIN_LEVEL_MAX) { + DRM_ERROR_RATELIMITED("max v_level reached\n"); + return -EAGAIN; + } +diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c +index 49dfac1fd1ef2..ea911d9244be7 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.c ++++ b/drivers/gpu/drm/msm/dp/dp_link.c +@@ -1109,6 +1109,7 @@ int dp_link_get_colorimetry_config(struct dp_link *dp_link) + int dp_link_adjust_levels(struct dp_link *dp_link, u8 *link_status) + { + int i; ++ u8 max_p_level; + int v_max = 0, p_max = 0; + struct dp_link_private *link; + +@@ -1140,30 +1141,29 @@ int dp_link_adjust_levels(struct dp_link *dp_link, u8 *link_status) + * Adjust the voltage swing and pre-emphasis level combination to within + * the allowable range. + */ +- if (dp_link->phy_params.v_level > DP_TRAIN_VOLTAGE_SWING_MAX) { ++ if (dp_link->phy_params.v_level > DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(link->drm_dev, + "Requested vSwingLevel=%d, change to %d\n", + dp_link->phy_params.v_level, +- DP_TRAIN_VOLTAGE_SWING_MAX); +- dp_link->phy_params.v_level = DP_TRAIN_VOLTAGE_SWING_MAX; ++ DP_TRAIN_LEVEL_MAX); ++ dp_link->phy_params.v_level = DP_TRAIN_LEVEL_MAX; + } + +- if (dp_link->phy_params.p_level > DP_TRAIN_PRE_EMPHASIS_MAX) { ++ if (dp_link->phy_params.p_level > DP_TRAIN_LEVEL_MAX) { + drm_dbg_dp(link->drm_dev, + "Requested preEmphasisLevel=%d, change to %d\n", + dp_link->phy_params.p_level, +- DP_TRAIN_PRE_EMPHASIS_MAX); +- dp_link->phy_params.p_level = DP_TRAIN_PRE_EMPHASIS_MAX; ++ DP_TRAIN_LEVEL_MAX); ++ dp_link->phy_params.p_level = DP_TRAIN_LEVEL_MAX; + } + +- if ((dp_link->phy_params.p_level > DP_TRAIN_PRE_EMPHASIS_LVL_1) +- && (dp_link->phy_params.v_level == +- DP_TRAIN_VOLTAGE_SWING_LVL_2)) { ++ max_p_level = DP_TRAIN_LEVEL_MAX - dp_link->phy_params.v_level; ++ if (dp_link->phy_params.p_level > max_p_level) { + drm_dbg_dp(link->drm_dev, + "Requested preEmphasisLevel=%d, change to %d\n", + dp_link->phy_params.p_level, +- DP_TRAIN_PRE_EMPHASIS_LVL_1); +- dp_link->phy_params.p_level = DP_TRAIN_PRE_EMPHASIS_LVL_1; ++ max_p_level); ++ dp_link->phy_params.p_level = max_p_level; + } + + drm_dbg_dp(link->drm_dev, "adjusted: v_level=%d, p_level=%d\n", +diff --git a/drivers/gpu/drm/msm/dp/dp_link.h b/drivers/gpu/drm/msm/dp/dp_link.h +index 83da170bc56bf..42aed9c90b732 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.h ++++ b/drivers/gpu/drm/msm/dp/dp_link.h +@@ -19,19 +19,7 @@ struct dp_link_info { + unsigned long capabilities; + }; + +-enum dp_link_voltage_level { +- DP_TRAIN_VOLTAGE_SWING_LVL_0 = 0, +- DP_TRAIN_VOLTAGE_SWING_LVL_1 = 1, +- DP_TRAIN_VOLTAGE_SWING_LVL_2 = 2, +- DP_TRAIN_VOLTAGE_SWING_MAX = DP_TRAIN_VOLTAGE_SWING_LVL_2, +-}; +- +-enum dp_link_preemaphasis_level { +- DP_TRAIN_PRE_EMPHASIS_LVL_0 = 0, +- DP_TRAIN_PRE_EMPHASIS_LVL_1 = 1, +- DP_TRAIN_PRE_EMPHASIS_LVL_2 = 2, +- DP_TRAIN_PRE_EMPHASIS_MAX = DP_TRAIN_PRE_EMPHASIS_LVL_2, +-}; ++#define DP_TRAIN_LEVEL_MAX 3 + + struct dp_link_test_video { + u32 test_video_pattern; +-- +2.43.0 + diff --git a/queue-6.9/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch b/queue-6.9/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch new file mode 100644 index 00000000000..96aa5be0ae6 --- /dev/null +++ b/queue-6.9/drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch @@ -0,0 +1,133 @@ +From 745d47dff724283b54e027130def27f862c221db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 14:36:29 -0700 +Subject: drm/msm/dp: Avoid a long timeout for AUX transfer if nothing + connected + +From: Douglas Anderson + +[ Upstream commit 5d1a7493343cc00d9019880b686e4e0a0f649531 ] + +As documented in the description of the transfer() function of +"struct drm_dp_aux", the transfer() function can be called at any time +regardless of the state of the DP port. Specifically if the kernel has +the DP AUX character device enabled and userspace accesses +"/dev/drm_dp_auxN" directly then the AUX transfer function will be +called regardless of whether a DP device is connected. + +For eDP panels we have a special rule where we wait (with a 5 second +timeout) for HPD to go high. This rule was important before all panels +drivers were converted to call wait_hpd_asserted() and actually can be +removed in a future commit. + +For external DP devices we never checked for HPD. That means that +trying to access the DP AUX character device (AKA `hexdump -C +/dev/drm_dp_auxN`) would very, very slowly timeout. Specifically on my +system: + $ time hexdump -C /dev/drm_dp_aux0 + hexdump: /dev/drm_dp_aux0: Connection timed out + real 0m8.200s +We want access to the drm_dp_auxN character device to fail faster than +8 seconds when no DP cable is plugged in. + +Let's add a test to make transfers fail right away if a device isn't +plugged in. Rather than testing the HPD line directly, we have the +dp_display module tell us when AUX transfers should be enabled so we +can handle cases where HPD is signaled out of band like with Type C. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Douglas Anderson +Reviewed-by: Guenter Roeck +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/583127/ +Link: https://lore.kernel.org/r/20240315143621.v2.1.I16aff881c9fe82b5e0fc06ca312da017aa7b5b3e@changeid +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 20 ++++++++++++++++++++ + drivers/gpu/drm/msm/dp/dp_aux.h | 1 + + drivers/gpu/drm/msm/dp/dp_display.c | 4 ++++ + 3 files changed, 25 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index adbd5a367395c..f98d089ea5b1a 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -38,6 +38,7 @@ struct dp_aux_private { + bool no_send_stop; + bool initted; + bool is_edp; ++ bool enable_xfers; + u32 offset; + u32 segment; + +@@ -304,6 +305,17 @@ static ssize_t dp_aux_transfer(struct drm_dp_aux *dp_aux, + goto exit; + } + ++ /* ++ * If we're using DP and an external display isn't connected then the ++ * transfer won't succeed. Return right away. If we don't do this we ++ * can end up with long timeouts if someone tries to access the DP AUX ++ * character device when no DP device is connected. ++ */ ++ if (!aux->is_edp && !aux->enable_xfers) { ++ ret = -ENXIO; ++ goto exit; ++ } ++ + /* + * For eDP it's important to give a reasonably long wait here for HPD + * to be asserted. This is because the panel driver may have _just_ +@@ -436,6 +448,14 @@ irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux) + return IRQ_HANDLED; + } + ++void dp_aux_enable_xfers(struct drm_dp_aux *dp_aux, bool enabled) ++{ ++ struct dp_aux_private *aux; ++ ++ aux = container_of(dp_aux, struct dp_aux_private, dp_aux); ++ aux->enable_xfers = enabled; ++} ++ + void dp_aux_reconfig(struct drm_dp_aux *dp_aux) + { + struct dp_aux_private *aux; +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.h b/drivers/gpu/drm/msm/dp/dp_aux.h +index f47d591c1f54e..4f65e892a8076 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.h ++++ b/drivers/gpu/drm/msm/dp/dp_aux.h +@@ -12,6 +12,7 @@ + int dp_aux_register(struct drm_dp_aux *dp_aux); + void dp_aux_unregister(struct drm_dp_aux *dp_aux); + irqreturn_t dp_aux_isr(struct drm_dp_aux *dp_aux); ++void dp_aux_enable_xfers(struct drm_dp_aux *dp_aux, bool enabled); + void dp_aux_init(struct drm_dp_aux *dp_aux); + void dp_aux_deinit(struct drm_dp_aux *dp_aux); + void dp_aux_reconfig(struct drm_dp_aux *dp_aux); +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index ffbfde9225898..36a0ef1cdc1b9 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -555,6 +555,8 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data) + int ret; + struct platform_device *pdev = dp->dp_display.pdev; + ++ dp_aux_enable_xfers(dp->aux, true); ++ + mutex_lock(&dp->event_mutex); + + state = dp->hpd_state; +@@ -620,6 +622,8 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + u32 state; + struct platform_device *pdev = dp->dp_display.pdev; + ++ dp_aux_enable_xfers(dp->aux, false); ++ + mutex_lock(&dp->event_mutex); + + state = dp->hpd_state; +-- +2.43.0 + diff --git a/queue-6.9/drm-nouveau-dp-fix-incorrect-return-code-in-r535_dp_.patch b/queue-6.9/drm-nouveau-dp-fix-incorrect-return-code-in-r535_dp_.patch new file mode 100644 index 00000000000..4d62bb844fc --- /dev/null +++ b/queue-6.9/drm-nouveau-dp-fix-incorrect-return-code-in-r535_dp_.patch @@ -0,0 +1,48 @@ +From df84efea825c7c6f3b0fd87984e5e536ac993dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 17:20:56 -0400 +Subject: drm/nouveau/dp: Fix incorrect return code in r535_dp_aux_xfer() + +From: Lyude Paul + +[ Upstream commit 97252d0a4bfbb07079503d059f7522d305fe0f7a ] + +I've recently been seeing some unexplained GSP errors on my RTX 6000 from +failed aux transactions: + + [ 132.915867] nouveau 0000:1f:00.0: gsp: cli:0xc1d00002 obj:0x00730000 + ctrl cmd:0x00731341 failed: 0x0000ffff + +While the cause of these is not yet clear, these messages made me notice +that the aux transactions causing these transactions were succeeding - not +failing. As it turns out, this is because we're currently not returning the +correct variable when r535_dp_aux_xfer() hits an error - causing us to +never propagate GSP errors for failed aux transactions to userspace. + +So, let's fix that. + +Fixes: 4ae3a20102b2 ("nouveau/gsp: don't free ctrl messages on errors") +Signed-off-by: Lyude Paul +Reviewed-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20240315212104.776936-1-lyude@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c +index 6a0a4d3b8902d..027867c2a8c5b 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c +@@ -1080,7 +1080,7 @@ r535_dp_aux_xfer(struct nvkm_outp *outp, u8 type, u32 addr, u8 *data, u8 *psize) + ret = nvkm_gsp_rm_ctrl_push(&disp->rm.objcom, &ctrl, sizeof(*ctrl)); + if (ret) { + nvkm_gsp_rm_ctrl_done(&disp->rm.objcom, ctrl); +- return PTR_ERR(ctrl); ++ return ret; + } + + memcpy(data, ctrl->data, size); +-- +2.43.0 + diff --git a/queue-6.9/drm-omapdrm-fix-console-by-implementing-fb_dirty.patch b/queue-6.9/drm-omapdrm-fix-console-by-implementing-fb_dirty.patch new file mode 100644 index 00000000000..133e06b0404 --- /dev/null +++ b/queue-6.9/drm-omapdrm-fix-console-by-implementing-fb_dirty.patch @@ -0,0 +1,54 @@ +From 83e471c099f964d7fa659e983be3372ba932c424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 08:35:31 +0200 +Subject: drm/omapdrm: Fix console by implementing fb_dirty + +From: Tony Lindgren + +[ Upstream commit 632bac50544c0929ced9eed41e7d04c08adecbb0 ] + +The framebuffer console stopped updating with commit f231af498c29 +("drm/fb-helper: Disconnect damage worker from update logic"). + +Let's fix the issue by implementing fb_dirty similar to what was done +with commit 039a72ce7e57 ("drm/i915/fbdev: Implement fb_dirty for intel +custom fb helper"). + +Fixes: f231af498c29 ("drm/fb-helper: Disconnect damage worker from update logic") +Reviewed-by: Thomas Zimmermann +Signed-off-by: Tony Lindgren +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240228063540.4444-2-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/omap_fbdev.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/omapdrm/omap_fbdev.c b/drivers/gpu/drm/omapdrm/omap_fbdev.c +index 6b08b137af1ad..7c5af3de1e727 100644 +--- a/drivers/gpu/drm/omapdrm/omap_fbdev.c ++++ b/drivers/gpu/drm/omapdrm/omap_fbdev.c +@@ -238,8 +238,20 @@ static int omap_fbdev_create(struct drm_fb_helper *helper, + return ret; + } + ++static int omap_fbdev_dirty(struct drm_fb_helper *helper, struct drm_clip_rect *clip) ++{ ++ if (!(clip->x1 < clip->x2 && clip->y1 < clip->y2)) ++ return 0; ++ ++ if (helper->fb->funcs->dirty) ++ return helper->fb->funcs->dirty(helper->fb, NULL, 0, 0, clip, 1); ++ ++ return 0; ++} ++ + static const struct drm_fb_helper_funcs omap_fb_helper_funcs = { + .fb_probe = omap_fbdev_create, ++ .fb_dirty = omap_fbdev_dirty, + }; + + static struct drm_fb_helper *get_fb(struct fb_info *fbi) +-- +2.43.0 + diff --git a/queue-6.9/drm-omapdrm-fix-console-with-deferred-ops.patch b/queue-6.9/drm-omapdrm-fix-console-with-deferred-ops.patch new file mode 100644 index 00000000000..a9e3f1afc5f --- /dev/null +++ b/queue-6.9/drm-omapdrm-fix-console-with-deferred-ops.patch @@ -0,0 +1,156 @@ +From 7d393e7c5ddff74011d4d223dac5618c2a12ade5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 08:35:32 +0200 +Subject: drm/omapdrm: Fix console with deferred ops + +From: Tony Lindgren + +[ Upstream commit 01c0cce88c5480cc2505b79330246ef12eda938f ] + +Commit 95da53d63dcf ("drm/omapdrm: Use regular fbdev I/O helpers") +stopped console from updating for command mode displays because there is +no damage handling in fb_sys_write() unlike we had earlier in +drm_fb_helper_sys_write(). + +Let's fix the issue by adding FB_GEN_DEFAULT_DEFERRED_DMAMEM_OPS and +FB_DMAMEM_HELPERS_DEFERRED as suggested by Thomas. We cannot use the +FB_DEFAULT_DEFERRED_OPS as fb_deferred_io_mmap() won't work properly +for write-combine. + +Fixes: 95da53d63dcf ("drm/omapdrm: Use regular fbdev I/O helpers") +Suggested-by: Thomas Zimmermann +Reviewed-by: Thomas Zimmermann +Signed-off-by: Tony Lindgren +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240228063540.4444-3-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/Kconfig | 2 +- + drivers/gpu/drm/omapdrm/omap_fbdev.c | 28 ++++++++++++++++++++++------ + drivers/video/fbdev/core/Kconfig | 6 ++++++ + include/linux/fb.h | 4 ++++ + 4 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/omapdrm/Kconfig b/drivers/gpu/drm/omapdrm/Kconfig +index b715301ec79f6..6c49270cb290a 100644 +--- a/drivers/gpu/drm/omapdrm/Kconfig ++++ b/drivers/gpu/drm/omapdrm/Kconfig +@@ -4,7 +4,7 @@ config DRM_OMAP + depends on DRM && OF + depends on ARCH_OMAP2PLUS + select DRM_KMS_HELPER +- select FB_DMAMEM_HELPERS if DRM_FBDEV_EMULATION ++ select FB_DMAMEM_HELPERS_DEFERRED if DRM_FBDEV_EMULATION + select VIDEOMODE_HELPERS + select HDMI + default n +diff --git a/drivers/gpu/drm/omapdrm/omap_fbdev.c b/drivers/gpu/drm/omapdrm/omap_fbdev.c +index 7c5af3de1e727..523be34682caf 100644 +--- a/drivers/gpu/drm/omapdrm/omap_fbdev.c ++++ b/drivers/gpu/drm/omapdrm/omap_fbdev.c +@@ -51,6 +51,10 @@ static void pan_worker(struct work_struct *work) + omap_gem_roll(bo, fbi->var.yoffset * npages); + } + ++FB_GEN_DEFAULT_DEFERRED_DMAMEM_OPS(omap_fbdev, ++ drm_fb_helper_damage_range, ++ drm_fb_helper_damage_area) ++ + static int omap_fbdev_pan_display(struct fb_var_screeninfo *var, + struct fb_info *fbi) + { +@@ -78,11 +82,9 @@ static int omap_fbdev_pan_display(struct fb_var_screeninfo *var, + + static int omap_fbdev_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) + { +- struct drm_fb_helper *helper = info->par; +- struct drm_framebuffer *fb = helper->fb; +- struct drm_gem_object *bo = drm_gem_fb_get_obj(fb, 0); ++ vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); + +- return drm_gem_mmap_obj(bo, omap_gem_mmap_size(bo), vma); ++ return fb_deferred_io_mmap(info, vma); + } + + static void omap_fbdev_fb_destroy(struct fb_info *info) +@@ -94,6 +96,7 @@ static void omap_fbdev_fb_destroy(struct fb_info *info) + + DBG(); + ++ fb_deferred_io_cleanup(info); + drm_fb_helper_fini(helper); + + omap_gem_unpin(bo); +@@ -104,15 +107,19 @@ static void omap_fbdev_fb_destroy(struct fb_info *info) + kfree(fbdev); + } + ++/* ++ * For now, we cannot use FB_DEFAULT_DEFERRED_OPS and fb_deferred_io_mmap() ++ * because we use write-combine. ++ */ + static const struct fb_ops omap_fb_ops = { + .owner = THIS_MODULE, +- __FB_DEFAULT_DMAMEM_OPS_RDWR, ++ __FB_DEFAULT_DEFERRED_OPS_RDWR(omap_fbdev), + .fb_check_var = drm_fb_helper_check_var, + .fb_set_par = drm_fb_helper_set_par, + .fb_setcmap = drm_fb_helper_setcmap, + .fb_blank = drm_fb_helper_blank, + .fb_pan_display = omap_fbdev_pan_display, +- __FB_DEFAULT_DMAMEM_OPS_DRAW, ++ __FB_DEFAULT_DEFERRED_OPS_DRAW(omap_fbdev), + .fb_ioctl = drm_fb_helper_ioctl, + .fb_mmap = omap_fbdev_fb_mmap, + .fb_destroy = omap_fbdev_fb_destroy, +@@ -213,6 +220,15 @@ static int omap_fbdev_create(struct drm_fb_helper *helper, + fbi->fix.smem_start = dma_addr; + fbi->fix.smem_len = bo->size; + ++ /* deferred I/O */ ++ helper->fbdefio.delay = HZ / 20; ++ helper->fbdefio.deferred_io = drm_fb_helper_deferred_io; ++ ++ fbi->fbdefio = &helper->fbdefio; ++ ret = fb_deferred_io_init(fbi); ++ if (ret) ++ goto fail; ++ + /* if we have DMM, then we can use it for scrolling by just + * shuffling pages around in DMM rather than doing sw blit. + */ +diff --git a/drivers/video/fbdev/core/Kconfig b/drivers/video/fbdev/core/Kconfig +index db09fe87fcd4f..0ab8848ba2f10 100644 +--- a/drivers/video/fbdev/core/Kconfig ++++ b/drivers/video/fbdev/core/Kconfig +@@ -144,6 +144,12 @@ config FB_DMAMEM_HELPERS + select FB_SYS_IMAGEBLIT + select FB_SYSMEM_FOPS + ++config FB_DMAMEM_HELPERS_DEFERRED ++ bool ++ depends on FB_CORE ++ select FB_DEFERRED_IO ++ select FB_DMAMEM_HELPERS ++ + config FB_IOMEM_FOPS + tristate + depends on FB_CORE +diff --git a/include/linux/fb.h b/include/linux/fb.h +index 0dd27364d56fe..811e47f9d1c3f 100644 +--- a/include/linux/fb.h ++++ b/include/linux/fb.h +@@ -694,6 +694,10 @@ extern int fb_deferred_io_fsync(struct file *file, loff_t start, + __FB_GEN_DEFAULT_DEFERRED_OPS_RDWR(__prefix, __damage_range, sys) \ + __FB_GEN_DEFAULT_DEFERRED_OPS_DRAW(__prefix, __damage_area, sys) + ++#define FB_GEN_DEFAULT_DEFERRED_DMAMEM_OPS(__prefix, __damage_range, __damage_area) \ ++ __FB_GEN_DEFAULT_DEFERRED_OPS_RDWR(__prefix, __damage_range, sys) \ ++ __FB_GEN_DEFAULT_DEFERRED_OPS_DRAW(__prefix, __damage_area, sys) ++ + /* + * Initializes struct fb_ops for deferred I/O. + */ +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch b/queue-6.9/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch new file mode 100644 index 00000000000..d83b70ce207 --- /dev/null +++ b/queue-6.9/drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch @@ -0,0 +1,74 @@ +From 10ed71cc417d990a46497645bc51f92069c2133d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 14:12:14 -0700 +Subject: drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD + doesn't assert + +From: Douglas Anderson + +[ Upstream commit 5e842d55bad7794823a50f24fd645b58f2ef93ab ] + +When the atna33xc20 driver was first written the resume code never +returned an error. If there was a problem waiting for HPD it just +printed a warning and moved on. This changed in response to review +feedback [1] on a future patch but I accidentally didn't account for +rolling back the regulator enable in the error cases. Do so now. + +[1] https://lore.kernel.org/all/5f3cf3a6-1cc2-63e4-f76b-4ee686764705@linaro.org/ + +Fixes: 3b5765df375c ("drm/panel: atna33xc20: Take advantage of wait_hpd_asserted() in struct drm_dp_aux") +Acked-by: Jessica Zhang +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20240313-homestarpanel-regulator-v1-1-b8e3a336da12@chromium.org +Signed-off-by: Sasha Levin +--- + .../gpu/drm/panel/panel-samsung-atna33xc20.c | 22 +++++++++++-------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +index 76c2a8f6718c8..9c336c71562b9 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c ++++ b/drivers/gpu/drm/panel/panel-samsung-atna33xc20.c +@@ -109,19 +109,17 @@ static int atana33xc20_resume(struct device *dev) + if (hpd_asserted < 0) + ret = hpd_asserted; + +- if (ret) ++ if (ret) { + dev_warn(dev, "Error waiting for HPD GPIO: %d\n", ret); +- +- return ret; +- } +- +- if (p->aux->wait_hpd_asserted) { ++ goto error; ++ } ++ } else if (p->aux->wait_hpd_asserted) { + ret = p->aux->wait_hpd_asserted(p->aux, HPD_MAX_US); + +- if (ret) ++ if (ret) { + dev_warn(dev, "Controller error waiting for HPD: %d\n", ret); +- +- return ret; ++ goto error; ++ } + } + + /* +@@ -133,6 +131,12 @@ static int atana33xc20_resume(struct device *dev) + * right times. + */ + return 0; ++ ++error: ++ drm_dp_dpcd_set_powered(p->aux, false); ++ regulator_disable(p->supply); ++ ++ return ret; + } + + static int atana33xc20_disable(struct drm_panel *panel) +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-edp-add-prepare_to_enable-to-200ms-for-mnc.patch b/queue-6.9/drm-panel-edp-add-prepare_to_enable-to-200ms-for-mnc.patch new file mode 100644 index 00000000000..536fcf21e4f --- /dev/null +++ b/queue-6.9/drm-panel-edp-add-prepare_to_enable-to-200ms-for-mnc.patch @@ -0,0 +1,56 @@ +From 9e8217e75980cec1e1188f7b2e74760fda72d7e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 16:40:06 +0800 +Subject: drm/panel-edp: Add prepare_to_enable to 200ms for MNC207QS1-1 + +From: Zhengqiao Xia + +[ Upstream commit e635b7eb7062b464bbd9795308b1a80eac0b01f5 ] + +For MNC207QS1-1 panel, Splash screen occur when switch from VT1 to VT2. +The BL_EN signal does not conform to the VESA protocol. +BL_EN signal needs to be pulled high after video signal. +So add prepare_to_enable to 200ms. + +[ dianders: Adjusted subject prefix and added Fixes tag ] + +Fixes: 0547692ac146 ("drm/panel-edp: Add several generic edp panels") +Signed-off-by: Zhengqiao Xia +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20240301084006.14422-1-xiazhengqiao@huaqin.corp-partner.google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-edp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-edp.c b/drivers/gpu/drm/panel/panel-edp.c +index d58f90bc48fba..745f3e48f02ac 100644 +--- a/drivers/gpu/drm/panel/panel-edp.c ++++ b/drivers/gpu/drm/panel/panel-edp.c +@@ -1865,6 +1865,13 @@ static const struct panel_delay delay_200_500_e50 = { + .enable = 50, + }; + ++static const struct panel_delay delay_200_500_e50_p2e200 = { ++ .hpd_absent = 200, ++ .unprepare = 500, ++ .enable = 50, ++ .prepare_to_enable = 200, ++}; ++ + static const struct panel_delay delay_200_500_e80 = { + .hpd_absent = 200, + .unprepare = 500, +@@ -2034,7 +2041,7 @@ static const struct edp_panel_entry edp_panels[] = { + EDP_PANEL_ENTRY('C', 'M', 'N', 0x14d6, &delay_200_500_e80_d50, "N140BGA-EA4"), + EDP_PANEL_ENTRY('C', 'M', 'N', 0x14e5, &delay_200_500_e80_d50, "N140HGA-EA1"), + +- EDP_PANEL_ENTRY('C', 'S', 'O', 0x1200, &delay_200_500_e50, "MNC207QS1-1"), ++ EDP_PANEL_ENTRY('C', 'S', 'O', 0x1200, &delay_200_500_e50_p2e200, "MNC207QS1-1"), + + EDP_PANEL_ENTRY('H', 'K', 'C', 0x2d51, &delay_200_500_e200, "Unknown"), + EDP_PANEL_ENTRY('H', 'K', 'C', 0x2d5b, &delay_200_500_e200, "Unknown"), +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-ltk050h3146w-add-mipi_dsi_mode_video-to-lt.patch b/queue-6.9/drm-panel-ltk050h3146w-add-mipi_dsi_mode_video-to-lt.patch new file mode 100644 index 00000000000..f2774456797 --- /dev/null +++ b/queue-6.9/drm-panel-ltk050h3146w-add-mipi_dsi_mode_video-to-lt.patch @@ -0,0 +1,44 @@ +From ef295a963b9705f2ba04866cc26e30157d6a7151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 14:12:31 +0100 +Subject: drm/panel: ltk050h3146w: add MIPI_DSI_MODE_VIDEO to LTK050H3148W + flags + +From: Heiko Stuebner + +[ Upstream commit 80cc8c0d09e6bab3bd016ddaccd0570cadbe1891 ] + +Similar to other variants, the LTK050H3148W wants to run in video mode +when displaying data. So far only the Synopsis DSI driver was using this +panel and it is always switching to video mode, independent of this flag +being set. + +Other DSI drivers might handle this differently, so add the flag. + +Fixes: e5f9d543419c ("drm/panel: ltk050h3146w: add support for Leadtek LTK050H3148W-CTA6 variant") +Signed-off-by: Heiko Stuebner +Reviewed-by: Quentin Schulz +Acked-by: Jessica Zhang +Link: https://patchwork.freedesktop.org/patch/msgid/20240320131232.327196-1-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c b/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c +index 9d87cc1a357e3..57b56ade48add 100644 +--- a/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c ++++ b/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c +@@ -326,7 +326,8 @@ static const struct drm_display_mode ltk050h3148w_mode = { + static const struct ltk050h3146w_desc ltk050h3148w_data = { + .mode = <k050h3148w_mode, + .init = ltk050h3148w_init_sequence, +- .mode_flags = MIPI_DSI_MODE_VIDEO_SYNC_PULSE | MIPI_DSI_MODE_VIDEO_BURST, ++ .mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE | ++ MIPI_DSI_MODE_VIDEO_BURST, + }; + + static int ltk050h3146w_init_sequence(struct ltk050h3146w *ctx) +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-ltk050h3146w-drop-duplicate-commands-from-.patch b/queue-6.9/drm-panel-ltk050h3146w-drop-duplicate-commands-from-.patch new file mode 100644 index 00000000000..88e67778581 --- /dev/null +++ b/queue-6.9/drm-panel-ltk050h3146w-drop-duplicate-commands-from-.patch @@ -0,0 +1,41 @@ +From 6a9875cc625a333594b18147229ca9f19bdd70a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 14:12:32 +0100 +Subject: drm/panel: ltk050h3146w: drop duplicate commands from LTK050H3148W + init + +From: Heiko Stuebner + +[ Upstream commit 55679cc22e60e8ec23b2340248389022798416cd ] + +The init sequence specifies the 0x11 and 0x29 dsi commands, which are +the exit-sleep and display-on commands. + +In the actual prepare step the driver already uses the appropriate +function calls for those, so drop the duplicates. + +Fixes: e5f9d543419c ("drm/panel: ltk050h3146w: add support for Leadtek LTK050H3148W-CTA6 variant") +Signed-off-by: Heiko Stuebner +Reviewed-by: Quentin Schulz +Link: https://patchwork.freedesktop.org/patch/msgid/20240320131232.327196-2-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c b/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c +index 57b56ade48add..1a26205701b5e 100644 +--- a/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c ++++ b/drivers/gpu/drm/panel/panel-leadtek-ltk050h3146w.c +@@ -295,8 +295,6 @@ static int ltk050h3148w_init_sequence(struct ltk050h3146w *ctx) + mipi_dsi_dcs_write_seq(dsi, 0xbd, 0x00); + mipi_dsi_dcs_write_seq(dsi, 0xc6, 0xef); + mipi_dsi_dcs_write_seq(dsi, 0xd4, 0x02); +- mipi_dsi_dcs_write_seq(dsi, 0x11); +- mipi_dsi_dcs_write_seq(dsi, 0x29); + + ret = mipi_dsi_dcs_set_tear_on(dsi, 1); + if (ret < 0) { +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch b/queue-6.9/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch new file mode 100644 index 00000000000..4a042b2e30a --- /dev/null +++ b/queue-6.9/drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch @@ -0,0 +1,49 @@ +From 525066dbd9841a7b4e1702c334dea73d5ca8d6e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 17:49:36 -0400 +Subject: drm/panel: novatek-nt35950: Don't log an error when DSI host can't be + found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 5ff5505b9a2d827cae3f95dceba258c963138175 ] + +Given that failing to find a DSI host causes the driver to defer probe, +make use of dev_err_probe() to log the reason. This makes the defer +probe reason available and avoids alerting userspace about something +that is not necessarily an error. + +Fixes: 623a3531e9cf ("drm/panel: Add driver for Novatek NT35950 DSI DriverIC panels") +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: Laurent Pinchart +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-8-619a28148e5c@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-novatek-nt35950.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-novatek-nt35950.c b/drivers/gpu/drm/panel/panel-novatek-nt35950.c +index 648ce92014265..028fdac293f77 100644 +--- a/drivers/gpu/drm/panel/panel-novatek-nt35950.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt35950.c +@@ -556,10 +556,8 @@ static int nt35950_probe(struct mipi_dsi_device *dsi) + } + dsi_r_host = of_find_mipi_dsi_host_by_node(dsi_r); + of_node_put(dsi_r); +- if (!dsi_r_host) { +- dev_err(dev, "Cannot get secondary DSI host\n"); +- return -EPROBE_DEFER; +- } ++ if (!dsi_r_host) ++ return dev_err_probe(dev, -EPROBE_DEFER, "Cannot get secondary DSI host\n"); + + nt->dsi[1] = mipi_dsi_device_register_full(dsi_r_host, info); + if (!nt->dsi[1]) { +-- +2.43.0 + diff --git a/queue-6.9/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch b/queue-6.9/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch new file mode 100644 index 00000000000..332133fbb90 --- /dev/null +++ b/queue-6.9/drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch @@ -0,0 +1,50 @@ +From 8eceb358dd5c4b562dd129644a92d22139736ec5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:27:36 +0100 +Subject: drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, + connector + +From: Marek Vasut + +[ Upstream commit 11ac72d033b9f577e8ba0c7a41d1c312bb232593 ] + +The .bpc = 6 implies .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG , +add the missing bus_format. Add missing connector type and bus_flags +as well. + +Documentation [1] 1.4 GENERAL SPECIFICATI0NS indicates this panel is +capable of both RGB 18bit/24bit panel, the current configuration uses +18bit mode, .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG , .bpc = 6. + +Support for the 24bit mode would require another entry in panel-simple +with .bus_format = MEDIA_BUS_FMT_RGB666_1X7X4_SPWG and .bpc = 8, which +is out of scope of this fix. + +[1] https://www.distec.de/fileadmin/pdf/produkte/TFT-Displays/Innolux/G121X1-L03_Datasheet.pdf + +Fixes: f8fa17ba812b ("drm/panel: simple: Add support for Innolux G121X1-L03") +Signed-off-by: Marek Vasut +Acked-by: Jessica Zhang +Link: https://patchwork.freedesktop.org/patch/msgid/20240328102746.17868-2-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 20e3df1c59d48..e8fe5a69454d0 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2591,6 +2591,9 @@ static const struct panel_desc innolux_g121x1_l03 = { + .unprepare = 200, + .disable = 400, + }, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG, ++ .bus_flags = DRM_BUS_FLAG_DE_HIGH, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing innolux_g156hce_l01_timings = { +-- +2.43.0 + diff --git a/queue-6.9/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch b/queue-6.9/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch new file mode 100644 index 00000000000..0e0abf0ad75 --- /dev/null +++ b/queue-6.9/drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch @@ -0,0 +1,83 @@ +From 7971e2048a77bae08617a6ba69f9e4d7b7fac3af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 14:27:06 -0400 +Subject: drm/rockchip: vop2: Do not divide height twice for YUV + +From: Detlev Casanova + +[ Upstream commit e80c219f52861e756181d7f88b0d341116daac2b ] + +For the cbcr format, gt2 and gt4 are computed again after src_h has been +divided by vsub. + +As src_h as already been divided by 2 before, introduce cbcr_src_h and +cbcr_src_w to keep a copy of those values to be used for cbcr gt2 and +gt4 computation. + +This fixes yuv planes being unaligned vertically when down scaling to +1080 pixels from 2160. + +Signed-off-by: Detlev Casanova +Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") +Acked-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240414182706.655270-1-detlev.casanova@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 22 +++++++++++--------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +index fdd768bbd487c..62ebbdb16253d 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +@@ -706,6 +706,8 @@ static void vop2_setup_scale(struct vop2 *vop2, const struct vop2_win *win, + const struct drm_format_info *info; + u16 hor_scl_mode, ver_scl_mode; + u16 hscl_filter_mode, vscl_filter_mode; ++ uint16_t cbcr_src_w = src_w; ++ uint16_t cbcr_src_h = src_h; + u8 gt2 = 0; + u8 gt4 = 0; + u32 val; +@@ -763,27 +765,27 @@ static void vop2_setup_scale(struct vop2 *vop2, const struct vop2_win *win, + vop2_win_write(win, VOP2_WIN_YRGB_VSCL_FILTER_MODE, vscl_filter_mode); + + if (info->is_yuv) { +- src_w /= info->hsub; +- src_h /= info->vsub; ++ cbcr_src_w /= info->hsub; ++ cbcr_src_h /= info->vsub; + + gt4 = 0; + gt2 = 0; + +- if (src_h >= (4 * dst_h)) { ++ if (cbcr_src_h >= (4 * dst_h)) { + gt4 = 1; +- src_h >>= 2; +- } else if (src_h >= (2 * dst_h)) { ++ cbcr_src_h >>= 2; ++ } else if (cbcr_src_h >= (2 * dst_h)) { + gt2 = 1; +- src_h >>= 1; ++ cbcr_src_h >>= 1; + } + +- hor_scl_mode = scl_get_scl_mode(src_w, dst_w); +- ver_scl_mode = scl_get_scl_mode(src_h, dst_h); ++ hor_scl_mode = scl_get_scl_mode(cbcr_src_w, dst_w); ++ ver_scl_mode = scl_get_scl_mode(cbcr_src_h, dst_h); + +- val = vop2_scale_factor(src_w, dst_w); ++ val = vop2_scale_factor(cbcr_src_w, dst_w); + vop2_win_write(win, VOP2_WIN_SCALE_CBCR_X, val); + +- val = vop2_scale_factor(src_h, dst_h); ++ val = vop2_scale_factor(cbcr_src_h, dst_h); + vop2_win_write(win, VOP2_WIN_SCALE_CBCR_Y, val); + + vop2_win_write(win, VOP2_WIN_VSD_CBCR_GT4, gt4); +-- +2.43.0 + diff --git a/queue-6.9/drm-vc4-fix-possible-null-pointer-dereference.patch b/queue-6.9/drm-vc4-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..1417a416bc1 --- /dev/null +++ b/queue-6.9/drm-vc4-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,39 @@ +From e6668bb7314c8f097591026ba3375ef3f879d1d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 10:56:22 +0300 +Subject: drm: vc4: Fix possible null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit c534b63bede6cb987c2946ed4d0b0013a52c5ba7 ] + +In vc4_hdmi_audio_init() of_get_address() may return +NULL which is later dereferenced. Fix this bug by adding NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20240409075622.11783-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index d8751ea203032..5f8d51b293705 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -2740,6 +2740,8 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) + index = 1; + + addr = of_get_address(dev->of_node, index, NULL, NULL); ++ if (!addr) ++ return -EINVAL; + + vc4_hdmi->audio.dma_data.addr = be32_to_cpup(addr) + mai_data->offset; + vc4_hdmi->audio.dma_data.addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.43.0 + diff --git a/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-add-loongs.patch b/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-add-loongs.patch new file mode 100644 index 00000000000..cca14833e9b --- /dev/null +++ b/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-add-loongs.patch @@ -0,0 +1,40 @@ +From 4431e8108365924f906b4d7e48cd4ffc9287bd6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:59:01 +0800 +Subject: dt-bindings: thermal: loongson,ls2k-thermal: Add Loongson-2K0500 + compatible + +From: Binbin Zhou + +[ Upstream commit 25c7d8472f6e90390931e93f59135478af3e5d86 ] + +The thermal on the Loongson-2K0500 shares the design with the +Loongson-2K1000. Define corresponding compatible string, having the +loongson,ls2k1000-thermal as a fallback. + +Signed-off-by: Binbin Zhou +Acked-by: Rob Herring +Acked-by: Huacai Chen +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/26524a63abd2d032e4c45efe6ce3fedb46841768.1713837379.git.zhoubinbin@loongson.cn +Stable-dep-of: c8c435368577 ("dt-bindings: thermal: loongson,ls2k-thermal: Fix incorrect compatible definition") +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/thermal/loongson,ls2k-thermal.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml b/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml +index b634f57cd011d..9748a479dcd4d 100644 +--- a/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml ++++ b/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml +@@ -20,6 +20,7 @@ properties: + - loongson,ls2k1000-thermal + - items: + - enum: ++ - loongson,ls2k0500-thermal + - loongson,ls2k2000-thermal + - const: loongson,ls2k1000-thermal + +-- +2.43.0 + diff --git a/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-fix-incorr.patch b/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-fix-incorr.patch new file mode 100644 index 00000000000..668155c1695 --- /dev/null +++ b/queue-6.9/dt-bindings-thermal-loongson-ls2k-thermal-fix-incorr.patch @@ -0,0 +1,83 @@ +From 6e803d13269b6bca2e02e0c229703ba9f833e416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:59:02 +0800 +Subject: dt-bindings: thermal: loongson,ls2k-thermal: Fix incorrect compatible + definition + +From: Binbin Zhou + +[ Upstream commit c8c4353685778e75e186103411e9d01a4a3f2b90 ] + +The temperature output register of the Loongson-2K2000 is defined in the +chip configuration domain, which is different from the Loongson-2K1000, +so it can't be fallbacked. + +We need to use two groups of registers to describe it: the first group +is the high and low temperature threshold setting register; the second +group is the temperature output register. + +It is true that this fix will cause ABI corruption, but it is necessary +otherwise the Loongson-2K2000 temperature sensor will not work properly. + +Fixes: 72684d99a854 ("thermal: dt-bindings: add loongson-2 thermal") +Cc: Yinbo Zhu +Signed-off-by: Binbin Zhou +Reviewed-by: Krzysztof Kozlowski +Acked-by: Huacai Chen +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/5198999d679f1a1c3457385acb9fadfc85da1f1e.1713837379.git.zhoubinbin@loongson.cn +Signed-off-by: Sasha Levin +--- + .../thermal/loongson,ls2k-thermal.yaml | 23 +++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml b/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml +index 9748a479dcd4d..ca81c8afba79c 100644 +--- a/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml ++++ b/Documentation/devicetree/bindings/thermal/loongson,ls2k-thermal.yaml +@@ -18,14 +18,15 @@ properties: + oneOf: + - enum: + - loongson,ls2k1000-thermal ++ - loongson,ls2k2000-thermal + - items: + - enum: + - loongson,ls2k0500-thermal +- - loongson,ls2k2000-thermal + - const: loongson,ls2k1000-thermal + + reg: +- maxItems: 1 ++ minItems: 1 ++ maxItems: 2 + + interrupts: + maxItems: 1 +@@ -39,6 +40,24 @@ required: + - interrupts + - '#thermal-sensor-cells' + ++if: ++ properties: ++ compatible: ++ contains: ++ enum: ++ - loongson,ls2k2000-thermal ++ ++then: ++ properties: ++ reg: ++ minItems: 2 ++ maxItems: 2 ++ ++else: ++ properties: ++ reg: ++ maxItems: 1 ++ + unevaluatedProperties: false + + examples: +-- +2.43.0 + diff --git a/queue-6.9/ecryptfs-fix-buffer-size-for-tag-66-packet.patch b/queue-6.9/ecryptfs-fix-buffer-size-for-tag-66-packet.patch new file mode 100644 index 00000000000..ce4ea74ab79 --- /dev/null +++ b/queue-6.9/ecryptfs-fix-buffer-size-for-tag-66-packet.patch @@ -0,0 +1,116 @@ +From 1749252c4f9dc4c37dd2a68ef04a45b0c7ac3237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 07:46:00 -0700 +Subject: ecryptfs: Fix buffer size for tag 66 packet + +From: Brian Kubisiak + +[ Upstream commit 85a6a1aff08ec9f5b929d345d066e2830e8818e5 ] + +The 'TAG 66 Packet Format' description is missing the cipher code and +checksum fields that are packed into the message packet. As a result, +the buffer allocated for the packet is 3 bytes too small and +write_tag_66_packet() will write up to 3 bytes past the end of the +buffer. + +Fix this by increasing the size of the allocation so the whole packet +will always fit in the buffer. + +This fixes the below kasan slab-out-of-bounds bug: + + BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 + Write of size 1 at addr ffff88800afbb2a5 by task touch/181 + + CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 + Call Trace: + + dump_stack_lvl+0x4c/0x70 + print_report+0xc5/0x610 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? kasan_complete_mode_report_info+0x44/0x210 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + kasan_report+0xc2/0x110 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + __asan_store1+0x62/0x80 + ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 + ? __alloc_pages+0x2e2/0x540 + ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] + ? dentry_open+0x8f/0xd0 + ecryptfs_write_metadata+0x30a/0x550 + ? __pfx_ecryptfs_write_metadata+0x10/0x10 + ? ecryptfs_get_lower_file+0x6b/0x190 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + ? __pfx_path_openat+0x10/0x10 + do_filp_open+0x15e/0x290 + ? __pfx_do_filp_open+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? _raw_spin_lock+0x86/0xf0 + ? __pfx__raw_spin_lock+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? alloc_fd+0xf4/0x330 + do_sys_openat2+0x122/0x160 + ? __pfx_do_sys_openat2+0x10/0x10 + __x64_sys_openat+0xef/0x170 + ? __pfx___x64_sys_openat+0x10/0x10 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7f00a703fd67 + Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f + RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 + RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 + RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c + RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 + R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 + R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 + + + Allocated by task 181: + kasan_save_stack+0x2f/0x60 + kasan_set_track+0x29/0x40 + kasan_save_alloc_info+0x25/0x40 + __kasan_kmalloc+0xc5/0xd0 + __kmalloc+0x66/0x160 + ecryptfs_generate_key_packet_set+0x6d2/0xde0 + ecryptfs_write_metadata+0x30a/0x550 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + do_filp_open+0x15e/0x290 + do_sys_openat2+0x122/0x160 + __x64_sys_openat+0xef/0x170 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management") +Signed-off-by: Brian Kubisiak +Link: https://lore.kernel.org/r/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/ecryptfs/keystore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c +index 3fe41964c0d8d..7f9f68c00ef63 100644 +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -300,9 +300,11 @@ write_tag_66_packet(char *signature, u8 cipher_code, + * | Key Identifier Size | 1 or 2 bytes | + * | Key Identifier | arbitrary | + * | File Encryption Key Size | 1 or 2 bytes | ++ * | Cipher Code | 1 byte | + * | File Encryption Key | arbitrary | ++ * | Checksum | 2 bytes | + */ +- data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); ++ data_len = (8 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); + *packet = kmalloc(data_len, GFP_KERNEL); + message = *packet; + if (!message) { +-- +2.43.0 + diff --git a/queue-6.9/edac-skx_common-allow-decoding-of-sgx-addresses.patch b/queue-6.9/edac-skx_common-allow-decoding-of-sgx-addresses.patch new file mode 100644 index 00000000000..ab229040dc8 --- /dev/null +++ b/queue-6.9/edac-skx_common-allow-decoding-of-sgx-addresses.patch @@ -0,0 +1,43 @@ +From 7aa16534a079cab96f052a17ab95bff0b802a1dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 20:04:19 +0800 +Subject: EDAC/skx_common: Allow decoding of SGX addresses + +From: Qiuxu Zhuo + +[ Upstream commit e0d335077831196bffe6a634ffe385fc684192ca ] + +There are no "struct page" associations with SGX pages, causing the check +pfn_to_online_page() to fail. This results in the inability to decode the +SGX addresses and warning messages like: + + Invalid address 0x34cc9a98840 in IA32_MC17_ADDR + +Add an additional check to allow the decoding of the error address and to +skip the warning message, if the error address is an SGX address. + +Fixes: 1e92af09fab1 ("EDAC/skx_common: Filter out the invalid address") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20240408120419.50234-1-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/skx_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index 9c5b6f8bd8bd5..27996b7924c82 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -648,7 +648,7 @@ int skx_mce_check_error(struct notifier_block *nb, unsigned long val, + memset(&res, 0, sizeof(res)); + res.mce = mce; + res.addr = mce->addr & MCI_ADDR_PHYSADDR; +- if (!pfn_to_online_page(res.addr >> PAGE_SHIFT)) { ++ if (!pfn_to_online_page(res.addr >> PAGE_SHIFT) && !arch_is_platform_page(res.addr)) { + pr_err("Invalid address 0x%llx in IA32_MC%d_ADDR\n", mce->addr, mce->bank); + return NOTIFY_DONE; + } +-- +2.43.0 + diff --git a/queue-6.9/enetc-avoid-truncating-error-message.patch b/queue-6.9/enetc-avoid-truncating-error-message.patch new file mode 100644 index 00000000000..739f5fb7554 --- /dev/null +++ b/queue-6.9/enetc-avoid-truncating-error-message.patch @@ -0,0 +1,41 @@ +From 6a4187d6dbee19643908d903a398a80980b05cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:01 +0100 +Subject: enetc: avoid truncating error message + +From: Arnd Bergmann + +[ Upstream commit 9046d581ed586f3c715357638ca12c0e84402002 ] + +As clang points out, the error message in enetc_setup_xdp_prog() +still does not fit in the buffer and will be truncated: + +drivers/net/ethernet/freescale/enetc/enetc.c:2771:3: error: 'snprintf' will always be truncated; specified size is 80, but format string expands to at least 87 [-Werror,-Wformat-truncation] + +Replace it with an even shorter message that should fit. + +Fixes: f968c56417f0 ("net: enetc: shorten enetc_setup_xdp_prog() error message to fit NETLINK_MAX_FMTMSG_LEN") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-3-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index 9f07f4947b631..5c45f42232d32 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2769,7 +2769,7 @@ static int enetc_setup_xdp_prog(struct net_device *ndev, struct bpf_prog *prog, + if (priv->min_num_stack_tx_queues + num_xdp_tx_queues > + priv->num_tx_rings) { + NL_SET_ERR_MSG_FMT_MOD(extack, +- "Reserving %d XDP TXQs does not leave a minimum of %d for stack (total %d)", ++ "Reserving %d XDP TXQs leaves under %d for stack (total %d)", + num_xdp_tx_queues, + priv->min_num_stack_tx_queues, + priv->num_tx_rings); +-- +2.43.0 + diff --git a/queue-6.9/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch b/queue-6.9/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch new file mode 100644 index 00000000000..33506bbbd68 --- /dev/null +++ b/queue-6.9/eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch @@ -0,0 +1,67 @@ +From 1c2f3877119378c9aaa3821a0cef562c6d1d3aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 06:45:04 -0700 +Subject: eth: sungem: remove .ndo_poll_controller to avoid deadlocks + +From: Jakub Kicinski + +[ Upstream commit ac0a230f719b02432d8c7eba7615ebd691da86f4 ] + +Erhard reports netpoll warnings from sungem: + + netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) + WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c + +gem_poll_controller() disables interrupts, which may sleep. +We can't sleep in netpoll, it has interrupts disabled completely. +Strangely, gem_poll_controller() doesn't even poll the completions, +and instead acts as if an interrupt has fired so it just schedules +NAPI and exits. None of this has been necessary for years, since +netpoll invokes NAPI directly. + +Fixes: fe09bb619096 ("sungem: Spring cleaning and GRO support") +Reported-and-tested-by: Erhard Furtner +Link: https://lore.kernel.org/all/20240428125306.2c3080ef@legion +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240508134504.3560956-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sungem.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c +index 9bd1df8308d24..d3a2fbb14140e 100644 +--- a/drivers/net/ethernet/sun/sungem.c ++++ b/drivers/net/ethernet/sun/sungem.c +@@ -949,17 +949,6 @@ static irqreturn_t gem_interrupt(int irq, void *dev_id) + return IRQ_HANDLED; + } + +-#ifdef CONFIG_NET_POLL_CONTROLLER +-static void gem_poll_controller(struct net_device *dev) +-{ +- struct gem *gp = netdev_priv(dev); +- +- disable_irq(gp->pdev->irq); +- gem_interrupt(gp->pdev->irq, dev); +- enable_irq(gp->pdev->irq); +-} +-#endif +- + static void gem_tx_timeout(struct net_device *dev, unsigned int txqueue) + { + struct gem *gp = netdev_priv(dev); +@@ -2839,9 +2828,6 @@ static const struct net_device_ops gem_netdev_ops = { + .ndo_change_mtu = gem_change_mtu, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = gem_set_mac_address, +-#ifdef CONFIG_NET_POLL_CONTROLLER +- .ndo_poll_controller = gem_poll_controller, +-#endif + }; + + static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) +-- +2.43.0 + diff --git a/queue-6.9/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch b/queue-6.9/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch new file mode 100644 index 00000000000..00bae833389 --- /dev/null +++ b/queue-6.9/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch @@ -0,0 +1,52 @@ +From c5322aaec0e15c36d72210b2add196ae8c7ce8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 12:53:20 +0100 +Subject: ext4: avoid excessive credit estimate in ext4_tmpfile() + +From: Jan Kara + +[ Upstream commit 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 ] + +A user with minimum journal size (1024 blocks these days) complained +about the following error triggered by generic/697 test in +ext4_tmpfile(): + +run fstests generic/697 at 2024-02-28 05:34:46 +JBD2: vfstest wants too many credits credits:260 rsv_credits:0 max:256 +EXT4-fs error (device loop0) in __ext4_new_inode:1083: error 28 + +Indeed the credit estimate in ext4_tmpfile() is huge. +EXT4_MAXQUOTAS_INIT_BLOCKS() is 219, then 10 credits from ext4_tmpfile() +itself and then ext4_xattr_credits_for_new_inode() adds more credits +needed for security attributes and ACLs. Now the +EXT4_MAXQUOTAS_INIT_BLOCKS() is in fact unnecessary because we've +already initialized quotas with dquot_init() shortly before and so +EXT4_MAXQUOTAS_TRANS_BLOCKS() is enough (which boils down to 3 credits). + +Fixes: af51a2ac36d1 ("ext4: ->tmpfile() support") +Signed-off-by: Jan Kara +Tested-by: Luis Henriques +Tested-by: Disha Goel +Link: https://lore.kernel.org/r/20240307115320.28949-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 5e4f65c14dfb9..a630b27a4cc6e 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2897,7 +2897,7 @@ static int ext4_tmpfile(struct mnt_idmap *idmap, struct inode *dir, + inode = ext4_new_inode_start_handle(idmap, dir, mode, + NULL, 0, NULL, + EXT4_HT_DIR, +- EXT4_MAXQUOTAS_INIT_BLOCKS(dir->i_sb) + ++ EXT4_MAXQUOTAS_TRANS_BLOCKS(dir->i_sb) + + 4 + EXT4_XATTR_TRANS_BLOCKS); + handle = ext4_journal_current_handle(); + err = PTR_ERR(inode); +-- +2.43.0 + diff --git a/queue-6.9/ext4-fix-potential-unnitialized-variable.patch b/queue-6.9/ext4-fix-potential-unnitialized-variable.patch new file mode 100644 index 00000000000..0ae933e6ed8 --- /dev/null +++ b/queue-6.9/ext4-fix-potential-unnitialized-variable.patch @@ -0,0 +1,40 @@ +From d505456082125da8023d776a7db06795b41ef770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 21:10:40 +0300 +Subject: ext4: fix potential unnitialized variable + +From: Dan Carpenter + +[ Upstream commit 3f4830abd236d0428e50451e1ecb62e14c365e9b ] + +Smatch complains "err" can be uninitialized in the caller. + + fs/ext4/indirect.c:349 ext4_alloc_branch() + error: uninitialized symbol 'err'. + +Set the error to zero on the success path. + +Fixes: 8016e29f4362 ("ext4: fast commit recovery path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/363a4673-0fb8-4adf-b4fb-90a499077276@moroto.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 12b3f196010b8..714f83632e3f9 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6113,6 +6113,7 @@ ext4_mb_new_blocks_simple(struct ext4_allocation_request *ar, int *errp) + ext4_mb_mark_bb(sb, block, 1, true); + ar->len = 1; + ++ *errp = 0; + return block; + } + +-- +2.43.0 + diff --git a/queue-6.9/ext4-remove-the-redundant-folio_wait_stable.patch b/queue-6.9/ext4-remove-the-redundant-folio_wait_stable.patch new file mode 100644 index 00000000000..342cb18322e --- /dev/null +++ b/queue-6.9/ext4-remove-the-redundant-folio_wait_stable.patch @@ -0,0 +1,42 @@ +From ccfc478d4637118d4f7dc3dce8916d687ad7a024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 10:30:05 +0800 +Subject: ext4: remove the redundant folio_wait_stable() + +From: Zhang Yi + +[ Upstream commit df0b5afc62f3368d657a8fe4a8d393ac481474c2 ] + +__filemap_get_folio() with FGP_WRITEBEGIN parameter has already wait +for stable folio, so remove the redundant folio_wait_stable() in +ext4_da_write_begin(), it was left over from the commit cc883236b792 +("ext4: drop unnecessary journal handle in delalloc write") that +removed the retry getting page logic. + +Fixes: cc883236b792 ("ext4: drop unnecessary journal handle in delalloc write") +Signed-off-by: Zhang Yi +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240419023005.2719050-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 537803250ca9a..6de6bf57699be 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2887,9 +2887,6 @@ static int ext4_da_write_begin(struct file *file, struct address_space *mapping, + if (IS_ERR(folio)) + return PTR_ERR(folio); + +- /* In case writeback began while the folio was unlocked */ +- folio_wait_stable(folio); +- + #ifdef CONFIG_FS_ENCRYPTION + ret = ext4_block_write_begin(folio, pos, len, ext4_da_get_block_prep); + #else +-- +2.43.0 + diff --git a/queue-6.9/fbdev-sh7760fb-allow-modular-build.patch b/queue-6.9/fbdev-sh7760fb-allow-modular-build.patch new file mode 100644 index 00000000000..ba425168c77 --- /dev/null +++ b/queue-6.9/fbdev-sh7760fb-allow-modular-build.patch @@ -0,0 +1,50 @@ +From cb9338bb410bf68c8ff9f9a09f930af361ee395c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 21:39:38 -0800 +Subject: fbdev: sh7760fb: allow modular build + +From: Randy Dunlap + +[ Upstream commit 51084f89d687e14d96278241e5200cde4b0985c7 ] + +There is no reason to prohibit sh7760fb from being built as a +loadable module as suggested by Geert, so change the config symbol +from bool to tristate to allow that and change the FB dependency as +needed. + +Fixes: f75f71b2c418 ("fbdev/sh7760fb: Depend on FB=y") +Suggested-by: Geert Uytterhoeven +Signed-off-by: Randy Dunlap +Cc: Thomas Zimmermann +Cc: Javier Martinez Canillas +Cc: John Paul Adrian Glaubitz +Cc: Sam Ravnborg +Cc: Helge Deller +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Acked-by: John Paul Adrian Glaubitz +Acked-by: Javier Martinez Canillas +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 197b6d5268e94..3f46663aa563d 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -1648,8 +1648,8 @@ config FB_COBALT + select FB_IOMEM_HELPERS + + config FB_SH7760 +- bool "SH7760/SH7763/SH7720/SH7721 LCDC support" +- depends on FB=y && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ ++ tristate "SH7760/SH7763/SH7720/SH7721 LCDC support" ++ depends on FB && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ + || CPU_SUBTYPE_SH7720 || CPU_SUBTYPE_SH7721) + select FB_IOMEM_HELPERS + help +-- +2.43.0 + diff --git a/queue-6.9/fbdev-shmobile-fix-snprintf-truncation.patch b/queue-6.9/fbdev-shmobile-fix-snprintf-truncation.patch new file mode 100644 index 00000000000..cfa88d4eeef --- /dev/null +++ b/queue-6.9/fbdev-shmobile-fix-snprintf-truncation.patch @@ -0,0 +1,40 @@ +From ea8fed05ca00db885b26e6e96849b68f8a1328e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:00 +0100 +Subject: fbdev: shmobile: fix snprintf truncation + +From: Arnd Bergmann + +[ Upstream commit 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 ] + +The name of the overlay does not fit into the fixed-length field: + +drivers/video/fbdev/sh_mobile_lcdcfb.c:1577:2: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 25 + +Make it short enough by changing the string. + +Fixes: c5deac3c9b22 ("fbdev: sh_mobile_lcdc: Implement overlays support") +Signed-off-by: Arnd Bergmann +Reviewed-by: Laurent Pinchart +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c +index eb2297b37504c..d35d2cf999988 100644 +--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c ++++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c +@@ -1575,7 +1575,7 @@ sh_mobile_lcdc_overlay_fb_init(struct sh_mobile_lcdc_overlay *ovl) + */ + info->fix = sh_mobile_lcdc_overlay_fix; + snprintf(info->fix.id, sizeof(info->fix.id), +- "SH Mobile LCDC Overlay %u", ovl->index); ++ "SHMobile ovl %u", ovl->index); + info->fix.smem_start = ovl->dma_handle; + info->fix.smem_len = ovl->fb_size; + info->fix.line_length = ovl->pitch; +-- +2.43.0 + diff --git a/queue-6.9/fbdev-sisfb-hide-unused-variables.patch b/queue-6.9/fbdev-sisfb-hide-unused-variables.patch new file mode 100644 index 00000000000..36fbd56be26 --- /dev/null +++ b/queue-6.9/fbdev-sisfb-hide-unused-variables.patch @@ -0,0 +1,68 @@ +From 1dc19c2755acca65f4339ff935879ef12b3ad7bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:31 +0200 +Subject: fbdev: sisfb: hide unused variables + +From: Arnd Bergmann + +[ Upstream commit 688cf598665851b9e8cb5083ff1d208ce43d10ff ] + +Building with W=1 shows that a couple of variables in this driver are only +used in certain configurations: + +drivers/video/fbdev/sis/init301.c:239:28: error: 'SiS_Part2CLVX_6' defined but not used [-Werror=unused-const-variable=] + 239 | static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:230:28: error: 'SiS_Part2CLVX_5' defined but not used [-Werror=unused-const-variable=] + 230 | static const unsigned char SiS_Part2CLVX_5[] = { /* 750p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:211:28: error: 'SiS_Part2CLVX_4' defined but not used [-Werror=unused-const-variable=] + 211 | static const unsigned char SiS_Part2CLVX_4[] = { /* PAL */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:192:28: error: 'SiS_Part2CLVX_3' defined but not used [-Werror=unused-const-variable=] + 192 | static const unsigned char SiS_Part2CLVX_3[] = { /* NTSC, 525i, 525p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:184:28: error: 'SiS_Part2CLVX_2' defined but not used [-Werror=unused-const-variable=] + 184 | static const unsigned char SiS_Part2CLVX_2[] = { + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:176:28: error: 'SiS_Part2CLVX_1' defined but not used [-Werror=unused-const-variable=] + 176 | static const unsigned char SiS_Part2CLVX_1[] = { + | ^~~~~~~~~~~~~~~ + +This started showing up after the definitions were moved into the +source file from the header, which was not flagged by the compiler. +Move the definition into the appropriate #ifdef block that already +exists next to them. + +Fixes: 5908986ef348 ("video: fbdev: sis: avoid mismatched prototypes") +Signed-off-by: Arnd Bergmann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init301.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c +index a8fb41f1a2580..09329072004f4 100644 +--- a/drivers/video/fbdev/sis/init301.c ++++ b/drivers/video/fbdev/sis/init301.c +@@ -172,7 +172,7 @@ static const unsigned char SiS_HiTVGroup3_2[] = { + }; + + /* 301C / 302ELV extended Part2 TV registers (4 tap scaler) */ +- ++#ifdef CONFIG_FB_SIS_315 + static const unsigned char SiS_Part2CLVX_1[] = { + 0x00,0x00, + 0x00,0x20,0x00,0x00,0x7F,0x20,0x02,0x7F,0x7D,0x20,0x04,0x7F,0x7D,0x1F,0x06,0x7E, +@@ -245,7 +245,6 @@ static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + 0xFF,0xFF, + }; + +-#ifdef CONFIG_FB_SIS_315 + /* 661 et al LCD data structure (2.03.00) */ + static const unsigned char SiS_LCDStruct661[] = { + /* 1024x768 */ +-- +2.43.0 + diff --git a/queue-6.9/firmware-qcom-qcm-fix-unused-qcom_scm_qseecom_allowl.patch b/queue-6.9/firmware-qcom-qcm-fix-unused-qcom_scm_qseecom_allowl.patch new file mode 100644 index 00000000000..b62fc0839e0 --- /dev/null +++ b/queue-6.9/firmware-qcom-qcm-fix-unused-qcom_scm_qseecom_allowl.patch @@ -0,0 +1,44 @@ +From acdfd161370a05585d25e55845e9630f01430478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 19:56:23 +0100 +Subject: firmware: qcom: qcm: fix unused qcom_scm_qseecom_allowlist +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit e478c5fb6aa10af7b7edbff69bc8aef6fbb5f0ed ] + +For !OF builds, the qcom_scm_qseecom_allowlist is unused: + + drivers/firmware/qcom/qcom_scm.c:1652:34: error: ‘qcom_scm_qseecom_allowlist’ defined but not used [-Werror=unused-const-variable=] + +Fixes: 00b1248606ba ("firmware: qcom_scm: Add support for Qualcomm Secure Execution Environment SCM interface") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202311191654.S4wlVUrz-lkp@intel.com/ +Signed-off-by: Krzysztof Kozlowski +Acked-by: Maximilian Luz +Link: https://lore.kernel.org/r/20231120185623.338608-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/firmware/qcom/qcom_scm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c +index 90283f160a228..ca381cb2ee979 100644 +--- a/drivers/firmware/qcom/qcom_scm.c ++++ b/drivers/firmware/qcom/qcom_scm.c +@@ -1624,7 +1624,7 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_send); + * We do not yet support re-entrant calls via the qseecom interface. To prevent + + any potential issues with this, only allow validated machines for now. + */ +-static const struct of_device_id qcom_scm_qseecom_allowlist[] = { ++static const struct of_device_id qcom_scm_qseecom_allowlist[] __maybe_unused = { + { .compatible = "lenovo,thinkpad-x13s", }, + { } + }; +-- +2.43.0 + diff --git a/queue-6.9/firmware-qcom-scm-fix-__scm-and-waitq-completion-var.patch b/queue-6.9/firmware-qcom-scm-fix-__scm-and-waitq-completion-var.patch new file mode 100644 index 00000000000..3b92720180a --- /dev/null +++ b/queue-6.9/firmware-qcom-scm-fix-__scm-and-waitq-completion-var.patch @@ -0,0 +1,70 @@ +From 890ba9118cda33f476721f2a504b5344c6d1e8dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 20:54:02 +0530 +Subject: firmware: qcom: scm: Fix __scm and waitq completion variable + initialization + +From: Mukesh Ojha + +[ Upstream commit 2e4955167ec5c04534cebea9e8273a907e7a75e1 ] + +It is possible qcom_scm_is_available() gives wrong indication that +if __scm is initialized while __scm->dev is not and similar issue +is also possible with __scm->waitq_comp. + +Fix this appropriately by the use of release barrier and read barrier +that will make sure if __scm is initialized so, is all of its field +variable. + +Fixes: d0f6fa7ba2d6 ("firmware: qcom: scm: Convert SCM to platform driver") +Fixes: 6bf325992236 ("firmware: qcom: scm: Add wait-queue handling logic") +Signed-off-by: Mukesh Ojha +Link: https://lore.kernel.org/r/1711034642-22860-4-git-send-email-quic_mojha@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/firmware/qcom/qcom_scm.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c +index ca381cb2ee979..29c24578ad2bf 100644 +--- a/drivers/firmware/qcom/qcom_scm.c ++++ b/drivers/firmware/qcom/qcom_scm.c +@@ -1713,7 +1713,7 @@ static int qcom_scm_qseecom_init(struct qcom_scm *scm) + */ + bool qcom_scm_is_available(void) + { +- return !!__scm; ++ return !!READ_ONCE(__scm); + } + EXPORT_SYMBOL_GPL(qcom_scm_is_available); + +@@ -1794,10 +1794,12 @@ static int qcom_scm_probe(struct platform_device *pdev) + if (!scm) + return -ENOMEM; + ++ scm->dev = &pdev->dev; + ret = qcom_scm_find_dload_address(&pdev->dev, &scm->dload_mode_addr); + if (ret < 0) + return ret; + ++ init_completion(&scm->waitq_comp); + mutex_init(&scm->scm_bw_lock); + + scm->path = devm_of_icc_get(&pdev->dev, NULL); +@@ -1829,10 +1831,8 @@ static int qcom_scm_probe(struct platform_device *pdev) + if (ret) + return ret; + +- __scm = scm; +- __scm->dev = &pdev->dev; +- +- init_completion(&__scm->waitq_comp); ++ /* Let all above stores be available after this */ ++ smp_store_release(&__scm, scm); + + irq = platform_get_irq_optional(pdev, 0); + if (irq < 0) { +-- +2.43.0 + diff --git a/queue-6.9/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch b/queue-6.9/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch new file mode 100644 index 00000000000..cbb1ce27367 --- /dev/null +++ b/queue-6.9/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch @@ -0,0 +1,65 @@ +From d66071d6adc6fe70b4d140d657acbe795e8f4653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:58:06 +0200 +Subject: firmware: raspberrypi: Use correct device for DMA mappings + +From: Laurent Pinchart + +[ Upstream commit df518a0ae1b982a4dcf2235464016c0c4576a34d ] + +The buffer used to transfer data over the mailbox interface is mapped +using the client's device. This is incorrect, as the device performing +the DMA transfer is the mailbox itself. Fix it by using the mailbox +controller device instead. + +This requires including the mailbox_controller.h header to dereference +the mbox_chan and mbox_controller structures. The header is not meant to +be included by clients. This could be fixed by extending the client API +with a function to access the controller's device. + +Fixes: 4e3d60656a72 ("ARM: bcm2835: Add the Raspberry Pi firmware driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Stefan Wahren +Tested-by: Ivan T. Ivanov +Link: https://lore.kernel.org/r/20240326195807.15163-3-laurent.pinchart@ideasonboard.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/firmware/raspberrypi.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c +index 322aada20f742..ac34876a97f8b 100644 +--- a/drivers/firmware/raspberrypi.c ++++ b/drivers/firmware/raspberrypi.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -97,8 +98,8 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + if (size & 3) + return -EINVAL; + +- buf = dma_alloc_coherent(fw->cl.dev, PAGE_ALIGN(size), &bus_addr, +- GFP_ATOMIC); ++ buf = dma_alloc_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), ++ &bus_addr, GFP_ATOMIC); + if (!buf) + return -ENOMEM; + +@@ -126,7 +127,7 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + ret = -EINVAL; + } + +- dma_free_coherent(fw->cl.dev, PAGE_ALIGN(size), buf, bus_addr); ++ dma_free_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), buf, bus_addr); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.9/gfs2-do_xmote-fixes.patch b/queue-6.9/gfs2-do_xmote-fixes.patch new file mode 100644 index 00000000000..5cc94003927 --- /dev/null +++ b/queue-6.9/gfs2-do_xmote-fixes.patch @@ -0,0 +1,128 @@ +From e56ebf22cb7f4c280d1ab7ccf6ff4006556690e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:23:04 +0200 +Subject: gfs2: do_xmote fixes + +From: Andreas Gruenbacher + +[ Upstream commit 9947a06d29c0a30da88cdc6376ca5fd87083e130 ] + +Function do_xmote() is called with the glock spinlock held. Commit +86934198eefa added a 'goto skip_inval' statement at the beginning of the +function to further below where the glock spinlock is expected not to be +held anymore. Then it added code there that requires the glock spinlock +to be held. This doesn't make sense; fix this up by dropping and +retaking the spinlock where needed. + +In addition, when ->lm_lock() returned an error, do_xmote() didn't fail +the locking operation, and simply left the glock hanging; fix that as +well. (This is a much older error.) + +Fixes: 86934198eefa ("gfs2: Clear flags when withdraw prevents xmote") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 44 +++++++++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 19 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 0c719fcd4fbc5..2507fe34cbdf0 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -713,6 +713,7 @@ __acquires(&gl->gl_lockref.lock) + { + const struct gfs2_glock_operations *glops = gl->gl_ops; + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; ++ struct lm_lockstruct *ls = &sdp->sd_lockstruct; + unsigned int lck_flags = (unsigned int)(gh ? gh->gh_flags : 0); + int ret; + +@@ -741,6 +742,9 @@ __acquires(&gl->gl_lockref.lock) + (gl->gl_state == LM_ST_EXCLUSIVE) || + (lck_flags & (LM_FLAG_TRY|LM_FLAG_TRY_1CB))) + clear_bit(GLF_BLOCKING, &gl->gl_flags); ++ if (!glops->go_inval && !glops->go_sync) ++ goto skip_inval; ++ + spin_unlock(&gl->gl_lockref.lock); + if (glops->go_sync) { + ret = glops->go_sync(gl); +@@ -753,6 +757,7 @@ __acquires(&gl->gl_lockref.lock) + fs_err(sdp, "Error %d syncing glock \n", ret); + gfs2_dump_glock(NULL, gl, true); + } ++ spin_lock(&gl->gl_lockref.lock); + goto skip_inval; + } + } +@@ -773,9 +778,10 @@ __acquires(&gl->gl_lockref.lock) + glops->go_inval(gl, target == LM_ST_DEFERRED ? 0 : DIO_METADATA); + clear_bit(GLF_INVALIDATE_IN_PROGRESS, &gl->gl_flags); + } ++ spin_lock(&gl->gl_lockref.lock); + + skip_inval: +- gfs2_glock_hold(gl); ++ gl->gl_lockref.count++; + /* + * Check for an error encountered since we called go_sync and go_inval. + * If so, we can't withdraw from the glock code because the withdraw +@@ -817,37 +823,37 @@ __acquires(&gl->gl_lockref.lock) + */ + clear_bit(GLF_LOCK, &gl->gl_flags); + clear_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags); +- gfs2_glock_queue_work(gl, GL_GLOCK_DFT_HOLD); +- goto out; ++ __gfs2_glock_queue_work(gl, GL_GLOCK_DFT_HOLD); ++ return; + } else { + clear_bit(GLF_INVALIDATE_IN_PROGRESS, &gl->gl_flags); + } + } + +- if (sdp->sd_lockstruct.ls_ops->lm_lock) { +- struct lm_lockstruct *ls = &sdp->sd_lockstruct; ++ if (ls->ls_ops->lm_lock) { ++ spin_unlock(&gl->gl_lockref.lock); ++ ret = ls->ls_ops->lm_lock(gl, target, lck_flags); ++ spin_lock(&gl->gl_lockref.lock); + +- /* lock_dlm */ +- ret = sdp->sd_lockstruct.ls_ops->lm_lock(gl, target, lck_flags); + if (ret == -EINVAL && gl->gl_target == LM_ST_UNLOCKED && + target == LM_ST_UNLOCKED && + test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { +- spin_lock(&gl->gl_lockref.lock); +- finish_xmote(gl, target); +- __gfs2_glock_queue_work(gl, 0); +- spin_unlock(&gl->gl_lockref.lock); ++ /* ++ * The lockspace has been released and the lock has ++ * been unlocked implicitly. ++ */ + } else if (ret) { + fs_err(sdp, "lm_lock ret %d\n", ret); +- GLOCK_BUG_ON(gl, !gfs2_withdrawing_or_withdrawn(sdp)); ++ target = gl->gl_state | LM_OUT_ERROR; ++ } else { ++ /* The operation will be completed asynchronously. */ ++ return; + } +- } else { /* lock_nolock */ +- spin_lock(&gl->gl_lockref.lock); +- finish_xmote(gl, target); +- __gfs2_glock_queue_work(gl, 0); +- spin_unlock(&gl->gl_lockref.lock); + } +-out: +- spin_lock(&gl->gl_lockref.lock); ++ ++ /* Complete the operation now. */ ++ finish_xmote(gl, target); ++ __gfs2_glock_queue_work(gl, 0); + } + + /** +-- +2.43.0 + diff --git a/queue-6.9/gfs2-don-t-forget-to-complete-delayed-withdraw.patch b/queue-6.9/gfs2-don-t-forget-to-complete-delayed-withdraw.patch new file mode 100644 index 00000000000..50ef962a82b --- /dev/null +++ b/queue-6.9/gfs2-don-t-forget-to-complete-delayed-withdraw.patch @@ -0,0 +1,39 @@ +From 88d8c18c344a6acf256459728874cfa6cee76877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 11:49:44 +0100 +Subject: gfs2: Don't forget to complete delayed withdraw + +From: Andreas Gruenbacher + +[ Upstream commit b01189333ee91c1ae6cd96dfd1e3a3c2e69202f0 ] + +Commit fffe9bee14b0 ("gfs2: Delay withdraw from atomic context") +switched from gfs2_withdraw() to gfs2_withdraw_delayed() in +gfs2_ail_error(), but failed to then check if a delayed withdraw had +occurred. Fix that by adding the missing check in __gfs2_ail_flush(), +where the spin locks are already dropped and a withdraw is possible. + +Fixes: fffe9bee14b0 ("gfs2: Delay withdraw from atomic context") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glops.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 45653cbc8a87d..e0e8dfeee777d 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -82,6 +82,9 @@ static void __gfs2_ail_flush(struct gfs2_glock *gl, bool fsync, + GLOCK_BUG_ON(gl, !fsync && atomic_read(&gl->gl_ail_count)); + spin_unlock(&sdp->sd_ail_lock); + gfs2_log_unlock(sdp); ++ ++ if (gfs2_withdrawing(sdp)) ++ gfs2_withdraw(sdp); + } + + +-- +2.43.0 + diff --git a/queue-6.9/gfs2-finish_xmote-cleanup.patch b/queue-6.9/gfs2-finish_xmote-cleanup.patch new file mode 100644 index 00000000000..4e61db49b50 --- /dev/null +++ b/queue-6.9/gfs2-finish_xmote-cleanup.patch @@ -0,0 +1,108 @@ +From dc574e91b66a2b4d739c346ecf6e39a8acb1802f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 19:16:58 +0200 +Subject: gfs2: finish_xmote cleanup + +From: Andreas Gruenbacher + +[ Upstream commit 1cd28e15864054f3c48baee9eecda1c0441c48ac ] + +Currently, function finish_xmote() takes and releases the glock +spinlock. However, all of its callers immediately take that spinlock +again, so it makes more sense to take the spin lock before calling +finish_xmote() already. + +With that, thaw_glock() is the only place that sets the GLF_HAVE_REPLY +flag outside of the glock spinlock, but it also takes that spinlock +immediately thereafter. Change that to set the bit when the spinlock is +already held. This allows to switch from test_and_clear_bit() to +test_bit() and clear_bit() in glock_work_func(). + +Signed-off-by: Andreas Gruenbacher +Stable-dep-of: 9947a06d29c0 ("gfs2: do_xmote fixes") +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 1bf0d751ece0a..0c719fcd4fbc5 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -617,7 +617,6 @@ static void finish_xmote(struct gfs2_glock *gl, unsigned int ret) + struct gfs2_holder *gh; + unsigned state = ret & LM_OUT_ST_MASK; + +- spin_lock(&gl->gl_lockref.lock); + trace_gfs2_glock_state_change(gl, state); + state_change(gl, state); + gh = find_first_waiter(gl); +@@ -665,7 +664,6 @@ static void finish_xmote(struct gfs2_glock *gl, unsigned int ret) + gl->gl_target, state); + GLOCK_BUG_ON(gl, 1); + } +- spin_unlock(&gl->gl_lockref.lock); + return; + } + +@@ -688,7 +686,6 @@ static void finish_xmote(struct gfs2_glock *gl, unsigned int ret) + } + out: + clear_bit(GLF_LOCK, &gl->gl_flags); +- spin_unlock(&gl->gl_lockref.lock); + } + + static bool is_system_glock(struct gfs2_glock *gl) +@@ -835,15 +832,19 @@ __acquires(&gl->gl_lockref.lock) + if (ret == -EINVAL && gl->gl_target == LM_ST_UNLOCKED && + target == LM_ST_UNLOCKED && + test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { ++ spin_lock(&gl->gl_lockref.lock); + finish_xmote(gl, target); +- gfs2_glock_queue_work(gl, 0); ++ __gfs2_glock_queue_work(gl, 0); ++ spin_unlock(&gl->gl_lockref.lock); + } else if (ret) { + fs_err(sdp, "lm_lock ret %d\n", ret); + GLOCK_BUG_ON(gl, !gfs2_withdrawing_or_withdrawn(sdp)); + } + } else { /* lock_nolock */ ++ spin_lock(&gl->gl_lockref.lock); + finish_xmote(gl, target); +- gfs2_glock_queue_work(gl, 0); ++ __gfs2_glock_queue_work(gl, 0); ++ spin_unlock(&gl->gl_lockref.lock); + } + out: + spin_lock(&gl->gl_lockref.lock); +@@ -1099,11 +1100,12 @@ static void glock_work_func(struct work_struct *work) + struct gfs2_glock *gl = container_of(work, struct gfs2_glock, gl_work.work); + unsigned int drop_refs = 1; + +- if (test_and_clear_bit(GLF_REPLY_PENDING, &gl->gl_flags)) { ++ spin_lock(&gl->gl_lockref.lock); ++ if (test_bit(GLF_REPLY_PENDING, &gl->gl_flags)) { ++ clear_bit(GLF_REPLY_PENDING, &gl->gl_flags); + finish_xmote(gl, gl->gl_reply); + drop_refs++; + } +- spin_lock(&gl->gl_lockref.lock); + if (test_bit(GLF_PENDING_DEMOTE, &gl->gl_flags) && + gl->gl_state != LM_ST_UNLOCKED && + gl->gl_demote_state != LM_ST_EXCLUSIVE) { +@@ -2176,8 +2178,11 @@ static void thaw_glock(struct gfs2_glock *gl) + return; + if (!lockref_get_not_dead(&gl->gl_lockref)) + return; ++ ++ spin_lock(&gl->gl_lockref.lock); + set_bit(GLF_REPLY_PENDING, &gl->gl_flags); +- gfs2_glock_queue_work(gl, 0); ++ __gfs2_glock_queue_work(gl, 0); ++ spin_unlock(&gl->gl_lockref.lock); + } + + /** +-- +2.43.0 + diff --git a/queue-6.9/gfs2-fix-ignore-unlock-failures-after-withdraw.patch b/queue-6.9/gfs2-fix-ignore-unlock-failures-after-withdraw.patch new file mode 100644 index 00000000000..0f24b1314b0 --- /dev/null +++ b/queue-6.9/gfs2-fix-ignore-unlock-failures-after-withdraw.patch @@ -0,0 +1,63 @@ +From 8cf5208fc2a9b96e63b85b9ce53aacf76932ce3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 13:47:51 +0200 +Subject: gfs2: Fix "ignore unlock failures after withdraw" + +From: Andreas Gruenbacher + +[ Upstream commit 5d9231111966b6c5a65016d58dcbeab91055bc91 ] + +Commit 3e11e53041502 tries to suppress dlm_lock() lock conversion errors +that occur when the lockspace has already been released. + +It does that by setting and checking the SDF_SKIP_DLM_UNLOCK flag. This +conflicts with the intended meaning of the SDF_SKIP_DLM_UNLOCK flag, so +check whether the lockspace is still allocated instead. + +(Given the current DLM API, checking for this kind of error after the +fact seems easier that than to make sure that the lockspace is still +allocated before calling dlm_lock(). Changing the DLM API so that users +maintain the lockspace references themselves would be an option.) + +Fixes: 3e11e53041502 ("GFS2: ignore unlock failures after withdraw") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 4 +++- + fs/gfs2/util.c | 1 - + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 34540f9d011ca..385561cd4f4c7 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -802,11 +802,13 @@ __acquires(&gl->gl_lockref.lock) + } + + if (sdp->sd_lockstruct.ls_ops->lm_lock) { ++ struct lm_lockstruct *ls = &sdp->sd_lockstruct; ++ + /* lock_dlm */ + ret = sdp->sd_lockstruct.ls_ops->lm_lock(gl, target, lck_flags); + if (ret == -EINVAL && gl->gl_target == LM_ST_UNLOCKED && + target == LM_ST_UNLOCKED && +- test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags)) { ++ test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { + finish_xmote(gl, target); + gfs2_glock_queue_work(gl, 0); + } else if (ret) { +diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c +index f52141ce94853..fc3ecb180ac53 100644 +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -350,7 +350,6 @@ int gfs2_withdraw(struct gfs2_sbd *sdp) + fs_err(sdp, "telling LM to unmount\n"); + lm->lm_unmount(sdp); + } +- set_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags); + fs_err(sdp, "File system withdrawn\n"); + dump_stack(); + clear_bit(SDF_WITHDRAW_IN_PROG, &sdp->sd_flags); +-- +2.43.0 + diff --git a/queue-6.9/gfs2-fix-potential-glock-use-after-free-on-unmount.patch b/queue-6.9/gfs2-fix-potential-glock-use-after-free-on-unmount.patch new file mode 100644 index 00000000000..368ffadfb50 --- /dev/null +++ b/queue-6.9/gfs2-fix-potential-glock-use-after-free-on-unmount.patch @@ -0,0 +1,227 @@ +From 9342fc697b20168f49c33d9ad647226cf18a9160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 04:50:18 +0200 +Subject: gfs2: Fix potential glock use-after-free on unmount + +From: Andreas Gruenbacher + +[ Upstream commit d98779e687726d8f8860f1c54b5687eec5f63a73 ] + +When a DLM lockspace is released and there ares still locks in that +lockspace, DLM will unlock those locks automatically. Commit +fb6791d100d1b started exploiting this behavior to speed up filesystem +unmount: gfs2 would simply free glocks it didn't want to unlock and then +release the lockspace. This didn't take the bast callbacks for +asynchronous lock contention notifications into account, which remain +active until until a lock is unlocked or its lockspace is released. + +To prevent those callbacks from accessing deallocated objects, put the +glocks that should not be unlocked on the sd_dead_glocks list, release +the lockspace, and only then free those glocks. + +As an additional measure, ignore unexpected ast and bast callbacks if +the receiving glock is dead. + +Fixes: fb6791d100d1b ("GFS2: skip dlm_unlock calls in unmount") +Signed-off-by: Andreas Gruenbacher +Cc: David Teigland +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 35 ++++++++++++++++++++++++++++++++--- + fs/gfs2/glock.h | 1 + + fs/gfs2/incore.h | 1 + + fs/gfs2/lock_dlm.c | 32 ++++++++++++++++++++++---------- + fs/gfs2/ops_fstype.c | 1 + + fs/gfs2/super.c | 3 --- + 6 files changed, 57 insertions(+), 16 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 5d5b3235d4e59..1bf0d751ece0a 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -166,18 +166,45 @@ static bool glock_blocked_by_withdraw(struct gfs2_glock *gl) + return true; + } + +-void gfs2_glock_free(struct gfs2_glock *gl) ++static void __gfs2_glock_free(struct gfs2_glock *gl) + { +- struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; +- + rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms); + smp_mb(); + wake_up_glock(gl); + call_rcu(&gl->gl_rcu, gfs2_glock_dealloc); ++} ++ ++void gfs2_glock_free(struct gfs2_glock *gl) { ++ struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; ++ ++ __gfs2_glock_free(gl); + if (atomic_dec_and_test(&sdp->sd_glock_disposal)) + wake_up(&sdp->sd_kill_wait); + } + ++void gfs2_glock_free_later(struct gfs2_glock *gl) { ++ struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; ++ ++ spin_lock(&lru_lock); ++ list_add(&gl->gl_lru, &sdp->sd_dead_glocks); ++ spin_unlock(&lru_lock); ++ if (atomic_dec_and_test(&sdp->sd_glock_disposal)) ++ wake_up(&sdp->sd_kill_wait); ++} ++ ++static void gfs2_free_dead_glocks(struct gfs2_sbd *sdp) ++{ ++ struct list_head *list = &sdp->sd_dead_glocks; ++ ++ while(!list_empty(list)) { ++ struct gfs2_glock *gl; ++ ++ gl = list_first_entry(list, struct gfs2_glock, gl_lru); ++ list_del_init(&gl->gl_lru); ++ __gfs2_glock_free(gl); ++ } ++} ++ + /** + * gfs2_glock_hold() - increment reference count on glock + * @gl: The glock to hold +@@ -2226,6 +2253,8 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) + wait_event_timeout(sdp->sd_kill_wait, + atomic_read(&sdp->sd_glock_disposal) == 0, + HZ * 600); ++ gfs2_lm_unmount(sdp); ++ gfs2_free_dead_glocks(sdp); + glock_hash_walk(dump_glock_func, sdp); + } + +diff --git a/fs/gfs2/glock.h b/fs/gfs2/glock.h +index 0114f3e0ebe01..86987a59a0580 100644 +--- a/fs/gfs2/glock.h ++++ b/fs/gfs2/glock.h +@@ -252,6 +252,7 @@ void gfs2_gl_dq_holders(struct gfs2_sbd *sdp); + void gfs2_glock_thaw(struct gfs2_sbd *sdp); + void gfs2_glock_add_to_lru(struct gfs2_glock *gl); + void gfs2_glock_free(struct gfs2_glock *gl); ++void gfs2_glock_free_later(struct gfs2_glock *gl); + + int __init gfs2_glock_init(void); + void gfs2_glock_exit(void); +diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h +index 95a334d64da2a..60abd7050c998 100644 +--- a/fs/gfs2/incore.h ++++ b/fs/gfs2/incore.h +@@ -838,6 +838,7 @@ struct gfs2_sbd { + /* For quiescing the filesystem */ + struct gfs2_holder sd_freeze_gh; + struct mutex sd_freeze_mutex; ++ struct list_head sd_dead_glocks; + + char sd_fsname[GFS2_FSNAME_LEN + 3 * sizeof(int) + 2]; + char sd_table_name[GFS2_FSNAME_LEN]; +diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c +index d1ac5d0679ea6..e028e55e67d95 100644 +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -121,6 +121,11 @@ static void gdlm_ast(void *arg) + struct gfs2_glock *gl = arg; + unsigned ret = gl->gl_state; + ++ /* If the glock is dead, we only react to a dlm_unlock() reply. */ ++ if (__lockref_is_dead(&gl->gl_lockref) && ++ gl->gl_lksb.sb_status != -DLM_EUNLOCK) ++ return; ++ + gfs2_update_reply_times(gl); + BUG_ON(gl->gl_lksb.sb_flags & DLM_SBF_DEMOTED); + +@@ -171,6 +176,9 @@ static void gdlm_bast(void *arg, int mode) + { + struct gfs2_glock *gl = arg; + ++ if (__lockref_is_dead(&gl->gl_lockref)) ++ return; ++ + switch (mode) { + case DLM_LOCK_EX: + gfs2_glock_cb(gl, LM_ST_UNLOCKED); +@@ -291,8 +299,12 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + struct lm_lockstruct *ls = &sdp->sd_lockstruct; + int error; + +- if (gl->gl_lksb.sb_lkid == 0) +- goto out_free; ++ BUG_ON(!__lockref_is_dead(&gl->gl_lockref)); ++ ++ if (gl->gl_lksb.sb_lkid == 0) { ++ gfs2_glock_free(gl); ++ return; ++ } + + clear_bit(GLF_BLOCKING, &gl->gl_flags); + gfs2_glstats_inc(gl, GFS2_LKS_DCOUNT); +@@ -300,13 +312,17 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + gfs2_update_request_times(gl); + + /* don't want to call dlm if we've unmounted the lock protocol */ +- if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) +- goto out_free; ++ if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { ++ gfs2_glock_free(gl); ++ return; ++ } + /* don't want to skip dlm_unlock writing the lvb when lock has one */ + + if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) && +- !gl->gl_lksb.sb_lvbptr) +- goto out_free; ++ !gl->gl_lksb.sb_lvbptr) { ++ gfs2_glock_free_later(gl); ++ return; ++ } + + again: + error = dlm_unlock(ls->ls_dlm, gl->gl_lksb.sb_lkid, DLM_LKF_VALBLK, +@@ -321,10 +337,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + gl->gl_name.ln_type, + (unsigned long long)gl->gl_name.ln_number, error); + } +- return; +- +-out_free: +- gfs2_glock_free(gl); + } + + static void gdlm_cancel(struct gfs2_glock *gl) +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 572d58e86296f..cde7118599abb 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -136,6 +136,7 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb) + atomic_set(&sdp->sd_log_in_flight, 0); + init_waitqueue_head(&sdp->sd_log_flush_wait); + mutex_init(&sdp->sd_freeze_mutex); ++ INIT_LIST_HEAD(&sdp->sd_dead_glocks); + + return sdp; + +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index e5f79466340d2..2d780b4701a23 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -646,10 +646,7 @@ static void gfs2_put_super(struct super_block *sb) + gfs2_gl_hash_clear(sdp); + truncate_inode_pages_final(&sdp->sd_aspace); + gfs2_delete_debugfs_file(sdp); +- /* Unmount the locking protocol */ +- gfs2_lm_unmount(sdp); + +- /* At this point, we're through participating in the lockspace */ + gfs2_sys_fs_del(sdp); + free_sbd(sdp); + } +-- +2.43.0 + diff --git a/queue-6.9/gfs2-remove-ill-placed-consistency-check.patch b/queue-6.9/gfs2-remove-ill-placed-consistency-check.patch new file mode 100644 index 00000000000..d72d8c316d1 --- /dev/null +++ b/queue-6.9/gfs2-remove-ill-placed-consistency-check.patch @@ -0,0 +1,37 @@ +From 49965e7064a7203828e49f6965a87717ba1613de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 04:24:56 +0200 +Subject: gfs2: Remove ill-placed consistency check + +From: Andreas Gruenbacher + +[ Upstream commit 59f60005797b4018d7b46620037e0c53d690795e ] + +This consistency check was originally added by commit 9287c6452d2b1 +("gfs2: Fix occasional glock use-after-free"). It is ill-placed in +gfs2_glock_free() because if it holds there, it must equally hold in +__gfs2_glock_put() already. Either way, the check doesn't seem +necessary anymore. + +Signed-off-by: Andreas Gruenbacher +Stable-dep-of: d98779e68772 ("gfs2: Fix potential glock use-after-free on unmount") +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 385561cd4f4c7..5d5b3235d4e59 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -170,7 +170,6 @@ void gfs2_glock_free(struct gfs2_glock *gl) + { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + +- gfs2_glock_assert_withdraw(gl, atomic_read(&gl->gl_revokes) == 0); + rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms); + smp_mb(); + wake_up_glock(gl); +-- +2.43.0 + diff --git a/queue-6.9/gpio-nuvoton-fix-sgpio-irq-handle-error.patch b/queue-6.9/gpio-nuvoton-fix-sgpio-irq-handle-error.patch new file mode 100644 index 00000000000..738a5d3a966 --- /dev/null +++ b/queue-6.9/gpio-nuvoton-fix-sgpio-irq-handle-error.patch @@ -0,0 +1,55 @@ +From b76f23ec13fc8fec6ff943328f25405dd16fccab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 14:42:44 +0800 +Subject: gpio: nuvoton: Fix sgpio irq handle error + +From: Jim Liu + +[ Upstream commit 7f45fe2ea3b8c85787976293126a4a7133b107de ] + +The generic_handle_domain_irq() function calls irq_resolve_mapping(). +Thus delete a duplicative irq_find_mapping() call +so that a stack trace and an RCU stall will be avoided. + +Fixes: c4f8457d17ce ("gpio: nuvoton: Add Nuvoton NPCM sgpio driver") +Signed-off-by: Jim Liu +Reviewed-by: Linus Walleij +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240506064244.1645922-1-JJLIU0@nuvoton.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-npcm-sgpio.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpio-npcm-sgpio.c b/drivers/gpio/gpio-npcm-sgpio.c +index d31788b43abcc..2605706145434 100644 +--- a/drivers/gpio/gpio-npcm-sgpio.c ++++ b/drivers/gpio/gpio-npcm-sgpio.c +@@ -434,7 +434,7 @@ static void npcm_sgpio_irq_handler(struct irq_desc *desc) + struct gpio_chip *gc = irq_desc_get_handler_data(desc); + struct irq_chip *ic = irq_desc_get_chip(desc); + struct npcm_sgpio *gpio = gpiochip_get_data(gc); +- unsigned int i, j, girq; ++ unsigned int i, j; + unsigned long reg; + + chained_irq_enter(ic, desc); +@@ -443,11 +443,9 @@ static void npcm_sgpio_irq_handler(struct irq_desc *desc) + const struct npcm_sgpio_bank *bank = &npcm_sgpio_banks[i]; + + reg = ioread8(bank_reg(gpio, bank, EVENT_STS)); +- for_each_set_bit(j, ®, 8) { +- girq = irq_find_mapping(gc->irq.domain, +- i * 8 + gpio->nout_sgpio + j); +- generic_handle_domain_irq(gc->irq.domain, girq); +- } ++ for_each_set_bit(j, ®, 8) ++ generic_handle_domain_irq(gc->irq.domain, ++ i * 8 + gpio->nout_sgpio + j); + } + + chained_irq_exit(ic, desc); +-- +2.43.0 + diff --git a/queue-6.9/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch b/queue-6.9/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch new file mode 100644 index 00000000000..5e6d281f971 --- /dev/null +++ b/queue-6.9/hid-amd_sfh-handle-no-sensors-in-pm-operations.patch @@ -0,0 +1,52 @@ +From 25a73a2a56f00326bf412eed1f0a9f82cc7ff9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 12:40:44 +0530 +Subject: HID: amd_sfh: Handle "no sensors" in PM operations + +From: Basavaraj Natikar + +[ Upstream commit 077e3e3bc84a51891e732507bbbd9acf6e0e4c8b ] + +Resume or suspend each sensor device based on the num_hid_devices. +Therefore, add a check to handle the special case where no sensors are +present. + +Fixes: 93ce5e0231d7 ("HID: amd_sfh: Implement SFH1.1 functionality") +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +index 5b24d5f63701a..c2f9fc1f20a24 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +@@ -227,6 +227,11 @@ static void amd_sfh_resume(struct amd_mp2_dev *mp2) + struct amd_mp2_sensor_info info; + int i, status; + ++ if (!cl_data->is_any_sensor_enabled) { ++ amd_sfh_clear_intr(mp2); ++ return; ++ } ++ + for (i = 0; i < cl_data->num_hid_devices; i++) { + if (cl_data->sensor_sts[i] == SENSOR_DISABLED) { + info.sensor_idx = cl_data->sensor_idx[i]; +@@ -252,6 +257,11 @@ static void amd_sfh_suspend(struct amd_mp2_dev *mp2) + struct amdtp_cl_data *cl_data = mp2->cl_data; + int i, status; + ++ if (!cl_data->is_any_sensor_enabled) { ++ amd_sfh_clear_intr(mp2); ++ return; ++ } ++ + for (i = 0; i < cl_data->num_hid_devices; i++) { + if (cl_data->sensor_idx[i] != HPD_IDX && + cl_data->sensor_sts[i] == SENSOR_ENABLED) { +-- +2.43.0 + diff --git a/queue-6.9/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch b/queue-6.9/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch new file mode 100644 index 00000000000..99e416dd7e2 --- /dev/null +++ b/queue-6.9/hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch @@ -0,0 +1,41 @@ +From 0706a401748d573aa84eee329e60753916ff2254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:54:22 +0800 +Subject: HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors + +From: Chen Ni + +[ Upstream commit 6baa4524027fd64d7ca524e1717c88c91a354b93 ] + +Add a check for the return value of pci_alloc_irq_vectors() and return +error if it fails. + +[jkosina@suse.com: reworded changelog based on Srinivas' suggestion] +Fixes: 74fbc7d371d9 ("HID: intel-ish-hid: add MSI interrupt support") +Signed-off-by: Chen Ni +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +index 56bd4f02f3191..4b8232360cc46 100644 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -173,6 +173,11 @@ static int ish_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* request and enable interrupt */ + ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES); ++ if (ret < 0) { ++ dev_err(dev, "ISH: Failed to allocate IRQ vectors\n"); ++ return ret; ++ } ++ + if (!pdev->msi_enabled && !pdev->msix_enabled) + irq_flag = IRQF_SHARED; + +-- +2.43.0 + diff --git a/queue-6.9/hwrng-stm32-put-ip-into-rpm-suspend-on-failure.patch b/queue-6.9/hwrng-stm32-put-ip-into-rpm-suspend-on-failure.patch new file mode 100644 index 00000000000..26cbfa290db --- /dev/null +++ b/queue-6.9/hwrng-stm32-put-ip-into-rpm-suspend-on-failure.patch @@ -0,0 +1,56 @@ +From cbc5e2f029f00f5d149d7992945984b456ed6fe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 07:01:13 +0200 +Subject: hwrng: stm32 - put IP into RPM suspend on failure + +From: Marek Vasut + +[ Upstream commit da62ed5c019cc48648f37c7a07e6a56cf637a795 ] + +In case of an irrecoverable failure, put the IP into RPM suspend +to avoid RPM imbalance. I did not trigger this case, but it seems +it should be done based on reading the code. + +Fixes: b17bc6eb7c2b ("hwrng: stm32 - rework error handling in stm32_rng_read()") +Signed-off-by: Marek Vasut +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/stm32-rng.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/stm32-rng.c b/drivers/char/hw_random/stm32-rng.c +index 1cc61ef8ee54c..b6182f86d8a4b 100644 +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -220,7 +220,8 @@ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + if (err && i > RNG_NB_RECOVER_TRIES) { + dev_err((struct device *)priv->rng.priv, + "Couldn't recover from seed error\n"); +- return -ENOTRECOVERABLE; ++ retval = -ENOTRECOVERABLE; ++ goto exit_rpm; + } + + continue; +@@ -238,7 +239,8 @@ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + if (err && i > RNG_NB_RECOVER_TRIES) { + dev_err((struct device *)priv->rng.priv, + "Couldn't recover from seed error"); +- return -ENOTRECOVERABLE; ++ retval = -ENOTRECOVERABLE; ++ goto exit_rpm; + } + + continue; +@@ -250,6 +252,7 @@ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + max -= sizeof(u32); + } + ++exit_rpm: + pm_runtime_mark_last_busy((struct device *) priv->rng.priv); + pm_runtime_put_sync_autosuspend((struct device *) priv->rng.priv); + +-- +2.43.0 + diff --git a/queue-6.9/hwrng-stm32-repair-clock-handling.patch b/queue-6.9/hwrng-stm32-repair-clock-handling.patch new file mode 100644 index 00000000000..db777532392 --- /dev/null +++ b/queue-6.9/hwrng-stm32-repair-clock-handling.patch @@ -0,0 +1,79 @@ +From 8212c9ad8a11ebe2b6411fe66a3c0c48dc7b27f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 07:01:14 +0200 +Subject: hwrng: stm32 - repair clock handling + +From: Marek Vasut + +[ Upstream commit c819d7b836c5dfca0854d3e56664293601f2176d ] + +The clock management in this driver does not seem to be correct. The +struct hwrng .init callback enables the clock, but there is no matching +.cleanup callback to disable the clock. The clock get disabled as some +later point by runtime PM suspend callback. + +Furthermore, both runtime PM and sleep suspend callbacks access registers +first and disable clock which are used for register access second. If the +IP is already in RPM suspend and the system enters sleep state, the sleep +callback will attempt to access registers while the register clock are +already disabled. This bug has been fixed once before already in commit +9bae54942b13 ("hwrng: stm32 - fix pm_suspend issue"), and regressed in +commit ff4e46104f2e ("hwrng: stm32 - rework power management sequences") . + +Fix this slightly differently, disable register clock at the end of .init +callback, this way the IP is disabled after .init. On every access to the +IP, which really is only stm32_rng_read(), do pm_runtime_get_sync() which +is already done in stm32_rng_read() to bring the IP from RPM suspend, and +pm_runtime_mark_last_busy()/pm_runtime_put_sync_autosuspend() to put it +back into RPM suspend. + +Change sleep suspend/resume callbacks to enable and disable register clock +around register access, as those cannot use the RPM suspend/resume callbacks +due to slightly different initialization in those sleep callbacks. This way, +the register access should always be performed with clock surely enabled. + +Fixes: ff4e46104f2e ("hwrng: stm32 - rework power management sequences") +Signed-off-by: Marek Vasut +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/stm32-rng.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/char/hw_random/stm32-rng.c b/drivers/char/hw_random/stm32-rng.c +index b6182f86d8a4b..0e903d6e22e30 100644 +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -363,6 +363,8 @@ static int stm32_rng_init(struct hwrng *rng) + return -EINVAL; + } + ++ clk_disable_unprepare(priv->clk); ++ + return 0; + } + +@@ -387,6 +389,11 @@ static int __maybe_unused stm32_rng_runtime_suspend(struct device *dev) + static int __maybe_unused stm32_rng_suspend(struct device *dev) + { + struct stm32_rng_private *priv = dev_get_drvdata(dev); ++ int err; ++ ++ err = clk_prepare_enable(priv->clk); ++ if (err) ++ return err; + + if (priv->data->has_cond_reset) { + priv->pm_conf.nscr = readl_relaxed(priv->base + RNG_NSCR); +@@ -468,6 +475,8 @@ static int __maybe_unused stm32_rng_resume(struct device *dev) + writel_relaxed(reg, priv->base + RNG_CR); + } + ++ clk_disable_unprepare(priv->clk); ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.9/hwrng-stm32-use-logical-or-in-conditional.patch b/queue-6.9/hwrng-stm32-use-logical-or-in-conditional.patch new file mode 100644 index 00000000000..cc9463675d8 --- /dev/null +++ b/queue-6.9/hwrng-stm32-use-logical-or-in-conditional.patch @@ -0,0 +1,37 @@ +From 202a8de2f1599e23bb16b35247a390dac9096aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 07:01:12 +0200 +Subject: hwrng: stm32 - use logical OR in conditional + +From: Marek Vasut + +[ Upstream commit 31b57788a5024d3a114b28dad224a93831b90b5f ] + +The conditional is used to check whether err is non-zero OR whether +reg variable is non-zero after clearing bits from it. This should be +done using logical OR, not bitwise OR, fix it. + +Fixes: 6b85a7e141cb ("hwrng: stm32 - implement STM32MP13x support") +Signed-off-by: Marek Vasut +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/stm32-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/stm32-rng.c b/drivers/char/hw_random/stm32-rng.c +index 379bc245c5202..1cc61ef8ee54c 100644 +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -353,7 +353,7 @@ static int stm32_rng_init(struct hwrng *rng) + err = readl_relaxed_poll_timeout_atomic(priv->base + RNG_SR, reg, + reg & RNG_SR_DRDY, + 10, 100000); +- if (err | (reg & ~RNG_SR_DRDY)) { ++ if (err || (reg & ~RNG_SR_DRDY)) { + clk_disable_unprepare(priv->clk); + dev_err((struct device *)priv->rng.priv, + "%s: timeout:%x SR: %x!\n", __func__, err, reg); +-- +2.43.0 + diff --git a/queue-6.9/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch b/queue-6.9/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch new file mode 100644 index 00000000000..ca655a0bae3 --- /dev/null +++ b/queue-6.9/ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch @@ -0,0 +1,83 @@ +From 3f81f837604483aedfe905ec6c749b6088afdbee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 13:46:19 -0300 +Subject: IB/mlx5: Use __iowrite64_copy() for write combining stores + +From: Jason Gunthorpe + +[ Upstream commit ef302283ddfceaba2657923af3f90fd58e6dff06 ] + +mlx5 has a built in self-test at driver startup to evaluate if the +platform supports write combining to generate a 64 byte PCIe TLP or +not. This has proven necessary because a lot of common scenarios end up +with broken write combining (especially inside virtual machines) and there +is other way to learn this information. + +This self test has been consistently failing on new ARM64 CPU +designs (specifically with NVIDIA Grace's implementation of Neoverse +V2). The C loop around writeq() generates some pretty terrible ARM64 +assembly, but historically this has worked on a lot of existing ARM64 CPUs +till now. + +We see it succeed about 1 time in 10,000 on the worst effected +systems. The CPU architects speculate that the load instructions +interspersed with the stores makes the WC buffers statistically flush too +often and thus the generation of large TLPs becomes infrequent. This makes +the boot up test unreliable in that it indicates no write-combining, +however userspace would be fine since it uses a ST4 instruction. + +Further, S390 has similar issues where only the special zpci_memcpy_toio() +will actually generate large TLPs, and the open coded loop does not +trigger it at all. + +Fix both ARM64 and S390 by switching to __iowrite64_copy() which now +provides architecture specific variants that have a high change of +generating a large TLP with write combining. x86 continues to use a +similar writeq loop in the generate __iowrite64_copy(). + +Fixes: 11f552e21755 ("IB/mlx5: Test write combining support") +Link: https://lore.kernel.org/r/6-v3-1893cd8b9369+1925-mlx5_arm_wc_jgg@nvidia.com +Tested-by: Niklas Schnelle +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mem.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mem.c b/drivers/infiniband/hw/mlx5/mem.c +index 96ffbbaf0a73d..5a22be14d958f 100644 +--- a/drivers/infiniband/hw/mlx5/mem.c ++++ b/drivers/infiniband/hw/mlx5/mem.c +@@ -30,6 +30,7 @@ + * SOFTWARE. + */ + ++#include + #include + #include "mlx5_ib.h" + #include +@@ -108,7 +109,6 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id, + __be32 mmio_wqe[16] = {}; + unsigned long flags; + unsigned int idx; +- int i; + + if (unlikely(dev->mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)) + return -EIO; +@@ -148,10 +148,8 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id, + * we hit doorbell + */ + wmb(); +- for (i = 0; i < 8; i++) +- mlx5_write64(&mmio_wqe[i * 2], +- bf->bfreg->map + bf->offset + i * 8); +- io_stop_wc(); ++ __iowrite64_copy(bf->bfreg->map + bf->offset, mmio_wqe, ++ sizeof(mmio_wqe) / 8); + + bf->offset ^= bf->buf_size; + +-- +2.43.0 + diff --git a/queue-6.9/ice-fix-package-download-algorithm.patch b/queue-6.9/ice-fix-package-download-algorithm.patch new file mode 100644 index 00000000000..3408b05e46b --- /dev/null +++ b/queue-6.9/ice-fix-package-download-algorithm.patch @@ -0,0 +1,56 @@ +From 48e7a05944fd8b52ed4ca90365d48c71b4e23181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:19:07 -0700 +Subject: ice: Fix package download algorithm + +From: Dan Nowlin + +[ Upstream commit 6d51d44ecddb5c2962688ef06e55e4fbc949f04a ] + +Previously, the driver assumed that all signature segments would contain +one or more buffers to download. In the future, there will be signature +segments that will contain no buffers to download. + +Correct download flow to allow for signature segments that have zero +download buffers and skip the download in this case. + +Fixes: 3cbdb0343022 ("ice: Add support for E830 DDP package segment") +Reviewed-by: Przemek Kitszel +Signed-off-by: Dan Nowlin +Signed-off-by: Paul Greenwalt +Reviewed-by: Paul Menzel +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20240508171908.2760776-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ddp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.c b/drivers/net/ethernet/intel/ice/ice_ddp.c +index fc91c4d411863..4df561d64bc38 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ddp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ddp.c +@@ -1424,14 +1424,14 @@ ice_dwnld_sign_and_cfg_segs(struct ice_hw *hw, struct ice_pkg_hdr *pkg_hdr, + goto exit; + } + +- conf_idx = le32_to_cpu(seg->signed_seg_idx); +- start = le32_to_cpu(seg->signed_buf_start); + count = le32_to_cpu(seg->signed_buf_count); +- + state = ice_download_pkg_sig_seg(hw, seg); +- if (state) ++ if (state || !count) + goto exit; + ++ conf_idx = le32_to_cpu(seg->signed_seg_idx); ++ start = le32_to_cpu(seg->signed_buf_start); ++ + state = ice_download_pkg_config_seg(hw, pkg_hdr, conf_idx, start, + count); + +-- +2.43.0 + diff --git a/queue-6.9/idpf-don-t-skip-over-ethtool-tcp-data-split-setting.patch b/queue-6.9/idpf-don-t-skip-over-ethtool-tcp-data-split-setting.patch new file mode 100644 index 00000000000..0470091c941 --- /dev/null +++ b/queue-6.9/idpf-don-t-skip-over-ethtool-tcp-data-split-setting.patch @@ -0,0 +1,53 @@ +From 5f1a9196ed963ba7b1eb482ce6ce01d87b6b0732 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 11:24:14 +0200 +Subject: idpf: don't skip over ethtool tcp-data-split setting + +From: Michal Schmidt + +[ Upstream commit 67708158e732bf03d076fba1e3d4453fbf8292a2 ] + +Disabling tcp-data-split on idpf silently fails: + # ethtool -G $NETDEV tcp-data-split off + # ethtool -g $NETDEV | grep 'TCP data split' + TCP data split: on + +But it works if you also change 'tx' or 'rx': + # ethtool -G $NETDEV tcp-data-split off tx 256 + # ethtool -g $NETDEV | grep 'TCP data split' + TCP data split: off + +The bug is in idpf_set_ringparam, where it takes a shortcut out if the +TX and RX sizes are not changing. Fix it by checking also if the +tcp-data-split setting remains unchanged. Only then can the soft reset +be skipped. + +Fixes: 9b1aa3ef2328 ("idpf: add get/set for Ethtool's header split ringparam") +Reported-by: Xu Du +Closes: https://issues.redhat.com/browse/RHEL-36182 +Signed-off-by: Michal Schmidt +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/r/20240515092414.158079-1-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index 986d429d11755..6972d728431cb 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -376,7 +376,8 @@ static int idpf_set_ringparam(struct net_device *netdev, + new_tx_count); + + if (new_tx_count == vport->txq_desc_count && +- new_rx_count == vport->rxq_desc_count) ++ new_rx_count == vport->rxq_desc_count && ++ kring->tcp_data_split == idpf_vport_get_hsplit(vport)) + goto unlock_mutex; + + if (!idpf_vport_set_hsplit(vport, kring->tcp_data_split)) { +-- +2.43.0 + diff --git a/queue-6.9/inet-fix-inet_fill_ifaddr-flags-truncation.patch b/queue-6.9/inet-fix-inet_fill_ifaddr-flags-truncation.patch new file mode 100644 index 00000000000..51ca54af7ef --- /dev/null +++ b/queue-6.9/inet-fix-inet_fill_ifaddr-flags-truncation.patch @@ -0,0 +1,77 @@ +From b957eeb85ca8a25ed64178ced731738494775802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 07:29:32 +0000 +Subject: inet: fix inet_fill_ifaddr() flags truncation + +From: Eric Dumazet + +[ Upstream commit 1af7f88af269c4e06a4dc3bc920ff6cdf7471124 ] + +I missed that (struct ifaddrmsg)->ifa_flags was only 8bits, +while (struct in_ifaddr)->ifa_flags is 32bits. + +Use a temporary 32bit variable as I did in set_ifa_lifetime() +and check_lifetime(). + +Fixes: 3ddc2231c810 ("inet: annotate data-races around ifa->ifa_flags") +Reported-by: Yu Watanabe +Dianosed-by: Yu Watanabe +Closes: https://github.com/systemd/systemd/pull/32666#issuecomment-2103977928 +Signed-off-by: Eric Dumazet +Reviewed-by: Larysa Zaremba +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240510072932.2678952-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 7a437f0d41905..7e45c34c8340a 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1683,6 +1683,7 @@ static int inet_fill_ifaddr(struct sk_buff *skb, const struct in_ifaddr *ifa, + struct nlmsghdr *nlh; + unsigned long tstamp; + u32 preferred, valid; ++ u32 flags; + + nlh = nlmsg_put(skb, args->portid, args->seq, args->event, sizeof(*ifm), + args->flags); +@@ -1692,7 +1693,13 @@ static int inet_fill_ifaddr(struct sk_buff *skb, const struct in_ifaddr *ifa, + ifm = nlmsg_data(nlh); + ifm->ifa_family = AF_INET; + ifm->ifa_prefixlen = ifa->ifa_prefixlen; +- ifm->ifa_flags = READ_ONCE(ifa->ifa_flags); ++ ++ flags = READ_ONCE(ifa->ifa_flags); ++ /* Warning : ifm->ifa_flags is an __u8, it holds only 8 bits. ++ * The 32bit value is given in IFA_FLAGS attribute. ++ */ ++ ifm->ifa_flags = (__u8)flags; ++ + ifm->ifa_scope = ifa->ifa_scope; + ifm->ifa_index = ifa->ifa_dev->dev->ifindex; + +@@ -1701,7 +1708,7 @@ static int inet_fill_ifaddr(struct sk_buff *skb, const struct in_ifaddr *ifa, + goto nla_put_failure; + + tstamp = READ_ONCE(ifa->ifa_tstamp); +- if (!(ifm->ifa_flags & IFA_F_PERMANENT)) { ++ if (!(flags & IFA_F_PERMANENT)) { + preferred = READ_ONCE(ifa->ifa_preferred_lft); + valid = READ_ONCE(ifa->ifa_valid_lft); + if (preferred != INFINITY_LIFE_TIME) { +@@ -1732,7 +1739,7 @@ static int inet_fill_ifaddr(struct sk_buff *skb, const struct in_ifaddr *ifa, + nla_put_string(skb, IFA_LABEL, ifa->ifa_label)) || + (ifa->ifa_proto && + nla_put_u8(skb, IFA_PROTO, ifa->ifa_proto)) || +- nla_put_u32(skb, IFA_FLAGS, ifm->ifa_flags) || ++ nla_put_u32(skb, IFA_FLAGS, flags) || + (ifa->ifa_rt_priority && + nla_put_u32(skb, IFA_RT_PRIORITY, ifa->ifa_rt_priority)) || + put_cacheinfo(skb, READ_ONCE(ifa->ifa_cstamp), tstamp, +-- +2.43.0 + diff --git a/queue-6.9/io-wq-write-next_work-before-dropping-acct_lock.patch b/queue-6.9/io-wq-write-next_work-before-dropping-acct_lock.patch new file mode 100644 index 00000000000..95e6dbbaf88 --- /dev/null +++ b/queue-6.9/io-wq-write-next_work-before-dropping-acct_lock.patch @@ -0,0 +1,76 @@ +From 71ecb2afc4e2f6fb100ae83d8090e820946b94e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 22:10:53 -0400 +Subject: io-wq: write next_work before dropping acct_lock + +From: Gabriel Krisman Bertazi + +[ Upstream commit 068c27e32e51e94e4a9eb30ae85f4097a3602980 ] + +Commit 361aee450c6e ("io-wq: add intermediate work step between pending +list and active work") closed a race between a cancellation and the work +being removed from the wq for execution. To ensure the request is +always reachable by the cancellation, we need to move it within the wq +lock, which also synchronizes the cancellation. But commit +42abc95f05bf ("io-wq: decouple work_list protection from the big +wqe->lock") replaced the wq lock here and accidentally reintroduced the +race by releasing the acct_lock too early. + +In other words: + + worker | cancellation +work = io_get_next_work() | +raw_spin_unlock(&acct->lock); | + | + | io_acct_cancel_pending_work + | io_wq_worker_cancel() +worker->next_work = work + +Using acct_lock is still enough since we synchronize on it on +io_acct_cancel_pending_work. + +Fixes: 42abc95f05bf ("io-wq: decouple work_list protection from the big wqe->lock") +Signed-off-by: Gabriel Krisman Bertazi +Link: https://lore.kernel.org/r/20240416021054.3940-2-krisman@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io-wq.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c +index 522196dfb0ff5..318ed067dbf64 100644 +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -564,10 +564,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct, + * clear the stalled flag. + */ + work = io_get_next_work(acct, worker); +- raw_spin_unlock(&acct->lock); + if (work) { +- __io_worker_busy(wq, worker); +- + /* + * Make sure cancelation can find this, even before + * it becomes the active work. That avoids a window +@@ -578,9 +575,15 @@ static void io_worker_handle_work(struct io_wq_acct *acct, + raw_spin_lock(&worker->lock); + worker->next_work = work; + raw_spin_unlock(&worker->lock); +- } else { +- break; + } ++ ++ raw_spin_unlock(&acct->lock); ++ ++ if (!work) ++ break; ++ ++ __io_worker_busy(wq, worker); ++ + io_assign_current_work(worker, work); + __set_current_state(TASK_RUNNING); + +-- +2.43.0 + diff --git a/queue-6.9/io_uring-net-fix-sendzc-lazy-wake-polling.patch b/queue-6.9/io_uring-net-fix-sendzc-lazy-wake-polling.patch new file mode 100644 index 00000000000..47459e2469a --- /dev/null +++ b/queue-6.9/io_uring-net-fix-sendzc-lazy-wake-polling.patch @@ -0,0 +1,37 @@ +From 4870bd61b5b91398be4149354c3851d5bc256432 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 16:42:30 +0100 +Subject: io_uring/net: fix sendzc lazy wake polling + +From: Pavel Begunkov + +[ Upstream commit ef42b85a5609cd822ca0a68dd2bef2b12b5d1ca3 ] + +SEND[MSG]_ZC produces multiple CQEs via notifications, LAZY_WAKE doesn't +handle it and so disable LAZY_WAKE for sendzc polling. It should be +fine, sends are not likely to be polled in the first place. + +Fixes: 6ce4a93dbb5b ("io_uring/poll: use IOU_F_TWQ_LAZY_WAKE for wakeups") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/5b360fb352d91e3aec751d75c87dfb4753a084ee.1714488419.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/io_uring/net.c b/io_uring/net.c +index 4afb475d41974..3896e6220d0bf 100644 +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1041,6 +1041,7 @@ int io_send_zc_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) + struct io_kiocb *notif; + + zc->done_io = 0; ++ req->flags |= REQ_F_POLL_NO_LAZY; + + if (unlikely(READ_ONCE(sqe->__pad2[0]) || READ_ONCE(sqe->addr3))) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.9/io_uring-use-the-right-type-for-work_llist-empty-che.patch b/queue-6.9/io_uring-use-the-right-type-for-work_llist-empty-che.patch new file mode 100644 index 00000000000..2247c3398b8 --- /dev/null +++ b/queue-6.9/io_uring-use-the-right-type-for-work_llist-empty-che.patch @@ -0,0 +1,37 @@ +From be4f5dfafce1c3e6b0a54d4888452979fe693e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 18:53:33 -0600 +Subject: io_uring: use the right type for work_llist empty check + +From: Jens Axboe + +[ Upstream commit 22537c9f79417fed70b352d54d01d2586fee9521 ] + +io_task_work_pending() uses wq_list_empty() on ctx->work_llist, but it's +not an io_wq_work_list, it's a struct llist_head. They both have +->first as head-of-list, and it turns out the checks are identical. But +be proper and use the right helper. + +Fixes: dac6a0eae793 ("io_uring: ensure iopoll runs local task work as well") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 6426ee382276b..03e52094630ac 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -340,7 +340,7 @@ static inline int io_run_task_work(void) + + static inline bool io_task_work_pending(struct io_ring_ctx *ctx) + { +- return task_work_pending(current) || !wq_list_empty(&ctx->work_llist); ++ return task_work_pending(current) || !llist_empty(&ctx->work_llist); + } + + static inline void io_tw_lock(struct io_ring_ctx *ctx, struct io_tw_state *ts) +-- +2.43.0 + diff --git a/queue-6.9/iommu-amd-enable-guest-translation-after-reading-iom.patch b/queue-6.9/iommu-amd-enable-guest-translation-after-reading-iom.patch new file mode 100644 index 00000000000..55384e3673a --- /dev/null +++ b/queue-6.9/iommu-amd-enable-guest-translation-after-reading-iom.patch @@ -0,0 +1,65 @@ +From c8b946c02a0292820c903fad5adafc6866c4d334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 08:20:39 +0000 +Subject: iommu/amd: Enable Guest Translation after reading IOMMU feature + register + +From: Vasant Hegde + +[ Upstream commit de111f6b4f6a3010020825d22a068f416bc29c95 ] + +Commit 8e0179733172 ("iommu/amd: Enable Guest Translation before +registering devices") moved IOMMU Guest Translation (GT) enablement to +early init path. It does feature check based on Global EFR value (got from +ACPI IVRS table). Later it adjusts EFR value based on IOMMU feature +register (late_iommu_features_init()). + +It seems in some systems BIOS doesn't set gloabl EFR value properly. +This is causing mismatch. Hence move IOMMU GT enablement after +late_iommu_features_init() so that it does check based on IOMMU EFR +value. + +Fixes: 8e0179733172 ("iommu/amd: Enable Guest Translation before registering devices") +Reported-by: Klara Modin +Closes: https://lore.kernel.org/linux-iommu/333e6eb6-361c-4afb-8107-2573324bf689@gmail.com/ +Signed-off-by: Vasant Hegde +Tested-by: Klara Modin +Link: https://lore.kernel.org/r/20240506082039.7575-1-vasant.hegde@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index ac6754a85f350..f440ca440d924 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -2097,6 +2097,8 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) + amd_iommu_max_glx_val = glxval; + else + amd_iommu_max_glx_val = min(amd_iommu_max_glx_val, glxval); ++ ++ iommu_enable_gt(iommu); + } + + if (check_feature(FEATURE_PPR) && alloc_ppr_log(iommu)) +@@ -2773,7 +2775,6 @@ static void early_enable_iommu(struct amd_iommu *iommu) + iommu_enable_command_buffer(iommu); + iommu_enable_event_buffer(iommu); + iommu_set_exclusion_range(iommu); +- iommu_enable_gt(iommu); + iommu_enable_ga(iommu); + iommu_enable_xt(iommu); + iommu_enable_irtcachedis(iommu); +@@ -2830,7 +2831,6 @@ static void early_enable_iommus(void) + iommu_disable_irtcachedis(iommu); + iommu_enable_command_buffer(iommu); + iommu_enable_event_buffer(iommu); +- iommu_enable_gt(iommu); + iommu_enable_ga(iommu); + iommu_enable_xt(iommu); + iommu_enable_irtcachedis(iommu); +-- +2.43.0 + diff --git a/queue-6.9/iommu-undo-pasid-attachment-only-for-the-devices-tha.patch b/queue-6.9/iommu-undo-pasid-attachment-only-for-the-devices-tha.patch new file mode 100644 index 00000000000..c962e80cecf --- /dev/null +++ b/queue-6.9/iommu-undo-pasid-attachment-only-for-the-devices-tha.patch @@ -0,0 +1,86 @@ +From 70bcf3355de787448ef71da72825bb5ca1e250bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 05:29:57 -0700 +Subject: iommu: Undo pasid attachment only for the devices that have succeeded + +From: Yi Liu + +[ Upstream commit b025dea63cded0d82bccd591fa105d39efc6435d ] + +There is no error handling now in __iommu_set_group_pasid(), it relies on +its caller to loop all the devices to undo the pasid attachment. This is +not self-contained and has drawbacks. It would result in unnecessary +remove_dev_pasid() calls on the devices that have not been attached to the +new domain. But the remove_dev_pasid() callback would get the new domain +from the group->pasid_array. So for such devices, the iommu driver won't +find the attachment under the domain, hence unable to do cleanup. This may +not be a real problem today. But it depends on the implementation of the +underlying iommu driver. e.g. the intel iommu driver would warn for such +devices. Such warnings are unnecessary. + +To solve the above problem, it is necessary to handle the error within +__iommu_set_group_pasid(). It only loops the devices that have attached +to the new domain, and undo it. + +Fixes: 16603704559c ("iommu: Add attach/detach_dev_pasid iommu interfaces") +Suggested-by: Jason Gunthorpe +Reviewed-by: Jason Gunthorpe +Reviewed-by: Kevin Tian +Signed-off-by: Yi Liu +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/20240328122958.83332-2-yi.l.liu@intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index a95a483def2d2..659a77f7bb833 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -3317,15 +3317,26 @@ EXPORT_SYMBOL_GPL(iommu_group_dma_owner_claimed); + static int __iommu_set_group_pasid(struct iommu_domain *domain, + struct iommu_group *group, ioasid_t pasid) + { +- struct group_device *device; +- int ret = 0; ++ struct group_device *device, *last_gdev; ++ int ret; + + for_each_group_device(group, device) { + ret = domain->ops->set_dev_pasid(domain, device->dev, pasid); + if (ret) +- break; ++ goto err_revert; + } + ++ return 0; ++ ++err_revert: ++ last_gdev = device; ++ for_each_group_device(group, device) { ++ const struct iommu_ops *ops = dev_iommu_ops(device->dev); ++ ++ if (device == last_gdev) ++ break; ++ ops->remove_dev_pasid(device->dev, pasid); ++ } + return ret; + } + +@@ -3383,10 +3394,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, + } + + ret = __iommu_set_group_pasid(domain, group, pasid); +- if (ret) { +- __iommu_remove_group_pasid(group, pasid); ++ if (ret) + xa_erase(&group->pasid_array, pasid); +- } + out_unlock: + mutex_unlock(&group->mutex); + return ret; +-- +2.43.0 + diff --git a/queue-6.9/iommu-vt-d-decouple-igfx_off-from-graphic-identity-m.patch b/queue-6.9/iommu-vt-d-decouple-igfx_off-from-graphic-identity-m.patch new file mode 100644 index 00000000000..c11d99d5ab1 --- /dev/null +++ b/queue-6.9/iommu-vt-d-decouple-igfx_off-from-graphic-identity-m.patch @@ -0,0 +1,139 @@ +From 045570902fddb83c546d3b8a909068c92d337b82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 21:36:02 +0800 +Subject: iommu/vt-d: Decouple igfx_off from graphic identity mapping + +From: Lu Baolu + +[ Upstream commit ba00196ca41c4f6d0b0d3c4a6748a133577abe05 ] + +A kernel command called igfx_off was introduced in commit +("Intel IOMMU: Intel IOMMU driver"). This command allows the user to +disable the IOMMU dedicated to SOC-integrated graphic devices. + +Commit <9452618e7462> ("iommu/intel: disable DMAR for g4x integrated gfx") +used this mechanism to disable the graphic-dedicated IOMMU for some +problematic devices. Later, more problematic graphic devices were added +to the list by commit <1f76249cc3beb> ("iommu/vt-d: Declare Broadwell igfx +dmar support snafu"). + +On the other hand, commit <19943b0e30b05> ("intel-iommu: Unify hardware +and software passthrough support") uses the identity domain for graphic +devices if CONFIG_DMAR_BROKEN_GFX_WA is selected. + ++ if (iommu_pass_through) ++ iommu_identity_mapping = 1; ++#ifdef CONFIG_DMAR_BROKEN_GFX_WA ++ else ++ iommu_identity_mapping = 2; ++#endif +... + +static int iommu_should_identity_map(struct pci_dev *pdev, int startup) +{ ++ if (iommu_identity_mapping == 2) ++ return IS_GFX_DEVICE(pdev); +... + +In the following driver evolution, CONFIG_DMAR_BROKEN_GFX_WA and +quirk_iommu_igfx() are mixed together, causing confusion in the driver's +device_def_domain_type callback. On one hand, dmar_map_gfx is used to turn +off the graphic-dedicated IOMMU as a workaround for some buggy hardware; +on the other hand, for those graphic devices, IDENTITY mapping is required +for the IOMMU core. + +Commit <4b8d18c0c986> "iommu/vt-d: Remove INTEL_IOMMU_BROKEN_GFX_WA" has +removed the CONFIG_DMAR_BROKEN_GFX_WA option, so the IDENTITY_DOMAIN +requirement for graphic devices is no longer needed. Therefore, this +requirement can be removed from device_def_domain_type() and igfx_off can +be made independent. + +Fixes: 4b8d18c0c986 ("iommu/vt-d: Remove INTEL_IOMMU_BROKEN_GFX_WA") +Signed-off-by: Lu Baolu +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240428032020.214616-1-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index a7ecd90303dc4..e4a03588a8a0f 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -221,12 +221,11 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON); + int intel_iommu_enabled = 0; + EXPORT_SYMBOL_GPL(intel_iommu_enabled); + +-static int dmar_map_gfx = 1; + static int intel_iommu_superpage = 1; + static int iommu_identity_mapping; + static int iommu_skip_te_disable; ++static int disable_igfx_iommu; + +-#define IDENTMAP_GFX 2 + #define IDENTMAP_AZALIA 4 + + const struct iommu_ops intel_iommu_ops; +@@ -265,7 +264,7 @@ static int __init intel_iommu_setup(char *str) + no_platform_optin = 1; + pr_info("IOMMU disabled\n"); + } else if (!strncmp(str, "igfx_off", 8)) { +- dmar_map_gfx = 0; ++ disable_igfx_iommu = 1; + pr_info("Disable GFX device mapping\n"); + } else if (!strncmp(str, "forcedac", 8)) { + pr_warn("intel_iommu=forcedac deprecated; use iommu.forcedac instead\n"); +@@ -2402,9 +2401,6 @@ static int device_def_domain_type(struct device *dev) + + if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev)) + return IOMMU_DOMAIN_IDENTITY; +- +- if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev)) +- return IOMMU_DOMAIN_IDENTITY; + } + + return 0; +@@ -2705,9 +2701,6 @@ static int __init init_dmars(void) + iommu_set_root_entry(iommu); + } + +- if (!dmar_map_gfx) +- iommu_identity_mapping |= IDENTMAP_GFX; +- + check_tylersburg_isoch(); + + ret = si_domain_init(hw_pass_through); +@@ -2798,7 +2791,7 @@ static void __init init_no_remapping_devices(void) + /* This IOMMU has *only* gfx devices. Either bypass it or + set the gfx_mapped flag, as appropriate */ + drhd->gfx_dedicated = 1; +- if (!dmar_map_gfx) ++ if (disable_igfx_iommu) + drhd->ignored = 1; + } + } +@@ -4875,7 +4868,7 @@ static void quirk_iommu_igfx(struct pci_dev *dev) + return; + + pci_info(dev, "Disabling IOMMU for graphics on this chipset\n"); +- dmar_map_gfx = 0; ++ disable_igfx_iommu = 1; + } + + /* G4x/GM45 integrated gfx dmar support is totally busted. */ +@@ -4956,8 +4949,8 @@ static void quirk_calpella_no_shadow_gtt(struct pci_dev *dev) + + if (!(ggc & GGC_MEMORY_VT_ENABLED)) { + pci_info(dev, "BIOS has allocated no shadow GTT; disabling IOMMU for graphics\n"); +- dmar_map_gfx = 0; +- } else if (dmar_map_gfx) { ++ disable_igfx_iommu = 1; ++ } else if (!disable_igfx_iommu) { + /* we have to ensure the gfx device is idle before we flush */ + pci_info(dev, "Disabling batched IOTLB flush on Ironlake\n"); + iommu_set_dma_strict(); +-- +2.43.0 + diff --git a/queue-6.9/ipv6-sr-add-missing-seg6_local_exit.patch b/queue-6.9/ipv6-sr-add-missing-seg6_local_exit.patch new file mode 100644 index 00000000000..4decd4ac82c --- /dev/null +++ b/queue-6.9/ipv6-sr-add-missing-seg6_local_exit.patch @@ -0,0 +1,38 @@ +From 0d0db5018406d78a56de14a1a085be3cd83dec61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:10 +0800 +Subject: ipv6: sr: add missing seg6_local_exit + +From: Hangbin Liu + +[ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ] + +Currently, we only call seg6_local_exit() in seg6_init() if +seg6_local_init() failed. But forgot to call it in seg6_exit(). + +Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-2-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 35508abd76f43..5423f1f2aa626 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -564,6 +564,7 @@ void seg6_exit(void) + seg6_hmac_exit(); + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL ++ seg6_local_exit(); + seg6_iptunnel_exit(); + #endif + unregister_pernet_subsys(&ip6_segments_ops); +-- +2.43.0 + diff --git a/queue-6.9/ipv6-sr-fix-incorrect-unregister-order.patch b/queue-6.9/ipv6-sr-fix-incorrect-unregister-order.patch new file mode 100644 index 00000000000..190957287f2 --- /dev/null +++ b/queue-6.9/ipv6-sr-fix-incorrect-unregister-order.patch @@ -0,0 +1,39 @@ +From 54e9d35518c9ddb603b6a0e6f26e3418c620ac5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:11 +0800 +Subject: ipv6: sr: fix incorrect unregister order + +From: Hangbin Liu + +[ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ] + +Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and +null-ptr-deref") changed the register order in seg6_init(). But the +unregister order in seg6_exit() is not updated. + +Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 5423f1f2aa626..c4ef96c8fdaca 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -567,6 +567,6 @@ void seg6_exit(void) + seg6_local_exit(); + seg6_iptunnel_exit(); + #endif +- unregister_pernet_subsys(&ip6_segments_ops); + genl_unregister_family(&seg6_genl_family); ++ unregister_pernet_subsys(&ip6_segments_ops); + } +-- +2.43.0 + diff --git a/queue-6.9/ipv6-sr-fix-invalid-unregister-error-path.patch b/queue-6.9/ipv6-sr-fix-invalid-unregister-error-path.patch new file mode 100644 index 00000000000..be3b20103bf --- /dev/null +++ b/queue-6.9/ipv6-sr-fix-invalid-unregister-error-path.patch @@ -0,0 +1,46 @@ +From df23d6e2819e51b57ef878f686f3a4756d28412d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:12 +0800 +Subject: ipv6: sr: fix invalid unregister error path + +From: Hangbin Liu + +[ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ] + +The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL +is not defined. In that case if seg6_hmac_init() fails, the +genl_unregister_family() isn't called. + +This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control +lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible +use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() +with genl_unregister_family() in this error path. + +Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") +Reported-by: Guillaume Nault +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-4-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index c4ef96c8fdaca..a31521e270f78 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -551,6 +551,8 @@ int __init seg6_init(void) + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + out_unregister_genl: ++#endif ++#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) + genl_unregister_family(&seg6_genl_family); + #endif + out_unregister_pernet: +-- +2.43.0 + diff --git a/queue-6.9/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch b/queue-6.9/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch new file mode 100644 index 00000000000..b359dd1a571 --- /dev/null +++ b/queue-6.9/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch @@ -0,0 +1,40 @@ +From 61169c2efcfacf29f4aae8857a5bad9fe8d254c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 22:23:05 +0800 +Subject: irqchip/alpine-msi: Fix off-by-one in allocation error path + +From: Zenghui Yu + +[ Upstream commit ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 ] + +When alpine_msix_gic_domain_alloc() fails, there is an off-by-one in the +number of interrupts to be freed. + +Fix it by passing the number of successfully allocated interrupts, instead +of the relative index of the last allocated one. + +Fixes: 3841245e8498 ("irqchip/alpine-msi: Fix freeing of interrupts on allocation error path") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240327142305.1048-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index 9c8b1349ee17b..a1430ab60a8a3 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -165,7 +165,7 @@ static int alpine_msix_middle_domain_alloc(struct irq_domain *domain, + return 0; + + err_sgi: +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + alpine_msix_free_sgi(priv, sgi, nr_irqs); + return err; + } +-- +2.43.0 + diff --git a/queue-6.9/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch b/queue-6.9/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch new file mode 100644 index 00000000000..6250d685c26 --- /dev/null +++ b/queue-6.9/irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch @@ -0,0 +1,41 @@ +From fec7ba2e13496206ce9f11f7ae6a63ff42cf9ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 22:23:34 +0800 +Subject: irqchip/loongson-pch-msi: Fix off-by-one on allocation error path + +From: Zenghui Yu + +[ Upstream commit b327708798809328f21da8dc14cc8883d1e8a4b3 ] + +When pch_msi_parent_domain_alloc() returns an error, there is an off-by-one +in the number of interrupts to be freed. + +Fix it by passing the number of successfully allocated interrupts, instead of the +relative index of the last allocated one. + +Fixes: 632dcc2c75ef ("irqchip: Add Loongson PCH MSI controller") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Reviewed-by: Jiaxun Yang +Link: https://lore.kernel.org/r/20240327142334.1098-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-loongson-pch-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-loongson-pch-msi.c b/drivers/irqchip/irq-loongson-pch-msi.c +index 6e1e1f011bb29..dd4d699170f4e 100644 +--- a/drivers/irqchip/irq-loongson-pch-msi.c ++++ b/drivers/irqchip/irq-loongson-pch-msi.c +@@ -136,7 +136,7 @@ static int pch_msi_middle_domain_alloc(struct irq_domain *domain, + + err_hwirq: + pch_msi_free_hwirq(priv, hwirq, nr_irqs); +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + + return err; + } +-- +2.43.0 + diff --git a/queue-6.9/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch b/queue-6.9/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch new file mode 100644 index 00000000000..227c6517a6d --- /dev/null +++ b/queue-6.9/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch @@ -0,0 +1,81 @@ +From b6e68473812ce2d98b91bc3fc2ff99799f2afb0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 18:53:54 +0300 +Subject: jffs2: prevent xattr node from overflowing the eraseblock + +From: Ilya Denisyev + +[ Upstream commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 ] + +Add a check to make sure that the requested xattr node size is no larger +than the eraseblock minus the cleanmarker. + +Unlike the usual inode nodes, the xattr nodes aren't split into parts +and spread across multiple eraseblocks, which means that a xattr node +must not occupy more than one eraseblock. If the requested xattr value is +too large, the xattr node can spill onto the next eraseblock, overwriting +the nodes and causing errors such as: + +jffs2: argh. node added in wrong place at 0x0000b050(2) +jffs2: nextblock 0x0000a000, expected at 0000b00c +jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, +read=0xfc892c93, calc=0x000000 +jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed +at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} +jffs2: Node at 0x0000000c with length 0x00001044 would run over the +end of the erase block +jffs2: Perhaps the file system was created with the wrong erase size? +jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found +at 0x00000010: 0x1044 instead + +This breaks the filesystem and can lead to KASAN crashes such as: + +BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 +Read of size 4 at addr ffff88802c31e914 by task repro/830 +CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS Arch Linux 1.16.3-1-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc6/0x120 + print_report+0xc4/0x620 + ? __virt_addr_valid+0x308/0x5b0 + kasan_report+0xc1/0xf0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_flash_direct_writev+0xa8/0xd0 + jffs2_flash_writev+0x9c9/0xef0 + ? __x64_sys_setxattr+0xc4/0x160 + ? do_syscall_64+0x69/0x140 + ? entry_SYSCALL_64_after_hwframe+0x76/0x7e + [...] + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)") +Signed-off-by: Ilya Denisyev +Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/jffs2/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c +index 00224f3a8d6e7..defb4162c3d5b 100644 +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -1110,6 +1110,9 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname, + return rc; + + request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size); ++ if (request > c->sector_size - c->cleanmarker_size) ++ return -ERANGE; ++ + rc = jffs2_reserve_space(c, request, &length, + ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE); + if (rc) { +-- +2.43.0 + diff --git a/queue-6.9/kunit-bail-out-early-in-__kunit_test_suites_init-if-.patch b/queue-6.9/kunit-bail-out-early-in-__kunit_test_suites_init-if-.patch new file mode 100644 index 00000000000..00a4be3c690 --- /dev/null +++ b/queue-6.9/kunit-bail-out-early-in-__kunit_test_suites_init-if-.patch @@ -0,0 +1,47 @@ +From 38924b5df9dddcb01b5d0d3ddf5ba37e274b2da1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 10:32:00 -0400 +Subject: kunit: bail out early in __kunit_test_suites_init() if there are no + suites to test + +From: Scott Mayhew + +[ Upstream commit 5496b9b77d7420652202b73cf036e69760be5deb ] + +Commit c72a870926c2 added a mutex to prevent kunit tests from running +concurrently. Unfortunately that mutex gets locked during module load +regardless of whether the module actually has any kunit tests. This +causes a problem for kunit tests that might need to load other kernel +modules (e.g. gss_krb5_test loading the camellia module). + +So check to see if there are actually any tests to run before locking +the kunit_run_lock mutex. + +Fixes: c72a870926c2 ("kunit: add ability to run tests after boot using debugfs") +Reported-by: Nico Pache +Signed-off-by: Scott Mayhew +Reviewed-by: Rae Moar +Reviewed-by: David Gow +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/test.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/kunit/test.c b/lib/kunit/test.c +index 1d1475578515c..b8514dbb337c0 100644 +--- a/lib/kunit/test.c ++++ b/lib/kunit/test.c +@@ -712,6 +712,9 @@ int __kunit_test_suites_init(struct kunit_suite * const * const suites, int num_ + { + unsigned int i; + ++ if (num_suites == 0) ++ return 0; ++ + if (!kunit_enabled() && num_suites > 0) { + pr_info("kunit: disabled\n"); + return 0; +-- +2.43.0 + diff --git a/queue-6.9/kunit-fix-kthread-reference.patch b/queue-6.9/kunit-fix-kthread-reference.patch new file mode 100644 index 00000000000..0a1b84682b5 --- /dev/null +++ b/queue-6.9/kunit-fix-kthread-reference.patch @@ -0,0 +1,70 @@ +From 508518de9b4e8972b6fe8c852483cd69e3d7135b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:46:20 +0200 +Subject: kunit: Fix kthread reference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit f8aa1b98ce40184521ed95ec26cc115a255183b2 ] + +There is a race condition when a kthread finishes after the deadline and +before the call to kthread_stop(), which may lead to use after free. + +Cc: Brendan Higgins +Cc: Shuah Khan +Reviewed-by: Kees Cook +Fixes: adf505457032 ("kunit: fix UAF when run kfence test case test_gfpzero") +Reviewed-by: David Gow +Reviewed-by: Rae Moar +Signed-off-by: Mickaël Salaün +Link: https://lore.kernel.org/r/20240408074625.65017-3-mic@digikod.net +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/try-catch.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c +index f7825991d576a..d9d1df28cc52e 100644 +--- a/lib/kunit/try-catch.c ++++ b/lib/kunit/try-catch.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "try-catch-impl.h" + +@@ -65,13 +66,14 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + try_catch->context = context; + try_catch->try_completion = &try_completion; + try_catch->try_result = 0; +- task_struct = kthread_run(kunit_generic_run_threadfn_adapter, +- try_catch, +- "kunit_try_catch_thread"); ++ task_struct = kthread_create(kunit_generic_run_threadfn_adapter, ++ try_catch, "kunit_try_catch_thread"); + if (IS_ERR(task_struct)) { + try_catch->catch(try_catch->context); + return; + } ++ get_task_struct(task_struct); ++ wake_up_process(task_struct); + + time_remaining = wait_for_completion_timeout(&try_completion, + kunit_test_timeout()); +@@ -81,6 +83,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + kthread_stop(task_struct); + } + ++ put_task_struct(task_struct); + exit_code = try_catch->try_result; + + if (!exit_code) +-- +2.43.0 + diff --git a/queue-6.9/kunit-fortify-fix-mismatched-kvalloc-vfree-usage.patch b/queue-6.9/kunit-fortify-fix-mismatched-kvalloc-vfree-usage.patch new file mode 100644 index 00000000000..00a10ef03c7 --- /dev/null +++ b/queue-6.9/kunit-fortify-fix-mismatched-kvalloc-vfree-usage.patch @@ -0,0 +1,64 @@ +From 5c8d0be788ef54f79b0b22dd6fd002b4c4a9515c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 16:06:22 -0700 +Subject: kunit/fortify: Fix mismatched kvalloc()/vfree() usage + +From: Kees Cook + +[ Upstream commit 998b18072ceb0613629c256b409f4d299829c7ec ] + +The kv*() family of tests were accidentally freeing with vfree() instead +of kvfree(). Use kvfree() instead. + +Fixes: 9124a2640148 ("kunit/fortify: Validate __alloc_size attribute results") +Link: https://lore.kernel.org/r/20240425230619.work.299-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/fortify_kunit.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c +index 493ec02dd5b32..86c1b1a6e2c89 100644 +--- a/lib/fortify_kunit.c ++++ b/lib/fortify_kunit.c +@@ -267,28 +267,28 @@ DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc) + \ + checker((expected_pages) * PAGE_SIZE, \ + kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + checker((expected_pages) * PAGE_SIZE, \ + kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \ +- vfree(p)); \ ++ kvfree(p)); \ + \ + prev_size = (expected_pages) * PAGE_SIZE; \ + orig = kvmalloc(prev_size, gfp); \ +-- +2.43.0 + diff --git a/queue-6.9/kunit-fortify-fix-replaced-failure-path-to-unbreak-_.patch b/queue-6.9/kunit-fortify-fix-replaced-failure-path-to-unbreak-_.patch new file mode 100644 index 00000000000..13e0ccbc371 --- /dev/null +++ b/queue-6.9/kunit-fortify-fix-replaced-failure-path-to-unbreak-_.patch @@ -0,0 +1,82 @@ +From 2bb605b67ffdb84694c6a7b39647fd0925dcbfcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 16:29:48 -0700 +Subject: kunit/fortify: Fix replaced failure path to unbreak __alloc_size + +From: Kees Cook + +[ Upstream commit 74df22453c51392476117d7330bf02cee6e987cf ] + +The __alloc_size annotation for kmemdup() was getting disabled under +KUnit testing because the replaced fortify_panic macro implementation +was using "return NULL" as a way to survive the sanity checking. But +having the chance to return NULL invalidated __alloc_size, so kmemdup +was not passing the __builtin_dynamic_object_size() tests any more: + +[23:26:18] [PASSED] fortify_test_alloc_size_kmalloc_const +[23:26:19] # fortify_test_alloc_size_kmalloc_dynamic: EXPECTATION FAILED at lib/fortify_kunit.c:265 +[23:26:19] Expected __builtin_dynamic_object_size(p, 1) == expected, but +[23:26:19] __builtin_dynamic_object_size(p, 1) == -1 (0xffffffffffffffff) +[23:26:19] expected == 11 (0xb) +[23:26:19] __alloc_size() not working with __bdos on kmemdup("hello there", len, gfp) +[23:26:19] [FAILED] fortify_test_alloc_size_kmalloc_dynamic + +Normal builds were not affected: __alloc_size continued to work there. + +Use a zero-sized allocation instead, which allows __alloc_size to +behave. + +Fixes: 4ce615e798a7 ("fortify: Provide KUnit counters for failure testing") +Fixes: fa4a3f86d498 ("fortify: Add KUnit tests for runtime overflows") +Link: https://lore.kernel.org/r/20240501232937.work.532-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + include/linux/fortify-string.h | 3 ++- + lib/fortify_kunit.c | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h +index 6aeebe0a67770..6eaa190d0083c 100644 +--- a/include/linux/fortify-string.h ++++ b/include/linux/fortify-string.h +@@ -734,7 +734,8 @@ __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, size_t size, gfp_t gfp + if (__compiletime_lessthan(p_size, size)) + __read_overflow(); + if (p_size < size) +- fortify_panic(FORTIFY_FUNC_kmemdup, FORTIFY_READ, p_size, size, NULL); ++ fortify_panic(FORTIFY_FUNC_kmemdup, FORTIFY_READ, p_size, size, ++ __real_kmemdup(p, 0, gfp)); + return __real_kmemdup(p, size, gfp); + } + +diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c +index 86c1b1a6e2c89..fdba0eaf19a59 100644 +--- a/lib/fortify_kunit.c ++++ b/lib/fortify_kunit.c +@@ -917,19 +917,19 @@ static void kmemdup_test(struct kunit *test) + + /* Out of bounds by 1 byte. */ + copy = kmemdup(src, len + 1, GFP_KERNEL); +- KUNIT_EXPECT_NULL(test, copy); ++ KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); + KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); + kfree(copy); + + /* Way out of bounds. */ + copy = kmemdup(src, len * 2, GFP_KERNEL); +- KUNIT_EXPECT_NULL(test, copy); ++ KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); + KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); + kfree(copy); + + /* Starting offset causing out of bounds. */ + copy = kmemdup(src + 1, len, GFP_KERNEL); +- KUNIT_EXPECT_NULL(test, copy); ++ KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); + KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3); + kfree(copy); + } +-- +2.43.0 + diff --git a/queue-6.9/kunit-unregister-the-device-on-error.patch b/queue-6.9/kunit-unregister-the-device-on-error.patch new file mode 100644 index 00000000000..6df7b418937 --- /dev/null +++ b/queue-6.9/kunit-unregister-the-device-on-error.patch @@ -0,0 +1,39 @@ +From 86770b58aea143305e6f3dba452254060f4c31d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Apr 2024 10:25:01 -0300 +Subject: kunit: unregister the device on error + +From: Wander Lairson Costa + +[ Upstream commit fabd480b721eb30aa4e2c89507b53933069f9f6e ] + +kunit_init_device() should unregister the device on bus register error, +but mistakenly it tries to unregister the bus. + +Unregister the device instead of the bus. + +Signed-off-by: Wander Lairson Costa +Fixes: d03c720e03bd ("kunit: Add APIs for managing devices") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/kunit/device.c b/lib/kunit/device.c +index abc603730b8ea..25c81ed465fb7 100644 +--- a/lib/kunit/device.c ++++ b/lib/kunit/device.c +@@ -51,7 +51,7 @@ int kunit_bus_init(void) + + error = bus_register(&kunit_bus_type); + if (error) +- bus_unregister(&kunit_bus_type); ++ root_device_unregister(kunit_bus_device); + return error; + } + +-- +2.43.0 + diff --git a/queue-6.9/l2tp-fix-icmp-error-handling-for-udp-encap-sockets.patch b/queue-6.9/l2tp-fix-icmp-error-handling-for-udp-encap-sockets.patch new file mode 100644 index 00000000000..9a971e45b67 --- /dev/null +++ b/queue-6.9/l2tp-fix-icmp-error-handling-for-udp-encap-sockets.patch @@ -0,0 +1,133 @@ +From c296145e765e79487bf56b1e9c267a05c7a54e59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 18:22:47 +0100 +Subject: l2tp: fix ICMP error handling for UDP-encap sockets + +From: Tom Parkin + +[ Upstream commit 6e828dc60e509b79ef09882264952f341cb58425 ] + +Since commit a36e185e8c85 +("udp: Handle ICMP errors for tunnels with same destination port on both endpoints") +UDP's handling of ICMP errors has allowed for UDP-encap tunnels to +determine socket associations in scenarios where the UDP hash lookup +could not. + +Subsequently, commit d26796ae58940 +("udp: check udp sock encap_type in __udp_lib_err") +subtly tweaked the approach such that UDP ICMP error handling would be +skipped for any UDP socket which has encapsulation enabled. + +In the case of L2TP tunnel sockets using UDP-encap, this latter +modification effectively broke ICMP error reporting for the L2TP +control plane. + +To a degree this isn't catastrophic inasmuch as the L2TP control +protocol defines a reliable transport on top of the underlying packet +switching network which will eventually detect errors and time out. + +However, paying attention to the ICMP error reporting allows for more +timely detection of errors in L2TP userspace, and aids in debugging +connectivity issues. + +Reinstate ICMP error handling for UDP encap L2TP tunnels: + + * implement struct udp_tunnel_sock_cfg .encap_err_rcv in order to allow + the L2TP code to handle ICMP errors; + + * only implement error-handling for tunnels which have a managed + socket: unmanaged tunnels using a kernel socket have no userspace to + report errors back to; + + * flag the error on the socket, which allows for userspace to get an + error such as -ECONNREFUSED back from sendmsg/recvmsg; + + * pass the error into ip[v6]_icmp_error() which allows for userspace to + get extended error information via. MSG_ERRQUEUE. + +Fixes: d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err") +Signed-off-by: Tom Parkin +Link: https://lore.kernel.org/r/20240513172248.623261-1-tparkin@katalix.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 44 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 33 insertions(+), 11 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 8d21ff25f1602..4a0fb8731eee9 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -887,22 +887,20 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) + return 1; + } + +-/* UDP encapsulation receive handler. See net/ipv4/udp.c. +- * Return codes: +- * 0 : success. +- * <0: error +- * >0: skb should be passed up to userspace as UDP. ++/* UDP encapsulation receive and error receive handlers. ++ * See net/ipv4/udp.c for details. ++ * ++ * Note that these functions are called from inside an ++ * RCU-protected region, but without the socket being locked. ++ * ++ * Hence we use rcu_dereference_sk_user_data to access the ++ * tunnel data structure rather the usual l2tp_sk_to_tunnel ++ * accessor function. + */ + int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + { + struct l2tp_tunnel *tunnel; + +- /* Note that this is called from the encap_rcv hook inside an +- * RCU-protected region, but without the socket being locked. +- * Hence we use rcu_dereference_sk_user_data to access the +- * tunnel data structure rather the usual l2tp_sk_to_tunnel +- * accessor function. +- */ + tunnel = rcu_dereference_sk_user_data(sk); + if (!tunnel) + goto pass_up; +@@ -919,6 +917,29 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + } + EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv); + ++static void l2tp_udp_encap_err_recv(struct sock *sk, struct sk_buff *skb, int err, ++ __be16 port, u32 info, u8 *payload) ++{ ++ struct l2tp_tunnel *tunnel; ++ ++ tunnel = rcu_dereference_sk_user_data(sk); ++ if (!tunnel || tunnel->fd < 0) ++ return; ++ ++ sk->sk_err = err; ++ sk_error_report(sk); ++ ++ if (ip_hdr(skb)->version == IPVERSION) { ++ if (inet_test_bit(RECVERR, sk)) ++ return ip_icmp_error(sk, skb, err, port, info, payload); ++#if IS_ENABLED(CONFIG_IPV6) ++ } else { ++ if (inet6_test_bit(RECVERR6, sk)) ++ return ipv6_icmp_error(sk, skb, err, port, info, payload); ++#endif ++ } ++} ++ + /************************************************************************ + * Transmit handling + ***********************************************************************/ +@@ -1493,6 +1514,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + .sk_user_data = tunnel, + .encap_type = UDP_ENCAP_L2TPINUDP, + .encap_rcv = l2tp_udp_encap_recv, ++ .encap_err_rcv = l2tp_udp_encap_err_recv, + .encap_destroy = l2tp_udp_encap_destroy, + }; + +-- +2.43.0 + diff --git a/queue-6.9/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch b/queue-6.9/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch new file mode 100644 index 00000000000..040ed1a6130 --- /dev/null +++ b/queue-6.9/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch @@ -0,0 +1,62 @@ +From 3b0e131e946b42491c8c1ac5d8c0c1e180c904a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 08:59:05 +0800 +Subject: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit c2af060d1c18beaec56351cf9c9bcbbc5af341a3 ] + +The kcalloc() in dmirror_device_evict_chunk() will return null if the +physical memory has run out. As a result, if src_pfns or dst_pfns is +dereferenced, the null pointer dereference bug will happen. + +Moreover, the device is going away. If the kcalloc() fails, the pages +mapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in +kcalloc(). + +Finally, as there is no need to have physically contiguous memory, Switch +kcalloc() to kvcalloc() in order to avoid failing allocations. + +Link: https://lkml.kernel.org/r/20240312005905.9939-1-duoming@zju.edu.cn +Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM") +Signed-off-by: Duoming Zhou +Cc: Jérôme Glisse +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/test_hmm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/test_hmm.c b/lib/test_hmm.c +index 717dcb8301273..b823ba7cb6a15 100644 +--- a/lib/test_hmm.c ++++ b/lib/test_hmm.c +@@ -1226,8 +1226,8 @@ static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk) + unsigned long *src_pfns; + unsigned long *dst_pfns; + +- src_pfns = kcalloc(npages, sizeof(*src_pfns), GFP_KERNEL); +- dst_pfns = kcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL); ++ src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL); ++ dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL); + + migrate_device_range(src_pfns, start_pfn, npages); + for (i = 0; i < npages; i++) { +@@ -1250,8 +1250,8 @@ static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk) + } + migrate_device_pages(src_pfns, dst_pfns, npages); + migrate_device_finalize(src_pfns, dst_pfns, npages); +- kfree(src_pfns); +- kfree(dst_pfns); ++ kvfree(src_pfns); ++ kvfree(dst_pfns); + } + + /* Removes free pages from the free list so they can't be re-allocated */ +-- +2.43.0 + diff --git a/queue-6.9/libbpf-fix-error-message-in-attach_kprobe_multi.patch b/queue-6.9/libbpf-fix-error-message-in-attach_kprobe_multi.patch new file mode 100644 index 00000000000..b443842ff13 --- /dev/null +++ b/queue-6.9/libbpf-fix-error-message-in-attach_kprobe_multi.patch @@ -0,0 +1,37 @@ +From 1a7fd67f74b10b54568ccc6feb29b2f8672e7bb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 09:55:41 +0200 +Subject: libbpf: Fix error message in attach_kprobe_multi + +From: Jiri Olsa + +[ Upstream commit 7c13ef16e87ac2e44d16c0468b1191bceb06f95c ] + +We just failed to retrieve pattern, so we need to print spec instead. + +Fixes: ddc6b04989eb ("libbpf: Add bpf_program__attach_kprobe_multi_opts function") +Reported-by: Andrii Nakryiko +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240502075541.1425761-2-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 4980ed4f7559b..f515cf264a0a2 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -11475,7 +11475,7 @@ static int attach_kprobe_multi(const struct bpf_program *prog, long cookie, stru + + n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &pattern); + if (n < 1) { +- pr_warn("kprobe multi pattern is invalid: %s\n", pattern); ++ pr_warn("kprobe multi pattern is invalid: %s\n", spec); + return -EINVAL; + } + +-- +2.43.0 + diff --git a/queue-6.9/libbpf-fix-feature-detectors-when-using-token_fd.patch b/queue-6.9/libbpf-fix-feature-detectors-when-using-token_fd.patch new file mode 100644 index 00000000000..84ae18e917f --- /dev/null +++ b/queue-6.9/libbpf-fix-feature-detectors-when-using-token_fd.patch @@ -0,0 +1,57 @@ +From 530f96f6d3bffe5771e399e98584ac02790c55a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 11:08:03 -0700 +Subject: libbpf: fix feature detectors when using token_fd + +From: Andrii Nakryiko + +[ Upstream commit 1de27bba6d50a909647f304eadc0f7c59a842a50 ] + +Adjust `union bpf_attr` size passed to kernel in two feature-detecting +functions to take into account prog_token_fd field. + +Libbpf is avoiding memset()'ing entire `union bpf_attr` by only using +minimal set of bpf_attr's fields. Two places have been missed when +wiring BPF token support in libbpf's feature detection logic. + +Fix them trivially. + +Fixes: f3dcee938f48 ("libbpf: Wire up token_fd into feature probing logic") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20240513180804.403775-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf.c | 2 +- + tools/lib/bpf/features.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c +index 97ec005c3c47f..145b8bd1d5ff1 100644 +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -105,7 +105,7 @@ int sys_bpf_prog_load(union bpf_attr *attr, unsigned int size, int attempts) + */ + int probe_memcg_account(int token_fd) + { +- const size_t attr_sz = offsetofend(union bpf_attr, attach_btf_obj_fd); ++ const size_t attr_sz = offsetofend(union bpf_attr, prog_token_fd); + struct bpf_insn insns[] = { + BPF_EMIT_CALL(BPF_FUNC_ktime_get_coarse_ns), + BPF_EXIT_INSN(), +diff --git a/tools/lib/bpf/features.c b/tools/lib/bpf/features.c +index 4e783cc7fc4b5..a336786a22a38 100644 +--- a/tools/lib/bpf/features.c ++++ b/tools/lib/bpf/features.c +@@ -22,7 +22,7 @@ int probe_fd(int fd) + + static int probe_kern_prog_name(int token_fd) + { +- const size_t attr_sz = offsetofend(union bpf_attr, prog_name); ++ const size_t attr_sz = offsetofend(union bpf_attr, prog_token_fd); + struct bpf_insn insns[] = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), +-- +2.43.0 + diff --git a/queue-6.9/libbpf-prevent-null-pointer-dereference-when-prog-to.patch b/queue-6.9/libbpf-prevent-null-pointer-dereference-when-prog-to.patch new file mode 100644 index 00000000000..9242371cc7f --- /dev/null +++ b/queue-6.9/libbpf-prevent-null-pointer-dereference-when-prog-to.patch @@ -0,0 +1,57 @@ +From 3638d74cf735ac1800e298b8422e38eb1c988b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 15:04:38 +0000 +Subject: libbpf: Prevent null-pointer dereference when prog to load has no BTF + +From: Quentin Monnet + +[ Upstream commit 9bf48fa19a4b1d186e08b20bf7e5de26a15644fb ] + +In bpf_objec_load_prog(), there's no guarantee that obj->btf is non-NULL +when passing it to btf__fd(), and this function does not perform any +check before dereferencing its argument (as bpf_object__btf_fd() used to +do). As a consequence, we get segmentation fault errors in bpftool (for +example) when trying to load programs that come without BTF information. + +v2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd(). + +Fixes: df7c3f7d3a3d ("libbpf: make uniform use of btf__fd() accessor inside libbpf") +Suggested-by: Andrii Nakryiko +Signed-off-by: Quentin Monnet +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240314150438.232462-1-qmo@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index a2061fcd612d7..4980ed4f7559b 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -7321,9 +7321,9 @@ static int bpf_object_load_prog(struct bpf_object *obj, struct bpf_program *prog + char *cp, errmsg[STRERR_BUFSIZE]; + size_t log_buf_size = 0; + char *log_buf = NULL, *tmp; +- int btf_fd, ret, err; + bool own_log_buf = true; + __u32 log_level = prog->log_level; ++ int ret, err; + + if (prog->type == BPF_PROG_TYPE_UNSPEC) { + /* +@@ -7347,9 +7347,8 @@ static int bpf_object_load_prog(struct bpf_object *obj, struct bpf_program *prog + load_attr.prog_ifindex = prog->prog_ifindex; + + /* specify func_info/line_info only if kernel supports them */ +- btf_fd = btf__fd(obj->btf); +- if (btf_fd >= 0 && kernel_supports(obj, FEAT_BTF_FUNC)) { +- load_attr.prog_btf_fd = btf_fd; ++ if (obj->btf && btf__fd(obj->btf) >= 0 && kernel_supports(obj, FEAT_BTF_FUNC)) { ++ load_attr.prog_btf_fd = btf__fd(obj->btf); + load_attr.func_info = prog->func_info; + load_attr.func_info_rec_size = prog->func_info_rec_size; + load_attr.func_info_cnt = prog->func_info_cnt; +-- +2.43.0 + diff --git a/queue-6.9/libfs-add-simple_offset_rename-api.patch b/queue-6.9/libfs-add-simple_offset_rename-api.patch new file mode 100644 index 00000000000..bd419810df9 --- /dev/null +++ b/queue-6.9/libfs-add-simple_offset_rename-api.patch @@ -0,0 +1,85 @@ +From d8739ce9d48627720366896f14f10122c216f70c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:20:55 -0400 +Subject: libfs: Add simple_offset_rename() API + +From: Chuck Lever + +[ Upstream commit 5a1a25be995e1014abd01600479915683e356f5c ] + +I'm about to fix a tmpfs rename bug that requires the use of +internal simple_offset helpers that are not available in mm/shmem.c + +Signed-off-by: Chuck Lever +Link: https://lore.kernel.org/r/20240415152057.4605-3-cel@kernel.org +Signed-off-by: Christian Brauner +Stable-dep-of: ad191eb6d694 ("shmem: Fix shmem_rename2()") +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 21 +++++++++++++++++++++ + include/linux/fs.h | 2 ++ + mm/shmem.c | 3 +-- + 3 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index ab61fae92cde8..c392a6edd3930 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -357,6 +357,27 @@ int simple_offset_empty(struct dentry *dentry) + return ret; + } + ++/** ++ * simple_offset_rename - handle directory offsets for rename ++ * @old_dir: parent directory of source entry ++ * @old_dentry: dentry of source entry ++ * @new_dir: parent_directory of destination entry ++ * @new_dentry: dentry of destination ++ * ++ * Caller provides appropriate serialization. ++ * ++ * Returns zero on success, a negative errno value on failure. ++ */ ++int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry, ++ struct inode *new_dir, struct dentry *new_dentry) ++{ ++ struct offset_ctx *old_ctx = old_dir->i_op->get_offset_ctx(old_dir); ++ struct offset_ctx *new_ctx = new_dir->i_op->get_offset_ctx(new_dir); ++ ++ simple_offset_remove(old_ctx, old_dentry); ++ return simple_offset_add(new_ctx, old_dentry); ++} ++ + /** + * simple_offset_rename_exchange - exchange rename with directory offsets + * @old_dir: parent of dentry being moved +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 8dfd53b52744a..b09f141321105 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -3340,6 +3340,8 @@ void simple_offset_init(struct offset_ctx *octx); + int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry); + void simple_offset_remove(struct offset_ctx *octx, struct dentry *dentry); + int simple_offset_empty(struct dentry *dentry); ++int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry, ++ struct inode *new_dir, struct dentry *new_dentry); + int simple_offset_rename_exchange(struct inode *old_dir, + struct dentry *old_dentry, + struct inode *new_dir, +diff --git a/mm/shmem.c b/mm/shmem.c +index 94ab99b6b574a..1f84a41aeb850 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -3467,8 +3467,7 @@ static int shmem_rename2(struct mnt_idmap *idmap, + return error; + } + +- simple_offset_remove(shmem_get_offset_ctx(old_dir), old_dentry); +- error = simple_offset_add(shmem_get_offset_ctx(new_dir), old_dentry); ++ error = simple_offset_rename(old_dir, old_dentry, new_dir, new_dentry); + if (error) + return error; + +-- +2.43.0 + diff --git a/queue-6.9/libfs-fix-simple_offset_rename_exchange.patch b/queue-6.9/libfs-fix-simple_offset_rename_exchange.patch new file mode 100644 index 00000000000..4222c38f887 --- /dev/null +++ b/queue-6.9/libfs-fix-simple_offset_rename_exchange.patch @@ -0,0 +1,85 @@ +From 1be58f7fcedb9dae8ac9dbf4d41a4245eacccc82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:20:54 -0400 +Subject: libfs: Fix simple_offset_rename_exchange() + +From: Chuck Lever + +[ Upstream commit 23cdd0eed3f1fff3af323092b0b88945a7950d8e ] + +User space expects the replacement (old) directory entry to have +the same directory offset after the rename. + +Suggested-by: Christian Brauner +Fixes: a2e459555c5f ("shmem: stable directory offsets") +Signed-off-by: Chuck Lever +Link: https://lore.kernel.org/r/20240415152057.4605-2-cel@kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index 3a6f2cb364f8c..ab61fae92cde8 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -295,6 +295,18 @@ int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry) + return 0; + } + ++static int simple_offset_replace(struct offset_ctx *octx, struct dentry *dentry, ++ long offset) ++{ ++ int ret; ++ ++ ret = mtree_store(&octx->mt, offset, dentry, GFP_KERNEL); ++ if (ret) ++ return ret; ++ offset_set(dentry, offset); ++ return 0; ++} ++ + /** + * simple_offset_remove - Remove an entry to a directory's offset map + * @octx: directory offset ctx to be updated +@@ -352,6 +364,9 @@ int simple_offset_empty(struct dentry *dentry) + * @new_dir: destination parent + * @new_dentry: destination dentry + * ++ * This API preserves the directory offset values. Caller provides ++ * appropriate serialization. ++ * + * Returns zero on success. Otherwise a negative errno is returned and the + * rename is rolled back. + */ +@@ -369,11 +384,11 @@ int simple_offset_rename_exchange(struct inode *old_dir, + simple_offset_remove(old_ctx, old_dentry); + simple_offset_remove(new_ctx, new_dentry); + +- ret = simple_offset_add(new_ctx, old_dentry); ++ ret = simple_offset_replace(new_ctx, old_dentry, new_index); + if (ret) + goto out_restore; + +- ret = simple_offset_add(old_ctx, new_dentry); ++ ret = simple_offset_replace(old_ctx, new_dentry, old_index); + if (ret) { + simple_offset_remove(new_ctx, old_dentry); + goto out_restore; +@@ -388,10 +403,8 @@ int simple_offset_rename_exchange(struct inode *old_dir, + return 0; + + out_restore: +- offset_set(old_dentry, old_index); +- mtree_store(&old_ctx->mt, old_index, old_dentry, GFP_KERNEL); +- offset_set(new_dentry, new_index); +- mtree_store(&new_ctx->mt, new_index, new_dentry, GFP_KERNEL); ++ (void)simple_offset_replace(old_ctx, old_dentry, old_index); ++ (void)simple_offset_replace(new_ctx, new_dentry, new_index); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.9/lkdtm-disable-cfi-checking-for-perms-functions.patch b/queue-6.9/lkdtm-disable-cfi-checking-for-perms-functions.patch new file mode 100644 index 00000000000..116294550e5 --- /dev/null +++ b/queue-6.9/lkdtm-disable-cfi-checking-for-perms-functions.patch @@ -0,0 +1,59 @@ +From 2de3efeb0774b951ae1992da32de705e085c3316 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 16:49:57 -0700 +Subject: lkdtm: Disable CFI checking for perms functions + +From: Kees Cook + +[ Upstream commit fb28a8862dc4b5bf8e44578338f35d9c6c68339d ] + +The EXEC_RODATA test plays a lot of tricks to live in the .rodata section, +and once again ran into objtool's (completely reasonable) assumptions +that executable code should live in an executable section. However, this +manifested only under CONFIG_CFI_CLANG=y, as one of the .cfi_sites was +pointing into the .rodata section. + +Since we're testing non-CFI execution properties in perms.c (and +rodata.c), we can disable CFI for the involved functions, and remove the +CFI arguments from rodata.c entirely. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202308301532.d7acf63e-oliver.sang@intel.com +Fixes: 6342a20efbd8 ("objtool: Add elf_create_section_pair()") +Link: https://lore.kernel.org/r/20240430234953.work.760-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/Makefile | 2 +- + drivers/misc/lkdtm/perms.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile +index 95ef971b5e1cb..b28701138b4bc 100644 +--- a/drivers/misc/lkdtm/Makefile ++++ b/drivers/misc/lkdtm/Makefile +@@ -19,7 +19,7 @@ KASAN_SANITIZE_rodata.o := n + KCSAN_SANITIZE_rodata.o := n + KCOV_INSTRUMENT_rodata.o := n + OBJECT_FILES_NON_STANDARD_rodata.o := y +-CFLAGS_REMOVE_rodata.o += $(CC_FLAGS_LTO) $(RETHUNK_CFLAGS) ++CFLAGS_REMOVE_rodata.o += $(CC_FLAGS_LTO) $(RETHUNK_CFLAGS) $(CC_FLAGS_CFI) + + OBJCOPYFLAGS := + OBJCOPYFLAGS_rodata_objcopy.o := \ +diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c +index b93404d656509..5b861dbff27e9 100644 +--- a/drivers/misc/lkdtm/perms.c ++++ b/drivers/misc/lkdtm/perms.c +@@ -61,7 +61,7 @@ static void *setup_function_descriptor(func_desc_t *fdesc, void *dst) + return fdesc; + } + +-static noinline void execute_location(void *dst, bool write) ++static noinline __nocfi void execute_location(void *dst, bool write) + { + void (*func)(void); + func_desc_t fdesc; +-- +2.43.0 + diff --git a/queue-6.9/locking-atomic-x86-correct-the-definition-of-__arch_.patch b/queue-6.9/locking-atomic-x86-correct-the-definition-of-__arch_.patch new file mode 100644 index 00000000000..94335a7c33f --- /dev/null +++ b/queue-6.9/locking-atomic-x86-correct-the-definition-of-__arch_.patch @@ -0,0 +1,40 @@ +From 310bce8e5444972466c6fc95ee2b661251dfb7b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 11:13:56 +0200 +Subject: locking/atomic/x86: Correct the definition of __arch_try_cmpxchg128() + +From: Uros Bizjak + +[ Upstream commit 929ad065ba2967be238dfdc0895b79fda62c7f16 ] + +Correct the definition of __arch_try_cmpxchg128(), introduced by: + + b23e139d0b66 ("arch: Introduce arch_{,try_}_cmpxchg128{,_local}()") + +Fixes: b23e139d0b66 ("arch: Introduce arch_{,try_}_cmpxchg128{,_local}()") +Signed-off-by: Uros Bizjak +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Cc: "H. Peter Anvin" +Link: https://lore.kernel.org/r/20240408091547.90111-2-ubizjak@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/cmpxchg_64.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/cmpxchg_64.h b/arch/x86/include/asm/cmpxchg_64.h +index 44b08b53ab32f..c1d6cd58f8094 100644 +--- a/arch/x86/include/asm/cmpxchg_64.h ++++ b/arch/x86/include/asm/cmpxchg_64.h +@@ -62,7 +62,7 @@ static __always_inline u128 arch_cmpxchg128_local(volatile u128 *ptr, u128 old, + asm volatile(_lock "cmpxchg16b %[ptr]" \ + CC_SET(e) \ + : CC_OUT(e) (ret), \ +- [ptr] "+m" (*ptr), \ ++ [ptr] "+m" (*(_ptr)), \ + "+a" (o.low), "+d" (o.high) \ + : "b" (n.low), "c" (n.high) \ + : "memory"); \ +-- +2.43.0 + diff --git a/queue-6.9/m68k-fix-spinlock-race-in-kernel-thread-creation.patch b/queue-6.9/m68k-fix-spinlock-race-in-kernel-thread-creation.patch new file mode 100644 index 00000000000..8a9188bb843 --- /dev/null +++ b/queue-6.9/m68k-fix-spinlock-race-in-kernel-thread-creation.patch @@ -0,0 +1,77 @@ +From 087ff024ecf04705daa29d740043f72706487f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 15:36:31 +1200 +Subject: m68k: Fix spinlock race in kernel thread creation + +From: Michael Schmitz + +[ Upstream commit da89ce46f02470ef08f0f580755d14d547da59ed ] + +Context switching does take care to retain the correct lock owner across +the switch from 'prev' to 'next' tasks. This does rely on interrupts +remaining disabled for the entire duration of the switch. + +This condition is guaranteed for normal process creation and context +switching between already running processes, because both 'prev' and +'next' already have interrupts disabled in their saved copies of the +status register. + +The situation is different for newly created kernel threads. The status +register is set to PS_S in copy_thread(), which does leave the IPL at 0. +Upon restoring the 'next' thread's status register in switch_to() aka +resume(), interrupts then become enabled prematurely. resume() then +returns via ret_from_kernel_thread() and schedule_tail() where run queue +lock is released (see finish_task_switch() and finish_lock_switch()). + +A timer interrupt calling scheduler_tick() before the lock is released +in finish_task_switch() will find the lock already taken, with the +current task as lock owner. This causes a spinlock recursion warning as +reported by Guenter Roeck. + +As far as I can ascertain, this race has been opened in commit +533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +but I haven't done a detailed study of kernel history so it may well +predate that commit. + +Interrupts cannot be disabled in the saved status register copy for +kernel threads (init will complain about interrupts disabled when +finally starting user space). Disable interrupts temporarily when +switching the tasks' register sets in resume(). + +Note that a simple oriw 0x700,%sr after restoring sr is not enough here +- this leaves enough of a race for the 'spinlock recursion' warning to +still be observed. + +Tested on ARAnyM and qemu (Quadra 800 emulation). + +Fixes: 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/07811b26-677c-4d05-aeb4-996cd880b789@roeck-us.net +Signed-off-by: Michael Schmitz +Tested-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240411033631.16335-1-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/entry.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 3bcdd32a6b366..338b474910f74 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -430,7 +430,9 @@ resume: + movec %a0,%dfc + + /* restore status register */ +- movew %a1@(TASK_THREAD+THREAD_SR),%sr ++ movew %a1@(TASK_THREAD+THREAD_SR),%d0 ++ oriw #0x0700,%d0 ++ movew %d0,%sr + + rts + +-- +2.43.0 + diff --git a/queue-6.9/m68k-mac-fix-reboot-hang-on-mac-iici.patch b/queue-6.9/m68k-mac-fix-reboot-hang-on-mac-iici.patch new file mode 100644 index 00000000000..efd681be617 --- /dev/null +++ b/queue-6.9/m68k-mac-fix-reboot-hang-on-mac-iici.patch @@ -0,0 +1,99 @@ +From e386cd018e4071d36d68b0c5d15a275f3cf62477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:31:12 +1000 +Subject: m68k: mac: Fix reboot hang on Mac IIci + +From: Finn Thain + +[ Upstream commit 265a3b322df9a973ff1fc63da70af456ab6ae1d6 ] + +Calling mac_reset() on a Mac IIci does reset the system, but what +follows is a POST failure that requires a manual reset to resolve. +Avoid that by using the 68030 asm implementation instead of the C +implementation. + +Apparently the SE/30 has a similar problem as it has used the asm +implementation since before git. This patch extends that solution to +other systems with a similar ROM. + +After this patch, the only systems still using the C implementation are +68040 systems where adb_type is either MAC_ADB_IOP or MAC_ADB_II. This +implies a 1 MiB Quadra ROM. + +This now includes the Quadra 900/950, which previously fell through to +the "should never get here" catch-all. + +Reported-and-tested-by: Stan Johnson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/480ebd1249d229c6dc1f3f1c6d599b8505483fd8.1714797072.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/misc.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c +index 4c8f8cbfa05f3..e7f0f72c1b36e 100644 +--- a/arch/m68k/mac/misc.c ++++ b/arch/m68k/mac/misc.c +@@ -453,30 +453,18 @@ void mac_poweroff(void) + + void mac_reset(void) + { +- if (macintosh_config->adb_type == MAC_ADB_II && +- macintosh_config->ident != MAC_MODEL_SE30) { +- /* need ROMBASE in booter */ +- /* indeed, plus need to MAP THE ROM !! */ +- +- if (mac_bi_data.rombase == 0) +- mac_bi_data.rombase = 0x40800000; +- +- /* works on some */ +- rom_reset = (void *) (mac_bi_data.rombase + 0xa); +- +- local_irq_disable(); +- rom_reset(); + #ifdef CONFIG_ADB_CUDA +- } else if (macintosh_config->adb_type == MAC_ADB_EGRET || +- macintosh_config->adb_type == MAC_ADB_CUDA) { ++ if (macintosh_config->adb_type == MAC_ADB_EGRET || ++ macintosh_config->adb_type == MAC_ADB_CUDA) { + cuda_restart(); ++ } else + #endif + #ifdef CONFIG_ADB_PMU +- } else if (macintosh_config->adb_type == MAC_ADB_PB2) { ++ if (macintosh_config->adb_type == MAC_ADB_PB2) { + pmu_restart(); ++ } else + #endif +- } else if (CPU_IS_030) { +- ++ if (CPU_IS_030) { + /* 030-specific reset routine. The idea is general, but the + * specific registers to reset are '030-specific. Until I + * have a non-030 machine, I can't test anything else. +@@ -524,6 +512,18 @@ void mac_reset(void) + "jmp %/a0@\n\t" /* jump to the reset vector */ + ".chip 68k" + : : "r" (offset), "a" (rombase) : "a0"); ++ } else { ++ /* need ROMBASE in booter */ ++ /* indeed, plus need to MAP THE ROM !! */ ++ ++ if (mac_bi_data.rombase == 0) ++ mac_bi_data.rombase = 0x40800000; ++ ++ /* works on some */ ++ rom_reset = (void *)(mac_bi_data.rombase + 0xa); ++ ++ local_irq_disable(); ++ rom_reset(); + } + + /* should never get here */ +-- +2.43.0 + diff --git a/queue-6.9/m68k-move-arch_has_cpu_cache_aliasing.patch b/queue-6.9/m68k-move-arch_has_cpu_cache_aliasing.patch new file mode 100644 index 00000000000..d5e7828c34e --- /dev/null +++ b/queue-6.9/m68k-move-arch_has_cpu_cache_aliasing.patch @@ -0,0 +1,38 @@ +From b3b5461a54de5e74eecbe5f52734320407bdeac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 09:06:41 +0200 +Subject: m68k: Move ARCH_HAS_CPU_CACHE_ALIASING + +From: Geert Uytterhoeven + +[ Upstream commit c66b7b950bbf45eadcdee467e53f80568f4a0a7f ] + +Move the recently added ARCH_HAS_CPU_CACHE_ALIASING to restore +alphabetical sort order. + +Fixes: 8690bbcf3b7010b3 ("Introduce cpu_dcache_is_aliasing() across all architectures") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Mathieu Desnoyers +Link: https://lore.kernel.org/r/4574ad6cc1117e4b5d29812c165bf7f6e5b60773.1714978406.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/Kconfig b/arch/m68k/Kconfig +index 6ffa295851945..99837d4e8c977 100644 +--- a/arch/m68k/Kconfig ++++ b/arch/m68k/Kconfig +@@ -3,8 +3,8 @@ config M68K + bool + default y + select ARCH_32BIT_OFF_T +- select ARCH_HAS_CPU_CACHE_ALIASING + select ARCH_HAS_BINFMT_FLAT ++ select ARCH_HAS_CPU_CACHE_ALIASING + select ARCH_HAS_CPU_FINALIZE_INIT if MMU + select ARCH_HAS_CURRENT_STACK_POINTER + select ARCH_HAS_DMA_PREP_COHERENT if M68K_NONCOHERENT_DMA && !COLDFIRE +-- +2.43.0 + diff --git a/queue-6.9/macintosh-via-macii-fix-bug-sleeping-function-called.patch b/queue-6.9/macintosh-via-macii-fix-bug-sleeping-function-called.patch new file mode 100644 index 00000000000..ca519ae300e --- /dev/null +++ b/queue-6.9/macintosh-via-macii-fix-bug-sleeping-function-called.patch @@ -0,0 +1,59 @@ +From 70732e6d9c87b1401139cfd93c327bc2fe2d40e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:53:41 +1100 +Subject: macintosh/via-macii: Fix "BUG: sleeping function called from invalid + context" + +From: Finn Thain + +[ Upstream commit d301a71c76ee4c384b4e03cdc320a55f5cf1df05 ] + +The via-macii ADB driver calls request_irq() after disabling hard +interrupts. But disabling interrupts isn't necessary here because the +VIA shift register interrupt was masked during VIA1 initialization. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/419fcc09d0e563b425c419053d02236b044d86b0.1710298421.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/macintosh/via-macii.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index db9270da5b8e9..b6ddf1d47cb4e 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -140,24 +140,19 @@ static int macii_probe(void) + /* Initialize the driver */ + static int macii_init(void) + { +- unsigned long flags; + int err; + +- local_irq_save(flags); +- + err = macii_init_via(); + if (err) +- goto out; ++ return err; + + err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", + macii_interrupt); + if (err) +- goto out; ++ return err; + + macii_state = idle; +-out: +- local_irq_restore(flags); +- return err; ++ return 0; + } + + /* initialize the hardware */ +-- +2.43.0 + diff --git a/queue-6.9/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch b/queue-6.9/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch new file mode 100644 index 00000000000..ceec0742878 --- /dev/null +++ b/queue-6.9/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch @@ -0,0 +1,93 @@ +From 6cd2aacacfcaf5a0d4016cea88b3c9fd7e9eb4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 14:58:24 +0800 +Subject: md: fix resync softlockup when bitmap size is less than array size + +From: Yu Kuai + +[ Upstream commit f0e729af2eb6bee9eb58c4df1087f14ebaefe26b ] + +Is is reported that for dm-raid10, lvextend + lvchange --syncaction will +trigger following softlockup: + +kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] +CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 +RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 +Call Trace: + + md_bitmap_start_sync+0x6b/0xf0 + raid10_sync_request+0x25c/0x1b40 [raid10] + md_do_sync+0x64b/0x1020 + md_thread+0xa7/0x170 + kthread+0xcf/0x100 + ret_from_fork+0x30/0x50 + ret_from_fork_asm+0x1a/0x30 + +And the detailed process is as follows: + +md_do_sync + j = mddev->resync_min + while (j < max_sectors) + sectors = raid10_sync_request(mddev, j, &skipped) + if (!md_bitmap_start_sync(..., &sync_blocks)) + // md_bitmap_start_sync set sync_blocks to 0 + return sync_blocks + sectors_skippe; + // sectors = 0; + j += sectors; + // j never change + +Root cause is that commit 301867b1c168 ("md/raid10: check +slab-out-of-bounds in md_bitmap_get_counter") return early from +md_bitmap_get_counter(), without setting returned blocks. + +Fix this problem by always set returned blocks from +md_bitmap_get_counter"(), as it used to be. + +Noted that this patch just fix the softlockup problem in kernel, the +case that bitmap size doesn't match array size still need to be fixed. + +Fixes: 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") +Reported-and-tested-by: Nigel Croxon +Closes: https://lore.kernel.org/all/71ba5272-ab07-43ba-8232-d2da642acb4e@redhat.com/ +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240422065824.2516-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 059afc24c08be..0a2d37eb38ef9 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1424,7 +1424,7 @@ __acquires(bitmap->lock) + sector_t chunk = offset >> bitmap->chunkshift; + unsigned long page = chunk >> PAGE_COUNTER_SHIFT; + unsigned long pageoff = (chunk & PAGE_COUNTER_MASK) << COUNTER_BYTE_SHIFT; +- sector_t csize; ++ sector_t csize = ((sector_t)1) << bitmap->chunkshift; + int err; + + if (page >= bitmap->pages) { +@@ -1433,6 +1433,7 @@ __acquires(bitmap->lock) + * End-of-device while looking for a whole page or + * user set a huge number to sysfs bitmap_set_bits. + */ ++ *blocks = csize - (offset & (csize - 1)); + return NULL; + } + err = md_bitmap_checkpage(bitmap, page, create, 0); +@@ -1441,8 +1442,7 @@ __acquires(bitmap->lock) + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + + PAGE_COUNTER_SHIFT); +- else +- csize = ((sector_t)1) << bitmap->chunkshift; ++ + *blocks = csize - (offset & (csize - 1)); + + if (err < 0) +-- +2.43.0 + diff --git a/queue-6.9/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch b/queue-6.9/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..008bbd0a539 --- /dev/null +++ b/queue-6.9/media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch @@ -0,0 +1,52 @@ +From 4a6efc85d8a6d2105411b6280df9e981f3eda27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 16:13:00 +0100 +Subject: media: atomisp: ssh_css: Fix a null-pointer dereference in + load_video_binaries + +From: Zhipeng Lu + +[ Upstream commit 3b621e9e9e148c0928ab109ac3d4b81487469acb ] + +The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() +is followed with a dereference of mycs->yuv_scaler_binary after the +following call chain: + +sh_css_pipe_load_binaries() + |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) + | + |-> sh_css_pipe_unload_binaries() + |-> unload_video_binaries() + +In unload_video_binaries(), it calls to ia_css_binary_unload with argument +&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the +same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer +dereference is triggered. + +Link: https://lore.kernel.org/r/20240118151303.3828292-1-alexious@zju.edu.cn + +Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") +Signed-off-by: Zhipeng Lu +Reviewed-by: Andy Shevchenko +Signed-off-by: Hans de Goede +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c +index 938a4ea89c590..8c30191b21a77 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css.c ++++ b/drivers/staging/media/atomisp/pci/sh_css.c +@@ -4690,6 +4690,7 @@ static int load_video_binaries(struct ia_css_pipe *pipe) + sizeof(struct ia_css_binary), + GFP_KERNEL); + if (!mycs->yuv_scaler_binary) { ++ mycs->num_yuv_scaler = 0; + err = -ENOMEM; + return err; + } +-- +2.43.0 + diff --git a/queue-6.9/media-cadence-csi2rx-configure-dphy-before-starting-.patch b/queue-6.9/media-cadence-csi2rx-configure-dphy-before-starting-.patch new file mode 100644 index 00000000000..a73ccb4178b --- /dev/null +++ b/queue-6.9/media-cadence-csi2rx-configure-dphy-before-starting-.patch @@ -0,0 +1,91 @@ +From 4f1004feaabcc9ba083c31cb9689ac4df4b82c1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 13:53:01 +0530 +Subject: media: cadence: csi2rx: configure DPHY before starting source stream + +From: Pratyush Yadav + +[ Upstream commit fd64dda48f7e3f67ada1e1fe47e784ab350da72e ] + +When the source device is operating above 1.5 Gbps per lane, it needs to +send the Skew Calibration Sequence before sending any HS data. If the +DPHY is initialized after the source stream is started, then it might +miss the sequence and not be able to receive data properly. Move the +start of source subdev to the end of the sequence to make sure +everything is ready to receive data before the source starts streaming. + +Signed-off-by: Pratyush Yadav +Fixes: 3295cf1241d3 ("media: cadence: Add support for external dphy") +Tested-by: Julien Massot +Tested-by: Changhuang Liang +Reviewed-by: Julien Massot +Reviewed-by: Changhuang Liang +Signed-off-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/cadence/cdns-csi2rx.c | 26 +++++++++++--------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/cadence/cdns-csi2rx.c b/drivers/media/platform/cadence/cdns-csi2rx.c +index 2d7b0508cc9af..6f7d27a48eff0 100644 +--- a/drivers/media/platform/cadence/cdns-csi2rx.c ++++ b/drivers/media/platform/cadence/cdns-csi2rx.c +@@ -239,10 +239,6 @@ static int csi2rx_start(struct csi2rx_priv *csi2rx) + + writel(reg, csi2rx->base + CSI2RX_STATIC_CFG_REG); + +- ret = v4l2_subdev_call(csi2rx->source_subdev, video, s_stream, true); +- if (ret) +- goto err_disable_pclk; +- + /* Enable DPHY clk and data lanes. */ + if (csi2rx->dphy) { + reg = CSI2RX_DPHY_CL_EN | CSI2RX_DPHY_CL_RST; +@@ -252,6 +248,13 @@ static int csi2rx_start(struct csi2rx_priv *csi2rx) + } + + writel(reg, csi2rx->base + CSI2RX_DPHY_LANE_CTRL_REG); ++ ++ ret = csi2rx_configure_ext_dphy(csi2rx); ++ if (ret) { ++ dev_err(csi2rx->dev, ++ "Failed to configure external DPHY: %d\n", ret); ++ goto err_disable_pclk; ++ } + } + + /* +@@ -291,14 +294,9 @@ static int csi2rx_start(struct csi2rx_priv *csi2rx) + + reset_control_deassert(csi2rx->sys_rst); + +- if (csi2rx->dphy) { +- ret = csi2rx_configure_ext_dphy(csi2rx); +- if (ret) { +- dev_err(csi2rx->dev, +- "Failed to configure external DPHY: %d\n", ret); +- goto err_disable_sysclk; +- } +- } ++ ret = v4l2_subdev_call(csi2rx->source_subdev, video, s_stream, true); ++ if (ret) ++ goto err_disable_sysclk; + + clk_disable_unprepare(csi2rx->p_clk); + +@@ -312,6 +310,10 @@ static int csi2rx_start(struct csi2rx_priv *csi2rx) + clk_disable_unprepare(csi2rx->pixel_clk[i - 1]); + } + ++ if (csi2rx->dphy) { ++ writel(0, csi2rx->base + CSI2RX_DPHY_LANE_CTRL_REG); ++ phy_power_off(csi2rx->dphy); ++ } + err_disable_pclk: + clk_disable_unprepare(csi2rx->p_clk); + +-- +2.43.0 + diff --git a/queue-6.9/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch b/queue-6.9/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch new file mode 100644 index 00000000000..23edb4d8124 --- /dev/null +++ b/queue-6.9/media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch @@ -0,0 +1,77 @@ +From ef59d00d8fa79323d79a6af833b158cde74561f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 14:40:27 -0300 +Subject: media: dt-bindings: ovti,ov2680: Fix the power supply names + +From: Fabio Estevam + +[ Upstream commit e2f6ea61b6f3e4ebbb7dff857eea6220c18cd17b ] + +The original .txt bindings had the OV2680 power supply names correct, +but the transition from .txt to yaml spelled them incorrectly. + +Fix the OV2680 power supply names as the original .txt bindings +as these are the names used by the OV2680 driver and in devicetree. + +Fixes: 57226cd8c8bf ("media: dt-bindings: ov2680: convert bindings to yaml") +Signed-off-by: Fabio Estevam +Reviewed-by: Rob Herring +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../bindings/media/i2c/ovti,ov2680.yaml | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml b/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml +index cf456f8d9ddcb..c87677f5e2a25 100644 +--- a/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml ++++ b/Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml +@@ -37,15 +37,15 @@ properties: + active low. + maxItems: 1 + +- dovdd-supply: ++ DOVDD-supply: + description: + Definition of the regulator used as interface power supply. + +- avdd-supply: ++ AVDD-supply: + description: + Definition of the regulator used as analog power supply. + +- dvdd-supply: ++ DVDD-supply: + description: + Definition of the regulator used as digital power supply. + +@@ -59,9 +59,9 @@ required: + - reg + - clocks + - clock-names +- - dovdd-supply +- - avdd-supply +- - dvdd-supply ++ - DOVDD-supply ++ - AVDD-supply ++ - DVDD-supply + - reset-gpios + - port + +@@ -82,9 +82,9 @@ examples: + clock-names = "xvclk"; + reset-gpios = <&gpio1 3 GPIO_ACTIVE_LOW>; + +- dovdd-supply = <&sw2_reg>; +- dvdd-supply = <&sw2_reg>; +- avdd-supply = <®_peri_3p15v>; ++ DOVDD-supply = <&sw2_reg>; ++ DVDD-supply = <&sw2_reg>; ++ AVDD-supply = <®_peri_3p15v>; + + port { + ov2680_to_mipi: endpoint { +-- +2.43.0 + diff --git a/queue-6.9/media-i2c-et8ek8-don-t-strip-remove-function-when-dr.patch b/queue-6.9/media-i2c-et8ek8-don-t-strip-remove-function-when-dr.patch new file mode 100644 index 00000000000..11c4d7b0597 --- /dev/null +++ b/queue-6.9/media-i2c-et8ek8-don-t-strip-remove-function-when-dr.patch @@ -0,0 +1,57 @@ +From 025591555f83da6289fc5487c6ec8fb60c9714b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Mar 2024 17:00:44 +0100 +Subject: media: i2c: et8ek8: Don't strip remove function when driver is + builtin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ] + +Using __exit for the remove function results in the remove callback +being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets +unbound (e.g. using sysfs or hotplug), the driver is just removed +without the cleanup being performed. This results in resource leaks. Fix +it by compiling in the remove callback unconditionally. + +This also fixes a W=1 modpost warning: + + WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text) + +Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c +index f548b1bb75fb9..e932d25ca7b3a 100644 +--- a/drivers/media/i2c/et8ek8/et8ek8_driver.c ++++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c +@@ -1475,7 +1475,7 @@ static int et8ek8_probe(struct i2c_client *client) + return ret; + } + +-static void __exit et8ek8_remove(struct i2c_client *client) ++static void et8ek8_remove(struct i2c_client *client) + { + struct v4l2_subdev *subdev = i2c_get_clientdata(client); + struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); +@@ -1517,7 +1517,7 @@ static struct i2c_driver et8ek8_i2c_driver = { + .of_match_table = et8ek8_of_table, + }, + .probe = et8ek8_probe, +- .remove = __exit_p(et8ek8_remove), ++ .remove = et8ek8_remove, + .id_table = et8ek8_id_table, + }; + +-- +2.43.0 + diff --git a/queue-6.9/media-ipu3-cio2-request-irq-earlier.patch b/queue-6.9/media-ipu3-cio2-request-irq-earlier.patch new file mode 100644 index 00000000000..bc8ad58c8a1 --- /dev/null +++ b/queue-6.9/media-ipu3-cio2-request-irq-earlier.patch @@ -0,0 +1,52 @@ +From 8181bb46854bb67cdee0365b5d9acc181faf9272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 16:01:20 +0200 +Subject: media: ipu3-cio2: Request IRQ earlier + +From: Sakari Ailus + +[ Upstream commit a069f79bfa6ec1ea0744981ea8425c8a25322579 ] + +Call devm_request_irq() before registering the async notifier, as otherwise +it would be possible to use the device before the interrupts could be +delivered to the driver. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/pci/intel/ipu3/ipu3-cio2.c b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +index c42adc5a408db..00090e7f5f9da 100644 +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -1752,11 +1752,6 @@ static int cio2_pci_probe(struct pci_dev *pci_dev, + + v4l2_async_nf_init(&cio2->notifier, &cio2->v4l2_dev); + +- /* Register notifier for subdevices we care */ +- r = cio2_parse_firmware(cio2); +- if (r) +- goto fail_clean_notifier; +- + r = devm_request_irq(dev, pci_dev->irq, cio2_irq, IRQF_SHARED, + CIO2_NAME, cio2); + if (r) { +@@ -1764,6 +1759,11 @@ static int cio2_pci_probe(struct pci_dev *pci_dev, + goto fail_clean_notifier; + } + ++ /* Register notifier for subdevices we care */ ++ r = cio2_parse_firmware(cio2); ++ if (r) ++ goto fail_clean_notifier; ++ + pm_runtime_put_noidle(dev); + pm_runtime_allow(dev); + +-- +2.43.0 + diff --git a/queue-6.9/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch b/queue-6.9/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch new file mode 100644 index 00000000000..449e84e8b13 --- /dev/null +++ b/queue-6.9/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch @@ -0,0 +1,40 @@ +From dc3d5a1636f3715ea7461f6d7fa715e4e6d7a7b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 14:15:53 +0300 +Subject: media: ngene: Add dvb_ca_en50221_init return value check + +From: Aleksandr Burakov + +[ Upstream commit 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 ] + +The return value of dvb_ca_en50221_init() is not checked here that may +cause undefined behavior in case of nonzero value return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 25aee3debe04 ("[media] Rename media/dvb as media/pci") +Signed-off-by: Aleksandr Burakov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ngene/ngene-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/ngene/ngene-core.c b/drivers/media/pci/ngene/ngene-core.c +index 7481f553f9595..24ec576dc3bff 100644 +--- a/drivers/media/pci/ngene/ngene-core.c ++++ b/drivers/media/pci/ngene/ngene-core.c +@@ -1488,7 +1488,9 @@ static int init_channel(struct ngene_channel *chan) + } + + if (dev->ci.en && (io & NGENE_IO_TSOUT)) { +- dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ ret = dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ if (ret != 0) ++ goto err; + set_transfer(chan, 1); + chan->dev->channel[2].DataFormatFlags = DF_SWAP32; + set_transfer(&chan->dev->channel[2], 1); +-- +2.43.0 + diff --git a/queue-6.9/media-radio-shark2-avoid-led_names-truncations.patch b/queue-6.9/media-radio-shark2-avoid-led_names-truncations.patch new file mode 100644 index 00000000000..b6a6825c23a --- /dev/null +++ b/queue-6.9/media-radio-shark2-avoid-led_names-truncations.patch @@ -0,0 +1,40 @@ +From 23a53c66673d618422e5b6db55e1c9fa68be6ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 14:50:24 +0000 +Subject: media: radio-shark2: Avoid led_names truncations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Ribalda + +[ Upstream commit 1820e16a3019b6258e6009d34432946a6ddd0a90 ] + +Increase the size of led_names so it can fit any valid v4l2 device name. + +Fixes: +drivers/media/radio/radio-shark2.c:197:17: warning: ‘%s’ directive output may be truncated writing up to 35 bytes into a region of size 32 [-Wformat-truncation=] + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/radio-shark2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c +index f1c5c0a6a335c..e3e6aa87fe081 100644 +--- a/drivers/media/radio/radio-shark2.c ++++ b/drivers/media/radio/radio-shark2.c +@@ -62,7 +62,7 @@ struct shark_device { + #ifdef SHARK_USE_LEDS + struct work_struct led_work; + struct led_classdev leds[NO_LEDS]; +- char led_names[NO_LEDS][32]; ++ char led_names[NO_LEDS][64]; + atomic_t brightness[NO_LEDS]; + unsigned long brightness_new; + #endif +-- +2.43.0 + diff --git a/queue-6.9/media-rcar-vin-work-around-wenum-compare-conditional.patch b/queue-6.9/media-rcar-vin-work-around-wenum-compare-conditional.patch new file mode 100644 index 00000000000..1293fa0a82d --- /dev/null +++ b/queue-6.9/media-rcar-vin-work-around-wenum-compare-conditional.patch @@ -0,0 +1,47 @@ +From be0231ed30073aeadba8d54c002e37afcbeb25fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 14:33:46 +0100 +Subject: media: rcar-vin: work around -Wenum-compare-conditional warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 1a742c6010d136cb6c441a0f1dd2bfbfae3c4df2 ] + +clang-19 warns about mixing two enum types here: + +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-core.c:216:18: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] +drivers/media/platform/renesas/rcar-vin/rcar-vin.h:296:12: error: conditional expression between different enumeration types ('enum rvin_csi_id' and 'enum rvin_isp_id') [-Werror,-Wenum-compare-conditional] + +This one is intentional, and there is already a cast to work around another +warning, so address this by adding another cast. + +Fixes: 406bb586dec0 ("media: rcar-vin: Add r8a779a0 support") +Signed-off-by: Arnd Bergmann +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rcar-vin/rcar-vin.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-vin.h b/drivers/media/platform/renesas/rcar-vin/rcar-vin.h +index 792336dada447..997a66318a293 100644 +--- a/drivers/media/platform/renesas/rcar-vin/rcar-vin.h ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-vin.h +@@ -59,7 +59,7 @@ enum rvin_isp_id { + + #define RVIN_REMOTES_MAX \ + (((unsigned int)RVIN_CSI_MAX) > ((unsigned int)RVIN_ISP_MAX) ? \ +- RVIN_CSI_MAX : RVIN_ISP_MAX) ++ (unsigned int)RVIN_CSI_MAX : (unsigned int)RVIN_ISP_MAX) + + /** + * enum rvin_dma_state - DMA states +-- +2.43.0 + diff --git a/queue-6.9/media-uvcvideo-add-quirk-for-logitech-rally-bar.patch b/queue-6.9/media-uvcvideo-add-quirk-for-logitech-rally-bar.patch new file mode 100644 index 00000000000..cc99f06bc4a --- /dev/null +++ b/queue-6.9/media-uvcvideo-add-quirk-for-logitech-rally-bar.patch @@ -0,0 +1,106 @@ +From f6e51cd8179cfa1bec1f7dbcb8444970047ed712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 18:00:49 +0000 +Subject: media: uvcvideo: Add quirk for Logitech Rally Bar + +From: Ricardo Ribalda + +[ Upstream commit 07731053d11f7647d5d8bc23caac997a4d562dfe ] + +Logitech Rally Bar devices, despite behaving as UVC cameras, have a +different power management system that the other cameras from Logitech. + +USB_QUIRK_RESET_RESUME is applied to all the UVC cameras from Logitech +at the usb core. Unfortunately, USB_QUIRK_RESET_RESUME causes undesired +USB disconnects in the Rally Bar that make them completely unusable. + +There is an open discussion about if we should fix this in the core or +add a quirk in the UVC driver. In order to enable this hardware, let's +land this patch first, and we can revert it later if there is a +different conclusion. + +Fixes: e387ef5c47dd ("usb: Add USB_QUIRK_RESET_RESUME for all Logitech UVC webcams") +Acked-by: Greg Kroah-Hartman +Reviewed-by: Devinder Khroad +Reviewed-by: Sergey Senozhatsky +Reviewed-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20240404-rallybar-v6-1-6d67bb6b69af@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 31 ++++++++++++++++++++++++++++++ + drivers/media/usb/uvc/uvcvideo.h | 1 + + 2 files changed, 32 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index bbd90123a4e76..91a41aa3ced24 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2232,6 +2233,9 @@ static int uvc_probe(struct usb_interface *intf, + goto error; + } + ++ if (dev->quirks & UVC_QUIRK_NO_RESET_RESUME) ++ udev->quirks &= ~USB_QUIRK_RESET_RESUME; ++ + uvc_dbg(dev, PROBE, "UVC device initialized\n"); + usb_enable_autosuspend(udev); + return 0; +@@ -2574,6 +2578,33 @@ static const struct usb_device_id uvc_ids[] = { + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_RESTORE_CTRLS_ON_INIT) }, ++ /* Logitech Rally Bar Huddle */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x046d, ++ .idProduct = 0x087c, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_NO_RESET_RESUME) }, ++ /* Logitech Rally Bar */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x046d, ++ .idProduct = 0x089b, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_NO_RESET_RESUME) }, ++ /* Logitech Rally Bar Mini */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x046d, ++ .idProduct = 0x08d3, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_NO_RESET_RESUME) }, + /* Chicony CNF7129 (Asus EEE 100HE) */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h +index 6fb0a78b1b009..88218693f6f0b 100644 +--- a/drivers/media/usb/uvc/uvcvideo.h ++++ b/drivers/media/usb/uvc/uvcvideo.h +@@ -73,6 +73,7 @@ + #define UVC_QUIRK_FORCE_Y8 0x00000800 + #define UVC_QUIRK_FORCE_BPP 0x00001000 + #define UVC_QUIRK_WAKE_AUTOSUSPEND 0x00002000 ++#define UVC_QUIRK_NO_RESET_RESUME 0x00004000 + + /* Format flags */ + #define UVC_FMT_FLAG_COMPRESSED 0x00000001 +-- +2.43.0 + diff --git a/queue-6.9/media-v4l2-subdev-fix-stream-handling-for-crop-api.patch b/queue-6.9/media-v4l2-subdev-fix-stream-handling-for-crop-api.patch new file mode 100644 index 00000000000..b065e4a6048 --- /dev/null +++ b/queue-6.9/media-v4l2-subdev-fix-stream-handling-for-crop-api.patch @@ -0,0 +1,47 @@ +From 5b73401b126df3bdeec0d62d6f22fc41b1f05f37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 02:37:25 +0300 +Subject: media: v4l2-subdev: Fix stream handling for crop API + +From: Laurent Pinchart + +[ Upstream commit 34d7bf1c8e59f5fbf438ee32c96389ebe41ca2e8 ] + +When support for streams was added to the V4L2 subdev API, the +v4l2_subdev_crop structure was extended with a stream field, but the +field was not handled in the core code that translates the +VIDIOC_SUBDEV_[GS]_CROP ioctls to the selection API. Fix it. + +Fixes: 2f91e10ee6fd ("media: subdev: add stream based configuration") +Signed-off-by: Laurent Pinchart +Reviewed-by: Tomi Valkeinen +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-subdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c +index 4c6198c48dd61..45836f0a2b0a7 100644 +--- a/drivers/media/v4l2-core/v4l2-subdev.c ++++ b/drivers/media/v4l2-core/v4l2-subdev.c +@@ -732,6 +732,7 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg, + memset(&sel, 0, sizeof(sel)); + sel.which = crop->which; + sel.pad = crop->pad; ++ sel.stream = crop->stream; + sel.target = V4L2_SEL_TGT_CROP; + + rval = v4l2_subdev_call( +@@ -756,6 +757,7 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg, + memset(&sel, 0, sizeof(sel)); + sel.which = crop->which; + sel.pad = crop->pad; ++ sel.stream = crop->stream; + sel.target = V4L2_SEL_TGT_CROP; + sel.r = crop->rect; + +-- +2.43.0 + diff --git a/queue-6.9/mlx5-avoid-truncating-error-message.patch b/queue-6.9/mlx5-avoid-truncating-error-message.patch new file mode 100644 index 00000000000..76728d882b3 --- /dev/null +++ b/queue-6.9/mlx5-avoid-truncating-error-message.patch @@ -0,0 +1,41 @@ +From 259f9f048fdbef9ec651e1544a64320295598548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:03 +0100 +Subject: mlx5: avoid truncating error message + +From: Arnd Bergmann + +[ Upstream commit b324a960354b872431d25959ad384ab66a7116ec ] + +clang warns that one error message is too long for its destination buffer: + +drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c:1876:4: error: 'snprintf' will always be truncated; specified size is 80, but format string expands to at least 94 [-Werror,-Wformat-truncation-non-kprintf] + +Reword it to be a bit shorter so it always fits. + +Fixes: 70f0302b3f20 ("net/mlx5: Bridge, implement mdb offload") +Signed-off-by: Arnd Bergmann +Reviewed-by: Subbaraya Sundeep +Link: https://lore.kernel.org/r/20240326223825.4084412-5-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +index 1b9bc32efd6fa..c5ea1d1d2b035 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c +@@ -1874,7 +1874,7 @@ int mlx5_esw_bridge_port_mdb_add(struct net_device *dev, u16 vport_num, u16 esw_ + "Failed to lookup bridge port vlan metadata to create MDB (MAC=%pM,vid=%u,vport=%u)\n", + addr, vid, vport_num); + NL_SET_ERR_MSG_FMT_MOD(extack, +- "Failed to lookup bridge port vlan metadata to create MDB (MAC=%pM,vid=%u,vport=%u)\n", ++ "Failed to lookup vlan metadata for MDB (MAC=%pM,vid=%u,vport=%u)\n", + addr, vid, vport_num); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-6.9/mlx5-stop-warning-for-64kb-pages.patch b/queue-6.9/mlx5-stop-warning-for-64kb-pages.patch new file mode 100644 index 00000000000..50cc2034090 --- /dev/null +++ b/queue-6.9/mlx5-stop-warning-for-64kb-pages.patch @@ -0,0 +1,57 @@ +From cab13cffc1ee550c07d5620aadde8a54a66c4c6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:46 +0100 +Subject: mlx5: stop warning for 64KB pages + +From: Arnd Bergmann + +[ Upstream commit a5535e5336943b33689f558199366102387b7bbf ] + +When building with 64KB pages, clang points out that xsk->chunk_size +can never be PAGE_SIZE: + +drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c:19:22: error: result of comparison of constant 65536 with expression of type 'u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (xsk->chunk_size > PAGE_SIZE || + ~~~~~~~~~~~~~~~ ^ ~~~~~~~~~ + +In older versions of this code, using PAGE_SIZE was the only +possibility, so this would have never worked on 64KB page kernels, +but the patch apparently did not address this case completely. + +As Maxim Mikityanskiy suggested, 64KB chunks are really not all that +useful, so just shut up the warning by adding a cast. + +Fixes: 282c0c798f8e ("net/mlx5e: Allow XSK frames smaller than a page") +Link: https://lore.kernel.org/netdev/20211013150232.2942146-1-arnd@kernel.org/ +Link: https://lore.kernel.org/lkml/a7b27541-0ebb-4f2d-bd06-270a4d404613@app.fastmail.com/ +Signed-off-by: Arnd Bergmann +Acked-by: Maxim Mikityanskiy +Reviewed-by: Justin Stitt +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240328143051.1069575-9-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +index 06592b9f04242..9240cfe25d102 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +@@ -28,8 +28,10 @@ bool mlx5e_validate_xsk_param(struct mlx5e_params *params, + struct mlx5e_xsk_param *xsk, + struct mlx5_core_dev *mdev) + { +- /* AF_XDP doesn't support frames larger than PAGE_SIZE. */ +- if (xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) { ++ /* AF_XDP doesn't support frames larger than PAGE_SIZE, ++ * and xsk->chunk_size is limited to 65535 bytes. ++ */ ++ if ((size_t)xsk->chunk_size > PAGE_SIZE || xsk->chunk_size < MLX5E_MIN_XSK_CHUNK_SIZE) { + mlx5_core_err(mdev, "XSK chunk size %u out of bounds [%u, %lu]\n", xsk->chunk_size, + MLX5E_MIN_XSK_CHUNK_SIZE, PAGE_SIZE); + return false; +-- +2.43.0 + diff --git a/queue-6.9/mm-ksm-fix-ksm-exec-support-for-prctl.patch b/queue-6.9/mm-ksm-fix-ksm-exec-support-for-prctl.patch new file mode 100644 index 00000000000..d9598681510 --- /dev/null +++ b/queue-6.9/mm-ksm-fix-ksm-exec-support-for-prctl.patch @@ -0,0 +1,116 @@ +From 89d85f0567ac29842eba96dc5e132d873d398523 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 19:10:08 +0800 +Subject: mm/ksm: fix ksm exec support for prctl + +From: Jinjiang Tu + +[ Upstream commit 3a9e567ca45fb5280065283d10d9a11f0db61d2b ] + +Patch series "mm/ksm: fix ksm exec support for prctl", v4. + +commit 3c6f33b7273a ("mm/ksm: support fork/exec for prctl") inherits +MMF_VM_MERGE_ANY flag when a task calls execve(). However, it doesn't +create the mm_slot, so ksmd will not try to scan this task. The first +patch fixes the issue. + +The second patch refactors to prepare for the third patch. The third +patch extends the selftests of ksm to verfity the deduplication really +happens after fork/exec inherits ths KSM setting. + +This patch (of 3): + +commit 3c6f33b7273a ("mm/ksm: support fork/exec for prctl") inherits +MMF_VM_MERGE_ANY flag when a task calls execve(). Howerver, it doesn't +create the mm_slot, so ksmd will not try to scan this task. + +To fix it, allocate and add the mm_slot to ksm_mm_head in __bprm_mm_init() +when the mm has MMF_VM_MERGE_ANY flag. + +Link: https://lkml.kernel.org/r/20240328111010.1502191-1-tujinjiang@huawei.com +Link: https://lkml.kernel.org/r/20240328111010.1502191-2-tujinjiang@huawei.com +Fixes: 3c6f33b7273a ("mm/ksm: support fork/exec for prctl") +Signed-off-by: Jinjiang Tu +Reviewed-by: David Hildenbrand +Cc: Johannes Weiner +Cc: Kefeng Wang +Cc: Nanyong Sun +Cc: Rik van Riel +Cc: Stefan Roesch +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/exec.c | 11 +++++++++++ + include/linux/ksm.h | 13 +++++++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/fs/exec.c b/fs/exec.c +index cf1df7f16e55c..0c5f06d08c355 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -67,6 +67,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -267,6 +268,14 @@ static int __bprm_mm_init(struct linux_binprm *bprm) + goto err_free; + } + ++ /* ++ * Need to be called with mmap write lock ++ * held, to avoid race with ksmd. ++ */ ++ err = ksm_execve(mm); ++ if (err) ++ goto err_ksm; ++ + /* + * Place the stack at the largest stack address the architecture + * supports. Later, we'll move this to an appropriate place. We don't +@@ -288,6 +297,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm) + bprm->p = vma->vm_end - sizeof(void *); + return 0; + err: ++ ksm_exit(mm); ++err_ksm: + mmap_write_unlock(mm); + err_free: + bprm->vma = NULL; +diff --git a/include/linux/ksm.h b/include/linux/ksm.h +index 401348e9f92b4..7e2b1de3996ac 100644 +--- a/include/linux/ksm.h ++++ b/include/linux/ksm.h +@@ -59,6 +59,14 @@ static inline int ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) + return 0; + } + ++static inline int ksm_execve(struct mm_struct *mm) ++{ ++ if (test_bit(MMF_VM_MERGE_ANY, &mm->flags)) ++ return __ksm_enter(mm); ++ ++ return 0; ++} ++ + static inline void ksm_exit(struct mm_struct *mm) + { + if (test_bit(MMF_VM_MERGEABLE, &mm->flags)) +@@ -107,6 +115,11 @@ static inline int ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) + return 0; + } + ++static inline int ksm_execve(struct mm_struct *mm) ++{ ++ return 0; ++} ++ + static inline void ksm_exit(struct mm_struct *mm) + { + } +-- +2.43.0 + diff --git a/queue-6.9/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch b/queue-6.9/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch new file mode 100644 index 00000000000..047b66a8d67 --- /dev/null +++ b/queue-6.9/mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch @@ -0,0 +1,69 @@ +From edb29317f3a81dc3743ba8ace43e8efbe944343d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 06:38:39 -0700 +Subject: mm/slub, kunit: Use inverted data to corrupt kmem cache + +From: Guenter Roeck + +[ Upstream commit b1080c667b3b2c8c38a7fa83ca5567124887abae ] + +Two failure patterns are seen randomly when running slub_kunit tests with +CONFIG_SLAB_FREELIST_RANDOM and CONFIG_SLAB_FREELIST_HARDENED enabled. + +Pattern 1: + # test_clobber_zone: pass:1 fail:0 skip:0 total:1 + ok 1 test_clobber_zone + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:72 + Expected 3 == slab_errors, but + slab_errors == 0 (0x0) + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:84 + Expected 2 == slab_errors, but + slab_errors == 0 (0x0) + # test_next_pointer: pass:0 fail:1 skip:0 total:1 + not ok 2 test_next_pointer + +In this case, test_next_pointer() overwrites p[s->offset], but the data +at p[s->offset] is already 0x12. + +Pattern 2: + ok 1 test_clobber_zone + # test_next_pointer: EXPECTATION FAILED at lib/slub_kunit.c:72 + Expected 3 == slab_errors, but + slab_errors == 2 (0x2) + # test_next_pointer: pass:0 fail:1 skip:0 total:1 + not ok 2 test_next_pointer + +In this case, p[s->offset] has a value other than 0x12, but one of the +expected failures is nevertheless missing. + +Invert data instead of writing a fixed value to corrupt the cache data +structures to fix the problem. + +Fixes: 1f9f78b1b376 ("mm/slub, kunit: add a KUnit test for SLUB debugging functionality") +Cc: Oliver Glitta +Cc: Vlastimil Babka +CC: Daniel Latypov +Cc: Marco Elver +Signed-off-by: Guenter Roeck +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +--- + lib/slub_kunit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/slub_kunit.c b/lib/slub_kunit.c +index d4a3730b08fa7..4ce9604388069 100644 +--- a/lib/slub_kunit.c ++++ b/lib/slub_kunit.c +@@ -55,7 +55,7 @@ static void test_next_pointer(struct kunit *test) + + ptr_addr = (unsigned long *)(p + s->offset); + tmp = *ptr_addr; +- p[s->offset] = 0x12; ++ p[s->offset] = ~p[s->offset]; + + /* + * Expecting three errors. +-- +2.43.0 + diff --git a/queue-6.9/mm-userfaultfd-do-not-place-zeropages-when-zeropages.patch b/queue-6.9/mm-userfaultfd-do-not-place-zeropages-when-zeropages.patch new file mode 100644 index 00000000000..04653328ab3 --- /dev/null +++ b/queue-6.9/mm-userfaultfd-do-not-place-zeropages-when-zeropages.patch @@ -0,0 +1,95 @@ +From 75e998bfe0e6436e7254db80ad128fac1795bc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 18:14:40 +0200 +Subject: mm/userfaultfd: Do not place zeropages when zeropages are disallowed + +From: David Hildenbrand + +[ Upstream commit 90a7592da14951bd21f74a53246ba30955a648aa ] + +s390x must disable shared zeropages for processes running VMs, because +the VMs could end up making use of "storage keys" or protected +virtualization, which are incompatible with shared zeropages. + +Yet, with userfaultfd it is possible to insert shared zeropages into +such processes. Let's fallback to simply allocating a fresh zeroed +anonymous folio and insert that instead. + +mm_forbids_zeropage() was introduced in commit 593befa6ab74 ("mm: introduce +mm_forbids_zeropage function"), briefly before userfaultfd went +upstream. + +Note that we don't want to fail the UFFDIO_ZEROPAGE request like we do +for hugetlb, it would be rather unexpected. Further, we also +cannot really indicated "not supported" to user space ahead of time: it +could be that the MM disallows zeropages after userfaultfd was already +registered. + +[ agordeev: Fixed checkpatch complaints ] + +Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation") +Reviewed-by: Peter Xu +Link: https://lore.kernel.org/r/20240411161441.910170-2-david@redhat.com +Signed-off-by: David Hildenbrand +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + mm/userfaultfd.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c +index 3c3539c573e7f..829f7b1089fc6 100644 +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -316,6 +316,38 @@ static int mfill_atomic_pte_copy(pmd_t *dst_pmd, + goto out; + } + ++static int mfill_atomic_pte_zeroed_folio(pmd_t *dst_pmd, ++ struct vm_area_struct *dst_vma, ++ unsigned long dst_addr) ++{ ++ struct folio *folio; ++ int ret = -ENOMEM; ++ ++ folio = vma_alloc_zeroed_movable_folio(dst_vma, dst_addr); ++ if (!folio) ++ return ret; ++ ++ if (mem_cgroup_charge(folio, dst_vma->vm_mm, GFP_KERNEL)) ++ goto out_put; ++ ++ /* ++ * The memory barrier inside __folio_mark_uptodate makes sure that ++ * zeroing out the folio become visible before mapping the page ++ * using set_pte_at(). See do_anonymous_page(). ++ */ ++ __folio_mark_uptodate(folio); ++ ++ ret = mfill_atomic_install_pte(dst_pmd, dst_vma, dst_addr, ++ &folio->page, true, 0); ++ if (ret) ++ goto out_put; ++ ++ return 0; ++out_put: ++ folio_put(folio); ++ return ret; ++} ++ + static int mfill_atomic_pte_zeropage(pmd_t *dst_pmd, + struct vm_area_struct *dst_vma, + unsigned long dst_addr) +@@ -324,6 +356,9 @@ static int mfill_atomic_pte_zeropage(pmd_t *dst_pmd, + spinlock_t *ptl; + int ret; + ++ if (mm_forbids_zeropage(dst_vma->vm_mm)) ++ return mfill_atomic_pte_zeroed_folio(dst_pmd, dst_vma, dst_addr); ++ + _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr), + dst_vma->vm_page_prot)); + ret = -EAGAIN; +-- +2.43.0 + diff --git a/queue-6.9/modules-drop-the-.export_symbol-section-from-the-fin.patch b/queue-6.9/modules-drop-the-.export_symbol-section-from-the-fin.patch new file mode 100644 index 00000000000..1dd18fdfb98 --- /dev/null +++ b/queue-6.9/modules-drop-the-.export_symbol-section-from-the-fin.patch @@ -0,0 +1,35 @@ +From bd399fb460c5d2da7635f218eb2561f6ae490d35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 13:35:30 +0800 +Subject: modules: Drop the .export_symbol section from the final modules + +From: Wang Yao + +[ Upstream commit 8fe51b45c5645c259f759479c374648e9dfeaa03 ] + +Commit ddb5cdbafaaa ("kbuild: generate KSYMTAB entries by modpost") +forget drop the .export_symbol section from the final modules. + +Fixes: ddb5cdbafaaa ("kbuild: generate KSYMTAB entries by modpost") +Signed-off-by: Wang Yao +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/module.lds.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/scripts/module.lds.S b/scripts/module.lds.S +index bf5bcf2836d81..89ff01a22634f 100644 +--- a/scripts/module.lds.S ++++ b/scripts/module.lds.S +@@ -13,6 +13,7 @@ SECTIONS { + /DISCARD/ : { + *(.discard) + *(.discard.*) ++ *(.export_symbol) + } + + __ksymtab 0 : { *(SORT(___ksymtab+*)) } +-- +2.43.0 + diff --git a/queue-6.9/mptcp-fix-full-tcp-keep-alive-support.patch b/queue-6.9/mptcp-fix-full-tcp-keep-alive-support.patch new file mode 100644 index 00000000000..8aed2cf4f45 --- /dev/null +++ b/queue-6.9/mptcp-fix-full-tcp-keep-alive-support.patch @@ -0,0 +1,157 @@ +From fcda711b0b91a4332bff5a195c4ebdc6c6bf8be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 18:13:26 -0700 +Subject: mptcp: fix full TCP keep-alive support + +From: Matthieu Baerts (NGI0) + +[ Upstream commit bd11dc4fb969ec148e50cd87f88a78246dbc4d0b ] + +SO_KEEPALIVE support has been added a while ago, as part of a series +"adding SOL_SOCKET" support. To have a full control of this keep-alive +feature, it is important to also support TCP_KEEP* socket options at the +SOL_TCP level. + +Supporting them on the setsockopt() part is easy, it is just a matter of +remembering each value in the MPTCP sock structure, and calling +tcp_sock_set_keep*() helpers on each subflow. If the value is not +modified (0), calling these helpers will not do anything. For the +getsockopt() part, the corresponding value from the MPTCP sock structure +or the default one is simply returned. All of this is very similar to +other TCP_* socket options supported by MPTCP. + +It looks important for kernels supporting SO_KEEPALIVE, to also support +TCP_KEEP* options as well: some apps seem to (wrongly) consider that if +the former is supported, the latter ones will be supported as well. But +also, not having this simple and isolated change is preventing MPTCP +support in some apps, and libraries like GoLang [1]. This is why this +patch is seen as a fix. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/383 +Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORITY") +Link: https://github.com/golang/go/issues/56539 [1] +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20240514011335.176158-3-martineau@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.h | 3 +++ + net/mptcp/sockopt.c | 58 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+) + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index a10ebf3ee10a1..9d1ee199490bb 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -308,6 +308,9 @@ struct mptcp_sock { + free_first:1, + rcvspace_init:1; + u32 notsent_lowat; ++ int keepalive_cnt; ++ int keepalive_idle; ++ int keepalive_intvl; + struct work_struct work; + struct sk_buff *ooo_last_skb; + struct rb_root out_of_order_queue; +diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c +index 08b7be2b1b69e..19ee684f9e401 100644 +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -622,6 +622,31 @@ static int mptcp_setsockopt_sol_tcp_congestion(struct mptcp_sock *msk, sockptr_t + return ret; + } + ++static int __mptcp_setsockopt_set_val(struct mptcp_sock *msk, int max, ++ int (*set_val)(struct sock *, int), ++ int *msk_val, int val) ++{ ++ struct mptcp_subflow_context *subflow; ++ int err = 0; ++ ++ mptcp_for_each_subflow(msk, subflow) { ++ struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ int ret; ++ ++ lock_sock(ssk); ++ ret = set_val(ssk, val); ++ err = err ? : ret; ++ release_sock(ssk); ++ } ++ ++ if (!err) { ++ *msk_val = val; ++ sockopt_seq_inc(msk); ++ } ++ ++ return err; ++} ++ + static int __mptcp_setsockopt_sol_tcp_cork(struct mptcp_sock *msk, int val) + { + struct mptcp_subflow_context *subflow; +@@ -818,6 +843,22 @@ static int mptcp_setsockopt_sol_tcp(struct mptcp_sock *msk, int optname, + case TCP_NODELAY: + ret = __mptcp_setsockopt_sol_tcp_nodelay(msk, val); + break; ++ case TCP_KEEPIDLE: ++ ret = __mptcp_setsockopt_set_val(msk, MAX_TCP_KEEPIDLE, ++ &tcp_sock_set_keepidle_locked, ++ &msk->keepalive_idle, val); ++ break; ++ case TCP_KEEPINTVL: ++ ret = __mptcp_setsockopt_set_val(msk, MAX_TCP_KEEPINTVL, ++ &tcp_sock_set_keepintvl, ++ &msk->keepalive_intvl, val); ++ break; ++ case TCP_KEEPCNT: ++ ret = __mptcp_setsockopt_set_val(msk, MAX_TCP_KEEPCNT, ++ &tcp_sock_set_keepcnt, ++ &msk->keepalive_cnt, ++ val); ++ break; + default: + ret = -ENOPROTOOPT; + } +@@ -1320,6 +1361,8 @@ static int mptcp_put_int_option(struct mptcp_sock *msk, char __user *optval, + static int mptcp_getsockopt_sol_tcp(struct mptcp_sock *msk, int optname, + char __user *optval, int __user *optlen) + { ++ struct sock *sk = (void *)msk; ++ + switch (optname) { + case TCP_ULP: + case TCP_CONGESTION: +@@ -1338,6 +1381,18 @@ static int mptcp_getsockopt_sol_tcp(struct mptcp_sock *msk, int optname, + return mptcp_put_int_option(msk, optval, optlen, msk->cork); + case TCP_NODELAY: + return mptcp_put_int_option(msk, optval, optlen, msk->nodelay); ++ case TCP_KEEPIDLE: ++ return mptcp_put_int_option(msk, optval, optlen, ++ msk->keepalive_idle ? : ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_keepalive_time) / HZ); ++ case TCP_KEEPINTVL: ++ return mptcp_put_int_option(msk, optval, optlen, ++ msk->keepalive_intvl ? : ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_keepalive_intvl) / HZ); ++ case TCP_KEEPCNT: ++ return mptcp_put_int_option(msk, optval, optlen, ++ msk->keepalive_cnt ? : ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_keepalive_probes)); + case TCP_NOTSENT_LOWAT: + return mptcp_put_int_option(msk, optval, optlen, msk->notsent_lowat); + } +@@ -1455,6 +1510,9 @@ static void sync_socket_options(struct mptcp_sock *msk, struct sock *ssk) + tcp_set_congestion_control(ssk, msk->ca_name, false, true); + __tcp_sock_set_cork(ssk, !!msk->cork); + __tcp_sock_set_nodelay(ssk, !!msk->nodelay); ++ tcp_sock_set_keepidle_locked(ssk, msk->keepalive_idle); ++ tcp_sock_set_keepintvl(ssk, msk->keepalive_intvl); ++ tcp_sock_set_keepcnt(ssk, msk->keepalive_cnt); + + inet_assign_bit(TRANSPARENT, ssk, inet_test_bit(TRANSPARENT, sk)); + inet_assign_bit(FREEBIND, ssk, inet_test_bit(FREEBIND, sk)); +-- +2.43.0 + diff --git a/queue-6.9/mptcp-so_keepalive-fix-getsockopt-support.patch b/queue-6.9/mptcp-so_keepalive-fix-getsockopt-support.patch new file mode 100644 index 00000000000..810b6ed4776 --- /dev/null +++ b/queue-6.9/mptcp-so_keepalive-fix-getsockopt-support.patch @@ -0,0 +1,53 @@ +From 0ab3118941cff286858b6695ed5eefb753eee5c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 18:13:25 -0700 +Subject: mptcp: SO_KEEPALIVE: fix getsockopt support + +From: Matthieu Baerts (NGI0) + +[ Upstream commit a65198136eaa15b74ee0abf73f12ef83d469a334 ] + +SO_KEEPALIVE support has to be set on each subflow: on each TCP socket, +where sk_prot->keepalive is defined. Technically, nothing has to be done +on the MPTCP socket. That's why mptcp_sol_socket_sync_intval() was +called instead of mptcp_sol_socket_intval(). + +Except that when nothing is done on the MPTCP socket, the +getsockopt(SO_KEEPALIVE), handled in net/core/sock.c:sk_getsockopt(), +will not know if SO_KEEPALIVE has been set on the different subflows or +not. + +The fix is simple: simply call mptcp_sol_socket_intval() which will end +up calling net/core/sock.c:sk_setsockopt() where the SOCK_KEEPOPEN flag +will be set, the one used in sk_getsockopt(). + +So now, getsockopt(SO_KEEPALIVE) on an MPTCP socket will return the same +value as the one previously set with setsockopt(SO_KEEPALIVE). + +Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORITY") +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20240514011335.176158-2-martineau@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/sockopt.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c +index 73fdf423de44e..08b7be2b1b69e 100644 +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -181,8 +181,6 @@ static int mptcp_setsockopt_sol_socket_int(struct mptcp_sock *msk, int optname, + + switch (optname) { + case SO_KEEPALIVE: +- mptcp_sol_socket_sync_intval(msk, optname, val); +- return 0; + case SO_DEBUG: + case SO_MARK: + case SO_PRIORITY: +-- +2.43.0 + diff --git a/queue-6.9/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch b/queue-6.9/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch new file mode 100644 index 00000000000..6f37fd0e3d9 --- /dev/null +++ b/queue-6.9/mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch @@ -0,0 +1,44 @@ +From 53b819e9714622c483d59e225d3b2fa61014390d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 19:34:24 +0200 +Subject: mtd: core: Report error if first mtd_otp_size() call fails in + mtd_otp_nvmem_add() + +From: Aapo Vienamo + +[ Upstream commit d44f0bbbd8d182debcce88bda55b05269f3d33d6 ] + +Jump to the error reporting code in mtd_otp_nvmem_add() if the +mtd_otp_size() call fails. Without this fix, the error is not logged. + +Signed-off-by: Aapo Vienamo +Reviewed-by: Mika Westerberg +Reviewed-by: Michael Walle +Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240313173425.1325790-2-aapo.vienamo@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index 0de87bc638405..6d5c755411de0 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -956,8 +956,10 @@ static int mtd_otp_nvmem_add(struct mtd_info *mtd) + + if (mtd->_get_user_prot_info && mtd->_read_user_prot_reg) { + size = mtd_otp_size(mtd, true); +- if (size < 0) +- return size; ++ if (size < 0) { ++ err = size; ++ goto err; ++ } + + if (size > 0) { + nvmem = mtd_otp_nvmem_register(mtd, "user-otp", size, +-- +2.43.0 + diff --git a/queue-6.9/mtd-rawnand-hynix-fixed-typo.patch b/queue-6.9/mtd-rawnand-hynix-fixed-typo.patch new file mode 100644 index 00000000000..428194cb8a8 --- /dev/null +++ b/queue-6.9/mtd-rawnand-hynix-fixed-typo.patch @@ -0,0 +1,43 @@ +From f8c8104edb10664351577ccc32bfade2b45c9699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:27:20 +0300 +Subject: mtd: rawnand: hynix: fixed typo + +From: Maxim Korotkov + +[ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ] + +The function hynix_nand_rr_init() should probably return an error code. +Judging by the usage, it seems that the return code is passed up +the call stack. +Right now, it always returns 0 and the function hynix_nand_cleanup() +in hynix_nand_init() has never been called. + +Found by RASU JSC and Linux Verification Center (linuxtesting.org) + +Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs") + +Signed-off-by: Maxim Korotkov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_hynix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/nand_hynix.c b/drivers/mtd/nand/raw/nand_hynix.c +index a74e64e0cfa32..c02e50608816a 100644 +--- a/drivers/mtd/nand/raw/nand_hynix.c ++++ b/drivers/mtd/nand/raw/nand_hynix.c +@@ -401,7 +401,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip) + if (ret) + pr_warn("failed to initialize read-retry infrastructure"); + +- return 0; ++ return ret; + } + + static void hynix_nand_extract_oobsize(struct nand_chip *chip, +-- +2.43.0 + diff --git a/queue-6.9/net-bridge-mst-fix-vlan-use-after-free.patch b/queue-6.9/net-bridge-mst-fix-vlan-use-after-free.patch new file mode 100644 index 00000000000..18d3f5b9dc0 --- /dev/null +++ b/queue-6.9/net-bridge-mst-fix-vlan-use-after-free.patch @@ -0,0 +1,123 @@ +From 7adc264302ef474b2537e7d38f670c02de3543b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 14:06:27 +0300 +Subject: net: bridge: mst: fix vlan use-after-free + +From: Nikolay Aleksandrov + +[ Upstream commit 3a7c1661ae1383364cd6092d851f5e5da64d476b ] + +syzbot reported a suspicious rcu usage[1] in bridge's mst code. While +fixing it I noticed that nothing prevents a vlan to be freed while +walking the list from the same path (br forward delay timer). Fix the rcu +usage and also make sure we are not accessing freed memory by making +br_mst_vlan_set_state use rcu read lock. + +[1] + WARNING: suspicious RCU usage + 6.9.0-rc6-syzkaller #0 Not tainted + ----------------------------- + net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage! + ... + stack backtrace: + CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 + nbp_vlan_group net/bridge/br_private.h:1599 [inline] + br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 + br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 + br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 + call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 + expire_timers kernel/time/timer.c:1844 [inline] + __run_timers kernel/time/timer.c:2418 [inline] + __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429 + run_timer_base kernel/time/timer.c:2438 [inline] + run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 + __do_softirq+0x2c6/0x980 kernel/softirq.c:554 + invoke_softirq kernel/softirq.c:428 [inline] + __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] + sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 + + + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 + RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 + Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 + RSP: 0018:ffffc90013657100 EFLAGS: 00000206 + RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 + RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 + RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 + R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 + R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246 + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+fa04eb8a56fd923fc5d8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fa04eb8a56fd923fc5d8 +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_mst.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index ee680adcee179..3c66141d34d62 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -78,7 +78,7 @@ static void br_mst_vlan_set_state(struct net_bridge_port *p, struct net_bridge_v + { + struct net_bridge_vlan_group *vg = nbp_vlan_group(p); + +- if (v->state == state) ++ if (br_vlan_get_state(v) == state) + return; + + br_vlan_set_state(v, state); +@@ -100,11 +100,12 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, + }; + struct net_bridge_vlan_group *vg; + struct net_bridge_vlan *v; +- int err; ++ int err = 0; + ++ rcu_read_lock(); + vg = nbp_vlan_group(p); + if (!vg) +- return 0; ++ goto out; + + /* MSTI 0 (CST) state changes are notified via the regular + * SWITCHDEV_ATTR_ID_PORT_STP_STATE. +@@ -112,17 +113,20 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, + if (msti) { + err = switchdev_port_attr_set(p->dev, &attr, extack); + if (err && err != -EOPNOTSUPP) +- return err; ++ goto out; + } + +- list_for_each_entry(v, &vg->vlan_list, vlist) { ++ err = 0; ++ list_for_each_entry_rcu(v, &vg->vlan_list, vlist) { + if (v->brvlan->msti != msti) + continue; + + br_mst_vlan_set_state(p, v, state); + } + +- return 0; ++out: ++ rcu_read_unlock(); ++ return err; + } + + static void br_mst_vlan_sync_state(struct net_bridge_vlan *pv, u16 msti) +-- +2.43.0 + diff --git a/queue-6.9/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch b/queue-6.9/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch new file mode 100644 index 00000000000..b9baf96de09 --- /dev/null +++ b/queue-6.9/net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch @@ -0,0 +1,90 @@ +From 4191f1e8e26096736b68d928ac52a2a7e7e6a922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:34:19 +0300 +Subject: net: bridge: xmit: make sure we have at least eth header len bytes + +From: Nikolay Aleksandrov + +[ Upstream commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc ] + +syzbot triggered an uninit value[1] error in bridge device's xmit path +by sending a short (less than ETH_HLEN bytes) skb. To fix it check if +we can actually pull that amount instead of assuming. + +Tested with dropwatch: + drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) + origin: software + timestamp: Mon May 13 11:31:53 2024 778214037 nsec + protocol: 0x88a8 + length: 2 + original length: 2 + drop reason: PKT_TOO_SMALL + +[1] +BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 + br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 + __netdev_start_xmit include/linux/netdevice.h:4903 [inline] + netdev_start_xmit include/linux/netdevice.h:4917 [inline] + xmit_one net/core/dev.c:3531 [inline] + dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 + __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 + dev_queue_xmit include/linux/netdevice.h:3091 [inline] + __bpf_tx_skb net/core/filter.c:2136 [inline] + __bpf_redirect_common net/core/filter.c:2180 [inline] + __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 + ____bpf_clone_redirect net/core/filter.c:2460 [inline] + bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 + ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 + __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 + bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] + __bpf_prog_run include/linux/filter.h:657 [inline] + bpf_prog_run include/linux/filter.h:664 [inline] + bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 + bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 + bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 + __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 + __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] + __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 + x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40 +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c +index c366ccc8b3db7..ecac7886988b1 100644 +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -27,6 +27,7 @@ EXPORT_SYMBOL_GPL(nf_br_ops); + /* net device transmit always called with BH disabled */ + netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + { ++ enum skb_drop_reason reason = pskb_may_pull_reason(skb, ETH_HLEN); + struct net_bridge_mcast_port *pmctx_null = NULL; + struct net_bridge *br = netdev_priv(dev); + struct net_bridge_mcast *brmctx = &br->multicast_ctx; +@@ -38,6 +39,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + const unsigned char *dest; + u16 vid = 0; + ++ if (unlikely(reason != SKB_NOT_DROPPED_YET)) { ++ kfree_skb_reason(skb, reason); ++ return NETDEV_TX_OK; ++ } ++ + memset(skb->cb, 0, sizeof(struct br_input_skb_cb)); + br_tc_skb_miss_set(skb, false); + +-- +2.43.0 + diff --git a/queue-6.9/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch b/queue-6.9/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch new file mode 100644 index 00000000000..82b800da0e7 --- /dev/null +++ b/queue-6.9/net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch @@ -0,0 +1,234 @@ +From 9db839170154794caf27dfd4bc5d1ad2c0489285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:47:48 +0200 +Subject: net: dsa: mv88e6xxx: Add support for model-specific pre- and + post-reset handlers + +From: Matthias Schiffer + +[ Upstream commit 0fdd27b9d6d7c60bd319d3497ad797934bab13cb ] + +Instead of calling mv88e6xxx_g2_eeprom_wait() directly from +mv88e6xxx_hardware_reset(), add configurable pre- and post-reset hard +reset handlers. Initially, the handlers are set to +mv88e6xxx_g2_eeprom_wait() for all families that have get/set_eeprom() +to match the existing behavior. No functional change intended (except +for additional error messages on failure). + +Fixes: 6ccf50d4d474 ("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") +Signed-off-by: Matthias Schiffer +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 50 +++++++++++++++++++++++++++++--- + drivers/net/dsa/mv88e6xxx/chip.h | 6 ++++ + 2 files changed, 52 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 0918bd6fa81dd..ab13c8bc199c0 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3146,6 +3146,7 @@ static int mv88e6xxx_software_reset(struct mv88e6xxx_chip *chip) + static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + { + struct gpio_desc *gpiod = chip->reset; ++ int err; + + /* If there is a GPIO connected to the reset pin, toggle it */ + if (gpiod) { +@@ -3154,17 +3155,26 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + * mid-byte, causing the first EEPROM read after the reset + * from the wrong location resulting in the switch booting + * to wrong mode and inoperable. ++ * For this reason, switch families with EEPROM support ++ * generally wait for EEPROM loads to complete as their pre- ++ * and post-reset handlers. + */ +- if (chip->info->ops->get_eeprom) +- mv88e6xxx_g2_eeprom_wait(chip); ++ if (chip->info->ops->hardware_reset_pre) { ++ err = chip->info->ops->hardware_reset_pre(chip); ++ if (err) ++ dev_err(chip->dev, "pre-reset error: %d\n", err); ++ } + + gpiod_set_value_cansleep(gpiod, 1); + usleep_range(10000, 20000); + gpiod_set_value_cansleep(gpiod, 0); + usleep_range(10000, 20000); + +- if (chip->info->ops->get_eeprom) +- mv88e6xxx_g2_eeprom_wait(chip); ++ if (chip->info->ops->hardware_reset_post) { ++ err = chip->info->ops->hardware_reset_post(chip); ++ if (err) ++ dev_err(chip->dev, "post-reset error: %d\n", err); ++ } + } + } + +@@ -4394,6 +4404,8 @@ static const struct mv88e6xxx_ops mv88e6141_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4584,6 +4596,8 @@ static const struct mv88e6xxx_ops mv88e6172_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4684,6 +4698,8 @@ static const struct mv88e6xxx_ops mv88e6176_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4778,6 +4794,8 @@ static const struct mv88e6xxx_ops mv88e6190_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4836,6 +4854,8 @@ static const struct mv88e6xxx_ops mv88e6190x_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4892,6 +4912,8 @@ static const struct mv88e6xxx_ops mv88e6191_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -4951,6 +4973,8 @@ static const struct mv88e6xxx_ops mv88e6240_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5004,6 +5028,8 @@ static const struct mv88e6xxx_ops mv88e6250_ops = { + .watchdog_ops = &mv88e6250_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6250_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5051,6 +5077,8 @@ static const struct mv88e6xxx_ops mv88e6290_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5110,6 +5138,8 @@ static const struct mv88e6xxx_ops mv88e6320_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5156,6 +5186,8 @@ static const struct mv88e6xxx_ops mv88e6321_ops = { + .set_egress_port = mv88e6095_g1_set_egress_port, + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +@@ -5206,6 +5238,8 @@ static const struct mv88e6xxx_ops mv88e6341_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5361,6 +5395,8 @@ static const struct mv88e6xxx_ops mv88e6352_ops = { + .watchdog_ops = &mv88e6097_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6352_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5423,6 +5459,8 @@ static const struct mv88e6xxx_ops mv88e6390_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5485,6 +5523,8 @@ static const struct mv88e6xxx_ops mv88e6390x_ops = { + .watchdog_ops = &mv88e6390_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +@@ -5550,6 +5590,8 @@ static const struct mv88e6xxx_ops mv88e6393x_ops = { + .watchdog_ops = &mv88e6393x_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6393x_port_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, ++ .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, + .reset = mv88e6352_g1_reset, + .rmu_disable = mv88e6390_g1_rmu_disable, + .atu_get_hash = mv88e6165_g1_atu_get_hash, +diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h +index 85eb293381a7e..c34caf9815c5c 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.h ++++ b/drivers/net/dsa/mv88e6xxx/chip.h +@@ -487,6 +487,12 @@ struct mv88e6xxx_ops { + int (*ppu_enable)(struct mv88e6xxx_chip *chip); + int (*ppu_disable)(struct mv88e6xxx_chip *chip); + ++ /* Additional handlers to run before and after hard reset, to make sure ++ * that the switch and EEPROM are in a good state. ++ */ ++ int (*hardware_reset_pre)(struct mv88e6xxx_chip *chip); ++ int (*hardware_reset_post)(struct mv88e6xxx_chip *chip); ++ + /* Switch Software Reset */ + int (*reset)(struct mv88e6xxx_chip *chip); + +-- +2.43.0 + diff --git a/queue-6.9/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch b/queue-6.9/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch new file mode 100644 index 00000000000..2457930fc44 --- /dev/null +++ b/queue-6.9/net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch @@ -0,0 +1,173 @@ +From 63d4b97b84b5e81c101fb9537cffd6e0fd9ad93b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 09:47:49 +0200 +Subject: net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on + 88E6250-family switches + +From: Matthias Schiffer + +[ Upstream commit e44894e2aa4eb311ceda134de8b6f51ff979211b ] + +88E6250-family switches have the quirk that the EEPROM Running flag can +get stuck at 1 when no EEPROM is connected, causing +mv88e6xxx_g2_eeprom_wait() to time out. We still want to wait for the +EEPROM however, to avoid interrupting a transfer and leaving the EEPROM +in an invalid state. + +The condition to wait for recommended by the hardware spec is the EEInt +flag, however this flag is cleared on read, so before the hardware reset, +is may have been cleared already even though the EEPROM has been read +successfully. + +For this reason, we revive the mv88e6xxx_g1_wait_eeprom_done() function +that was removed in commit 6ccf50d4d474 +("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") in a +slightly refactored form, and introduce a new +mv88e6xxx_g1_wait_eeprom_done_prereset() that additionally handles this +case by triggering another EEPROM reload that can be waited on. + +On other switch models without this quirk, mv88e6xxx_g2_eeprom_wait() is +kept, as it avoids the additional reload. + +Fixes: 6ccf50d4d474 ("net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent") +Signed-off-by: Matthias Schiffer +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 4 +- + drivers/net/dsa/mv88e6xxx/global1.c | 89 +++++++++++++++++++++++++++++ + drivers/net/dsa/mv88e6xxx/global1.h | 2 + + 3 files changed, 93 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index ab13c8bc199c0..5a202edfec371 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -5028,8 +5028,8 @@ static const struct mv88e6xxx_ops mv88e6250_ops = { + .watchdog_ops = &mv88e6250_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, +- .hardware_reset_pre = mv88e6xxx_g2_eeprom_wait, +- .hardware_reset_post = mv88e6xxx_g2_eeprom_wait, ++ .hardware_reset_pre = mv88e6250_g1_wait_eeprom_done_prereset, ++ .hardware_reset_post = mv88e6xxx_g1_wait_eeprom_done, + .reset = mv88e6250_g1_reset, + .vtu_getnext = mv88e6185_g1_vtu_getnext, + .vtu_loadpurge = mv88e6185_g1_vtu_loadpurge, +diff --git a/drivers/net/dsa/mv88e6xxx/global1.c b/drivers/net/dsa/mv88e6xxx/global1.c +index 49444a72ff095..9820cd5967574 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.c ++++ b/drivers/net/dsa/mv88e6xxx/global1.c +@@ -75,6 +75,95 @@ static int mv88e6xxx_g1_wait_init_ready(struct mv88e6xxx_chip *chip) + return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_STS, bit, 1); + } + ++static int mv88e6250_g1_eeprom_reload(struct mv88e6xxx_chip *chip) ++{ ++ /* MV88E6185_G1_CTL1_RELOAD_EEPROM is also valid for 88E6250 */ ++ int bit = __bf_shf(MV88E6185_G1_CTL1_RELOAD_EEPROM); ++ u16 val; ++ int err; ++ ++ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_CTL1, &val); ++ if (err) ++ return err; ++ ++ val |= MV88E6185_G1_CTL1_RELOAD_EEPROM; ++ ++ err = mv88e6xxx_g1_write(chip, MV88E6XXX_G1_CTL1, val); ++ if (err) ++ return err; ++ ++ return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_CTL1, bit, 0); ++} ++ ++/* Returns 0 when done, -EBUSY when waiting, other negative codes on error */ ++static int mv88e6xxx_g1_is_eeprom_done(struct mv88e6xxx_chip *chip) ++{ ++ u16 val; ++ int err; ++ ++ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_STS, &val); ++ if (err < 0) { ++ dev_err(chip->dev, "Error reading status"); ++ return err; ++ } ++ ++ /* If the switch is still resetting, it may not ++ * respond on the bus, and so MDIO read returns ++ * 0xffff. Differentiate between that, and waiting for ++ * the EEPROM to be done by bit 0 being set. ++ */ ++ if (val == 0xffff || !(val & BIT(MV88E6XXX_G1_STS_IRQ_EEPROM_DONE))) ++ return -EBUSY; ++ ++ return 0; ++} ++ ++/* As the EEInt (EEPROM done) flag clears on read if the status register, this ++ * function must be called directly after a hard reset or EEPROM ReLoad request, ++ * or the done condition may have been missed ++ */ ++int mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip) ++{ ++ const unsigned long timeout = jiffies + 1 * HZ; ++ int ret; ++ ++ /* Wait up to 1 second for the switch to finish reading the ++ * EEPROM. ++ */ ++ while (time_before(jiffies, timeout)) { ++ ret = mv88e6xxx_g1_is_eeprom_done(chip); ++ if (ret != -EBUSY) ++ return ret; ++ } ++ ++ dev_err(chip->dev, "Timeout waiting for EEPROM done"); ++ return -ETIMEDOUT; ++} ++ ++int mv88e6250_g1_wait_eeprom_done_prereset(struct mv88e6xxx_chip *chip) ++{ ++ int ret; ++ ++ ret = mv88e6xxx_g1_is_eeprom_done(chip); ++ if (ret != -EBUSY) ++ return ret; ++ ++ /* Pre-reset, we don't know the state of the switch - when ++ * mv88e6xxx_g1_is_eeprom_done() returns -EBUSY, that may be because ++ * the switch is actually busy reading the EEPROM, or because ++ * MV88E6XXX_G1_STS_IRQ_EEPROM_DONE has been cleared by an unrelated ++ * status register read already. ++ * ++ * To account for the latter case, trigger another EEPROM reload for ++ * another chance at seeing the done flag. ++ */ ++ ret = mv88e6250_g1_eeprom_reload(chip); ++ if (ret) ++ return ret; ++ ++ return mv88e6xxx_g1_wait_eeprom_done(chip); ++} ++ + /* Offset 0x01: Switch MAC Address Register Bytes 0 & 1 + * Offset 0x02: Switch MAC Address Register Bytes 2 & 3 + * Offset 0x03: Switch MAC Address Register Bytes 4 & 5 +diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h +index 1095261f5b490..3dbb7a1b8fe11 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.h ++++ b/drivers/net/dsa/mv88e6xxx/global1.h +@@ -282,6 +282,8 @@ int mv88e6xxx_g1_set_switch_mac(struct mv88e6xxx_chip *chip, u8 *addr); + int mv88e6185_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6352_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6250_g1_reset(struct mv88e6xxx_chip *chip); ++int mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip); ++int mv88e6250_g1_wait_eeprom_done_prereset(struct mv88e6xxx_chip *chip); + + int mv88e6185_g1_ppu_enable(struct mv88e6xxx_chip *chip); + int mv88e6185_g1_ppu_disable(struct mv88e6xxx_chip *chip); +-- +2.43.0 + diff --git a/queue-6.9/net-ethernet-cortina-locking-fixes.patch b/queue-6.9/net-ethernet-cortina-locking-fixes.patch new file mode 100644 index 00000000000..4d6bf4a6882 --- /dev/null +++ b/queue-6.9/net-ethernet-cortina-locking-fixes.patch @@ -0,0 +1,86 @@ +From e35aba2faaddfde309c44defc95e7684acc82fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:44:54 +0200 +Subject: net: ethernet: cortina: Locking fixes + +From: Linus Walleij + +[ Upstream commit 812552808f7ff71133fc59768cdc253c5b8ca1bf ] + +This fixes a probably long standing problem in the Cortina +Gemini ethernet driver: there are some paths in the code +where the IRQ registers are written without taking the proper +locks. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Linus Walleij +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509-gemini-ethernet-locking-v1-1-afd00a528b95@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 705c3eb19cd3f..d1fbadbf86d4a 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1107,10 +1107,13 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + { + struct gemini_ethernet_port *port = netdev_priv(netdev); + struct gemini_ethernet *geth = port->geth; ++ unsigned long flags; + u32 val, mask; + + netdev_dbg(netdev, "%s device %d\n", __func__, netdev->dev_id); + ++ spin_lock_irqsave(&geth->irq_lock, flags); ++ + mask = GMAC0_IRQ0_TXQ0_INTS << (6 * netdev->dev_id + txq); + + if (en) +@@ -1119,6 +1122,8 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + val = readl(geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); + val = en ? val | mask : val & ~mask; + writel(val, geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); ++ ++ spin_unlock_irqrestore(&geth->irq_lock, flags); + } + + static void gmac_tx_irq(struct net_device *netdev, unsigned int txq_num) +@@ -1415,15 +1420,19 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget) + union gmac_rxdesc_3 word3; + struct page *page = NULL; + unsigned int page_offs; ++ unsigned long flags; + unsigned short r, w; + union dma_rwptr rw; + dma_addr_t mapping; + int frag_nr = 0; + ++ spin_lock_irqsave(&geth->irq_lock, flags); + rw.bits32 = readl(ptr_reg); + /* Reset interrupt as all packages until here are taken into account */ + writel(DEFAULT_Q0_INT_BIT << netdev->dev_id, + geth->base + GLOBAL_INTERRUPT_STATUS_1_REG); ++ spin_unlock_irqrestore(&geth->irq_lock, flags); ++ + r = rw.bits.rptr; + w = rw.bits.wptr; + +@@ -1726,10 +1735,9 @@ static irqreturn_t gmac_irq(int irq, void *data) + gmac_update_hw_stats(netdev); + + if (val & (GMAC0_RX_OVERRUN_INT_BIT << (netdev->dev_id * 8))) { ++ spin_lock(&geth->irq_lock); + writel(GMAC0_RXDERR_INT_BIT << (netdev->dev_id * 8), + geth->base + GLOBAL_INTERRUPT_STATUS_4_REG); +- +- spin_lock(&geth->irq_lock); + u64_stats_update_begin(&port->ir_stats_syncp); + ++port->stats.rx_fifo_errors; + u64_stats_update_end(&port->ir_stats_syncp); +-- +2.43.0 + diff --git a/queue-6.9/net-ethernet-mediatek-split-tx-and-rx-fields-in-mtk_.patch b/queue-6.9/net-ethernet-mediatek-split-tx-and-rx-fields-in-mtk_.patch new file mode 100644 index 00000000000..5610f5e3624 --- /dev/null +++ b/queue-6.9/net-ethernet-mediatek-split-tx-and-rx-fields-in-mtk_.patch @@ -0,0 +1,618 @@ +From e3af4abd7635f662bc75aeb611a9587d1453c752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 11:43:34 +0100 +Subject: net: ethernet: mediatek: split tx and rx fields in mtk_soc_data + struct + +From: Lorenzo Bianconi + +[ Upstream commit ecb51fa37ee22f137a87fa140b1e9f1759949f9a ] + +Split tx and rx fields in mtk_soc_data struct. This is a preliminary +patch to roll back to ADMAv1 for MT7986 and MT7981 SoC in order to fix a +hw hang if the device receives a corrupted packet when using ADMAv2.0. + +Fixes: 197c9e9b17b1 ("net: ethernet: mtk_eth_soc: introduce support for mt7986 chipset") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Daniel Golle +Reviewed-by: Przemek Kitszel +Link: https://lore.kernel.org/r/70a799b1f060ec2f57883e88ccb420ac0fb0abb5.1715164770.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 210 ++++++++++++-------- + drivers/net/ethernet/mediatek/mtk_eth_soc.h | 29 +-- + 2 files changed, 139 insertions(+), 100 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index caa13b9cedff0..3eefb735ce197 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1139,7 +1139,7 @@ static int mtk_init_fq_dma(struct mtk_eth *eth) + eth->scratch_ring = eth->sram_base; + else + eth->scratch_ring = dma_alloc_coherent(eth->dma_dev, +- cnt * soc->txrx.txd_size, ++ cnt * soc->tx.desc_size, + ð->phy_scratch_ring, + GFP_KERNEL); + if (unlikely(!eth->scratch_ring)) +@@ -1155,17 +1155,17 @@ static int mtk_init_fq_dma(struct mtk_eth *eth) + if (unlikely(dma_mapping_error(eth->dma_dev, dma_addr))) + return -ENOMEM; + +- phy_ring_tail = eth->phy_scratch_ring + soc->txrx.txd_size * (cnt - 1); ++ phy_ring_tail = eth->phy_scratch_ring + soc->tx.desc_size * (cnt - 1); + + for (i = 0; i < cnt; i++) { + dma_addr_t addr = dma_addr + i * MTK_QDMA_PAGE_SIZE; + struct mtk_tx_dma_v2 *txd; + +- txd = eth->scratch_ring + i * soc->txrx.txd_size; ++ txd = eth->scratch_ring + i * soc->tx.desc_size; + txd->txd1 = addr; + if (i < cnt - 1) + txd->txd2 = eth->phy_scratch_ring + +- (i + 1) * soc->txrx.txd_size; ++ (i + 1) * soc->tx.desc_size; + + txd->txd3 = TX_DMA_PLEN0(MTK_QDMA_PAGE_SIZE); + if (MTK_HAS_CAPS(soc->caps, MTK_36BIT_DMA)) +@@ -1416,7 +1416,7 @@ static int mtk_tx_map(struct sk_buff *skb, struct net_device *dev, + if (itxd == ring->last_free) + return -ENOMEM; + +- itx_buf = mtk_desc_to_tx_buf(ring, itxd, soc->txrx.txd_size); ++ itx_buf = mtk_desc_to_tx_buf(ring, itxd, soc->tx.desc_size); + memset(itx_buf, 0, sizeof(*itx_buf)); + + txd_info.addr = dma_map_single(eth->dma_dev, skb->data, txd_info.size, +@@ -1457,7 +1457,7 @@ static int mtk_tx_map(struct sk_buff *skb, struct net_device *dev, + + memset(&txd_info, 0, sizeof(struct mtk_tx_dma_desc_info)); + txd_info.size = min_t(unsigned int, frag_size, +- soc->txrx.dma_max_len); ++ soc->tx.dma_max_len); + txd_info.qid = queue; + txd_info.last = i == skb_shinfo(skb)->nr_frags - 1 && + !(frag_size - txd_info.size); +@@ -1470,7 +1470,7 @@ static int mtk_tx_map(struct sk_buff *skb, struct net_device *dev, + mtk_tx_set_dma_desc(dev, txd, &txd_info); + + tx_buf = mtk_desc_to_tx_buf(ring, txd, +- soc->txrx.txd_size); ++ soc->tx.desc_size); + if (new_desc) + memset(tx_buf, 0, sizeof(*tx_buf)); + tx_buf->data = (void *)MTK_DMA_DUMMY_DESC; +@@ -1513,7 +1513,7 @@ static int mtk_tx_map(struct sk_buff *skb, struct net_device *dev, + } else { + int next_idx; + +- next_idx = NEXT_DESP_IDX(txd_to_idx(ring, txd, soc->txrx.txd_size), ++ next_idx = NEXT_DESP_IDX(txd_to_idx(ring, txd, soc->tx.desc_size), + ring->dma_size); + mtk_w32(eth, next_idx, MT7628_TX_CTX_IDX0); + } +@@ -1522,7 +1522,7 @@ static int mtk_tx_map(struct sk_buff *skb, struct net_device *dev, + + err_dma: + do { +- tx_buf = mtk_desc_to_tx_buf(ring, itxd, soc->txrx.txd_size); ++ tx_buf = mtk_desc_to_tx_buf(ring, itxd, soc->tx.desc_size); + + /* unmap dma */ + mtk_tx_unmap(eth, tx_buf, NULL, false); +@@ -1547,7 +1547,7 @@ static int mtk_cal_txd_req(struct mtk_eth *eth, struct sk_buff *skb) + for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { + frag = &skb_shinfo(skb)->frags[i]; + nfrags += DIV_ROUND_UP(skb_frag_size(frag), +- eth->soc->txrx.dma_max_len); ++ eth->soc->tx.dma_max_len); + } + } else { + nfrags += skb_shinfo(skb)->nr_frags; +@@ -1654,7 +1654,7 @@ static struct mtk_rx_ring *mtk_get_rx_ring(struct mtk_eth *eth) + + ring = ð->rx_ring[i]; + idx = NEXT_DESP_IDX(ring->calc_idx, ring->dma_size); +- rxd = ring->dma + idx * eth->soc->txrx.rxd_size; ++ rxd = ring->dma + idx * eth->soc->rx.desc_size; + if (rxd->rxd2 & RX_DMA_DONE) { + ring->calc_idx_update = true; + return ring; +@@ -1822,7 +1822,7 @@ static int mtk_xdp_submit_frame(struct mtk_eth *eth, struct xdp_frame *xdpf, + } + htxd = txd; + +- tx_buf = mtk_desc_to_tx_buf(ring, txd, soc->txrx.txd_size); ++ tx_buf = mtk_desc_to_tx_buf(ring, txd, soc->tx.desc_size); + memset(tx_buf, 0, sizeof(*tx_buf)); + htx_buf = tx_buf; + +@@ -1841,7 +1841,7 @@ static int mtk_xdp_submit_frame(struct mtk_eth *eth, struct xdp_frame *xdpf, + goto unmap; + + tx_buf = mtk_desc_to_tx_buf(ring, txd, +- soc->txrx.txd_size); ++ soc->tx.desc_size); + memset(tx_buf, 0, sizeof(*tx_buf)); + n_desc++; + } +@@ -1879,7 +1879,7 @@ static int mtk_xdp_submit_frame(struct mtk_eth *eth, struct xdp_frame *xdpf, + } else { + int idx; + +- idx = txd_to_idx(ring, txd, soc->txrx.txd_size); ++ idx = txd_to_idx(ring, txd, soc->tx.desc_size); + mtk_w32(eth, NEXT_DESP_IDX(idx, ring->dma_size), + MT7628_TX_CTX_IDX0); + } +@@ -1890,7 +1890,7 @@ static int mtk_xdp_submit_frame(struct mtk_eth *eth, struct xdp_frame *xdpf, + + unmap: + while (htxd != txd) { +- tx_buf = mtk_desc_to_tx_buf(ring, htxd, soc->txrx.txd_size); ++ tx_buf = mtk_desc_to_tx_buf(ring, htxd, soc->tx.desc_size); + mtk_tx_unmap(eth, tx_buf, NULL, false); + + htxd->txd3 = TX_DMA_LS0 | TX_DMA_OWNER_CPU; +@@ -2021,7 +2021,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + goto rx_done; + + idx = NEXT_DESP_IDX(ring->calc_idx, ring->dma_size); +- rxd = ring->dma + idx * eth->soc->txrx.rxd_size; ++ rxd = ring->dma + idx * eth->soc->rx.desc_size; + data = ring->data[idx]; + + if (!mtk_rx_get_desc(eth, &trxd, rxd)) +@@ -2156,7 +2156,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + rxdcsum = &trxd.rxd4; + } + +- if (*rxdcsum & eth->soc->txrx.rx_dma_l4_valid) ++ if (*rxdcsum & eth->soc->rx.dma_l4_valid) + skb->ip_summed = CHECKSUM_UNNECESSARY; + else + skb_checksum_none_assert(skb); +@@ -2280,7 +2280,7 @@ static int mtk_poll_tx_qdma(struct mtk_eth *eth, int budget, + break; + + tx_buf = mtk_desc_to_tx_buf(ring, desc, +- eth->soc->txrx.txd_size); ++ eth->soc->tx.desc_size); + if (!tx_buf->data) + break; + +@@ -2331,7 +2331,7 @@ static int mtk_poll_tx_pdma(struct mtk_eth *eth, int budget, + } + mtk_tx_unmap(eth, tx_buf, &bq, true); + +- desc = ring->dma + cpu * eth->soc->txrx.txd_size; ++ desc = ring->dma + cpu * eth->soc->tx.desc_size; + ring->last_free = desc; + atomic_inc(&ring->free_count); + +@@ -2421,7 +2421,7 @@ static int mtk_napi_rx(struct napi_struct *napi, int budget) + do { + int rx_done; + +- mtk_w32(eth, eth->soc->txrx.rx_irq_done_mask, ++ mtk_w32(eth, eth->soc->rx.irq_done_mask, + reg_map->pdma.irq_status); + rx_done = mtk_poll_rx(napi, budget - rx_done_total, eth); + rx_done_total += rx_done; +@@ -2437,10 +2437,10 @@ static int mtk_napi_rx(struct napi_struct *napi, int budget) + return budget; + + } while (mtk_r32(eth, reg_map->pdma.irq_status) & +- eth->soc->txrx.rx_irq_done_mask); ++ eth->soc->rx.irq_done_mask); + + if (napi_complete_done(napi, rx_done_total)) +- mtk_rx_irq_enable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_enable(eth, eth->soc->rx.irq_done_mask); + + return rx_done_total; + } +@@ -2449,7 +2449,7 @@ static int mtk_tx_alloc(struct mtk_eth *eth) + { + const struct mtk_soc_data *soc = eth->soc; + struct mtk_tx_ring *ring = ð->tx_ring; +- int i, sz = soc->txrx.txd_size; ++ int i, sz = soc->tx.desc_size; + struct mtk_tx_dma_v2 *txd; + int ring_size; + u32 ofs, val; +@@ -2572,14 +2572,14 @@ static void mtk_tx_clean(struct mtk_eth *eth) + } + if (!MTK_HAS_CAPS(soc->caps, MTK_SRAM) && ring->dma) { + dma_free_coherent(eth->dma_dev, +- ring->dma_size * soc->txrx.txd_size, ++ ring->dma_size * soc->tx.desc_size, + ring->dma, ring->phys); + ring->dma = NULL; + } + + if (ring->dma_pdma) { + dma_free_coherent(eth->dma_dev, +- ring->dma_size * soc->txrx.txd_size, ++ ring->dma_size * soc->tx.desc_size, + ring->dma_pdma, ring->phys_pdma); + ring->dma_pdma = NULL; + } +@@ -2634,15 +2634,15 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + if (!MTK_HAS_CAPS(eth->soc->caps, MTK_SRAM) || + rx_flag != MTK_RX_FLAGS_NORMAL) { + ring->dma = dma_alloc_coherent(eth->dma_dev, +- rx_dma_size * eth->soc->txrx.rxd_size, +- &ring->phys, GFP_KERNEL); ++ rx_dma_size * eth->soc->rx.desc_size, ++ &ring->phys, GFP_KERNEL); + } else { + struct mtk_tx_ring *tx_ring = ð->tx_ring; + + ring->dma = tx_ring->dma + tx_ring_size * +- eth->soc->txrx.txd_size * (ring_no + 1); ++ eth->soc->tx.desc_size * (ring_no + 1); + ring->phys = tx_ring->phys + tx_ring_size * +- eth->soc->txrx.txd_size * (ring_no + 1); ++ eth->soc->tx.desc_size * (ring_no + 1); + } + + if (!ring->dma) +@@ -2653,7 +2653,7 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + dma_addr_t dma_addr; + void *data; + +- rxd = ring->dma + i * eth->soc->txrx.rxd_size; ++ rxd = ring->dma + i * eth->soc->rx.desc_size; + if (ring->page_pool) { + data = mtk_page_pool_get_buff(ring->page_pool, + &dma_addr, GFP_KERNEL); +@@ -2744,7 +2744,7 @@ static void mtk_rx_clean(struct mtk_eth *eth, struct mtk_rx_ring *ring, bool in_ + if (!ring->data[i]) + continue; + +- rxd = ring->dma + i * eth->soc->txrx.rxd_size; ++ rxd = ring->dma + i * eth->soc->rx.desc_size; + if (!rxd->rxd1) + continue; + +@@ -2761,7 +2761,7 @@ static void mtk_rx_clean(struct mtk_eth *eth, struct mtk_rx_ring *ring, bool in_ + + if (!in_sram && ring->dma) { + dma_free_coherent(eth->dma_dev, +- ring->dma_size * eth->soc->txrx.rxd_size, ++ ring->dma_size * eth->soc->rx.desc_size, + ring->dma, ring->phys); + ring->dma = NULL; + } +@@ -3124,7 +3124,7 @@ static void mtk_dma_free(struct mtk_eth *eth) + netdev_reset_queue(eth->netdev[i]); + if (!MTK_HAS_CAPS(soc->caps, MTK_SRAM) && eth->scratch_ring) { + dma_free_coherent(eth->dma_dev, +- MTK_QDMA_RING_SIZE * soc->txrx.txd_size, ++ MTK_QDMA_RING_SIZE * soc->tx.desc_size, + eth->scratch_ring, eth->phy_scratch_ring); + eth->scratch_ring = NULL; + eth->phy_scratch_ring = 0; +@@ -3174,7 +3174,7 @@ static irqreturn_t mtk_handle_irq_rx(int irq, void *_eth) + + eth->rx_events++; + if (likely(napi_schedule_prep(ð->rx_napi))) { +- mtk_rx_irq_disable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_disable(eth, eth->soc->rx.irq_done_mask); + __napi_schedule(ð->rx_napi); + } + +@@ -3200,9 +3200,9 @@ static irqreturn_t mtk_handle_irq(int irq, void *_eth) + const struct mtk_reg_map *reg_map = eth->soc->reg_map; + + if (mtk_r32(eth, reg_map->pdma.irq_mask) & +- eth->soc->txrx.rx_irq_done_mask) { ++ eth->soc->rx.irq_done_mask) { + if (mtk_r32(eth, reg_map->pdma.irq_status) & +- eth->soc->txrx.rx_irq_done_mask) ++ eth->soc->rx.irq_done_mask) + mtk_handle_irq_rx(irq, _eth); + } + if (mtk_r32(eth, reg_map->tx_irq_mask) & MTK_TX_DONE_INT) { +@@ -3220,10 +3220,10 @@ static void mtk_poll_controller(struct net_device *dev) + struct mtk_eth *eth = mac->hw; + + mtk_tx_irq_disable(eth, MTK_TX_DONE_INT); +- mtk_rx_irq_disable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_disable(eth, eth->soc->rx.irq_done_mask); + mtk_handle_irq_rx(eth->irq[2], dev); + mtk_tx_irq_enable(eth, MTK_TX_DONE_INT); +- mtk_rx_irq_enable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_enable(eth, eth->soc->rx.irq_done_mask); + } + #endif + +@@ -3387,7 +3387,7 @@ static int mtk_open(struct net_device *dev) + napi_enable(ð->tx_napi); + napi_enable(ð->rx_napi); + mtk_tx_irq_enable(eth, MTK_TX_DONE_INT); +- mtk_rx_irq_enable(eth, soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_enable(eth, soc->rx.irq_done_mask); + refcount_set(ð->dma_refcnt, 1); + } + else +@@ -3471,7 +3471,7 @@ static int mtk_stop(struct net_device *dev) + mtk_gdm_config(eth, MTK_GDMA_DROP_ALL); + + mtk_tx_irq_disable(eth, MTK_TX_DONE_INT); +- mtk_rx_irq_disable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_disable(eth, eth->soc->rx.irq_done_mask); + napi_disable(ð->tx_napi); + napi_disable(ð->rx_napi); + +@@ -3947,9 +3947,9 @@ static int mtk_hw_init(struct mtk_eth *eth, bool reset) + + /* FE int grouping */ + mtk_w32(eth, MTK_TX_DONE_INT, reg_map->pdma.int_grp); +- mtk_w32(eth, eth->soc->txrx.rx_irq_done_mask, reg_map->pdma.int_grp + 4); ++ mtk_w32(eth, eth->soc->rx.irq_done_mask, reg_map->pdma.int_grp + 4); + mtk_w32(eth, MTK_TX_DONE_INT, reg_map->qdma.int_grp); +- mtk_w32(eth, eth->soc->txrx.rx_irq_done_mask, reg_map->qdma.int_grp + 4); ++ mtk_w32(eth, eth->soc->rx.irq_done_mask, reg_map->qdma.int_grp + 4); + mtk_w32(eth, 0x21021000, MTK_FE_INT_GRP); + + if (mtk_is_netsys_v3_or_greater(eth)) { +@@ -5039,11 +5039,15 @@ static const struct mtk_soc_data mt2701_data = { + .required_clks = MT7623_CLKS_BITMAP, + .required_pctl = true, + .version = 1, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +@@ -5059,11 +5063,15 @@ static const struct mtk_soc_data mt7621_data = { + .offload_version = 1, + .hash_offset = 2, + .foe_entry_size = MTK_FOE_ENTRY_V1_SIZE, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +@@ -5081,11 +5089,15 @@ static const struct mtk_soc_data mt7622_data = { + .hash_offset = 2, + .has_accounting = true, + .foe_entry_size = MTK_FOE_ENTRY_V1_SIZE, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +@@ -5102,11 +5114,15 @@ static const struct mtk_soc_data mt7623_data = { + .hash_offset = 2, + .foe_entry_size = MTK_FOE_ENTRY_V1_SIZE, + .disable_pll_modes = true, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +@@ -5121,11 +5137,15 @@ static const struct mtk_soc_data mt7629_data = { + .required_pctl = false, + .has_accounting = true, + .version = 1, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +@@ -5143,11 +5163,15 @@ static const struct mtk_soc_data mt7981_data = { + .hash_offset = 4, + .has_accounting = true, + .foe_entry_size = MTK_FOE_ENTRY_V2_SIZE, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma_v2), +- .rxd_size = sizeof(struct mtk_rx_dma_v2), +- .rx_irq_done_mask = MTK_RX_DONE_INT_V2, +- .rx_dma_l4_valid = RX_DMA_L4_VALID_V2, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma_v2), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, ++ .dma_len_offset = 8, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma_v2), ++ .irq_done_mask = MTK_RX_DONE_INT_V2, ++ .dma_l4_valid = RX_DMA_L4_VALID_V2, + .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, + .dma_len_offset = 8, + }, +@@ -5165,11 +5189,15 @@ static const struct mtk_soc_data mt7986_data = { + .hash_offset = 4, + .has_accounting = true, + .foe_entry_size = MTK_FOE_ENTRY_V2_SIZE, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma_v2), +- .rxd_size = sizeof(struct mtk_rx_dma_v2), +- .rx_irq_done_mask = MTK_RX_DONE_INT_V2, +- .rx_dma_l4_valid = RX_DMA_L4_VALID_V2, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma_v2), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, ++ .dma_len_offset = 8, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma_v2), ++ .irq_done_mask = MTK_RX_DONE_INT_V2, ++ .dma_l4_valid = RX_DMA_L4_VALID_V2, + .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, + .dma_len_offset = 8, + }, +@@ -5187,11 +5215,15 @@ static const struct mtk_soc_data mt7988_data = { + .hash_offset = 4, + .has_accounting = true, + .foe_entry_size = MTK_FOE_ENTRY_V3_SIZE, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma_v2), +- .rxd_size = sizeof(struct mtk_rx_dma_v2), +- .rx_irq_done_mask = MTK_RX_DONE_INT_V2, +- .rx_dma_l4_valid = RX_DMA_L4_VALID_V2, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma_v2), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, ++ .dma_len_offset = 8, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma_v2), ++ .irq_done_mask = MTK_RX_DONE_INT_V2, ++ .dma_l4_valid = RX_DMA_L4_VALID_V2, + .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, + .dma_len_offset = 8, + }, +@@ -5204,11 +5236,15 @@ static const struct mtk_soc_data rt5350_data = { + .required_clks = MT7628_CLKS_BITMAP, + .required_pctl = false, + .version = 1, +- .txrx = { +- .txd_size = sizeof(struct mtk_tx_dma), +- .rxd_size = sizeof(struct mtk_rx_dma), +- .rx_irq_done_mask = MTK_RX_DONE_INT, +- .rx_dma_l4_valid = RX_DMA_L4_VALID_PDMA, ++ .tx = { ++ .desc_size = sizeof(struct mtk_tx_dma), ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, ++ }, ++ .rx = { ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, ++ .dma_l4_valid = RX_DMA_L4_VALID_PDMA, + .dma_max_len = MTK_TX_DMA_BUF_LEN, + .dma_len_offset = 16, + }, +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +index 9ae3b8a71d0e6..39b50de1decbf 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +@@ -327,8 +327,8 @@ + /* QDMA descriptor txd3 */ + #define TX_DMA_OWNER_CPU BIT(31) + #define TX_DMA_LS0 BIT(30) +-#define TX_DMA_PLEN0(x) (((x) & eth->soc->txrx.dma_max_len) << eth->soc->txrx.dma_len_offset) +-#define TX_DMA_PLEN1(x) ((x) & eth->soc->txrx.dma_max_len) ++#define TX_DMA_PLEN0(x) (((x) & eth->soc->tx.dma_max_len) << eth->soc->tx.dma_len_offset) ++#define TX_DMA_PLEN1(x) ((x) & eth->soc->tx.dma_max_len) + #define TX_DMA_SWC BIT(14) + #define TX_DMA_PQID GENMASK(3, 0) + #define TX_DMA_ADDR64_MASK GENMASK(3, 0) +@@ -348,8 +348,8 @@ + /* QDMA descriptor rxd2 */ + #define RX_DMA_DONE BIT(31) + #define RX_DMA_LSO BIT(30) +-#define RX_DMA_PREP_PLEN0(x) (((x) & eth->soc->txrx.dma_max_len) << eth->soc->txrx.dma_len_offset) +-#define RX_DMA_GET_PLEN0(x) (((x) >> eth->soc->txrx.dma_len_offset) & eth->soc->txrx.dma_max_len) ++#define RX_DMA_PREP_PLEN0(x) (((x) & eth->soc->rx.dma_max_len) << eth->soc->rx.dma_len_offset) ++#define RX_DMA_GET_PLEN0(x) (((x) >> eth->soc->rx.dma_len_offset) & eth->soc->rx.dma_max_len) + #define RX_DMA_VTAG BIT(15) + #define RX_DMA_ADDR64_MASK GENMASK(3, 0) + #if IS_ENABLED(CONFIG_64BIT) +@@ -1153,10 +1153,9 @@ struct mtk_reg_map { + * @foe_entry_size Foe table entry size. + * @has_accounting Bool indicating support for accounting of + * offloaded flows. +- * @txd_size Tx DMA descriptor size. +- * @rxd_size Rx DMA descriptor size. +- * @rx_irq_done_mask Rx irq done register mask. +- * @rx_dma_l4_valid Rx DMA valid register mask. ++ * @desc_size Tx/Rx DMA descriptor size. ++ * @irq_done_mask Rx irq done register mask. ++ * @dma_l4_valid Rx DMA valid register mask. + * @dma_max_len Max DMA tx/rx buffer length. + * @dma_len_offset Tx/Rx DMA length field offset. + */ +@@ -1174,13 +1173,17 @@ struct mtk_soc_data { + bool has_accounting; + bool disable_pll_modes; + struct { +- u32 txd_size; +- u32 rxd_size; +- u32 rx_irq_done_mask; +- u32 rx_dma_l4_valid; ++ u32 desc_size; + u32 dma_max_len; + u32 dma_len_offset; +- } txrx; ++ } tx; ++ struct { ++ u32 desc_size; ++ u32 irq_done_mask; ++ u32 dma_l4_valid; ++ u32 dma_max_len; ++ u32 dma_len_offset; ++ } rx; + }; + + #define MTK_DMA_MONITOR_TIMEOUT msecs_to_jiffies(1000) +-- +2.43.0 + diff --git a/queue-6.9/net-ethernet-mediatek-use-admav1-instead-of-admav2.0.patch b/queue-6.9/net-ethernet-mediatek-use-admav1-instead-of-admav2.0.patch new file mode 100644 index 00000000000..8d1c9d1fb89 --- /dev/null +++ b/queue-6.9/net-ethernet-mediatek-use-admav1-instead-of-admav2.0.patch @@ -0,0 +1,138 @@ +From 6a5fadf68ad303c067712956be0cca388d2e63f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 11:43:56 +0100 +Subject: net: ethernet: mediatek: use ADMAv1 instead of ADMAv2.0 on MT7981 and + MT7986 + +From: Daniel Golle + +[ Upstream commit 5e69ff84f3e6cc54502a902043847b37ed78afd4 ] + +ADMAv2.0 is plagued by RX hangs which can't easily detected and happen upon +receival of a corrupted Ethernet frame. + +Use ADMAv1 instead which is also still present and usable, and doesn't +suffer from that problem. + +Fixes: 197c9e9b17b1 ("net: ethernet: mtk_eth_soc: introduce support for mt7986 chipset") +Co-developed-by: Lorenzo Bianconi +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/57cef74bbd0c243366ad1ff4221e3f72f437ec80.1715164770.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 46 ++++++++++----------- + 1 file changed, 23 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 3eefb735ce197..d7d73295f0dc4 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -110,16 +110,16 @@ static const struct mtk_reg_map mt7986_reg_map = { + .tx_irq_mask = 0x461c, + .tx_irq_status = 0x4618, + .pdma = { +- .rx_ptr = 0x6100, +- .rx_cnt_cfg = 0x6104, +- .pcrx_ptr = 0x6108, +- .glo_cfg = 0x6204, +- .rst_idx = 0x6208, +- .delay_irq = 0x620c, +- .irq_status = 0x6220, +- .irq_mask = 0x6228, +- .adma_rx_dbg0 = 0x6238, +- .int_grp = 0x6250, ++ .rx_ptr = 0x4100, ++ .rx_cnt_cfg = 0x4104, ++ .pcrx_ptr = 0x4108, ++ .glo_cfg = 0x4204, ++ .rst_idx = 0x4208, ++ .delay_irq = 0x420c, ++ .irq_status = 0x4220, ++ .irq_mask = 0x4228, ++ .adma_rx_dbg0 = 0x4238, ++ .int_grp = 0x4250, + }, + .qdma = { + .qtx_cfg = 0x4400, +@@ -1107,7 +1107,7 @@ static bool mtk_rx_get_desc(struct mtk_eth *eth, struct mtk_rx_dma_v2 *rxd, + rxd->rxd1 = READ_ONCE(dma_rxd->rxd1); + rxd->rxd3 = READ_ONCE(dma_rxd->rxd3); + rxd->rxd4 = READ_ONCE(dma_rxd->rxd4); +- if (mtk_is_netsys_v2_or_greater(eth)) { ++ if (mtk_is_netsys_v3_or_greater(eth)) { + rxd->rxd5 = READ_ONCE(dma_rxd->rxd5); + rxd->rxd6 = READ_ONCE(dma_rxd->rxd6); + } +@@ -2028,7 +2028,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + break; + + /* find out which mac the packet come from. values start at 1 */ +- if (mtk_is_netsys_v2_or_greater(eth)) { ++ if (mtk_is_netsys_v3_or_greater(eth)) { + u32 val = RX_DMA_GET_SPORT_V2(trxd.rxd5); + + switch (val) { +@@ -2140,7 +2140,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + skb->dev = netdev; + bytes += skb->len; + +- if (mtk_is_netsys_v2_or_greater(eth)) { ++ if (mtk_is_netsys_v3_or_greater(eth)) { + reason = FIELD_GET(MTK_RXD5_PPE_CPU_REASON, trxd.rxd5); + hash = trxd.rxd5 & MTK_RXD5_FOE_ENTRY; + if (hash != MTK_RXD5_FOE_ENTRY) +@@ -2690,7 +2690,7 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + + rxd->rxd3 = 0; + rxd->rxd4 = 0; +- if (mtk_is_netsys_v2_or_greater(eth)) { ++ if (mtk_is_netsys_v3_or_greater(eth)) { + rxd->rxd5 = 0; + rxd->rxd6 = 0; + rxd->rxd7 = 0; +@@ -3893,7 +3893,7 @@ static int mtk_hw_init(struct mtk_eth *eth, bool reset) + else + mtk_hw_reset(eth); + +- if (mtk_is_netsys_v2_or_greater(eth)) { ++ if (mtk_is_netsys_v3_or_greater(eth)) { + /* Set FE to PDMAv2 if necessary */ + val = mtk_r32(eth, MTK_FE_GLO_MISC); + mtk_w32(eth, val | BIT(4), MTK_FE_GLO_MISC); +@@ -5169,11 +5169,11 @@ static const struct mtk_soc_data mt7981_data = { + .dma_len_offset = 8, + }, + .rx = { +- .desc_size = sizeof(struct mtk_rx_dma_v2), +- .irq_done_mask = MTK_RX_DONE_INT_V2, ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, + .dma_l4_valid = RX_DMA_L4_VALID_V2, +- .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, +- .dma_len_offset = 8, ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, + }, + }; + +@@ -5195,11 +5195,11 @@ static const struct mtk_soc_data mt7986_data = { + .dma_len_offset = 8, + }, + .rx = { +- .desc_size = sizeof(struct mtk_rx_dma_v2), +- .irq_done_mask = MTK_RX_DONE_INT_V2, ++ .desc_size = sizeof(struct mtk_rx_dma), ++ .irq_done_mask = MTK_RX_DONE_INT, + .dma_l4_valid = RX_DMA_L4_VALID_V2, +- .dma_max_len = MTK_TX_DMA_BUF_LEN_V2, +- .dma_len_offset = 8, ++ .dma_max_len = MTK_TX_DMA_BUF_LEN, ++ .dma_len_offset = 16, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.9/net-fec-remove-.ndo_poll_controller-to-avoid-deadloc.patch b/queue-6.9/net-fec-remove-.ndo_poll_controller-to-avoid-deadloc.patch new file mode 100644 index 00000000000..b97cf022cf5 --- /dev/null +++ b/queue-6.9/net-fec-remove-.ndo_poll_controller-to-avoid-deadloc.patch @@ -0,0 +1,75 @@ +From 95ff9c8fd3363f797404ea0be415ba21e19c9fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 May 2024 14:20:09 +0800 +Subject: net: fec: remove .ndo_poll_controller to avoid deadlocks + +From: Wei Fang + +[ Upstream commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 ] + +There is a deadlock issue found in sungem driver, please refer to the +commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid +deadlocks"). The root cause of the issue is that netpoll is in atomic +context and disable_irq() is called by .ndo_poll_controller interface +of sungem driver, however, disable_irq() might sleep. After analyzing +the implementation of fec_poll_controller(), the fec driver should have +the same issue. Due to the fec driver uses NAPI for TX completions, the +.ndo_poll_controller is unnecessary to be implemented in the fec driver, +so fec_poll_controller() can be safely removed. + +Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic") +Signed-off-by: Wei Fang +Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 26 ----------------------- + 1 file changed, 26 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 8bd213da8fb6f..a72d8a2eb0b31 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3674,29 +3674,6 @@ fec_set_mac_address(struct net_device *ndev, void *p) + return 0; + } + +-#ifdef CONFIG_NET_POLL_CONTROLLER +-/** +- * fec_poll_controller - FEC Poll controller function +- * @dev: The FEC network adapter +- * +- * Polled functionality used by netconsole and others in non interrupt mode +- * +- */ +-static void fec_poll_controller(struct net_device *dev) +-{ +- int i; +- struct fec_enet_private *fep = netdev_priv(dev); +- +- for (i = 0; i < FEC_IRQ_NUM; i++) { +- if (fep->irq[i] > 0) { +- disable_irq(fep->irq[i]); +- fec_enet_interrupt(fep->irq[i], dev); +- enable_irq(fep->irq[i]); +- } +- } +-} +-#endif +- + static inline void fec_enet_set_netdev_features(struct net_device *netdev, + netdev_features_t features) + { +@@ -4003,9 +3980,6 @@ static const struct net_device_ops fec_netdev_ops = { + .ndo_tx_timeout = fec_timeout, + .ndo_set_mac_address = fec_set_mac_address, + .ndo_eth_ioctl = phy_do_ioctl_running, +-#ifdef CONFIG_NET_POLL_CONTROLLER +- .ndo_poll_controller = fec_poll_controller, +-#endif + .ndo_set_features = fec_set_features, + .ndo_bpf = fec_enet_bpf, + .ndo_xdp_xmit = fec_enet_xdp_xmit, +-- +2.43.0 + diff --git a/queue-6.9/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch b/queue-6.9/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch new file mode 100644 index 00000000000..c115fb1f8f6 --- /dev/null +++ b/queue-6.9/net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch @@ -0,0 +1,54 @@ +From 61ef3cec3a5603d2be0dd2650634bb966dca36d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 06:42:22 +0000 +Subject: net: give more chances to rcu in netdev_wait_allrefs_any() + +From: Eric Dumazet + +[ Upstream commit cd42ba1c8ac9deb9032add6adf491110e7442040 ] + +This came while reviewing commit c4e86b4363ac ("net: add two more +call_rcu_hurry()"). + +Paolo asked if adding one synchronize_rcu() would help. + +While synchronize_rcu() does not help, making sure to call +rcu_barrier() before msleep(wait) is definitely helping +to make sure lazy call_rcu() are completed. + +Instead of waiting ~100 seconds in my tests, the ref_tracker +splats occurs one time only, and netdev_wait_allrefs_any() +latency is reduced to the strict minimum. + +Ideally we should audit our call_rcu() users to make sure +no refcount (or cascading call_rcu()) is held too long, +because rcu_barrier() is quite expensive. + +Fixes: 0e4be9e57e8c ("net: use exponential backoff in netdev_wait_allrefs") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/all/28bbf698-befb-42f6-b561-851c67f464aa@kernel.org/T/#m76d73ed6b03cd930778ac4d20a777f22a08d6824 +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 331848eca7d31..e8fb4ef8a85f8 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -10488,8 +10488,9 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list) + rebroadcast_time = jiffies; + } + ++ rcu_barrier(); ++ + if (!wait) { +- rcu_barrier(); + wait = WAIT_REFS_MIN_MSECS; + } else { + msleep(wait); +-- +2.43.0 + diff --git a/queue-6.9/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch b/queue-6.9/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch new file mode 100644 index 00000000000..628459ba822 --- /dev/null +++ b/queue-6.9/net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch @@ -0,0 +1,41 @@ +From e170b70da165875cca6cfae545675ac59b7dc7c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 17:19:17 +0800 +Subject: net: ipv6: fix wrong start position when receive hop-by-hop fragment + +From: gaoxingwang + +[ Upstream commit 1cd354fe1e4864eeaff62f66ee513080ec946f20 ] + +In IPv6, ipv6_rcv_core will parse the hop-by-hop type extension header and increase skb->transport_header by one extension header length. +But if there are more other extension headers like fragment header at this time, the skb->transport_header points to the second extension header, +not the transport layer header or the first extension header. + +This will result in the start and nexthdrp variable not pointing to the same position in ipv6frag_thdr_trunced, +and ipv6_skip_exthdr returning incorrect offset and frag_off.Sometimes,the length of the last sharded packet is smaller than the calculated incorrect offset, resulting in packet loss. +We can use network header to offset and calculate the correct position to solve this problem. + +Fixes: 9d9e937b1c8b (ipv6/netfilter: Discard first fragment not including all headers) +Signed-off-by: Gao Xingwang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/reassembly.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index acb4f119e11f0..148bf9e3131a1 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -369,7 +369,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + * the source of the fragment, with the Pointer field set to zero. + */ + nexthdr = hdr->nexthdr; +- if (ipv6frag_thdr_truncated(skb, skb_transport_offset(skb), &nexthdr)) { ++ if (ipv6frag_thdr_truncated(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr), &nexthdr)) { + __IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev), + IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0); +-- +2.43.0 + diff --git a/queue-6.9/net-micrel-fix-receiving-the-timestamp-in-the-frame-.patch b/queue-6.9/net-micrel-fix-receiving-the-timestamp-in-the-frame-.patch new file mode 100644 index 00000000000..6431b950d07 --- /dev/null +++ b/queue-6.9/net-micrel-fix-receiving-the-timestamp-in-the-frame-.patch @@ -0,0 +1,44 @@ +From 34b33a053bcf83f7a5d1e92b19573e194a04692a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 21:21:57 +0200 +Subject: net: micrel: Fix receiving the timestamp in the frame for lan8841 + +From: Horatiu Vultur + +[ Upstream commit aea27a92a41dae14843f92c79e9e42d8f570105c ] + +The blamed commit started to use the ptp workqueue to get the second +part of the timestamp. And when the port was set down, then this +workqueue is stopped. But if the config option NETWORK_PHY_TIMESTAMPING +is not enabled, then the ptp_clock is not initialized so then it would +crash when it would try to access the delayed work. +So then basically by setting up and then down the port, it would crash. +The fix consists in checking if the ptp_clock is initialized and only +then cancel the delayed work. + +Fixes: cc7554954848 ("net: micrel: Change to receive timestamp in the frame for lan8841") +Signed-off-by: Horatiu Vultur +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index ddb50a0e2bc82..87780465cd0d5 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -4676,7 +4676,8 @@ static int lan8841_suspend(struct phy_device *phydev) + struct kszphy_priv *priv = phydev->priv; + struct kszphy_ptp_priv *ptp_priv = &priv->ptp_priv; + +- ptp_cancel_worker_sync(ptp_priv->ptp_clock); ++ if (ptp_priv->ptp_clock) ++ ptp_cancel_worker_sync(ptp_priv->ptp_clock); + + return genphy_suspend(phydev); + } +-- +2.43.0 + diff --git a/queue-6.9/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch b/queue-6.9/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch new file mode 100644 index 00000000000..f0b889a60e2 --- /dev/null +++ b/queue-6.9/net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch @@ -0,0 +1,156 @@ +From 2452eadabe4f8735224ac2712c2f08bad3bf4a92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:50 +0300 +Subject: net/mlx5: Add a timeout to acquire the command queue semaphore + +From: Akiva Goldberger + +[ Upstream commit 485d65e1357123a697c591a5aeb773994b247ad7 ] + +Prevent forced completion handling on an entry that has not yet been +assigned an index, causing an out of bounds access on idx = -22. +Instead of waiting indefinitely for the sem, blocking flow now waits for +index to be allocated or a sem acquisition timeout before beginning the +timer for FW completion. + +Kernel log example: +mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion + +Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free") +Signed-off-by: Akiva Goldberger +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240509112951.590184-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 41 +++++++++++++++---- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 33 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 4957412ff1f65..511e7fee39ac5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -969,19 +969,32 @@ static void cmd_work_handler(struct work_struct *work) + bool poll_cmd = ent->polling; + struct mlx5_cmd_layout *lay; + struct mlx5_core_dev *dev; +- unsigned long cb_timeout; +- struct semaphore *sem; ++ unsigned long timeout; + unsigned long flags; + int alloc_ret; + int cmd_mode; + ++ complete(&ent->handling); ++ + dev = container_of(cmd, struct mlx5_core_dev, cmd); +- cb_timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD)); ++ timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD)); + +- complete(&ent->handling); +- sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem; +- down(sem); + if (!ent->page_queue) { ++ if (down_timeout(&cmd->vars.sem, timeout)) { ++ mlx5_core_warn(dev, "%s(0x%x) timed out while waiting for a slot.\n", ++ mlx5_command_str(ent->op), ent->op); ++ if (ent->callback) { ++ ent->callback(-EBUSY, ent->context); ++ mlx5_free_cmd_msg(dev, ent->out); ++ free_msg(dev, ent->in); ++ cmd_ent_put(ent); ++ } else { ++ ent->ret = -EBUSY; ++ complete(&ent->done); ++ } ++ complete(&ent->slotted); ++ return; ++ } + alloc_ret = cmd_alloc_index(cmd, ent); + if (alloc_ret < 0) { + mlx5_core_err_rl(dev, "failed to allocate command entry\n"); +@@ -994,10 +1007,11 @@ static void cmd_work_handler(struct work_struct *work) + ent->ret = -EAGAIN; + complete(&ent->done); + } +- up(sem); ++ up(&cmd->vars.sem); + return; + } + } else { ++ down(&cmd->vars.pages_sem); + ent->idx = cmd->vars.max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); + clear_bit(ent->idx, &cmd->vars.bitmask); +@@ -1005,6 +1019,8 @@ static void cmd_work_handler(struct work_struct *work) + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + ++ complete(&ent->slotted); ++ + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +@@ -1023,7 +1039,7 @@ static void cmd_work_handler(struct work_struct *work) + ent->ts1 = ktime_get_ns(); + cmd_mode = cmd->mode; + +- if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, cb_timeout)) ++ if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, timeout)) + cmd_ent_get(ent); + set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + +@@ -1143,6 +1159,9 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + ent->ret = -ECANCELED; + goto out_err; + } ++ ++ wait_for_completion(&ent->slotted); ++ + if (cmd->mode == CMD_MODE_POLLING || ent->polling) + wait_for_completion(&ent->done); + else if (!wait_for_completion_timeout(&ent->done, timeout)) +@@ -1157,6 +1176,9 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + } else if (err == -ECANCELED) { + mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n", + mlx5_command_str(ent->op), ent->op); ++ } else if (err == -EBUSY) { ++ mlx5_core_warn(dev, "%s(0x%x) timeout while waiting for command semaphore.\n", ++ mlx5_command_str(ent->op), ent->op); + } + mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n", + err, deliv_status_to_str(ent->status), ent->status); +@@ -1208,6 +1230,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + ent->polling = force_polling; + + init_completion(&ent->handling); ++ init_completion(&ent->slotted); + if (!callback) + init_completion(&ent->done); + +@@ -1225,7 +1248,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + return 0; /* mlx5_cmd_comp_handler() will put(ent) */ + + err = wait_func(dev, ent); +- if (err == -ETIMEDOUT || err == -ECANCELED) ++ if (err == -ETIMEDOUT || err == -ECANCELED || err == -EBUSY) + goto out_free; + + ds = ent->ts2 - ent->ts1; +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index bf9324a31ae97..80452bd982531 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -862,6 +862,7 @@ struct mlx5_cmd_work_ent { + void *context; + int idx; + struct completion handling; ++ struct completion slotted; + struct completion done; + struct mlx5_cmd *cmd; + struct work_struct work; +-- +2.43.0 + diff --git a/queue-6.9/net-mlx5-discard-command-completions-in-internal-err.patch b/queue-6.9/net-mlx5-discard-command-completions-in-internal-err.patch new file mode 100644 index 00000000000..df299d58c4c --- /dev/null +++ b/queue-6.9/net-mlx5-discard-command-completions-in-internal-err.patch @@ -0,0 +1,75 @@ +From 9c204d542323062cda95d0163cd3011d53dc2fbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:51 +0300 +Subject: net/mlx5: Discard command completions in internal error + +From: Akiva Goldberger + +[ Upstream commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40 ] + +Fix use after free when FW completion arrives while device is in +internal error state. Avoid calling completion handler in this case, +since the device will flush the command interface and trigger all +completions manually. + +Kernel log: +------------[ cut here ]------------ +refcount_t: underflow; use-after-free. +... +RIP: 0010:refcount_warn_saturate+0xd8/0xe0 +... +Call Trace: + +? __warn+0x79/0x120 +? refcount_warn_saturate+0xd8/0xe0 +? report_bug+0x17c/0x190 +? handle_bug+0x3c/0x60 +? exc_invalid_op+0x14/0x70 +? asm_exc_invalid_op+0x16/0x20 +? refcount_warn_saturate+0xd8/0xe0 +cmd_ent_put+0x13b/0x160 [mlx5_core] +mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] +cmd_comp_notifier+0x1f/0x30 [mlx5_core] +notifier_call_chain+0x35/0xb0 +atomic_notifier_call_chain+0x16/0x20 +mlx5_eq_async_int+0xf6/0x290 [mlx5_core] +notifier_call_chain+0x35/0xb0 +atomic_notifier_call_chain+0x16/0x20 +irq_int_handler+0x19/0x30 [mlx5_core] +__handle_irq_event_percpu+0x4b/0x160 +handle_irq_event+0x2e/0x80 +handle_edge_irq+0x98/0x230 +__common_interrupt+0x3b/0xa0 +common_interrupt+0x7b/0xa0 + + +asm_common_interrupt+0x22/0x40 + +Fixes: 51d138c2610a ("net/mlx5: Fix health error state handling") +Signed-off-by: Akiva Goldberger +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240509112951.590184-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 511e7fee39ac5..20768ef2e9d2b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1634,6 +1634,9 @@ static int cmd_comp_notifier(struct notifier_block *nb, + dev = container_of(cmd, struct mlx5_core_dev, cmd); + eqe = data; + ++ if (dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) ++ return NOTIFY_DONE; ++ + mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector), false); + + return NOTIFY_OK; +-- +2.43.0 + diff --git a/queue-6.9/net-mlx5-fix-peer-devlink-set-for-sf-representor-dev.patch b/queue-6.9/net-mlx5-fix-peer-devlink-set-for-sf-representor-dev.patch new file mode 100644 index 00000000000..31a6394d0fc --- /dev/null +++ b/queue-6.9/net-mlx5-fix-peer-devlink-set-for-sf-representor-dev.patch @@ -0,0 +1,166 @@ +From 952f1205bd42750f7bf04fff786940c2d12b54aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:48 +0300 +Subject: net/mlx5: Fix peer devlink set for SF representor devlink port + +From: Shay Drory + +[ Upstream commit 3c453e8cc672de1f9c662948dba43176bc68d7f0 ] + +The cited patch change register devlink flow, and neglect to reflect +the changes for peer devlink set logic. Peer devlink set is +triggering a call trace if done after devl_register.[1] + +Hence, align peer devlink set logic with register devlink flow. + +[1] +WARNING: CPU: 4 PID: 3394 at net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180 +CPU: 4 PID: 3394 Comm: kworker/u40:1 Not tainted 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_08 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core] +RIP: 0010:devlink_rel_nested_in_add+0x177/0x180 +Call Trace: + + ? __warn+0x78/0x120 + ? devlink_rel_nested_in_add+0x177/0x180 + ? report_bug+0x16d/0x180 + ? handle_bug+0x3c/0x60 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? devlink_port_init+0x30/0x30 + ? devlink_port_type_clear+0x50/0x50 + ? devlink_rel_nested_in_add+0x177/0x180 + ? devlink_rel_nested_in_add+0xdd/0x180 + mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core] + notifier_call_chain+0x35/0xb0 + blocking_notifier_call_chain+0x3d/0x60 + mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] + mlx5_sf_dev_probe+0x185/0x3e0 [mlx5_core] + auxiliary_bus_probe+0x38/0x80 + ? driver_sysfs_add+0x51/0x80 + really_probe+0xc5/0x3a0 + ? driver_probe_device+0x90/0x90 + __driver_probe_device+0x80/0x160 + driver_probe_device+0x1e/0x90 + __device_attach_driver+0x7d/0x100 + bus_for_each_drv+0x80/0xd0 + __device_attach+0xbc/0x1f0 + bus_probe_device+0x86/0xa0 + device_add+0x64f/0x860 + __auxiliary_device_add+0x3b/0xa0 + mlx5_sf_dev_add+0x139/0x330 [mlx5_core] + mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core] + notifier_call_chain+0x35/0xb0 + blocking_notifier_call_chain+0x3d/0x60 + mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core] + process_one_work+0x13f/0x2e0 + worker_thread+0x2bd/0x3c0 + ? rescuer_thread+0x410/0x410 + kthread+0xc4/0xf0 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x2d/0x50 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork_asm+0x11/0x20 + + +Fixes: bf729988303a ("net/mlx5: Restore mistakenly dropped parts in register devlink flow") +Fixes: c6e77aa9dd82 ("net/mlx5: Register devlink first under devlink lock") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509112951.590184-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/main.c | 14 +++++--------- + .../mellanox/mlx5/core/sf/dev/driver.c | 19 ++++++++----------- + 2 files changed, 13 insertions(+), 20 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 331ce47f51a17..6574c145dc1e2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1680,6 +1680,8 @@ int mlx5_init_one_light(struct mlx5_core_dev *dev) + struct devlink *devlink = priv_to_devlink(dev); + int err; + ++ devl_lock(devlink); ++ devl_register(devlink); + dev->state = MLX5_DEVICE_STATE_UP; + err = mlx5_function_enable(dev, true, mlx5_tout_ms(dev, FW_PRE_INIT_TIMEOUT)); + if (err) { +@@ -1693,27 +1695,21 @@ int mlx5_init_one_light(struct mlx5_core_dev *dev) + goto query_hca_caps_err; + } + +- devl_lock(devlink); +- devl_register(devlink); +- + err = mlx5_devlink_params_register(priv_to_devlink(dev)); + if (err) { + mlx5_core_warn(dev, "mlx5_devlink_param_reg err = %d\n", err); +- goto params_reg_err; ++ goto query_hca_caps_err; + } + + devl_unlock(devlink); + return 0; + +-params_reg_err: +- devl_unregister(devlink); +- devl_unlock(devlink); + query_hca_caps_err: +- devl_unregister(devlink); +- devl_unlock(devlink); + mlx5_function_disable(dev, true); + out: + dev->state = MLX5_DEVICE_STATE_INTERNAL_ERROR; ++ devl_unregister(devlink); ++ devl_unlock(devlink); + return err; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index 7ebe712808275..b2986175d9afe 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -60,6 +60,13 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + goto remap_err; + } + ++ /* Peer devlink logic expects to work on unregistered devlink instance. */ ++ err = mlx5_core_peer_devlink_set(sf_dev, devlink); ++ if (err) { ++ mlx5_core_warn(mdev, "mlx5_core_peer_devlink_set err=%d\n", err); ++ goto peer_devlink_set_err; ++ } ++ + if (MLX5_ESWITCH_MANAGER(sf_dev->parent_mdev)) + err = mlx5_init_one_light(mdev); + else +@@ -69,20 +76,10 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + goto init_one_err; + } + +- err = mlx5_core_peer_devlink_set(sf_dev, devlink); +- if (err) { +- mlx5_core_warn(mdev, "mlx5_core_peer_devlink_set err=%d\n", err); +- goto peer_devlink_set_err; +- } +- + return 0; + +-peer_devlink_set_err: +- if (mlx5_dev_is_lightweight(sf_dev->mdev)) +- mlx5_uninit_one_light(sf_dev->mdev); +- else +- mlx5_uninit_one(sf_dev->mdev); + init_one_err: ++peer_devlink_set_err: + iounmap(mdev->iseg); + remap_err: + mlx5_mdev_uninit(mdev); +-- +2.43.0 + diff --git a/queue-6.9/net-mlx5-reload-only-ib-representors-upon-lag-disabl.patch b/queue-6.9/net-mlx5-reload-only-ib-representors-upon-lag-disabl.patch new file mode 100644 index 00000000000..f1be5072660 --- /dev/null +++ b/queue-6.9/net-mlx5-reload-only-ib-representors-upon-lag-disabl.patch @@ -0,0 +1,222 @@ +From ed058e4f76079ba95d8e55489fc60e4d4edfffb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:49 +0300 +Subject: net/mlx5: Reload only IB representors upon lag disable/enable + +From: Maher Sanalla + +[ Upstream commit 0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4 ] + +On lag disable, the bond IB device along with all of its +representors are destroyed, and then the slaves' representors get reloaded. + +In case the slave IB representor load fails, the eswitch error flow +unloads all representors, including ethernet representors, where the +netdevs get detached and removed from lag bond. Such flow is inaccurate +as the lag driver is not responsible for loading/unloading ethernet +representors. Furthermore, the flow described above begins by holding +lag lock to prevent bond changes during disable flow. However, when +reaching the ethernet representors detachment from lag, the lag lock is +required again, triggering the following deadlock: + +Call trace: +__switch_to+0xf4/0x148 +__schedule+0x2c8/0x7d0 +schedule+0x50/0xe0 +schedule_preempt_disabled+0x18/0x28 +__mutex_lock.isra.13+0x2b8/0x570 +__mutex_lock_slowpath+0x1c/0x28 +mutex_lock+0x4c/0x68 +mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] +mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] +mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core] +mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] +mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core] +mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] +mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] +mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] +mlx5_disable_lag+0x130/0x138 [mlx5_core] +mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock +mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] +devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 +genl_family_rcv_msg_doit.isra.17+0xe8/0x138 +genl_rcv_msg+0xe4/0x220 +netlink_rcv_skb+0x44/0x108 +genl_rcv+0x40/0x58 +netlink_unicast+0x198/0x268 +netlink_sendmsg+0x1d4/0x418 +sock_sendmsg+0x54/0x60 +__sys_sendto+0xf4/0x120 +__arm64_sys_sendto+0x30/0x40 +el0_svc_common+0x8c/0x120 +do_el0_svc+0x30/0xa0 +el0_svc+0x20/0x30 +el0_sync_handler+0x90/0xb8 +el0_sync+0x160/0x180 + +Thus, upon lag enable/disable, load and unload only the IB representors +of the slaves preventing the deadlock mentioned above. + +While at it, refactor the mlx5_esw_offloads_rep_load() function to have +a static helper method for its internal logic, in symmetry with the +representor unload design. + +Fixes: 598fe77df855 ("net/mlx5: Lag, Create shared FDB when in switchdev mode") +Co-developed-by: Mark Bloch +Signed-off-by: Mark Bloch +Signed-off-by: Maher Sanalla +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509112951.590184-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 4 +-- + .../mellanox/mlx5/core/eswitch_offloads.c | 28 ++++++++++++------- + .../net/ethernet/mellanox/mlx5/core/lag/lag.c | 6 ++-- + .../ethernet/mellanox/mlx5/core/lag/mpesw.c | 4 +-- + 4 files changed, 25 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 349e28a6dd8df..ef55674876cb4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -833,7 +833,7 @@ int mlx5_eswitch_offloads_single_fdb_add_one(struct mlx5_eswitch *master_esw, + struct mlx5_eswitch *slave_esw, int max_slaves); + void mlx5_eswitch_offloads_single_fdb_del_one(struct mlx5_eswitch *master_esw, + struct mlx5_eswitch *slave_esw); +-int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw); ++int mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw); + + bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev); + void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev); +@@ -925,7 +925,7 @@ mlx5_eswitch_offloads_single_fdb_del_one(struct mlx5_eswitch *master_esw, + static inline int mlx5_eswitch_get_npeers(struct mlx5_eswitch *esw) { return 0; } + + static inline int +-mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw) ++mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw) + { + return 0; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 844d3e3a65ddf..e8caf12f4c4f8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -2502,6 +2502,16 @@ void esw_offloads_cleanup(struct mlx5_eswitch *esw) + esw_offloads_cleanup_reps(esw); + } + ++static int __esw_offloads_load_rep(struct mlx5_eswitch *esw, ++ struct mlx5_eswitch_rep *rep, u8 rep_type) ++{ ++ if (atomic_cmpxchg(&rep->rep_data[rep_type].state, ++ REP_REGISTERED, REP_LOADED) == REP_REGISTERED) ++ return esw->offloads.rep_ops[rep_type]->load(esw->dev, rep); ++ ++ return 0; ++} ++ + static void __esw_offloads_unload_rep(struct mlx5_eswitch *esw, + struct mlx5_eswitch_rep *rep, u8 rep_type) + { +@@ -2526,13 +2536,11 @@ static int mlx5_esw_offloads_rep_load(struct mlx5_eswitch *esw, u16 vport_num) + int err; + + rep = mlx5_eswitch_get_rep(esw, vport_num); +- for (rep_type = 0; rep_type < NUM_REP_TYPES; rep_type++) +- if (atomic_cmpxchg(&rep->rep_data[rep_type].state, +- REP_REGISTERED, REP_LOADED) == REP_REGISTERED) { +- err = esw->offloads.rep_ops[rep_type]->load(esw->dev, rep); +- if (err) +- goto err_reps; +- } ++ for (rep_type = 0; rep_type < NUM_REP_TYPES; rep_type++) { ++ err = __esw_offloads_load_rep(esw, rep, rep_type); ++ if (err) ++ goto err_reps; ++ } + + return 0; + +@@ -3277,7 +3285,7 @@ static void esw_destroy_offloads_acl_tables(struct mlx5_eswitch *esw) + esw_vport_destroy_offloads_acl_tables(esw, vport); + } + +-int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw) ++int mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw) + { + struct mlx5_eswitch_rep *rep; + unsigned long i; +@@ -3290,13 +3298,13 @@ int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw) + if (atomic_read(&rep->rep_data[REP_ETH].state) != REP_LOADED) + return 0; + +- ret = mlx5_esw_offloads_rep_load(esw, MLX5_VPORT_UPLINK); ++ ret = __esw_offloads_load_rep(esw, rep, REP_IB); + if (ret) + return ret; + + mlx5_esw_for_each_rep(esw, i, rep) { + if (atomic_read(&rep->rep_data[REP_ETH].state) == REP_LOADED) +- mlx5_esw_offloads_rep_load(esw, rep->vport); ++ __esw_offloads_load_rep(esw, rep, REP_IB); + } + + return 0; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 69d482f7c5a29..37598d116f3b8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -814,7 +814,7 @@ void mlx5_disable_lag(struct mlx5_lag *ldev) + if (shared_fdb) + for (i = 0; i < ldev->ports; i++) + if (!(ldev->pf[i].dev->priv.flags & MLX5_PRIV_FLAGS_DISABLE_ALL_ADEV)) +- mlx5_eswitch_reload_reps(ldev->pf[i].dev->priv.eswitch); ++ mlx5_eswitch_reload_ib_reps(ldev->pf[i].dev->priv.eswitch); + } + + static bool mlx5_shared_fdb_supported(struct mlx5_lag *ldev) +@@ -922,7 +922,7 @@ static void mlx5_do_bond(struct mlx5_lag *ldev) + mlx5_rescan_drivers_locked(dev0); + + for (i = 0; i < ldev->ports; i++) { +- err = mlx5_eswitch_reload_reps(ldev->pf[i].dev->priv.eswitch); ++ err = mlx5_eswitch_reload_ib_reps(ldev->pf[i].dev->priv.eswitch); + if (err) + break; + } +@@ -933,7 +933,7 @@ static void mlx5_do_bond(struct mlx5_lag *ldev) + mlx5_deactivate_lag(ldev); + mlx5_lag_add_devices(ldev); + for (i = 0; i < ldev->ports; i++) +- mlx5_eswitch_reload_reps(ldev->pf[i].dev->priv.eswitch); ++ mlx5_eswitch_reload_ib_reps(ldev->pf[i].dev->priv.eswitch); + mlx5_core_err(dev0, "Failed to enable lag\n"); + return; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c +index 82889f30506ea..571ea26edd0ca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c +@@ -99,7 +99,7 @@ static int enable_mpesw(struct mlx5_lag *ldev) + dev0->priv.flags &= ~MLX5_PRIV_FLAGS_DISABLE_IB_ADEV; + mlx5_rescan_drivers_locked(dev0); + for (i = 0; i < ldev->ports; i++) { +- err = mlx5_eswitch_reload_reps(ldev->pf[i].dev->priv.eswitch); ++ err = mlx5_eswitch_reload_ib_reps(ldev->pf[i].dev->priv.eswitch); + if (err) + goto err_rescan_drivers; + } +@@ -113,7 +113,7 @@ static int enable_mpesw(struct mlx5_lag *ldev) + err_add_devices: + mlx5_lag_add_devices(ldev); + for (i = 0; i < ldev->ports; i++) +- mlx5_eswitch_reload_reps(ldev->pf[i].dev->priv.eswitch); ++ mlx5_eswitch_reload_ib_reps(ldev->pf[i].dev->priv.eswitch); + mlx5_mpesw_metadata_cleanup(ldev); + return err; + } +-- +2.43.0 + diff --git a/queue-6.9/net-mlx5e-fix-netif-state-handling.patch b/queue-6.9/net-mlx5e-fix-netif-state-handling.patch new file mode 100644 index 00000000000..895f301514b --- /dev/null +++ b/queue-6.9/net-mlx5e-fix-netif-state-handling.patch @@ -0,0 +1,154 @@ +From a71ff938fd782904205e3e6b5a608caa24ac5da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 14:29:47 +0300 +Subject: net/mlx5e: Fix netif state handling + +From: Shay Drory + +[ Upstream commit 3d5918477f94e4c2f064567875c475468e264644 ] + +mlx5e_suspend cleans resources only if netif_device_present() returns +true. However, mlx5e_resume changes the state of netif, via +mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. +In the below case, the above leads to NULL-ptr Oops[1] and memory +leaks: + +mlx5e_probe + _mlx5e_resume + mlx5e_attach_netdev + mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() + register_netdev <-- failed for some reason. +ERROR_FLOW: + _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :( + +Hence, clean resources in this case as well. + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 0 P4D 0 +Oops: 0010 [#1] SMP +CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at0xffffffffffffffd6. +RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 +Call Trace: + + ? __die+0x20/0x60 + ? page_fault_oops+0x14c/0x3c0 + ? exc_page_fault+0x75/0x140 + ? asm_exc_page_fault+0x22/0x30 + notifier_call_chain+0x35/0xb0 + blocking_notifier_call_chain+0x3d/0x60 + mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] + mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] + mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] + mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] + __mlx5_ib_add+0x34/0xd0 [mlx5_ib] + mlx5r_probe+0xe1/0x210 [mlx5_ib] + ? auxiliary_match_id+0x6a/0x90 + auxiliary_bus_probe+0x38/0x80 + ? driver_sysfs_add+0x51/0x80 + really_probe+0xc9/0x3e0 + ? driver_probe_device+0x90/0x90 + __driver_probe_device+0x80/0x160 + driver_probe_device+0x1e/0x90 + __device_attach_driver+0x7d/0x100 + bus_for_each_drv+0x80/0xd0 + __device_attach+0xbc/0x1f0 + bus_probe_device+0x86/0xa0 + device_add+0x637/0x840 + __auxiliary_device_add+0x3b/0xa0 + add_adev+0xc9/0x140 [mlx5_core] + mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] + mlx5_register_device+0x53/0xa0 [mlx5_core] + mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] + mlx5_init_one+0x3b/0x60 [mlx5_core] + probe_one+0x44c/0x730 [mlx5_core] + local_pci_probe+0x3e/0x90 + pci_device_probe+0xbf/0x210 + ? kernfs_create_link+0x5d/0xa0 + ? sysfs_do_create_link_sd+0x60/0xc0 + really_probe+0xc9/0x3e0 + ? driver_probe_device+0x90/0x90 + __driver_probe_device+0x80/0x160 + driver_probe_device+0x1e/0x90 + __device_attach_driver+0x7d/0x100 + bus_for_each_drv+0x80/0xd0 + __device_attach+0xbc/0x1f0 + pci_bus_add_device+0x54/0x80 + pci_iov_add_virtfn+0x2e6/0x320 + sriov_enable+0x208/0x420 + mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] + sriov_numvfs_store+0xae/0x1a0 + kernfs_fop_write_iter+0x10c/0x1a0 + vfs_write+0x291/0x3c0 + ksys_write+0x5f/0xe0 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- + +Fixes: 2c3b5beec46a ("net/mlx5e: More generic netdev management API") +Signed-off-by: Shay Drory +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509112951.590184-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 319930c04093b..64497b6eebd36 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6058,7 +6058,7 @@ static int mlx5e_resume(struct auxiliary_device *adev) + return 0; + } + +-static int _mlx5e_suspend(struct auxiliary_device *adev) ++static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg) + { + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); + struct mlx5e_priv *priv = mlx5e_dev->priv; +@@ -6067,7 +6067,7 @@ static int _mlx5e_suspend(struct auxiliary_device *adev) + struct mlx5_core_dev *pos; + int i; + +- if (!netif_device_present(netdev)) { ++ if (!pre_netdev_reg && !netif_device_present(netdev)) { + if (test_bit(MLX5E_STATE_DESTROYING, &priv->state)) + mlx5_sd_for_each_dev(i, mdev, pos) + mlx5e_destroy_mdev_resources(pos); +@@ -6090,7 +6090,7 @@ static int mlx5e_suspend(struct auxiliary_device *adev, pm_message_t state) + + actual_adev = mlx5_sd_get_adev(mdev, adev, edev->idx); + if (actual_adev) +- err = _mlx5e_suspend(actual_adev); ++ err = _mlx5e_suspend(actual_adev, false); + + mlx5_sd_cleanup(mdev); + return err; +@@ -6157,7 +6157,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev) + return 0; + + err_resume: +- _mlx5e_suspend(adev); ++ _mlx5e_suspend(adev, true); + err_profile_cleanup: + profile->cleanup(priv); + err_destroy_netdev: +@@ -6197,7 +6197,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + mlx5_core_uplink_netdev_set(mdev, NULL); + mlx5e_dcbnl_delete_app(priv); + unregister_netdev(priv->netdev); +- _mlx5e_suspend(adev); ++ _mlx5e_suspend(adev, false); + priv->profile->cleanup(priv); + mlx5e_destroy_netdev(priv); + mlx5e_devlink_port_unregister(mlx5e_dev); +-- +2.43.0 + diff --git a/queue-6.9/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch b/queue-6.9/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch new file mode 100644 index 00000000000..15fd35b1fe9 --- /dev/null +++ b/queue-6.9/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch @@ -0,0 +1,86 @@ +From 09b33e429c97ce6402e029356380ccf553329631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 11:38:05 +0200 +Subject: net: openvswitch: fix overwriting ct original tuple for ICMPv6 + +From: Ilya Maximets + +[ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ] + +OVS_PACKET_CMD_EXECUTE has 3 main attributes: + - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. + - OVS_PACKET_ATTR_PACKET - Binary packet content. + - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. + +OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure +with the metadata like conntrack state, input port, recirculation id, +etc. Then the packet itself gets parsed to populate the rest of the +keys from the packet headers. + +Whenever the packet parsing code starts parsing the ICMPv6 header, it +first zeroes out fields in the key corresponding to Neighbor Discovery +information even if it is not an ND packet. + +It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares +the space between 'nd' and 'ct_orig' that holds the original tuple +conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. + +ND packets should not normally have conntrack state, so it's fine to +share the space, but normal ICMPv6 Echo packets or maybe other types of +ICMPv6 can have the state attached and it should not be overwritten. + +The issue results in all but the last 4 bytes of the destination +address being wiped from the original conntrack tuple leading to +incorrect packet matching and potentially executing wrong actions +in case this packet recirculates within the datapath or goes back +to userspace. + +ND fields should not be accessed in non-ND packets, so not clearing +them should be fine. Executing memset() only for actual ND packets to +avoid the issue. + +Initializing the whole thing before parsing is needed because ND packet +may not contain all the options. + +The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't +affect packets entering OVS datapath from network interfaces, because +in this case CT metadata is populated from skb after the packet is +already parsed. + +Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") +Reported-by: Antonin Bas +Closes: https://github.com/openvswitch/ovs-issues/issues/327 +Signed-off-by: Ilya Maximets +Acked-by: Aaron Conole +Acked-by: Eelco Chaudron +Link: https://lore.kernel.org/r/20240509094228.1035477-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index 33b21a0c05481..8a848ce72e291 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -561,7 +561,6 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + */ + key->tp.src = htons(icmp->icmp6_type); + key->tp.dst = htons(icmp->icmp6_code); +- memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); + + if (icmp->icmp6_code == 0 && + (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION || +@@ -570,6 +569,8 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + struct nd_msg *nd; + int offset; + ++ memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); ++ + /* In order to process neighbor discovery options, we need the + * entire packet. + */ +-- +2.43.0 + diff --git a/queue-6.9/net-qrtr-ns-fix-module-refcnt.patch b/queue-6.9/net-qrtr-ns-fix-module-refcnt.patch new file mode 100644 index 00000000000..c6620f21a7a --- /dev/null +++ b/queue-6.9/net-qrtr-ns-fix-module-refcnt.patch @@ -0,0 +1,83 @@ +From 277a4269d0cc871fe1d267ee4e41fd754e3a8ded Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 10:31:46 -0700 +Subject: net: qrtr: ns: Fix module refcnt + +From: Chris Lew + +[ Upstream commit fd76e5ccc48f9f54eb44909dd7c0b924005f1582 ] + +The qrtr protocol core logic and the qrtr nameservice are combined into +a single module. Neither the core logic or nameservice provide much +functionality by themselves; combining the two into a single module also +prevents any possible issues that may stem from client modules loading +inbetween qrtr and the ns. + +Creating a socket takes two references to the module that owns the +socket protocol. Since the ns needs to create the control socket, this +creates a scenario where there are always two references to the qrtr +module. This prevents the execution of 'rmmod' for qrtr. + +To resolve this, forcefully put the module refcount for the socket +opened by the nameservice. + +Fixes: a365023a76f2 ("net: qrtr: combine nameservice into main module") +Reported-by: Jeffrey Hugo +Tested-by: Jeffrey Hugo +Signed-off-by: Chris Lew +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Jeffrey Hugo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/ns.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c +index abb0c70ffc8b0..654a3cc0d3479 100644 +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -725,6 +725,24 @@ int qrtr_ns_init(void) + if (ret < 0) + goto err_wq; + ++ /* As the qrtr ns socket owner and creator is the same module, we have ++ * to decrease the qrtr module reference count to guarantee that it ++ * remains zero after the ns socket is created, otherwise, executing ++ * "rmmod" command is unable to make the qrtr module deleted after the ++ * qrtr module is inserted successfully. ++ * ++ * However, the reference count is increased twice in ++ * sock_create_kern(): one is to increase the reference count of owner ++ * of qrtr socket's proto_ops struct; another is to increment the ++ * reference count of owner of qrtr proto struct. Therefore, we must ++ * decrement the module reference count twice to ensure that it keeps ++ * zero after server's listening socket is created. Of course, we ++ * must bump the module reference count twice as well before the socket ++ * is closed. ++ */ ++ module_put(qrtr_ns.sock->ops->owner); ++ module_put(qrtr_ns.sock->sk->sk_prot_creator->owner); ++ + return 0; + + err_wq: +@@ -739,6 +757,15 @@ void qrtr_ns_remove(void) + { + cancel_work_sync(&qrtr_ns.work); + destroy_workqueue(qrtr_ns.workqueue); ++ ++ /* sock_release() expects the two references that were put during ++ * qrtr_ns_init(). This function is only called during module remove, ++ * so try_stop_module() has already set the refcnt to 0. Use ++ * __module_get() instead of try_module_get() to successfully take two ++ * references. ++ */ ++ __module_get(qrtr_ns.sock->ops->owner); ++ __module_get(qrtr_ns.sock->sk->sk_prot_creator->owner); + sock_release(qrtr_ns.sock); + } + EXPORT_SYMBOL_GPL(qrtr_ns_remove); +-- +2.43.0 + diff --git a/queue-6.9/net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch b/queue-6.9/net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch new file mode 100644 index 00000000000..388ccc78c5e --- /dev/null +++ b/queue-6.9/net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch @@ -0,0 +1,192 @@ +From 5406538472d2c43f2f9a59b842f4c0b336e0b387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 09:43:45 +0800 +Subject: net: stmmac: move the EST lock to struct stmmac_priv + +From: Xiaolei Wang + +[ Upstream commit 36ac9e7f2e5786bd37c5cd91132e1f39c29b8197 ] + +Reinitialize the whole EST structure would also reset the mutex +lock which is embedded in the EST structure, and then trigger +the following warning. To address this, move the lock to struct +stmmac_priv. We also need to reacquire the mutex lock when doing +this initialization. + +DEBUG_LOCKS_WARN_ON(lock->magic != lock) +WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 + Modules linked in: + CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 + Hardware name: NXP i.MX8MPlus EVK board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __mutex_lock+0xd84/0x1068 + lr : __mutex_lock+0xd84/0x1068 + sp : ffffffc0864e3570 + x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 + x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac + x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 + x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff + x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 + x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 + x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 + x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 + x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 + x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + __mutex_lock+0xd84/0x1068 + mutex_lock_nested+0x28/0x34 + tc_setup_taprio+0x118/0x68c + stmmac_setup_tc+0x50/0xf0 + taprio_change+0x868/0xc9c + +Fixes: b2aae654a479 ("net: stmmac: add mutex lock to protect est parameters") +Signed-off-by: Xiaolei Wang +Reviewed-by: Simon Horman +Reviewed-by: Serge Semin +Reviewed-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240513014346.1718740-2-xiaolei.wang@windriver.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 ++ + .../net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 ++++---- + .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 18 ++++++++++-------- + include/linux/stmmac.h | 1 - + 4 files changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +index dddcaa9220cc3..64b21c83e2b84 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -261,6 +261,8 @@ struct stmmac_priv { + struct stmmac_extra_stats xstats ____cacheline_aligned_in_smp; + struct stmmac_safety_stats sstats; + struct plat_stmmacenet_data *plat; ++ /* Protect est parameters */ ++ struct mutex est_lock; + struct dma_features dma_cap; + struct stmmac_counters mmc; + int hw_cap_support; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +index e04830a3a1fb1..0c5aab6dd7a73 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -70,11 +70,11 @@ static int stmmac_adjust_time(struct ptp_clock_info *ptp, s64 delta) + /* If EST is enabled, disabled it before adjust ptp time. */ + if (priv->plat->est && priv->plat->est->enable) { + est_rst = true; +- mutex_lock(&priv->plat->est->lock); ++ mutex_lock(&priv->est_lock); + priv->plat->est->enable = false; + stmmac_est_configure(priv, priv, priv->plat->est, + priv->plat->clk_ptp_rate); +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + } + + write_lock_irqsave(&priv->ptp_lock, flags); +@@ -87,7 +87,7 @@ static int stmmac_adjust_time(struct ptp_clock_info *ptp, s64 delta) + ktime_t current_time_ns, basetime; + u64 cycle_time; + +- mutex_lock(&priv->plat->est->lock); ++ mutex_lock(&priv->est_lock); + priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, ¤t_time); + current_time_ns = timespec64_to_ktime(current_time); + time.tv_nsec = priv->plat->est->btr_reserve[0]; +@@ -104,7 +104,7 @@ static int stmmac_adjust_time(struct ptp_clock_info *ptp, s64 delta) + priv->plat->est->enable = true; + ret = stmmac_est_configure(priv, priv, priv->plat->est, + priv->plat->clk_ptp_rate); +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + if (ret) + netdev_err(priv->dev, "failed to configure EST\n"); + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index cce00719937db..620c16e9be3a6 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -1004,17 +1004,19 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + if (!plat->est) + return -ENOMEM; + +- mutex_init(&priv->plat->est->lock); ++ mutex_init(&priv->est_lock); + } else { ++ mutex_lock(&priv->est_lock); + memset(plat->est, 0, sizeof(*plat->est)); ++ mutex_unlock(&priv->est_lock); + } + + size = qopt->num_entries; + +- mutex_lock(&priv->plat->est->lock); ++ mutex_lock(&priv->est_lock); + priv->plat->est->gcl_size = size; + priv->plat->est->enable = qopt->cmd == TAPRIO_CMD_REPLACE; +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + + for (i = 0; i < size; i++) { + s64 delta_ns = qopt->entries[i].interval; +@@ -1045,7 +1047,7 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + priv->plat->est->gcl[i] = delta_ns | (gates << wid); + } + +- mutex_lock(&priv->plat->est->lock); ++ mutex_lock(&priv->est_lock); + /* Adjust for real system time */ + priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, ¤t_time); + current_time_ns = timespec64_to_ktime(current_time); +@@ -1068,7 +1070,7 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + tc_taprio_map_maxsdu_txq(priv, qopt); + + if (fpe && !priv->dma_cap.fpesel) { +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + return -EOPNOTSUPP; + } + +@@ -1079,7 +1081,7 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + + ret = stmmac_est_configure(priv, priv, priv->plat->est, + priv->plat->clk_ptp_rate); +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + if (ret) { + netdev_err(priv->dev, "failed to configure EST\n"); + goto disable; +@@ -1096,7 +1098,7 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + + disable: + if (priv->plat->est) { +- mutex_lock(&priv->plat->est->lock); ++ mutex_lock(&priv->est_lock); + priv->plat->est->enable = false; + stmmac_est_configure(priv, priv, priv->plat->est, + priv->plat->clk_ptp_rate); +@@ -1105,7 +1107,7 @@ static int tc_taprio_configure(struct stmmac_priv *priv, + priv->xstats.max_sdu_txq_drop[i] = 0; + priv->xstats.mtl_est_txq_hlbf[i] = 0; + } +- mutex_unlock(&priv->plat->est->lock); ++ mutex_unlock(&priv->est_lock); + } + + priv->plat->fpe_cfg->enable = false; +diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h +index dfa1828cd756a..c0d74f97fd187 100644 +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -117,7 +117,6 @@ struct stmmac_axi { + + #define EST_GCL 1024 + struct stmmac_est { +- struct mutex lock; + int enable; + u32 btr_reserve[2]; + u32 btr_offset[2]; +-- +2.43.0 + diff --git a/queue-6.9/net-txgbe-fix-to-control-vlan-strip.patch b/queue-6.9/net-txgbe-fix-to-control-vlan-strip.patch new file mode 100644 index 00000000000..0e81df93674 --- /dev/null +++ b/queue-6.9/net-txgbe-fix-to-control-vlan-strip.patch @@ -0,0 +1,278 @@ +From 0f26e1b6c2cbf64b0c6abd8ebd9f73d9475cb8d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 14:51:40 +0800 +Subject: net: txgbe: fix to control VLAN strip + +From: Jiawen Wu + +[ Upstream commit 1d3c6414950badaa38002af3b5857e01a21f01e9 ] + +When VLAN tag strip is changed to enable or disable, the hardware requires +the Rx ring to be in a disabled state, otherwise the feature cannot be +changed. + +Fixes: f3b03c655f67 ("net: wangxun: Implement vlan add and kill functions") +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/libwx/wx_hw.c | 2 ++ + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 6 ++-- + drivers/net/ethernet/wangxun/libwx/wx_type.h | 22 ++++++++++++++ + .../net/ethernet/wangxun/ngbe/ngbe_ethtool.c | 18 +++++++---- + .../ethernet/wangxun/txgbe/txgbe_ethtool.c | 18 +++++++---- + .../net/ethernet/wangxun/txgbe/txgbe_main.c | 30 +++++++++++++++++++ + .../net/ethernet/wangxun/txgbe/txgbe_type.h | 1 + + 7 files changed, 84 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +index 945c13d1a9829..c09a6f7445754 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +@@ -1958,6 +1958,8 @@ int wx_sw_init(struct wx *wx) + return -ENOMEM; + } + ++ bitmap_zero(wx->state, WX_STATE_NBITS); ++ + return 0; + } + EXPORT_SYMBOL(wx_sw_init); +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +index d0cb09a4bd3d4..07ba3a270a14f 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -2692,9 +2692,9 @@ int wx_set_features(struct net_device *netdev, netdev_features_t features) + + netdev->features = features; + +- if (changed & +- (NETIF_F_HW_VLAN_CTAG_RX | +- NETIF_F_HW_VLAN_STAG_RX)) ++ if (wx->mac.type == wx_mac_sp && changed & NETIF_F_HW_VLAN_CTAG_RX) ++ wx->do_reset(netdev); ++ else if (changed & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_CTAG_FILTER)) + wx_set_rx_mode(netdev); + + return 0; +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h +index 1fdeb464d5f4a..5aaf7b1fa2db9 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h +@@ -982,8 +982,13 @@ struct wx_hw_stats { + u64 qmprc; + }; + ++enum wx_state { ++ WX_STATE_RESETTING, ++ WX_STATE_NBITS, /* must be last */ ++}; + struct wx { + unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)]; ++ DECLARE_BITMAP(state, WX_STATE_NBITS); + + void *priv; + u8 __iomem *hw_addr; +@@ -1071,6 +1076,8 @@ struct wx { + u64 hw_csum_rx_good; + u64 hw_csum_rx_error; + u64 alloc_rx_buff_failed; ++ ++ void (*do_reset)(struct net_device *netdev); + }; + + #define WX_INTR_ALL (~0ULL) +@@ -1131,4 +1138,19 @@ static inline struct wx *phylink_to_wx(struct phylink_config *config) + return container_of(config, struct wx, phylink_config); + } + ++static inline int wx_set_state_reset(struct wx *wx) ++{ ++ u8 timeout = 50; ++ ++ while (test_and_set_bit(WX_STATE_RESETTING, wx->state)) { ++ timeout--; ++ if (!timeout) ++ return -EBUSY; ++ ++ usleep_range(1000, 2000); ++ } ++ ++ return 0; ++} ++ + #endif /* _WX_TYPE_H_ */ +diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_ethtool.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_ethtool.c +index 786a652ae64f3..46a5a3e952021 100644 +--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_ethtool.c ++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_ethtool.c +@@ -52,7 +52,7 @@ static int ngbe_set_ringparam(struct net_device *netdev, + struct wx *wx = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; + struct wx_ring *temp_ring; +- int i; ++ int i, err = 0; + + new_tx_count = clamp_t(u32, ring->tx_pending, WX_MIN_TXD, WX_MAX_TXD); + new_tx_count = ALIGN(new_tx_count, WX_REQ_TX_DESCRIPTOR_MULTIPLE); +@@ -64,6 +64,10 @@ static int ngbe_set_ringparam(struct net_device *netdev, + new_rx_count == wx->rx_ring_count) + return 0; + ++ err = wx_set_state_reset(wx); ++ if (err) ++ return err; ++ + if (!netif_running(wx->netdev)) { + for (i = 0; i < wx->num_tx_queues; i++) + wx->tx_ring[i]->count = new_tx_count; +@@ -72,14 +76,16 @@ static int ngbe_set_ringparam(struct net_device *netdev, + wx->tx_ring_count = new_tx_count; + wx->rx_ring_count = new_rx_count; + +- return 0; ++ goto clear_reset; + } + + /* allocate temporary buffer to store rings in */ + i = max_t(int, wx->num_tx_queues, wx->num_rx_queues); + temp_ring = kvmalloc_array(i, sizeof(struct wx_ring), GFP_KERNEL); +- if (!temp_ring) +- return -ENOMEM; ++ if (!temp_ring) { ++ err = -ENOMEM; ++ goto clear_reset; ++ } + + ngbe_down(wx); + +@@ -89,7 +95,9 @@ static int ngbe_set_ringparam(struct net_device *netdev, + wx_configure(wx); + ngbe_up(wx); + +- return 0; ++clear_reset: ++ clear_bit(WX_STATE_RESETTING, wx->state); ++ return err; + } + + static int ngbe_set_channels(struct net_device *dev, +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_ethtool.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_ethtool.c +index db675512ce4dc..31fde3fa7c6b5 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_ethtool.c ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_ethtool.c +@@ -19,7 +19,7 @@ static int txgbe_set_ringparam(struct net_device *netdev, + struct wx *wx = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; + struct wx_ring *temp_ring; +- int i; ++ int i, err = 0; + + new_tx_count = clamp_t(u32, ring->tx_pending, WX_MIN_TXD, WX_MAX_TXD); + new_tx_count = ALIGN(new_tx_count, WX_REQ_TX_DESCRIPTOR_MULTIPLE); +@@ -31,6 +31,10 @@ static int txgbe_set_ringparam(struct net_device *netdev, + new_rx_count == wx->rx_ring_count) + return 0; + ++ err = wx_set_state_reset(wx); ++ if (err) ++ return err; ++ + if (!netif_running(wx->netdev)) { + for (i = 0; i < wx->num_tx_queues; i++) + wx->tx_ring[i]->count = new_tx_count; +@@ -39,14 +43,16 @@ static int txgbe_set_ringparam(struct net_device *netdev, + wx->tx_ring_count = new_tx_count; + wx->rx_ring_count = new_rx_count; + +- return 0; ++ goto clear_reset; + } + + /* allocate temporary buffer to store rings in */ + i = max_t(int, wx->num_tx_queues, wx->num_rx_queues); + temp_ring = kvmalloc_array(i, sizeof(struct wx_ring), GFP_KERNEL); +- if (!temp_ring) +- return -ENOMEM; ++ if (!temp_ring) { ++ err = -ENOMEM; ++ goto clear_reset; ++ } + + txgbe_down(wx); + +@@ -55,7 +61,9 @@ static int txgbe_set_ringparam(struct net_device *netdev, + + txgbe_up(wx); + +- return 0; ++clear_reset: ++ clear_bit(WX_STATE_RESETTING, wx->state); ++ return err; + } + + static int txgbe_set_channels(struct net_device *dev, +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c +index b3c0058b045da..8c7a74981b907 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c +@@ -269,6 +269,8 @@ static int txgbe_sw_init(struct wx *wx) + wx->tx_work_limit = TXGBE_DEFAULT_TX_WORK; + wx->rx_work_limit = TXGBE_DEFAULT_RX_WORK; + ++ wx->do_reset = txgbe_do_reset; ++ + return 0; + } + +@@ -421,6 +423,34 @@ int txgbe_setup_tc(struct net_device *dev, u8 tc) + return 0; + } + ++static void txgbe_reinit_locked(struct wx *wx) ++{ ++ int err = 0; ++ ++ netif_trans_update(wx->netdev); ++ ++ err = wx_set_state_reset(wx); ++ if (err) { ++ wx_err(wx, "wait device reset timeout\n"); ++ return; ++ } ++ ++ txgbe_down(wx); ++ txgbe_up(wx); ++ ++ clear_bit(WX_STATE_RESETTING, wx->state); ++} ++ ++void txgbe_do_reset(struct net_device *netdev) ++{ ++ struct wx *wx = netdev_priv(netdev); ++ ++ if (netif_running(netdev)) ++ txgbe_reinit_locked(wx); ++ else ++ txgbe_reset(wx); ++} ++ + static const struct net_device_ops txgbe_netdev_ops = { + .ndo_open = txgbe_open, + .ndo_stop = txgbe_close, +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +index 1b4ff50d58571..f434a7865cb7b 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +@@ -134,6 +134,7 @@ extern char txgbe_driver_name[]; + void txgbe_down(struct wx *wx); + void txgbe_up(struct wx *wx); + int txgbe_setup_tc(struct net_device *dev, u8 tc); ++void txgbe_do_reset(struct net_device *netdev); + + #define NODE_PROP(_NAME, _PROP) \ + (const struct software_node) { \ +-- +2.43.0 + diff --git a/queue-6.9/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch b/queue-6.9/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..e36ad3f38d3 --- /dev/null +++ b/queue-6.9/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch @@ -0,0 +1,87 @@ +From 4239afccee099733e48bf2d2e5254f2983f0b1d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 08:33:13 +0000 +Subject: net: usb: smsc95xx: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit d50729f1d60bca822ef6d9c1a5fb28d486bd7593 ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +v3: also fix a sparse error ( https://lore.kernel.org/oe-kbuild-all/202405091310.KvncIecx-lkp@intel.com/ ) +v2: leave the skb_trim() game because smsc95xx_rx_csum_offload() + needs the csum part. (Jakub) + While we are it, use get_unaligned() in smsc95xx_rx_csum_offload(). + +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Eric Dumazet +Cc: Steve Glendinning +Cc: UNGLinuxDriver@microchip.com +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509083313.2113832-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 2fa46baa589e5..cbea246664795 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1810,9 +1810,11 @@ static int smsc95xx_reset_resume(struct usb_interface *intf) + + static void smsc95xx_rx_csum_offload(struct sk_buff *skb) + { +- skb->csum = *(u16 *)(skb_tail_pointer(skb) - 2); ++ u16 *csum_ptr = (u16 *)(skb_tail_pointer(skb) - 2); ++ ++ skb->csum = (__force __wsum)get_unaligned(csum_ptr); + skb->ip_summed = CHECKSUM_COMPLETE; +- skb_trim(skb, skb->len - 2); ++ skb_trim(skb, skb->len - 2); /* remove csum */ + } + + static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) +@@ -1870,25 +1872,22 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(skb); + skb_trim(skb, skb->len - 4); /* remove fcs */ +- skb->truesize = size + sizeof(struct sk_buff); + + return 1; + } + +- ax_skb = skb_clone(skb, GFP_ATOMIC); ++ ax_skb = netdev_alloc_skb_ip_align(dev->net, size); + if (unlikely(!ax_skb)) { + netdev_warn(dev->net, "Error allocating skb\n"); + return 0; + } + +- ax_skb->len = size; +- ax_skb->data = packet; +- skb_set_tail_pointer(ax_skb, size); ++ skb_put(ax_skb, size); ++ memcpy(ax_skb->data, packet, size); + + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(ax_skb); + skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */ +- ax_skb->truesize = size + sizeof(struct sk_buff); + + usbnet_skb_return(dev, ax_skb); + } +-- +2.43.0 + diff --git a/queue-6.9/net-usb-sr9700-stop-lying-about-skb-truesize.patch b/queue-6.9/net-usb-sr9700-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..ca0f00bbf23 --- /dev/null +++ b/queue-6.9/net-usb-sr9700-stop-lying-about-skb-truesize.patch @@ -0,0 +1,59 @@ +From 4e85d5045cb4390eeffc4102ae924be1a2194d33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 14:39:39 +0000 +Subject: net: usb: sr9700: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 05417aa9c0c038da2464a0c504b9d4f99814a23b ] + +Some usb drivers set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240506143939.3673865-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 3164451e1010c..0a662e42ed965 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -421,19 +421,15 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + skb_pull(skb, 3); + skb->len = len; + skb_set_tail_pointer(skb, len); +- skb->truesize = len + sizeof(struct sk_buff); + return 2; + } + +- /* skb_clone is used for address align */ +- sr_skb = skb_clone(skb, GFP_ATOMIC); ++ sr_skb = netdev_alloc_skb_ip_align(dev->net, len); + if (!sr_skb) + return 0; + +- sr_skb->len = len; +- sr_skb->data = skb->data + 3; +- skb_set_tail_pointer(sr_skb, len); +- sr_skb->truesize = len + sizeof(struct sk_buff); ++ skb_put(sr_skb, len); ++ memcpy(sr_skb->data, skb->data + 3, len); + usbnet_skb_return(dev, sr_skb); + + skb_pull(skb, len + SR_RX_OVERHEAD); +-- +2.43.0 + diff --git a/queue-6.9/net-wangxun-fix-to-change-rx-features.patch b/queue-6.9/net-wangxun-fix-to-change-rx-features.patch new file mode 100644 index 00000000000..19843e1e115 --- /dev/null +++ b/queue-6.9/net-wangxun-fix-to-change-rx-features.patch @@ -0,0 +1,47 @@ +From cfa12765c333bb7ac7daf94ff0d7849662503b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 14:51:38 +0800 +Subject: net: wangxun: fix to change Rx features + +From: Jiawen Wu + +[ Upstream commit 68067f065ee730c7c67b361c3c81808d25d5a90b ] + +Fix the issue where some Rx features cannot be changed. + +When using ethtool -K to turn off rx offload, it returns error and +displays "Could not change any device features". And netdev->features +is not assigned a new value to actually configure the hardware. + +Fixes: 6dbedcffcf54 ("net: libwx: Implement xx_set_features ops") +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +index 6fae161cbcb82..667a5675998cb 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -2690,12 +2690,14 @@ int wx_set_features(struct net_device *netdev, netdev_features_t features) + wx->rss_enabled = false; + } + ++ netdev->features = features; ++ + if (changed & + (NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX)) + wx_set_rx_mode(netdev); + +- return 1; ++ return 0; + } + EXPORT_SYMBOL(wx_set_features); + +-- +2.43.0 + diff --git a/queue-6.9/net-wangxun-match-vlan-ctag-and-stag-features.patch b/queue-6.9/net-wangxun-match-vlan-ctag-and-stag-features.patch new file mode 100644 index 00000000000..8f7fa932b9f --- /dev/null +++ b/queue-6.9/net-wangxun-match-vlan-ctag-and-stag-features.patch @@ -0,0 +1,123 @@ +From 823cc1d83d0529acf6f084b0dba148cbe9d151e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 14:51:39 +0800 +Subject: net: wangxun: match VLAN CTAG and STAG features + +From: Jiawen Wu + +[ Upstream commit ac71ab7816b675f1c9614015bd87bfccb456c394 ] + +Hardware requires VLAN CTAG and STAG configuration always matches. And +whether VLAN CTAG or STAG changes, the configuration needs to be changed +as well. + +Fixes: 6670f1ece2c8 ("net: txgbe: Add netdev features support") +Signed-off-by: Jiawen Wu +Reviewed-by: Sai Krishna +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 46 +++++++++++++++++++ + drivers/net/ethernet/wangxun/libwx/wx_lib.h | 2 + + drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 1 + + .../net/ethernet/wangxun/txgbe/txgbe_main.c | 1 + + 4 files changed, 50 insertions(+) + +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +index 667a5675998cb..d0cb09a4bd3d4 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -2701,6 +2701,52 @@ int wx_set_features(struct net_device *netdev, netdev_features_t features) + } + EXPORT_SYMBOL(wx_set_features); + ++#define NETIF_VLAN_STRIPPING_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \ ++ NETIF_F_HW_VLAN_STAG_RX) ++ ++#define NETIF_VLAN_INSERTION_FEATURES (NETIF_F_HW_VLAN_CTAG_TX | \ ++ NETIF_F_HW_VLAN_STAG_TX) ++ ++#define NETIF_VLAN_FILTERING_FEATURES (NETIF_F_HW_VLAN_CTAG_FILTER | \ ++ NETIF_F_HW_VLAN_STAG_FILTER) ++ ++netdev_features_t wx_fix_features(struct net_device *netdev, ++ netdev_features_t features) ++{ ++ netdev_features_t changed = netdev->features ^ features; ++ struct wx *wx = netdev_priv(netdev); ++ ++ if (changed & NETIF_VLAN_STRIPPING_FEATURES) { ++ if ((features & NETIF_VLAN_STRIPPING_FEATURES) != NETIF_VLAN_STRIPPING_FEATURES && ++ (features & NETIF_VLAN_STRIPPING_FEATURES) != 0) { ++ features &= ~NETIF_VLAN_STRIPPING_FEATURES; ++ features |= netdev->features & NETIF_VLAN_STRIPPING_FEATURES; ++ wx_err(wx, "802.1Q and 802.1ad VLAN stripping must be either both on or both off."); ++ } ++ } ++ ++ if (changed & NETIF_VLAN_INSERTION_FEATURES) { ++ if ((features & NETIF_VLAN_INSERTION_FEATURES) != NETIF_VLAN_INSERTION_FEATURES && ++ (features & NETIF_VLAN_INSERTION_FEATURES) != 0) { ++ features &= ~NETIF_VLAN_INSERTION_FEATURES; ++ features |= netdev->features & NETIF_VLAN_INSERTION_FEATURES; ++ wx_err(wx, "802.1Q and 802.1ad VLAN insertion must be either both on or both off."); ++ } ++ } ++ ++ if (changed & NETIF_VLAN_FILTERING_FEATURES) { ++ if ((features & NETIF_VLAN_FILTERING_FEATURES) != NETIF_VLAN_FILTERING_FEATURES && ++ (features & NETIF_VLAN_FILTERING_FEATURES) != 0) { ++ features &= ~NETIF_VLAN_FILTERING_FEATURES; ++ features |= netdev->features & NETIF_VLAN_FILTERING_FEATURES; ++ wx_err(wx, "802.1Q and 802.1ad VLAN filtering must be either both on or both off."); ++ } ++ } ++ ++ return features; ++} ++EXPORT_SYMBOL(wx_fix_features); ++ + void wx_set_ring(struct wx *wx, u32 new_tx_count, + u32 new_rx_count, struct wx_ring *temp_ring) + { +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.h b/drivers/net/ethernet/wangxun/libwx/wx_lib.h +index ec909e876720c..c41b29ea812ff 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.h +@@ -30,6 +30,8 @@ int wx_setup_resources(struct wx *wx); + void wx_get_stats64(struct net_device *netdev, + struct rtnl_link_stats64 *stats); + int wx_set_features(struct net_device *netdev, netdev_features_t features); ++netdev_features_t wx_fix_features(struct net_device *netdev, ++ netdev_features_t features); + void wx_set_ring(struct wx *wx, u32 new_tx_count, + u32 new_rx_count, struct wx_ring *temp_ring); + +diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c +index fdd6b4f70b7a5..e894e01d030d1 100644 +--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c ++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c +@@ -499,6 +499,7 @@ static const struct net_device_ops ngbe_netdev_ops = { + .ndo_start_xmit = wx_xmit_frame, + .ndo_set_rx_mode = wx_set_rx_mode, + .ndo_set_features = wx_set_features, ++ .ndo_fix_features = wx_fix_features, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = wx_set_mac, + .ndo_get_stats64 = wx_get_stats64, +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c +index bd4624d14ca03..b3c0058b045da 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c +@@ -428,6 +428,7 @@ static const struct net_device_ops txgbe_netdev_ops = { + .ndo_start_xmit = wx_xmit_frame, + .ndo_set_rx_mode = wx_set_rx_mode, + .ndo_set_features = wx_set_features, ++ .ndo_fix_features = wx_fix_features, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = wx_set_mac, + .ndo_get_stats64 = wx_get_stats64, +-- +2.43.0 + diff --git a/queue-6.9/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch b/queue-6.9/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch new file mode 100644 index 00000000000..f638d6c3208 --- /dev/null +++ b/queue-6.9/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch @@ -0,0 +1,192 @@ +From 151855c4f7e6e51a6dc5c21f591fca2328528853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:29:34 +0000 +Subject: netrom: fix possible dead-lock in nr_rt_ioctl() + +From: Eric Dumazet + +[ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ] + +syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1] + +Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node) + +[1] +WARNING: possible circular locking dependency detected +6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted +------------------------------------------------------ +syz-executor350/5129 is trying to acquire lock: + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + +but task is already holding lock: + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (nr_node_list_lock){+...}-{2:2}: + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_remove_node net/netrom/nr_route.c:299 [inline] + nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 + nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +-> #0 (&nr_node->node_lock){+...}-{2:2}: + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + + *** DEADLOCK *** + +1 lock held by syz-executor350/5129: + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +stack backtrace: +CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240515142934.3708038-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 70480869ad1c5..bd2b17b219ae9 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -285,22 +285,14 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, + return 0; + } + +-static inline void __nr_remove_node(struct nr_node *nr_node) ++static void nr_remove_node_locked(struct nr_node *nr_node) + { ++ lockdep_assert_held(&nr_node_list_lock); ++ + hlist_del_init(&nr_node->node_node); + nr_node_put(nr_node); + } + +-#define nr_remove_node_locked(__node) \ +- __nr_remove_node(__node) +- +-static void nr_remove_node(struct nr_node *nr_node) +-{ +- spin_lock_bh(&nr_node_list_lock); +- __nr_remove_node(nr_node); +- spin_unlock_bh(&nr_node_list_lock); +-} +- + static inline void __nr_remove_neigh(struct nr_neigh *nr_neigh) + { + hlist_del_init(&nr_neigh->neigh_node); +@@ -339,6 +331,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + return -EINVAL; + } + ++ spin_lock_bh(&nr_node_list_lock); + nr_node_lock(nr_node); + for (i = 0; i < nr_node->count; i++) { + if (nr_node->routes[i].neighbour == nr_neigh) { +@@ -352,7 +345,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node->count--; + + if (nr_node->count == 0) { +- nr_remove_node(nr_node); ++ nr_remove_node_locked(nr_node); + } else { + switch (i) { + case 0: +@@ -367,12 +360,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node_put(nr_node); + } + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + + return 0; + } + } + nr_neigh_put(nr_neigh); + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + nr_node_put(nr_node); + + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.9/nfsd-don-t-create-nfsv4recoverydir-in-nfsdfs-when-no.patch b/queue-6.9/nfsd-don-t-create-nfsv4recoverydir-in-nfsdfs-when-no.patch new file mode 100644 index 00000000000..07b19eb0bcf --- /dev/null +++ b/queue-6.9/nfsd-don-t-create-nfsv4recoverydir-in-nfsdfs-when-no.patch @@ -0,0 +1,68 @@ +From 919645e1c5df97fe0cac8f3921d47843fb78b658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 07:23:02 +1000 +Subject: nfsd: don't create nfsv4recoverydir in nfsdfs when not used. + +From: NeilBrown + +[ Upstream commit 0770249b90f9d9f69714b76adc36cf6c895bc1f9 ] + +When CONFIG_NFSD_LEGACY_CLIENT_TRACKING is not set, the virtual file + /proc/fs/nfsd/nfsv4recoverydir +is created but responds EINVAL to any access. +This is not useful, is somewhat surprising, and it causes ltp to +complain. + +The only known user of this file is in nfs-utils, which handles +non-existence and read-failure equally well. So there is nothing to +gain from leaving the file present but inaccessible. + +So this patch removes the file when its content is not available - i.e. +when that config option is not selected. + +Also remove the #ifdef which hides some of the enum values when +CONFIG_NFSD_V$ not selection. simple_fill_super() quietly ignores array +entries that are not present, so having slots in the array that don't +get used is perfectly acceptable. So there is no value in this #ifdef. + +Reported-by: Petr Vorel +Reviewed-by: Jeff Layton +Fixes: 74fd48739d04 ("nfsd: new Kconfig option for legacy client tracking") +Signed-off-by: NeilBrown +Reviewed-by: Petr Vorel +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index ecd18bffeebc7..4d23bb1d08c0a 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -48,12 +48,10 @@ enum { + NFSD_MaxBlkSize, + NFSD_MaxConnections, + NFSD_Filecache, +-#ifdef CONFIG_NFSD_V4 + NFSD_Leasetime, + NFSD_Gracetime, + NFSD_RecoveryDir, + NFSD_V4EndGrace, +-#endif + NFSD_MaxReserved + }; + +@@ -1360,7 +1358,9 @@ static int nfsd_fill_super(struct super_block *sb, struct fs_context *fc) + #ifdef CONFIG_NFSD_V4 + [NFSD_Leasetime] = {"nfsv4leasetime", &transaction_ops, S_IWUSR|S_IRUSR}, + [NFSD_Gracetime] = {"nfsv4gracetime", &transaction_ops, S_IWUSR|S_IRUSR}, ++#ifdef CONFIG_NFSD_LEGACY_CLIENT_TRACKING + [NFSD_RecoveryDir] = {"nfsv4recoverydir", &transaction_ops, S_IWUSR|S_IRUSR}, ++#endif + [NFSD_V4EndGrace] = {"v4_end_grace", &transaction_ops, S_IWUSR|S_IRUGO}, + #endif + /* last one */ {""} +-- +2.43.0 + diff --git a/queue-6.9/nilfs2-fix-out-of-range-warning.patch b/queue-6.9/nilfs2-fix-out-of-range-warning.patch new file mode 100644 index 00000000000..55bedf82bb2 --- /dev/null +++ b/queue-6.9/nilfs2-fix-out-of-range-warning.patch @@ -0,0 +1,45 @@ +From 45bfda3cdc2fa16ab28d2e472b1f1c8effb6bd22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:44 +0100 +Subject: nilfs2: fix out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ] + +clang-14 points out that v_size is always smaller than a 64KB +page size if that is configured by the CPU architecture: + +fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (argv->v_size > PAGE_SIZE) + ~~~~~~~~~~~~ ^ ~~~~~~~~~ + +This is ok, so just shut up that warning with a cast. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org +Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl") +Acked-by: Ryusuke Konishi +Reviewed-by: Justin Stitt +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/nilfs2/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c +index f1a01c191cf53..8be471ce4f195 100644 +--- a/fs/nilfs2/ioctl.c ++++ b/fs/nilfs2/ioctl.c +@@ -60,7 +60,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, + if (argv->v_nmembs == 0) + return 0; + +- if (argv->v_size > PAGE_SIZE) ++ if ((size_t)argv->v_size > PAGE_SIZE) + return -EINVAL; + + /* +-- +2.43.0 + diff --git a/queue-6.9/nilfs2-make-superblock-data-array-index-computation-.patch b/queue-6.9/nilfs2-make-superblock-data-array-index-computation-.patch new file mode 100644 index 00000000000..6db48ae60eb --- /dev/null +++ b/queue-6.9/nilfs2-make-superblock-data-array-index-computation-.patch @@ -0,0 +1,73 @@ +From 5017482ff3b29550015cce7f81279dc69aefd6fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 17:00:19 +0900 +Subject: nilfs2: make superblock data array index computation sparse friendly + +From: Ryusuke Konishi + +[ Upstream commit 91d743a9c8299de1fc1b47428d8bb4c85face00f ] + +Upon running sparse, "warning: dubious: x & !y" is output at an array +index calculation within nilfs_load_super_block(). + +The calculation is not wrong, but to eliminate the sparse warning, replace +it with an equivalent calculation. + +Also, add a comment to make it easier to understand what the unintuitive +array index calculation is doing and whether it's correct. + +Link: https://lkml.kernel.org/r/20240430080019.4242-3-konishi.ryusuke@gmail.com +Fixes: e339ad31f599 ("nilfs2: introduce secondary super block") +Signed-off-by: Ryusuke Konishi +Cc: Bart Van Assche +Cc: Jens Axboe +Cc: kernel test robot +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/the_nilfs.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index 2ae2c1bbf6d17..adbc6e87471ab 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -592,7 +592,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs, + struct nilfs_super_block **sbp = nilfs->ns_sbp; + struct buffer_head **sbh = nilfs->ns_sbh; + u64 sb2off, devsize = bdev_nr_bytes(nilfs->ns_bdev); +- int valid[2], swp = 0; ++ int valid[2], swp = 0, older; + + if (devsize < NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096) { + nilfs_err(sb, "device size too small"); +@@ -648,9 +648,25 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs, + if (swp) + nilfs_swap_super_block(nilfs); + ++ /* ++ * Calculate the array index of the older superblock data. ++ * If one has been dropped, set index 0 pointing to the remaining one, ++ * otherwise set index 1 pointing to the old one (including if both ++ * are the same). ++ * ++ * Divided case valid[0] valid[1] swp -> older ++ * ------------------------------------------------------------- ++ * Both SBs are invalid 0 0 N/A (Error) ++ * SB1 is invalid 0 1 1 0 ++ * SB2 is invalid 1 0 0 0 ++ * SB2 is newer 1 1 1 0 ++ * SB2 is older or the same 1 1 0 1 ++ */ ++ older = valid[1] ^ swp; ++ + nilfs->ns_sbwcount = 0; + nilfs->ns_sbwtime = le64_to_cpu(sbp[0]->s_wtime); +- nilfs->ns_prot_seq = le64_to_cpu(sbp[valid[1] & !swp]->s_last_seq); ++ nilfs->ns_prot_seq = le64_to_cpu(sbp[older]->s_last_seq); + *sbpp = sbp[0]; + return 0; + } +-- +2.43.0 + diff --git a/queue-6.9/null_blk-fix-missing-mutex_destroy-at-module-removal.patch b/queue-6.9/null_blk-fix-missing-mutex_destroy-at-module-removal.patch new file mode 100644 index 00000000000..a191a7b2a8d --- /dev/null +++ b/queue-6.9/null_blk-fix-missing-mutex_destroy-at-module-removal.patch @@ -0,0 +1,37 @@ +From 858c1708b3c0f58a2602972c4d785c77f8d68a6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 19:16:35 +0200 +Subject: null_blk: Fix missing mutex_destroy() at module removal + +From: Zhu Yanjun + +[ Upstream commit 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 ] + +When a mutex lock is not used any more, the function mutex_destroy +should be called to mark the mutex lock uninitialized. + +Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240425171635.4227-1-yanjun.zhu@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index ed33cf7192d21..eed63f95e89d0 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -2113,6 +2113,8 @@ static void __exit null_exit(void) + + if (tag_set.ops) + blk_mq_free_tag_set(&tag_set); ++ ++ mutex_destroy(&lock); + } + + module_init(null_init); +-- +2.43.0 + diff --git a/queue-6.9/of-module-add-buffer-overflow-check-in-of_modalias.patch b/queue-6.9/of-module-add-buffer-overflow-check-in-of_modalias.patch new file mode 100644 index 00000000000..b5ee69eac36 --- /dev/null +++ b/queue-6.9/of-module-add-buffer-overflow-check-in-of_modalias.patch @@ -0,0 +1,50 @@ +From c51e5acd7bf5303cfe59ea375301e527f70bd04d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 11:51:39 +0300 +Subject: of: module: add buffer overflow check in of_modalias() + +From: Sergey Shtylyov + +[ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ] + +In of_modalias(), if the buffer happens to be too small even for the 1st +snprintf() call, the len parameter will become negative and str parameter +(if not NULL initially) will point beyond the buffer's end. Add the buffer +overflow check after the 1st snprintf() call and fix such check after the +strlen() call (accounting for the terminating NUL char). + +Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/module.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/of/module.c b/drivers/of/module.c +index f58e624953a20..780fd82a7ecc5 100644 +--- a/drivers/of/module.c ++++ b/drivers/of/module.c +@@ -29,14 +29,15 @@ ssize_t of_modalias(const struct device_node *np, char *str, ssize_t len) + csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T', + of_node_get_device_type(np)); + tsize = csize; ++ if (csize >= len) ++ csize = len > 0 ? len - 1 : 0; + len -= csize; +- if (str) +- str += csize; ++ str += csize; + + of_property_for_each_string(np, "compatible", p, compat) { + csize = strlen(compat) + 1; + tsize += csize; +- if (csize > len) ++ if (csize >= len) + continue; + + csize = snprintf(str, len, "C%s", compat); +-- +2.43.0 + diff --git a/queue-6.9/openpromfs-finish-conversion-to-the-new-mount-api.patch b/queue-6.9/openpromfs-finish-conversion-to-the-new-mount-api.patch new file mode 100644 index 00000000000..5167ac4e0c5 --- /dev/null +++ b/queue-6.9/openpromfs-finish-conversion-to-the-new-mount-api.patch @@ -0,0 +1,58 @@ +From b587d36e17dd5ab60338ee405a80c4833a284cdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 16:33:11 -0600 +Subject: openpromfs: finish conversion to the new mount API + +From: Eric Sandeen + +[ Upstream commit 8f27829974b025d4df2e78894105d75e3bf349f0 ] + +The original mount API conversion inexplicably left out the change +from ->remount_fs to ->reconfigure; do that now. + +Fixes: 7ab2fa7693c3 ("vfs: Convert openpromfs to use the new mount API") +Signed-off-by: Eric Sandeen +Link: https://lore.kernel.org/r/90b968aa-c979-420f-ba37-5acc3391b28f@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/openpromfs/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c +index 4a0779e3ef792..a7b527ea50d3c 100644 +--- a/fs/openpromfs/inode.c ++++ b/fs/openpromfs/inode.c +@@ -355,10 +355,10 @@ static struct inode *openprom_iget(struct super_block *sb, ino_t ino) + return inode; + } + +-static int openprom_remount(struct super_block *sb, int *flags, char *data) ++static int openpromfs_reconfigure(struct fs_context *fc) + { +- sync_filesystem(sb); +- *flags |= SB_NOATIME; ++ sync_filesystem(fc->root->d_sb); ++ fc->sb_flags |= SB_NOATIME; + return 0; + } + +@@ -366,7 +366,6 @@ static const struct super_operations openprom_sops = { + .alloc_inode = openprom_alloc_inode, + .free_inode = openprom_free_inode, + .statfs = simple_statfs, +- .remount_fs = openprom_remount, + }; + + static int openprom_fill_super(struct super_block *s, struct fs_context *fc) +@@ -415,6 +414,7 @@ static int openpromfs_get_tree(struct fs_context *fc) + + static const struct fs_context_operations openpromfs_context_ops = { + .get_tree = openpromfs_get_tree, ++ .reconfigure = openpromfs_reconfigure, + }; + + static int openpromfs_init_fs_context(struct fs_context *fc) +-- +2.43.0 + diff --git a/queue-6.9/openrisc-traps-don-t-send-signals-to-kernel-mode-thr.patch b/queue-6.9/openrisc-traps-don-t-send-signals-to-kernel-mode-thr.patch new file mode 100644 index 00000000000..9e6a78463db --- /dev/null +++ b/queue-6.9/openrisc-traps-don-t-send-signals-to-kernel-mode-thr.patch @@ -0,0 +1,91 @@ +From bf133d0582a11c9511b4c916e07eb10439b0177e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 14:42:49 +0000 +Subject: openrisc: traps: Don't send signals to kernel mode threads + +From: Stafford Horne + +[ Upstream commit c88cfb5cea5f8f9868ef02cc9ce9183a26dcf20f ] + +OpenRISC exception handling sends signals to user processes on floating +point exceptions and trap instructions (for debugging) among others. +There is a bug where the trap handling logic may send signals to kernel +threads, we should not send these signals to kernel threads, if that +happens we treat it as an error. + +This patch adds conditions to die if the kernel receives these +exceptions in kernel mode code. + +Fixes: 27267655c531 ("openrisc: Support floating point user api") +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/traps.c | 48 ++++++++++++++++++++++-------------- + 1 file changed, 29 insertions(+), 19 deletions(-) + +diff --git a/arch/openrisc/kernel/traps.c b/arch/openrisc/kernel/traps.c +index 9370888c9a7e3..90554a5558fbc 100644 +--- a/arch/openrisc/kernel/traps.c ++++ b/arch/openrisc/kernel/traps.c +@@ -180,29 +180,39 @@ asmlinkage void unhandled_exception(struct pt_regs *regs, int ea, int vector) + + asmlinkage void do_fpe_trap(struct pt_regs *regs, unsigned long address) + { +- int code = FPE_FLTUNK; +- unsigned long fpcsr = regs->fpcsr; +- +- if (fpcsr & SPR_FPCSR_IVF) +- code = FPE_FLTINV; +- else if (fpcsr & SPR_FPCSR_OVF) +- code = FPE_FLTOVF; +- else if (fpcsr & SPR_FPCSR_UNF) +- code = FPE_FLTUND; +- else if (fpcsr & SPR_FPCSR_DZF) +- code = FPE_FLTDIV; +- else if (fpcsr & SPR_FPCSR_IXF) +- code = FPE_FLTRES; +- +- /* Clear all flags */ +- regs->fpcsr &= ~SPR_FPCSR_ALLF; +- +- force_sig_fault(SIGFPE, code, (void __user *)regs->pc); ++ if (user_mode(regs)) { ++ int code = FPE_FLTUNK; ++ unsigned long fpcsr = regs->fpcsr; ++ ++ if (fpcsr & SPR_FPCSR_IVF) ++ code = FPE_FLTINV; ++ else if (fpcsr & SPR_FPCSR_OVF) ++ code = FPE_FLTOVF; ++ else if (fpcsr & SPR_FPCSR_UNF) ++ code = FPE_FLTUND; ++ else if (fpcsr & SPR_FPCSR_DZF) ++ code = FPE_FLTDIV; ++ else if (fpcsr & SPR_FPCSR_IXF) ++ code = FPE_FLTRES; ++ ++ /* Clear all flags */ ++ regs->fpcsr &= ~SPR_FPCSR_ALLF; ++ ++ force_sig_fault(SIGFPE, code, (void __user *)regs->pc); ++ } else { ++ pr_emerg("KERNEL: Illegal fpe exception 0x%.8lx\n", regs->pc); ++ die("Die:", regs, SIGFPE); ++ } + } + + asmlinkage void do_trap(struct pt_regs *regs, unsigned long address) + { +- force_sig_fault(SIGTRAP, TRAP_BRKPT, (void __user *)regs->pc); ++ if (user_mode(regs)) { ++ force_sig_fault(SIGTRAP, TRAP_BRKPT, (void __user *)regs->pc); ++ } else { ++ pr_emerg("KERNEL: Illegal trap exception 0x%.8lx\n", regs->pc); ++ die("Die:", regs, SIGILL); ++ } + } + + asmlinkage void do_unaligned_access(struct pt_regs *regs, unsigned long address) +-- +2.43.0 + diff --git a/queue-6.9/openrisc-use-do_kernel_power_off.patch b/queue-6.9/openrisc-use-do_kernel_power_off.patch new file mode 100644 index 00000000000..29e7a292882 --- /dev/null +++ b/queue-6.9/openrisc-use-do_kernel_power_off.patch @@ -0,0 +1,58 @@ +From 821c1c4f94c8b6fc345583cda54d1730df3a28df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 16:29:08 +0000 +Subject: openrisc: Use do_kernel_power_off() + +From: Stafford Horne + +[ Upstream commit c94195a34e09dacfe2feef03602c911e82f49994 ] + +After commit 14c5678720bd ("power: reset: syscon-poweroff: Use +devm_register_sys_off_handler(POWER_OFF)") setting up of pm_power_off +was removed from the driver, this causes OpenRISC platforms using +syscon-poweroff to no longer shutdown. + +The kernel now supports chained power-off handlers. Use +do_kernel_power_off() that invokes chained power-off handlers. All +architectures have moved away from using pm_power_off except OpenRISC. + +This patch migrates openrisc to use do_kernel_power_off() instead of the +legacy pm_power_off(). + +Fixes: 14c5678720bd ("power: reset: syscon-poweroff: Use devm_register_sys_off_handler(POWER_OFF)") +Signed-off-by: Stafford Horne +Reviewed-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/process.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/arch/openrisc/kernel/process.c b/arch/openrisc/kernel/process.c +index 86e02929f3ace..3c27d1c727189 100644 +--- a/arch/openrisc/kernel/process.c ++++ b/arch/openrisc/kernel/process.c +@@ -65,7 +65,7 @@ void machine_restart(char *cmd) + } + + /* +- * This is used if pm_power_off has not been set by a power management ++ * This is used if a sys-off handler was not set by a power management + * driver, in this case we can assume we are on a simulator. On + * OpenRISC simulators l.nop 1 will trigger the simulator exit. + */ +@@ -89,10 +89,8 @@ void machine_halt(void) + void machine_power_off(void) + { + printk(KERN_INFO "*** MACHINE POWER OFF ***\n"); +- if (pm_power_off != NULL) +- pm_power_off(); +- else +- default_power_off(); ++ do_kernel_power_off(); ++ default_power_off(); + } + + /* +-- +2.43.0 + diff --git a/queue-6.9/parisc-add-missing-export-of-__cmpxchg_u8.patch b/queue-6.9/parisc-add-missing-export-of-__cmpxchg_u8.patch new file mode 100644 index 00000000000..68e3082b584 --- /dev/null +++ b/queue-6.9/parisc-add-missing-export-of-__cmpxchg_u8.patch @@ -0,0 +1,36 @@ +From e38f85e8b55f8e91be304a8f6bbf30495ac7673c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 22:35:54 -0400 +Subject: parisc: add missing export of __cmpxchg_u8() + +From: Al Viro + +[ Upstream commit c57e5dccb06decf3cb6c272ab138c033727149b5 ] + +__cmpxchg_u8() had been added (initially) for the sake of +drivers/phy/ti/phy-tusb1210.c; the thing is, that drivers is +modular, so we need an export + +Fixes: b344d6a83d01 "parisc: add support for cmpxchg on u8 pointers" +Signed-off-by: Al Viro +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/parisc_ksyms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c +index 6f0c92e8149d8..dcf61cbd31470 100644 +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -22,6 +22,7 @@ EXPORT_SYMBOL(memset); + #include + EXPORT_SYMBOL(__xchg8); + EXPORT_SYMBOL(__xchg32); ++EXPORT_SYMBOL(__cmpxchg_u8); + EXPORT_SYMBOL(__cmpxchg_u32); + EXPORT_SYMBOL(__cmpxchg_u64); + #ifdef CONFIG_SMP +-- +2.43.0 + diff --git a/queue-6.9/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch b/queue-6.9/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch new file mode 100644 index 00000000000..5bc015d1c5b --- /dev/null +++ b/queue-6.9/platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch @@ -0,0 +1,95 @@ +From 0ba47d245481d8db8b93535dfba3a93439f0ac42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 16:30:57 +0200 +Subject: platform/x86: xiaomi-wmi: Fix race condition when reporting key + events + +From: Armin Wolf + +[ Upstream commit 290680c2da8061e410bcaec4b21584ed951479af ] + +Multiple WMI events can be received concurrently, so multiple instances +of xiaomi_wmi_notify() can be active at the same time. Since the input +device is shared between those handlers, the key input sequence can be +disturbed. + +Fix this by protecting the key input sequence with a mutex. + +Compile-tested only. + +Fixes: edb73f4f0247 ("platform/x86: wmi: add Xiaomi WMI key driver") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20240402143059.8456-2-W_Armin@gmx.de +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/xiaomi-wmi.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/platform/x86/xiaomi-wmi.c b/drivers/platform/x86/xiaomi-wmi.c +index 54a2546bb93bf..be80f0bda9484 100644 +--- a/drivers/platform/x86/xiaomi-wmi.c ++++ b/drivers/platform/x86/xiaomi-wmi.c +@@ -2,8 +2,10 @@ + /* WMI driver for Xiaomi Laptops */ + + #include ++#include + #include + #include ++#include + #include + + #include +@@ -20,12 +22,21 @@ + + struct xiaomi_wmi { + struct input_dev *input_dev; ++ struct mutex key_lock; /* Protects the key event sequence */ + unsigned int key_code; + }; + ++static void xiaomi_mutex_destroy(void *data) ++{ ++ struct mutex *lock = data; ++ ++ mutex_destroy(lock); ++} ++ + static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context) + { + struct xiaomi_wmi *data; ++ int ret; + + if (wdev == NULL || context == NULL) + return -EINVAL; +@@ -35,6 +46,11 @@ static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context) + return -ENOMEM; + dev_set_drvdata(&wdev->dev, data); + ++ mutex_init(&data->key_lock); ++ ret = devm_add_action_or_reset(&wdev->dev, xiaomi_mutex_destroy, &data->key_lock); ++ if (ret < 0) ++ return ret; ++ + data->input_dev = devm_input_allocate_device(&wdev->dev); + if (data->input_dev == NULL) + return -ENOMEM; +@@ -59,10 +75,12 @@ static void xiaomi_wmi_notify(struct wmi_device *wdev, union acpi_object *dummy) + if (data == NULL) + return; + ++ mutex_lock(&data->key_lock); + input_report_key(data->input_dev, data->key_code, 1); + input_sync(data->input_dev); + input_report_key(data->input_dev, data->key_code, 0); + input_sync(data->input_dev); ++ mutex_unlock(&data->key_lock); + } + + static const struct wmi_device_id xiaomi_wmi_id_table[] = { +-- +2.43.0 + diff --git a/queue-6.9/power-supply-core-simplify-charge_behaviour-formatti.patch b/queue-6.9/power-supply-core-simplify-charge_behaviour-formatti.patch new file mode 100644 index 00000000000..c6d0ddbe24c --- /dev/null +++ b/queue-6.9/power-supply-core-simplify-charge_behaviour-formatti.patch @@ -0,0 +1,73 @@ +From 8f0afc1c795ed3281c4691d4510be5d3368500bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:18:29 +0100 +Subject: power: supply: core: simplify charge_behaviour formatting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 91b623cda43e449a49177ba99b6723f551a4bfbe ] + +The function power_supply_show_charge_behaviour() is not needed and can +be removed completely. +Removing the function also saves a spurious read of the property from +the driver on each call. + +The convulted logic was a leftover from an earlier patch revision. +Some restructuring made this cleanup possible. + +Suggested-by: Hans de Goede +Link: https://lore.kernel.org/all/9e035ae4-cb07-4f84-8336-1a0050855bea@redhat.com/ +Fixes: 4e61f1e9d58f ("power: supply: core: fix charge_behaviour formatting") +Signed-off-by: Thomas Weißschuh +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20240329-power-supply-simplify-v1-1-416f1002739f@weissschuh.net +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/power_supply_sysfs.c | 20 ++------------------ + 1 file changed, 2 insertions(+), 18 deletions(-) + +diff --git a/drivers/power/supply/power_supply_sysfs.c b/drivers/power/supply/power_supply_sysfs.c +index 0d2c3724d0bc0..b86e11bdc07ef 100644 +--- a/drivers/power/supply/power_supply_sysfs.c ++++ b/drivers/power/supply/power_supply_sysfs.c +@@ -271,23 +271,6 @@ static ssize_t power_supply_show_usb_type(struct device *dev, + return count; + } + +-static ssize_t power_supply_show_charge_behaviour(struct device *dev, +- struct power_supply *psy, +- union power_supply_propval *value, +- char *buf) +-{ +- int ret; +- +- ret = power_supply_get_property(psy, +- POWER_SUPPLY_PROP_CHARGE_BEHAVIOUR, +- value); +- if (ret < 0) +- return ret; +- +- return power_supply_charge_behaviour_show(dev, psy->desc->charge_behaviours, +- value->intval, buf); +-} +- + static ssize_t power_supply_show_property(struct device *dev, + struct device_attribute *attr, + char *buf) { +@@ -321,7 +304,8 @@ static ssize_t power_supply_show_property(struct device *dev, + &value, buf); + break; + case POWER_SUPPLY_PROP_CHARGE_BEHAVIOUR: +- ret = power_supply_show_charge_behaviour(dev, psy, &value, buf); ++ ret = power_supply_charge_behaviour_show(dev, psy->desc->charge_behaviours, ++ value.intval, buf); + break; + case POWER_SUPPLY_PROP_MODEL_NAME ... POWER_SUPPLY_PROP_SERIAL_NUMBER: + ret = sysfs_emit(buf, "%s\n", value.strval); +-- +2.43.0 + diff --git a/queue-6.9/powerpc-fsl-soc-hide-unused-const-variable.patch b/queue-6.9/powerpc-fsl-soc-hide-unused-const-variable.patch new file mode 100644 index 00000000000..adfa62a768d --- /dev/null +++ b/queue-6.9/powerpc-fsl-soc-hide-unused-const-variable.patch @@ -0,0 +1,48 @@ +From b2d6bc10c4775c2253e782407ce2faebbbcbe7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:19 +0200 +Subject: powerpc/fsl-soc: hide unused const variable + +From: Arnd Bergmann + +[ Upstream commit 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 ] + +vmpic_msi_feature is only used conditionally, which triggers a rare +-Werror=unused-const-variable= warning with gcc: + +arch/powerpc/sysdev/fsl_msi.c:567:37: error: 'vmpic_msi_feature' defined but not used [-Werror=unused-const-variable=] + 567 | static const struct fsl_msi_feature vmpic_msi_feature = + +Hide this one in the same #ifdef as the reference so we can turn on +the warning by default. + +Fixes: 305bcf26128e ("powerpc/fsl-soc: use CONFIG_EPAPR_PARAVIRT for hcalls") +Signed-off-by: Arnd Bergmann +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240403080702.3509288-2-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/fsl_msi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index 8e6c84df4ca10..e205135ae1fea 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -564,10 +564,12 @@ static const struct fsl_msi_feature ipic_msi_feature = { + .msiir_offset = 0x38, + }; + ++#ifdef CONFIG_EPAPR_PARAVIRT + static const struct fsl_msi_feature vmpic_msi_feature = { + .fsl_pic_ip = FSL_PIC_IP_VMPIC, + .msiir_offset = 0, + }; ++#endif + + static const struct of_device_id fsl_of_msi_ids[] = { + { +-- +2.43.0 + diff --git a/queue-6.9/printk-let-no_printk-use-_printk.patch b/queue-6.9/printk-let-no_printk-use-_printk.patch new file mode 100644 index 00000000000..fdebc69fe1e --- /dev/null +++ b/queue-6.9/printk-let-no_printk-use-_printk.patch @@ -0,0 +1,55 @@ +From 8e0d57eef0310fe6db738c22f921c169ba34375a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 15:00:02 +0100 +Subject: printk: Let no_printk() use _printk() + +From: Geert Uytterhoeven + +[ Upstream commit 8522f6b760ca588928eede740d5d69dd1e936b49 ] + +When printk-indexing is enabled, each printk() invocation emits a +pi_entry structure, containing the format string and other information +related to its location in the kernel sources. This is even true for +no_printk(): while the actual code to print the message is optimized out +by the compiler due to the always-false check, the pi_entry structure is +still emitted. + +As the main purpose of no_printk() is to provide a helper to maintain +printf()-style format checking when debugging is disabled, this leads to +the inclusion in the index of lots of printk formats that cannot be +emitted by the current kernel. + +Fix this by switching no_printk() from printk() to _printk(). + +This reduces the size of an arm64 defconfig kernel with +CONFIG_PRINTK_INDEX=y by 576 KiB. + +Fixes: 337015573718b161 ("printk: Userspace format indexing support") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Andy Shevchenko +Reviewed-by: Xiubo Li +Reviewed-by: Chris Down +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/56cf92edccffea970e1f40a075334dd6cf5bb2a4.1709127473.git.geert+renesas@glider.be +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + include/linux/printk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/printk.h b/include/linux/printk.h +index 955e31860095e..2fde40cc96778 100644 +--- a/include/linux/printk.h ++++ b/include/linux/printk.h +@@ -126,7 +126,7 @@ struct va_format { + #define no_printk(fmt, ...) \ + ({ \ + if (0) \ +- printk(fmt, ##__VA_ARGS__); \ ++ _printk(fmt, ##__VA_ARGS__); \ + 0; \ + }) + +-- +2.43.0 + diff --git a/queue-6.9/ptp-ocp-fix-dpll-functions.patch b/queue-6.9/ptp-ocp-fix-dpll-functions.patch new file mode 100644 index 00000000000..b08494d2b73 --- /dev/null +++ b/queue-6.9/ptp-ocp-fix-dpll-functions.patch @@ -0,0 +1,55 @@ +From 95f2e3514b0fbfea138a844d863c877197b4fd89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 13:21:11 +0000 +Subject: ptp: ocp: fix DPLL functions + +From: Vadim Fedorenko + +[ Upstream commit a2c78977950da00aca83a3f8865d1f54e715770d ] + +In ptp_ocp driver pin actions assume sma_nr starts with 1, but for DPLL +subsystem callback 0-based index was used. Fix it providing proper index. + +Fixes: 09eeb3aecc6c ("ptp_ocp: implement DPLL ops") +Signed-off-by: Vadim Fedorenko +Link: https://lore.kernel.org/r/20240508132111.11545-1-vadim.fedorenko@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_ocp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c +index 6506cfb89aa94..ee2ced88ab34f 100644 +--- a/drivers/ptp/ptp_ocp.c ++++ b/drivers/ptp/ptp_ocp.c +@@ -4562,7 +4562,7 @@ static int ptp_ocp_dpll_direction_set(const struct dpll_pin *pin, + return -EOPNOTSUPP; + mode = direction == DPLL_PIN_DIRECTION_INPUT ? + SMA_MODE_IN : SMA_MODE_OUT; +- return ptp_ocp_sma_store_val(bp, 0, mode, sma_nr); ++ return ptp_ocp_sma_store_val(bp, 0, mode, sma_nr + 1); + } + + static int ptp_ocp_dpll_frequency_set(const struct dpll_pin *pin, +@@ -4583,7 +4583,7 @@ static int ptp_ocp_dpll_frequency_set(const struct dpll_pin *pin, + tbl = bp->sma_op->tbl[sma->mode]; + for (i = 0; tbl[i].name; i++) + if (tbl[i].frequency == frequency) +- return ptp_ocp_sma_store_val(bp, i, sma->mode, sma_nr); ++ return ptp_ocp_sma_store_val(bp, i, sma->mode, sma_nr + 1); + return -EINVAL; + } + +@@ -4600,7 +4600,7 @@ static int ptp_ocp_dpll_frequency_get(const struct dpll_pin *pin, + u32 val; + int i; + +- val = bp->sma_op->get(bp, sma_nr); ++ val = bp->sma_op->get(bp, sma_nr + 1); + tbl = bp->sma_op->tbl[sma->mode]; + for (i = 0; tbl[i].name; i++) + if (val == tbl[i].value) { +-- +2.43.0 + diff --git a/queue-6.9/pwm-meson-add-check-for-error-from-clk_round_rate.patch b/queue-6.9/pwm-meson-add-check-for-error-from-clk_round_rate.patch new file mode 100644 index 00000000000..08bab3dfd61 --- /dev/null +++ b/queue-6.9/pwm-meson-add-check-for-error-from-clk_round_rate.patch @@ -0,0 +1,62 @@ +From 7dbbd0fcb9f29df7b7cf067cdd5812a4c316623d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:12:52 +0300 +Subject: pwm: meson: Add check for error from clk_round_rate() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: George Stark + +[ Upstream commit 3e551115aee079931b82e1ec78c05f3d5033473f ] + +clk_round_rate() can return not only zero if requested frequency can not +be provided but also negative error code so add check for it too. + +Also change type of variable holding clk_round_rate() result from +unsigned long to long. It's safe due to clk_round_rate() returns long. + +Fixes: 329db102a26d ("pwm: meson: make full use of common clock framework") +Signed-off-by: Dmitry Rokosov +Signed-off-by: George Stark +Link: https://lore.kernel.org/r/20240425171253.2752877-3-gnstark@salutedevices.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-meson.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/pwm/pwm-meson.c b/drivers/pwm/pwm-meson.c +index a02fdbc612562..b5d5fe4669993 100644 +--- a/drivers/pwm/pwm-meson.c ++++ b/drivers/pwm/pwm-meson.c +@@ -147,7 +147,7 @@ static int meson_pwm_calc(struct pwm_chip *chip, struct pwm_device *pwm, + struct meson_pwm *meson = to_meson_pwm(chip); + struct meson_pwm_channel *channel = &meson->channels[pwm->hwpwm]; + unsigned int cnt, duty_cnt; +- unsigned long fin_freq; ++ long fin_freq; + u64 duty, period, freq; + + duty = state->duty_cycle; +@@ -167,12 +167,13 @@ static int meson_pwm_calc(struct pwm_chip *chip, struct pwm_device *pwm, + freq = ULONG_MAX; + + fin_freq = clk_round_rate(channel->clk, freq); +- if (fin_freq == 0) { +- dev_err(pwmchip_parent(chip), "invalid source clock frequency\n"); +- return -EINVAL; ++ if (fin_freq <= 0) { ++ dev_err(pwmchip_parent(chip), ++ "invalid source clock frequency %llu\n", freq); ++ return fin_freq ? fin_freq : -EINVAL; + } + +- dev_dbg(pwmchip_parent(chip), "fin_freq: %lu Hz\n", fin_freq); ++ dev_dbg(pwmchip_parent(chip), "fin_freq: %ld Hz\n", fin_freq); + + cnt = div_u64(fin_freq * period, NSEC_PER_SEC); + if (cnt > 0xffff) { +-- +2.43.0 + diff --git a/queue-6.9/pwm-meson-use-mul_u64_u64_div_u64-for-frequency-calc.patch b/queue-6.9/pwm-meson-use-mul_u64_u64_div_u64-for-frequency-calc.patch new file mode 100644 index 00000000000..408fca5b7d9 --- /dev/null +++ b/queue-6.9/pwm-meson-use-mul_u64_u64_div_u64-for-frequency-calc.patch @@ -0,0 +1,51 @@ +From 14556f9ea0e06a086c6d385c10f7c56741e4378f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 20:12:53 +0300 +Subject: pwm: meson: Use mul_u64_u64_div_u64() for frequency calculating +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: George Stark + +[ Upstream commit 32c44e1fa921aebf8a5ef9f778534a30aab39313 ] + +While calculating frequency for the given period u64 numbers are +multiplied before division what can lead to overflow in theory so use +secure mul_u64_u64_div_u64() which handles overflow correctly. + +Fixes: 329db102a26d ("pwm: meson: make full use of common clock framework") +Suggested-by: Uwe Kleine-König +Signed-off-by: George Stark +Link: https://lore.kernel.org/r/20240425171253.2752877-4-gnstark@salutedevices.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-meson.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-meson.c b/drivers/pwm/pwm-meson.c +index b5d5fe4669993..e12b6ff70baba 100644 +--- a/drivers/pwm/pwm-meson.c ++++ b/drivers/pwm/pwm-meson.c +@@ -175,7 +175,7 @@ static int meson_pwm_calc(struct pwm_chip *chip, struct pwm_device *pwm, + + dev_dbg(pwmchip_parent(chip), "fin_freq: %ld Hz\n", fin_freq); + +- cnt = div_u64(fin_freq * period, NSEC_PER_SEC); ++ cnt = mul_u64_u64_div_u64(fin_freq, period, NSEC_PER_SEC); + if (cnt > 0xffff) { + dev_err(pwmchip_parent(chip), "unable to get period cnt\n"); + return -EINVAL; +@@ -190,7 +190,7 @@ static int meson_pwm_calc(struct pwm_chip *chip, struct pwm_device *pwm, + channel->hi = 0; + channel->lo = cnt; + } else { +- duty_cnt = div_u64(fin_freq * duty, NSEC_PER_SEC); ++ duty_cnt = mul_u64_u64_div_u64(fin_freq, duty, NSEC_PER_SEC); + + dev_dbg(pwmchip_parent(chip), "duty=%llu duty_cnt=%u\n", duty, duty_cnt); + +-- +2.43.0 + diff --git a/queue-6.9/pwm-sti-simplify-probe-function-using-devm-functions.patch b/queue-6.9/pwm-sti-simplify-probe-function-using-devm-functions.patch new file mode 100644 index 00000000000..9f28c78bf09 --- /dev/null +++ b/queue-6.9/pwm-sti-simplify-probe-function-using-devm-functions.patch @@ -0,0 +1,115 @@ +From 63bde4e03ac9f426fbf20687eedcbfd71a963f00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Mar 2024 12:00:54 +0100 +Subject: pwm: sti: Simplify probe function using devm functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5bb0b194aeee5d5da6881232f4e9989b35957c25 ] + +Instead of of_clk_get_by_name() use devm_clk_get_prepared() which has +several advantages: + + - Combines getting the clock and a call to clk_prepare(). The latter + can be dropped from sti_pwm_probe() accordingly. + - Cares for calling clk_put() which is missing in both probe's error + path and the remove function. + - Cares for calling clk_unprepare() which can be dropped from the error + paths and the remove function. (Note that not all error path got this + right.) + +With additionally using devm_pwmchip_add() instead of pwmchip_add() the +remove callback can be dropped completely. With it the last user of +platform_get_drvdata() goes away and so platform_set_drvdata() can be +dropped from the probe function, too. + +Fixes: 378fe115d19d ("pwm: sti: Add new driver for ST's PWM IP") +Link: https://lore.kernel.org/r/81f0e1d173652f435afda6719adaed1922fe059a.1710068192.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 39 +++------------------------------------ + 1 file changed, 3 insertions(+), 36 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index 39d80da0e14af..f07b1126e7a81 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -624,32 +624,20 @@ static int sti_pwm_probe(struct platform_device *pdev) + return ret; + + if (cdata->pwm_num_devs) { +- pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm"); ++ pc->pwm_clk = devm_clk_get_prepared(dev, "pwm"); + if (IS_ERR(pc->pwm_clk)) { + dev_err(dev, "failed to get PWM clock\n"); + return PTR_ERR(pc->pwm_clk); + } +- +- ret = clk_prepare(pc->pwm_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; +- } + } + + if (cdata->cpt_num_devs) { +- pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture"); ++ pc->cpt_clk = devm_clk_get_prepared(dev, "capture"); + if (IS_ERR(pc->cpt_clk)) { + dev_err(dev, "failed to get PWM capture clock\n"); + return PTR_ERR(pc->cpt_clk); + } + +- ret = clk_prepare(pc->cpt_clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- return ret; +- } +- + cdata->ddata = devm_kzalloc(dev, cdata->cpt_num_devs * sizeof(*cdata->ddata), GFP_KERNEL); + if (!cdata->ddata) + return -ENOMEM; +@@ -664,27 +652,7 @@ static int sti_pwm_probe(struct platform_device *pdev) + mutex_init(&ddata->lock); + } + +- ret = pwmchip_add(chip); +- if (ret < 0) { +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); +- return ret; +- } +- +- platform_set_drvdata(pdev, chip); +- +- return 0; +-} +- +-static void sti_pwm_remove(struct platform_device *pdev) +-{ +- struct pwm_chip *chip = platform_get_drvdata(pdev); +- struct sti_pwm_chip *pc = to_sti_pwmchip(chip); +- +- pwmchip_remove(chip); +- +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); ++ return devm_pwmchip_add(dev, chip); + } + + static const struct of_device_id sti_pwm_of_match[] = { +@@ -699,7 +667,6 @@ static struct platform_driver sti_pwm_driver = { + .of_match_table = sti_pwm_of_match, + }, + .probe = sti_pwm_probe, +- .remove_new = sti_pwm_remove, + }; + module_platform_driver(sti_pwm_driver); + +-- +2.43.0 + diff --git a/queue-6.9/qed-avoid-truncating-work-queue-length.patch b/queue-6.9/qed-avoid-truncating-work-queue-length.patch new file mode 100644 index 00000000000..41a1e7cb331 --- /dev/null +++ b/queue-6.9/qed-avoid-truncating-work-queue-length.patch @@ -0,0 +1,58 @@ +From baee601c8ee5644d397179155b1e850fd3165471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:02 +0100 +Subject: qed: avoid truncating work queue length + +From: Arnd Bergmann + +[ Upstream commit 954fd908f177604d4cce77e2a88cc50b29bad5ff ] + +clang complains that the temporary string for the name passed into +alloc_workqueue() is too short for its contents: + +drivers/net/ethernet/qlogic/qed/qed_main.c:1218:3: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 18 [-Werror,-Wformat-truncation] + +There is no need for a temporary buffer, and the actual name of a workqueue +is 32 bytes (WQ_NAME_LEN), so just use the interface as intended to avoid +the truncation. + +Fixes: 59ccf86fe69a ("qed: Add driver infrastucture for handling mfw requests.") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-4-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index c278f8893042b..8159b4c315b5d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1206,7 +1206,6 @@ static void qed_slowpath_task(struct work_struct *work) + static int qed_slowpath_wq_start(struct qed_dev *cdev) + { + struct qed_hwfn *hwfn; +- char name[NAME_SIZE]; + int i; + + if (IS_VF(cdev)) +@@ -1215,11 +1214,11 @@ static int qed_slowpath_wq_start(struct qed_dev *cdev) + for_each_hwfn(cdev, i) { + hwfn = &cdev->hwfns[i]; + +- snprintf(name, NAME_SIZE, "slowpath-%02x:%02x.%02x", +- cdev->pdev->bus->number, +- PCI_SLOT(cdev->pdev->devfn), hwfn->abs_pf_id); ++ hwfn->slowpath_wq = alloc_workqueue("slowpath-%02x:%02x.%02x", ++ 0, 0, cdev->pdev->bus->number, ++ PCI_SLOT(cdev->pdev->devfn), ++ hwfn->abs_pf_id); + +- hwfn->slowpath_wq = alloc_workqueue(name, 0, 0); + if (!hwfn->slowpath_wq) { + DP_NOTICE(hwfn, "Cannot create slowpath workqueue\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.9/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch b/queue-6.9/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch new file mode 100644 index 00000000000..66ba4795eb8 --- /dev/null +++ b/queue-6.9/rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch @@ -0,0 +1,51 @@ +From e69d1efca02371b2c1848c67248e9b2174fe89b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 22:43:15 +0300 +Subject: rcu: Fix buffer overflow in print_cpu_stall_info() + +From: Nikita Kiryushin + +[ Upstream commit 3758f7d9917bd7ef0482c4184c0ad673b4c4e069 ] + +The rcuc-starvation output from print_cpu_stall_info() might overflow the +buffer if there is a huge difference in jiffies difference. The situation +might seem improbable, but computers sometimes get very confused about +time, which can result in full-sized integers, and, in this case, +buffer overflow. + +Also, the unsigned jiffies difference is printed using %ld, which is +normally for signed integers. This is intentional for debugging purposes, +but it is not obvious from the code. + +This commit therefore changes sprintf() to snprintf() and adds a +clarifying comment about intention of %ld format. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting quiescent state") +Signed-off-by: Nikita Kiryushin +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_stall.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h +index 5d666428546b0..b5ec62b2d850a 100644 +--- a/kernel/rcu/tree_stall.h ++++ b/kernel/rcu/tree_stall.h +@@ -504,7 +504,8 @@ static void print_cpu_stall_info(int cpu) + rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu)); + rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j); + if (rcuc_starved) +- sprintf(buf, " rcuc=%ld jiffies(starved)", j); ++ // Print signed value, as negative values indicate a probable bug. ++ snprintf(buf, sizeof(buf), " rcuc=%ld jiffies(starved)", j); + pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u fqs=%ld%s%s\n", + cpu, + "O."[!!cpu_online(cpu)], +-- +2.43.0 + diff --git a/queue-6.9/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch b/queue-6.9/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch new file mode 100644 index 00000000000..2dbe751677c --- /dev/null +++ b/queue-6.9/rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch @@ -0,0 +1,45 @@ +From 15c5bc7398691e2925bfda7d9f447b02fc5ddb27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 20:47:47 +0300 +Subject: rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow + +From: Nikita Kiryushin + +[ Upstream commit cc5645fddb0ce28492b15520306d092730dffa48 ] + +There is a possibility of buffer overflow in +show_rcu_tasks_trace_gp_kthread() if counters, passed +to sprintf() are huge. Counter numbers, needed for this +are unrealistically high, but buffer overflow is still +possible. + +Use snprintf() with buffer size instead of sprintf(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: edf3775f0ad6 ("rcu-tasks: Add count for idle tasks on offline CPUs") +Signed-off-by: Nikita Kiryushin +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 147b5945d67a0..2a453de9f3d95 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -1994,7 +1994,7 @@ void show_rcu_tasks_trace_gp_kthread(void) + { + char buf[64]; + +- sprintf(buf, "N%lu h:%lu/%lu/%lu", ++ snprintf(buf, sizeof(buf), "N%lu h:%lu/%lu/%lu", + data_race(n_trc_holdouts), + data_race(n_heavy_reader_ofl_updates), + data_race(n_heavy_reader_updates), +-- +2.43.0 + diff --git a/queue-6.9/rdma-cma-fix-kmemleak-in-rdma_core-observed-during-b.patch b/queue-6.9/rdma-cma-fix-kmemleak-in-rdma_core-observed-during-b.patch new file mode 100644 index 00000000000..a3f738fb55f --- /dev/null +++ b/queue-6.9/rdma-cma-fix-kmemleak-in-rdma_core-observed-during-b.patch @@ -0,0 +1,77 @@ +From e1a5d0dcc2a75b3cf680f6d58437d6f6d6d5ab27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 23:12:47 +0200 +Subject: RDMA/cma: Fix kmemleak in rdma_core observed during blktests + nvme/rdma use siw + +From: Zhu Yanjun + +[ Upstream commit 9c0731832d3b7420cbadba6a7f334363bc8dfb15 ] + +When running blktests nvme/rdma, the following kmemleak issue will appear. + +kmemleak: Kernel memory leak detector initialized (mempool available:36041) +kmemleak: Automatic memory scanning thread started +kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak) + +unreferenced object 0xffff88855da53400 (size 192): + comm "rdma", pid 10630, jiffies 4296575922 + hex dump (first 32 bytes): + 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7............... + 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.].... + backtrace (crc 47f66721): + [] kmalloc_trace+0x30d/0x3b0 + [] alloc_gid_entry+0x47/0x380 [ib_core] + [] add_modify_gid+0x166/0x930 [ib_core] + [] ib_cache_update.part.0+0x6d8/0x910 [ib_core] + [] ib_cache_setup_one+0x24a/0x350 [ib_core] + [] ib_register_device+0x9e/0x3a0 [ib_core] + [] 0xffffffffc2a3d389 + [] nldev_newlink+0x2b8/0x520 [ib_core] + [] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core] + [] +rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core] + [] netlink_unicast+0x445/0x710 + [] netlink_sendmsg+0x761/0xc40 + [] __sys_sendto+0x3a9/0x420 + [] __x64_sys_sendto+0xdc/0x1b0 + [] do_syscall_64+0x93/0x180 + [] entry_SYSCALL_64_after_hwframe+0x71/0x79 + +The root cause: rdma_put_gid_attr is not called when sgid_attr is set +to ERR_PTR(-ENODEV). + +Reported-and-tested-by: Yi Zhang +Closes: https://lore.kernel.org/all/19bf5745-1b3b-4b8a-81c2-20d945943aaf@linux.dev/T/ +Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices") +Reviewed-by: Chuck Lever +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240510211247.31345-1-yanjun.zhu@linux.dev +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 1e2cd7c8716e8..64ace0b968f07 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -715,8 +715,10 @@ cma_validate_port(struct ib_device *device, u32 port, + rcu_read_lock(); + ndev = rcu_dereference(sgid_attr->ndev); + if (!net_eq(dev_net(ndev), dev_addr->net) || +- ndev->ifindex != bound_if_index) ++ ndev->ifindex != bound_if_index) { ++ rdma_put_gid_attr(sgid_attr); + sgid_attr = ERR_PTR(-ENODEV); ++ } + rcu_read_unlock(); + goto out; + } +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-add-max_ah-and-cq-moderation-capacities-in-.patch b/queue-6.9/rdma-hns-add-max_ah-and-cq-moderation-capacities-in-.patch new file mode 100644 index 00000000000..2595b17e9bc --- /dev/null +++ b/queue-6.9/rdma-hns-add-max_ah-and-cq-moderation-capacities-in-.patch @@ -0,0 +1,92 @@ +From afd9be3f1ae228da6513778c91c4694f408cd82a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:09 +0800 +Subject: RDMA/hns: Add max_ah and cq moderation capacities in query_device() + +From: Chengchang Tang + +[ Upstream commit 2ce384307f2ddf39dc662878e151722199afc9ae ] + +Add max_ah and cq moderation capacities to hns_roce_query_device(). + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-4-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 3 +++ + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 2 +- + drivers/infiniband/hw/hns/hns_roce_main.c | 7 +++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index c3cbd0a494bfd..0b47c6d68804f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -100,6 +100,9 @@ + #define CQ_BANKID_SHIFT 2 + #define CQ_BANKID_MASK GENMASK(1, 0) + ++#define HNS_ROCE_MAX_CQ_COUNT 0xFFFF ++#define HNS_ROCE_MAX_CQ_PERIOD 0xFFFF ++ + enum { + SERV_TYPE_RC, + SERV_TYPE_UC, +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index ba7ae792d279d..99f6ae6135c2f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5802,7 +5802,7 @@ static int hns_roce_v2_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period) + dev_info(hr_dev->dev, + "cq_period(%u) reached the upper limit, adjusted to 65.\n", + cq_period); +- cq_period = HNS_ROCE_MAX_CQ_PERIOD; ++ cq_period = HNS_ROCE_MAX_CQ_PERIOD_HIP08; + } + cq_period *= HNS_ROCE_CLOCK_ADJUST; + } +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index df04bc8ede57b..dfed6b4ddb04d 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1334,7 +1334,7 @@ struct fmea_ram_ecc { + + /* only for RNR timeout issue of HIP08 */ + #define HNS_ROCE_CLOCK_ADJUST 1000 +-#define HNS_ROCE_MAX_CQ_PERIOD 65 ++#define HNS_ROCE_MAX_CQ_PERIOD_HIP08 65 + #define HNS_ROCE_MAX_EQ_PERIOD 65 + #define HNS_ROCE_RNR_TIMER_10NS 1 + #define HNS_ROCE_1US_CFG 999 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 1dc60c2b2b7ab..4d94fcb8685ab 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -40,6 +40,7 @@ + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hem.h" ++#include "hns_roce_hw_v2.h" + + static int hns_roce_set_mac(struct hns_roce_dev *hr_dev, u32 port, + const u8 *addr) +@@ -192,6 +193,12 @@ static int hns_roce_query_device(struct ib_device *ib_dev, + IB_ATOMIC_HCA : IB_ATOMIC_NONE; + props->max_pkeys = 1; + props->local_ca_ack_delay = hr_dev->caps.local_ca_ack_delay; ++ props->max_ah = INT_MAX; ++ props->cq_caps.max_cq_moderation_period = HNS_ROCE_MAX_CQ_PERIOD; ++ props->cq_caps.max_cq_moderation_count = HNS_ROCE_MAX_CQ_COUNT; ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) ++ props->cq_caps.max_cq_moderation_period = HNS_ROCE_MAX_CQ_PERIOD_HIP08; ++ + if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_SRQ) { + props->max_srq = hr_dev->caps.num_srqs; + props->max_srq_wr = hr_dev->caps.max_srq_wrs; +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-fix-deadlock-on-srq-async-events.patch b/queue-6.9/rdma-hns-fix-deadlock-on-srq-async-events.patch new file mode 100644 index 00000000000..1e496427ee7 --- /dev/null +++ b/queue-6.9/rdma-hns-fix-deadlock-on-srq-async-events.patch @@ -0,0 +1,69 @@ +From 1d404510313a8053def8d9985b879a9bad5a1363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:10 +0800 +Subject: RDMA/hns: Fix deadlock on SRQ async events. + +From: Chengchang Tang + +[ Upstream commit b46494b6f9c19f141114a57729e198698f40af37 ] + +xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/ +xa_erase_irq() to avoid deadlock. + +Fixes: 81fce6291d99 ("RDMA/hns: Add SRQ asynchronous event support") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_main.c | 1 + + drivers/infiniband/hw/hns/hns_roce_srq.c | 6 +++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 4d94fcb8685ab..d202258368ed9 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hem.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index 4abae94778544..8f48c6723e07e 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -123,7 +123,7 @@ static int alloc_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + return ret; + } + +- ret = xa_err(xa_store(&srq_table->xa, srq->srqn, srq, GFP_KERNEL)); ++ ret = xa_err(xa_store_irq(&srq_table->xa, srq->srqn, srq, GFP_KERNEL)); + if (ret) { + ibdev_err(ibdev, "failed to store SRQC, ret = %d.\n", ret); + goto err_put; +@@ -136,7 +136,7 @@ static int alloc_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + return 0; + + err_xa: +- xa_erase(&srq_table->xa, srq->srqn); ++ xa_erase_irq(&srq_table->xa, srq->srqn); + err_put: + hns_roce_table_put(hr_dev, &srq_table->table, srq->srqn); + +@@ -154,7 +154,7 @@ static void free_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + dev_err(hr_dev->dev, "DESTROY_SRQ failed (%d) for SRQN %06lx\n", + ret, srq->srqn); + +- xa_erase(&srq_table->xa, srq->srqn); ++ xa_erase_irq(&srq_table->xa, srq->srqn); + + if (refcount_dec_and_test(&srq->refcount)) + complete(&srq->free); +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-fix-gmv-table-pagesize.patch b/queue-6.9/rdma-hns-fix-gmv-table-pagesize.patch new file mode 100644 index 00000000000..56db611e8f9 --- /dev/null +++ b/queue-6.9/rdma-hns-fix-gmv-table-pagesize.patch @@ -0,0 +1,39 @@ +From 3be01fe1dea701b4ca4899e690648a2d2de7cc6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:13 +0800 +Subject: RDMA/hns: Fix GMV table pagesize + +From: Chengchang Tang + +[ Upstream commit ee045493283403969591087bd405fa280103282a ] + +GMV's BA table only supports 4K pages. Currently, PAGESIZE is used to +calculate gmv_bt_num, which will cause an abnormal number of gmv_bt_num +in a 64K OS. + +Fixes: d6d91e46210f ("RDMA/hns: Add support for configuring GMV table") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-8-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 99f6ae6135c2f..1120c7d3fa8ef 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2105,7 +2105,7 @@ static void apply_func_caps(struct hns_roce_dev *hr_dev) + caps->gmv_bt_num * + (HNS_HW_PAGE_SIZE / caps->gmv_entry_sz)); + +- caps->gmv_entry_num = caps->gmv_bt_num * (PAGE_SIZE / ++ caps->gmv_entry_num = caps->gmv_bt_num * (HNS_HW_PAGE_SIZE / + caps->gmv_entry_sz); + } else { + u32 func_num = max_t(u32, 1, hr_dev->func_num); +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-fix-mismatch-exception-rollback.patch b/queue-6.9/rdma-hns-fix-mismatch-exception-rollback.patch new file mode 100644 index 00000000000..137d960f57f --- /dev/null +++ b/queue-6.9/rdma-hns-fix-mismatch-exception-rollback.patch @@ -0,0 +1,38 @@ +From 78bbbbc0ce9f63ec34f0ba4492041278cc5ef5e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:12 +0800 +Subject: RDMA/hns: Fix mismatch exception rollback + +From: wenglianfa + +[ Upstream commit dc3bda6e568e9310b7cd07769dd70a3f0cd696ca ] + +When dma_alloc_coherent() fails in hns_roce_alloc_hem(), just call +kfree() to release hem instead of hns_roce_free_hem(). + +Fixes: c00743cbf2b8 ("RDMA/hns: Simplify 'struct hns_roce_hem' allocation") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-7-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index a4b3f19161dc1..658c522be7583 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -281,7 +281,7 @@ static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev, + return hem; + + fail: +- hns_roce_free_hem(hr_dev, hem); ++ kfree(hem); + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch b/queue-6.9/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch new file mode 100644 index 00000000000..44fd83c3d49 --- /dev/null +++ b/queue-6.9/rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch @@ -0,0 +1,75 @@ +From 35e3d1ffae0c42263fed37ba1c726f77157e0064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:38:51 +0800 +Subject: RDMA/hns: Fix return value in hns_roce_map_mr_sg + +From: Zhengchao Shao + +[ Upstream commit 203b70fda63425a4eb29f03f9074859afe821a39 ] + +As described in the ib_map_mr_sg function comment, it returns the number +of sg elements that were mapped to the memory region. However, +hns_roce_map_mr_sg returns the number of pages required for mapping the +DMA area. Fix it. + +Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20240411033851.2884771-1-shaozhengchao@huawei.com +Reviewed-by: Junxian Huang +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_mr.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 9e05b57a2d67d..80c050d7d0ea6 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -441,18 +441,18 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents, + struct ib_device *ibdev = &hr_dev->ib_dev; + struct hns_roce_mr *mr = to_hr_mr(ibmr); + struct hns_roce_mtr *mtr = &mr->pbl_mtr; +- int ret = 0; ++ int ret, sg_num = 0; + + mr->npages = 0; + mr->page_list = kvcalloc(mr->pbl_mtr.hem_cfg.buf_pg_count, + sizeof(dma_addr_t), GFP_KERNEL); + if (!mr->page_list) +- return ret; ++ return sg_num; + +- ret = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page); +- if (ret < 1) { ++ sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page); ++ if (sg_num < 1) { + ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n", +- mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, ret); ++ mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num); + goto err_page_list; + } + +@@ -463,17 +463,16 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents, + ret = hns_roce_mtr_map(hr_dev, mtr, mr->page_list, mr->npages); + if (ret) { + ibdev_err(ibdev, "failed to map sg mtr, ret = %d.\n", ret); +- ret = 0; ++ sg_num = 0; + } else { + mr->pbl_mtr.hem_cfg.buf_pg_shift = (u32)ilog2(ibmr->page_size); +- ret = mr->npages; + } + + err_page_list: + kvfree(mr->page_list); + mr->page_list = NULL; + +- return ret; ++ return sg_num; + } + + static void hns_roce_mw_free(struct hns_roce_dev *hr_dev, +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-fix-uaf-for-cq-async-event.patch b/queue-6.9/rdma-hns-fix-uaf-for-cq-async-event.patch new file mode 100644 index 00000000000..0ca43c08c96 --- /dev/null +++ b/queue-6.9/rdma-hns-fix-uaf-for-cq-async-event.patch @@ -0,0 +1,91 @@ +From 838e87c4457b6f21415ecdf51c965bce0ae87fe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:11 +0800 +Subject: RDMA/hns: Fix UAF for cq async event + +From: Chengchang Tang + +[ Upstream commit a942ec2745ca864cd8512142100e4027dc306a42 ] + +The refcount of CQ is not protected by locks. When CQ asynchronous +events and CQ destruction are concurrent, CQ may have been released, +which will cause UAF. + +Use the xa_lock() to protect the CQ refcount. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_cq.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c +index 7250d0643b5c5..68e22f368d43a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_cq.c +@@ -149,7 +149,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + return ret; + } + +- ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); ++ ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); + if (ret) { + ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret); + goto err_put; +@@ -163,7 +163,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + return 0; + + err_xa: +- xa_erase(&cq_table->array, hr_cq->cqn); ++ xa_erase_irq(&cq_table->array, hr_cq->cqn); + err_put: + hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn); + +@@ -182,7 +182,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret, + hr_cq->cqn); + +- xa_erase(&cq_table->array, hr_cq->cqn); ++ xa_erase_irq(&cq_table->array, hr_cq->cqn); + + /* Waiting interrupt process procedure carried out */ + synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq); +@@ -476,13 +476,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) + struct ib_event event; + struct ib_cq *ibcq; + +- hr_cq = xa_load(&hr_dev->cq_table.array, +- cqn & (hr_dev->caps.num_cqs - 1)); +- if (!hr_cq) { +- dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); +- return; +- } +- + if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID && + event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR && + event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) { +@@ -491,7 +484,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) + return; + } + +- refcount_inc(&hr_cq->refcount); ++ xa_lock(&hr_dev->cq_table.array); ++ hr_cq = xa_load(&hr_dev->cq_table.array, ++ cqn & (hr_dev->caps.num_cqs - 1)); ++ if (hr_cq) ++ refcount_inc(&hr_cq->refcount); ++ xa_unlock(&hr_dev->cq_table.array); ++ if (!hr_cq) { ++ dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); ++ return; ++ } + + ibcq = &hr_cq->ib_cq; + if (ibcq->event_handler) { +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-modify-the-print-level-of-cqe-error.patch b/queue-6.9/rdma-hns-modify-the-print-level-of-cqe-error.patch new file mode 100644 index 00000000000..62298a672f3 --- /dev/null +++ b/queue-6.9/rdma-hns-modify-the-print-level-of-cqe-error.patch @@ -0,0 +1,42 @@ +From f1d56f615c1f35d3fff69f3e13b747a1853aab56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:16 +0800 +Subject: RDMA/hns: Modify the print level of CQE error + +From: Chengchang Tang + +[ Upstream commit 349e859952285ab9689779fb46de163f13f18f43 ] + +Too much print may lead to a panic in kernel. Change ibdev_err() to +ibdev_err_ratelimited(), and change the printing level of cqe dump +to debug level. + +Fixes: 7c044adca272 ("RDMA/hns: Simplify the cqe code of poll cq") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-11-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 1120c7d3fa8ef..8800464c9a0cd 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3711,8 +3711,9 @@ static void get_cqe_status(struct hns_roce_dev *hr_dev, struct hns_roce_qp *qp, + wc->status == IB_WC_WR_FLUSH_ERR)) + return; + +- ibdev_err(&hr_dev->ib_dev, "error cqe status 0x%x:\n", cqe_status); +- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_NONE, 16, 4, cqe, ++ ibdev_err_ratelimited(&hr_dev->ib_dev, "error cqe status 0x%x:\n", ++ cqe_status); ++ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 4, cqe, + cq->cqe_size, false); + wc->vendor_err = hr_reg_read(cqe, CQE_SUB_STATUS); + +-- +2.43.0 + diff --git a/queue-6.9/rdma-hns-use-complete-parentheses-in-macros.patch b/queue-6.9/rdma-hns-use-complete-parentheses-in-macros.patch new file mode 100644 index 00000000000..a68bffdddf8 --- /dev/null +++ b/queue-6.9/rdma-hns-use-complete-parentheses-in-macros.patch @@ -0,0 +1,52 @@ +From c9047a0caa510c55fb16fa69520d74e28ab047ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:15 +0800 +Subject: RDMA/hns: Use complete parentheses in macros + +From: Chengchang Tang + +[ Upstream commit 4125269bb9b22e1d8cdf4412c81be8074dbc61ca ] + +Use complete parentheses to ensure that macro expansion does +not produce unexpected results. + +Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-10-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index 6fb51db9682b8..9c415b2541af8 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -57,16 +57,16 @@ enum { + }; + + #define check_whether_bt_num_3(type, hop_num) \ +- (type < HEM_TYPE_MTT && hop_num == 2) ++ ((type) < HEM_TYPE_MTT && (hop_num) == 2) + + #define check_whether_bt_num_2(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == 2)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 2)) + + #define check_whether_bt_num_1(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0) || \ +- (type >= HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0)) + + struct hns_roce_hem { + void *buf; +-- +2.43.0 + diff --git a/queue-6.9/rdma-ipoib-fix-format-truncation-compilation-errors.patch b/queue-6.9/rdma-ipoib-fix-format-truncation-compilation-errors.patch new file mode 100644 index 00000000000..03f06dac0ee --- /dev/null +++ b/queue-6.9/rdma-ipoib-fix-format-truncation-compilation-errors.patch @@ -0,0 +1,66 @@ +From 06773541e25c6ef30f995a97b20d28a1e2169171 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 10:39:33 +0300 +Subject: RDMA/IPoIB: Fix format truncation compilation errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit 49ca2b2ef3d003402584c68ae7b3055ba72e750a ] + +Truncate the device name to store IPoIB VLAN name. + +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 allmodconfig +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 W=1 drivers/infiniband/ulp/ipoib/ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c: In function ‘ipoib_vlan_add’: +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:52: error: ‘%04x’ +directive output may be truncated writing 4 bytes into a region of size +between 0 and 15 [-Werror=format-truncation=] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:48: note: directive +argument in the range [0, 65535] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:9: note: ‘snprintf’ output +between 6 and 21 bytes into a destination of size 16 + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 188 | ppriv->dev->name, pkey); + | ~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/ulp/ipoib/ipoib_vlan.o] Error 1 +make[6]: *** Waiting for unfinished jobs.... + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Link: https://lore.kernel.org/r/e9d3e1fef69df4c9beaf402cc3ac342bad680791.1715240029.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +index 4bd161e86f8dd..562df2b3ef187 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -184,8 +184,12 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) + + ppriv = ipoib_priv(pdev); + +- snprintf(intf_name, sizeof(intf_name), "%s.%04x", +- ppriv->dev->name, pkey); ++ /* If you increase IFNAMSIZ, update snprintf below ++ * to allow longer names. ++ */ ++ BUILD_BUG_ON(IFNAMSIZ != 16); ++ snprintf(intf_name, sizeof(intf_name), "%.10s.%04x", ppriv->dev->name, ++ pkey); + + ndev = ipoib_intf_alloc(ppriv->ca, ppriv->port, intf_name); + if (IS_ERR(ndev)) { +-- +2.43.0 + diff --git a/queue-6.9/rdma-mana_ib-boundary-check-before-installing-cq-cal.patch b/queue-6.9/rdma-mana_ib-boundary-check-before-installing-cq-cal.patch new file mode 100644 index 00000000000..a0a886d8bd2 --- /dev/null +++ b/queue-6.9/rdma-mana_ib-boundary-check-before-installing-cq-cal.patch @@ -0,0 +1,37 @@ +From 43a1a627515ba7906c0b037c6eb4e95084206398 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 06:12:39 -0700 +Subject: RDMA/mana_ib: boundary check before installing cq callbacks + +From: Konstantin Taranov + +[ Upstream commit f79edef79b6a2161f4124112f9b0c46891bb0b74 ] + +Add a boundary check inside mana_ib_install_cq_cb to prevent index overflow. + +Fixes: 2a31c5a7e0d8 ("RDMA/mana_ib: Introduce mana_ib_install_cq_cb helper function") +Signed-off-by: Konstantin Taranov +Link: https://lore.kernel.org/r/1714137160-5222-5-git-send-email-kotaranov@linux.microsoft.com +Reviewed-by: Long Li +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/cq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c +index c9129218f1be1..89fcc09ded8a4 100644 +--- a/drivers/infiniband/hw/mana/cq.c ++++ b/drivers/infiniband/hw/mana/cq.c +@@ -81,6 +81,8 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) + struct gdma_context *gc = mdev_to_gc(mdev); + struct gdma_queue *gdma_cq; + ++ if (cq->queue.id >= gc->max_num_cqs) ++ return -EINVAL; + /* Create CQ table entry */ + WARN_ON(gc->cq_table[cq->queue.id]); + gdma_cq = kzalloc(sizeof(*gdma_cq), GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.9/rdma-mana_ib-introduce-helpers-to-create-and-destroy.patch b/queue-6.9/rdma-mana_ib-introduce-helpers-to-create-and-destroy.patch new file mode 100644 index 00000000000..0d506a8c220 --- /dev/null +++ b/queue-6.9/rdma-mana_ib-introduce-helpers-to-create-and-destroy.patch @@ -0,0 +1,109 @@ +From d925fb1292be6f78c78c10e5f7152ee2e316bf3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 13:08:05 -0700 +Subject: RDMA/mana_ib: Introduce helpers to create and destroy mana queues + +From: Konstantin Taranov + +[ Upstream commit 46f5be7cd4bceb3a503c544b3dab7b75fe4bb96b ] + +Intoduce helpers to work with mana ib queues (struct mana_ib_queue). +A queue always consists of umem, gdma_region, and id. +A queue can become a WQ or a CQ. + +Signed-off-by: Konstantin Taranov +Link: https://lore.kernel.org/r/1711483688-24358-2-git-send-email-kotaranov@linux.microsoft.com +Reviewed-by: Long Li +Signed-off-by: Leon Romanovsky +Stable-dep-of: f79edef79b6a ("RDMA/mana_ib: boundary check before installing cq callbacks") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/main.c | 43 ++++++++++++++++++++++++++++ + drivers/infiniband/hw/mana/mana_ib.h | 10 +++++++ + 2 files changed, 53 insertions(+) + +diff --git a/drivers/infiniband/hw/mana/main.c b/drivers/infiniband/hw/mana/main.c +index 71e33feee61bb..4524c6b807487 100644 +--- a/drivers/infiniband/hw/mana/main.c ++++ b/drivers/infiniband/hw/mana/main.c +@@ -237,6 +237,49 @@ void mana_ib_dealloc_ucontext(struct ib_ucontext *ibcontext) + ibdev_dbg(ibdev, "Failed to destroy doorbell page %d\n", ret); + } + ++int mana_ib_create_queue(struct mana_ib_dev *mdev, u64 addr, u32 size, ++ struct mana_ib_queue *queue) ++{ ++ struct ib_umem *umem; ++ int err; ++ ++ queue->umem = NULL; ++ queue->id = INVALID_QUEUE_ID; ++ queue->gdma_region = GDMA_INVALID_DMA_REGION; ++ ++ umem = ib_umem_get(&mdev->ib_dev, addr, size, IB_ACCESS_LOCAL_WRITE); ++ if (IS_ERR(umem)) { ++ err = PTR_ERR(umem); ++ ibdev_dbg(&mdev->ib_dev, "Failed to get umem, %d\n", err); ++ return err; ++ } ++ ++ err = mana_ib_create_zero_offset_dma_region(mdev, umem, &queue->gdma_region); ++ if (err) { ++ ibdev_dbg(&mdev->ib_dev, "Failed to create dma region, %d\n", err); ++ goto free_umem; ++ } ++ queue->umem = umem; ++ ++ ibdev_dbg(&mdev->ib_dev, ++ "create_dma_region ret %d gdma_region 0x%llx\n", ++ err, queue->gdma_region); ++ ++ return 0; ++free_umem: ++ ib_umem_release(umem); ++ return err; ++} ++ ++void mana_ib_destroy_queue(struct mana_ib_dev *mdev, struct mana_ib_queue *queue) ++{ ++ /* Ignore return code as there is not much we can do about it. ++ * The error message is printed inside. ++ */ ++ mana_ib_gd_destroy_dma_region(mdev, queue->gdma_region); ++ ib_umem_release(queue->umem); ++} ++ + static int + mana_ib_gd_first_dma_region(struct mana_ib_dev *dev, + struct gdma_context *gc, +diff --git a/drivers/infiniband/hw/mana/mana_ib.h b/drivers/infiniband/hw/mana/mana_ib.h +index f83390eebb7d7..859fd3bfc764f 100644 +--- a/drivers/infiniband/hw/mana/mana_ib.h ++++ b/drivers/infiniband/hw/mana/mana_ib.h +@@ -45,6 +45,12 @@ struct mana_ib_adapter_caps { + u32 max_inline_data_size; + }; + ++struct mana_ib_queue { ++ struct ib_umem *umem; ++ u64 gdma_region; ++ u64 id; ++}; ++ + struct mana_ib_dev { + struct ib_device ib_dev; + struct gdma_dev *gdma_dev; +@@ -169,6 +175,10 @@ int mana_ib_create_dma_region(struct mana_ib_dev *dev, struct ib_umem *umem, + int mana_ib_gd_destroy_dma_region(struct mana_ib_dev *dev, + mana_handle_t gdma_region); + ++int mana_ib_create_queue(struct mana_ib_dev *mdev, u64 addr, u32 size, ++ struct mana_ib_queue *queue); ++void mana_ib_destroy_queue(struct mana_ib_dev *mdev, struct mana_ib_queue *queue); ++ + struct ib_wq *mana_ib_create_wq(struct ib_pd *pd, + struct ib_wq_init_attr *init_attr, + struct ib_udata *udata); +-- +2.43.0 + diff --git a/queue-6.9/rdma-mana_ib-use-struct-mana_ib_queue-for-cqs.patch b/queue-6.9/rdma-mana_ib-use-struct-mana_ib_queue-for-cqs.patch new file mode 100644 index 00000000000..f48c8840bbb --- /dev/null +++ b/queue-6.9/rdma-mana_ib-use-struct-mana_ib_queue-for-cqs.patch @@ -0,0 +1,231 @@ +From cd3174171f01e9553cf98d6bbd0962066215a88b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 13:08:06 -0700 +Subject: RDMA/mana_ib: Use struct mana_ib_queue for CQs + +From: Konstantin Taranov + +[ Upstream commit 60a7ac0b8bec5df9764b7460ffee91fc981e8a31 ] + +Use struct mana_ib_queue and its helpers for CQs + +Signed-off-by: Konstantin Taranov +Link: https://lore.kernel.org/r/1711483688-24358-3-git-send-email-kotaranov@linux.microsoft.com +Reviewed-by: Long Li +Signed-off-by: Leon Romanovsky +Stable-dep-of: f79edef79b6a ("RDMA/mana_ib: boundary check before installing cq callbacks") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/cq.c | 52 ++++++---------------------- + drivers/infiniband/hw/mana/mana_ib.h | 4 +-- + drivers/infiniband/hw/mana/qp.c | 26 +++++++------- + 3 files changed, 24 insertions(+), 58 deletions(-) + +diff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c +index 4a71e678d09c1..c9129218f1be1 100644 +--- a/drivers/infiniband/hw/mana/cq.c ++++ b/drivers/infiniband/hw/mana/cq.c +@@ -39,37 +39,13 @@ int mana_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + } + + cq->cqe = attr->cqe; +- cq->umem = ib_umem_get(ibdev, ucmd.buf_addr, cq->cqe * COMP_ENTRY_SIZE, +- IB_ACCESS_LOCAL_WRITE); +- if (IS_ERR(cq->umem)) { +- err = PTR_ERR(cq->umem); +- ibdev_dbg(ibdev, "Failed to get umem for create cq, err %d\n", +- err); +- return err; +- } +- +- err = mana_ib_create_zero_offset_dma_region(mdev, cq->umem, &cq->gdma_region); ++ err = mana_ib_create_queue(mdev, ucmd.buf_addr, cq->cqe * COMP_ENTRY_SIZE, &cq->queue); + if (err) { +- ibdev_dbg(ibdev, +- "Failed to create dma region for create cq, %d\n", +- err); +- goto err_release_umem; ++ ibdev_dbg(ibdev, "Failed to create queue for create cq, %d\n", err); ++ return err; + } + +- ibdev_dbg(ibdev, +- "create_dma_region ret %d gdma_region 0x%llx\n", +- err, cq->gdma_region); +- +- /* +- * The CQ ID is not known at this time. The ID is generated at create_qp +- */ +- cq->id = INVALID_QUEUE_ID; +- + return 0; +- +-err_release_umem: +- ib_umem_release(cq->umem); +- return err; + } + + int mana_ib_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) +@@ -78,24 +54,16 @@ int mana_ib_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + struct ib_device *ibdev = ibcq->device; + struct mana_ib_dev *mdev; + struct gdma_context *gc; +- int err; + + mdev = container_of(ibdev, struct mana_ib_dev, ib_dev); + gc = mdev_to_gc(mdev); + +- err = mana_ib_gd_destroy_dma_region(mdev, cq->gdma_region); +- if (err) { +- ibdev_dbg(ibdev, +- "Failed to destroy dma region, %d\n", err); +- return err; +- } +- +- if (cq->id != INVALID_QUEUE_ID) { +- kfree(gc->cq_table[cq->id]); +- gc->cq_table[cq->id] = NULL; ++ if (cq->queue.id != INVALID_QUEUE_ID) { ++ kfree(gc->cq_table[cq->queue.id]); ++ gc->cq_table[cq->queue.id] = NULL; + } + +- ib_umem_release(cq->umem); ++ mana_ib_destroy_queue(mdev, &cq->queue); + + return 0; + } +@@ -114,7 +82,7 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) + struct gdma_queue *gdma_cq; + + /* Create CQ table entry */ +- WARN_ON(gc->cq_table[cq->id]); ++ WARN_ON(gc->cq_table[cq->queue.id]); + gdma_cq = kzalloc(sizeof(*gdma_cq), GFP_KERNEL); + if (!gdma_cq) + return -ENOMEM; +@@ -122,7 +90,7 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) + gdma_cq->cq.context = cq; + gdma_cq->type = GDMA_CQ; + gdma_cq->cq.callback = mana_ib_cq_handler; +- gdma_cq->id = cq->id; +- gc->cq_table[cq->id] = gdma_cq; ++ gdma_cq->id = cq->queue.id; ++ gc->cq_table[cq->queue.id] = gdma_cq; + return 0; + } +diff --git a/drivers/infiniband/hw/mana/mana_ib.h b/drivers/infiniband/hw/mana/mana_ib.h +index 859fd3bfc764f..6acb5c281c368 100644 +--- a/drivers/infiniband/hw/mana/mana_ib.h ++++ b/drivers/infiniband/hw/mana/mana_ib.h +@@ -88,10 +88,8 @@ struct mana_ib_mr { + + struct mana_ib_cq { + struct ib_cq ibcq; +- struct ib_umem *umem; ++ struct mana_ib_queue queue; + int cqe; +- u64 gdma_region; +- u64 id; + u32 comp_vector; + }; + +diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c +index 6e7627745c957..d7485ee6a6854 100644 +--- a/drivers/infiniband/hw/mana/qp.c ++++ b/drivers/infiniband/hw/mana/qp.c +@@ -197,7 +197,7 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, + wq_spec.gdma_region = wq->gdma_region; + wq_spec.queue_size = wq->wq_buf_size; + +- cq_spec.gdma_region = cq->gdma_region; ++ cq_spec.gdma_region = cq->queue.gdma_region; + cq_spec.queue_size = cq->cqe * COMP_ENTRY_SIZE; + cq_spec.modr_ctx_id = 0; + eq = &mpc->ac->eqs[cq->comp_vector % gc->max_num_queues]; +@@ -213,16 +213,16 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, + + /* The GDMA regions are now owned by the WQ object */ + wq->gdma_region = GDMA_INVALID_DMA_REGION; +- cq->gdma_region = GDMA_INVALID_DMA_REGION; ++ cq->queue.gdma_region = GDMA_INVALID_DMA_REGION; + + wq->id = wq_spec.queue_index; +- cq->id = cq_spec.queue_index; ++ cq->queue.id = cq_spec.queue_index; + + ibdev_dbg(&mdev->ib_dev, + "ret %d rx_object 0x%llx wq id %llu cq id %llu\n", +- ret, wq->rx_object, wq->id, cq->id); ++ ret, wq->rx_object, wq->id, cq->queue.id); + +- resp.entries[i].cqid = cq->id; ++ resp.entries[i].cqid = cq->queue.id; + resp.entries[i].wqid = wq->id; + + mana_ind_table[i] = wq->rx_object; +@@ -232,7 +232,7 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, + if (ret) + goto fail; + +- gdma_cq_allocated[i] = gc->cq_table[cq->id]; ++ gdma_cq_allocated[i] = gc->cq_table[cq->queue.id]; + } + resp.num_entries = i; + +@@ -264,7 +264,7 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, + wq = container_of(ibwq, struct mana_ib_wq, ibwq); + cq = container_of(ibcq, struct mana_ib_cq, ibcq); + +- gc->cq_table[cq->id] = NULL; ++ gc->cq_table[cq->queue.id] = NULL; + kfree(gdma_cq_allocated[i]); + + mana_destroy_wq_obj(mpc, GDMA_RQ, wq->rx_object); +@@ -374,7 +374,7 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd, + wq_spec.gdma_region = qp->sq_gdma_region; + wq_spec.queue_size = ucmd.sq_buf_size; + +- cq_spec.gdma_region = send_cq->gdma_region; ++ cq_spec.gdma_region = send_cq->queue.gdma_region; + cq_spec.queue_size = send_cq->cqe * COMP_ENTRY_SIZE; + cq_spec.modr_ctx_id = 0; + eq_vec = send_cq->comp_vector % gc->max_num_queues; +@@ -392,10 +392,10 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd, + + /* The GDMA regions are now owned by the WQ object */ + qp->sq_gdma_region = GDMA_INVALID_DMA_REGION; +- send_cq->gdma_region = GDMA_INVALID_DMA_REGION; ++ send_cq->queue.gdma_region = GDMA_INVALID_DMA_REGION; + + qp->sq_id = wq_spec.queue_index; +- send_cq->id = cq_spec.queue_index; ++ send_cq->queue.id = cq_spec.queue_index; + + /* Create CQ table entry */ + err = mana_ib_install_cq_cb(mdev, send_cq); +@@ -404,10 +404,10 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd, + + ibdev_dbg(&mdev->ib_dev, + "ret %d qp->tx_object 0x%llx sq id %llu cq id %llu\n", err, +- qp->tx_object, qp->sq_id, send_cq->id); ++ qp->tx_object, qp->sq_id, send_cq->queue.id); + + resp.sqid = qp->sq_id; +- resp.cqid = send_cq->id; ++ resp.cqid = send_cq->queue.id; + resp.tx_vp_offset = pd->tx_vp_offset; + + err = ib_copy_to_udata(udata, &resp, sizeof(resp)); +@@ -422,7 +422,7 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd, + + err_release_gdma_cq: + kfree(gdma_cq); +- gc->cq_table[send_cq->id] = NULL; ++ gc->cq_table[send_cq->queue.id] = NULL; + + err_destroy_wq_obj: + mana_destroy_wq_obj(mpc, GDMA_SQ, qp->tx_object); +-- +2.43.0 + diff --git a/queue-6.9/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch b/queue-6.9/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch new file mode 100644 index 00000000000..a6402c0aecf --- /dev/null +++ b/queue-6.9/rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch @@ -0,0 +1,39 @@ +From 405b50946ef72e8c55bab51828e5ec45942fa56e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:36:01 +0300 +Subject: RDMA/mlx5: Adding remote atomic access flag to updatable flags + +From: Or Har-Toov + +[ Upstream commit 2ca7e93bc963d9ec2f5c24d117176851454967af ] + +Currently IB_ACCESS_REMOTE_ATOMIC is blocked from being updated via UMR +although in some cases it should be possible. These cases are checked in +mlx5r_umr_can_reconfig function. + +Fixes: ef3642c4f54d ("RDMA/mlx5: Fix error unwinds for rereg_mr") +Signed-off-by: Or Har-Toov +Link: https://lore.kernel.org/r/24dac73e2fa48cb806f33a932d97f3e402a5ea2c.1712140377.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 7f7b1f59b5f05..ecc111ed5d86e 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1572,7 +1572,8 @@ static bool can_use_umr_rereg_access(struct mlx5_ib_dev *dev, + unsigned int diffs = current_access_flags ^ target_access_flags; + + if (diffs & ~(IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_REMOTE_READ | IB_ACCESS_RELAXED_ORDERING)) ++ IB_ACCESS_REMOTE_READ | IB_ACCESS_RELAXED_ORDERING | ++ IB_ACCESS_REMOTE_ATOMIC)) + return false; + return mlx5r_umr_can_reconfig(dev, current_access_flags, + target_access_flags); +-- +2.43.0 + diff --git a/queue-6.9/rdma-mlx5-change-check-for-cacheable-mkeys.patch b/queue-6.9/rdma-mlx5-change-check-for-cacheable-mkeys.patch new file mode 100644 index 00000000000..5f8958af628 --- /dev/null +++ b/queue-6.9/rdma-mlx5-change-check-for-cacheable-mkeys.patch @@ -0,0 +1,103 @@ +From c07fa4343c5439156da323355362aed88efd378d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:36:00 +0300 +Subject: RDMA/mlx5: Change check for cacheable mkeys + +From: Or Har-Toov + +[ Upstream commit 8c1185fef68cc603b954fece2a434c9f851d6a86 ] + +umem can be NULL for user application mkeys in some cases. Therefore +umem can't be used for checking if the mkey is cacheable and it is +changed for checking a flag that indicates it. Also make sure that +all mkeys which are not returned to the cache will be destroyed. + +Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow") +Signed-off-by: Or Har-Toov +Link: https://lore.kernel.org/r/2690bc5c6896bcb937f89af16a1ff0343a7ab3d0.1712140377.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 + + drivers/infiniband/hw/mlx5/mr.c | 32 +++++++++++++++++++--------- + 2 files changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index e74f048650624..f255a12e26a02 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -646,6 +646,7 @@ struct mlx5_ib_mkey { + /* Cacheable user Mkey must hold either a rb_key or a cache_ent. */ + struct mlx5r_cache_rb_key rb_key; + struct mlx5_cache_ent *cache_ent; ++ u8 cacheable : 1; + }; + + #define MLX5_IB_MTT_PRESENT (MLX5_IB_MTT_READ | MLX5_IB_MTT_WRITE) +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index a8ee2ca1f4a17..7f7b1f59b5f05 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1158,6 +1158,7 @@ static struct mlx5_ib_mr *alloc_cacheable_mr(struct ib_pd *pd, + if (IS_ERR(mr)) + return mr; + mr->mmkey.rb_key = rb_key; ++ mr->mmkey.cacheable = true; + return mr; + } + +@@ -1168,6 +1169,7 @@ static struct mlx5_ib_mr *alloc_cacheable_mr(struct ib_pd *pd, + mr->ibmr.pd = pd; + mr->umem = umem; + mr->page_shift = order_base_2(page_size); ++ mr->mmkey.cacheable = true; + set_mr_fields(dev, mr, umem->length, access_flags, iova); + + return mr; +@@ -1835,6 +1837,23 @@ static int cache_ent_find_and_store(struct mlx5_ib_dev *dev, + return ret; + } + ++static int mlx5_revoke_mr(struct mlx5_ib_mr *mr) ++{ ++ struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device); ++ struct mlx5_cache_ent *ent = mr->mmkey.cache_ent; ++ ++ if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) ++ return 0; ++ ++ if (ent) { ++ spin_lock_irq(&ent->mkeys_queue.lock); ++ ent->in_use--; ++ mr->mmkey.cache_ent = NULL; ++ spin_unlock_irq(&ent->mkeys_queue.lock); ++ } ++ return destroy_mkey(dev, mr); ++} ++ + int mlx5_ib_dereg_mr(struct ib_mr *ibmr, struct ib_udata *udata) + { + struct mlx5_ib_mr *mr = to_mmr(ibmr); +@@ -1880,16 +1899,9 @@ int mlx5_ib_dereg_mr(struct ib_mr *ibmr, struct ib_udata *udata) + } + + /* Stop DMA */ +- if (mr->umem && mlx5r_umr_can_load_pas(dev, mr->umem->length)) +- if (mlx5r_umr_revoke_mr(mr) || +- cache_ent_find_and_store(dev, mr)) +- mr->mmkey.cache_ent = NULL; +- +- if (!mr->mmkey.cache_ent) { +- rc = destroy_mkey(to_mdev(mr->ibmr.device), mr); +- if (rc) +- return rc; +- } ++ rc = mlx5_revoke_mr(mr); ++ if (rc) ++ return rc; + + if (mr->umem) { + bool is_odp = is_odp_mr(mr); +-- +2.43.0 + diff --git a/queue-6.9/rdma-mlx5-uncacheable-mkey-has-neither-rb_key-or-cac.patch b/queue-6.9/rdma-mlx5-uncacheable-mkey-has-neither-rb_key-or-cac.patch new file mode 100644 index 00000000000..c5deb209da9 --- /dev/null +++ b/queue-6.9/rdma-mlx5-uncacheable-mkey-has-neither-rb_key-or-cac.patch @@ -0,0 +1,38 @@ +From b838a6b189673e4dd48b081d801d338f886d8d45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:35:59 +0300 +Subject: RDMA/mlx5: Uncacheable mkey has neither rb_key or cache_ent + +From: Or Har-Toov + +[ Upstream commit 0611a8e8b475fc5230b9a24d29c8397aaab20b63 ] + +As some mkeys can't be modified with UMR due to some UMR limitations, +like the size of translation that can be updated, not all user mkeys can +be cached. + +Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow") +Signed-off-by: Or Har-Toov +Link: https://lore.kernel.org/r/f2742dd934ed73b2d32c66afb8e91b823063880c.1712140377.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index a8de35c07c9ef..e74f048650624 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -643,7 +643,7 @@ struct mlx5_ib_mkey { + unsigned int ndescs; + struct wait_queue_head wait; + refcount_t usecount; +- /* User Mkey must hold either a rb_key or a cache_ent. */ ++ /* Cacheable user Mkey must hold either a rb_key or a cache_ent. */ + struct mlx5r_cache_rb_key rb_key; + struct mlx5_cache_ent *cache_ent; + }; +-- +2.43.0 + diff --git a/queue-6.9/rdma-rxe-allow-good-work-requests-to-be-executed.patch b/queue-6.9/rdma-rxe-allow-good-work-requests-to-be-executed.patch new file mode 100644 index 00000000000..bb139ff1dd5 --- /dev/null +++ b/queue-6.9/rdma-rxe-allow-good-work-requests-to-be-executed.patch @@ -0,0 +1,58 @@ +From a7d91694e5a8723879fddf28ad2d790b3d7fc6ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:55:05 -0500 +Subject: RDMA/rxe: Allow good work requests to be executed + +From: Bob Pearson + +[ Upstream commit b703374837a8f8422fa3f1edcf65505421a65a6a ] + +A previous commit incorrectly added an 'if(!err)' before scheduling the +requester task in rxe_post_send_kernel(). But if there were send wrs +successfully added to the send queue before a bad wr they might never get +executed. + +This commit fixes this by scheduling the requester task if any wqes were +successfully posted in rxe_post_send_kernel() in rxe_verbs.c. + +Link: https://lore.kernel.org/r/20240329145513.35381-5-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Fixes: 5bf944f24129 ("RDMA/rxe: Add error messages") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index 614581989b381..a49784e5156c5 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -888,6 +888,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, + { + int err = 0; + unsigned long flags; ++ int good = 0; + + spin_lock_irqsave(&qp->sq.sq_lock, flags); + while (ibwr) { +@@ -895,12 +896,15 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, + if (err) { + *bad_wr = ibwr; + break; ++ } else { ++ good++; + } + ibwr = ibwr->next; + } + spin_unlock_irqrestore(&qp->sq.sq_lock, flags); + +- if (!err) ++ /* kickoff processing of any posted wqes */ ++ if (good) + rxe_sched_task(&qp->req.task); + + spin_lock_irqsave(&qp->state_lock, flags); +-- +2.43.0 + diff --git a/queue-6.9/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch b/queue-6.9/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch new file mode 100644 index 00000000000..30d2b59ff02 --- /dev/null +++ b/queue-6.9/rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch @@ -0,0 +1,55 @@ +From f597c32125355b55ef9b8708fb0ffcedade33d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:55:12 -0500 +Subject: RDMA/rxe: Fix incorrect rxe_put in error path + +From: Bob Pearson + +[ Upstream commit 8776618dbbd1b6f210b31509507e1aad461d6435 ] + +In rxe_send() a ref is taken on the qp to keep it alive until the +kfree_skb() has a chance to call the skb destructor rxe_skb_tx_dtor() +which drops the reference. If the packet has an incorrect protocol the +error path just calls kfree_skb() which will call the destructor which +will drop the ref. Currently the driver also calls rxe_put() which is +incorrect. Additionally since the packets sent to rxe_send() are under the +control of the driver and it only ever produces IPV4 or IPV6 packets the +simplest fix is to remove all the code in this block. + +Link: https://lore.kernel.org/r/20240329145513.35381-12-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Fixes: 9eb7f8e44d13 ("IB/rxe: Move refcounting earlier in rxe_send()") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index cd59666158b18..e5827064ab1e2 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -366,18 +366,10 @@ static int rxe_send(struct sk_buff *skb, struct rxe_pkt_info *pkt) + rxe_get(pkt->qp); + atomic_inc(&pkt->qp->skb_out); + +- if (skb->protocol == htons(ETH_P_IP)) { ++ if (skb->protocol == htons(ETH_P_IP)) + err = ip_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb); +- } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ else + err = ip6_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb); +- } else { +- rxe_dbg_qp(pkt->qp, "Unknown layer 3 protocol: %d\n", +- skb->protocol); +- atomic_dec(&pkt->qp->skb_out); +- rxe_put(pkt->qp); +- kfree_skb(skb); +- return -EINVAL; +- } + + if (unlikely(net_xmit_eval(err))) { + rxe_dbg_qp(pkt->qp, "error sending packet: %d\n", err); +-- +2.43.0 + diff --git a/queue-6.9/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch b/queue-6.9/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch new file mode 100644 index 00000000000..a7035a080aa --- /dev/null +++ b/queue-6.9/rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch @@ -0,0 +1,52 @@ +From d3a53bbf0b7dd944c1a848a7f764e577bf1d2ce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:55:04 -0500 +Subject: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt + +From: Bob Pearson + +[ Upstream commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6 ] + +In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the +resp_pkts queue and then a decision is made whether to run the completer +task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' +performance counter. This is wrong because if the completer task is +already running in a separate thread it may have already processed the skb +and freed it which can cause a seg fault. This has been observed +infrequently in testing at high scale. + +This patch fixes this by changing the order of enqueuing the packet until +after the counter is accessed. + +Link: https://lore.kernel.org/r/20240329145513.35381-4-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Fixes: 0b1e5b99a48b ("IB/rxe: Add port protocol stats") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c +index b78b8c0856abd..c997b7cbf2a9e 100644 +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -131,12 +131,12 @@ void rxe_comp_queue_pkt(struct rxe_qp *qp, struct sk_buff *skb) + { + int must_sched; + +- skb_queue_tail(&qp->resp_pkts, skb); +- +- must_sched = skb_queue_len(&qp->resp_pkts) > 1; ++ must_sched = skb_queue_len(&qp->resp_pkts) > 0; + if (must_sched != 0) + rxe_counter_inc(SKB_TO_PKT(skb)->rxe, RXE_CNT_COMPLETER_SCHED); + ++ skb_queue_tail(&qp->resp_pkts, skb); ++ + if (must_sched) + rxe_sched_task(&qp->comp.task); + else +-- +2.43.0 + diff --git a/queue-6.9/revert-selftests-compile-kselftest-headers-with-d_gn.patch b/queue-6.9/revert-selftests-compile-kselftest-headers-with-d_gn.patch new file mode 100644 index 00000000000..d6ba73a0a92 --- /dev/null +++ b/queue-6.9/revert-selftests-compile-kselftest-headers-with-d_gn.patch @@ -0,0 +1,73 @@ +From e4f5f98bf219b98f431af32e5fb0651fcb02ac43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 May 2024 20:51:07 -0600 +Subject: Revert "selftests: Compile kselftest headers with -D_GNU_SOURCE" + +From: Shuah Khan + +[ Upstream commit cee27ae5f1fb8bc4762f5d5de19ec6de6c45e239 ] + +This reverts commit daef47b89efd0b745e8478d69a3ad724bd8b4dc6. + +This framework change to add D_GNU_SOURCE to KHDR_INCLUDES +to Makefile, lib.mk, and kselftest_harness.h is causing build +failures and warnings. + +Revert this change. + +Reported-by: Mark Brown +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 4 ++-- + tools/testing/selftests/kselftest_harness.h | 2 +- + tools/testing/selftests/lib.mk | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index ed012a7f07865..e1504833654db 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -161,11 +161,11 @@ ifneq ($(KBUILD_OUTPUT),) + # $(realpath ...) resolves symlinks + abs_objtree := $(realpath $(abs_objtree)) + BUILD := $(abs_objtree)/kselftest +- KHDR_INCLUDES := -D_GNU_SOURCE -isystem ${abs_objtree}/usr/include ++ KHDR_INCLUDES := -isystem ${abs_objtree}/usr/include + else + BUILD := $(CURDIR) + abs_srctree := $(shell cd $(top_srcdir) && pwd) +- KHDR_INCLUDES := -D_GNU_SOURCE -isystem ${abs_srctree}/usr/include ++ KHDR_INCLUDES := -isystem ${abs_srctree}/usr/include + DEFAULT_INSTALL_HDR_PATH := 1 + endif + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 37b03f1b8741d..3c8f2965c2850 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -51,7 +51,7 @@ + #define __KSELFTEST_HARNESS_H + + #ifndef _GNU_SOURCE +-static_assert(0, "kselftest harness requires _GNU_SOURCE to be defined"); ++#define _GNU_SOURCE + #endif + #include + #include +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index 7fa4a96e26ed6..8ae203d8ed7fa 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -53,7 +53,7 @@ selfdir = $(realpath $(dir $(filter %/lib.mk,$(MAKEFILE_LIST)))) + top_srcdir = $(selfdir)/../../.. + + ifeq ($(KHDR_INCLUDES),) +-KHDR_INCLUDES := -D_GNU_SOURCE -isystem $(top_srcdir)/usr/include ++KHDR_INCLUDES := -isystem $(top_srcdir)/usr/include + endif + + # The following are built by lib.mk common compile rules. +-- +2.43.0 + diff --git a/queue-6.9/revert-selftests-sgx-include-khdr_includes-in-makefi.patch b/queue-6.9/revert-selftests-sgx-include-khdr_includes-in-makefi.patch new file mode 100644 index 00000000000..edf06ae74be --- /dev/null +++ b/queue-6.9/revert-selftests-sgx-include-khdr_includes-in-makefi.patch @@ -0,0 +1,54 @@ +From dfbf1641853e6208c5c6c252a6e5858a88cc2e6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 May 2024 20:58:26 -0600 +Subject: Revert "selftests/sgx: Include KHDR_INCLUDES in Makefile" + +From: Shuah Khan + +[ Upstream commit 3da164023582969280df17636a9d829752787b1c ] + +This reverts commit 2c3b8f8f37c6c0c926d584cf4158db95e62b960c. + +The framework change to add D_GNU_SOURCE to KHDR_INCLUDES +to Makefile, lib.mk, and kselftest_harness.h is reverted +as it is causing build failures and warnings. + +Revert this change as this change depends on the framework +change. + +Reported-by: Mark Brown +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/sgx/Makefile | 2 +- + tools/testing/selftests/sgx/sigstruct.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/sgx/Makefile b/tools/testing/selftests/sgx/Makefile +index 26ea30fae23ca..867f88ce2570a 100644 +--- a/tools/testing/selftests/sgx/Makefile ++++ b/tools/testing/selftests/sgx/Makefile +@@ -12,7 +12,7 @@ OBJCOPY := $(CROSS_COMPILE)objcopy + endif + + INCLUDES := -I$(top_srcdir)/tools/include +-HOST_CFLAGS := -Wall -Werror $(KHDR_INCLUDES) -g $(INCLUDES) -fPIC ++HOST_CFLAGS := -Wall -Werror -g $(INCLUDES) -fPIC + HOST_LDFLAGS := -z noexecstack -lcrypto + ENCL_CFLAGS += -Wall -Werror -static-pie -nostdlib -ffreestanding -fPIE \ + -fno-stack-protector -mrdrnd $(INCLUDES) +diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c +index 200034a0fee51..d73b29becf5b0 100644 +--- a/tools/testing/selftests/sgx/sigstruct.c ++++ b/tools/testing/selftests/sgx/sigstruct.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* Copyright(c) 2016-20 Intel Corporation. */ + ++#define _GNU_SOURCE + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.9/revert-sh-handle-calling-csum_partial-with-misaligne.patch b/queue-6.9/revert-sh-handle-calling-csum_partial-with-misaligne.patch new file mode 100644 index 00000000000..ad334863585 --- /dev/null +++ b/queue-6.9/revert-sh-handle-calling-csum_partial-with-misaligne.patch @@ -0,0 +1,187 @@ +From 3b82c2828f875c1d74defacbf8eeba36202dad65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Mar 2024 16:18:04 -0700 +Subject: Revert "sh: Handle calling csum_partial with misaligned data" + +From: Guenter Roeck + +[ Upstream commit b5319c96292ff877f6b58d349acf0a9dc8d3b454 ] + +This reverts commit cadc4e1a2b4d20d0cc0e81f2c6ba0588775e54e5. + +Commit cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned +data") causes bad checksum calculations on unaligned data. Reverting +it fixes the problem. + + # Subtest: checksum + # module: checksum_kunit + 1..5 + # test_csum_fixed_random_inputs: ASSERTION FAILED at lib/checksum_kunit.c:500 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 53378 (0xd082) + ( u64)expec == 33488 (0x82d0) + # test_csum_fixed_random_inputs: pass:0 fail:1 skip:0 total:1 + not ok 1 test_csum_fixed_random_inputs + # test_csum_all_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:525 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65281 (0xff01) + ( u64)expec == 65280 (0xff00) + # test_csum_all_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 2 test_csum_all_carry_inputs + # test_csum_no_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:573 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65535 (0xffff) + ( u64)expec == 65534 (0xfffe) + # test_csum_no_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 3 test_csum_no_carry_inputs + # test_ip_fast_csum: pass:1 fail:0 skip:0 total:1 + ok 4 test_ip_fast_csum + # test_csum_ipv6_magic: pass:1 fail:0 skip:0 total:1 + ok 5 test_csum_ipv6_magic + # checksum: pass:2 fail:3 skip:0 total:5 + # Totals: pass:2 fail:3 skip:0 total:5 +not ok 22 checksum + +Fixes: cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data") +Signed-off-by: Guenter Roeck +Tested-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20240324231804.841099-1-linux@roeck-us.net +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/lib/checksum.S | 67 ++++++++++++------------------------------ + 1 file changed, 18 insertions(+), 49 deletions(-) + +diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S +index 3e07074e00981..06fed5a21e8ba 100644 +--- a/arch/sh/lib/checksum.S ++++ b/arch/sh/lib/checksum.S +@@ -33,7 +33,8 @@ + */ + + /* +- * asmlinkage __wsum csum_partial(const void *buf, int len, __wsum sum); ++ * unsigned int csum_partial(const unsigned char *buf, int len, ++ * unsigned int sum); + */ + + .text +@@ -45,31 +46,11 @@ ENTRY(csum_partial) + * Fortunately, it is easy to convert 2-byte alignment to 4-byte + * alignment for the unrolled loop. + */ ++ mov r5, r1 + mov r4, r0 +- tst #3, r0 ! Check alignment. +- bt/s 2f ! Jump if alignment is ok. +- mov r4, r7 ! Keep a copy to check for alignment ++ tst #2, r0 ! Check alignment. ++ bt 2f ! Jump if alignment is ok. + ! +- tst #1, r0 ! Check alignment. +- bt 21f ! Jump if alignment is boundary of 2bytes. +- +- ! buf is odd +- tst r5, r5 +- add #-1, r5 +- bt 9f +- mov.b @r4+, r0 +- extu.b r0, r0 +- addc r0, r6 ! t=0 from previous tst +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +- mov r4, r0 +- tst #2, r0 +- bt 2f +-21: +- ! buf is 2 byte aligned (len could be 0) + add #-2, r5 ! Alignment uses up two bytes. + cmp/pz r5 ! + bt/s 1f ! Jump if we had at least two bytes. +@@ -77,17 +58,16 @@ ENTRY(csum_partial) + bra 6f + add #2, r5 ! r5 was < 2. Deal with it. + 1: ++ mov r5, r1 ! Save new len for later use. + mov.w @r4+, r0 + extu.w r0, r0 + addc r0, r6 + bf 2f + add #1, r6 + 2: +- ! buf is 4 byte aligned (len could be 0) +- mov r5, r1 + mov #-5, r0 +- shld r0, r1 +- tst r1, r1 ++ shld r0, r5 ++ tst r5, r5 + bt/s 4f ! if it's =0, go to 4f + clrt + .align 2 +@@ -109,31 +89,30 @@ ENTRY(csum_partial) + addc r0, r6 + addc r2, r6 + movt r0 +- dt r1 ++ dt r5 + bf/s 3b + cmp/eq #1, r0 +- ! here, we know r1==0 +- addc r1, r6 ! add carry to r6 ++ ! here, we know r5==0 ++ addc r5, r6 ! add carry to r6 + 4: +- mov r5, r0 ++ mov r1, r0 + and #0x1c, r0 + tst r0, r0 +- bt 6f +- ! 4 bytes or more remaining +- mov r0, r1 +- shlr2 r1 ++ bt/s 6f ++ mov r0, r5 ++ shlr2 r5 + mov #0, r2 + 5: + addc r2, r6 + mov.l @r4+, r2 + movt r0 +- dt r1 ++ dt r5 + bf/s 5b + cmp/eq #1, r0 + addc r2, r6 +- addc r1, r6 ! r1==0 here, so it means add carry-bit ++ addc r5, r6 ! r5==0 here, so it means add carry-bit + 6: +- ! 3 bytes or less remaining ++ mov r1, r5 + mov #3, r0 + and r0, r5 + tst r5, r5 +@@ -159,16 +138,6 @@ ENTRY(csum_partial) + mov #0, r0 + addc r0, r6 + 9: +- ! Check if the buffer was misaligned, if so realign sum +- mov r7, r0 +- tst #1, r0 +- bt 10f +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +-10: + rts + mov r6, r0 + +-- +2.43.0 + diff --git a/queue-6.9/risc-v-fix-the-typo-in-scountovf-csr-name.patch b/queue-6.9/risc-v-fix-the-typo-in-scountovf-csr-name.patch new file mode 100644 index 00000000000..8d8107b97aa --- /dev/null +++ b/queue-6.9/risc-v-fix-the-typo-in-scountovf-csr-name.patch @@ -0,0 +1,60 @@ +From 595fb53ef8662f74663e68491002958c374ee256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Apr 2024 08:17:17 -0700 +Subject: RISC-V: Fix the typo in Scountovf CSR name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Atish Patra + +[ Upstream commit d1927f64e0e1094f296842e127138cb5f3bf3c6d ] + +The counter overflow CSR name is "scountovf" not "sscountovf". + +Fix the csr name. + +Fixes: 4905ec2fb7e6 ("RISC-V: Add sscofpmf extension support") +Reviewed-by: Clément Léger +Reviewed-by: Conor Dooley +Reviewed-by: Anup Patel +Reviewed-by: Andrew Jones +Acked-by: Palmer Dabbelt +Signed-off-by: Atish Patra +Link: https://lore.kernel.org/r/20240420151741.962500-2-atishp@rivosinc.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/csr.h | 2 +- + drivers/perf/riscv_pmu_sbi.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h +index 2468c55933cd0..9d1b07932794e 100644 +--- a/arch/riscv/include/asm/csr.h ++++ b/arch/riscv/include/asm/csr.h +@@ -281,7 +281,7 @@ + #define CSR_HPMCOUNTER30H 0xc9e + #define CSR_HPMCOUNTER31H 0xc9f + +-#define CSR_SSCOUNTOVF 0xda0 ++#define CSR_SCOUNTOVF 0xda0 + + #define CSR_SSTATUS 0x100 + #define CSR_SIE 0x104 +diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c +index 8cbe6e5f9c39a..3e44d2fb8bf81 100644 +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -27,7 +27,7 @@ + + #define ALT_SBI_PMU_OVERFLOW(__ovl) \ + asm volatile(ALTERNATIVE_2( \ +- "csrr %0, " __stringify(CSR_SSCOUNTOVF), \ ++ "csrr %0, " __stringify(CSR_SCOUNTOVF), \ + "csrr %0, " __stringify(THEAD_C9XX_CSR_SCOUNTEROF), \ + THEAD_VENDOR_ID, ERRATA_THEAD_PMU, \ + CONFIG_ERRATA_THEAD_PMU, \ +-- +2.43.0 + diff --git a/queue-6.9/riscv-bpf-make-some-atomic-operations-fully-ordered.patch b/queue-6.9/riscv-bpf-make-some-atomic-operations-fully-ordered.patch new file mode 100644 index 00000000000..0e46c8889ad --- /dev/null +++ b/queue-6.9/riscv-bpf-make-some-atomic-operations-fully-ordered.patch @@ -0,0 +1,97 @@ +From 655fb325c32106b1c25cabb54d3ae41a56a443e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 May 2024 20:16:33 +0000 +Subject: riscv, bpf: make some atomic operations fully ordered + +From: Puranjay Mohan + +[ Upstream commit 20a759df3bba35bf5c3ddec0c02ad69b603b584c ] + +The BPF atomic operations with the BPF_FETCH modifier along with +BPF_XCHG and BPF_CMPXCHG are fully ordered but the RISC-V JIT implements +all atomic operations except BPF_CMPXCHG with relaxed ordering. + +Section 8.1 of the "The RISC-V Instruction Set Manual Volume I: +Unprivileged ISA" [1], titled, "Specifying Ordering of Atomic +Instructions" says: + +| To provide more efficient support for release consistency [5], each +| atomic instruction has two bits, aq and rl, used to specify additional +| memory ordering constraints as viewed by other RISC-V harts. + +and + +| If only the aq bit is set, the atomic memory operation is treated as +| an acquire access. +| If only the rl bit is set, the atomic memory operation is treated as a +| release access. +| +| If both the aq and rl bits are set, the atomic memory operation is +| sequentially consistent. + +Fix this by setting both aq and rl bits as 1 for operations with +BPF_FETCH and BPF_XCHG. + +[1] https://riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf + +Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64") +Signed-off-by: Puranjay Mohan +Reviewed-by: Pu Lehui +Link: https://lore.kernel.org/r/20240505201633.123115-1-puranjay@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index ec9d692838fca..fb5d1950042b7 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -498,33 +498,33 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64, + break; + /* src_reg = atomic_fetch_(dst_reg + off16, src_reg) */ + case BPF_ADD | BPF_FETCH: +- emit(is64 ? rv_amoadd_d(rs, rs, rd, 0, 0) : +- rv_amoadd_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoadd_d(rs, rs, rd, 1, 1) : ++ rv_amoadd_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zextw(rs, rs, ctx); + break; + case BPF_AND | BPF_FETCH: +- emit(is64 ? rv_amoand_d(rs, rs, rd, 0, 0) : +- rv_amoand_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoand_d(rs, rs, rd, 1, 1) : ++ rv_amoand_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zextw(rs, rs, ctx); + break; + case BPF_OR | BPF_FETCH: +- emit(is64 ? rv_amoor_d(rs, rs, rd, 0, 0) : +- rv_amoor_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoor_d(rs, rs, rd, 1, 1) : ++ rv_amoor_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zextw(rs, rs, ctx); + break; + case BPF_XOR | BPF_FETCH: +- emit(is64 ? rv_amoxor_d(rs, rs, rd, 0, 0) : +- rv_amoxor_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoxor_d(rs, rs, rd, 1, 1) : ++ rv_amoxor_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zextw(rs, rs, ctx); + break; + /* src_reg = atomic_xchg(dst_reg + off16, src_reg); */ + case BPF_XCHG: +- emit(is64 ? rv_amoswap_d(rs, rs, rd, 0, 0) : +- rv_amoswap_w(rs, rs, rd, 0, 0), ctx); ++ emit(is64 ? rv_amoswap_d(rs, rs, rd, 1, 1) : ++ rv_amoswap_w(rs, rs, rd, 1, 1), ctx); + if (!is64) + emit_zextw(rs, rs, ctx); + break; +-- +2.43.0 + diff --git a/queue-6.9/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch b/queue-6.9/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch new file mode 100644 index 00000000000..3d0f461ec46 --- /dev/null +++ b/queue-6.9/s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch @@ -0,0 +1,62 @@ +From 4b302504006bf311ea6a9a8009ec17038788ef94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 02:02:49 +0200 +Subject: s390/bpf: Emit a barrier for BPF_FETCH instructions + +From: Ilya Leoshkevich + +[ Upstream commit 68378982f0b21de02ac3c6a11e2420badefcb4bc ] + +BPF_ATOMIC_OP() macro documentation states that "BPF_ADD | BPF_FETCH" +should be the same as atomic_fetch_add(), which is currently not the +case on s390x: the serialization instruction "bcr 14,0" is missing. +This applies to "and", "or" and "xor" variants too. + +s390x is allowed to reorder stores with subsequent fetches from +different addresses, so code relying on BPF_FETCH acting as a barrier, +for example: + + stw [%r0], 1 + afadd [%r1], %r2 + ldxw %r3, [%r4] + +may be broken. Fix it by emitting "bcr 14,0". + +Note that a separate serialization instruction is not needed for +BPF_XCHG and BPF_CMPXCHG, because COMPARE AND SWAP performs +serialization itself. + +Fixes: ba3b86b9cef0 ("s390/bpf: Implement new atomic ops") +Reported-by: Puranjay Mohan +Closes: https://lore.kernel.org/bpf/mb61p34qvq3wf.fsf@kernel.org/ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Puranjay Mohan +Link: https://lore.kernel.org/r/20240507000557.12048-1-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 5af0402e94b88..1d168a98ae21b 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1427,8 +1427,12 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + EMIT6_DISP_LH(0xeb000000, is32 ? (op32) : (op64), \ + (insn->imm & BPF_FETCH) ? src_reg : REG_W0, \ + src_reg, dst_reg, off); \ +- if (is32 && (insn->imm & BPF_FETCH)) \ +- EMIT_ZERO(src_reg); \ ++ if (insn->imm & BPF_FETCH) { \ ++ /* bcr 14,0 - see atomic_fetch_{add,and,or,xor}() */ \ ++ _EMIT2(0x07e0); \ ++ if (is32) \ ++ EMIT_ZERO(src_reg); \ ++ } \ + } while (0) + case BPF_ADD: + case BPF_ADD | BPF_FETCH: +-- +2.43.0 + diff --git a/queue-6.9/s390-cio-fix-tracepoint-subchannel-type-field.patch b/queue-6.9/s390-cio-fix-tracepoint-subchannel-type-field.patch new file mode 100644 index 00000000000..a9ddbbbffe2 --- /dev/null +++ b/queue-6.9/s390-cio-fix-tracepoint-subchannel-type-field.patch @@ -0,0 +1,38 @@ +From d62d93ece6d2c10a4d8f3a42427e3bedb9a02549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 17:04:56 +0100 +Subject: s390/cio: fix tracepoint subchannel type field + +From: Peter Oberparleiter + +[ Upstream commit 8692a24d0fae19f674d51726d179ad04ba95d958 ] + +The subchannel-type field "st" of s390_cio_stsch and s390_cio_msch +tracepoints is incorrectly filled with the subchannel-enabled SCHIB +value "ena". Fix this by assigning the correct value. + +Fixes: d1de8633d96a ("s390 cio: Rewrite trace point class s390_class_schib") +Reviewed-by: Heiko Carstens +Signed-off-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/trace.h b/drivers/s390/cio/trace.h +index 86993de253451..a4c5c6736b310 100644 +--- a/drivers/s390/cio/trace.h ++++ b/drivers/s390/cio/trace.h +@@ -50,7 +50,7 @@ DECLARE_EVENT_CLASS(s390_class_schib, + __entry->devno = schib->pmcw.dev; + __entry->schib = *schib; + __entry->pmcw_ena = schib->pmcw.ena; +- __entry->pmcw_st = schib->pmcw.ena; ++ __entry->pmcw_st = schib->pmcw.st; + __entry->pmcw_dnv = schib->pmcw.dnv; + __entry->pmcw_dev = schib->pmcw.dev; + __entry->pmcw_lpm = schib->pmcw.lpm; +-- +2.43.0 + diff --git a/queue-6.9/s390-mm-re-enable-the-shared-zeropage-for-pv-and-ske.patch b/queue-6.9/s390-mm-re-enable-the-shared-zeropage-for-pv-and-ske.patch new file mode 100644 index 00000000000..026545a5963 --- /dev/null +++ b/queue-6.9/s390-mm-re-enable-the-shared-zeropage-for-pv-and-ske.patch @@ -0,0 +1,369 @@ +From ed5bea8f12c40f4ed7cc3d240007a707afff054a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 18:14:41 +0200 +Subject: s390/mm: Re-enable the shared zeropage for !PV and !skeys KVM guests + +From: David Hildenbrand + +[ Upstream commit 06201e00ee3e4beacac48aab2b83eff64ebf0bc0 ] + +commit fa41ba0d08de ("s390/mm: avoid empty zero pages for KVM guests to +avoid postcopy hangs") introduced an undesired side effect when combined +with memory ballooning and VM migration: memory part of the inflated +memory balloon will consume memory. + +Assuming we have a 100GiB VM and inflated the balloon to 40GiB. Our VM +will consume ~60GiB of memory. If we now trigger a VM migration, +hypervisors like QEMU will read all VM memory. As s390x does not support +the shared zeropage, we'll end up allocating for all previously-inflated +memory part of the memory balloon: 50 GiB. So we might easily +(unexpectedly) crash the VM on the migration source. + +Even worse, hypervisors like QEMU optimize for zeropage migration to not +consume memory on the migration destination: when migrating a +"page full of zeroes", on the migration destination they check whether the +target memory is already zero (by reading the destination memory) and avoid +writing to the memory to not allocate memory: however, s390x will also +allocate memory here, implying that also on the migration destination, we +will end up allocating all previously-inflated memory part of the memory +balloon. + +This is especially bad if actual memory overcommit was not desired, when +memory ballooning is used for dynamic VM memory resizing, setting aside +some memory during boot that can be added later on demand. Alternatives +like virtio-mem that would avoid this issue are not yet available on +s390x. + +There could be ways to optimize some cases in user space: before reading +memory in an anonymous private mapping on the migration source, check via +/proc/self/pagemap if anything is already populated. Similarly check on +the migration destination before reading. While that would avoid +populating tables full of shared zeropages on all architectures, it's +harder to get right and performant, and requires user space changes. + +Further, with posctopy live migration we must place a page, so there, +"avoid touching memory to avoid allocating memory" is not really +possible. (Note that a previously we would have falsely inserted +shared zeropages into processes using UFFDIO_ZEROPAGE where +mm_forbids_zeropage() would have actually forbidden it) + +PV is currently incompatible with memory ballooning, and in the common +case, KVM guests don't make use of storage keys. Instead of zapping +zeropages when enabling storage keys / PV, that turned out to be +problematic in the past, let's do exactly the same we do with KSM pages: +trigger unsharing faults to replace the shared zeropages by proper +anonymous folios. + +What about added latency when enabling storage kes? Having a lot of +zeropages in applicable environments (PV, legacy guests, unittests) is +unexpected. Further, KSM could today already unshare the zeropages +and unmerging KSM pages when enabling storage kets would unshare the +KSM-placed zeropages in the same way, resulting in the same latency. + +[ agordeev: Fixed sparse and checkpatch complaints and error handling ] + +Reviewed-by: Christian Borntraeger +Tested-by: Christian Borntraeger +Fixes: fa41ba0d08de ("s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs") +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20240411161441.910170-3-david@redhat.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/gmap.h | 2 +- + arch/s390/include/asm/mmu.h | 5 + + arch/s390/include/asm/mmu_context.h | 1 + + arch/s390/include/asm/pgtable.h | 16 ++- + arch/s390/kvm/kvm-s390.c | 4 +- + arch/s390/mm/gmap.c | 165 +++++++++++++++++++++------- + 6 files changed, 146 insertions(+), 47 deletions(-) + +diff --git a/arch/s390/include/asm/gmap.h b/arch/s390/include/asm/gmap.h +index 5cc46e0dde620..9725586f42597 100644 +--- a/arch/s390/include/asm/gmap.h ++++ b/arch/s390/include/asm/gmap.h +@@ -146,7 +146,7 @@ int gmap_mprotect_notify(struct gmap *, unsigned long start, + + void gmap_sync_dirty_log_pmd(struct gmap *gmap, unsigned long dirty_bitmap[4], + unsigned long gaddr, unsigned long vmaddr); +-int gmap_mark_unmergeable(void); ++int s390_disable_cow_sharing(void); + void s390_unlist_old_asce(struct gmap *gmap); + int s390_replace_asce(struct gmap *gmap); + void s390_uv_destroy_pfns(unsigned long count, unsigned long *pfns); +diff --git a/arch/s390/include/asm/mmu.h b/arch/s390/include/asm/mmu.h +index bb1b4bef1878b..4c2dc7abc2858 100644 +--- a/arch/s390/include/asm/mmu.h ++++ b/arch/s390/include/asm/mmu.h +@@ -32,6 +32,11 @@ typedef struct { + unsigned int uses_skeys:1; + /* The mmu context uses CMM. */ + unsigned int uses_cmm:1; ++ /* ++ * The mmu context allows COW-sharing of memory pages (KSM, zeropage). ++ * Note that COW-sharing during fork() is currently always allowed. ++ */ ++ unsigned int allow_cow_sharing:1; + /* The gmaps associated with this context are allowed to use huge pages. */ + unsigned int allow_gmap_hpage_1m:1; + } mm_context_t; +diff --git a/arch/s390/include/asm/mmu_context.h b/arch/s390/include/asm/mmu_context.h +index 929af18b09081..a7789a9f62186 100644 +--- a/arch/s390/include/asm/mmu_context.h ++++ b/arch/s390/include/asm/mmu_context.h +@@ -35,6 +35,7 @@ static inline int init_new_context(struct task_struct *tsk, + mm->context.has_pgste = 0; + mm->context.uses_skeys = 0; + mm->context.uses_cmm = 0; ++ mm->context.allow_cow_sharing = 1; + mm->context.allow_gmap_hpage_1m = 0; + #endif + switch (mm->context.asce_limit) { +diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h +index 60950e7a25f58..259c2439c2517 100644 +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -566,10 +566,20 @@ static inline pud_t set_pud_bit(pud_t pud, pgprot_t prot) + } + + /* +- * In the case that a guest uses storage keys +- * faults should no longer be backed by zero pages ++ * As soon as the guest uses storage keys or enables PV, we deduplicate all ++ * mapped shared zeropages and prevent new shared zeropages from getting ++ * mapped. + */ +-#define mm_forbids_zeropage mm_has_pgste ++#define mm_forbids_zeropage mm_forbids_zeropage ++static inline int mm_forbids_zeropage(struct mm_struct *mm) ++{ ++#ifdef CONFIG_PGSTE ++ if (!mm->context.allow_cow_sharing) ++ return 1; ++#endif ++ return 0; ++} ++ + static inline int mm_uses_skeys(struct mm_struct *mm) + { + #ifdef CONFIG_PGSTE +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 7721eb522f43d..82e9631cd9efb 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -2631,9 +2631,7 @@ static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd) + if (r) + break; + +- mmap_write_lock(current->mm); +- r = gmap_mark_unmergeable(); +- mmap_write_unlock(current->mm); ++ r = s390_disable_cow_sharing(); + if (r) + break; + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 12d22a7fa32fd..474a25ca5c48f 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -2549,41 +2549,6 @@ static inline void thp_split_mm(struct mm_struct *mm) + } + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + +-/* +- * Remove all empty zero pages from the mapping for lazy refaulting +- * - This must be called after mm->context.has_pgste is set, to avoid +- * future creation of zero pages +- * - This must be called after THP was disabled. +- * +- * mm contracts with s390, that even if mm were to remove a page table, +- * racing with the loop below and so causing pte_offset_map_lock() to fail, +- * it will never insert a page table containing empty zero pages once +- * mm_forbids_zeropage(mm) i.e. mm->context.has_pgste is set. +- */ +-static int __zap_zero_pages(pmd_t *pmd, unsigned long start, +- unsigned long end, struct mm_walk *walk) +-{ +- unsigned long addr; +- +- for (addr = start; addr != end; addr += PAGE_SIZE) { +- pte_t *ptep; +- spinlock_t *ptl; +- +- ptep = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); +- if (!ptep) +- break; +- if (is_zero_pfn(pte_pfn(*ptep))) +- ptep_xchg_direct(walk->mm, addr, ptep, __pte(_PAGE_INVALID)); +- pte_unmap_unlock(ptep, ptl); +- } +- return 0; +-} +- +-static const struct mm_walk_ops zap_zero_walk_ops = { +- .pmd_entry = __zap_zero_pages, +- .walk_lock = PGWALK_WRLOCK, +-}; +- + /* + * switch on pgstes for its userspace process (for kvm) + */ +@@ -2601,22 +2566,142 @@ int s390_enable_sie(void) + mm->context.has_pgste = 1; + /* split thp mappings and disable thp for future mappings */ + thp_split_mm(mm); +- walk_page_range(mm, 0, TASK_SIZE, &zap_zero_walk_ops, NULL); + mmap_write_unlock(mm); + return 0; + } + EXPORT_SYMBOL_GPL(s390_enable_sie); + +-int gmap_mark_unmergeable(void) ++static int find_zeropage_pte_entry(pte_t *pte, unsigned long addr, ++ unsigned long end, struct mm_walk *walk) ++{ ++ unsigned long *found_addr = walk->private; ++ ++ /* Return 1 of the page is a zeropage. */ ++ if (is_zero_pfn(pte_pfn(*pte))) { ++ /* ++ * Shared zeropage in e.g., a FS DAX mapping? We cannot do the ++ * right thing and likely don't care: FAULT_FLAG_UNSHARE ++ * currently only works in COW mappings, which is also where ++ * mm_forbids_zeropage() is checked. ++ */ ++ if (!is_cow_mapping(walk->vma->vm_flags)) ++ return -EFAULT; ++ ++ *found_addr = addr; ++ return 1; ++ } ++ return 0; ++} ++ ++static const struct mm_walk_ops find_zeropage_ops = { ++ .pte_entry = find_zeropage_pte_entry, ++ .walk_lock = PGWALK_WRLOCK, ++}; ++ ++/* ++ * Unshare all shared zeropages, replacing them by anonymous pages. Note that ++ * we cannot simply zap all shared zeropages, because this could later ++ * trigger unexpected userfaultfd missing events. ++ * ++ * This must be called after mm->context.allow_cow_sharing was ++ * set to 0, to avoid future mappings of shared zeropages. ++ * ++ * mm contracts with s390, that even if mm were to remove a page table, ++ * and racing with walk_page_range_vma() calling pte_offset_map_lock() ++ * would fail, it will never insert a page table containing empty zero ++ * pages once mm_forbids_zeropage(mm) i.e. ++ * mm->context.allow_cow_sharing is set to 0. ++ */ ++static int __s390_unshare_zeropages(struct mm_struct *mm) ++{ ++ struct vm_area_struct *vma; ++ VMA_ITERATOR(vmi, mm, 0); ++ unsigned long addr; ++ vm_fault_t fault; ++ int rc; ++ ++ for_each_vma(vmi, vma) { ++ /* ++ * We could only look at COW mappings, but it's more future ++ * proof to catch unexpected zeropages in other mappings and ++ * fail. ++ */ ++ if ((vma->vm_flags & VM_PFNMAP) || is_vm_hugetlb_page(vma)) ++ continue; ++ addr = vma->vm_start; ++ ++retry: ++ rc = walk_page_range_vma(vma, addr, vma->vm_end, ++ &find_zeropage_ops, &addr); ++ if (rc < 0) ++ return rc; ++ else if (!rc) ++ continue; ++ ++ /* addr was updated by find_zeropage_pte_entry() */ ++ fault = handle_mm_fault(vma, addr, ++ FAULT_FLAG_UNSHARE | FAULT_FLAG_REMOTE, ++ NULL); ++ if (fault & VM_FAULT_OOM) ++ return -ENOMEM; ++ /* ++ * See break_ksm(): even after handle_mm_fault() returned 0, we ++ * must start the lookup from the current address, because ++ * handle_mm_fault() may back out if there's any difficulty. ++ * ++ * VM_FAULT_SIGBUS and VM_FAULT_SIGSEGV are unexpected but ++ * maybe they could trigger in the future on concurrent ++ * truncation. In that case, the shared zeropage would be gone ++ * and we can simply retry and make progress. ++ */ ++ cond_resched(); ++ goto retry; ++ } ++ ++ return 0; ++} ++ ++static int __s390_disable_cow_sharing(struct mm_struct *mm) + { ++ int rc; ++ ++ if (!mm->context.allow_cow_sharing) ++ return 0; ++ ++ mm->context.allow_cow_sharing = 0; ++ ++ /* Replace all shared zeropages by anonymous pages. */ ++ rc = __s390_unshare_zeropages(mm); + /* + * Make sure to disable KSM (if enabled for the whole process or + * individual VMAs). Note that nothing currently hinders user space + * from re-enabling it. + */ +- return ksm_disable(current->mm); ++ if (!rc) ++ rc = ksm_disable(mm); ++ if (rc) ++ mm->context.allow_cow_sharing = 1; ++ return rc; ++} ++ ++/* ++ * Disable most COW-sharing of memory pages for the whole process: ++ * (1) Disable KSM and unmerge/unshare any KSM pages. ++ * (2) Disallow shared zeropages and unshare any zerpages that are mapped. ++ * ++ * Not that we currently don't bother with COW-shared pages that are shared ++ * with parent/child processes due to fork(). ++ */ ++int s390_disable_cow_sharing(void) ++{ ++ int rc; ++ ++ mmap_write_lock(current->mm); ++ rc = __s390_disable_cow_sharing(current->mm); ++ mmap_write_unlock(current->mm); ++ return rc; + } +-EXPORT_SYMBOL_GPL(gmap_mark_unmergeable); ++EXPORT_SYMBOL_GPL(s390_disable_cow_sharing); + + /* + * Enable storage key handling from now on and initialize the storage +@@ -2685,7 +2770,7 @@ int s390_enable_skey(void) + goto out_up; + + mm->context.uses_skeys = 1; +- rc = gmap_mark_unmergeable(); ++ rc = __s390_disable_cow_sharing(mm); + if (rc) { + mm->context.uses_skeys = 0; + goto out_up; +-- +2.43.0 + diff --git a/queue-6.9/s390-vmlinux.lds.s-drop-.hash-and-.gnu.hash-for-conf.patch b/queue-6.9/s390-vmlinux.lds.s-drop-.hash-and-.gnu.hash-for-conf.patch new file mode 100644 index 00000000000..820bfda532d --- /dev/null +++ b/queue-6.9/s390-vmlinux.lds.s-drop-.hash-and-.gnu.hash-for-conf.patch @@ -0,0 +1,46 @@ +From dbaf29498838e3662a389e0681325251f908fd5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 16:59:30 +0200 +Subject: s390: vmlinux.lds.S: Drop .hash and .gnu.hash for !CONFIG_PIE_BUILD + +From: Sumanth Korikkar + +[ Upstream commit 5f90003f09042b504d90ee38618cfd380ce16f4a ] + +Sections .hash and .gnu.hash are only created when CONFIG_PIE_BUILD +option is enabled. Drop these for the case CONFIG_PIE_BUILD is disabled. + +[ agordeev: Reworded the commit message ] + +Fixes: 778666df60f0 ("s390: compile relocatable kernel without -fPIE") +Suggested-by: Alexander Gordeev +Signed-off-by: Sumanth Korikkar +Reviewed-by: Alexander Gordeev +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/vmlinux.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S +index 48de296e8905c..fb9b32f936c45 100644 +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -209,13 +209,13 @@ SECTIONS + .dynstr ALIGN(8) : { + *(.dynstr) + } +-#endif + .hash ALIGN(8) : { + *(.hash) + } + .gnu.hash ALIGN(8) : { + *(.gnu.hash) + } ++#endif + + . = ALIGN(PAGE_SIZE); + __init_end = .; /* freed after init ends here */ +-- +2.43.0 + diff --git a/queue-6.9/samples-landlock-fix-incorrect-free-in-populate_rule.patch b/queue-6.9/samples-landlock-fix-incorrect-free-in-populate_rule.patch new file mode 100644 index 00000000000..91b9d717d40 --- /dev/null +++ b/queue-6.9/samples-landlock-fix-incorrect-free-in-populate_rule.patch @@ -0,0 +1,51 @@ +From fbd9aae844c78e90abff7ff9c310d9065b7c02bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 17:56:25 +0800 +Subject: samples/landlock: Fix incorrect free in populate_ruleset_net +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ivanov Mikhail + +[ Upstream commit 42212936d9d811c7cf6efc4804747a6c417aafd4 ] + +Pointer env_port_name changes after strsep(). Memory allocated via +strdup() will not be freed if landlock_add_rule() returns non-zero value. + +Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions") +Signed-off-by: Ivanov Mikhail +Reviewed-by: Konstantin Meskhidze +Link: https://lore.kernel.org/r/20240326095625.3576164-1-ivanov.mikhail1@huawei-partners.com +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + samples/landlock/sandboxer.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c +index 32e930c853bba..8b8ecd65c28c4 100644 +--- a/samples/landlock/sandboxer.c ++++ b/samples/landlock/sandboxer.c +@@ -153,7 +153,7 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd, + const __u64 allowed_access) + { + int ret = 1; +- char *env_port_name, *strport; ++ char *env_port_name, *env_port_name_next, *strport; + struct landlock_net_port_attr net_port = { + .allowed_access = allowed_access, + .port = 0, +@@ -165,7 +165,8 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd, + env_port_name = strdup(env_port_name); + unsetenv(env_var); + +- while ((strport = strsep(&env_port_name, ENV_DELIMITER))) { ++ env_port_name_next = env_port_name; ++ while ((strport = strsep(&env_port_name_next, ENV_DELIMITER))) { + net_port.port = atoi(strport); + if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, + &net_port, 0)) { +-- +2.43.0 + diff --git a/queue-6.9/sched-core-fix-incorrect-initialization-of-the-burst.patch b/queue-6.9/sched-core-fix-incorrect-initialization-of-the-burst.patch new file mode 100644 index 00000000000..46f40779b8e --- /dev/null +++ b/queue-6.9/sched-core-fix-incorrect-initialization-of-the-burst.patch @@ -0,0 +1,71 @@ +From 010193805ad93b1e93b56ede52655b95b80fbb26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:24:38 +0800 +Subject: sched/core: Fix incorrect initialization of the 'burst' parameter in + cpu_max_write() + +From: Cheng Yu + +[ Upstream commit 49217ea147df7647cb89161b805c797487783fc0 ] + +In the cgroup v2 CPU subsystem, assuming we have a +cgroup named 'test', and we set cpu.max and cpu.max.burst: + + # echo 1000000 > /sys/fs/cgroup/test/cpu.max + # echo 1000000 > /sys/fs/cgroup/test/cpu.max.burst + +then we check cpu.max and cpu.max.burst: + + # cat /sys/fs/cgroup/test/cpu.max + 1000000 100000 + # cat /sys/fs/cgroup/test/cpu.max.burst + 1000000 + +Next we set cpu.max again and check cpu.max and +cpu.max.burst: + + # echo 2000000 > /sys/fs/cgroup/test/cpu.max + # cat /sys/fs/cgroup/test/cpu.max + 2000000 100000 + + # cat /sys/fs/cgroup/test/cpu.max.burst + 1000 + +... we find that the cpu.max.burst value changed unexpectedly. + +In cpu_max_write(), the unit of the burst value returned +by tg_get_cfs_burst() is microseconds, while in cpu_max_write(), +the burst unit used for calculation should be nanoseconds, +which leads to the bug. + +To fix it, get the burst value directly from tg->cfs_bandwidth.burst. + +Fixes: f4183717b370 ("sched/fair: Introduce the burstable CFS controller") +Reported-by: Qixin Liao +Signed-off-by: Cheng Yu +Signed-off-by: Zhang Qiao +Signed-off-by: Ingo Molnar +Reviewed-by: Vincent Guittot +Tested-by: Vincent Guittot +Link: https://lore.kernel.org/r/20240424132438.514720-1-serein.chengyu@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 7019a40457a6d..d211d40a2edc9 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -11402,7 +11402,7 @@ static ssize_t cpu_max_write(struct kernfs_open_file *of, + { + struct task_group *tg = css_tg(of_css(of)); + u64 period = tg_get_cfs_period(tg); +- u64 burst = tg_get_cfs_burst(tg); ++ u64 burst = tg->cfs_bandwidth.burst; + u64 quota; + int ret; + +-- +2.43.0 + diff --git a/queue-6.9/sched-fair-add-eas-checks-before-updating-root_domai.patch b/queue-6.9/sched-fair-add-eas-checks-before-updating-root_domai.patch new file mode 100644 index 00000000000..26c6b7ddc15 --- /dev/null +++ b/queue-6.9/sched-fair-add-eas-checks-before-updating-root_domai.patch @@ -0,0 +1,148 @@ +From 50f8b5ab6bc08010b5511a561fc5f2aaddfcdb08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:27:23 +0530 +Subject: sched/fair: Add EAS checks before updating root_domain::overutilized + +From: Shrikanth Hegde + +[ Upstream commit be3a51e68f2f1b17250ce40d8872c7645b7a2991 ] + +root_domain::overutilized is only used for EAS(energy aware scheduler) +to decide whether to do load balance or not. It is not used if EAS +not possible. + +Currently enqueue_task_fair and task_tick_fair accesses, sometime updates +this field. In update_sd_lb_stats it is updated often. This causes cache +contention due to true sharing and burns a lot of cycles. ::overload and +::overutilized are part of the same cacheline. Updating it often invalidates +the cacheline. That causes access to ::overload to slow down due to +false sharing. Hence add EAS check before accessing/updating this field. +EAS check is optimized at compile time or it is a static branch. +Hence it shouldn't cost much. + +With the patch, both enqueue_task_fair and newidle_balance don't show +up as hot routines in perf profile. + + 6.8-rc4: + 7.18% swapper [kernel.vmlinux] [k] enqueue_task_fair + 6.78% s [kernel.vmlinux] [k] newidle_balance + + +patch: + 0.14% swapper [kernel.vmlinux] [k] enqueue_task_fair + 0.00% swapper [kernel.vmlinux] [k] newidle_balance + +While at it: trace_sched_overutilized_tp expect that second argument to +be bool. So do a int to bool conversion for that. + +Fixes: 2802bf3cd936 ("sched/fair: Add over-utilization/tipping point indicator") +Signed-off-by: Shrikanth Hegde +Signed-off-by: Ingo Molnar +Reviewed-by: Qais Yousef +Reviewed-by: Srikar Dronamraju +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20240307085725.444486-2-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 53 +++++++++++++++++++++++++++++---------------- + 1 file changed, 34 insertions(+), 19 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index c62805dbd6088..213c94d027a4c 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6675,22 +6675,42 @@ static inline void hrtick_update(struct rq *rq) + #ifdef CONFIG_SMP + static inline bool cpu_overutilized(int cpu) + { +- unsigned long rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN); +- unsigned long rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX); ++ unsigned long rq_util_min, rq_util_max; ++ ++ if (!sched_energy_enabled()) ++ return false; ++ ++ rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN); ++ rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX); + + /* Return true only if the utilization doesn't fit CPU's capacity */ + return !util_fits_cpu(cpu_util_cfs(cpu), rq_util_min, rq_util_max, cpu); + } + +-static inline void update_overutilized_status(struct rq *rq) ++static inline void set_rd_overutilized_status(struct root_domain *rd, ++ unsigned int status) + { +- if (!READ_ONCE(rq->rd->overutilized) && cpu_overutilized(rq->cpu)) { +- WRITE_ONCE(rq->rd->overutilized, SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rq->rd, SG_OVERUTILIZED); +- } ++ if (!sched_energy_enabled()) ++ return; ++ ++ WRITE_ONCE(rd->overutilized, status); ++ trace_sched_overutilized_tp(rd, !!status); ++} ++ ++static inline void check_update_overutilized_status(struct rq *rq) ++{ ++ /* ++ * overutilized field is used for load balancing decisions only ++ * if energy aware scheduler is being used ++ */ ++ if (!sched_energy_enabled()) ++ return; ++ ++ if (!READ_ONCE(rq->rd->overutilized) && cpu_overutilized(rq->cpu)) ++ set_rd_overutilized_status(rq->rd, SG_OVERUTILIZED); + } + #else +-static inline void update_overutilized_status(struct rq *rq) { } ++static inline void check_update_overutilized_status(struct rq *rq) { } + #endif + + /* Runqueue only has SCHED_IDLE tasks enqueued */ +@@ -6791,7 +6811,7 @@ enqueue_task_fair(struct rq *rq, struct task_struct *p, int flags) + * and the following generally works well enough in practice. + */ + if (!task_new) +- update_overutilized_status(rq); ++ check_update_overutilized_status(rq); + + enqueue_throttle: + assert_list_leaf_cfs_rq(rq); +@@ -10608,19 +10628,14 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd + env->fbq_type = fbq_classify_group(&sds->busiest_stat); + + if (!env->sd->parent) { +- struct root_domain *rd = env->dst_rq->rd; +- + /* update overload indicator if we are at root domain */ +- WRITE_ONCE(rd->overload, sg_status & SG_OVERLOAD); ++ WRITE_ONCE(env->dst_rq->rd->overload, sg_status & SG_OVERLOAD); + + /* Update over-utilization (tipping point, U >= 0) indicator */ +- WRITE_ONCE(rd->overutilized, sg_status & SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rd, sg_status & SG_OVERUTILIZED); ++ set_rd_overutilized_status(env->dst_rq->rd, ++ sg_status & SG_OVERUTILIZED); + } else if (sg_status & SG_OVERUTILIZED) { +- struct root_domain *rd = env->dst_rq->rd; +- +- WRITE_ONCE(rd->overutilized, SG_OVERUTILIZED); +- trace_sched_overutilized_tp(rd, SG_OVERUTILIZED); ++ set_rd_overutilized_status(env->dst_rq->rd, SG_OVERUTILIZED); + } + + update_idle_cpu_scan(env, sum_util); +@@ -12621,7 +12636,7 @@ static void task_tick_fair(struct rq *rq, struct task_struct *curr, int queued) + task_tick_numa(rq, curr); + + update_misfit_status(curr, rq); +- update_overutilized_status(task_rq(curr)); ++ check_update_overutilized_status(task_rq(curr)); + + task_tick_core(rq, curr); + } +-- +2.43.0 + diff --git a/queue-6.9/sched-fair-allow-disabling-sched_balance_newidle-wit.patch b/queue-6.9/sched-fair-allow-disabling-sched_balance_newidle-wit.patch new file mode 100644 index 00000000000..36f0582ecff --- /dev/null +++ b/queue-6.9/sched-fair-allow-disabling-sched_balance_newidle-wit.patch @@ -0,0 +1,64 @@ +From 568447cf5a151230ebdfbf4b41bf13c597e1ad7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:05:23 +0300 +Subject: sched/fair: Allow disabling sched_balance_newidle with + sched_relax_domain_level + +From: Vitalii Bursov + +[ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ] + +Change relax_domain_level checks so that it would be possible +to include or exclude all domains from newidle balancing. + +This matches the behavior described in the documentation: + + -1 no request. use system default or follow request of others. + 0 no search. + 1 search siblings (hyperthreads in a core). + +"2" enables levels 0 and 1, level_max excludes the last (level_max) +level, and level_max+1 includes all levels. + +Fixes: 1d3504fcf560 ("sched, cpuset: customize sched domains, core") +Signed-off-by: Vitalii Bursov +Signed-off-by: Ingo Molnar +Tested-by: Dietmar Eggemann +Reviewed-by: Vincent Guittot +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/bd6de28e80073c79466ec6401cdeae78f0d4423d.1714488502.git.vitaly@bursov.com +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 2 +- + kernel/sched/topology.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 4237c8748715d..da24187c4e025 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2948,7 +2948,7 @@ bool current_cpuset_is_being_rebound(void) + static int update_relax_domain_level(struct cpuset *cs, s64 val) + { + #ifdef CONFIG_SMP +- if (val < -1 || val >= sched_domain_level_max) ++ if (val < -1 || val > sched_domain_level_max + 1) + return -EINVAL; + #endif + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 99ea5986038ce..3127c9b30af18 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1468,7 +1468,7 @@ static void set_domain_attribute(struct sched_domain *sd, + } else + request = attr->relax_domain_level; + +- if (sd->level > request) { ++ if (sd->level >= request) { + /* Turn off idle balance on this domain: */ + sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); + } +-- +2.43.0 + diff --git a/queue-6.9/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch b/queue-6.9/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..379bcf32aea --- /dev/null +++ b/queue-6.9/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,49 @@ +From f40ead83848c847067582dc8059b491d59f8e26a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:20 +0700 +Subject: scsi: bfa: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ] + +Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from +userspace to that buffer. Later, we use sscanf on this buffer but we don't +ensure that the string is terminated inside the buffer, this can lead to +OOB read when using sscanf. Fix this issue by using memdup_user_nul instead +of memdup_user. + +Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c +index 52db147d9979d..f6dd077d47c9a 100644 +--- a/drivers/scsi/bfa/bfad_debugfs.c ++++ b/drivers/scsi/bfa/bfad_debugfs.c +@@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-6.9/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch b/queue-6.9/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch new file mode 100644 index 00000000000..871025c0fd4 --- /dev/null +++ b/queue-6.9/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch @@ -0,0 +1,41 @@ +From 832019691ce998d01db6815fc6cd3d3d721f3a08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 20:04:47 +0300 +Subject: scsi: hpsa: Fix allocation size for Scsi_Host private data + +From: Yuri Karpov + +[ Upstream commit 504e2bed5d50610c1836046c0c195b0a6dba9c72 ] + +struct Scsi_Host private data contains pointer to struct ctlr_info. + +Restore allocation of only 8 bytes to store pointer in struct Scsi_Host +private data area. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bbbd25499100 ("scsi: hpsa: Fix allocation size for scsi_host_alloc()") +Signed-off-by: Yuri Karpov +Link: https://lore.kernel.org/r/20240312170447.743709-1-YKarpov@ispras.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index af18d20f30794..49c57a9c110b5 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -5850,7 +5850,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h) + { + struct Scsi_Host *sh; + +- sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info)); ++ sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info *)); + if (sh == NULL) { + dev_err(&h->pdev->dev, "scsi_host_alloc failed\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.9/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch b/queue-6.9/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch new file mode 100644 index 00000000000..fe53000f7ca --- /dev/null +++ b/queue-6.9/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch @@ -0,0 +1,55 @@ +From 40bfda91b3f8e7d01ea71f22d7dc9ad2e581e0bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 14:11:03 +0000 +Subject: scsi: libsas: Fix the failure of adding phy with zero-address to port + +From: Xingui Yang + +[ Upstream commit 06036a0a5db34642c5dbe22021a767141f010b7a ] + +As of commit 7d1d86518118 ("[SCSI] libsas: fix false positive 'device +attached' conditions"), reset the phy->entacted_sas_addr address to a +zero-address when the link rate is less than 1.5G. + +Currently we find that when a new device is attached, and the link rate is +less than 1.5G, but the device type is not NO_DEVICE, for example: the link +rate is SAS_PHY_RESET_IN_PROGRESS and the device type is stp. After setting +the phy->entacted_sas_addr address to the zero address, the port will +continue to be created for the phy with the zero-address, and other phys +with the zero-address will be tried to be added to the new port: + +[562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached: 0000000000000000 (no device) +// phy19 is deleted but still on the parent port's phy_list +[562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached +[562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached: 0000000000000000 (stp) +[562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's already part of another port + +Therefore, it should be the same as sas_get_phy_attached_dev(). Only when +device_type is SAS_PHY_UNUSED, sas_address is set to the 0 address. + +Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions") +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20240312141103.31358-5-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index f6e6db8b8aba9..e97f4e01a865a 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -239,8 +239,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, + /* help some expanders that fail to zero sas_address in the 'no + * device' case + */ +- if (phy->attached_dev_type == SAS_PHY_UNUSED || +- phy->linkrate < SAS_LINK_RATE_1_5_GBPS) ++ if (phy->attached_dev_type == SAS_PHY_UNUSED) + memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); + else + memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); +-- +2.43.0 + diff --git a/queue-6.9/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch b/queue-6.9/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..5eb8e20fbdb --- /dev/null +++ b/queue-6.9/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,40 @@ +From 128d85044db75c33004febb6b36d65121337171d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:21 +0700 +Subject: scsi: qedf: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ] + +Currently, we allocate a count-sized kernel buffer and copy count from +userspace to that buffer. Later, we use kstrtouint on this buffer but we +don't ensure that the string is terminated inside the buffer, this can +lead to OOB read when using kstrtouint. Fix this issue by using +memdup_user_nul instead of memdup_user. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 451fd236bfd05..96174353e3898 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer, + if (!count || *ppos) + return 0; + +- kern_buf = memdup_user(buffer, count); ++ kern_buf = memdup_user_nul(buffer, count); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-6.9/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch b/queue-6.9/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch new file mode 100644 index 00000000000..7034671d74e --- /dev/null +++ b/queue-6.9/scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch @@ -0,0 +1,43 @@ +From 92e12b7fd836ac91491635f621ec3d88face9af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 02:00:56 +0000 +Subject: scsi: qla2xxx: Fix debugfs output for fw_resource_count + +From: Himanshu Madhani + +[ Upstream commit 998d09c5ef6183bd8137d1a892ba255b15978bb4 ] + +DebugFS output for fw_resource_count shows: + +estimate exchange used[0] high water limit [1945] n estimate iocb2 used [0] high water limit [5141] + estimate exchange2 used[0] high water limit [1945] + +Which shows incorrect display due to missing newline in seq_print(). + +[mkp: fix checkpatch warning about space before newline] + +Fixes: 5f63a163ed2f ("scsi: qla2xxx: Fix exchange oversubscription for management commands") +Signed-off-by: Himanshu Madhani +Link: https://lore.kernel.org/r/20240426020056.3639406-1-himanshu.madhani@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_dfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c +index 55ff3d7482b3e..a1545dad0c0ce 100644 +--- a/drivers/scsi/qla2xxx/qla_dfs.c ++++ b/drivers/scsi/qla2xxx/qla_dfs.c +@@ -274,7 +274,7 @@ qla_dfs_fw_resource_cnt_show(struct seq_file *s, void *unused) + seq_printf(s, "Driver: estimate iocb used [%d] high water limit [%d]\n", + iocbs_used, ha->base_qpair->fwres.iocbs_limit); + +- seq_printf(s, "estimate exchange used[%d] high water limit [%d] n", ++ seq_printf(s, "estimate exchange used[%d] high water limit [%d]\n", + exch_used, ha->base_qpair->fwres.exch_limit); + + if (ql2xenforce_iocb_limit == 2) { +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch b/queue-6.9/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch new file mode 100644 index 00000000000..c157ba27ca3 --- /dev/null +++ b/queue-6.9/scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch @@ -0,0 +1,50 @@ +From cf09a0660450b594b6a2352972663cffa0606ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:48 -0500 +Subject: scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV + +From: Andrew Halaney + +[ Upstream commit b715c55daf598aac8fa339048e4ca8a0916b332e ] + +Currently, HCLKDIV is written to and then completed with an mb(). + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: d90996dae8e4 ("scsi: ufs: Add UFS platform driver for Cadence UFS") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-6-181252004586@redhat.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/cdns-pltfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/cdns-pltfrm.c b/drivers/ufs/host/cdns-pltfrm.c +index bb30267da4711..66811d8d1929c 100644 +--- a/drivers/ufs/host/cdns-pltfrm.c ++++ b/drivers/ufs/host/cdns-pltfrm.c +@@ -136,7 +136,7 @@ static int cdns_ufs_set_hclkdiv(struct ufs_hba *hba) + * Make sure the register was updated, + * UniPro layer will not work with an incorrect value. + */ +- mb(); ++ ufshcd_readl(hba, CDNS_UFS_REG_HCLKDIV); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-core-mcq-fix-ufshcd_mcq_sqe_search.patch b/queue-6.9/scsi-ufs-core-mcq-fix-ufshcd_mcq_sqe_search.patch new file mode 100644 index 00000000000..f346e524f9d --- /dev/null +++ b/queue-6.9/scsi-ufs-core-mcq-fix-ufshcd_mcq_sqe_search.patch @@ -0,0 +1,50 @@ +From 24735823c5eb68ff9ba84f0cc3f5f7aa0419e63c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 17:07:45 -0700 +Subject: scsi: ufs: core: mcq: Fix ufshcd_mcq_sqe_search() + +From: Bart Van Assche + +[ Upstream commit 3c5d0dce8ce0a2781ac306b9ad1492b005ecbab5 ] + +Fix the calculation of the utrd pointer. This patch addresses the following +Coverity complaint: + +CID 1538170: (#1 of 1): Extra sizeof expression (SIZEOF_MISMATCH) +suspicious_pointer_arithmetic: Adding sq_head_slot * 32UL /* sizeof (struct +utp_transfer_req_desc) */ to pointer hwq->sqe_base_addr of type struct +utp_transfer_req_desc * is suspicious because adding an integral value to +this pointer automatically scales that value by the size, 32 bytes, of the +pointed-to type, struct utp_transfer_req_desc. Most likely, the +multiplication by sizeof (struct utp_transfer_req_desc) in this expression +is extraneous and should be eliminated. + +Cc: Bao D. Nguyen +Cc: Stanley Chu +Cc: Can Guo +Fixes: 8d7290348992 ("scsi: ufs: mcq: Add supporting functions for MCQ abort") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240410000751.1047758-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-mcq.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c +index 768bf87cd80d3..005d63ab1f441 100644 +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -601,8 +601,7 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba, + addr = le64_to_cpu(cmd_desc_base_addr) & CQE_UCD_BA; + + while (sq_head_slot != hwq->sq_tail_slot) { +- utrd = hwq->sqe_base_addr + +- sq_head_slot * sizeof(struct utp_transfer_req_desc); ++ utrd = hwq->sqe_base_addr + sq_head_slot; + match = le64_to_cpu(utrd->command_desc_base_addr) & CQE_UCD_BA; + if (addr == match) { + ufshcd_mcq_nullify_sqe(utrd); +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-inte.patch b/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-inte.patch new file mode 100644 index 00000000000..8cb0f464621 --- /dev/null +++ b/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-inte.patch @@ -0,0 +1,53 @@ +From 8860954f24829844daf03c89aa3ef795965ca16c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:50 -0500 +Subject: scsi: ufs: core: Perform read back after disabling interrupts + +From: Andrew Halaney + +[ Upstream commit e4a628877119bd40164a651d20321247b6f94a8b ] + +Currently, interrupts are cleared and disabled prior to registering the +interrupt. An mb() is used to complete the clear/disable writes before the +interrupt is registered. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring these +bits have taken effect on the device is to perform a read back to force it +to make it all the way to the device. This is documented in device-io.rst +and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure these bits hit the device. Because the mb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: 199ef13cac7d ("scsi: ufs: avoid spurious UFS host controller interrupts") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-8-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 1352f11c94bb6..5ade57c5a6f4f 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10621,7 +10621,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + * Make sure that UFS interrupts are disabled and any pending interrupt + * status is cleared before registering UFS interrupt handler. + */ +- mb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + + /* IRQ registration */ + err = devm_request_irq(dev, irq, ufshcd_intr, IRQF_SHARED, UFSHCD, hba); +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch b/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch new file mode 100644 index 00000000000..cd13c170e0f --- /dev/null +++ b/queue-6.9/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch @@ -0,0 +1,52 @@ +From 66b1aa9c6f8b5b87496a3a1974bd4f90edff0090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:51 -0500 +Subject: scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL + +From: Andrew Halaney + +[ Upstream commit 4bf3855497b60765ca03b983d064b25e99b97657 ] + +Currently, the UIC_COMMAND_COMPL interrupt is disabled and a wmb() is used +to complete the register write before any following writes. + +wmb() ensures the writes complete in that order, but completion doesn't +mean that it isn't stored in a buffer somewhere. The recommendation for +ensuring this bit has taken effect on the device is to perform a read back +to force it to make it all the way to the device. This is documented in +device-io.rst and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the wmb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: d75f7fe495cf ("scsi: ufs: reduce the interrupts for power mode change requests") +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-9-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 5ade57c5a6f4f..1322a9c318cff 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -4289,7 +4289,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + * Make sure UIC command completion interrupt is disabled before + * issuing UIC command. + */ +- wmb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + reenable_intr = true; + } + spin_unlock_irqrestore(hba->host->host_lock, flags); +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-core-perform-read-back-after-writing-utp_ta.patch b/queue-6.9/scsi-ufs-core-perform-read-back-after-writing-utp_ta.patch new file mode 100644 index 00000000000..0ce2f328e07 --- /dev/null +++ b/queue-6.9/scsi-ufs-core-perform-read-back-after-writing-utp_ta.patch @@ -0,0 +1,53 @@ +From f1a4d1897729f5309ddace191d700d430cb9f396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:49 -0500 +Subject: scsi: ufs: core: Perform read back after writing + UTP_TASK_REQ_LIST_BASE_H + +From: Andrew Halaney + +[ Upstream commit 408e28086f1c7a6423efc79926a43d7001902fae ] + +Currently, the UTP_TASK_REQ_LIST_BASE_L/UTP_TASK_REQ_LIST_BASE_H regs are +written to and then completed with an mb(). + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring these +bits have taken effect on the device is to perform a read back to force it +to make it all the way to the device. This is documented in device-io.rst +and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bits hit the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: 88441a8d355d ("scsi: ufs: core: Add hibernation callbacks") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-7-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index a0f8e930167d7..1352f11c94bb6 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10400,7 +10400,7 @@ int ufshcd_system_restore(struct device *dev) + * are updated with the latest queue addresses. Only after + * updating these addresses, we can queue the new commands. + */ +- mb(); ++ ufshcd_readl(hba, REG_UTP_TASK_REQ_LIST_BASE_H); + + /* Resuming from hibernate, assume that link was OFF */ + ufshcd_set_link_off(hba); +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch new file mode 100644 index 00000000000..af4e0e93346 --- /dev/null +++ b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch @@ -0,0 +1,51 @@ +From 040aa85bd6587119cc2a5a4e2169f30959510e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:47 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing CGC enable + +From: Andrew Halaney + +[ Upstream commit d9488511b3ac7eb48a91bc5eded7027525525e03 ] + +Currently, the CGC enable bit is written and then an mb() is used to ensure +that completes before continuing. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Can Guo +Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-5-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index 004a0f6b1fffa..62c343444d973 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -412,7 +412,7 @@ static void ufs_qcom_enable_hw_clk_gating(struct ufs_hba *hba) + REG_UFS_CFG2); + + /* Ensure that HW clock gating is enabled before next operations */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG2); + } + + static int ufs_qcom_hce_enable_notify(struct ufs_hba *hba, +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch new file mode 100644 index 00000000000..7c8a95179c4 --- /dev/null +++ b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch @@ -0,0 +1,51 @@ +From e23f747559281708dfc2d2131c4c9d264a0c6aba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:44 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US + +From: Andrew Halaney + +[ Upstream commit a862fafa263aea0f427d51aca6ff7fd9eeaaa8bd ] + +Currently after writing to REG_UFS_SYS1CLK_1US a mb() is used to ensure +that write has gone through to the device. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the mb()'s purpose +wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations") +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-2-181252004586@redhat.com +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index 7a00004bfd036..bb3445e5efa8b 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -507,7 +507,7 @@ static int ufs_qcom_cfg_timers(struct ufs_hba *hba, u32 gear, + * make sure above write gets applied before we return from + * this function. + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_SYS1CLK_1US); + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch new file mode 100644 index 00000000000..1312c90be8a --- /dev/null +++ b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch @@ -0,0 +1,71 @@ +From 5805892667546472ba822e258eb926e25ce8e805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:43 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing reset bit + +From: Andrew Halaney + +[ Upstream commit c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae ] + +Currently, the reset bit for the UFS provided reset controller (used by its +phy) is written to, and then a mb() happens to try and ensure that hit the +device. Immediately afterwards a usleep_range() occurs. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. By doing so and +guaranteeing the ordering against the immediately following usleep_range(), +the mb() can safely be removed. + +Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-1-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.h b/drivers/ufs/host/ufs-qcom.h +index 9dd9a391ebb76..b9de170983c9e 100644 +--- a/drivers/ufs/host/ufs-qcom.h ++++ b/drivers/ufs/host/ufs-qcom.h +@@ -151,10 +151,10 @@ static inline void ufs_qcom_assert_reset(struct ufs_hba *hba) + ufshcd_rmwl(hba, UFS_PHY_SOFT_RESET, UFS_PHY_SOFT_RESET, REG_UFS_CFG1); + + /* +- * Make sure assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) +@@ -162,10 +162,10 @@ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) + ufshcd_rmwl(hba, UFS_PHY_SOFT_RESET, 0, REG_UFS_CFG1); + + /* +- * Make sure de-assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + /* Host controller hardware version: major.minor.step */ +-- +2.43.0 + diff --git a/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch new file mode 100644 index 00000000000..457872b683e --- /dev/null +++ b/queue-6.9/scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch @@ -0,0 +1,52 @@ +From 0a540ccb4bb8f1b5c6fcb4d5d949a40144ca6b9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:46 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing unipro mode + +From: Andrew Halaney + +[ Upstream commit 823150ecf04f958213cf3bf162187cd1a91c885c ] + +Currently, the QUNIPRO_SEL bit is written to and then an mb() is used to +ensure that completes before continuing. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +But, there's really no reason to even ensure completion before +continuing. The only requirement here is that this write is ordered to this +endpoint (which readl()/writel() guarantees already). For that reason the +mb() can be dropped altogether without anything forcing completion. + +Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations") +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-4-181252004586@redhat.com +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index bb3445e5efa8b..004a0f6b1fffa 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -284,9 +284,6 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host) + + if (host->hw_ver.major >= 0x05) + ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0); +- +- /* make sure above configuration is applied before we return */ +- mb(); + } + + /* +-- +2.43.0 + diff --git a/queue-6.9/selftests-binderfs-use-the-makefile-s-rules-not-make.patch b/queue-6.9/selftests-binderfs-use-the-makefile-s-rules-not-make.patch new file mode 100644 index 00000000000..e8d1abf2e8b --- /dev/null +++ b/queue-6.9/selftests-binderfs-use-the-makefile-s-rules-not-make.patch @@ -0,0 +1,71 @@ +From 57b81eb88d27f28257804d58595b431d22e1cb06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 18:58:20 -0700 +Subject: selftests/binderfs: use the Makefile's rules, not Make's implicit + rules + +From: John Hubbard + +[ Upstream commit 019baf635eb6ffe8d6c1343f81788f02a7e0ed98 ] + +First of all, in order to build with clang at all, one must first apply +Valentin Obst's build fix for LLVM [1]. Once that is done, then when +building with clang, via: + + make LLVM=1 -C tools/testing/selftests + +...the following error occurs: + + clang: error: cannot specify -o when generating multiple output files + +This is because clang, unlike gcc, won't accept invocations of this +form: + + clang file1.c header2.h + +While trying to fix this, I noticed that: + +a) selftests/lib.mk already avoids the problem, and + +b) The binderfs Makefile indavertently bypasses the selftests/lib.mk +build system, and quitely uses Make's implicit build rules for .c files +instead. + +The Makefile attempts to set up both a dependency and a source file, +neither of which was needed, because lib.mk is able to automatically +handle both. This line: + + binderfs_test: binderfs_test.c + +...causes Make's implicit rules to run, which builds binderfs_test +without ever looking at lib.mk. + +Fix this by simply deleting the "binderfs_test:" Makefile target and +letting lib.mk handle it instead. + +[1] https://lore.kernel.org/all/20240329-selftests-libmk-llvm-rfc-v1-1-2f9ed7d1c49f@valentinobst.de/ + +Fixes: 6e29225af902 ("binderfs: port tests to test harness infrastructure") +Cc: Christian Brauner +Signed-off-by: John Hubbard +Reviewed-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/filesystems/binderfs/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/testing/selftests/filesystems/binderfs/Makefile b/tools/testing/selftests/filesystems/binderfs/Makefile +index c2f7cef919c04..eb4c3b4119348 100644 +--- a/tools/testing/selftests/filesystems/binderfs/Makefile ++++ b/tools/testing/selftests/filesystems/binderfs/Makefile +@@ -3,6 +3,4 @@ + CFLAGS += $(KHDR_INCLUDES) -pthread + TEST_GEN_PROGS := binderfs_test + +-binderfs_test: binderfs_test.c ../../kselftest.h ../../kselftest_harness.h +- + include ../../lib.mk +-- +2.43.0 + diff --git a/queue-6.9/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch b/queue-6.9/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch new file mode 100644 index 00000000000..c40f4e7bf0b --- /dev/null +++ b/queue-6.9/selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch @@ -0,0 +1,40 @@ +From 73df180fc6b61e7abd4237893a1b07ba7743ec5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 18:35:27 +0800 +Subject: selftests/bpf: Fix a fd leak in error paths in open_netns + +From: Geliang Tang + +[ Upstream commit 151f7442436658ee84076681d8f52e987fe147ea ] + +As Martin mentioned in review comment, there is an existing bug that +orig_netns_fd will be leaked in the later "goto fail;" case after +open("/proc/self/ns/net") in open_netns() in network_helpers.c. This +patch adds "close(token->orig_netns_fd);" before "free(token);" to +fix it. + +Fixes: a30338840fa5 ("selftests/bpf: Move open_netns() and close_netns() into network_helpers.c") +Signed-off-by: Geliang Tang +Link: https://lore.kernel.org/r/a104040b47c3c34c67f3f125cdfdde244a870d3c.1713868264.git.tanggeliang@kylinos.cn +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/network_helpers.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c +index 6db27a9088e97..be96bf022316f 100644 +--- a/tools/testing/selftests/bpf/network_helpers.c ++++ b/tools/testing/selftests/bpf/network_helpers.c +@@ -461,6 +461,8 @@ struct nstoken *open_netns(const char *name) + + return token; + fail: ++ if (token->orig_netns_fd != -1) ++ close(token->orig_netns_fd); + free(token); + return NULL; + } +-- +2.43.0 + diff --git a/queue-6.9/selftests-bpf-fix-pointer-arithmetic-in-test_xdp_do_.patch b/queue-6.9/selftests-bpf-fix-pointer-arithmetic-in-test_xdp_do_.patch new file mode 100644 index 00000000000..4fa12492955 --- /dev/null +++ b/queue-6.9/selftests-bpf-fix-pointer-arithmetic-in-test_xdp_do_.patch @@ -0,0 +1,62 @@ +From 6619cbba39b953f3ad929287b980a59a959980f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 16:50:22 +0200 +Subject: selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Schmidt + +[ Upstream commit e549b39a0ab8880d7ae6c6495b00fc1cb8f36174 ] + +Cast operation has a higher precedence than addition. The code here +wants to zero the 2nd half of the 64-bit metadata, but due to a pointer +arithmetic mistake, it writes the zero at offset 16 instead. + +Just adding parentheses around "data + 4" would fix this, but I think +this will be slightly better readable with array syntax. + +I was unable to test this with tools/testing/selftests/bpf/vmtest.sh, +because my glibc is newer than glibc in the provided VM image. +So I just checked the difference in the compiled code. +objdump -S tools/testing/selftests/bpf/xdp_do_redirect.test.o: + - *((__u32 *)data) = 0x42; /* metadata test value */ + + ((__u32 *)data)[0] = 0x42; /* metadata test value */ + be7: 48 8d 85 30 fc ff ff lea -0x3d0(%rbp),%rax + bee: c7 00 42 00 00 00 movl $0x42,(%rax) + - *((__u32 *)data + 4) = 0; + + ((__u32 *)data)[1] = 0; + bf4: 48 8d 85 30 fc ff ff lea -0x3d0(%rbp),%rax + - bfb: 48 83 c0 10 add $0x10,%rax + + bfb: 48 83 c0 04 add $0x4,%rax + bff: c7 00 00 00 00 00 movl $0x0,(%rax) + +Fixes: 5640b6d89434 ("selftests/bpf: fix "metadata marker" getting overwritten by the netstack") +Signed-off-by: Michal Schmidt +Signed-off-by: Andrii Nakryiko +Reviewed-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/20240506145023.214248-1-mschmidt@redhat.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c +index 498d3bdaa4b0b..bad0ea167be70 100644 +--- a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c +@@ -107,8 +107,8 @@ void test_xdp_do_redirect(void) + .attach_point = BPF_TC_INGRESS); + + memcpy(&data[sizeof(__u64)], &pkt_udp, sizeof(pkt_udp)); +- *((__u32 *)data) = 0x42; /* metadata test value */ +- *((__u32 *)data + 4) = 0; ++ ((__u32 *)data)[0] = 0x42; /* metadata test value */ ++ ((__u32 *)data)[1] = 0; + + skel = test_xdp_do_redirect__open(); + if (!ASSERT_OK_PTR(skel, "skel")) +-- +2.43.0 + diff --git a/queue-6.9/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch b/queue-6.9/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch new file mode 100644 index 00000000000..add4297828c --- /dev/null +++ b/queue-6.9/selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch @@ -0,0 +1,43 @@ +From 3e532cda049bdce7d3e3e8078e2de809258a8999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:18:40 +0800 +Subject: selftests/bpf: Fix umount cgroup2 error in test_sockmap + +From: Geliang Tang + +[ Upstream commit d75142dbeb2bd1587b9cc19f841578f541275a64 ] + +This patch fixes the following "umount cgroup2" error in test_sockmap.c: + + (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2 + +Cgroup fd cg_fd should be closed before cleanup_cgroup_environment(). + +Fixes: 13a5f3ffd202 ("bpf: Selftests, sockmap test prog run without setting cgroup") +Signed-off-by: Geliang Tang +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/0399983bde729708773416b8488bac2cd5e022b8.1712639568.git.tanggeliang@kylinos.cn +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_sockmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c +index 024a0faafb3be..43612de44fbf5 100644 +--- a/tools/testing/selftests/bpf/test_sockmap.c ++++ b/tools/testing/selftests/bpf/test_sockmap.c +@@ -2104,9 +2104,9 @@ int main(int argc, char **argv) + free(options.whitelist); + if (options.blacklist) + free(options.blacklist); ++ close(cg_fd); + if (cg_created) + cleanup_cgroup_environment(); +- close(cg_fd); + return err; + } + +-- +2.43.0 + diff --git a/queue-6.9/selftests-bpf-run-cgroup1_hierarchy-test-in-own-moun.patch b/queue-6.9/selftests-bpf-run-cgroup1_hierarchy-test-in-own-moun.patch new file mode 100644 index 00000000000..587b4f3e582 --- /dev/null +++ b/queue-6.9/selftests-bpf-run-cgroup1_hierarchy-test-in-own-moun.patch @@ -0,0 +1,92 @@ +From 7799d4d1fc7731e28c74cc40c90a21fa4afa4726 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 13:23:11 +0200 +Subject: selftests/bpf: Run cgroup1_hierarchy test in own mount namespace + +From: Viktor Malik + +[ Upstream commit 19468ed51488dae19254e8a67c75d583b05fa5e3 ] + +The cgroup1_hierarchy test uses setup_classid_environment to setup +cgroupv1 environment. The problem is that the environment is set in +/sys/fs/cgroup and therefore, if not run under an own mount namespace, +effectively deletes all system cgroups: + + $ ls /sys/fs/cgroup | wc -l + 27 + $ sudo ./test_progs -t cgroup1_hierarchy + #41/1 cgroup1_hierarchy/test_cgroup1_hierarchy:OK + #41/2 cgroup1_hierarchy/test_root_cgid:OK + #41/3 cgroup1_hierarchy/test_invalid_level:OK + #41/4 cgroup1_hierarchy/test_invalid_cgid:OK + #41/5 cgroup1_hierarchy/test_invalid_hid:OK + #41/6 cgroup1_hierarchy/test_invalid_cgrp_name:OK + #41/7 cgroup1_hierarchy/test_invalid_cgrp_name2:OK + #41/8 cgroup1_hierarchy/test_sleepable_prog:OK + #41 cgroup1_hierarchy:OK + Summary: 1/8 PASSED, 0 SKIPPED, 0 FAILED + $ ls /sys/fs/cgroup | wc -l + 1 + +To avoid this, run setup_cgroup_environment first which will create an +own mount namespace. This only affects the cgroupv1_hierarchy test as +all other cgroup1 test progs already run setup_cgroup_environment prior +to running setup_classid_environment. + +Also add a comment to the header of setup_classid_environment to warn +against this invalid usage in future. + +Fixes: 360769233cc9 ("selftests/bpf: Add selftests for cgroup1 hierarchy") +Signed-off-by: Viktor Malik +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240429112311.402497-1-vmalik@redhat.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/cgroup_helpers.c | 3 +++ + tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c | 7 ++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/cgroup_helpers.c b/tools/testing/selftests/bpf/cgroup_helpers.c +index 19be9c63d5e84..e812876d79c7e 100644 +--- a/tools/testing/selftests/bpf/cgroup_helpers.c ++++ b/tools/testing/selftests/bpf/cgroup_helpers.c +@@ -508,6 +508,9 @@ int cgroup_setup_and_join(const char *path) { + /** + * setup_classid_environment() - Setup the cgroupv1 net_cls environment + * ++ * This function should only be called in a custom mount namespace, e.g. ++ * created by running setup_cgroup_environment. ++ * + * After calling this function, cleanup_classid_environment should be called + * once testing is complete. + * +diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c b/tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c +index 74d6d7546f40f..25332e596750f 100644 +--- a/tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c ++++ b/tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c +@@ -87,9 +87,12 @@ void test_cgroup1_hierarchy(void) + goto destroy; + + /* Setup cgroup1 hierarchy */ ++ err = setup_cgroup_environment(); ++ if (!ASSERT_OK(err, "setup_cgroup_environment")) ++ goto destroy; + err = setup_classid_environment(); + if (!ASSERT_OK(err, "setup_classid_environment")) +- goto destroy; ++ goto cleanup_cgroup; + + err = join_classid(); + if (!ASSERT_OK(err, "join_cgroup1")) +@@ -153,6 +156,8 @@ void test_cgroup1_hierarchy(void) + + cleanup: + cleanup_classid_environment(); ++cleanup_cgroup: ++ cleanup_cgroup_environment(); + destroy: + test_cgroup1_hierarchy__destroy(skel); + } +-- +2.43.0 + diff --git a/queue-6.9/selftests-cgroup-skip-test_cgcore_lesser_ns_open-whe.patch b/queue-6.9/selftests-cgroup-skip-test_cgcore_lesser_ns_open-whe.patch new file mode 100644 index 00000000000..a35c02677e2 --- /dev/null +++ b/queue-6.9/selftests-cgroup-skip-test_cgcore_lesser_ns_open-whe.patch @@ -0,0 +1,221 @@ +From 60b1bd544d743dd8bd1d40b50e55b50da7dcb5cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 10:44:37 +0800 +Subject: selftests: cgroup: skip test_cgcore_lesser_ns_open when cgroup2 + mounted without nsdelegate + +From: Tianchen Ding + +[ Upstream commit 4793cb599b1bdc3d356f0374c2c99ffe890ae876 ] + +The test case test_cgcore_lesser_ns_open only tasks effect when cgroup2 +is mounted with "nsdelegate" mount option. If it misses this option, or +is remounted without "nsdelegate", the test case will fail. For example, +running bpf/test_cgroup_storage first, and then run cgroup/test_core will +fail on test_cgcore_lesser_ns_open. Skip it if "nsdelegate" is not +detected in cgroup2 mount options. + +Fixes: bf35a7879f1d ("selftests: cgroup: Test open-time cgroup namespace usage for migration checks") +Signed-off-by: Tianchen Ding +Reviewed-by: Muhammad Usama Anjum +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/cgroup/cgroup_util.c | 8 +++++--- + tools/testing/selftests/cgroup/cgroup_util.h | 2 +- + tools/testing/selftests/cgroup/test_core.c | 7 ++++++- + tools/testing/selftests/cgroup/test_cpu.c | 2 +- + tools/testing/selftests/cgroup/test_cpuset.c | 2 +- + tools/testing/selftests/cgroup/test_freezer.c | 2 +- + tools/testing/selftests/cgroup/test_hugetlb_memcg.c | 2 +- + tools/testing/selftests/cgroup/test_kill.c | 2 +- + tools/testing/selftests/cgroup/test_kmem.c | 2 +- + tools/testing/selftests/cgroup/test_memcontrol.c | 2 +- + tools/testing/selftests/cgroup/test_zswap.c | 2 +- + 11 files changed, 20 insertions(+), 13 deletions(-) + +diff --git a/tools/testing/selftests/cgroup/cgroup_util.c b/tools/testing/selftests/cgroup/cgroup_util.c +index 0340d4ca8f51c..432db923bced0 100644 +--- a/tools/testing/selftests/cgroup/cgroup_util.c ++++ b/tools/testing/selftests/cgroup/cgroup_util.c +@@ -195,10 +195,10 @@ int cg_write_numeric(const char *cgroup, const char *control, long value) + return cg_write(cgroup, control, buf); + } + +-int cg_find_unified_root(char *root, size_t len) ++int cg_find_unified_root(char *root, size_t len, bool *nsdelegate) + { + char buf[10 * PAGE_SIZE]; +- char *fs, *mount, *type; ++ char *fs, *mount, *type, *options; + const char delim[] = "\n\t "; + + if (read_text("/proc/self/mounts", buf, sizeof(buf)) <= 0) +@@ -211,12 +211,14 @@ int cg_find_unified_root(char *root, size_t len) + for (fs = strtok(buf, delim); fs; fs = strtok(NULL, delim)) { + mount = strtok(NULL, delim); + type = strtok(NULL, delim); +- strtok(NULL, delim); ++ options = strtok(NULL, delim); + strtok(NULL, delim); + strtok(NULL, delim); + + if (strcmp(type, "cgroup2") == 0) { + strncpy(root, mount, len); ++ if (nsdelegate) ++ *nsdelegate = !!strstr(options, "nsdelegate"); + return 0; + } + } +diff --git a/tools/testing/selftests/cgroup/cgroup_util.h b/tools/testing/selftests/cgroup/cgroup_util.h +index 1df7f202214af..89e8519fb2719 100644 +--- a/tools/testing/selftests/cgroup/cgroup_util.h ++++ b/tools/testing/selftests/cgroup/cgroup_util.h +@@ -21,7 +21,7 @@ static inline int values_close(long a, long b, int err) + return abs(a - b) <= (a + b) / 100 * err; + } + +-extern int cg_find_unified_root(char *root, size_t len); ++extern int cg_find_unified_root(char *root, size_t len, bool *nsdelegate); + extern char *cg_name(const char *root, const char *name); + extern char *cg_name_indexed(const char *root, const char *name, int index); + extern char *cg_control(const char *cgroup, const char *control); +diff --git a/tools/testing/selftests/cgroup/test_core.c b/tools/testing/selftests/cgroup/test_core.c +index 80aa6b2373b96..a5672a91d273c 100644 +--- a/tools/testing/selftests/cgroup/test_core.c ++++ b/tools/testing/selftests/cgroup/test_core.c +@@ -18,6 +18,8 @@ + #include "../kselftest.h" + #include "cgroup_util.h" + ++static bool nsdelegate; ++ + static int touch_anon(char *buf, size_t size) + { + int fd; +@@ -775,6 +777,9 @@ static int test_cgcore_lesser_ns_open(const char *root) + pid_t pid; + int status; + ++ if (!nsdelegate) ++ return KSFT_SKIP; ++ + cg_test_a = cg_name(root, "cg_test_a"); + cg_test_b = cg_name(root, "cg_test_b"); + +@@ -862,7 +867,7 @@ int main(int argc, char *argv[]) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), &nsdelegate)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + if (cg_read_strstr(root, "cgroup.subtree_control", "memory")) +diff --git a/tools/testing/selftests/cgroup/test_cpu.c b/tools/testing/selftests/cgroup/test_cpu.c +index 24020a2c68dcd..186bf96f6a284 100644 +--- a/tools/testing/selftests/cgroup/test_cpu.c ++++ b/tools/testing/selftests/cgroup/test_cpu.c +@@ -700,7 +700,7 @@ int main(int argc, char *argv[]) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + if (cg_read_strstr(root, "cgroup.subtree_control", "cpu")) +diff --git a/tools/testing/selftests/cgroup/test_cpuset.c b/tools/testing/selftests/cgroup/test_cpuset.c +index b061ed1e05b4d..4034d14ba69ac 100644 +--- a/tools/testing/selftests/cgroup/test_cpuset.c ++++ b/tools/testing/selftests/cgroup/test_cpuset.c +@@ -249,7 +249,7 @@ int main(int argc, char *argv[]) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + if (cg_read_strstr(root, "cgroup.subtree_control", "cpuset")) +diff --git a/tools/testing/selftests/cgroup/test_freezer.c b/tools/testing/selftests/cgroup/test_freezer.c +index 8845353aca53b..8730645d363a7 100644 +--- a/tools/testing/selftests/cgroup/test_freezer.c ++++ b/tools/testing/selftests/cgroup/test_freezer.c +@@ -827,7 +827,7 @@ int main(int argc, char *argv[]) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + for (i = 0; i < ARRAY_SIZE(tests); i++) { + switch (tests[i].fn(root)) { +diff --git a/tools/testing/selftests/cgroup/test_hugetlb_memcg.c b/tools/testing/selftests/cgroup/test_hugetlb_memcg.c +index f0fefeb4cc24c..856f9508ea562 100644 +--- a/tools/testing/selftests/cgroup/test_hugetlb_memcg.c ++++ b/tools/testing/selftests/cgroup/test_hugetlb_memcg.c +@@ -214,7 +214,7 @@ int main(int argc, char **argv) + return ret; + } + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + switch (test_hugetlb_memcg(root)) { +diff --git a/tools/testing/selftests/cgroup/test_kill.c b/tools/testing/selftests/cgroup/test_kill.c +index 6153690319c9c..0e5bb6c7307a5 100644 +--- a/tools/testing/selftests/cgroup/test_kill.c ++++ b/tools/testing/selftests/cgroup/test_kill.c +@@ -276,7 +276,7 @@ int main(int argc, char *argv[]) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + for (i = 0; i < ARRAY_SIZE(tests); i++) { + switch (tests[i].fn(root)) { +diff --git a/tools/testing/selftests/cgroup/test_kmem.c b/tools/testing/selftests/cgroup/test_kmem.c +index c82f974b85c94..137506db03127 100644 +--- a/tools/testing/selftests/cgroup/test_kmem.c ++++ b/tools/testing/selftests/cgroup/test_kmem.c +@@ -420,7 +420,7 @@ int main(int argc, char **argv) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + /* +diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c +index c7c9572003a8c..b462416b38061 100644 +--- a/tools/testing/selftests/cgroup/test_memcontrol.c ++++ b/tools/testing/selftests/cgroup/test_memcontrol.c +@@ -1314,7 +1314,7 @@ int main(int argc, char **argv) + char root[PATH_MAX]; + int i, proc_status, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + /* +diff --git a/tools/testing/selftests/cgroup/test_zswap.c b/tools/testing/selftests/cgroup/test_zswap.c +index f0e488ed90d89..ef7f395453173 100644 +--- a/tools/testing/selftests/cgroup/test_zswap.c ++++ b/tools/testing/selftests/cgroup/test_zswap.c +@@ -440,7 +440,7 @@ int main(int argc, char **argv) + char root[PATH_MAX]; + int i, ret = EXIT_SUCCESS; + +- if (cg_find_unified_root(root, sizeof(root))) ++ if (cg_find_unified_root(root, sizeof(root), NULL)) + ksft_exit_skip("cgroup v2 isn't mounted\n"); + + if (!zswap_configured()) +-- +2.43.0 + diff --git a/queue-6.9/selftests-compile-kselftest-headers-with-d_gnu_sourc.patch b/queue-6.9/selftests-compile-kselftest-headers-with-d_gnu_sourc.patch new file mode 100644 index 00000000000..3fe24a425d8 --- /dev/null +++ b/queue-6.9/selftests-compile-kselftest-headers-with-d_gnu_sourc.patch @@ -0,0 +1,82 @@ +From e5999fc65e6c67fb235be1e285467bb2d4b3bbd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 21:38:26 +0000 +Subject: selftests: Compile kselftest headers with -D_GNU_SOURCE + +From: Edward Liaw + +[ Upstream commit daef47b89efd0b745e8478d69a3ad724bd8b4dc6 ] + +Add the -D_GNU_SOURCE flag to KHDR_INCLUDES so that it is defined in a +central location. + +Commit 809216233555 ("selftests/harness: remove use of LINE_MAX") +introduced asprintf into kselftest_harness.h, which is a GNU extension +and needs _GNU_SOURCE to either be defined prior to including headers or +with the -D_GNU_SOURCE flag passed to the compiler. + +Fixed up commit log: +Shuah Khan + +Fixes: 809216233555 ("selftests/harness: remove use of LINE_MAX") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202404301040.3bea5782-oliver.sang@intel.com +Signed-off-by: Edward Liaw +Reviewed-by: Muhammad Usama Anjum +Reviewed-by: Mark Brown +Reviewed-by: John Hubbard +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 4 ++-- + tools/testing/selftests/kselftest_harness.h | 2 +- + tools/testing/selftests/lib.mk | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index e1504833654db..ed012a7f07865 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -161,11 +161,11 @@ ifneq ($(KBUILD_OUTPUT),) + # $(realpath ...) resolves symlinks + abs_objtree := $(realpath $(abs_objtree)) + BUILD := $(abs_objtree)/kselftest +- KHDR_INCLUDES := -isystem ${abs_objtree}/usr/include ++ KHDR_INCLUDES := -D_GNU_SOURCE -isystem ${abs_objtree}/usr/include + else + BUILD := $(CURDIR) + abs_srctree := $(shell cd $(top_srcdir) && pwd) +- KHDR_INCLUDES := -isystem ${abs_srctree}/usr/include ++ KHDR_INCLUDES := -D_GNU_SOURCE -isystem ${abs_srctree}/usr/include + DEFAULT_INSTALL_HDR_PATH := 1 + endif + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 3c8f2965c2850..37b03f1b8741d 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -51,7 +51,7 @@ + #define __KSELFTEST_HARNESS_H + + #ifndef _GNU_SOURCE +-#define _GNU_SOURCE ++static_assert(0, "kselftest harness requires _GNU_SOURCE to be defined"); + #endif + #include + #include +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index 8ae203d8ed7fa..7fa4a96e26ed6 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -53,7 +53,7 @@ selfdir = $(realpath $(dir $(filter %/lib.mk,$(MAKEFILE_LIST)))) + top_srcdir = $(selfdir)/../../.. + + ifeq ($(KHDR_INCLUDES),) +-KHDR_INCLUDES := -isystem $(top_srcdir)/usr/include ++KHDR_INCLUDES := -D_GNU_SOURCE -isystem $(top_srcdir)/usr/include + endif + + # The following are built by lib.mk common compile rules. +-- +2.43.0 + diff --git a/queue-6.9/selftests-damon-_damon_sysfs-check-errors-from-nr_sc.patch b/queue-6.9/selftests-damon-_damon_sysfs-check-errors-from-nr_sc.patch new file mode 100644 index 00000000000..7dff9cbbcbc --- /dev/null +++ b/queue-6.9/selftests-damon-_damon_sysfs-check-errors-from-nr_sc.patch @@ -0,0 +1,39 @@ +From 35144c0feb503131a1b5d6675170a2c9651e8fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 11:03:10 -0700 +Subject: selftests/damon/_damon_sysfs: check errors from nr_schemes file reads + +From: SeongJae Park + +[ Upstream commit 732b8815c079199d29b0426d9372bb098c63cdc7 ] + +DAMON context staging method in _damon_sysfs.py is not checking the +returned error from nr_schemes file read. Check it. + +Link: https://lkml.kernel.org/r/20240503180318.72798-3-sj@kernel.org +Fixes: f5f0e5a2bef9 ("selftests/damon/_damon_sysfs: implement kdamonds start function") +Signed-off-by: SeongJae Park +Cc: Jonathan Corbet +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/damon/_damon_sysfs.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/damon/_damon_sysfs.py b/tools/testing/selftests/damon/_damon_sysfs.py +index d23d7398a27a8..fe77d7e73a25b 100644 +--- a/tools/testing/selftests/damon/_damon_sysfs.py ++++ b/tools/testing/selftests/damon/_damon_sysfs.py +@@ -287,6 +287,8 @@ class DamonCtx: + nr_schemes_file = os.path.join( + self.sysfs_dir(), 'schemes', 'nr_schemes') + content, err = read_file(nr_schemes_file) ++ if err is not None: ++ return err + if int(content) != len(self.schemes): + err = write_file(nr_schemes_file, '%d' % len(self.schemes)) + if err != None: +-- +2.43.0 + diff --git a/queue-6.9/selftests-default-to-host-arch-for-llvm-builds.patch b/queue-6.9/selftests-default-to-host-arch-for-llvm-builds.patch new file mode 100644 index 00000000000..25d507d3c91 --- /dev/null +++ b/queue-6.9/selftests-default-to-host-arch-for-llvm-builds.patch @@ -0,0 +1,85 @@ +From 88fbcd62dde816e2862e5481074d2dcf2025e480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 11:49:43 +0100 +Subject: selftests: default to host arch for LLVM builds + +From: Valentin Obst + +[ Upstream commit d4e6fbd245c48b272cc591d1c5e7c07aedd7f071 ] + +Align the behavior for gcc and clang builds by interpreting unset +`ARCH` and `CROSS_COMPILE` variables in `LLVM` builds as a sign that the +user wants to build for the host architecture. + +This patch preserves the properties that setting the `ARCH` variable to an +unknown value will trigger an error that complains about insufficient +information, and that a set `CROSS_COMPILE` variable will override the +target triple that is determined based on presence/absence of `ARCH`. + +When compiling with clang, i.e., `LLVM` is set, an unset `ARCH` variable in +combination with an unset `CROSS_COMPILE` variable, i.e., compiling for +the host architecture, leads to compilation failures since `lib.mk` can +not determine the clang target triple. In this case, the following error +message is displayed for each subsystem that does not set `ARCH` in its +own Makefile before including `lib.mk` (lines wrapped at 75 chrs): + + make[1]: Entering directory '/mnt/build/linux/tools/testing/selftests/ + sysctl' + ../lib.mk:33: *** Specify CROSS_COMPILE or add '--target=' option to + lib.mk. Stop. + make[1]: Leaving directory '/mnt/build/linux/tools/testing/selftests/ + sysctl' + +In the same scenario a gcc build would default to the host architecture, +i.e., it would use plain `gcc`. + +Fixes: 795285ef2425 ("selftests: Fix clang cross compilation") +Reviewed-by: Mark Brown +Signed-off-by: Valentin Obst +Reviewed-by: John Hubbard +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index da2cade3bab0e..8ae203d8ed7fa 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -7,6 +7,8 @@ else ifneq ($(filter -%,$(LLVM)),) + LLVM_SUFFIX := $(LLVM) + endif + ++CLANG := $(LLVM_PREFIX)clang$(LLVM_SUFFIX) ++ + CLANG_TARGET_FLAGS_arm := arm-linux-gnueabi + CLANG_TARGET_FLAGS_arm64 := aarch64-linux-gnu + CLANG_TARGET_FLAGS_hexagon := hexagon-linux-musl +@@ -18,7 +20,13 @@ CLANG_TARGET_FLAGS_riscv := riscv64-linux-gnu + CLANG_TARGET_FLAGS_s390 := s390x-linux-gnu + CLANG_TARGET_FLAGS_x86 := x86_64-linux-gnu + CLANG_TARGET_FLAGS_x86_64 := x86_64-linux-gnu +-CLANG_TARGET_FLAGS := $(CLANG_TARGET_FLAGS_$(ARCH)) ++ ++# Default to host architecture if ARCH is not explicitly given. ++ifeq ($(ARCH),) ++CLANG_TARGET_FLAGS := $(shell $(CLANG) -print-target-triple) ++else ++CLANG_TARGET_FLAGS := $(CLANG_TARGET_FLAGS_$(ARCH)) ++endif + + ifeq ($(CROSS_COMPILE),) + ifeq ($(CLANG_TARGET_FLAGS),) +@@ -30,7 +38,7 @@ else + CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) + endif # CROSS_COMPILE + +-CC := $(LLVM_PREFIX)clang$(LLVM_SUFFIX) $(CLANG_FLAGS) -fintegrated-as ++CC := $(CLANG) $(CLANG_FLAGS) -fintegrated-as + else + CC := $(CROSS_COMPILE)gcc + endif # LLVM +-- +2.43.0 + diff --git a/queue-6.9/selftests-kcmp-remove-unused-open-mode.patch b/queue-6.9/selftests-kcmp-remove-unused-open-mode.patch new file mode 100644 index 00000000000..d667601bd45 --- /dev/null +++ b/queue-6.9/selftests-kcmp-remove-unused-open-mode.patch @@ -0,0 +1,42 @@ +From 4f464f1e857c813b988dd1ef799bef3d5af4a32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 23:46:09 +0000 +Subject: selftests/kcmp: remove unused open mode + +From: Edward Liaw + +[ Upstream commit eb59a58113717df04b8a8229befd8ab1e5dbf86e ] + +Android bionic warns that open modes are ignored if O_CREAT or O_TMPFILE +aren't specified. The permissions for the file are set above: + + fd1 = open(kpath, O_RDWR | O_CREAT | O_TRUNC, 0644); + +Link: https://lkml.kernel.org/r/20240429234610.191144-1-edliaw@google.com +Fixes: d97b46a64674 ("syscalls, x86: add __NR_kcmp syscall") +Signed-off-by: Edward Liaw +Reviewed-by: Cyrill Gorcunov +Cc: Eric Biederman +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kcmp/kcmp_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c +index 25110c7c0b3ed..d7a8e321bb16b 100644 +--- a/tools/testing/selftests/kcmp/kcmp_test.c ++++ b/tools/testing/selftests/kcmp/kcmp_test.c +@@ -91,7 +91,7 @@ int main(int argc, char **argv) + ksft_print_header(); + ksft_set_plan(3); + +- fd2 = open(kpath, O_RDWR, 0644); ++ fd2 = open(kpath, O_RDWR); + if (fd2 < 0) { + perror("Can't open file"); + ksft_exit_fail(); +-- +2.43.0 + diff --git a/queue-6.9/selftests-ktap_helpers-make-it-posix-compliant.patch b/queue-6.9/selftests-ktap_helpers-make-it-posix-compliant.patch new file mode 100644 index 00000000000..157bd87deea --- /dev/null +++ b/queue-6.9/selftests-ktap_helpers-make-it-posix-compliant.patch @@ -0,0 +1,53 @@ +From 28b99a6acdb90c9f63becd34ea9c6cb8d653240e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:32:15 -0400 +Subject: selftests: ktap_helpers: Make it POSIX-compliant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 45d5a2b1886a3ff0fe5627ebee84c089db7ff5f2 ] + +There are a couple uses of bash specific syntax in the script. Change +them to the equivalent POSIX syntax. This doesn't change functionality +and allows non-bash test scripts to make use of these helpers. + +Reported-by: Mike Looijmans +Closes: https://lore.kernel.org/all/efae4037-c22a-40be-8ba9-7c1c12ece042@topic.nl/ +Fixes: 2dd0b5a8fcc4 ("selftests: ktap_helpers: Add a helper to finish the test") +Fixes: 14571ab1ad21 ("kselftest: Add new test for detecting unprobed Devicetree devices") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Muhammad Usama Anjum +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest/ktap_helpers.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/kselftest/ktap_helpers.sh b/tools/testing/selftests/kselftest/ktap_helpers.sh +index f2fbb914e058d..79a125eb24c2e 100644 +--- a/tools/testing/selftests/kselftest/ktap_helpers.sh ++++ b/tools/testing/selftests/kselftest/ktap_helpers.sh +@@ -43,7 +43,7 @@ __ktap_test() { + directive="$3" # optional + + local directive_str= +- [[ ! -z "$directive" ]] && directive_str="# $directive" ++ [ ! -z "$directive" ] && directive_str="# $directive" + + echo $result $KTAP_TESTNO $description $directive_str + +@@ -99,7 +99,7 @@ ktap_exit_fail_msg() { + ktap_finished() { + ktap_print_totals + +- if [ $(("$KTAP_CNT_PASS" + "$KTAP_CNT_SKIP")) -eq "$KSFT_NUM_TESTS" ]; then ++ if [ $((KTAP_CNT_PASS + KTAP_CNT_SKIP)) -eq "$KSFT_NUM_TESTS" ]; then + exit "$KSFT_PASS" + else + exit "$KSFT_FAIL" +-- +2.43.0 + diff --git a/queue-6.9/selftests-net-add-missing-config-for-amt.sh.patch b/queue-6.9/selftests-net-add-missing-config-for-amt.sh.patch new file mode 100644 index 00000000000..c6250dc0d6b --- /dev/null +++ b/queue-6.9/selftests-net-add-missing-config-for-amt.sh.patch @@ -0,0 +1,35 @@ +From af06d5bd400682bb214d5adaab6d7ffb91a0894c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:19:19 -0700 +Subject: selftests: net: add missing config for amt.sh + +From: Jakub Kicinski + +[ Upstream commit c499fe96d3f75a5cf50de6089dd8f1cddd1301a9 ] + +Test needs IPv6 multicast. smcroute currently crashes when trying +to install a route in a kernel without IPv6 multicast. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Link: https://lore.kernel.org/r/20240509161919.3939966-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/config | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config +index 5e4390cac17ed..04de7a6ba6f31 100644 +--- a/tools/testing/selftests/net/config ++++ b/tools/testing/selftests/net/config +@@ -30,6 +30,7 @@ CONFIG_IP_GRE=m + CONFIG_NETFILTER=y + CONFIG_NETFILTER_ADVANCED=y + CONFIG_NF_CONNTRACK=m ++CONFIG_IPV6_MROUTE=y + CONFIG_IPV6_SIT=y + CONFIG_IP_DCCP=m + CONFIG_NF_NAT=m +-- +2.43.0 + diff --git a/queue-6.9/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch b/queue-6.9/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch new file mode 100644 index 00000000000..964e52e553a --- /dev/null +++ b/queue-6.9/selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch @@ -0,0 +1,82 @@ +From e02f6bee323746e460350b859062b489dd2edcd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:52:57 +0300 +Subject: selftests: net: bridge: increase IGMP/MLD exclude timeout membership + interval + +From: Nikolay Aleksandrov + +[ Upstream commit 06080ea23095afe04a2cb7a8d05fab4311782623 ] + +When running the bridge IGMP/MLD selftests on debug kernels we can get +spurious errors when setting up the IGMP/MLD exclude timeout tests +because the membership interval is just 3 seconds and the setup has 2 +seconds of sleep plus various validations, the one second that is left +is not enough. Increase the membership interval from 3 to 5 seconds to +make room for the setup validation and 2 seconds of sleep. + +Fixes: 34d7ecb3d4f7 ("selftests: net: bridge: update IGMP/MLD membership interval value") +Reported-by: Jakub Kicinski +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_igmp.sh | 6 +++--- + tools/testing/selftests/net/forwarding/bridge_mld.sh | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_igmp.sh b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +index 2aa66d2a1702b..e6a3e04fd83f3 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_igmp.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +@@ -478,10 +478,10 @@ v3exc_timeout_test() + RET=0 + local X=("192.0.2.20" "192.0.2.30") + +- # GMI should be 3 seconds ++ # GMI should be 5 seconds + ip link set dev br0 type bridge mcast_query_interval 100 \ + mcast_query_response_interval 100 \ +- mcast_membership_interval 300 ++ mcast_membership_interval 500 + + v3exclude_prepare $h1 $ALL_MAC $ALL_GROUP + ip link set dev br0 type bridge mcast_query_interval 500 \ +@@ -489,7 +489,7 @@ v3exc_timeout_test() + mcast_membership_interval 1500 + + $MZ $h1 -c 1 -b $ALL_MAC -B $ALL_GROUP -t ip "proto=2,p=$MZPKT_ALLOW2" -q +- sleep 3 ++ sleep 5 + bridge -j -d -s mdb show dev br0 \ + | jq -e ".[].mdb[] | \ + select(.grp == \"$TEST_GROUP\" and \ +diff --git a/tools/testing/selftests/net/forwarding/bridge_mld.sh b/tools/testing/selftests/net/forwarding/bridge_mld.sh +index e2b9ff773c6b6..f84ab2e657547 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_mld.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_mld.sh +@@ -478,10 +478,10 @@ mldv2exc_timeout_test() + RET=0 + local X=("2001:db8:1::20" "2001:db8:1::30") + +- # GMI should be 3 seconds ++ # GMI should be 5 seconds + ip link set dev br0 type bridge mcast_query_interval 100 \ + mcast_query_response_interval 100 \ +- mcast_membership_interval 300 ++ mcast_membership_interval 500 + + mldv2exclude_prepare $h1 + ip link set dev br0 type bridge mcast_query_interval 500 \ +@@ -489,7 +489,7 @@ mldv2exc_timeout_test() + mcast_membership_interval 1500 + + $MZ $h1 -c 1 $MZPKT_ALLOW2 -q +- sleep 3 ++ sleep 5 + bridge -j -d -s mdb show dev br0 \ + | jq -e ".[].mdb[] | \ + select(.grp == \"$TEST_GROUP\" and \ +-- +2.43.0 + diff --git a/queue-6.9/selftests-net-lib-no-need-to-record-ns-name-if-it-al.patch b/queue-6.9/selftests-net-lib-no-need-to-record-ns-name-if-it-al.patch new file mode 100644 index 00000000000..ce4d6338ab7 --- /dev/null +++ b/queue-6.9/selftests-net-lib-no-need-to-record-ns-name-if-it-al.patch @@ -0,0 +1,56 @@ +From 1590703e484a9f2c88f1c8a5e02dae7de929d8f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 May 2024 10:33:59 +0800 +Subject: selftests/net/lib: no need to record ns name if it already exist + +From: Hangbin Liu + +[ Upstream commit 83e93942796db58652288f0391ac00072401816f ] + +There is no need to add the name to ns_list again if the netns already +recoreded. + +Fixes: 25ae948b4478 ("selftests/net: add lib.sh") +Signed-off-by: Hangbin Liu +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/lib.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh +index f9fe182dfbd44..56a9454b7ba35 100644 +--- a/tools/testing/selftests/net/lib.sh ++++ b/tools/testing/selftests/net/lib.sh +@@ -73,15 +73,17 @@ setup_ns() + local ns="" + local ns_name="" + local ns_list="" ++ local ns_exist= + for ns_name in "$@"; do + # Some test may setup/remove same netns multi times + if unset ${ns_name} 2> /dev/null; then + ns="${ns_name,,}-$(mktemp -u XXXXXX)" + eval readonly ${ns_name}="$ns" ++ ns_exist=false + else + eval ns='$'${ns_name} + cleanup_ns "$ns" +- ++ ns_exist=true + fi + + if ! ip netns add "$ns"; then +@@ -90,7 +92,7 @@ setup_ns() + return $ksft_skip + fi + ip -n "$ns" link set lo up +- ns_list="$ns_list $ns" ++ ! $ns_exist && ns_list="$ns_list $ns" + done + NS_LIST="$NS_LIST $ns_list" + } +-- +2.43.0 + diff --git a/queue-6.9/selftests-net-move-amt-to-socat-for-better-compatibi.patch b/queue-6.9/selftests-net-move-amt-to-socat-for-better-compatibi.patch new file mode 100644 index 00000000000..1df5cdb6af8 --- /dev/null +++ b/queue-6.9/selftests-net-move-amt-to-socat-for-better-compatibi.patch @@ -0,0 +1,77 @@ +From 672595f04c6b428048954b83e02256d847e94994 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:19:52 -0700 +Subject: selftests: net: move amt to socat for better compatibility + +From: Jakub Kicinski + +[ Upstream commit 4c639b6a7b9db236c0907aca8e92d1537076f2cd ] + +The test seems to expect that nc will exit after the first +received message. This is not the case with Ncat 7.94. +There are multiple versions of nc out there, switch +to socat for better compatibility. + +Tell socat to exit after 128 bytes and pad the message. + +Since the test sets -e make sure we don't set exit code +(|| true) and print the pass / fail rather then silently +moving over the test and just setting non-zero exit code +with no output indicating what failed. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Acked-by: Paolo Abeni +Tested-by: Taehee Yoo +Link: https://lore.kernel.org/r/20240509161952.3940476-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index 75528788cb95e..5175a42cbe8a2 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -210,8 +210,8 @@ check_features() + + test_ipv4_forward() + { +- RESULT4=$(ip netns exec "${LISTENER}" nc -w 1 -l -u 239.0.0.1 4000) +- if [ "$RESULT4" == "172.17.0.2" ]; then ++ RESULT4=$(ip netns exec "${LISTENER}" timeout 15 socat - UDP4-LISTEN:4000,readbytes=128 || true) ++ if echo "$RESULT4" | grep -q "172.17.0.2"; then + printf "TEST: %-60s [ OK ]\n" "IPv4 amt multicast forwarding" + exit 0 + else +@@ -222,8 +222,8 @@ test_ipv4_forward() + + test_ipv6_forward() + { +- RESULT6=$(ip netns exec "${LISTENER}" nc -w 1 -l -u ff0e::5:6 6000) +- if [ "$RESULT6" == "2001:db8:3::2" ]; then ++ RESULT6=$(ip netns exec "${LISTENER}" timeout 15 socat - UDP6-LISTEN:6000,readbytes=128 || true) ++ if echo "$RESULT6" | grep -q "2001:db8:3::2"; then + printf "TEST: %-60s [ OK ]\n" "IPv6 amt multicast forwarding" + exit 0 + else +@@ -236,14 +236,14 @@ send_mcast4() + { + sleep 2 + ip netns exec "${SOURCE}" bash -c \ +- 'echo 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & ++ 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { + sleep 2 + ip netns exec "${SOURCE}" bash -c \ +- 'echo 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & ++ 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } + + check_features +-- +2.43.0 + diff --git a/queue-6.9/selftests-power_supply-make-it-posix-compliant.patch b/queue-6.9/selftests-power_supply-make-it-posix-compliant.patch new file mode 100644 index 00000000000..9122d85f2ac --- /dev/null +++ b/queue-6.9/selftests-power_supply-make-it-posix-compliant.patch @@ -0,0 +1,43 @@ +From cc7ac39a5ae4cedf802b9f2b7fb01cebcb5225d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:32:16 -0400 +Subject: selftests: power_supply: Make it POSIX-compliant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 5b1c8b1e56ff8b5e9c1a09606af3627bb55933cf ] + +There is one use of bash specific syntax in the script. Change it to the +equivalent POSIX syntax. This doesn't change functionality and allows +the test to be run on shells other than bash. + +Reported-by: Mike Looijmans +Closes: https://lore.kernel.org/all/efae4037-c22a-40be-8ba9-7c1c12ece042@topic.nl/ +Fixes: 4a679c5afca0 ("selftests: Add test to verify power supply properties") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Muhammad Usama Anjum +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/power_supply/test_power_supply_properties.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/power_supply/test_power_supply_properties.sh b/tools/testing/selftests/power_supply/test_power_supply_properties.sh +index df272dfe1d2a9..a66b1313ed882 100755 +--- a/tools/testing/selftests/power_supply/test_power_supply_properties.sh ++++ b/tools/testing/selftests/power_supply/test_power_supply_properties.sh +@@ -23,7 +23,7 @@ count_tests() { + total_tests=0 + + for i in $SUPPLIES; do +- total_tests=$(("$total_tests" + "$NUM_TESTS")) ++ total_tests=$((total_tests + NUM_TESTS)) + done + + echo "$total_tests" +-- +2.43.0 + diff --git a/queue-6.9/selftests-resctrl-fix-clang-build-failure-use-local_.patch b/queue-6.9/selftests-resctrl-fix-clang-build-failure-use-local_.patch new file mode 100644 index 00000000000..6c7a83eab63 --- /dev/null +++ b/queue-6.9/selftests-resctrl-fix-clang-build-failure-use-local_.patch @@ -0,0 +1,60 @@ +From 318ff52f36ceec28e4938ac86c1d6849c46830a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 19:17:12 -0700 +Subject: selftests/resctrl: fix clang build failure: use LOCAL_HDRS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Hubbard + +[ Upstream commit d8171aa4ca72f1a67bf3c14c59441d63c1d2585f ] + +First of all, in order to build with clang at all, one must first apply +Valentin Obst's build fix for LLVM [1]. Once that is done, then when +building with clang, via: + + make LLVM=1 -C tools/testing/selftests + +...the following error occurs: + + clang: error: cannot specify -o when generating multiple output files + +This is because clang, unlike gcc, won't accept invocations of this +form: + + clang file1.c header2.h + +Fix this by using selftests/lib.mk facilities for tracking local header +file dependencies: add them to LOCAL_HDRS, leaving only the .c files to +be passed to the compiler. + +[1] https://lore.kernel.org/all/20240329-selftests-libmk-llvm-rfc-v1-1-2f9ed7d1c49f@valentinobst.de/ + +Fixes: 8e289f454289 ("selftests/resctrl: Add resctrl.h into build deps") +Cc: Ilpo Järvinen +Signed-off-by: John Hubbard +Acked-by: Reinette Chatre +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/resctrl/Makefile b/tools/testing/selftests/resctrl/Makefile +index 2deac2031de9e..021863f86053a 100644 +--- a/tools/testing/selftests/resctrl/Makefile ++++ b/tools/testing/selftests/resctrl/Makefile +@@ -5,6 +5,8 @@ CFLAGS += $(KHDR_INCLUDES) + + TEST_GEN_PROGS := resctrl_tests + ++LOCAL_HDRS += $(wildcard *.h) ++ + include ../lib.mk + +-$(OUTPUT)/resctrl_tests: $(wildcard *.[ch]) ++$(OUTPUT)/resctrl_tests: $(wildcard *.c) +-- +2.43.0 + diff --git a/queue-6.9/selftests-sgx-include-khdr_includes-in-makefile.patch b/queue-6.9/selftests-sgx-include-khdr_includes-in-makefile.patch new file mode 100644 index 00000000000..58fc364458c --- /dev/null +++ b/queue-6.9/selftests-sgx-include-khdr_includes-in-makefile.patch @@ -0,0 +1,58 @@ +From 8f7b67cf33e5aaaa583d30e1dc04916929c744ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 21:38:27 +0000 +Subject: selftests/sgx: Include KHDR_INCLUDES in Makefile + +From: Edward Liaw + +[ Upstream commit 2c3b8f8f37c6c0c926d584cf4158db95e62b960c ] + +Add KHDR_INCLUDES to the CFLAGS to pull in the kselftest harness +dependencies (-D_GNU_SOURCE). + +Also, remove redefinitions of _GNU_SOURCE in the source code. + +Fixes: 809216233555 ("selftests/harness: remove use of LINE_MAX") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202404301040.3bea5782-oliver.sang@intel.com +Signed-off-by: Edward Liaw +Reviewed-by: Muhammad Usama Anjum +Acked-by: Dave Hansen +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Reviewed-by: John Hubbard +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/sgx/Makefile | 2 +- + tools/testing/selftests/sgx/sigstruct.c | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/sgx/Makefile b/tools/testing/selftests/sgx/Makefile +index 867f88ce2570a..26ea30fae23ca 100644 +--- a/tools/testing/selftests/sgx/Makefile ++++ b/tools/testing/selftests/sgx/Makefile +@@ -12,7 +12,7 @@ OBJCOPY := $(CROSS_COMPILE)objcopy + endif + + INCLUDES := -I$(top_srcdir)/tools/include +-HOST_CFLAGS := -Wall -Werror -g $(INCLUDES) -fPIC ++HOST_CFLAGS := -Wall -Werror $(KHDR_INCLUDES) -g $(INCLUDES) -fPIC + HOST_LDFLAGS := -z noexecstack -lcrypto + ENCL_CFLAGS += -Wall -Werror -static-pie -nostdlib -ffreestanding -fPIE \ + -fno-stack-protector -mrdrnd $(INCLUDES) +diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c +index d73b29becf5b0..200034a0fee51 100644 +--- a/tools/testing/selftests/sgx/sigstruct.c ++++ b/tools/testing/selftests/sgx/sigstruct.c +@@ -1,7 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + /* Copyright(c) 2016-20 Intel Corporation. */ + +-#define _GNU_SOURCE + #include + #include + #include +-- +2.43.0 + diff --git a/queue-6.9/series b/queue-6.9/series index 61de0aef6a0..4850bb5a26f 100644 --- a/queue-6.9/series +++ b/queue-6.9/series @@ -36,3 +36,389 @@ alsa-timer-set-lower-bound-of-start-tick-time.patch alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch keys-asymmetric-add-missing-dependency-on-crypto_sig.patch keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch +openpromfs-finish-conversion-to-the-new-mount-api.patch +crypto-bcm-fix-pointer-arithmetic.patch +firmware-qcom-qcm-fix-unused-qcom_scm_qseecom_allowl.patch +mm-slub-kunit-use-inverted-data-to-corrupt-kmem-cach.patch +firmware-raspberrypi-use-correct-device-for-dma-mapp.patch +ecryptfs-fix-buffer-size-for-tag-66-packet.patch +nilfs2-fix-out-of-range-warning.patch +parisc-add-missing-export-of-__cmpxchg_u8.patch +crypto-ccp-drop-platform-ifdef-checks.patch +crypto-x86-nh-avx2-add-missing-vzeroupper.patch +crypto-x86-sha256-avx2-add-missing-vzeroupper.patch +crypto-x86-sha512-avx2-add-missing-vzeroupper.patch +s390-cio-fix-tracepoint-subchannel-type-field.patch +io_uring-use-the-right-type-for-work_llist-empty-che.patch +rcu-tasks-fix-show_rcu_tasks_trace_gp_kthread-buffer.patch +rcu-fix-buffer-overflow-in-print_cpu_stall_info.patch +arm-configs-sunxi-enable-drm_dw_hdmi.patch +jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch +libfs-fix-simple_offset_rename_exchange.patch +libfs-add-simple_offset_rename-api.patch +shmem-fix-shmem_rename2.patch +io-wq-write-next_work-before-dropping-acct_lock.patch +mm-userfaultfd-do-not-place-zeropages-when-zeropages.patch +s390-mm-re-enable-the-shared-zeropage-for-pv-and-ske.patch +crypto-octeontx2-add-missing-check-for-dma_map_singl.patch +crypto-qat-improve-error-message-in-adf_get_arbiter_.patch +crypto-qat-improve-error-logging-to-be-consistent-ac.patch +soc-qcom-pmic_glink-don-t-traverse-clients-list-with.patch +soc-qcom-pmic_glink-notify-clients-about-the-current.patch +firmware-qcom-scm-fix-__scm-and-waitq-completion-var.patch +soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch +null_blk-fix-missing-mutex_destroy-at-module-removal.patch +crypto-qat-validate-slices-count-returned-by-fw.patch +hwrng-stm32-use-logical-or-in-conditional.patch +hwrng-stm32-put-ip-into-rpm-suspend-on-failure.patch +hwrng-stm32-repair-clock-handling.patch +kunit-fortify-fix-mismatched-kvalloc-vfree-usage.patch +s390-vmlinux.lds.s-drop-.hash-and-.gnu.hash-for-conf.patch +io_uring-net-fix-sendzc-lazy-wake-polling.patch +soc-qcom-pmic_glink-make-client-lock-non-sleeping.patch +lkdtm-disable-cfi-checking-for-perms-functions.patch +kunit-fortify-fix-replaced-failure-path-to-unbreak-_.patch +md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch +crypto-qat-specify-firmware-files-for-402xx.patch +block-refine-the-eof-check-in-blkdev_iomap_begin.patch +block-fix-and-simplify-blkdevparts-cmdline-parsing.patch +block-support-to-account-io_ticks-precisely.patch +wifi-ath10k-poll-service-ready-message-before-failin.patch +wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch +wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch +bpftool-fix-missing-pids-during-link-show.patch +libbpf-prevent-null-pointer-dereference-when-prog-to.patch +wifi-ath12k-use-correct-flag-field-for-320-mhz-chann.patch +wifi-mt76-mt7915-workaround-too-long-expansion-spars.patch +x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch +x86-fred-fix-typo-in-kconfig-description.patch +wifi-ieee80211-fix-ieee80211_mle_basic_sta_prof_size.patch +wifi-cfg80211-ignore-non-tx-bsss-in-per-sta-profile.patch +wifi-iwlwifi-mvm-do-not-warn-on-invalid-link-on-scan.patch +wifi-iwlwifi-mvm-allocate-sta-links-only-for-active-.patch +wifi-mac80211-don-t-select-link-id-if-not-provided-i.patch +wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch +wifi-iwlwifi-mvm-set-wider-bw-ofdma-ignore-correctly.patch +wifi-iwlwifi-mvm-select-sta-mask-only-for-active-lin.patch +wifi-iwlwifi-reconfigure-tlc-during-hw-restart.patch +wifi-iwlwifi-mvm-fix-check-in-iwl_mvm_sta_fw_id_mask.patch +sched-fair-add-eas-checks-before-updating-root_domai.patch +acpi-bus-indicate-support-for-_tfp-thru-_osc.patch +acpi-bus-indicate-support-for-more-than-16-p-states-.patch +acpi-bus-indicate-support-for-the-generic-event-devi.patch +acpi-fix-generic-initiator-affinity-_osc-bit.patch +acpi-bus-indicate-support-for-irq-resourcesource-thr.patch +enetc-avoid-truncating-error-message.patch +qed-avoid-truncating-work-queue-length.patch +mlx5-avoid-truncating-error-message.patch +mlx5-stop-warning-for-64kb-pages.patch +bitops-add-missing-prototype-check.patch +dlm-fix-user-space-lock-decision-to-copy-lvb.patch +wifi-carl9170-re-fix-fortified-memset-warning.patch +bpftool-mount-bpffs-on-provided-dir-instead-of-paren.patch +bpf-pack-struct-bpf_fib_lookup.patch +bpf-prevent-r10-register-from-being-marked-as-precis.patch +x86-microcode-amd-avoid-wformat-warning-with-clang-1.patch +scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch +scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch +scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch +scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch +scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch +scsi-ufs-core-perform-read-back-after-writing-utp_ta.patch +scsi-ufs-core-perform-read-back-after-disabling-inte.patch +scsi-ufs-core-perform-read-back-after-disabling-uic_.patch +acpi-lpss-advertise-number-of-chip-selects-via-prope.patch +edac-skx_common-allow-decoding-of-sgx-addresses.patch +locking-atomic-x86-correct-the-definition-of-__arch_.patch +irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch +irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch +acpi-disable-wstringop-truncation.patch +gfs2-don-t-forget-to-complete-delayed-withdraw.patch +gfs2-fix-ignore-unlock-failures-after-withdraw.patch +arm64-remove-unnecessary-irqflags-alternative.h-incl.patch +x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch +selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch +tcp-increase-the-default-tcp-scaling-ratio.patch +cpufreq-exit-callback-is-optional.patch +x86-pat-introduce-lookup_address_in_pgd_attr.patch +x86-pat-restructure-_lookup_address_cpa.patch +x86-pat-fix-w-x-violation-false-positives-when-runni.patch +udp-avoid-call-to-compute_score-on-multiple-sites.patch +openrisc-use-do_kernel_power_off.patch +openrisc-traps-don-t-send-signals-to-kernel-mode-thr.patch +cppc_cpufreq-fix-possible-null-pointer-dereference.patch +wifi-mac80211-transmit-deauth-only-if-link-is-availa.patch +wifi-iwlwifi-mvm-introduce-esr_disable_reason.patch +wifi-iwlwifi-mvm-calculate-emlsr-mode-after-connecti.patch +wifi-iwlwifi-mvm-don-t-always-disable-emlsr-due-to-b.patch +wifi-iwlwifi-mvm-init-vif-works-only-once.patch +scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch +scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch +x86-purgatory-switch-to-the-position-independent-sma.patch +wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch +thermal-drivers-mediatek-lvts_thermal-add-coeff-for-.patch +thermal-drivers-tsens-fix-null-pointer-dereference.patch +dt-bindings-thermal-loongson-ls2k-thermal-add-loongs.patch +dt-bindings-thermal-loongson-ls2k-thermal-fix-incorr.patch +wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch +gfs2-remove-ill-placed-consistency-check.patch +gfs2-fix-potential-glock-use-after-free-on-unmount.patch +gfs2-finish_xmote-cleanup.patch +gfs2-do_xmote-fixes.patch +thermal-debugfs-avoid-excessive-updates-of-trip-poin.patch +selftests-bpf-fix-a-fd-leak-in-error-paths-in-open_n.patch +scsi-ufs-core-mcq-fix-ufshcd_mcq_sqe_search.patch +cpufreq-brcmstb-avs-cpufreq-iso-c90-forbids-mixed-de.patch +wifi-ath10k-populate-board-data-for-wcn3990.patch +net-dsa-mv88e6xxx-add-support-for-model-specific-pre.patch +net-dsa-mv88e6xxx-avoid-eeprom-timeout-without-eepro.patch +tcp-avoid-premature-drops-in-tcp_add_backlog.patch +thermal-debugfs-create-records-for-cdev-states-as-th.patch +thermal-debugfs-pass-cooling-device-state-to-thermal.patch +pwm-sti-simplify-probe-function-using-devm-functions.patch +drivers-perf-hisi_pcie-fix-out-of-bound-access-when-.patch +drivers-perf-hisi-hns3-fix-out-of-bound-access-when-.patch +drivers-perf-hisi-hns3-actually-use-devm_add_action_.patch +net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch +macintosh-via-macii-fix-bug-sleeping-function-called.patch +wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch +bpf-fix-verifier-assumptions-about-socket-sk.patch +selftests-bpf-run-cgroup1_hierarchy-test-in-own-moun.patch +wifi-ar5523-enable-proper-endpoint-verification.patch +pwm-meson-add-check-for-error-from-clk_round_rate.patch +pwm-meson-use-mul_u64_u64_div_u64-for-frequency-calc.patch +bpf-add-bpf_prog_type_cgroup_skb-attach-type-enforce.patch +sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch +revert-sh-handle-calling-csum_partial-with-misaligne.patch +wifi-mt76-mt7603-fix-tx-queue-of-loopback-packets.patch +wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch +wifi-mt76-connac-check-for-null-before-dereferencing.patch +wifi-mt76-mt7996-fix-size-of-txpower-mcu-command.patch +wifi-mt76-mt7925-ensure-4-byte-alignment-for-suspend.patch +wifi-mt76-mt7996-fix-uninitialized-variable-in-mt799.patch +wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch +wifi-mt76-connac-use-muar-idx-0xe-for-non-mt799x-as-.patch +libbpf-fix-error-message-in-attach_kprobe_multi.patch +wifi-nl80211-avoid-address-calculations-via-out-of-b.patch +wifi-rtw89-wow-refine-wowlan-flows-of-hci-interrupts.patch +selftests-ktap_helpers-make-it-posix-compliant.patch +selftests-power_supply-make-it-posix-compliant.patch +selftests-binderfs-use-the-makefile-s-rules-not-make.patch +selftests-resctrl-fix-clang-build-failure-use-local_.patch +selftests-default-to-host-arch-for-llvm-builds.patch +kunit-fix-kthread-reference.patch +kunit-unregister-the-device-on-error.patch +kunit-bail-out-early-in-__kunit_test_suites_init-if-.patch +selftests-bpf-fix-pointer-arithmetic-in-test_xdp_do_.patch +hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch +scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch +scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch +scsi-qla2xxx-fix-debugfs-output-for-fw_resource_coun.patch +gpio-nuvoton-fix-sgpio-irq-handle-error.patch +x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch +wifi-mwl8k-initialize-cmd-addr-properly.patch +hid-amd_sfh-handle-no-sensors-in-pm-operations.patch +btrfs-set-start-on-clone-before-calling-copy_extent_.patch +usb-aqc111-stop-lying-about-skb-truesize.patch +net-usb-sr9700-stop-lying-about-skb-truesize.patch +m68k-fix-spinlock-race-in-kernel-thread-creation.patch +m68k-mac-fix-reboot-hang-on-mac-iici.patch +m68k-move-arch_has_cpu_cache_aliasing.patch +selftests-compile-kselftest-headers-with-d_gnu_sourc.patch +selftests-sgx-include-khdr_includes-in-makefile.patch +dm-delay-fix-workqueue-delay_timer-race.patch +dm-delay-fix-hung-task-introduced-by-kthread-mode.patch +dm-delay-fix-max_delay-calculations.patch +ptp-ocp-fix-dpll-functions.patch +net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch +eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch +selftests-net-add-missing-config-for-amt.sh.patch +selftests-net-move-amt-to-socat-for-better-compatibi.patch +net-ethernet-mediatek-split-tx-and-rx-fields-in-mtk_.patch +net-ethernet-mediatek-use-admav1-instead-of-admav2.0.patch +ice-fix-package-download-algorithm.patch +net-ethernet-cortina-locking-fixes.patch +af_unix-fix-data-races-in-unix_release_sock-unix_str.patch +net-usb-smsc95xx-stop-lying-about-skb-truesize.patch +net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch +ipv6-sr-add-missing-seg6_local_exit.patch +ipv6-sr-fix-incorrect-unregister-order.patch +ipv6-sr-fix-invalid-unregister-error-path.patch +net-mlx5e-fix-netif-state-handling.patch +net-mlx5-fix-peer-devlink-set-for-sf-representor-dev.patch +net-mlx5-reload-only-ib-representors-upon-lag-disabl.patch +net-mlx5-add-a-timeout-to-acquire-the-command-queue-.patch +net-mlx5-discard-command-completions-in-internal-err.patch +s390-bpf-emit-a-barrier-for-bpf_fetch-instructions.patch +riscv-bpf-make-some-atomic-operations-fully-ordered.patch +inet-fix-inet_fill_ifaddr-flags-truncation.patch +ax25-use-kernel-universal-linked-list-to-implement-a.patch +ax25-fix-reference-count-leak-issues-of-ax25_dev.patch +ax25-fix-reference-count-leak-issue-of-net_device.patch +dpll-fix-return-value-check-for-kmemdup.patch +net-fec-remove-.ndo_poll_controller-to-avoid-deadloc.patch +mptcp-so_keepalive-fix-getsockopt-support.patch +mptcp-fix-full-tcp-keep-alive-support.patch +net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch +net-micrel-fix-receiving-the-timestamp-in-the-frame-.patch +bluetooth-compute-le-flow-credits-based-on-recvbuf-s.patch +bluetooth-qca-fix-error-code-in-qca_read_fw_build_in.patch +bluetooth-iso-make-iso_get_sock_listen-generic.patch +bluetooth-hci-remove-hci_amp-support.patch +bluetooth-hci_conn-hci_sync-use-__counted_by-to-avoi.patch +bluetooth-hci_core-fix-not-handling-hdev-le_num_of_a.patch +drm-panel-edp-add-prepare_to_enable-to-200ms-for-mnc.patch +drm-bridge-fix-improper-bridge-init-order-with-pre_e.patch +drm-ci-update-device-type-for-volteer-devices.patch +drm-nouveau-dp-fix-incorrect-return-code-in-r535_dp_.patch +drm-omapdrm-fix-console-by-implementing-fb_dirty.patch +drm-omapdrm-fix-console-with-deferred-ops.patch +printk-let-no_printk-use-_printk.patch +dev_printk-add-and-use-dev_no_printk.patch +drm-lcdif-do-not-disable-clocks-on-already-suspended.patch +drm-panel-atna33xc20-fix-unbalanced-regulator-in-the.patch +drm-amd-display-fix-potential-index-out-of-bounds-in.patch +drm-amd-display-remove-redundant-condition-in-dcn35_.patch +asoc-intel-disable-route-checks-for-skylake-boards.patch +asoc-intel-avs-ssm4567-do-not-ignore-route-checks.patch +mtd-core-report-error-if-first-mtd_otp_size-call-fai.patch +mtd-rawnand-hynix-fixed-typo.patch +drm-imagination-avoid-woverflow-warning.patch +asoc-mediatek-assign-dummy-when-codec-not-specified-.patch +drm-panel-ltk050h3146w-add-mipi_dsi_mode_video-to-lt.patch +drm-panel-ltk050h3146w-drop-duplicate-commands-from-.patch +fbdev-shmobile-fix-snprintf-truncation.patch +asoc-kirkwood-fix-potential-null-dereference.patch +drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch +drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch +drm-mediatek-init-ddp_comp-with-devm_kcalloc.patch +asoc-sof-intel-hda-dai-fix-channel-map-configuration.patch +powerpc-fsl-soc-hide-unused-const-variable.patch +asoc-sof-intel-mtl-correct-rom_status_reg.patch +asoc-sof-intel-lnl-correct-rom_status_reg.patch +asoc-sof-intel-mtl-disable-interrupts-when-firmware-.patch +asoc-sof-intel-mtl-implement-firmware-boot-state-che.patch +fbdev-sisfb-hide-unused-variables.patch +selftests-cgroup-skip-test_cgcore_lesser_ns_open-whe.patch +asoc-intel-avs-restore-stream-decoupling-on-prepare.patch +asoc-intel-avs-fix-debug-slot-offset-calculation.patch +asoc-intel-avs-fix-asrc-module-initialization.patch +asoc-intel-avs-fix-potential-integer-overflow.patch +asoc-intel-avs-test-result-of-avs_get_module_entry.patch +media-ngene-add-dvb_ca_en50221_init-return-value-che.patch +staging-media-starfive-remove-links-when-unregisteri.patch +media-rcar-vin-work-around-wenum-compare-conditional.patch +media-radio-shark2-avoid-led_names-truncations.patch +drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch +platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch +drm-msm-dp-allow-voltage-swing-pre-emphasis-of-3.patch +drm-msm-dp-avoid-a-long-timeout-for-aux-transfer-if-.patch +drm-msm-dp-account-for-the-timeout-in-wait_hpd_asser.patch +media-ipu3-cio2-request-irq-earlier.patch +media-dt-bindings-ovti-ov2680-fix-the-power-supply-n.patch +media-i2c-et8ek8-don-t-strip-remove-function-when-dr.patch +media-v4l2-subdev-fix-stream-handling-for-crop-api.patch +fbdev-sh7760fb-allow-modular-build.patch +media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch +drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch +drm-vc4-fix-possible-null-pointer-dereference.patch +asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch +drm-bridge-anx7625-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-icn6211-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-lt8912b-don-t-log-an-error-when-dsi-host-.patch +drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch +drm-bridge-lt9611uxc-don-t-log-an-error-when-dsi-hos.patch +drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch +drm-bridge-dpc3433-don-t-log-an-error-when-dsi-host-.patch +drm-panel-novatek-nt35950-don-t-log-an-error-when-ds.patch +drm-bridge-anx7625-update-audio-status-while-detecti.patch +drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch +alsa-hda-cs35l41-remove-speaker-id-for-lenovo-legion.patch +drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch +media-uvcvideo-add-quirk-for-logitech-rally-bar.patch +drm-rockchip-vop2-do-not-divide-height-twice-for-yuv.patch +risc-v-fix-the-typo-in-scountovf-csr-name.patch +drm-edid-parse-topology-block-for-all-dispid-structu.patch +media-cadence-csi2rx-configure-dphy-before-starting-.patch +power-supply-core-simplify-charge_behaviour-formatti.patch +clk-samsung-exynosautov9-fix-wrong-pll-clock-id-valu.patch +rdma-mlx5-uncacheable-mkey-has-neither-rb_key-or-cac.patch +rdma-mlx5-change-check-for-cacheable-mkeys.patch +rdma-mlx5-adding-remote-atomic-access-flag-to-updata.patch +clk-mediatek-pllfh-don-t-log-error-for-missing-fhctl.patch +iommu-undo-pasid-attachment-only-for-the-devices-tha.patch +rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch +rdma-hns-add-max_ah-and-cq-moderation-capacities-in-.patch +rdma-hns-fix-deadlock-on-srq-async-events.patch +rdma-hns-fix-uaf-for-cq-async-event.patch +rdma-hns-fix-mismatch-exception-rollback.patch +rdma-hns-fix-gmv-table-pagesize.patch +rdma-hns-use-complete-parentheses-in-macros.patch +rdma-hns-modify-the-print-level-of-cqe-error.patch +clk-mediatek-mt8365-mm-fix-dpi0-parent.patch +clk-rs9-fix-wrong-default-value-for-clock-amplitude.patch +clk-qcom-clk-alpha-pll-remove-invalid-stromer-regist.patch +clk-samsung-gs101-propagate-peric0-usi-spi-clock-rat.patch +clk-samsung-gs101-propagate-peric1-usi-spi-clock-rat.patch +rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch +rdma-rxe-allow-good-work-requests-to-be-executed.patch +rdma-rxe-fix-incorrect-rxe_put-in-error-path.patch +ib-mlx5-use-__iowrite64_copy-for-write-combining-sto.patch +clk-renesas-r8a779a0-fix-canfd-parent-clock.patch +clk-renesas-r9a07g043-add-clock-and-reset-entry-for-.patch +lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch +mm-ksm-fix-ksm-exec-support-for-prctl.patch +clk-qcom-dispcc-sm8450-fix-displayport-clocks.patch +clk-qcom-dispcc-sm6350-fix-displayport-clocks.patch +clk-qcom-dispcc-sm8550-fix-displayport-clocks.patch +clk-qcom-dispcc-sm8650-fix-displayport-clocks.patch +clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch +x86-insn-fix-push-instruction-in-x86-instruction-dec.patch +x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch +ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch +rdma-mana_ib-introduce-helpers-to-create-and-destroy.patch +rdma-mana_ib-use-struct-mana_ib_queue-for-cqs.patch +rdma-mana_ib-boundary-check-before-installing-cq-cal.patch +virt-acrn-stop-using-follow_pfn.patch +drivers-virt-acrn-fix-pfnmap-pte-checks-in-acrn_vm_r.patch +iommu-vt-d-decouple-igfx_off-from-graphic-identity-m.patch +iommu-amd-enable-guest-translation-after-reading-iom.patch +sunrpc-removed-redundant-procp-check.patch +nfsd-don-t-create-nfsv4recoverydir-in-nfsdfs-when-no.patch +dax-bus.c-replace-warn_on_once-with-lockdep-asserts.patch +dax-bus.c-fix-locking-for-unregister_dax_dev-unregis.patch +dax-bus.c-don-t-use-down_write_killable-for-non-user.patch +dax-bus.c-use-the-right-locking-mode-read-vs-write-i.patch +ext4-fix-potential-unnitialized-variable.patch +ext4-remove-the-redundant-folio_wait_stable.patch +clk-qcom-fix-sc_camcc_8280xp-dependencies.patch +clk-qcom-fix-sm_gpucc_8650-dependencies.patch +clk-qcom-apss-ipq-pll-fix-pll-rate-for-ipq5018.patch +nilfs2-make-superblock-data-array-index-computation-.patch +of-module-add-buffer-overflow-check-in-of_modalias.patch +bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch +sunrpc-fix-gss_free_in_token_pages.patch +selftests-damon-_damon_sysfs-check-errors-from-nr_sc.patch +selftests-kcmp-remove-unused-open-mode.patch +rdma-ipoib-fix-format-truncation-compilation-errors.patch +rdma-cma-fix-kmemleak-in-rdma_core-observed-during-b.patch +samples-landlock-fix-incorrect-free-in-populate_rule.patch +tracing-user_events-fix-non-spaced-field-matching.patch +modules-drop-the-.export_symbol-section-from-the-fin.patch +net-bridge-xmit-make-sure-we-have-at-least-eth-heade.patch +selftests-net-bridge-increase-igmp-mld-exclude-timeo.patch +net-bridge-mst-fix-vlan-use-after-free.patch +libbpf-fix-feature-detectors-when-using-token_fd.patch +net-qrtr-ns-fix-module-refcnt.patch +selftests-net-lib-no-need-to-record-ns-name-if-it-al.patch +idpf-don-t-skip-over-ethtool-tcp-data-split-setting.patch +netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch +af_packet-do-not-call-packet_read_pending-from-tpack.patch +sched-fair-allow-disabling-sched_balance_newidle-wit.patch +sched-core-fix-incorrect-initialization-of-the-burst.patch +net-wangxun-fix-to-change-rx-features.patch +net-wangxun-match-vlan-ctag-and-stag-features.patch +net-txgbe-fix-to-control-vlan-strip.patch +l2tp-fix-icmp-error-handling-for-udp-encap-sockets.patch +revert-selftests-compile-kselftest-headers-with-d_gn.patch +revert-selftests-sgx-include-khdr_includes-in-makefi.patch diff --git a/queue-6.9/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch b/queue-6.9/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch new file mode 100644 index 00000000000..775ecbb16c1 --- /dev/null +++ b/queue-6.9/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch @@ -0,0 +1,53 @@ +From c3e72f76b0f28454ed1e04632115417e5bc3c514 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:02:30 +0100 +Subject: sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() + +From: Geert Uytterhoeven + +[ Upstream commit 1422ae080b66134fe192082d9b721ab7bd93fcc5 ] + +arch/sh/kernel/kprobes.c:52:16: warning: no previous prototype for 'arch_copy_kprobe' [-Wmissing-prototypes] + +Although SH kprobes support was only merged in v2.6.28, it missed the +earlier removal of the arch_copy_kprobe() callback in v2.6.15. + +Based on the powerpc part of commit 49a2a1b83ba6fa40 ("[PATCH] kprobes: +changed from using spinlock to mutex"). + +Fixes: d39f5450146ff39f ("sh: Add kprobes support.") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/717d47a19689cc944fae6e981a1ad7cae1642c89.1709326528.git.geert+renesas@glider.be +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/kprobes.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c +index aed1ea8e2c2f0..74051b8ddf3e7 100644 +--- a/arch/sh/kernel/kprobes.c ++++ b/arch/sh/kernel/kprobes.c +@@ -44,17 +44,12 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + if (OPCODE_RTE(opcode)) + return -EFAULT; /* Bad breakpoint */ + ++ memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); + p->opcode = opcode; + + return 0; + } + +-void __kprobes arch_copy_kprobe(struct kprobe *p) +-{ +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); +- p->opcode = *p->addr; +-} +- + void __kprobes arch_arm_kprobe(struct kprobe *p) + { + *p->addr = BREAKPOINT_INSTRUCTION; +-- +2.43.0 + diff --git a/queue-6.9/shmem-fix-shmem_rename2.patch b/queue-6.9/shmem-fix-shmem_rename2.patch new file mode 100644 index 00000000000..092b94e953c --- /dev/null +++ b/queue-6.9/shmem-fix-shmem_rename2.patch @@ -0,0 +1,55 @@ +From 2a19b5907894edf435a9aa7f4638f1d321730eb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:20:56 -0400 +Subject: shmem: Fix shmem_rename2() + +From: Chuck Lever + +[ Upstream commit ad191eb6d6942bb835a0b20b647f7c53c1d99ca4 ] + +When renaming onto an existing directory entry, user space expects +the replacement entry to have the same directory offset as the +original one. + +Link: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15966 +Fixes: a2e459555c5f ("shmem: stable directory offsets") +Signed-off-by: Chuck Lever +Link: https://lore.kernel.org/r/20240415152057.4605-4-cel@kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/libfs.c b/fs/libfs.c +index c392a6edd3930..b635ee5adbcce 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -366,6 +366,9 @@ int simple_offset_empty(struct dentry *dentry) + * + * Caller provides appropriate serialization. + * ++ * User space expects the directory offset value of the replaced ++ * (new) directory entry to be unchanged after a rename. ++ * + * Returns zero on success, a negative errno value on failure. + */ + int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry, +@@ -373,8 +376,14 @@ int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry, + { + struct offset_ctx *old_ctx = old_dir->i_op->get_offset_ctx(old_dir); + struct offset_ctx *new_ctx = new_dir->i_op->get_offset_ctx(new_dir); ++ long new_offset = dentry2offset(new_dentry); + + simple_offset_remove(old_ctx, old_dentry); ++ ++ if (new_offset) { ++ offset_set(new_dentry, 0); ++ return simple_offset_replace(new_ctx, old_dentry, new_offset); ++ } + return simple_offset_add(new_ctx, old_dentry); + } + +-- +2.43.0 + diff --git a/queue-6.9/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch b/queue-6.9/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch new file mode 100644 index 00000000000..8c2cfc61f1b --- /dev/null +++ b/queue-6.9/soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch @@ -0,0 +1,49 @@ +From 623f842da7d34fb98ffca698a053be1408184e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 15:41:09 +0000 +Subject: soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE + +From: Chun-Kuang Hu + +[ Upstream commit ed4d5ab179b9f0a60da87c650a31f1816db9b4b4 ] + +For cmdq jump command, offset 0 means relative jump and offset 1 +means absolute jump. cmdq_pkt_jump() is absolute jump, so fix the +typo of CMDQ_JUMP_RELATIVE in cmdq_pkt_jump(). + +Fixes: 946f1792d3d7 ("soc: mediatek: cmdq: add jump function") +Signed-off-by: Chun-Kuang Hu +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240222154120.16959-2-chunkuang.hu@kernel.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/mediatek/mtk-cmdq-helper.c b/drivers/soc/mediatek/mtk-cmdq-helper.c +index b0cd071c4719b..0b2e5690dacfa 100644 +--- a/drivers/soc/mediatek/mtk-cmdq-helper.c ++++ b/drivers/soc/mediatek/mtk-cmdq-helper.c +@@ -14,7 +14,8 @@ + #define CMDQ_POLL_ENABLE_MASK BIT(0) + #define CMDQ_EOC_IRQ_EN BIT(0) + #define CMDQ_REG_TYPE 1 +-#define CMDQ_JUMP_RELATIVE 1 ++#define CMDQ_JUMP_RELATIVE 0 ++#define CMDQ_JUMP_ABSOLUTE 1 + + struct cmdq_instruction { + union { +@@ -397,7 +398,7 @@ int cmdq_pkt_jump(struct cmdq_pkt *pkt, dma_addr_t addr) + struct cmdq_instruction inst = {}; + + inst.op = CMDQ_CODE_JUMP; +- inst.offset = CMDQ_JUMP_RELATIVE; ++ inst.offset = CMDQ_JUMP_ABSOLUTE; + inst.value = addr >> + cmdq_get_shift_pa(((struct cmdq_client *)pkt->cl)->chan); + return cmdq_pkt_append_command(pkt, inst); +-- +2.43.0 + diff --git a/queue-6.9/soc-qcom-pmic_glink-don-t-traverse-clients-list-with.patch b/queue-6.9/soc-qcom-pmic_glink-don-t-traverse-clients-list-with.patch new file mode 100644 index 00000000000..7230f7b3a4b --- /dev/null +++ b/queue-6.9/soc-qcom-pmic_glink-don-t-traverse-clients-list-with.patch @@ -0,0 +1,56 @@ +From 3def2d38b076b97ffa823dd4d57fada42ae68394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 06:10:57 +0300 +Subject: soc: qcom: pmic_glink: don't traverse clients list without a lock + +From: Dmitry Baryshkov + +[ Upstream commit 635ce0db89567ba62f64b79e8c6664ba3eff6516 ] + +Take the client_lock before traversing the clients list at the +pmic_glink_state_notify_clients() function. This is required to keep the +list traversal safe from concurrent modification. + +Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Andrew Halaney +Reviewed-by: Mukesh Ojha +Tested-by: Xilin Wu # on QCS8550 AYN Odin 2 +Link: https://lore.kernel.org/r/20240403-pmic-glink-fix-clients-v2-1-aed4e02baacc@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pmic_glink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c +index f913e9bd57ed4..2b2cdf4796542 100644 +--- a/drivers/soc/qcom/pmic_glink.c ++++ b/drivers/soc/qcom/pmic_glink.c +@@ -115,10 +115,12 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data, + + hdr = data; + ++ mutex_lock(&pg->client_lock); + list_for_each_entry(client, &pg->clients, node) { + if (client->id == le32_to_cpu(hdr->owner)) + client->cb(data, len, client->priv); + } ++ mutex_unlock(&pg->client_lock); + + return 0; + } +@@ -168,8 +170,10 @@ static void pmic_glink_state_notify_clients(struct pmic_glink *pg) + } + + if (new_state != pg->client_state) { ++ mutex_lock(&pg->client_lock); + list_for_each_entry(client, &pg->clients, node) + client->pdr_notify(client->priv, new_state); ++ mutex_unlock(&pg->client_lock); + pg->client_state = new_state; + } + } +-- +2.43.0 + diff --git a/queue-6.9/soc-qcom-pmic_glink-make-client-lock-non-sleeping.patch b/queue-6.9/soc-qcom-pmic_glink-make-client-lock-non-sleeping.patch new file mode 100644 index 00000000000..3e5a9c76997 --- /dev/null +++ b/queue-6.9/soc-qcom-pmic_glink-make-client-lock-non-sleeping.patch @@ -0,0 +1,142 @@ +From 4ae7a6f7d4fe6b91d183c5e410e6323bd2816efc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 20:38:57 -0700 +Subject: soc: qcom: pmic_glink: Make client-lock non-sleeping + +From: Bjorn Andersson + +[ Upstream commit 9329933699b32d467a99befa20415c4b2172389a ] + +The recently introduced commit '635ce0db8956 ("soc: qcom: pmic_glink: +don't traverse clients list without a lock")' ensured that the clients +list is not modified while traversed. + +But the callback is made from the GLINK IRQ handler and as such this +mutual exclusion can not be provided by a (sleepable) mutex. + +Replace the mutex with a spinlock. + +Fixes: 635ce0db8956 ("soc: qcom: pmic_glink: don't traverse clients list without a lock") +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240430-pmic-glink-sleep-while-atomic-v1-1-88fb493e8545@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pmic_glink.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c +index e85a12ec2aab1..823fd108fa039 100644 +--- a/drivers/soc/qcom/pmic_glink.c ++++ b/drivers/soc/qcom/pmic_glink.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + enum { + PMIC_GLINK_CLIENT_BATT = 0, +@@ -36,7 +37,7 @@ struct pmic_glink { + unsigned int pdr_state; + + /* serializing clients list updates */ +- struct mutex client_lock; ++ spinlock_t client_lock; + struct list_head clients; + }; + +@@ -58,10 +59,11 @@ static void _devm_pmic_glink_release_client(struct device *dev, void *res) + { + struct pmic_glink_client *client = (struct pmic_glink_client *)res; + struct pmic_glink *pg = client->pg; ++ unsigned long flags; + +- mutex_lock(&pg->client_lock); ++ spin_lock_irqsave(&pg->client_lock, flags); + list_del(&client->node); +- mutex_unlock(&pg->client_lock); ++ spin_unlock_irqrestore(&pg->client_lock, flags); + } + + struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, +@@ -72,6 +74,7 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, + { + struct pmic_glink_client *client; + struct pmic_glink *pg = dev_get_drvdata(dev->parent); ++ unsigned long flags; + + client = devres_alloc(_devm_pmic_glink_release_client, sizeof(*client), GFP_KERNEL); + if (!client) +@@ -84,12 +87,12 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, + client->priv = priv; + + mutex_lock(&pg->state_lock); +- mutex_lock(&pg->client_lock); ++ spin_lock_irqsave(&pg->client_lock, flags); + + list_add(&client->node, &pg->clients); + client->pdr_notify(client->priv, pg->client_state); + +- mutex_unlock(&pg->client_lock); ++ spin_unlock_irqrestore(&pg->client_lock, flags); + mutex_unlock(&pg->state_lock); + + devres_add(dev, client); +@@ -112,6 +115,7 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data, + struct pmic_glink_client *client; + struct pmic_glink_hdr *hdr; + struct pmic_glink *pg = dev_get_drvdata(&rpdev->dev); ++ unsigned long flags; + + if (len < sizeof(*hdr)) { + dev_warn(pg->dev, "ignoring truncated message\n"); +@@ -120,12 +124,12 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data, + + hdr = data; + +- mutex_lock(&pg->client_lock); ++ spin_lock_irqsave(&pg->client_lock, flags); + list_for_each_entry(client, &pg->clients, node) { + if (client->id == le32_to_cpu(hdr->owner)) + client->cb(data, len, client->priv); + } +- mutex_unlock(&pg->client_lock); ++ spin_unlock_irqrestore(&pg->client_lock, flags); + + return 0; + } +@@ -165,6 +169,7 @@ static void pmic_glink_state_notify_clients(struct pmic_glink *pg) + { + struct pmic_glink_client *client; + unsigned int new_state = pg->client_state; ++ unsigned long flags; + + if (pg->client_state != SERVREG_SERVICE_STATE_UP) { + if (pg->pdr_state == SERVREG_SERVICE_STATE_UP && pg->ept) +@@ -175,10 +180,10 @@ static void pmic_glink_state_notify_clients(struct pmic_glink *pg) + } + + if (new_state != pg->client_state) { +- mutex_lock(&pg->client_lock); ++ spin_lock_irqsave(&pg->client_lock, flags); + list_for_each_entry(client, &pg->clients, node) + client->pdr_notify(client->priv, new_state); +- mutex_unlock(&pg->client_lock); ++ spin_unlock_irqrestore(&pg->client_lock, flags); + pg->client_state = new_state; + } + } +@@ -265,7 +270,7 @@ static int pmic_glink_probe(struct platform_device *pdev) + pg->dev = &pdev->dev; + + INIT_LIST_HEAD(&pg->clients); +- mutex_init(&pg->client_lock); ++ spin_lock_init(&pg->client_lock); + mutex_init(&pg->state_lock); + + match_data = (unsigned long *)of_device_get_match_data(&pdev->dev); +-- +2.43.0 + diff --git a/queue-6.9/soc-qcom-pmic_glink-notify-clients-about-the-current.patch b/queue-6.9/soc-qcom-pmic_glink-notify-clients-about-the-current.patch new file mode 100644 index 00000000000..efc988d64f4 --- /dev/null +++ b/queue-6.9/soc-qcom-pmic_glink-notify-clients-about-the-current.patch @@ -0,0 +1,48 @@ +From ad77ccd9cede77553d9e1eb038c89da6b98be72c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 06:10:58 +0300 +Subject: soc: qcom: pmic_glink: notify clients about the current state + +From: Dmitry Baryshkov + +[ Upstream commit d6cbce2cd354c9a37a558f290a8f1dfd20584f99 ] + +In case the client is registered after the pmic-glink recived a response +from the Protection Domain mapper, it is going to miss the notification +about the state. Notify clients about the current state upon +registration. + +Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") +Reviewed-by: Andrew Halaney +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Mukesh Ojha +Tested-by: Xilin Wu # on QCS8550 AYN Odin 2 +Link: https://lore.kernel.org/r/20240403-pmic-glink-fix-clients-v2-2-aed4e02baacc@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pmic_glink.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c +index 2b2cdf4796542..e85a12ec2aab1 100644 +--- a/drivers/soc/qcom/pmic_glink.c ++++ b/drivers/soc/qcom/pmic_glink.c +@@ -83,9 +83,14 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, + client->pdr_notify = pdr; + client->priv = priv; + ++ mutex_lock(&pg->state_lock); + mutex_lock(&pg->client_lock); ++ + list_add(&client->node, &pg->clients); ++ client->pdr_notify(client->priv, pg->client_state); ++ + mutex_unlock(&pg->client_lock); ++ mutex_unlock(&pg->state_lock); + + devres_add(dev, client); + +-- +2.43.0 + diff --git a/queue-6.9/staging-media-starfive-remove-links-when-unregisteri.patch b/queue-6.9/staging-media-starfive-remove-links-when-unregisteri.patch new file mode 100644 index 00000000000..65c26f6889c --- /dev/null +++ b/queue-6.9/staging-media-starfive-remove-links-when-unregisteri.patch @@ -0,0 +1,40 @@ +From 8923124ca123db0e4ec273cd00fe61d946053997 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 05:03:09 -0700 +Subject: staging: media: starfive: Remove links when unregistering devices + +From: Changhuang Liang + +[ Upstream commit 810dd605e917c716f6f83e6cd8ea23d9155d32a2 ] + +Need to remove links when unregistering devices. + +Fixes: ac7da4a73b10 ("media: staging: media: starfive: camss: Register devices") + +Signed-off-by: Changhuang Liang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/starfive/camss/stf-camss.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/staging/media/starfive/camss/stf-camss.c b/drivers/staging/media/starfive/camss/stf-camss.c +index a587f860101ae..323aa70fdeaf1 100644 +--- a/drivers/staging/media/starfive/camss/stf-camss.c ++++ b/drivers/staging/media/starfive/camss/stf-camss.c +@@ -162,6 +162,12 @@ static int stfcamss_register_devs(struct stfcamss *stfcamss) + + static void stfcamss_unregister_devs(struct stfcamss *stfcamss) + { ++ struct stf_capture *cap_yuv = &stfcamss->captures[STF_CAPTURE_YUV]; ++ struct stf_isp_dev *isp_dev = &stfcamss->isp_dev; ++ ++ media_entity_remove_links(&isp_dev->subdev.entity); ++ media_entity_remove_links(&cap_yuv->video.vdev.entity); ++ + stf_isp_unregister(&stfcamss->isp_dev); + stf_capture_unregister(stfcamss); + } +-- +2.43.0 + diff --git a/queue-6.9/sunrpc-fix-gss_free_in_token_pages.patch b/queue-6.9/sunrpc-fix-gss_free_in_token_pages.patch new file mode 100644 index 00000000000..503b393e995 --- /dev/null +++ b/queue-6.9/sunrpc-fix-gss_free_in_token_pages.patch @@ -0,0 +1,78 @@ +From c561483e3706fef93c06f015eaf31f25d450aca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 09:10:41 -0400 +Subject: SUNRPC: Fix gss_free_in_token_pages() + +From: Chuck Lever + +[ Upstream commit bafa6b4d95d97877baa61883ff90f7e374427fae ] + +Dan Carpenter says: +> Commit 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") from Oct +> 24, 2019 (linux-next), leads to the following Smatch static checker +> warning: +> +> net/sunrpc/auth_gss/svcauth_gss.c:1039 gss_free_in_token_pages() +> warn: iterator 'i' not incremented +> +> net/sunrpc/auth_gss/svcauth_gss.c +> 1034 static void gss_free_in_token_pages(struct gssp_in_token *in_token) +> 1035 { +> 1036 u32 inlen; +> 1037 int i; +> 1038 +> --> 1039 i = 0; +> 1040 inlen = in_token->page_len; +> 1041 while (inlen) { +> 1042 if (in_token->pages[i]) +> 1043 put_page(in_token->pages[i]); +> ^ +> This puts page zero over and over. +> +> 1044 inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +> 1045 } +> 1046 +> 1047 kfree(in_token->pages); +> 1048 in_token->pages = NULL; +> 1049 } + +Based on the way that the ->pages[] array is constructed in +gss_read_proxy_verf(), we know that once the loop encounters a NULL +page pointer, the remaining array elements must also be NULL. + +Reported-by: Dan Carpenter +Suggested-by: Trond Myklebust +Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 24de941847003..96ab50eda9c2e 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1033,17 +1033,11 @@ svcauth_gss_proc_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, + + static void gss_free_in_token_pages(struct gssp_in_token *in_token) + { +- u32 inlen; + int i; + + i = 0; +- inlen = in_token->page_len; +- while (inlen) { +- if (in_token->pages[i]) +- put_page(in_token->pages[i]); +- inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +- } +- ++ while (in_token->pages[i]) ++ put_page(in_token->pages[i++]); + kfree(in_token->pages); + in_token->pages = NULL; + } +-- +2.43.0 + diff --git a/queue-6.9/sunrpc-removed-redundant-procp-check.patch b/queue-6.9/sunrpc-removed-redundant-procp-check.patch new file mode 100644 index 00000000000..b0a94fe5f1a --- /dev/null +++ b/queue-6.9/sunrpc-removed-redundant-procp-check.patch @@ -0,0 +1,39 @@ +From f81723486a40533d6ea007e549d17f37bd1c5921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 14:10:44 +0700 +Subject: sunrpc: removed redundant procp check + +From: Aleksandr Aprelkov + +[ Upstream commit a576f36971ab4097b6aa76433532aa1fb5ee2d3b ] + +since vs_proc pointer is dereferenced before getting it's address there's +no need to check for NULL. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 8e5b67731d08 ("SUNRPC: Add a callback to initialise server requests") +Signed-off-by: Aleksandr Aprelkov +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index b33e429336fb7..2b4b1276d4e86 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1265,8 +1265,6 @@ svc_generic_init_request(struct svc_rqst *rqstp, + if (rqstp->rq_proc >= versp->vs_nproc) + goto err_bad_proc; + rqstp->rq_procinfo = procp = &versp->vs_proc[rqstp->rq_proc]; +- if (!procp) +- goto err_bad_proc; + + /* Initialize storage for argp and resp */ + memset(rqstp->rq_argp, 0, procp->pc_argzero); +-- +2.43.0 + diff --git a/queue-6.9/tcp-avoid-premature-drops-in-tcp_add_backlog.patch b/queue-6.9/tcp-avoid-premature-drops-in-tcp_add_backlog.patch new file mode 100644 index 00000000000..d8b7c13af54 --- /dev/null +++ b/queue-6.9/tcp-avoid-premature-drops-in-tcp_add_backlog.patch @@ -0,0 +1,87 @@ +From 22e104eac37ec413518f64adcb2b1897122762e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 12:56:20 +0000 +Subject: tcp: avoid premature drops in tcp_add_backlog() + +From: Eric Dumazet + +[ Upstream commit ec00ed472bdb7d0af840da68c8c11bff9f4d9caa ] + +While testing TCP performance with latest trees, +I saw suspect SOCKET_BACKLOG drops. + +tcp_add_backlog() computes its limit with : + + limit = (u32)READ_ONCE(sk->sk_rcvbuf) + + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1); + limit += 64 * 1024; + +This does not take into account that sk->sk_backlog.len +is reset only at the very end of __release_sock(). + +Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach +sk_rcvbuf in normal conditions. + +We should double sk->sk_rcvbuf contribution in the formula +to absorb bubbles in the backlog, which happen more often +for very fast flows. + +This change maintains decent protection against abuses. + +Fixes: c377411f2494 ("net: sk_add_backlog() take rmem_alloc into account") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240423125620.3309458-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index e0cef75f85fb9..92511b7fd5249 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2001,7 +2001,7 @@ int tcp_v4_early_demux(struct sk_buff *skb) + bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + enum skb_drop_reason *reason) + { +- u32 limit, tail_gso_size, tail_gso_segs; ++ u32 tail_gso_size, tail_gso_segs; + struct skb_shared_info *shinfo; + const struct tcphdr *th; + struct tcphdr *thtail; +@@ -2010,6 +2010,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + bool fragstolen; + u32 gso_segs; + u32 gso_size; ++ u64 limit; + int delta; + + /* In case all data was pulled from skb frags (in __pskb_pull_tail()), +@@ -2107,7 +2108,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + __skb_push(skb, hdrlen); + + no_coalesce: +- limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1); ++ /* sk->sk_backlog.len is reset only at the end of __release_sock(). ++ * Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach ++ * sk_rcvbuf in normal conditions. ++ */ ++ limit = ((u64)READ_ONCE(sk->sk_rcvbuf)) << 1; ++ ++ limit += ((u32)READ_ONCE(sk->sk_sndbuf)) >> 1; + + /* Only socket owner can try to collapse/prune rx queues + * to reduce memory overhead, so add a little headroom here. +@@ -2115,6 +2122,8 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, + */ + limit += 64 * 1024; + ++ limit = min_t(u64, limit, UINT_MAX); ++ + if (unlikely(sk_add_backlog(sk, skb, limit))) { + bh_unlock_sock(sk); + *reason = SKB_DROP_REASON_SOCKET_BACKLOG; +-- +2.43.0 + diff --git a/queue-6.9/tcp-increase-the-default-tcp-scaling-ratio.patch b/queue-6.9/tcp-increase-the-default-tcp-scaling-ratio.patch new file mode 100644 index 00000000000..325e7c25aa7 --- /dev/null +++ b/queue-6.9/tcp-increase-the-default-tcp-scaling-ratio.patch @@ -0,0 +1,71 @@ +From d15dead080bc67c776282919d872bcd759b9b8d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 09:43:55 -0700 +Subject: tcp: increase the default TCP scaling ratio + +From: Hechao Li + +[ Upstream commit 697a6c8cec03c2299f850fa50322641a8bf6b915 ] + +After commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), +we noticed an application-level timeout due to reduced throughput. + +Before the commit, for a client that sets SO_RCVBUF to 65k, it takes +around 22 seconds to transfer 10M data. After the commit, it takes 40 +seconds. Because our application has a 30-second timeout, this +regression broke the application. + +The reason that it takes longer to transfer data is that +tp->scaling_ratio is initialized to a value that results in ~0.25 of +rcvbuf. In our case, SO_RCVBUF is set to 65536 by the application, which +translates to 2 * 65536 = 131,072 bytes in rcvbuf and hence a ~28k +initial receive window. + +Later, even though the scaling_ratio is updated to a more accurate +skb->len/skb->truesize, which is ~0.66 in our environment, the window +stays at ~0.25 * rcvbuf. This is because tp->window_clamp does not +change together with the tp->scaling_ratio update when autotuning is +disabled due to SO_RCVBUF. As a result, the window size is capped at the +initial window_clamp, which is also ~0.25 * rcvbuf, and never grows +bigger. + +Most modern applications let the kernel do autotuning, and benefit from +the increased scaling_ratio. But there are applications such as kafka +that has a default setting of SO_RCVBUF=64k. + +This patch increases the initial scaling_ratio from ~25% to 50% in order +to make it backward compatible with the original default +sysctl_tcp_adv_win_scale for applications setting SO_RCVBUF. + +Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale") +Signed-off-by: Hechao Li +Reviewed-by: Tycho Andersen +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/netdev/20240402215405.432863-1-hli@netflix.com/ +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 6ae35199d3b3c..2bcf30381d75f 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1539,11 +1539,10 @@ static inline int tcp_space_from_win(const struct sock *sk, int win) + return __tcp_space_from_win(tcp_sk(sk)->scaling_ratio, win); + } + +-/* Assume a conservative default of 1200 bytes of payload per 4K page. ++/* Assume a 50% default for skb->len/skb->truesize ratio. + * This may be adjusted later in tcp_measure_rcv_mss(). + */ +-#define TCP_DEFAULT_SCALING_RATIO ((1200 << TCP_RMEM_TO_WIN_SCALE) / \ +- SKB_TRUESIZE(4096)) ++#define TCP_DEFAULT_SCALING_RATIO (1 << (TCP_RMEM_TO_WIN_SCALE - 1)) + + static inline void tcp_scaling_ratio_init(struct sock *sk) + { +-- +2.43.0 + diff --git a/queue-6.9/thermal-debugfs-avoid-excessive-updates-of-trip-poin.patch b/queue-6.9/thermal-debugfs-avoid-excessive-updates-of-trip-poin.patch new file mode 100644 index 00000000000..2d062d62f97 --- /dev/null +++ b/queue-6.9/thermal-debugfs-avoid-excessive-updates-of-trip-poin.patch @@ -0,0 +1,86 @@ +From 41181f44d08dc6aa410e55041ef2c777938bd74a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 15:09:46 +0200 +Subject: thermal/debugfs: Avoid excessive updates of trip point statistics + +From: Rafael J. Wysocki + +[ Upstream commit 0a293c77580581c4b058eb40287acadac6ffd14a ] + +Since thermal_debug_update_temp() is called before invoking +thermal_debug_tz_trip_down() for the trips that were crossed by the +zone temperature on the way up, it updates the statistics for them +as though the current zone temperature was above the low temperature +of each of them. However, if a given trip has just been crossed on the +way down, the zone temperature is in fact below its low temperature, +but this is handled by thermal_debug_tz_trip_down() running after the +update of the trip statistics. + +The remedy is to call thermal_debug_update_temp() after +thermal_debug_tz_trip_down() has been invoked for all of the +trips in question, but then thermal_debug_tz_trip_up() needs to +be adjusted, so it does not update the statistics for the trips +that has just been crossed on the way up, as that will be taken +care of by thermal_debug_update_temp() down the road. + +Modify the code accordingly. + +Fixes: 7ef01f228c9f ("thermal/debugfs: Add thermal debugfs information for mitigation episodes") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Lukasz Luba +Acked-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 3 ++- + drivers/thermal/thermal_debugfs.c | 7 ------- + 2 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 34a31bc720230..015d41a9a368b 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -431,7 +431,6 @@ static void update_temperature(struct thermal_zone_device *tz) + trace_thermal_temperature(tz); + + thermal_genl_sampling_temp(tz->id, temp); +- thermal_debug_update_temp(tz); + } + + static void thermal_zone_device_check(struct work_struct *work) +@@ -475,6 +474,8 @@ void __thermal_zone_device_update(struct thermal_zone_device *tz, + for_each_trip(tz, trip) + handle_thermal_trip(tz, trip); + ++ thermal_debug_update_temp(tz); ++ + monitor_thermal_zone(tz); + } + +diff --git a/drivers/thermal/thermal_debugfs.c b/drivers/thermal/thermal_debugfs.c +index 5693cc8b231aa..47ab95b3699e9 100644 +--- a/drivers/thermal/thermal_debugfs.c ++++ b/drivers/thermal/thermal_debugfs.c +@@ -555,7 +555,6 @@ void thermal_debug_tz_trip_up(struct thermal_zone_device *tz, + struct tz_episode *tze; + struct tz_debugfs *tz_dbg; + struct thermal_debugfs *thermal_dbg = tz->debugfs; +- int temperature = tz->temperature; + int trip_id = thermal_zone_trip_id(tz, trip); + ktime_t now = ktime_get(); + +@@ -624,12 +623,6 @@ void thermal_debug_tz_trip_up(struct thermal_zone_device *tz, + + tze = list_first_entry(&tz_dbg->tz_episodes, struct tz_episode, node); + tze->trip_stats[trip_id].timestamp = now; +- tze->trip_stats[trip_id].max = max(tze->trip_stats[trip_id].max, temperature); +- tze->trip_stats[trip_id].min = min(tze->trip_stats[trip_id].min, temperature); +- tze->trip_stats[trip_id].count++; +- tze->trip_stats[trip_id].avg = tze->trip_stats[trip_id].avg + +- (temperature - tze->trip_stats[trip_id].avg) / +- tze->trip_stats[trip_id].count; + + unlock: + mutex_unlock(&thermal_dbg->lock); +-- +2.43.0 + diff --git a/queue-6.9/thermal-debugfs-create-records-for-cdev-states-as-th.patch b/queue-6.9/thermal-debugfs-create-records-for-cdev-states-as-th.patch new file mode 100644 index 00000000000..3b3974c4633 --- /dev/null +++ b/queue-6.9/thermal-debugfs-create-records-for-cdev-states-as-th.patch @@ -0,0 +1,50 @@ +From 72210b1692846ea3143315547e4ef2dfdfb169f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 14:24:10 +0200 +Subject: thermal/debugfs: Create records for cdev states as they get used + +From: Rafael J. Wysocki + +[ Upstream commit f4ae18fcb652c6cccc834ded525ac37f91d5cdb1 ] + +Because thermal_debug_cdev_state_update() only creates a duration record +for the old state of a cooling device, if its new state is used for the +first time, there will be no record for it and cdev_dt_seq_show() will +not print the duration information for it even though it contains code +to compute the duration value in that case. + +Address this by making thermal_debug_cdev_state_update() create a +duration record for the new state if there is none. + +Fixes: 755113d76786 ("thermal/debugfs: Add thermal cooling device debugfs information") +Reported-by: Lukasz Luba +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Lukasz Luba +Tested-by: Lukasz Luba +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_debugfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/thermal/thermal_debugfs.c b/drivers/thermal/thermal_debugfs.c +index 47ab95b3699e9..2891d2ab4875c 100644 +--- a/drivers/thermal/thermal_debugfs.c ++++ b/drivers/thermal/thermal_debugfs.c +@@ -435,6 +435,14 @@ void thermal_debug_cdev_state_update(const struct thermal_cooling_device *cdev, + } + + cdev_dbg->current_state = new_state; ++ ++ /* ++ * Create a record for the new state if it is not there, so its ++ * duration will be printed by cdev_dt_seq_show() as expected if it ++ * runs before the next state transition. ++ */ ++ thermal_debugfs_cdev_record_get(thermal_dbg, cdev_dbg->durations, new_state); ++ + transition = (old_state << 16) | new_state; + + /* +-- +2.43.0 + diff --git a/queue-6.9/thermal-debugfs-pass-cooling-device-state-to-thermal.patch b/queue-6.9/thermal-debugfs-pass-cooling-device-state-to-thermal.patch new file mode 100644 index 00000000000..78f92cdb192 --- /dev/null +++ b/queue-6.9/thermal-debugfs-pass-cooling-device-state-to-thermal.patch @@ -0,0 +1,131 @@ +From e03d4a93e13f5104c93f46e06937c864209e2376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 14:24:20 +0200 +Subject: thermal/debugfs: Pass cooling device state to + thermal_debug_cdev_add() + +From: Rafael J. Wysocki + +[ Upstream commit 31a0fa0019b022024cc082ae292951a596b06f8c ] + +If cdev_dt_seq_show() runs before the first state transition of a cooling +device, it will not print any state residency information for it, even +though it might be reasonably expected to print residency information for +the initial state of the cooling device. + +For this reason, rearrange the code to get the initial state of a cooling +device at the registration time and pass it to thermal_debug_cdev_add(), +so that the latter can create a duration record for that state which will +allow cdev_dt_seq_show() to print its residency information. + +Fixes: 755113d76786 ("thermal/debugfs: Add thermal cooling device debugfs information") +Reported-by: Lukasz Luba +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Lukasz Luba +Tested-by: Lukasz Luba +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 9 +++++++-- + drivers/thermal/thermal_debugfs.c | 12 ++++++++++-- + drivers/thermal/thermal_debugfs.h | 4 ++-- + 3 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 015d41a9a368b..38b7d02384d7c 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -898,6 +898,7 @@ __thermal_cooling_device_register(struct device_node *np, + { + struct thermal_cooling_device *cdev; + struct thermal_zone_device *pos = NULL; ++ unsigned long current_state; + int id, ret; + + if (!ops || !ops->get_max_state || !ops->get_cur_state || +@@ -935,6 +936,10 @@ __thermal_cooling_device_register(struct device_node *np, + if (ret) + goto out_cdev_type; + ++ ret = cdev->ops->get_cur_state(cdev, ¤t_state); ++ if (ret) ++ goto out_cdev_type; ++ + thermal_cooling_device_setup_sysfs(cdev); + + ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); +@@ -948,6 +953,8 @@ __thermal_cooling_device_register(struct device_node *np, + return ERR_PTR(ret); + } + ++ thermal_debug_cdev_add(cdev, current_state); ++ + /* Add 'this' new cdev to the global cdev list */ + mutex_lock(&thermal_list_lock); + +@@ -963,8 +970,6 @@ __thermal_cooling_device_register(struct device_node *np, + + mutex_unlock(&thermal_list_lock); + +- thermal_debug_cdev_add(cdev); +- + return cdev; + + out_cooling_dev: +diff --git a/drivers/thermal/thermal_debugfs.c b/drivers/thermal/thermal_debugfs.c +index 2891d2ab4875c..403f74d663dce 100644 +--- a/drivers/thermal/thermal_debugfs.c ++++ b/drivers/thermal/thermal_debugfs.c +@@ -468,8 +468,9 @@ void thermal_debug_cdev_state_update(const struct thermal_cooling_device *cdev, + * Allocates a cooling device object for debug, initializes the + * statistics and create the entries in sysfs. + * @cdev: a pointer to a cooling device ++ * @state: current state of the cooling device + */ +-void thermal_debug_cdev_add(struct thermal_cooling_device *cdev) ++void thermal_debug_cdev_add(struct thermal_cooling_device *cdev, int state) + { + struct thermal_debugfs *thermal_dbg; + struct cdev_debugfs *cdev_dbg; +@@ -486,9 +487,16 @@ void thermal_debug_cdev_add(struct thermal_cooling_device *cdev) + INIT_LIST_HEAD(&cdev_dbg->durations[i]); + } + +- cdev_dbg->current_state = 0; ++ cdev_dbg->current_state = state; + cdev_dbg->timestamp = ktime_get(); + ++ /* ++ * Create a record for the initial cooling device state, so its ++ * duration will be printed by cdev_dt_seq_show() as expected if it ++ * runs before the first state transition. ++ */ ++ thermal_debugfs_cdev_record_get(thermal_dbg, cdev_dbg->durations, state); ++ + debugfs_create_file("trans_table", 0400, thermal_dbg->d_top, + thermal_dbg, &tt_fops); + +diff --git a/drivers/thermal/thermal_debugfs.h b/drivers/thermal/thermal_debugfs.h +index 155b9af5fe870..c28bd4c114124 100644 +--- a/drivers/thermal/thermal_debugfs.h ++++ b/drivers/thermal/thermal_debugfs.h +@@ -2,7 +2,7 @@ + + #ifdef CONFIG_THERMAL_DEBUGFS + void thermal_debug_init(void); +-void thermal_debug_cdev_add(struct thermal_cooling_device *cdev); ++void thermal_debug_cdev_add(struct thermal_cooling_device *cdev, int state); + void thermal_debug_cdev_remove(struct thermal_cooling_device *cdev); + void thermal_debug_cdev_state_update(const struct thermal_cooling_device *cdev, int state); + void thermal_debug_tz_add(struct thermal_zone_device *tz); +@@ -14,7 +14,7 @@ void thermal_debug_tz_trip_down(struct thermal_zone_device *tz, + void thermal_debug_update_temp(struct thermal_zone_device *tz); + #else + static inline void thermal_debug_init(void) {} +-static inline void thermal_debug_cdev_add(struct thermal_cooling_device *cdev) {} ++static inline void thermal_debug_cdev_add(struct thermal_cooling_device *cdev, int state) {} + static inline void thermal_debug_cdev_remove(struct thermal_cooling_device *cdev) {} + static inline void thermal_debug_cdev_state_update(const struct thermal_cooling_device *cdev, + int state) {} +-- +2.43.0 + diff --git a/queue-6.9/thermal-drivers-mediatek-lvts_thermal-add-coeff-for-.patch b/queue-6.9/thermal-drivers-mediatek-lvts_thermal-add-coeff-for-.patch new file mode 100644 index 00000000000..764cb8c3d53 --- /dev/null +++ b/queue-6.9/thermal-drivers-mediatek-lvts_thermal-add-coeff-for-.patch @@ -0,0 +1,45 @@ +From b478809ccdb54dccb37f40573bee98ab1e3d5361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 07:35:47 +0000 +Subject: thermal/drivers/mediatek/lvts_thermal: Add coeff for mt8192 + +From: Hsin-Te Yuan + +[ Upstream commit 7954c92ede882b0dfd52a5db90291a4151b44c1a ] + +In order for lvts_raw_to_temp to function properly on mt8192, +temperature coefficients for mt8192 need to be added. + +Fixes: 288732242db4 ("thermal/drivers/mediatek/lvts_thermal: Add mt8192 support") +Signed-off-by: Hsin-Te Yuan +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240416-lvts_thermal-v2-1-f8a36882cc53@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/thermal/mediatek/lvts_thermal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c +index fd4bd650c77a6..4e5c213a89225 100644 +--- a/drivers/thermal/mediatek/lvts_thermal.c ++++ b/drivers/thermal/mediatek/lvts_thermal.c +@@ -1530,11 +1530,15 @@ static const struct lvts_data mt7988_lvts_ap_data = { + static const struct lvts_data mt8192_lvts_mcu_data = { + .lvts_ctrl = mt8192_lvts_mcu_data_ctrl, + .num_lvts_ctrl = ARRAY_SIZE(mt8192_lvts_mcu_data_ctrl), ++ .temp_factor = LVTS_COEFF_A_MT8195, ++ .temp_offset = LVTS_COEFF_B_MT8195, + }; + + static const struct lvts_data mt8192_lvts_ap_data = { + .lvts_ctrl = mt8192_lvts_ap_data_ctrl, + .num_lvts_ctrl = ARRAY_SIZE(mt8192_lvts_ap_data_ctrl), ++ .temp_factor = LVTS_COEFF_A_MT8195, ++ .temp_offset = LVTS_COEFF_B_MT8195, + }; + + static const struct lvts_data mt8195_lvts_mcu_data = { +-- +2.43.0 + diff --git a/queue-6.9/thermal-drivers-tsens-fix-null-pointer-dereference.patch b/queue-6.9/thermal-drivers-tsens-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..c0ca7ac2289 --- /dev/null +++ b/queue-6.9/thermal-drivers-tsens-fix-null-pointer-dereference.patch @@ -0,0 +1,42 @@ +From 38610d46aad497f1b3e154a2a85e90bddc269f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 14:40:21 +0300 +Subject: thermal/drivers/tsens: Fix null pointer dereference + +From: Aleksandr Mishin + +[ Upstream commit d998ddc86a27c92140b9f7984ff41e3d1d07a48f ] + +compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) +as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null +pointer dereference (if DEBUG or DYNAMIC_DEBUG set). +Fix this bug by adding null pointer check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: dfc1193d4dbd ("thermal/drivers/tsens: Replace custom 8960 apis with generic apis") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Konrad Dybcio +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240411114021.12203-1-amishin@t-argos.ru +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c +index 6d7c16ccb44dc..4edee8d929a75 100644 +--- a/drivers/thermal/qcom/tsens.c ++++ b/drivers/thermal/qcom/tsens.c +@@ -264,7 +264,7 @@ void compute_intercept_slope(struct tsens_priv *priv, u32 *p1, + for (i = 0; i < priv->num_sensors; i++) { + dev_dbg(priv->dev, + "%s: sensor%d - data_point1:%#x data_point2:%#x\n", +- __func__, i, p1[i], p2[i]); ++ __func__, i, p1[i], p2 ? p2[i] : 0); + + if (!priv->sensor[i].slope) + priv->sensor[i].slope = SLOPE_DEFAULT; +-- +2.43.0 + diff --git a/queue-6.9/tracing-user_events-fix-non-spaced-field-matching.patch b/queue-6.9/tracing-user_events-fix-non-spaced-field-matching.patch new file mode 100644 index 00000000000..bddf43d4da4 --- /dev/null +++ b/queue-6.9/tracing-user_events-fix-non-spaced-field-matching.patch @@ -0,0 +1,139 @@ +From e502c265ad12821367088a1f060ce7f427381e90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 16:23:37 +0000 +Subject: tracing/user_events: Fix non-spaced field matching + +From: Beau Belgrave + +[ Upstream commit bd125a084091396f3e796bb3dc009940d9771811 ] + +When the ABI was updated to prevent same name w/different args, it +missed an important corner case when fields don't end with a space. +Typically, space is used for fields to help separate them, like +"u8 field1; u8 field2". If no spaces are used, like +"u8 field1;u8 field2", then the parsing works for the first time. +However, the match check fails on a subsequent register, leading to +confusion. + +This is because the match check uses argv_split() and assumes that all +fields will be split upon the space. When spaces are used, we get back +{ "u8", "field1;" }, without spaces we get back { "u8", "field1;u8" }. +This causes a mismatch, and the user program gets back -EADDRINUSE. + +Add a method to detect this case before calling argv_split(). If found +force a space after the field separator character ';'. This ensures all +cases work properly for matching. + +With this fix, the following are all treated as matching: +u8 field1;u8 field2 +u8 field1; u8 field2 +u8 field1;\tu8 field2 +u8 field1;\nu8 field2 + +Link: https://lore.kernel.org/linux-trace-kernel/20240423162338.292-2-beaub@linux.microsoft.com + +Fixes: ba470eebc2f6 ("tracing/user_events: Prevent same name but different args event") +Signed-off-by: Beau Belgrave +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_user.c | 76 +++++++++++++++++++++++++++++++- + 1 file changed, 75 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c +index 70d428c394b68..82b191f33a28f 100644 +--- a/kernel/trace/trace_events_user.c ++++ b/kernel/trace/trace_events_user.c +@@ -1989,6 +1989,80 @@ static int user_event_set_tp_name(struct user_event *user) + return 0; + } + ++/* ++ * Counts how many ';' without a trailing space are in the args. ++ */ ++static int count_semis_no_space(char *args) ++{ ++ int count = 0; ++ ++ while ((args = strchr(args, ';'))) { ++ args++; ++ ++ if (!isspace(*args)) ++ count++; ++ } ++ ++ return count; ++} ++ ++/* ++ * Copies the arguments while ensuring all ';' have a trailing space. ++ */ ++static char *insert_space_after_semis(char *args, int count) ++{ ++ char *fixed, *pos; ++ int len; ++ ++ len = strlen(args) + count; ++ fixed = kmalloc(len + 1, GFP_KERNEL); ++ ++ if (!fixed) ++ return NULL; ++ ++ pos = fixed; ++ ++ /* Insert a space after ';' if there is no trailing space. */ ++ while (*args) { ++ *pos = *args++; ++ ++ if (*pos++ == ';' && !isspace(*args)) ++ *pos++ = ' '; ++ } ++ ++ *pos = '\0'; ++ ++ return fixed; ++} ++ ++static char **user_event_argv_split(char *args, int *argc) ++{ ++ char **split; ++ char *fixed; ++ int count; ++ ++ /* Count how many ';' without a trailing space */ ++ count = count_semis_no_space(args); ++ ++ /* No fixup is required */ ++ if (!count) ++ return argv_split(GFP_KERNEL, args, argc); ++ ++ /* We must fixup 'field;field' to 'field; field' */ ++ fixed = insert_space_after_semis(args, count); ++ ++ if (!fixed) ++ return NULL; ++ ++ /* We do a normal split afterwards */ ++ split = argv_split(GFP_KERNEL, fixed, argc); ++ ++ /* We can free since argv_split makes a copy */ ++ kfree(fixed); ++ ++ return split; ++} ++ + /* + * Parses the event name, arguments and flags then registers if successful. + * The name buffer lifetime is owned by this method for success cases only. +@@ -2012,7 +2086,7 @@ static int user_event_parse(struct user_event_group *group, char *name, + return -EPERM; + + if (args) { +- argv = argv_split(GFP_KERNEL, args, &argc); ++ argv = user_event_argv_split(args, &argc); + + if (!argv) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.9/udp-avoid-call-to-compute_score-on-multiple-sites.patch b/queue-6.9/udp-avoid-call-to-compute_score-on-multiple-sites.patch new file mode 100644 index 00000000000..696c4661aa4 --- /dev/null +++ b/queue-6.9/udp-avoid-call-to-compute_score-on-multiple-sites.patch @@ -0,0 +1,164 @@ +From 5398429313ce981ceef69d1fc4d4b4d634fbdcf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:20:04 -0400 +Subject: udp: Avoid call to compute_score on multiple sites + +From: Gabriel Krisman Bertazi + +[ Upstream commit 50aee97d15113b95a68848db1f0cb2a6c09f753a ] + +We've observed a 7-12% performance regression in iperf3 UDP ipv4 and +ipv6 tests with multiple sockets on Zen3 cpus, which we traced back to +commit f0ea27e7bfe1 ("udp: re-score reuseport groups when connected +sockets are present"). The failing tests were those that would spawn +UDP sockets per-cpu on systems that have a high number of cpus. + +Unsurprisingly, it is not caused by the extra re-scoring of the reused +socket, but due to the compiler no longer inlining compute_score, once +it has the extra call site in udp4_lib_lookup2. This is augmented by +the "Safe RET" mitigation for SRSO, needed in our Zen3 cpus. + +We could just explicitly inline it, but compute_score() is quite a large +function, around 300b. Inlining in two sites would almost double +udp4_lib_lookup2, which is a silly thing to do just to workaround a +mitigation. Instead, this patch shuffles the code a bit to avoid the +multiple calls to compute_score. Since it is a static function used in +one spot, the compiler can safely fold it in, as it did before, without +increasing the text size. + +With this patch applied I ran my original iperf3 testcases. The failing +cases all looked like this (ipv4): + iperf3 -c 127.0.0.1 --udp -4 -f K -b $R -l 8920 -t 30 -i 5 -P 64 -O 2 + +where $R is either 1G/10G/0 (max, unlimited). I ran 3 times each. +baseline is v6.9-rc3. harmean == harmonic mean; CV == coefficient of +variation. + +ipv4: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 1743852.66(0.0208) 1725933.02(0.0167) 1705203.78(0.0386) +patched 1968727.61(0.0035) 1962283.22(0.0195) 1923853.50(0.0256) + +ipv6: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 1729020.03(0.0028) 1691704.49(0.0243) 1692251.34(0.0083) +patched 1900422.19(0.0067) 1900968.01(0.0067) 1568532.72(0.1519) + +This restores the performance we had before the change above with this +benchmark. We obviously don't expect any real impact when mitigations +are disabled, but just to be sure it also doesn't regresses: + +mitigations=off ipv4: + 1G 10G MAX + HARMEAN (CV) HARMEAN (CV) HARMEAN (CV) +baseline 3230279.97(0.0066) 3229320.91(0.0060) 2605693.19(0.0697) +patched 3242802.36(0.0073) 3239310.71(0.0035) 2502427.19(0.0882) + +Cc: Lorenz Bauer +Fixes: f0ea27e7bfe1 ("udp: re-score reuseport groups when connected sockets are present") +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 21 ++++++++++++++++----- + net/ipv6/udp.c | 20 ++++++++++++++++---- + 2 files changed, 32 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index b32cf2eeeb41d..b5ad0c527c521 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -427,15 +427,21 @@ static struct sock *udp4_lib_lookup2(struct net *net, + { + struct sock *sk, *result; + int score, badness; ++ bool need_rescore; + + result = NULL; + badness = 0; + udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) { +- score = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ need_rescore = false; ++rescore: ++ score = compute_score(need_rescore ? result : sk, net, saddr, ++ sport, daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; + ++ if (need_rescore) ++ continue; ++ + if (sk->sk_state == TCP_ESTABLISHED) { + result = sk; + continue; +@@ -456,9 +462,14 @@ static struct sock *udp4_lib_lookup2(struct net *net, + if (IS_ERR(result)) + continue; + +- badness = compute_score(result, net, saddr, sport, +- daddr, hnum, dif, sdif); +- ++ /* compute_score is too long of a function to be ++ * inlined, and calling it again here yields ++ * measureable overhead for some ++ * workloads. Work around it by jumping ++ * backwards to rescore 'result'. ++ */ ++ need_rescore = true; ++ goto rescore; + } + } + return result; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 8f7aa8bac1e7b..e0dd5bc2b30eb 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -168,15 +168,21 @@ static struct sock *udp6_lib_lookup2(struct net *net, + { + struct sock *sk, *result; + int score, badness; ++ bool need_rescore; + + result = NULL; + badness = -1; + udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) { +- score = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ need_rescore = false; ++rescore: ++ score = compute_score(need_rescore ? result : sk, net, saddr, ++ sport, daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; + ++ if (need_rescore) ++ continue; ++ + if (sk->sk_state == TCP_ESTABLISHED) { + result = sk; + continue; +@@ -197,8 +203,14 @@ static struct sock *udp6_lib_lookup2(struct net *net, + if (IS_ERR(result)) + continue; + +- badness = compute_score(sk, net, saddr, sport, +- daddr, hnum, dif, sdif); ++ /* compute_score is too long of a function to be ++ * inlined, and calling it again here yields ++ * measureable overhead for some ++ * workloads. Work around it by jumping ++ * backwards to rescore 'result'. ++ */ ++ need_rescore = true; ++ goto rescore; + } + } + return result; +-- +2.43.0 + diff --git a/queue-6.9/usb-aqc111-stop-lying-about-skb-truesize.patch b/queue-6.9/usb-aqc111-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..1e03123cb26 --- /dev/null +++ b/queue-6.9/usb-aqc111-stop-lying-about-skb-truesize.patch @@ -0,0 +1,55 @@ +From 3555c6691e94bd375701cae1ba7dc20ab5a838cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 13:55:46 +0000 +Subject: usb: aqc111: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 9aad6e45c4e7d16b2bb7c3794154b828fb4384b4 ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +I replace one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +Fixes: 361459cd9642 ("net: usb: aqc111: Implement RX data path") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240506135546.3641185-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 7b8afa589a53c..284375f662f1e 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1141,17 +1141,15 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + continue; + } + +- /* Clone SKB */ +- new_skb = skb_clone(skb, GFP_ATOMIC); ++ new_skb = netdev_alloc_skb_ip_align(dev->net, pkt_len); + + if (!new_skb) + goto err; + +- new_skb->len = pkt_len; ++ skb_put(new_skb, pkt_len); ++ memcpy(new_skb->data, skb->data, pkt_len); + skb_pull(new_skb, AQ_RX_HW_PAD); +- skb_set_tail_pointer(new_skb, new_skb->len); + +- new_skb->truesize = SKB_TRUESIZE(new_skb->len); + if (aqc111_data->rx_checksum) + aqc111_rx_checksum(new_skb, pkt_desc); + +-- +2.43.0 + diff --git a/queue-6.9/virt-acrn-stop-using-follow_pfn.patch b/queue-6.9/virt-acrn-stop-using-follow_pfn.patch new file mode 100644 index 00000000000..3a30502d7c8 --- /dev/null +++ b/queue-6.9/virt-acrn-stop-using-follow_pfn.patch @@ -0,0 +1,71 @@ +From 5ffd8113642c2132078d4df0e7632b5feb414892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 07:45:40 +0800 +Subject: virt: acrn: stop using follow_pfn + +From: Christoph Hellwig + +[ Upstream commit 1b265da7ea1e1ae997fa119c2846bb389eb39c6b ] + +Patch series "remove follow_pfn". + +This series open codes follow_pfn in the only remaining caller, although +the code there remains questionable. It then also moves follow_phys into +the only user and simplifies it a bit. + +This patch (of 3): + +Switch from follow_pfn to follow_pte so that we can get rid of follow_pfn. +Note that this doesn't fix any of the pre-existing raciness and lack of +permission checking in the code. + +Link: https://lkml.kernel.org/r/20240324234542.2038726-1-hch@lst.de +Link: https://lkml.kernel.org/r/20240324234542.2038726-2-hch@lst.de +Signed-off-by: Christoph Hellwig +Reviewed-by: David Hildenbrand +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Fei Li +Cc: Peter Zijlstra +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Stable-dep-of: 3d6586008f7b ("drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()") +Signed-off-by: Sasha Levin +--- + drivers/virt/acrn/mm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c +index fa5d9ca6be570..69c3f619f8819 100644 +--- a/drivers/virt/acrn/mm.c ++++ b/drivers/virt/acrn/mm.c +@@ -171,18 +171,24 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap) + mmap_read_lock(current->mm); + vma = vma_lookup(current->mm, memmap->vma_base); + if (vma && ((vma->vm_flags & VM_PFNMAP) != 0)) { ++ spinlock_t *ptl; ++ pte_t *ptep; ++ + if ((memmap->vma_base + memmap->len) > vma->vm_end) { + mmap_read_unlock(current->mm); + return -EINVAL; + } + +- ret = follow_pfn(vma, memmap->vma_base, &pfn); +- mmap_read_unlock(current->mm); ++ ret = follow_pte(vma->vm_mm, memmap->vma_base, &ptep, &ptl); + if (ret < 0) { ++ mmap_read_unlock(current->mm); + dev_dbg(acrn_dev.this_device, + "Failed to lookup PFN at VMA:%pK.\n", (void *)memmap->vma_base); + return ret; + } ++ pfn = pte_pfn(ptep_get(ptep)); ++ pte_unmap_unlock(ptep, ptl); ++ mmap_read_unlock(current->mm); + + return acrn_mm_region_add(vm, memmap->user_vm_pa, + PFN_PHYS(pfn), memmap->len, +-- +2.43.0 + diff --git a/queue-6.9/wifi-ar5523-enable-proper-endpoint-verification.patch b/queue-6.9/wifi-ar5523-enable-proper-endpoint-verification.patch new file mode 100644 index 00000000000..ef3f942584a --- /dev/null +++ b/queue-6.9/wifi-ar5523-enable-proper-endpoint-verification.patch @@ -0,0 +1,99 @@ +From 2403767f44170391ef515734170e1af5abad4d5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 05:14:25 -0700 +Subject: wifi: ar5523: enable proper endpoint verification + +From: Nikita Zhandarovich + +[ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ] + +Syzkaller reports [1] hitting a warning about an endpoint in use +not having an expected type to it. + +Fix the issue by checking for the existence of all proper +endpoints with their according types intact. + +Sadly, this patch has not been tested on real hardware. + +[1] Syzkaller report: +------------[ cut here ]------------ +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 + ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] + ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] + ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 + usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 + usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 + hub_port_connect drivers/usb/core/hub.c:5353 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] + port_event drivers/usb/core/hub.c:5653 [inline] + hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com +Fixes: b7d572e1871d ("ar5523: Add new driver") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 815f8f599f5d1..5a55db349cb57 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1594,6 +1594,20 @@ static int ar5523_probe(struct usb_interface *intf, + struct ar5523 *ar; + int error = -ENOMEM; + ++ static const u8 bulk_ep_addr[] = { ++ AR5523_CMD_TX_PIPE | USB_DIR_OUT, ++ AR5523_DATA_TX_PIPE | USB_DIR_OUT, ++ AR5523_CMD_RX_PIPE | USB_DIR_IN, ++ AR5523_DATA_RX_PIPE | USB_DIR_IN, ++ 0}; ++ ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) { ++ dev_err(&dev->dev, ++ "Could not find all expected endpoints\n"); ++ error = -ENODEV; ++ goto out; ++ } ++ + /* + * Load firmware if the device requires it. This will return + * -ENXIO on success and we'll get called back afer the usb +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch b/queue-6.9/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch new file mode 100644 index 00000000000..6f716a39c14 --- /dev/null +++ b/queue-6.9/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch @@ -0,0 +1,43 @@ +From 9b52e8a22b550d8dadf69ef59d2129ba25c5e5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:42:44 +0800 +Subject: wifi: ath10k: Fix an error code problem in + ath10k_dbg_sta_write_peer_debug_trigger() + +From: Su Hui + +[ Upstream commit c511a9c12674d246916bb16c479d496b76983193 ] + +Clang Static Checker (scan-build) warns: + +drivers/net/wireless/ath/ath10k/debugfs_sta.c:line 429, column 3 +Value stored to 'ret' is never read. + +Return 'ret' rather than 'count' when 'ret' stores an error code. + +Fixes: ee8b08a1be82 ("ath10k: add debugfs support to get per peer tids log via tracing") +Signed-off-by: Su Hui +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422034243.938962-1-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +index 394bf3c32abff..0f6de862c3a9b 100644 +--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +@@ -439,7 +439,7 @@ ath10k_dbg_sta_write_peer_debug_trigger(struct file *file, + } + out: + mutex_unlock(&ar->conf_mutex); +- return count; ++ return ret ?: count; + } + + static const struct file_operations fops_peer_debug_trigger = { +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath10k-poll-service-ready-message-before-failin.patch b/queue-6.9/wifi-ath10k-poll-service-ready-message-before-failin.patch new file mode 100644 index 00000000000..9772cbc017b --- /dev/null +++ b/queue-6.9/wifi-ath10k-poll-service-ready-message-before-failin.patch @@ -0,0 +1,81 @@ +From 8d5d8cb1f824fc10a289f0917133829932ed4653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 07:15:14 +0200 +Subject: wifi: ath10k: poll service ready message before failing + +From: Baochen Qiang + +[ Upstream commit e57b7d62a1b2f496caf0beba81cec3c90fad80d5 ] + +Currently host relies on CE interrupts to get notified that +the service ready message is ready. This results in timeout +issue if the interrupt is not fired, due to some unknown +reasons. See below logs: + +[76321.937866] ath10k_pci 0000:02:00.0: wmi service ready event not received +... +[76322.016738] ath10k_pci 0000:02:00.0: Could not init core: -110 + +And finally it causes WLAN interface bring up failure. + +Change to give it one more chance here by polling CE rings, +before failing directly. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1 + +Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices") +Reported-by: James Prestwood +Tested-By: James Prestwood # on QCA6174 hw3.2 +Link: https://lore.kernel.org/linux-wireless/304ce305-fbe6-420e-ac2a-d61ae5e6ca1a@gmail.com/ +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240227030409.89702-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 2e9661f4bea82..80d255aaff1be 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1763,12 +1763,32 @@ void ath10k_wmi_put_wmi_channel(struct ath10k *ar, struct wmi_channel *ch, + + int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) + { +- unsigned long time_left; ++ unsigned long time_left, i; + + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, + WMI_SERVICE_READY_TIMEOUT_HZ); +- if (!time_left) +- return -ETIMEDOUT; ++ if (!time_left) { ++ /* Sometimes the PCI HIF doesn't receive interrupt ++ * for the service ready message even if the buffer ++ * was completed. PCIe sniffer shows that it's ++ * because the corresponding CE ring doesn't fires ++ * it. Workaround here by polling CE rings once. ++ */ ++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); ++ ++ for (i = 0; i < CE_COUNT; i++) ++ ath10k_hif_send_complete_check(ar, i, 1); ++ ++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready, ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ ath10k_warn(ar, "polling timed out\n"); ++ return -ETIMEDOUT; ++ } ++ ++ ath10k_warn(ar, "service ready completion received, continuing normally\n"); ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath10k-populate-board-data-for-wcn3990.patch b/queue-6.9/wifi-ath10k-populate-board-data-for-wcn3990.patch new file mode 100644 index 00000000000..48d60f1171b --- /dev/null +++ b/queue-6.9/wifi-ath10k-populate-board-data-for-wcn3990.patch @@ -0,0 +1,65 @@ +From 28c8e038710559975b9e363a52b65e856d249a8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 08:47:06 +0200 +Subject: wifi: ath10k: populate board data for WCN3990 + +From: Dmitry Baryshkov + +[ Upstream commit f1f1b5b055c9f27a2f90fd0f0521f5920e9b3c18 ] + +Specify board data size (and board.bin filename) for the WCN3990 +platform. + +Reported-by: Yongqin Liu +Fixes: 03a72288c546 ("ath10k: wmi: add hw params entry for wcn3990") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240130-wcn3990-board-fw-v1-1-738f7c19a8c8@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 3 +++ + drivers/net/wireless/ath/ath10k/hw.h | 1 + + drivers/net/wireless/ath/ath10k/targaddrs.h | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 9ce6f49ab2614..fa5e2e6518313 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -720,6 +720,9 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .max_spatial_stream = 4, + .fw = { + .dir = WCN3990_HW_1_0_FW_DIR, ++ .board = WCN3990_HW_1_0_BOARD_DATA_FILE, ++ .board_size = WCN3990_BOARD_DATA_SZ, ++ .board_ext_size = WCN3990_BOARD_EXT_DATA_SZ, + }, + .sw_decrypt_mcast_mgmt = true, + .rx_desc_ops = &wcn3990_rx_desc_ops, +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 93c0730919966..9aa2d821b5078 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -133,6 +133,7 @@ enum qca9377_chip_id_rev { + /* WCN3990 1.0 definitions */ + #define WCN3990_HW_1_0_DEV_VERSION ATH10K_HW_WCN3990 + #define WCN3990_HW_1_0_FW_DIR ATH10K_FW_DIR "/WCN3990/hw1.0" ++#define WCN3990_HW_1_0_BOARD_DATA_FILE "board.bin" + + #define ATH10K_FW_FILE_BASE "firmware" + #define ATH10K_FW_API_MAX 6 +diff --git a/drivers/net/wireless/ath/ath10k/targaddrs.h b/drivers/net/wireless/ath/ath10k/targaddrs.h +index ec556bb88d658..ba37e6c7ced08 100644 +--- a/drivers/net/wireless/ath/ath10k/targaddrs.h ++++ b/drivers/net/wireless/ath/ath10k/targaddrs.h +@@ -491,4 +491,7 @@ struct host_interest { + #define QCA4019_BOARD_DATA_SZ 12064 + #define QCA4019_BOARD_EXT_DATA_SZ 0 + ++#define WCN3990_BOARD_DATA_SZ 26328 ++#define WCN3990_BOARD_EXT_DATA_SZ 0 ++ + #endif /* __TARGADDRS_H__ */ +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch b/queue-6.9/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch new file mode 100644 index 00000000000..6afff9a2370 --- /dev/null +++ b/queue-6.9/wifi-ath11k-don-t-force-enable-power-save-on-non-run.patch @@ -0,0 +1,94 @@ +From d84d774c30e1221cbcb7cf3be64fcc6c0427fdbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 19:31:15 +0800 +Subject: wifi: ath11k: don't force enable power save on non-running vdevs + +From: Baochen Qiang + +[ Upstream commit 01296b39d3515f20a1db64d3c421c592b1e264a0 ] + +Currently we force enable power save on non-running vdevs, this results +in unexpected ping latency in below scenarios: + 1. disable power save from userspace. + 2. trigger suspend/resume. + +With step 1 power save is disabled successfully and we get a good latency: + +PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=5.13 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=5.45 ms +64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=5.99 ms +64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=6.34 ms +64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=4.47 ms +64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=6.45 ms + +While after step 2, the latency becomes much larger: + +PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=17.7 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=15.0 ms +64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=14.3 ms +64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=16.5 ms +64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=20.1 ms + +The reason is, with step 2, power save is force enabled due to vdev not +running, although mac80211 was trying to disable it to honor userspace +configuration: + +ath11k_pci 0000:03:00.0: wmi cmd sta powersave mode psmode 1 vdev id 0 +Call Trace: + ath11k_wmi_pdev_set_ps_mode + ath11k_mac_op_bss_info_changed + ieee80211_bss_info_change_notify + ieee80211_reconfig + ieee80211_resume + wiphy_resume + +This logic is taken from ath10k where it was added due to below comment: + + Firmware doesn't behave nicely and consumes more power than + necessary if PS is disabled on a non-started vdev. + +However we don't know whether such an issue also occurs to ath11k firmware +or not. But even if it does, it's not appropriate because it goes against +userspace, even cfg/mac80211 don't know we have enabled it in fact. + +Remove it to fix this issue. In this way we not only get a better latency, +but also, and the most important, keeps the consistency between userspace +and kernel/driver. The biggest price for that would be the power consumption, +which is not that important, compared with the consistency. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Fixes: b2beffa7d9a6 ("ath11k: enable 802.11 power save mode in station mode") +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240309113115.11498-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 9f4bf41a3d41e..2fca415322aec 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -1231,14 +1231,7 @@ static int ath11k_mac_vif_setup_ps(struct ath11k_vif *arvif) + + enable_ps = arvif->ps; + +- if (!arvif->is_started) { +- /* mac80211 can update vif powersave state while disconnected. +- * Firmware doesn't behave nicely and consumes more power than +- * necessary if PS is disabled on a non-started vdev. Hence +- * force-enable PS for non-running vdevs. +- */ +- psmode = WMI_STA_PS_MODE_ENABLED; +- } else if (enable_ps) { ++ if (enable_ps) { + psmode = WMI_STA_PS_MODE_ENABLED; + param = WMI_STA_PS_PARAM_INACTIVITY_TIME; + +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch b/queue-6.9/wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch new file mode 100644 index 00000000000..c56fb32c044 --- /dev/null +++ b/queue-6.9/wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch @@ -0,0 +1,72 @@ +From be7fe445718cf9a3a6c0f862dfd21c0ca30ffdae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 18:30:25 +0300 +Subject: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() + +From: Karthikeyan Kathirvel + +[ Upstream commit e1bdff48a1bb4a4ac660c19c55a820968c48b3f2 ] + +Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence +facing below KASAN warning, + + ================================================================== + BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148 + Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273 + + CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0 + Workqueue: qmi_msg_handler qmi_data_ready_work + Call trace: + dump_backtrace+0x0/0x20c + show_stack+0x14/0x1c + dump_stack+0xe0/0x138 + print_address_description.isra.5+0x30/0x330 + __kasan_report+0x16c/0x1bc + kasan_report+0xc/0x14 + __asan_load8+0xa8/0xb0 + qmi_invoke_handler+0xa4/0x148 + qmi_handle_message+0x18c/0x1bc + qmi_data_ready_work+0x4ec/0x528 + process_one_work+0x2c0/0x440 + worker_thread+0x324/0x4b8 + kthread+0x210/0x228 + ret_from_fork+0x10/0x18 + + The address belongs to the variable: + ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k] + [...] + ================================================================== + +Add a dummy terminator entry at the end to assist the qmi_invoke_handler() +in traversing up to the terminator entry without accessing an +out-of-boundary index. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Reviewed-by: Jeff Johnson +Signed-off-by: Karthikeyan Kathirvel +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240416080234.2882725-1-quic_kathirve@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/qmi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c +index 92845ffff44ad..40b6abccbb508 100644 +--- a/drivers/net/wireless/ath/ath12k/qmi.c ++++ b/drivers/net/wireless/ath/ath12k/qmi.c +@@ -3178,6 +3178,9 @@ static const struct qmi_msg_handler ath12k_qmi_msg_handlers[] = { + .decoded_size = sizeof(struct qmi_wlanfw_fw_ready_ind_msg_v01), + .fn = ath12k_qmi_msg_fw_ready_cb, + }, ++ ++ /* end of list */ ++ {}, + }; + + static int ath12k_qmi_ops_new_server(struct qmi_handle *qmi_hdl, +-- +2.43.0 + diff --git a/queue-6.9/wifi-ath12k-use-correct-flag-field-for-320-mhz-chann.patch b/queue-6.9/wifi-ath12k-use-correct-flag-field-for-320-mhz-chann.patch new file mode 100644 index 00000000000..104f1c072b9 --- /dev/null +++ b/queue-6.9/wifi-ath12k-use-correct-flag-field-for-320-mhz-chann.patch @@ -0,0 +1,44 @@ +From 1016691814cab2c825e4e0cfe882f9e5876d0aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 13:46:51 -0700 +Subject: wifi: ath12k: use correct flag field for 320 MHz channels + +From: Aloka Dixit + +[ Upstream commit 020e08ae5e68cbc0791e8d842443a86eb6aa99f6 ] + +Due to an error during rebasing the patchset 320 MHz channel support got +broken. ath12k was setting the QoS bit instead of the correct flag. +WMI_PEER_EXT_320MHZ (0x2) is defined as an extended flag, replace +peer_flags by peer_flags_ext while sending peer data. + +This affected both QCN9274 and WCN7850 which use the same flag. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Fixes: 6734cf9b4cc7 ("wifi: ath12k: peer assoc for 320 MHz") +Signed-off-by: Aloka Dixit +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240314204651.11075-1-quic_alokad@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index 9d69a17699264..34de3d16efc09 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -1900,7 +1900,7 @@ static void ath12k_wmi_copy_peer_flags(struct wmi_peer_assoc_complete_cmd *cmd, + if (arg->bw_160) + cmd->peer_flags |= cpu_to_le32(WMI_PEER_160MHZ); + if (arg->bw_320) +- cmd->peer_flags |= cpu_to_le32(WMI_PEER_EXT_320MHZ); ++ cmd->peer_flags_ext |= cpu_to_le32(WMI_PEER_EXT_320MHZ); + + /* Typically if STBC is enabled for VHT it should be enabled + * for HT as well +-- +2.43.0 + diff --git a/queue-6.9/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch b/queue-6.9/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch new file mode 100644 index 00000000000..4cfc3682664 --- /dev/null +++ b/queue-6.9/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch @@ -0,0 +1,71 @@ +From d05b0018ed550ee9880cd8581da7c1f34eee7dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 22:04:37 +0800 +Subject: wifi: brcmfmac: pcie: handle randbuf allocation failure + +From: Duoming Zhou + +[ Upstream commit 316f790ebcf94bdf59f794b7cdea4068dc676d4c ] + +The kzalloc() in brcmf_pcie_download_fw_nvram() will return null +if the physical memory has run out. As a result, if we use +get_random_bytes() to generate random bytes in the randbuf, the +null pointer dereference bug will happen. + +In order to prevent allocation failure, this patch adds a separate +function using buffer on kernel stack to generate random bytes in +the randbuf, which could prevent the kernel stack from overflow. + +Fixes: 91918ce88d9f ("wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device") +Suggested-by: Arnd Bergmann +Signed-off-by: Duoming Zhou +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240306140437.18177-1-duoming@zju.edu.cn +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/pcie.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index d7fb88bb6ae1a..06698a714b523 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -1675,6 +1675,15 @@ struct brcmf_random_seed_footer { + #define BRCMF_RANDOM_SEED_MAGIC 0xfeedc0de + #define BRCMF_RANDOM_SEED_LENGTH 0x100 + ++static noinline_for_stack void ++brcmf_pcie_provide_random_bytes(struct brcmf_pciedev_info *devinfo, u32 address) ++{ ++ u8 randbuf[BRCMF_RANDOM_SEED_LENGTH]; ++ ++ get_random_bytes(randbuf, BRCMF_RANDOM_SEED_LENGTH); ++ memcpy_toio(devinfo->tcm + address, randbuf, BRCMF_RANDOM_SEED_LENGTH); ++} ++ + static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + const struct firmware *fw, void *nvram, + u32 nvram_len) +@@ -1717,7 +1726,6 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + .length = cpu_to_le32(rand_len), + .magic = cpu_to_le32(BRCMF_RANDOM_SEED_MAGIC), + }; +- void *randbuf; + + /* Some Apple chips/firmwares expect a buffer of random + * data to be present before NVRAM +@@ -1729,10 +1737,7 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + sizeof(footer)); + + address -= rand_len; +- randbuf = kzalloc(rand_len, GFP_KERNEL); +- get_random_bytes(randbuf, rand_len); +- memcpy_toio(devinfo->tcm + address, randbuf, rand_len); +- kfree(randbuf); ++ brcmf_pcie_provide_random_bytes(devinfo, address); + } + } else { + brcmf_dbg(PCIE, "No matching NVRAM file found %s\n", +-- +2.43.0 + diff --git a/queue-6.9/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch b/queue-6.9/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch new file mode 100644 index 00000000000..d3f80796990 --- /dev/null +++ b/queue-6.9/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch @@ -0,0 +1,97 @@ +From 7e6dc3ec26428c1cc22c552cb12d75ef9acc846e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:33:55 -0700 +Subject: wifi: carl9170: add a proper sanity check for endpoints + +From: Nikita Zhandarovich + +[ Upstream commit b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 ] + +Syzkaller reports [1] hitting a warning which is caused by presence +of a wrong endpoint type at the URB sumbitting stage. While there +was a check for a specific 4th endpoint, since it can switch types +between bulk and interrupt, other endpoints are trusted implicitly. +Similar warning is triggered in a couple of other syzbot issues [2]. + +Fix the issue by doing a comprehensive check of all endpoints +taking into account difference between high- and full-speed +configuration. + +[1] Syzkaller report: +... +WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 + carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] + carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] + carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 + request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + +[2] Related syzkaller crashes: +Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d +Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1 + +Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com +Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") +Signed-off-by: Nikita Zhandarovich +Acked-By: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422183355.3785-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/usb.c | 32 +++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c +index c4edf83559410..a3e03580cd9ff 100644 +--- a/drivers/net/wireless/ath/carl9170/usb.c ++++ b/drivers/net/wireless/ath/carl9170/usb.c +@@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf, + ar->usb_ep_cmd_is_bulk = true; + } + ++ /* Verify that all expected endpoints are present */ ++ if (ar->usb_ep_cmd_is_bulk) { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } else { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } ++ ++ if (err) { ++ carl9170_free(ar); ++ return err; ++ } ++ + usb_set_intfdata(intf, ar); + SET_IEEE80211_DEV(ar->hw, &intf->dev); + +-- +2.43.0 + diff --git a/queue-6.9/wifi-carl9170-re-fix-fortified-memset-warning.patch b/queue-6.9/wifi-carl9170-re-fix-fortified-memset-warning.patch new file mode 100644 index 00000000000..ee2659780ee --- /dev/null +++ b/queue-6.9/wifi-carl9170-re-fix-fortified-memset-warning.patch @@ -0,0 +1,60 @@ +From b4202c4edc3c2c11bdd9d4e9ff3145c717026824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 09:35:58 +0300 +Subject: wifi: carl9170: re-fix fortified-memset warning + +From: Arnd Bergmann + +[ Upstream commit 066afafc10c9476ee36c47c9062527a17e763901 ] + +The carl9170_tx_release() function sometimes triggers a fortified-memset +warning in my randconfig builds: + +In file included from include/linux/string.h:254, + from drivers/net/wireless/ath/carl9170/tx.c:40: +In function 'fortify_memset_chk', + inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, + inlined from 'kref_put' at include/linux/kref.h:65:3, + inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: +include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 493 | __write_overflow_field(p_size_field, size); + +Kees previously tried to avoid this by using memset_after(), but it seems +this does not fully address the problem. I noticed that the memset_after() +here is done on a different part of the union (status) than the original +cast was from (rate_driver_data), which may confuse the compiler. + +Unfortunately, the memset_after() trick does not work on driver_rates[] +because that is part of an anonymous struct, and I could not get +struct_group() to do this either. Using two separate memset() calls +on the two members does address the warning though. + +Fixes: fb5f6a0e8063b ("mac80211: Use memset_after() to clear tx status") +Link: https://lore.kernel.org/lkml/20230623152443.2296825-1-arnd@kernel.org/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Kees Cook +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240328135509.3755090-2-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c +index e902ca80eba78..0226c31a6cae2 100644 +--- a/drivers/net/wireless/ath/carl9170/tx.c ++++ b/drivers/net/wireless/ath/carl9170/tx.c +@@ -280,7 +280,8 @@ static void carl9170_tx_release(struct kref *ref) + * carl9170_tx_fill_rateinfo() has filled the rate information + * before we get to this point. + */ +- memset_after(&txinfo->status, 0, rates); ++ memset(&txinfo->pad, 0, sizeof(txinfo->pad)); ++ memset(&txinfo->rate_driver_data, 0, sizeof(txinfo->rate_driver_data)); + + if (atomic_read(&ar->tx_total_queued)) + ar->tx_schedule = true; +-- +2.43.0 + diff --git a/queue-6.9/wifi-cfg80211-ignore-non-tx-bsss-in-per-sta-profile.patch b/queue-6.9/wifi-cfg80211-ignore-non-tx-bsss-in-per-sta-profile.patch new file mode 100644 index 00000000000..7ffd5cd2b34 --- /dev/null +++ b/queue-6.9/wifi-cfg80211-ignore-non-tx-bsss-in-per-sta-profile.patch @@ -0,0 +1,160 @@ +From 9ccc05e8007e3a0cd31bcc67621a47a540a219c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 18:53:29 +0200 +Subject: wifi: cfg80211: ignore non-TX BSSs in per-STA profile + +From: Benjamin Berg + +[ Upstream commit 97f8df4db4c8ef50b659d8b228c1f42fe111e7c8 ] + +If a non-TX BSS is included in a per-STA profile, then we cannot set +transmitted_bss for it. Even worse, if we do things properly we should +be configuring both bssid_index and max_bssid_indicator correctly. We do +not actually have both pieces of information (and, some APs currently +do not include either). + +So, ignore any per-STA profile where the RNR says that the BSS is not +transmitted. Also fix transmitted_bss to never be set for per-STA +profiles. + +This fixes issues where mac80211 was setting the reference BSSID to an +incorrect value. + +Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses") +Signed-off-by: Benjamin Berg +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240318184907.6a0babed655a.Iad447fea417c63f683da793556b97c31d07a4aab@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 47 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 38 insertions(+), 9 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 5a5dd3ce497fc..9b0dbcd6cf79a 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2207,12 +2207,16 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, + tmp.pub.use_for = data->use_for; + tmp.pub.cannot_use_reasons = data->cannot_use_reasons; + +- if (data->bss_source != BSS_SOURCE_DIRECT) { ++ switch (data->bss_source) { ++ case BSS_SOURCE_MBSSID: + tmp.pub.transmitted_bss = data->source_bss; ++ fallthrough; ++ case BSS_SOURCE_STA_PROFILE: + ts = bss_from_pub(data->source_bss)->ts; + tmp.pub.bssid_index = data->bssid_index; + tmp.pub.max_bssid_indicator = data->max_bssid_indicator; +- } else { ++ break; ++ case BSS_SOURCE_DIRECT: + ts = jiffies; + + if (channel->band == NL80211_BAND_60GHZ) { +@@ -2227,6 +2231,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, + regulatory_hint_found_beacon(wiphy, channel, + gfp); + } ++ break; + } + + /* +@@ -2655,6 +2660,7 @@ struct tbtt_info_iter_data { + u8 param_ch_count; + u32 use_for; + u8 mld_id, link_id; ++ bool non_tx; + }; + + static enum cfg80211_rnr_iter_ret +@@ -2665,14 +2671,20 @@ cfg802121_mld_ap_rnr_iter(void *_data, u8 type, + const struct ieee80211_rnr_mld_params *mld_params; + struct tbtt_info_iter_data *data = _data; + u8 link_id; ++ bool non_tx = false; + + if (type == IEEE80211_TBTT_INFO_TYPE_TBTT && + tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, +- mld_params)) +- mld_params = (void *)(tbtt_info + +- offsetof(struct ieee80211_tbtt_info_ge_11, +- mld_params)); +- else if (type == IEEE80211_TBTT_INFO_TYPE_MLD && ++ mld_params)) { ++ const struct ieee80211_tbtt_info_ge_11 *tbtt_info_ge_11 = ++ (void *)tbtt_info; ++ ++ non_tx = (tbtt_info_ge_11->bss_params & ++ (IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID | ++ IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID)) == ++ IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; ++ mld_params = &tbtt_info_ge_11->mld_params; ++ } else if (type == IEEE80211_TBTT_INFO_TYPE_MLD && + tbtt_info_len >= sizeof(struct ieee80211_rnr_mld_params)) + mld_params = (void *)tbtt_info; + else +@@ -2691,6 +2703,7 @@ cfg802121_mld_ap_rnr_iter(void *_data, u8 type, + data->param_ch_count = + le16_get_bits(mld_params->params, + IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); ++ data->non_tx = non_tx; + + if (type == IEEE80211_TBTT_INFO_TYPE_TBTT) + data->use_for = NL80211_BSS_USE_FOR_ALL; +@@ -2702,7 +2715,7 @@ cfg802121_mld_ap_rnr_iter(void *_data, u8 type, + static u8 + cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, + const struct ieee80211_neighbor_ap_info **ap_info, +- u8 *param_ch_count) ++ u8 *param_ch_count, bool *non_tx) + { + struct tbtt_info_iter_data data = { + .mld_id = mld_id, +@@ -2713,6 +2726,7 @@ cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, + + *ap_info = data.ap_info; + *param_ch_count = data.param_ch_count; ++ *non_tx = data.non_tx; + + return data.use_for; + } +@@ -2892,6 +2906,7 @@ cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, + ssize_t profile_len; + u8 param_ch_count; + u8 link_id, use_for; ++ bool non_tx; + + if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i], + mle->sta_prof_len[i])) +@@ -2937,10 +2952,24 @@ cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, + tx_data->ielen, + mld_id, link_id, + &ap_info, +- ¶m_ch_count); ++ ¶m_ch_count, ++ &non_tx); + if (!use_for) + continue; + ++ /* ++ * As of 802.11be_D5.0, the specification does not give us any ++ * way of discovering both the MaxBSSID and the Multiple-BSSID ++ * Index. It does seem like the Multiple-BSSID Index element ++ * may be provided, but section 9.4.2.45 explicitly forbids ++ * including a Multiple-BSSID Element (in this case without any ++ * subelements). ++ * Without both pieces of information we cannot calculate the ++ * reference BSSID, so simply ignore the BSS. ++ */ ++ if (non_tx) ++ continue; ++ + /* We could sanity check the BSSID is included */ + + if (!ieee80211_operating_class_to_band(ap_info->op_class, +-- +2.43.0 + diff --git a/queue-6.9/wifi-ieee80211-fix-ieee80211_mle_basic_sta_prof_size.patch b/queue-6.9/wifi-ieee80211-fix-ieee80211_mle_basic_sta_prof_size.patch new file mode 100644 index 00000000000..594d484b516 --- /dev/null +++ b/queue-6.9/wifi-ieee80211-fix-ieee80211_mle_basic_sta_prof_size.patch @@ -0,0 +1,45 @@ +From 87dc8530b623a3eed30417e1cbd6f023ff752a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 18:53:18 +0200 +Subject: wifi: ieee80211: fix ieee80211_mle_basic_sta_prof_size_ok() + +From: Johannes Berg + +[ Upstream commit c121514df0daa800cc500dc2738e0b8a1c54af98 ] + +If there was a possibility of an MLE basic STA profile without +subelements, we might reject it because we account for the one +octet for sta_info_len twice (it's part of itself, and in the +fixed portion). Like in ieee80211_mle_reconf_sta_prof_size_ok, +subtract 1 to adjust that. + +When reading the elements we did take this into account, and +since there are always elements, this never really mattered. + +Fixes: 7b6f08771bf6 ("wifi: ieee80211: Support validating ML station profile length") +Signed-off-by: Johannes Berg +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240318184907.00bb0b20ed60.I8c41dd6fc14c4b187ab901dea15ade73c79fb98c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index 3385a2cc5b099..ac5be38d8aaf0 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -5302,7 +5302,7 @@ static inline bool ieee80211_mle_basic_sta_prof_size_ok(const u8 *data, + info_len += 1; + + return prof->sta_info_len >= info_len && +- fixed + prof->sta_info_len <= len; ++ fixed + prof->sta_info_len - 1 <= len; + } + + /** +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-allocate-sta-links-only-for-active-.patch b/queue-6.9/wifi-iwlwifi-mvm-allocate-sta-links-only-for-active-.patch new file mode 100644 index 00000000000..23c754f04fd --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-allocate-sta-links-only-for-active-.patch @@ -0,0 +1,50 @@ +From 3a51f628087345eb4546b70aa3e4b16615f35eee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 10:10:27 +0200 +Subject: wifi: iwlwifi: mvm: allocate STA links only for active links + +From: Johannes Berg + +[ Upstream commit 62bdd97598f8be82a24f556f78336b05d1c3e84b ] + +For the mvm driver, data structures match what's in the firmware, +we allocate FW IDs for them already etc. During link switch we +already allocate/free the STA links appropriately, but initially +we'd allocate them always. Fix this to allocate memory, a STA ID, +etc. only for active links. + +Fixes: 57974a55d995 ("wifi: iwlwifi: mvm: refactor iwl_mvm_mac_sta_state_common()") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240319100755.f2093ff73465.Ie891e1cc9c9df09ae22be6aad5c143e376f40f0e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +index 23e64a757cfe8..4ba1599ed71ca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +@@ -582,14 +582,14 @@ static int iwl_mvm_mld_alloc_sta_links(struct iwl_mvm *mvm, + struct ieee80211_sta *sta) + { + struct iwl_mvm_sta *mvm_sta = iwl_mvm_sta_from_mac80211(sta); ++ struct ieee80211_link_sta *link_sta; + unsigned int link_id; + int ret; + + lockdep_assert_held(&mvm->mutex); + +- for (link_id = 0; link_id < ARRAY_SIZE(sta->link); link_id++) { +- if (!rcu_access_pointer(sta->link[link_id]) || +- mvm_sta->link[link_id]) ++ for_each_sta_active_link(vif, sta, link_sta, link_id) { ++ if (WARN_ON(mvm_sta->link[link_id])) + continue; + + ret = iwl_mvm_mld_alloc_sta_link(mvm, vif, sta, link_id); +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-calculate-emlsr-mode-after-connecti.patch b/queue-6.9/wifi-iwlwifi-mvm-calculate-emlsr-mode-after-connecti.patch new file mode 100644 index 00000000000..3870320b560 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-calculate-emlsr-mode-after-connecti.patch @@ -0,0 +1,177 @@ +From 0b94496624bfeb4577c20fa6359e3a588fa2a6a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 13:53:59 +0300 +Subject: wifi: iwlwifi: mvm: calculate EMLSR mode after connection + +From: Miri Korenblit + +[ Upstream commit 9c6921121961cc0cecccb95652be6d98116f854b ] + +The function iwl_mvm_can_enter_esr() is (among others) calculating +if EMLSR mode is disabled due to BT coex by calling +iwl_mvm_bt_coex_calculate_esr_mode(), then stores the decision in +mvmvif::esr_disable_reason. +But there is no need to calculate this every time iwl_mvm_can_enter_esr +is called. Fix this by calculating it once after authorization, +and in iwl_mvm_can_enter_esr only check mvmvif::esr_disable_reason. + +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240416134215.a767e243366e.I3b32d36cda23f67dc103a28a9bdccb0039d22574@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 585ba158233f ("wifi: iwlwifi: mvm: don't always disable EMLSR due to BT coex") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/coex.c | 10 ++++----- + .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 21 +++++++++++++++++++ + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 13 ++++-------- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 9 +++----- + drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 4 ++-- + 5 files changed, 35 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c +index 2a28e611088d6..5416e41189657 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c +@@ -281,7 +281,7 @@ static void iwl_mvm_bt_coex_enable_esr(struct iwl_mvm *mvm, + * This function receives the LB link id and checks if eSR should be + * enabled or disabled (due to BT coex) + */ +-bool ++static bool + iwl_mvm_bt_coex_calculate_esr_mode(struct iwl_mvm *mvm, + struct ieee80211_vif *vif, + int link_id, int primary_link) +@@ -338,9 +338,9 @@ iwl_mvm_bt_coex_calculate_esr_mode(struct iwl_mvm *mvm, + return wifi_loss_rate <= IWL_MVM_BT_COEX_WIFI_LOSS_THRESH; + } + +-void iwl_mvm_bt_coex_update_vif_esr(struct iwl_mvm *mvm, +- struct ieee80211_vif *vif, +- int link_id) ++void iwl_mvm_bt_coex_update_link_esr(struct iwl_mvm *mvm, ++ struct ieee80211_vif *vif, ++ int link_id) + { + unsigned long usable_links = ieee80211_vif_usable_links(vif); + int primary_link = iwl_mvm_mld_get_primary_link(mvm, vif, +@@ -402,7 +402,7 @@ static void iwl_mvm_bt_notif_per_link(struct iwl_mvm *mvm, + return; + } + +- iwl_mvm_bt_coex_update_vif_esr(mvm, vif, link_id); ++ iwl_mvm_bt_coex_update_link_esr(mvm, vif, link_id); + + if (fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_COEX_SCHEMA_2)) + min_ag_for_static_smps = BT_VERY_HIGH_TRAFFIC; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 5d937d647d98d..2425c22e83f4a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3789,6 +3789,24 @@ iwl_mvm_sta_state_auth_to_assoc(struct ieee80211_hw *hw, + return callbacks->update_sta(mvm, vif, sta); + } + ++static void iwl_mvm_bt_coex_update_vif_esr(struct iwl_mvm *mvm, ++ struct ieee80211_vif *vif) ++{ ++ unsigned long usable_links = ieee80211_vif_usable_links(vif); ++ u8 link_id; ++ ++ for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) { ++ struct ieee80211_bss_conf *link_conf = ++ link_conf_dereference_protected(vif, link_id); ++ ++ if (WARN_ON_ONCE(!link_conf)) ++ return; ++ ++ if (link_conf->chanreq.oper.chan->band == NL80211_BAND_2GHZ) ++ iwl_mvm_bt_coex_update_link_esr(mvm, vif, link_id); ++ } ++} ++ + static int + iwl_mvm_sta_state_assoc_to_authorized(struct iwl_mvm *mvm, + struct ieee80211_vif *vif, +@@ -3816,6 +3834,9 @@ iwl_mvm_sta_state_assoc_to_authorized(struct iwl_mvm *mvm, + callbacks->mac_ctxt_changed(mvm, vif, false); + iwl_mvm_mei_host_associated(mvm, vif, mvm_sta); + ++ /* Calculate eSR mode due to BT coex */ ++ iwl_mvm_bt_coex_update_vif_esr(mvm, vif); ++ + /* when client is authorized (AP station marked as such), + * try to enable more links + */ +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 7a2a18f8b86e2..6ae8406ceb889 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -1294,13 +1294,13 @@ static bool iwl_mvm_can_enter_esr(struct iwl_mvm *mvm, + unsigned long desired_links) + { + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); +- int primary_link = iwl_mvm_mld_get_primary_link(mvm, vif, +- desired_links); ++ u16 usable_links = ieee80211_vif_usable_links(vif); + const struct wiphy_iftype_ext_capab *ext_capa; + bool ret = true; + int link_id; + +- if (primary_link < 0) ++ if (!ieee80211_vif_is_mld(vif) || !vif->cfg.assoc || ++ hweight16(usable_links) <= 1) + return false; + + if (!(vif->cfg.eml_cap & IEEE80211_EML_CAP_EMLSR_SUPP)) +@@ -1323,12 +1323,7 @@ static bool iwl_mvm_can_enter_esr(struct iwl_mvm *mvm, + if (link_conf->chanreq.oper.chan->band != NL80211_BAND_2GHZ) + continue; + +- ret = iwl_mvm_bt_coex_calculate_esr_mode(mvm, vif, link_id, +- primary_link); +- // Mark eSR as disabled for the next time +- if (!ret) +- mvmvif->esr_disable_reason |= IWL_MVM_ESR_DISABLE_COEX; +- break; ++ return !(mvmvif->esr_disable_reason & IWL_MVM_ESR_DISABLE_COEX); + } + + return ret; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +index 609565fadfefe..7bf838b5bd98d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -2141,12 +2141,9 @@ bool iwl_mvm_bt_coex_is_tpc_allowed(struct iwl_mvm *mvm, + u8 iwl_mvm_bt_coex_get_single_ant_msk(struct iwl_mvm *mvm, u8 enabled_ants); + u8 iwl_mvm_bt_coex_tx_prio(struct iwl_mvm *mvm, struct ieee80211_hdr *hdr, + struct ieee80211_tx_info *info, u8 ac); +-bool iwl_mvm_bt_coex_calculate_esr_mode(struct iwl_mvm *mvm, +- struct ieee80211_vif *vif, +- int link_id, int primary_link); +-void iwl_mvm_bt_coex_update_vif_esr(struct iwl_mvm *mvm, +- struct ieee80211_vif *vif, +- int link_id); ++void iwl_mvm_bt_coex_update_link_esr(struct iwl_mvm *mvm, ++ struct ieee80211_vif *vif, ++ int link_id); + + /* beacon filtering */ + #ifdef CONFIG_IWLWIFI_DEBUGFS +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +index b1add7942c5bf..395aef04f691f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +@@ -889,8 +889,8 @@ iwl_mvm_stat_iterator_all_links(struct iwl_mvm *mvm, + + if (link_info->phy_ctxt && + link_info->phy_ctxt->channel->band == NL80211_BAND_2GHZ) +- iwl_mvm_bt_coex_update_vif_esr(mvm, bss_conf->vif, +- link_id); ++ iwl_mvm_bt_coex_update_link_esr(mvm, bss_conf->vif, ++ link_id); + + /* make sure that beacon statistics don't go backwards with TCM + * request to clear statistics +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-do-not-warn-on-invalid-link-on-scan.patch b/queue-6.9/wifi-iwlwifi-mvm-do-not-warn-on-invalid-link-on-scan.patch new file mode 100644 index 00000000000..9c7dd2a3648 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-do-not-warn-on-invalid-link-on-scan.patch @@ -0,0 +1,44 @@ +From eb2ae6f4f21784c59795a0244fa1a6b4cb8fb5c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 10:10:25 +0200 +Subject: wifi: iwlwifi: mvm: Do not warn on invalid link on scan complete + +From: Ilan Peer + +[ Upstream commit 1c78d39f4ede227e50e36165b3a76bc7c37ead02 ] + +As it is possible that by the time the scan is completed the link was +already removed. + +Fixes: 3a5a5cb06700 ("wifi: iwlwifi: mvm: Correctly report TSF data in scan complete") +Signed-off-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240319100755.619d3574a757.I0523e92547f0288c8b0119b1fdc5e967a5a8956e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index 11559563ae381..22bc032cffc8b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -3171,8 +3171,13 @@ void iwl_mvm_rx_umac_scan_complete_notif(struct iwl_mvm *mvm, + struct iwl_mvm_vif_link_info *link_info = + scan_vif->link[mvm->scan_link_id]; + +- if (!WARN_ON(!link_info)) ++ /* It is possible that by the time the scan is complete the link ++ * was already removed and is not valid. ++ */ ++ if (link_info) + memcpy(info.tsf_bssid, link_info->bssid, ETH_ALEN); ++ else ++ IWL_DEBUG_SCAN(mvm, "Scan link is no longer valid\n"); + + ieee80211_scan_completed(mvm->hw, &info); + mvm->scan_vif = NULL; +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-don-t-always-disable-emlsr-due-to-b.patch b/queue-6.9/wifi-iwlwifi-mvm-don-t-always-disable-emlsr-due-to-b.patch new file mode 100644 index 00000000000..44418390afe --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-don-t-always-disable-emlsr-due-to-b.patch @@ -0,0 +1,203 @@ +From ad441580e676c1ead2aeffb05e88bc13fe4730ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 13:54:00 +0300 +Subject: wifi: iwlwifi: mvm: don't always disable EMLSR due to BT coex + +From: Miri Korenblit + +[ Upstream commit 585ba158233f97da05d9bcc59d13ddf45135c8c9 ] + +2.4 GHz/LB (low band) link can't be used in an EMLSR links pair when +BT is on. But EMLSR is still allowed for a pair of links which none of +them operates in LB. +In the existing code, EMLSR will always be disabled if one of the +usable links is in LB (and BT is on). +Move this check to the code that verifies a specific pair of links, +and only if one of these links operates on LB - disable EMLSR. + +Fixes: 10159a45666b ("wifi: iwlwifi: disable eSR when BT is active") +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240416134215.2841006b5cc4.I45ffd583f593daa950322852ceb9454cbf497e24@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 89 +++++++++++-------- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 9 +- + 2 files changed, 56 insertions(+), 42 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 6ae8406ceb889..ffbcc5a2d0ae7 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -602,10 +602,49 @@ struct iwl_mvm_link_sel_data { + bool active; + }; + +-static bool iwl_mvm_mld_valid_link_pair(struct iwl_mvm_link_sel_data *a, ++static bool iwl_mvm_mld_valid_link_pair(struct ieee80211_vif *vif, ++ struct iwl_mvm_link_sel_data *a, + struct iwl_mvm_link_sel_data *b) + { +- return a->band != b->band; ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ ++ if (a->band == b->band) ++ return false; ++ ++ /* BT Coex effects eSR mode only if one of the link is on LB */ ++ if (a->band == NL80211_BAND_2GHZ || b->band == NL80211_BAND_2GHZ) ++ return !(mvmvif->esr_disable_reason & IWL_MVM_ESR_DISABLE_COEX); ++ ++ return true; ++} ++ ++static u8 ++iwl_mvm_set_link_selection_data(struct ieee80211_vif *vif, ++ struct iwl_mvm_link_sel_data *data, ++ unsigned long usable_links) ++{ ++ u8 n_data = 0; ++ unsigned long link_id; ++ ++ rcu_read_lock(); ++ ++ for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) { ++ struct ieee80211_bss_conf *link_conf = ++ rcu_dereference(vif->link_conf[link_id]); ++ ++ if (WARN_ON_ONCE(!link_conf)) ++ continue; ++ ++ data[n_data].link_id = link_id; ++ data[n_data].band = link_conf->chanreq.oper.chan->band; ++ data[n_data].width = link_conf->chanreq.oper.width; ++ data[n_data].active = vif->active_links & BIT(link_id); ++ n_data++; ++ } ++ ++ rcu_read_unlock(); ++ ++ return n_data; + } + + void iwl_mvm_mld_select_links(struct iwl_mvm *mvm, struct ieee80211_vif *vif, +@@ -615,7 +654,7 @@ void iwl_mvm_mld_select_links(struct iwl_mvm *mvm, struct ieee80211_vif *vif, + unsigned long usable_links = ieee80211_vif_usable_links(vif); + u32 max_active_links = iwl_mvm_max_active_links(mvm, vif); + u16 new_active_links; +- u8 link_id, n_data = 0, i, j; ++ u8 n_data, i, j; + + if (!IWL_MVM_AUTO_EML_ENABLE) + return; +@@ -640,23 +679,7 @@ void iwl_mvm_mld_select_links(struct iwl_mvm *mvm, struct ieee80211_vif *vif, + if (hweight16(vif->active_links) == max_active_links) + return; + +- rcu_read_lock(); +- +- for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) { +- struct ieee80211_bss_conf *link_conf = +- rcu_dereference(vif->link_conf[link_id]); +- +- if (WARN_ON_ONCE(!link_conf)) +- continue; +- +- data[n_data].link_id = link_id; +- data[n_data].band = link_conf->chanreq.oper.chan->band; +- data[n_data].width = link_conf->chanreq.oper.width; +- data[n_data].active = vif->active_links & BIT(link_id); +- n_data++; +- } +- +- rcu_read_unlock(); ++ n_data = iwl_mvm_set_link_selection_data(vif, data, usable_links); + + /* this is expected to be the current active link */ + if (n_data == 1) +@@ -680,7 +703,8 @@ void iwl_mvm_mld_select_links(struct iwl_mvm *mvm, struct ieee80211_vif *vif, + if (i == j) + continue; + +- if (iwl_mvm_mld_valid_link_pair(&data[i], &data[j])) ++ if (iwl_mvm_mld_valid_link_pair(vif, &data[i], ++ &data[j])) + break; + } + +@@ -696,7 +720,7 @@ void iwl_mvm_mld_select_links(struct iwl_mvm *mvm, struct ieee80211_vif *vif, + if (i == j) + continue; + +- if (iwl_mvm_mld_valid_link_pair(&data[i], ++ if (iwl_mvm_mld_valid_link_pair(vif, &data[i], + &data[j])) + break; + } +@@ -1293,11 +1317,10 @@ static bool iwl_mvm_can_enter_esr(struct iwl_mvm *mvm, + struct ieee80211_vif *vif, + unsigned long desired_links) + { +- struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + u16 usable_links = ieee80211_vif_usable_links(vif); ++ struct iwl_mvm_link_sel_data data[IEEE80211_MLD_MAX_NUM_LINKS]; + const struct wiphy_iftype_ext_capab *ext_capa; +- bool ret = true; +- int link_id; ++ u8 n_data; + + if (!ieee80211_vif_is_mld(vif) || !vif->cfg.assoc || + hweight16(usable_links) <= 1) +@@ -1312,21 +1335,13 @@ static bool iwl_mvm_can_enter_esr(struct iwl_mvm *mvm, + !(ext_capa->eml_capabilities & IEEE80211_EML_CAP_EMLSR_SUPP)) + return false; + +- for_each_set_bit(link_id, &desired_links, IEEE80211_MLD_MAX_NUM_LINKS) { +- struct ieee80211_bss_conf *link_conf = +- link_conf_dereference_protected(vif, link_id); +- +- if (WARN_ON_ONCE(!link_conf)) +- continue; ++ n_data = iwl_mvm_set_link_selection_data(vif, data, desired_links); + +- /* BT Coex effects eSR mode only if one of the link is on LB */ +- if (link_conf->chanreq.oper.chan->band != NL80211_BAND_2GHZ) +- continue; ++ if (n_data != 2) ++ return false; + +- return !(mvmvif->esr_disable_reason & IWL_MVM_ESR_DISABLE_COEX); +- } + +- return ret; ++ return iwl_mvm_mld_valid_link_pair(vif, &data[0], &data[1]); + } + + static bool iwl_mvm_mld_can_activate_links(struct ieee80211_hw *hw, +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +index 7bf838b5bd98d..c45039d2ad2fa 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -1580,15 +1580,14 @@ static inline int iwl_mvm_max_active_links(struct iwl_mvm *mvm, + struct iwl_trans *trans = mvm->fwrt.trans; + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + +- lockdep_assert_held(&mvm->mutex); +- + if (vif->type == NL80211_IFTYPE_AP) + return mvm->fw->ucode_capa.num_beacons; + ++ /* Check if HW supports eSR or STR */ + if ((iwl_mvm_is_esr_supported(trans) && +- !mvmvif->esr_disable_reason) || +- ((CSR_HW_RFID_TYPE(trans->hw_rf_id) == IWL_CFG_RF_TYPE_FM && +- CSR_HW_RFID_IS_CDB(trans->hw_rf_id)))) ++ !(mvmvif->esr_disable_reason & ~IWL_MVM_ESR_DISABLE_COEX)) || ++ (CSR_HW_RFID_TYPE(trans->hw_rf_id) == IWL_CFG_RF_TYPE_FM && ++ CSR_HW_RFID_IS_CDB(trans->hw_rf_id))) + return IWL_MVM_FW_MAX_ACTIVE_LINKS_NUM; + + return 1; +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch b/queue-6.9/wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch new file mode 100644 index 00000000000..1c761682da4 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch @@ -0,0 +1,87 @@ +From 31b0049d02f8876cb82e251e22494ebfde1c85a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:26:25 +0200 +Subject: wifi: iwlwifi: mvm: fix active link counting during recovery + +From: Benjamin Berg + +[ Upstream commit 9737da2f00d6409ae48a79d4dddd9362b230aa31 ] + +During recovery, the chanctx_conf in mac80211 is still non-NULL even +though the channel context has not yet been assigned again. In that +case, the real count is actually lower. + +Switch to instead count the phy_ctx assignment and ensure that the +assignment is cleared at the start of recovery. + +Fixes: 12bacfc2c065 ("wifi: iwlwifi: handle eSR transitions") +Signed-off-by: Benjamin Berg +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240320232419.55f37339e7d1.I57006568a90ffb7a1232def1b2f3264dea711ba6@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 20 ++++++++----------- + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 084314bf6f369..d18304ac126cd 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -189,17 +189,13 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw, + mutex_unlock(&mvm->mutex); + } + +-static unsigned int iwl_mvm_mld_count_active_links(struct ieee80211_vif *vif) ++static unsigned int iwl_mvm_mld_count_active_links(struct iwl_mvm_vif *mvmvif) + { + unsigned int n_active = 0; + int i; + + for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) { +- struct ieee80211_bss_conf *link_conf; +- +- link_conf = link_conf_dereference_protected(vif, i); +- if (link_conf && +- rcu_access_pointer(link_conf->chanctx_conf)) ++ if (mvmvif->link[i] && mvmvif->link[i]->phy_ctxt) + n_active++; + } + +@@ -245,18 +241,18 @@ __iwl_mvm_mld_assign_vif_chanctx(struct iwl_mvm *mvm, + { + u16 *phy_ctxt_id = (u16 *)ctx->drv_priv; + struct iwl_mvm_phy_ctxt *phy_ctxt = &mvm->phy_ctxts[*phy_ctxt_id]; +- unsigned int n_active = iwl_mvm_mld_count_active_links(vif); + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ unsigned int n_active = iwl_mvm_mld_count_active_links(mvmvif); + unsigned int link_id = link_conf->link_id; + int ret; + +- /* if the assigned one was not counted yet, count it now */ +- if (!rcu_access_pointer(link_conf->chanctx_conf)) +- n_active++; +- + if (WARN_ON_ONCE(!mvmvif->link[link_id])) + return -EINVAL; + ++ /* if the assigned one was not counted yet, count it now */ ++ if (!mvmvif->link[link_id]->phy_ctxt) ++ n_active++; ++ + /* mac parameters such as HE support can change at this stage + * For sta, need first to configure correct state from drv_sta_state + * and only after that update mac config. +@@ -416,7 +412,7 @@ __iwl_mvm_mld_unassign_vif_chanctx(struct iwl_mvm *mvm, + + { + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); +- unsigned int n_active = iwl_mvm_mld_count_active_links(vif); ++ unsigned int n_active = iwl_mvm_mld_count_active_links(mvmvif); + unsigned int link_id = link_conf->link_id; + + /* shouldn't happen, but verify link_id is valid before accessing */ +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-fix-check-in-iwl_mvm_sta_fw_id_mask.patch b/queue-6.9/wifi-iwlwifi-mvm-fix-check-in-iwl_mvm_sta_fw_id_mask.patch new file mode 100644 index 00000000000..44d163141e0 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-fix-check-in-iwl_mvm_sta_fw_id_mask.patch @@ -0,0 +1,41 @@ +From c8396cf692050bbc2553026085054e9e556c2010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 18:08:51 +0100 +Subject: wifi: iwlwifi: mvm: fix check in iwl_mvm_sta_fw_id_mask + +From: Johannes Berg + +[ Upstream commit d69aef8084cc72df7b0f2583096d9b037c647ec8 ] + +In the previous commit, I renamed the variable to differentiate +mac80211/mvm link STA, but forgot to adjust the check. The one +from mac80211 is already non-NULL anyway, but the mvm one can +be NULL when the mac80211 isn't during link switch conditions. +Fix the check. + +Fixes: 2783ab506eaa ("wifi: iwlwifi: mvm: select STA mask only for active links") +Reviewed-by: Daniel Gabay +Reviewed-by: Miriam Rachel Korenblit +Link: https://msgid.link/20240325180850.e95b442bafe9.I8c0119fce7b00cb4f65782930d2c167ed5dd0a6e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +index dffdd00f8ab62..36dc291d98dd6 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +@@ -36,7 +36,7 @@ u32 iwl_mvm_sta_fw_id_mask(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + mvm_link_sta = + rcu_dereference_check(mvmsta->link[link_id], + lockdep_is_held(&mvm->mutex)); +- if (!link_sta) ++ if (!mvm_link_sta) + continue; + + result |= BIT(mvm_link_sta->sta_id); +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-init-vif-works-only-once.patch b/queue-6.9/wifi-iwlwifi-mvm-init-vif-works-only-once.patch new file mode 100644 index 00000000000..8054d73ae20 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-init-vif-works-only-once.patch @@ -0,0 +1,116 @@ +From 5a0559aeb320fb8dce641125e90de2f46e85066b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 13:54:05 +0300 +Subject: wifi: iwlwifi: mvm: init vif works only once + +From: Johannes Berg + +[ Upstream commit 0bcc2155983e03c41b21a356af87ae839a6b3ead ] + +It's dangerous to re-initialize works repeatedly, especially +delayed ones that have an associated timer, and even more so +if they're not necessarily canceled inbetween. This can be +the case for these workers here during FW restart scenarios, +so make sure to initialize it only once. + +While at it, also ensure it is cancelled correctly. + +Fixes: f67806140220 ("iwlwifi: mvm: disconnect in case of bad channel switch parameters") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240416134215.ddf8eece5eac.I4164f5c9c444b64a9abbaab14c23858713778e35@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 19 +++++++++++++++++-- + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 2 ++ + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 ++ + 3 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 2425c22e83f4a..7ed7444c98715 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -1564,6 +1564,17 @@ static int iwl_mvm_alloc_bcast_mcast_sta(struct iwl_mvm *mvm, + IWL_STA_MULTICAST); + } + ++void iwl_mvm_mac_init_mvmvif(struct iwl_mvm *mvm, struct iwl_mvm_vif *mvmvif) ++{ ++ lockdep_assert_held(&mvm->mutex); ++ ++ if (test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) ++ return; ++ ++ INIT_DELAYED_WORK(&mvmvif->csa_work, ++ iwl_mvm_channel_switch_disconnect_wk); ++} ++ + static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, + struct ieee80211_vif *vif) + { +@@ -1574,6 +1585,8 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, + + mutex_lock(&mvm->mutex); + ++ iwl_mvm_mac_init_mvmvif(mvm, mvmvif); ++ + mvmvif->mvm = mvm; + + /* the first link always points to the default one */ +@@ -1655,8 +1668,6 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, + mvm->p2p_device_vif = vif; + + iwl_mvm_tcm_add_vif(mvm, vif); +- INIT_DELAYED_WORK(&mvmvif->csa_work, +- iwl_mvm_channel_switch_disconnect_wk); + + if (vif->type == NL80211_IFTYPE_MONITOR) { + mvm->monitor_on = true; +@@ -1694,6 +1705,8 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, + void iwl_mvm_prepare_mac_removal(struct iwl_mvm *mvm, + struct ieee80211_vif *vif) + { ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ + if (vif->type == NL80211_IFTYPE_P2P_DEVICE) { + /* + * Flush the ROC worker which will flush the OFFCHANNEL queue. +@@ -1702,6 +1715,8 @@ void iwl_mvm_prepare_mac_removal(struct iwl_mvm *mvm, + */ + flush_work(&mvm->roc_done_wk); + } ++ ++ cancel_delayed_work_sync(&mvmvif->csa_work); + } + + /* This function is doing the common part of removing the interface for +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index ffbcc5a2d0ae7..df183a79db4c8 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -14,6 +14,8 @@ static int iwl_mvm_mld_mac_add_interface(struct ieee80211_hw *hw, + + mutex_lock(&mvm->mutex); + ++ iwl_mvm_mac_init_mvmvif(mvm, mvmvif); ++ + mvmvif->mvm = mvm; + + /* Not much to do here. The stack will not allow interface +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +index c45039d2ad2fa..d1ab35eb55b23 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -1783,6 +1783,8 @@ int iwl_mvm_load_d3_fw(struct iwl_mvm *mvm); + + int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm); + ++void iwl_mvm_mac_init_mvmvif(struct iwl_mvm *mvm, struct iwl_mvm_vif *mvmvif); ++ + /* + * FW notifications / CMD responses handlers + * Convention: iwl_mvm_rx_ +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-introduce-esr_disable_reason.patch b/queue-6.9/wifi-iwlwifi-mvm-introduce-esr_disable_reason.patch new file mode 100644 index 00000000000..6982d8d1754 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-introduce-esr_disable_reason.patch @@ -0,0 +1,216 @@ +From af5501d5848725ca458b57a14c0a9ee85b82ac53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 13:53:56 +0300 +Subject: wifi: iwlwifi: mvm: introduce esr_disable_reason + +From: Emmanuel Grumbach + +[ Upstream commit 76f9864d7ac6d04036ba85a8616e2361f2d2d06c ] + +This will maintain a bitmap of reasons for which we want to avoid +enabling EMLSR. +For now, we have a single reason: BT coexistence, but we will add soon +more reasons. Make it a bitmap to make it easier to manage. + +Since we'll impact the parameters that impact the enablement / +disablement of EMLSR from several places, introduce a generic function +that takes into account the current state and execute the decision that +must be taken. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240416134215.94c3590c6f27.I6a190da5025d0523ef483ffac0c64e26675041e6@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 585ba158233f ("wifi: iwlwifi: mvm: don't always disable EMLSR due to BT coex") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/coex.c | 32 +++++-------------- + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 29 ++++++++++++++++- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 18 +++++++++-- + 3 files changed, 51 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c +index 535edb51d1c09..2a28e611088d6 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + /* +- * Copyright (C) 2013-2014, 2018-2020, 2022-2023 Intel Corporation ++ * Copyright (C) 2013-2014, 2018-2020, 2022-2024 Intel Corporation + * Copyright (C) 2013-2015 Intel Mobile Communications GmbH + */ + #include +@@ -259,7 +259,6 @@ static void iwl_mvm_bt_coex_enable_esr(struct iwl_mvm *mvm, + struct ieee80211_vif *vif, bool enable) + { + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); +- int link_id; + + lockdep_assert_held(&mvm->mutex); + +@@ -267,30 +266,15 @@ static void iwl_mvm_bt_coex_enable_esr(struct iwl_mvm *mvm, + return; + + /* Done already */ +- if (mvmvif->bt_coex_esr_disabled == !enable) ++ if ((mvmvif->esr_disable_reason & IWL_MVM_ESR_DISABLE_COEX) == !enable) + return; + +- mvmvif->bt_coex_esr_disabled = !enable; +- +- /* Nothing to do */ +- if (mvmvif->esr_active == enable) +- return; +- +- if (enable) { +- /* Try to re-enable eSR*/ +- iwl_mvm_mld_select_links(mvm, vif, false); +- return; +- } +- +- /* +- * Find the primary link, as we want to switch to it and drop the +- * secondary one. +- */ +- link_id = iwl_mvm_mld_get_primary_link(mvm, vif, vif->active_links); +- WARN_ON(link_id < 0); ++ if (enable) ++ mvmvif->esr_disable_reason &= ~IWL_MVM_ESR_DISABLE_COEX; ++ else ++ mvmvif->esr_disable_reason |= IWL_MVM_ESR_DISABLE_COEX; + +- ieee80211_set_active_links_async(vif, +- vif->active_links & BIT(link_id)); ++ iwl_mvm_recalc_esr(mvm, vif); + } + + /* +@@ -338,7 +322,7 @@ iwl_mvm_bt_coex_calculate_esr_mode(struct iwl_mvm *mvm, + if (!link_rssi) + wifi_loss_rate = mvm->last_bt_notif.wifi_loss_mid_high_rssi; + +- else if (!mvmvif->bt_coex_esr_disabled) ++ else if (!(mvmvif->esr_disable_reason & IWL_MVM_ESR_DISABLE_COEX)) + /* RSSI needs to get really low to disable eSR... */ + wifi_loss_rate = + link_rssi <= -IWL_MVM_BT_COEX_DISABLE_ESR_THRESH ? +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 32ccc3b883b2c..7a2a18f8b86e2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -1258,6 +1258,33 @@ int iwl_mvm_mld_get_primary_link(struct iwl_mvm *mvm, + return data[1].link_id; + } + ++void iwl_mvm_recalc_esr(struct iwl_mvm *mvm, struct ieee80211_vif *vif) ++{ ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ bool enable = !mvmvif->esr_disable_reason; ++ int link_id; ++ ++ /* Nothing to do */ ++ if (mvmvif->esr_active == enable) ++ return; ++ ++ if (enable) { ++ /* Try to re-enable eSR */ ++ iwl_mvm_mld_select_links(mvm, vif, false); ++ return; ++ } ++ ++ /* ++ * Find the primary link, as we want to switch to it and drop the ++ * secondary one. ++ */ ++ link_id = iwl_mvm_mld_get_primary_link(mvm, vif, vif->active_links); ++ WARN_ON(link_id < 0); ++ ++ ieee80211_set_active_links_async(vif, ++ vif->active_links & BIT(link_id)); ++} ++ + /* + * This function receives a bitmap of usable links and check if we can enter + * eSR on those links. +@@ -1300,7 +1327,7 @@ static bool iwl_mvm_can_enter_esr(struct iwl_mvm *mvm, + primary_link); + // Mark eSR as disabled for the next time + if (!ret) +- mvmvif->bt_coex_esr_disabled = true; ++ mvmvif->esr_disable_reason |= IWL_MVM_ESR_DISABLE_COEX; + break; + } + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +index f0b24f00938bd..609565fadfefe 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -346,6 +346,14 @@ struct iwl_mvm_vif_link_info { + u16 mgmt_queue; + }; + ++/** ++ * enum iwl_mvm_esr_disable_reason - reasons for which we can't enable EMLSR ++ * @IWL_MVM_ESR_DISABLE_COEX: COEX is preventing the enablement of EMLSR ++ */ ++enum iwl_mvm_esr_disable_reason { ++ IWL_MVM_ESR_DISABLE_COEX = BIT(0), ++}; ++ + /** + * struct iwl_mvm_vif - data per Virtual Interface, it is a MAC context + * @mvm: pointer back to the mvm struct +@@ -361,7 +369,6 @@ struct iwl_mvm_vif_link_info { + * @pm_enabled - indicate if MAC power management is allowed + * @monitor_active: indicates that monitor context is configured, and that the + * interface should get quota etc. +- * @bt_coex_esr_disabled: indicates if esr is disabled due to bt coex + * @low_latency: bit flags for low latency + * see enum &iwl_mvm_low_latency_cause for causes. + * @low_latency_actual: boolean, indicates low latency is set, +@@ -378,6 +385,7 @@ struct iwl_mvm_vif_link_info { + * @deflink: default link data for use in non-MLO + * @link: link data for each link in MLO + * @esr_active: indicates eSR mode is active ++ * @esr_disable_reason: a bitmap of enum iwl_mvm_esr_disable_reason + * @pm_enabled: indicates powersave is enabled + */ + struct iwl_mvm_vif { +@@ -392,7 +400,6 @@ struct iwl_mvm_vif { + bool pm_enabled; + bool monitor_active; + bool esr_active; +- bool bt_coex_esr_disabled; + + u8 low_latency: 6; + u8 low_latency_actual: 1; +@@ -400,6 +407,7 @@ struct iwl_mvm_vif { + u8 authorized:1; + bool ps_disabled; + ++ u32 esr_disable_reason; + u32 ap_beacon_time; + struct iwl_mvm_vif_bf_data bf_data; + +@@ -1578,7 +1586,7 @@ static inline int iwl_mvm_max_active_links(struct iwl_mvm *mvm, + return mvm->fw->ucode_capa.num_beacons; + + if ((iwl_mvm_is_esr_supported(trans) && +- !mvmvif->bt_coex_esr_disabled) || ++ !mvmvif->esr_disable_reason) || + ((CSR_HW_RFID_TYPE(trans->hw_rf_id) == IWL_CFG_RF_TYPE_FM && + CSR_HW_RFID_IS_CDB(trans->hw_rf_id)))) + return IWL_MVM_FW_MAX_ACTIVE_LINKS_NUM; +@@ -2779,4 +2787,8 @@ int iwl_mvm_roc_add_cmd(struct iwl_mvm *mvm, + struct ieee80211_channel *channel, + struct ieee80211_vif *vif, + int duration, u32 activity); ++ ++/* EMLSR */ ++void iwl_mvm_recalc_esr(struct iwl_mvm *mvm, struct ieee80211_vif *vif); ++ + #endif /* __IWL_MVM_H__ */ +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-select-sta-mask-only-for-active-lin.patch b/queue-6.9/wifi-iwlwifi-mvm-select-sta-mask-only-for-active-lin.patch new file mode 100644 index 00000000000..28c291d6ec2 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-select-sta-mask-only-for-active-lin.patch @@ -0,0 +1,72 @@ +From 64baefd02d79b84c79d9c9d5a0020b7b5df2b8fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:26:36 +0200 +Subject: wifi: iwlwifi: mvm: select STA mask only for active links + +From: Johannes Berg + +[ Upstream commit 2783ab506eaa36dbef40bda0f96eb49fe149790e ] + +During reconfig, we might send keys, but those should be only +sent to already active link stations. Iterate only active ones +to fix that issue. + +Fixes: aea99650f731 ("wifi: iwlwifi: mvm: set STA mask for keys in MLO") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240320232419.c6818d1c6033.I6357f05c55ef111002ddc169287eb356ca0c1b21@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +index 4ba1599ed71ca..dffdd00f8ab62 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c +@@ -9,7 +9,9 @@ + u32 iwl_mvm_sta_fw_id_mask(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + int filter_link_id) + { ++ struct ieee80211_link_sta *link_sta; + struct iwl_mvm_sta *mvmsta; ++ struct ieee80211_vif *vif; + unsigned int link_id; + u32 result = 0; + +@@ -17,26 +19,27 @@ u32 iwl_mvm_sta_fw_id_mask(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + return 0; + + mvmsta = iwl_mvm_sta_from_mac80211(sta); ++ vif = mvmsta->vif; + + /* it's easy when the STA is not an MLD */ + if (!sta->valid_links) + return BIT(mvmsta->deflink.sta_id); + + /* but if it is an MLD, get the mask of all the FW STAs it has ... */ +- for (link_id = 0; link_id < ARRAY_SIZE(mvmsta->link); link_id++) { +- struct iwl_mvm_link_sta *link_sta; ++ for_each_sta_active_link(vif, sta, link_sta, link_id) { ++ struct iwl_mvm_link_sta *mvm_link_sta; + + /* unless we have a specific link in mind */ + if (filter_link_id >= 0 && link_id != filter_link_id) + continue; + +- link_sta = ++ mvm_link_sta = + rcu_dereference_check(mvmsta->link[link_id], + lockdep_is_held(&mvm->mutex)); + if (!link_sta) + continue; + +- result |= BIT(link_sta->sta_id); ++ result |= BIT(mvm_link_sta->sta_id); + } + + return result; +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-set-wider-bw-ofdma-ignore-correctly.patch b/queue-6.9/wifi-iwlwifi-mvm-set-wider-bw-ofdma-ignore-correctly.patch new file mode 100644 index 00000000000..b51a1d361a1 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-set-wider-bw-ofdma-ignore-correctly.patch @@ -0,0 +1,55 @@ +From db22fe3af923fe3f8b57c4615864ef999f443acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:26:35 +0200 +Subject: wifi: iwlwifi: mvm: set wider BW OFDMA ignore correctly + +From: Johannes Berg + +[ Upstream commit b97b0c04f895003ec60b08879180068889d19c9e ] + +Clearly, I put this flag into the wrong place: devices using the +code in mac80211.c only do not support EHT, so this isn't even +relevant. Fix this by moving the code to the right function. + +Fixes: 32a5690e9acb ("wifi: iwlwifi: mvm: support wider-bandwidth OFDMA") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240320232419.0d5fb0e971e4.I3b67c5e0ddcbe6e58143ec0bc4e40dd6dba4f863@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 3 --- + drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 3 +++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 8f4b063d6243e..5d937d647d98d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -1651,9 +1651,6 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, + IEEE80211_VIF_SUPPORTS_CQM_RSSI; + } + +- if (vif->p2p || iwl_fw_lookup_cmd_ver(mvm->fw, PHY_CONTEXT_CMD, 1) < 5) +- vif->driver_flags |= IEEE80211_VIF_IGNORE_OFDMA_WIDER_BW; +- + if (vif->type == NL80211_IFTYPE_P2P_DEVICE) + mvm->p2p_device_vif = vif; + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index d18304ac126cd..5a4973431c8b7 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -92,6 +92,9 @@ static int iwl_mvm_mld_mac_add_interface(struct ieee80211_hw *hw, + mvm->csme_vif = vif; + } + ++ if (vif->p2p || iwl_fw_lookup_cmd_ver(mvm->fw, PHY_CONTEXT_CMD, 1) < 5) ++ vif->driver_flags |= IEEE80211_VIF_IGNORE_OFDMA_WIDER_BW; ++ + goto out_unlock; + + out_free_bf: +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-reconfigure-tlc-during-hw-restart.patch b/queue-6.9/wifi-iwlwifi-reconfigure-tlc-during-hw-restart.patch new file mode 100644 index 00000000000..4176ae10ed8 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-reconfigure-tlc-during-hw-restart.patch @@ -0,0 +1,45 @@ +From f70b7ea7995a2c870264a2db282826c6f6a8702d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:26:38 +0200 +Subject: wifi: iwlwifi: reconfigure TLC during HW restart + +From: Johannes Berg + +[ Upstream commit 96833fb3c7abfd57bb3ee2de2534c5a3f52b0838 ] + +Since the HW restart flow with multi-link is very similar to +the initial association, we do need to reconfigure TLC there. +Remove the check that prevented that. + +Fixes: d2d0468f60cd ("wifi: iwlwifi: mvm: configure TLC on link activation") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240320232419.a00adcfe381a.Ic798beccbb7b7d852dc976d539205353588853b0@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 5a4973431c8b7..32ccc3b883b2c 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -295,13 +295,8 @@ __iwl_mvm_mld_assign_vif_chanctx(struct iwl_mvm *mvm, + * this needs the phy context assigned (and in FW?), and we cannot + * do it later because it needs to be initialized as soon as we're + * able to TX on the link, i.e. when active. +- * +- * Firmware restart isn't quite correct yet for MLO, but we don't +- * need to do it in that case anyway since it will happen from the +- * normal station state callback. + */ +- if (mvmvif->ap_sta && +- !test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) { ++ if (mvmvif->ap_sta) { + struct ieee80211_link_sta *link_sta; + + rcu_read_lock(); +-- +2.43.0 + diff --git a/queue-6.9/wifi-mac80211-don-t-select-link-id-if-not-provided-i.patch b/queue-6.9/wifi-mac80211-don-t-select-link-id-if-not-provided-i.patch new file mode 100644 index 00000000000..9c6c8c3f508 --- /dev/null +++ b/queue-6.9/wifi-mac80211-don-t-select-link-id-if-not-provided-i.patch @@ -0,0 +1,56 @@ +From e42e35527c171f3b209d9259c034b2ed791b5cc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 09:14:02 +0200 +Subject: wifi: mac80211: don't select link ID if not provided in scan request + +From: Ayala Beker + +[ Upstream commit 80b0aacd1ad046b46d471cf8ed6203bbd777f988 ] + +If scan request doesn't include a link ID to be used for TSF +reporting, don't select it as it might become inactive before +scan is actually started by the driver. +Instead, let the driver select one of the active links. + +Fixes: cbde0b49f276 ("wifi: mac80211: Extend support for scanning while MLO connected") +Signed-off-by: Ayala Beker +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240320091155.a6b643a15755.Ic28ed9a611432387b7f85e9ca9a97a4ce34a6e0f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/scan.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index 73850312580f7..3da1c5c450358 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -708,19 +708,11 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, + return -EBUSY; + + /* For an MLO connection, if a link ID was specified, validate that it +- * is indeed active. If no link ID was specified, select one of the +- * active links. ++ * is indeed active. + */ +- if (ieee80211_vif_is_mld(&sdata->vif)) { +- if (req->tsf_report_link_id >= 0) { +- if (!(sdata->vif.active_links & +- BIT(req->tsf_report_link_id))) +- return -EINVAL; +- } else { +- req->tsf_report_link_id = +- __ffs(sdata->vif.active_links); +- } +- } ++ if (ieee80211_vif_is_mld(&sdata->vif) && req->tsf_report_link_id >= 0 && ++ !(sdata->vif.active_links & BIT(req->tsf_report_link_id))) ++ return -EINVAL; + + if (!__ieee80211_can_leave_ch(sdata)) + return -EBUSY; +-- +2.43.0 + diff --git a/queue-6.9/wifi-mac80211-transmit-deauth-only-if-link-is-availa.patch b/queue-6.9/wifi-mac80211-transmit-deauth-only-if-link-is-availa.patch new file mode 100644 index 00000000000..4665e4acdfc --- /dev/null +++ b/queue-6.9/wifi-mac80211-transmit-deauth-only-if-link-is-availa.patch @@ -0,0 +1,257 @@ +From 0a903025c2c8358c0cc910d3eb432e01f5450529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 11:27:12 +0300 +Subject: wifi: mac80211: transmit deauth only if link is available + +From: Johannes Berg + +[ Upstream commit 570944a094c24ee3a09b2cb5e580063cfde64d7a ] + +There's an issue in that when we disconnect from an AP +due to the AP switching to an unsupported channel, we +might not tell the driver about this before we try to +send the deauth. If the underlying implementation has +detected the quiet CSA, this may cause issues if this +is the only active link. Avoid this by transmitting +(and flushing) the deauth only when there's an active +link available that's not affected by quiet CSA. + +Since this introduces link->u.mgd.csa_blocked_tx and we +no longer check sdata->csa_blocked_tx for the TX itself +also rename the latter to csa_blocked_queues. + +Fixes: 6f0107d195a8 ("wifi: mac80211: introduce a feature flag for quiet in CSA") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240415112355.1d91db5e95aa.Iad3a5df3367f305dff48cd61776abfd6cf0fd4ab@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 12 ++++----- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/iface.c | 4 +-- + net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++------------ + 4 files changed, 46 insertions(+), 26 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index f67c1d0218121..07abaf7820c56 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1607,10 +1607,10 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev, + /* abort any running channel switch or color change */ + link_conf->csa_active = false; + link_conf->color_change_active = false; +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + ieee80211_free_next_beacon(link); +@@ -3648,7 +3648,7 @@ void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif, bool block_t + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct ieee80211_local *local = sdata->local; + +- sdata->csa_blocked_tx = block_tx; ++ sdata->csa_blocked_queues = block_tx; + sdata_info(sdata, "channel switch failed, disconnecting\n"); + wiphy_work_queue(local->hw.wiphy, &ifmgd->csa_connection_drop_work); + } +@@ -3734,10 +3734,10 @@ static int __ieee80211_csa_finalize(struct ieee80211_link_data *link_data) + + ieee80211_link_info_change_notify(sdata, link_data, changed); + +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + err = drv_post_channel_switch(link_data); +@@ -4019,7 +4019,7 @@ __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, + !ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA)) { + ieee80211_stop_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = true; ++ sdata->csa_blocked_queues = true; + } + + cfg80211_ch_switch_started_notify(sdata->dev, +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index bd507d6b65e3f..70c67c860e995 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -974,6 +974,7 @@ struct ieee80211_link_data_managed { + + bool csa_waiting_bcn; + bool csa_ignored_same_chan; ++ bool csa_blocked_tx; + struct wiphy_delayed_work chswitch_work; + + struct wiphy_work request_smps_work; +@@ -1092,7 +1093,7 @@ struct ieee80211_sub_if_data { + + unsigned long state; + +- bool csa_blocked_tx; ++ bool csa_blocked_queues; + + char name[IFNAMSIZ]; + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 395de62d9cb2d..ef6b0fc82d022 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -544,10 +544,10 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do + sdata->vif.bss_conf.csa_active = false; + if (sdata->vif.type == NL80211_IFTYPE_STATION) + sdata->deflink.u.mgd.csa_waiting_bcn = false; +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + wiphy_work_cancel(local->hw.wiphy, &sdata->deflink.csa_finalize_work); +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 3bbb216a0fc8c..497677e3d8b27 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1933,13 +1933,14 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_link_data *link) + + WARN_ON(!link->conf->csa_active); + +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + link->conf->csa_active = false; ++ link->u.mgd.csa_blocked_tx = false; + link->u.mgd.csa_waiting_bcn = false; + + ret = drv_post_channel_switch(link); +@@ -1999,13 +2000,14 @@ ieee80211_sta_abort_chanswitch(struct ieee80211_link_data *link) + + ieee80211_link_unreserve_chanctx(link); + +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + link->conf->csa_active = false; ++ link->u.mgd.csa_blocked_tx = false; + + drv_abort_channel_switch(link); + } +@@ -2165,12 +2167,13 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link, + link->csa_chanreq = csa_ie.chanreq; + link->u.mgd.csa_ignored_same_chan = false; + link->u.mgd.beacon_crc_valid = false; ++ link->u.mgd.csa_blocked_tx = csa_ie.mode; + + if (csa_ie.mode && + !ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA)) { + ieee80211_stop_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = true; ++ sdata->csa_blocked_queues = true; + } + + cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chanreq.oper, +@@ -2199,7 +2202,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link, + * reset when the disconnection worker runs. + */ + link->conf->csa_active = true; +- sdata->csa_blocked_tx = ++ link->u.mgd.csa_blocked_tx = csa_ie.mode; ++ sdata->csa_blocked_queues = + csa_ie.mode && !ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA); + + wiphy_work_queue(sdata->local->hw.wiphy, +@@ -3252,12 +3256,13 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, + } + + sdata->vif.bss_conf.csa_active = false; ++ sdata->deflink.u.mgd.csa_blocked_tx = false; + sdata->deflink.u.mgd.csa_waiting_bcn = false; + sdata->deflink.u.mgd.csa_ignored_same_chan = false; +- if (sdata->csa_blocked_tx) { ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + /* existing TX TSPEC sessions no longer exist */ +@@ -3563,19 +3568,32 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata) + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; +- bool tx; ++ bool tx = false; + + lockdep_assert_wiphy(local->hw.wiphy); + + if (!ifmgd->associated) + return; + +- /* +- * MLO drivers should have HANDLES_QUIET_CSA, so that csa_blocked_tx +- * is always false; if they don't then this may try to transmit the +- * frame but queues will be stopped. +- */ +- tx = !sdata->csa_blocked_tx; ++ /* only transmit if we have a link that makes that worthwhile */ ++ for (unsigned int link_id = 0; ++ link_id < ARRAY_SIZE(sdata->link); ++ link_id++) { ++ struct ieee80211_link_data *link; ++ ++ if (!ieee80211_vif_link_active(&sdata->vif, link_id)) ++ continue; ++ ++ link = sdata_dereference(sdata->link[link_id], sdata); ++ if (WARN_ON_ONCE(!link)) ++ continue; ++ ++ if (link->u.mgd.csa_blocked_tx) ++ continue; ++ ++ tx = true; ++ break; ++ } + + if (!ifmgd->driver_disconnect) { + unsigned int link_id; +@@ -3608,10 +3626,11 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata) + /* the other links will be destroyed */ + sdata->vif.bss_conf.csa_active = false; + sdata->deflink.u.mgd.csa_waiting_bcn = false; +- if (sdata->csa_blocked_tx) { ++ sdata->deflink.u.mgd.csa_blocked_tx = false; ++ if (sdata->csa_blocked_queues) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_tx = false; ++ sdata->csa_blocked_queues = false; + } + + ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx, +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-connac-check-for-null-before-dereferencing.patch b/queue-6.9/wifi-mt76-connac-check-for-null-before-dereferencing.patch new file mode 100644 index 00000000000..b9fb1d3947e --- /dev/null +++ b/queue-6.9/wifi-mt76-connac-check-for-null-before-dereferencing.patch @@ -0,0 +1,37 @@ +From e3d61aab62a43b37e8db1211c0b74c3529c112d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 19:44:06 +0500 +Subject: wifi: mt76: connac: check for null before dereferencing + +From: Muhammad Usama Anjum + +[ Upstream commit cb47c7be0e93dd5acda078163799401ac3a78e10 ] + +The wcid can be NULL. It should be checked for validity before +dereferencing it to avoid crash. + +Fixes: 098428c400ff ("wifi: mt76: connac: set correct muar_idx for mt799x chipsets") +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index af0c2b2aacb00..7af60eebe517a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -283,7 +283,7 @@ __mt76_connac_mcu_alloc_sta_req(struct mt76_dev *dev, struct mt76_vif *mvif, + }; + struct sk_buff *skb; + +- if (is_mt799x(dev) && !wcid->sta) ++ if (is_mt799x(dev) && wcid && !wcid->sta) + hdr.muar_idx = 0xe; + + mt76_connac_mcu_get_wlan_idx(dev, wcid, &hdr.wlan_idx_lo, +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-connac-use-muar-idx-0xe-for-non-mt799x-as-.patch b/queue-6.9/wifi-mt76-connac-use-muar-idx-0xe-for-non-mt799x-as-.patch new file mode 100644 index 00000000000..c24aeb0da8b --- /dev/null +++ b/queue-6.9/wifi-mt76-connac-use-muar-idx-0xe-for-non-mt799x-as-.patch @@ -0,0 +1,35 @@ +From e7ea0200cb63e1b6d9c262738c7f0c4e34a97837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 13:01:01 +0200 +Subject: wifi: mt76: connac: use muar idx 0xe for non-mt799x as well + +From: Felix Fietkau + +[ Upstream commit 64bfcdbe025699d3d81ec11af24bd4895c0f6ddd ] + +This is expected by the firmware of older chipsets as well, though it may +not have been as strongly required as on mt799x + +Fixes: 098428c400ff ("wifi: mt76: connac: set correct muar_idx for mt799x chipsets") +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 990738a23eee5..fb8bd50eb7de8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -283,7 +283,7 @@ __mt76_connac_mcu_alloc_sta_req(struct mt76_dev *dev, struct mt76_vif *mvif, + }; + struct sk_buff *skb; + +- if (is_mt799x(dev) && wcid && !wcid->sta) ++ if (wcid && !wcid->sta) + hdr.muar_idx = 0xe; + + mt76_connac_mcu_get_wlan_idx(dev, wcid, &hdr.wlan_idx_lo, +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch b/queue-6.9/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch new file mode 100644 index 00000000000..70cd28d0701 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7603-add-wpdma-tx-eof-flag-for-pse-clien.patch @@ -0,0 +1,33 @@ +From 033c7e3034ee142006da436ca21653353ffea081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 11:11:54 +0200 +Subject: wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset + +From: Felix Fietkau + +[ Upstream commit 21de5f72260b4246e2415bc900c18139bc52ea80 ] + +This flag is needed for the PSE client reset. Fixes watchdog reset issues. + +Fixes: c677dda16523 ("wifi: mt76: mt7603: improve watchdog reset reliablity") +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +index cf21d06257e53..dc8a77f0a1cc4 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +@@ -1393,6 +1393,7 @@ void mt7603_pse_client_reset(struct mt7603_dev *dev) + MT_CLIENT_RESET_TX_R_E_2_S); + + /* Start PSE client TX abort */ ++ mt76_set(dev, MT_WPDMA_GLO_CFG, MT_WPDMA_GLO_CFG_FORCE_TX_EOF); + mt76_set(dev, addr, MT_CLIENT_RESET_TX_R_E_1); + mt76_poll_msec(dev, addr, MT_CLIENT_RESET_TX_R_E_1_S, + MT_CLIENT_RESET_TX_R_E_1_S, 500); +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7603-fix-tx-queue-of-loopback-packets.patch b/queue-6.9/wifi-mt76-mt7603-fix-tx-queue-of-loopback-packets.patch new file mode 100644 index 00000000000..5d4bce303b9 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7603-fix-tx-queue-of-loopback-packets.patch @@ -0,0 +1,109 @@ +From 25c2067ea75d5adb692a1f544f080f252d73d20c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 20:14:34 +0200 +Subject: wifi: mt76: mt7603: fix tx queue of loopback packets + +From: Felix Fietkau + +[ Upstream commit b473c0e47f04d3b4ee9d05d2e79234134aad14d5 ] + +Use the correct WMM AC queue instead of the MGMT one to fix potential issues +with aggregation sequence number tracking. Drop non-bufferable packets. + +Fixes: fca9615f1a43 ("mt76: mt7603: fix up hardware queue index for PS filtered packets") +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7603/dma.c | 46 +++++++++++++------ + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c +index 7a2f5d38562b4..14304b0637158 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c +@@ -4,6 +4,13 @@ + #include "mac.h" + #include "../dma.h" + ++static const u8 wmm_queue_map[] = { ++ [IEEE80211_AC_BK] = 0, ++ [IEEE80211_AC_BE] = 1, ++ [IEEE80211_AC_VI] = 2, ++ [IEEE80211_AC_VO] = 3, ++}; ++ + static void + mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) + { +@@ -22,10 +29,10 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) + struct ieee80211_sta *sta; + struct mt7603_sta *msta; + struct mt76_wcid *wcid; ++ u8 tid = 0, hwq = 0; + void *priv; + int idx; + u32 val; +- u8 tid = 0; + + if (skb->len < MT_TXD_SIZE + sizeof(struct ieee80211_hdr)) + goto free; +@@ -42,19 +49,36 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) + goto free; + + priv = msta = container_of(wcid, struct mt7603_sta, wcid); +- val = le32_to_cpu(txd[0]); +- val &= ~(MT_TXD0_P_IDX | MT_TXD0_Q_IDX); +- val |= FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_HW_QUEUE_MGMT); +- txd[0] = cpu_to_le32(val); + + sta = container_of(priv, struct ieee80211_sta, drv_priv); + hdr = (struct ieee80211_hdr *)&skb->data[MT_TXD_SIZE]; +- if (ieee80211_is_data_qos(hdr->frame_control)) ++ ++ hwq = wmm_queue_map[IEEE80211_AC_BE]; ++ if (ieee80211_is_data_qos(hdr->frame_control)) { + tid = *ieee80211_get_qos_ctl(hdr) & +- IEEE80211_QOS_CTL_TAG1D_MASK; +- skb_set_queue_mapping(skb, tid_to_ac[tid]); ++ IEEE80211_QOS_CTL_TAG1D_MASK; ++ u8 qid = tid_to_ac[tid]; ++ hwq = wmm_queue_map[qid]; ++ skb_set_queue_mapping(skb, qid); ++ } else if (ieee80211_is_data(hdr->frame_control)) { ++ skb_set_queue_mapping(skb, IEEE80211_AC_BE); ++ hwq = wmm_queue_map[IEEE80211_AC_BE]; ++ } else { ++ skb_pull(skb, MT_TXD_SIZE); ++ if (!ieee80211_is_bufferable_mmpdu(skb)) ++ goto free; ++ skb_push(skb, MT_TXD_SIZE); ++ skb_set_queue_mapping(skb, MT_TXQ_PSD); ++ hwq = MT_TX_HW_QUEUE_MGMT; ++ } ++ + ieee80211_sta_set_buffered(sta, tid, true); + ++ val = le32_to_cpu(txd[0]); ++ val &= ~(MT_TXD0_P_IDX | MT_TXD0_Q_IDX); ++ val |= FIELD_PREP(MT_TXD0_Q_IDX, hwq); ++ txd[0] = cpu_to_le32(val); ++ + spin_lock_bh(&dev->ps_lock); + __skb_queue_tail(&msta->psq, skb); + if (skb_queue_len(&msta->psq) >= 64) { +@@ -151,12 +175,6 @@ static int mt7603_poll_tx(struct napi_struct *napi, int budget) + + int mt7603_dma_init(struct mt7603_dev *dev) + { +- static const u8 wmm_queue_map[] = { +- [IEEE80211_AC_BK] = 0, +- [IEEE80211_AC_BE] = 1, +- [IEEE80211_AC_VI] = 2, +- [IEEE80211_AC_VO] = 3, +- }; + int ret; + int i; + +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7915-workaround-too-long-expansion-spars.patch b/queue-6.9/wifi-mt76-mt7915-workaround-too-long-expansion-spars.patch new file mode 100644 index 00000000000..724239acd5e --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7915-workaround-too-long-expansion-spars.patch @@ -0,0 +1,62 @@ +From 8ee14a333b30d9b88f4ad1eaf46d334ea7a0ce5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 16:12:47 +0100 +Subject: wifi: mt76: mt7915: workaround too long expansion sparse warnings + +From: Lorenzo Bianconi + +[ Upstream commit 2d5cde1143eca31c72547dfd589702c6b4a7e684 ] + +Fix the following sparse warnings: + +drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c:1133:29: error: too long token expansion +drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c:1133:29: error: too long token expansion +drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c:1133:29: error: too long token expansion +drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c:1133:29: error: too long token expansion + +No functional changes, compile tested only. + +Fixes: e3296759f347 ("wifi: mt76: mt7915: enable per bandwidth power limit support") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Link: https://msgid.link/5457b92e41909dd75ab3db7a0e9ec372b917a386.1710858172.git.lorenzo@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c +index 6c3696c8c7002..450f4d221184b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c +@@ -1049,6 +1049,7 @@ static ssize_t + mt7915_rate_txpower_set(struct file *file, const char __user *user_buf, + size_t count, loff_t *ppos) + { ++ int i, ret, pwr, pwr160 = 0, pwr80 = 0, pwr40 = 0, pwr20 = 0; + struct mt7915_phy *phy = file->private_data; + struct mt7915_dev *dev = phy->dev; + struct mt76_phy *mphy = phy->mt76; +@@ -1057,7 +1058,6 @@ mt7915_rate_txpower_set(struct file *file, const char __user *user_buf, + .band_idx = phy->mt76->band_idx, + }; + char buf[100]; +- int i, ret, pwr160 = 0, pwr80 = 0, pwr40 = 0, pwr20 = 0; + enum mac80211_rx_encoding mode; + u32 offs = 0, len = 0; + +@@ -1130,8 +1130,8 @@ mt7915_rate_txpower_set(struct file *file, const char __user *user_buf, + if (ret) + goto out; + +- mphy->txpower_cur = max(mphy->txpower_cur, +- max(pwr160, max(pwr80, max(pwr40, pwr20)))); ++ pwr = max3(pwr80, pwr40, pwr20); ++ mphy->txpower_cur = max3(mphy->txpower_cur, pwr160, pwr); + out: + mutex_unlock(&dev->mt76.mutex); + +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7925-ensure-4-byte-alignment-for-suspend.patch b/queue-6.9/wifi-mt76-mt7925-ensure-4-byte-alignment-for-suspend.patch new file mode 100644 index 00000000000..7a295f6dcb4 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7925-ensure-4-byte-alignment-for-suspend.patch @@ -0,0 +1,49 @@ +From a67f7ca66753867bd682ca91026aeb401c9528d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 19:08:15 +0800 +Subject: wifi: mt76: mt7925: ensure 4-byte alignment for suspend & wow command + +From: Ming Yen Hsieh + +[ Upstream commit fa46bd62c9a8ab195d9c5108a91abf0680fec10e ] + +Before sending suspend & wow command to FW, its length should be +4-bytes alignd. + +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 1 + + drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 7af60eebe517a..990738a23eee5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -2527,6 +2527,7 @@ int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend) + __le16 tag; + __le16 len; + u8 suspend; ++ u8 pad[7]; + } __packed hif_suspend; + } req = { + .hif_suspend = { +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h +index 2a0bbfe7bfa5e..b8315a89f4a9a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h +@@ -535,7 +535,7 @@ struct mt7925_wow_pattern_tlv { + u8 offset; + u8 mask[MT76_CONNAC_WOW_MASK_MAX_LEN]; + u8 pattern[MT76_CONNAC_WOW_PATTEN_MAX_LEN]; +- u8 rsv[4]; ++ u8 rsv[7]; + } __packed; + + static inline enum connac3_mcu_cipher_type +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch b/queue-6.9/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch new file mode 100644 index 00000000000..e3b448e67a2 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch @@ -0,0 +1,49 @@ +From bcb8b285ceb3ac3019209314f371ef0266490088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 19:09:14 +0800 +Subject: wifi: mt76: mt7996: fix potential memory leakage when reading chip + temperature + +From: Howard Hsu + +[ Upstream commit 474b9412f33be87076b40a49756662594598a85e ] + +Without this commit, reading chip temperature will cause memory leakage. + +Fixes: 6879b2e94172 ("wifi: mt76: mt7996: add thermal sensor device support") +Reported-by: Ryder Lee +Signed-off-by: Howard Hsu +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index cfb5a7d348eb8..e86c05d0eecc9 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -3729,6 +3729,7 @@ int mt7996_mcu_get_temperature(struct mt7996_phy *phy) + } __packed * res; + struct sk_buff *skb; + int ret; ++ u32 temp; + + ret = mt76_mcu_send_and_get_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(THERMAL), + &req, sizeof(req), true, &skb); +@@ -3736,8 +3737,10 @@ int mt7996_mcu_get_temperature(struct mt7996_phy *phy) + return ret; + + res = (void *)skb->data; ++ temp = le32_to_cpu(res->temperature); ++ dev_kfree_skb(skb); + +- return le32_to_cpu(res->temperature); ++ return temp; + } + + int mt7996_mcu_set_thermal_throttling(struct mt7996_phy *phy, u8 state) +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7996-fix-size-of-txpower-mcu-command.patch b/queue-6.9/wifi-mt76-mt7996-fix-size-of-txpower-mcu-command.patch new file mode 100644 index 00000000000..cebf16747e0 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7996-fix-size-of-txpower-mcu-command.patch @@ -0,0 +1,68 @@ +From 32e8245f429137b9c95895f7197b9d24b9aa62f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 17:55:35 +0000 +Subject: wifi: mt76: mt7996: fix size of txpower MCU command + +From: Chad Monroe + +[ Upstream commit 66ffcb9abae68625c704b247c7d15cbbc7837391 ] + +Fixes issues with scanning and low power output at some rates. + +Fixes: f75e4779d215 ("wifi: mt76: mt7996: add txpower setting support") +Signed-off-by: Chad Monroe +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 7 +++++-- + drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 1 + + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index b44abe2acc81b..cfb5a7d348eb8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -4464,7 +4464,7 @@ int mt7996_mcu_set_txpower_sku(struct mt7996_phy *phy) + u8 band_idx; + } __packed req = { + .tag = cpu_to_le16(UNI_TXPOWER_POWER_LIMIT_TABLE_CTRL), +- .len = cpu_to_le16(sizeof(req) + MT7996_SKU_RATE_NUM - 4), ++ .len = cpu_to_le16(sizeof(req) + MT7996_SKU_PATH_NUM - 4), + .power_ctrl_id = UNI_TXPOWER_POWER_LIMIT_TABLE_CTRL, + .power_limit_type = TX_POWER_LIMIT_TABLE_RATE, + .band_idx = phy->mt76->band_idx, +@@ -4479,7 +4479,7 @@ int mt7996_mcu_set_txpower_sku(struct mt7996_phy *phy) + mphy->txpower_cur = tx_power; + + skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, +- sizeof(req) + MT7996_SKU_RATE_NUM); ++ sizeof(req) + MT7996_SKU_PATH_NUM); + if (!skb) + return -ENOMEM; + +@@ -4503,6 +4503,9 @@ int mt7996_mcu_set_txpower_sku(struct mt7996_phy *phy) + /* eht */ + skb_put_data(skb, &la.eht[0], sizeof(la.eht)); + ++ /* padding */ ++ skb_put_zero(skb, MT7996_SKU_PATH_NUM - MT7996_SKU_RATE_NUM); ++ + return mt76_mcu_skb_send_msg(&dev->mt76, skb, + MCU_WM_UNI_CMD(TXPOWER), true); + } +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +index 36d1f247d55aa..ddeb40d522c5a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +@@ -50,6 +50,7 @@ + #define MT7996_CFEND_RATE_11B 0x03 /* 11B LP, 11M */ + + #define MT7996_SKU_RATE_NUM 417 ++#define MT7996_SKU_PATH_NUM 494 + + #define MT7996_MAX_TWT_AGRT 16 + #define MT7996_MAX_STA_TWT_AGRT 8 +-- +2.43.0 + diff --git a/queue-6.9/wifi-mt76-mt7996-fix-uninitialized-variable-in-mt799.patch b/queue-6.9/wifi-mt76-mt7996-fix-uninitialized-variable-in-mt799.patch new file mode 100644 index 00000000000..21c9c738be4 --- /dev/null +++ b/queue-6.9/wifi-mt76-mt7996-fix-uninitialized-variable-in-mt799.patch @@ -0,0 +1,37 @@ +From 7dd85c99f09d36e33d78219ccffdc74c1e30cae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 13:05:36 +0100 +Subject: wifi: mt76: mt7996: fix uninitialized variable in + mt7996_irq_tasklet() + +From: Lorenzo Bianconi + +[ Upstream commit 1ac710a6e8545c6df7a292f167dd088880a74c05 ] + +Set intr1 to 0 in mt7996_irq_tasklet() in order to avoid possible +uninitialized variable usage if wed is not active for hif2. + +Fixes: 83eafc9251d6 ("wifi: mt76: mt7996: add wed tx support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mmio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c b/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c +index 304e5fd148034..928a9663b49e0 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c +@@ -519,7 +519,7 @@ static void mt7996_irq_tasklet(struct tasklet_struct *t) + struct mt7996_dev *dev = from_tasklet(dev, t, mt76.irq_tasklet); + struct mtk_wed_device *wed = &dev->mt76.mmio.wed; + struct mtk_wed_device *wed_hif2 = &dev->mt76.mmio.wed_hif2; +- u32 i, intr, mask, intr1; ++ u32 i, intr, mask, intr1 = 0; + + if (dev->hif2 && mtk_wed_device_active(wed_hif2)) { + mtk_wed_device_irq_set_mask(wed_hif2, 0); +-- +2.43.0 + diff --git a/queue-6.9/wifi-mwl8k-initialize-cmd-addr-properly.patch b/queue-6.9/wifi-mwl8k-initialize-cmd-addr-properly.patch new file mode 100644 index 00000000000..c1aa378e08c --- /dev/null +++ b/queue-6.9/wifi-mwl8k-initialize-cmd-addr-properly.patch @@ -0,0 +1,38 @@ +From 3a98257154194d6f1bc61032f7ce0717dbbe9e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:38:15 +0300 +Subject: wifi: mwl8k: initialize cmd->addr[] properly + +From: Dan Carpenter + +[ Upstream commit 1d60eabb82694e58543e2b6366dae3e7465892a5 ] + +This loop is supposed to copy the mac address to cmd->addr but the +i++ increment is missing so it copies everything to cmd->addr[0] and +only the last address is recorded. + +Fixes: 22bedad3ce11 ("net: convert multicast list to list_head") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://msgid.link/b788be9a-15f5-4cca-a3fe-79df4c8ce7b2@moroto.mountain +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index ce8fea76dbb24..7a4ef5c83be48 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -2718,7 +2718,7 @@ __mwl8k_cmd_mac_multicast_adr(struct ieee80211_hw *hw, int allmulti, + cmd->action |= cpu_to_le16(MWL8K_ENABLE_RX_MULTICAST); + cmd->numaddr = cpu_to_le16(mc_count); + netdev_hw_addr_list_for_each(ha, mc_list) { +- memcpy(cmd->addr[i], ha->addr, ETH_ALEN); ++ memcpy(cmd->addr[i++], ha->addr, ETH_ALEN); + } + } + +-- +2.43.0 + diff --git a/queue-6.9/wifi-nl80211-avoid-address-calculations-via-out-of-b.patch b/queue-6.9/wifi-nl80211-avoid-address-calculations-via-out-of-b.patch new file mode 100644 index 00000000000..0505a02d413 --- /dev/null +++ b/queue-6.9/wifi-nl80211-avoid-address-calculations-via-out-of-b.patch @@ -0,0 +1,70 @@ +From a0c7eca1595a798e969b2f29c9e99d13d4dc1c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 15:01:01 -0700 +Subject: wifi: nl80211: Avoid address calculations via out of bounds array + indexing + +From: Kees Cook + +[ Upstream commit 838c7b8f1f278404d9d684c34a8cb26dc41aaaa1 ] + +Before request->channels[] can be used, request->n_channels must be set. +Additionally, address calculations for memory after the "channels" array +need to be calculated from the allocation base ("request") rather than +via the first "out of bounds" index of "channels", otherwise run-time +bounds checking will throw a warning. + +Reported-by: Nathan Chancellor +Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") +Signed-off-by: Kees Cook +Tested-by: Nathan Chancellor +Link: https://msgid.link/20240424220057.work.819-kees@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 30ff9a4708134..65c416e8d25eb 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -9162,6 +9162,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) + struct wiphy *wiphy; + int err, tmp, n_ssids = 0, n_channels, i; + size_t ie_len, size; ++ size_t ssids_offset, ie_offset; + + wiphy = &rdev->wiphy; + +@@ -9207,21 +9208,20 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + + size = struct_size(request, channels, n_channels); ++ ssids_offset = size; + size = size_add(size, array_size(sizeof(*request->ssids), n_ssids)); ++ ie_offset = size; + size = size_add(size, ie_len); + request = kzalloc(size, GFP_KERNEL); + if (!request) + return -ENOMEM; ++ request->n_channels = n_channels; + + if (n_ssids) +- request->ssids = (void *)&request->channels[n_channels]; ++ request->ssids = (void *)request + ssids_offset; + request->n_ssids = n_ssids; +- if (ie_len) { +- if (n_ssids) +- request->ie = (void *)(request->ssids + n_ssids); +- else +- request->ie = (void *)(request->channels + n_channels); +- } ++ if (ie_len) ++ request->ie = (void *)request + ie_offset; + + i = 0; + if (scan_freqs) { +-- +2.43.0 + diff --git a/queue-6.9/wifi-rtw89-wow-refine-wowlan-flows-of-hci-interrupts.patch b/queue-6.9/wifi-rtw89-wow-refine-wowlan-flows-of-hci-interrupts.patch new file mode 100644 index 00000000000..8818eee08f8 --- /dev/null +++ b/queue-6.9/wifi-rtw89-wow-refine-wowlan-flows-of-hci-interrupts.patch @@ -0,0 +1,108 @@ +From 0ef5a57c4dabba31cfc1c1d13ba7a56e8e84a3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 10:24:55 +0800 +Subject: wifi: rtw89: wow: refine WoWLAN flows of HCI interrupts and low power + mode + +From: Chih-Kang Chang + +[ Upstream commit baaf806e4632a259cc959fd1c516c2d9ed48df6d ] + +After enabling packet offload, the TX will be stuck after resume from +WoWLAN mode. And the 8852c gets error messages like + +rtw89_8852ce 0000:04:00.0: No busy txwd pages available +rtw89_8852ce 0000:04:00.0: queue 0 txwd 100 is not idle +rtw89_8852ce 0000:04:00.0: queue 0 txwd 101 is not idle +rtw89_8852ce 0000:04:00.0: queue 0 txwd 102 is not idle +rtw89_8852ce 0000:04:00.0: queue 0 txwd 103 is not idle + +If suspend/resume many times that firmware will download failed and +disconnection. + +To fix these issues, We removed the rtw89_hci_disable_intr() and +rtw89_hci_enable_intr() during rtw89_wow_swap_fw() to prevent add packet +offload can't receive c2h back due to interrupt disable. Only 8852C and +8922A needs to disable interrupt before downloading fw. + +Furthermore, we avoid using low power HCI mode on WoWLAN mode, to prevent +interrupt enabled, then get interrupt and calculate RXBD mismatched due to +software RXBD index already reset but hardware RXBD index not yet. + +Fixes: 5c12bb66b79d ("wifi: rtw89: refine packet offload flow") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Ping-Ke Shih +Link: https://msgid.link/20240502022505.28966-3-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/ps.c | 3 ++- + drivers/net/wireless/realtek/rtw89/wow.c | 12 ++++++++++-- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/ps.c b/drivers/net/wireless/realtek/rtw89/ps.c +index 31290d8cb7f7c..92074b73ebebd 100644 +--- a/drivers/net/wireless/realtek/rtw89/ps.c ++++ b/drivers/net/wireless/realtek/rtw89/ps.c +@@ -55,7 +55,8 @@ static void rtw89_ps_power_mode_change_with_hci(struct rtw89_dev *rtwdev, + + static void rtw89_ps_power_mode_change(struct rtw89_dev *rtwdev, bool enter) + { +- if (rtwdev->chip->low_power_hci_modes & BIT(rtwdev->ps_mode)) ++ if (rtwdev->chip->low_power_hci_modes & BIT(rtwdev->ps_mode) && ++ !test_bit(RTW89_FLAG_WOWLAN, rtwdev->flags)) + rtw89_ps_power_mode_change_with_hci(rtwdev, enter); + else + rtw89_mac_power_mode_change(rtwdev, enter); +diff --git a/drivers/net/wireless/realtek/rtw89/wow.c b/drivers/net/wireless/realtek/rtw89/wow.c +index ccad026defb50..ca4835008b56e 100644 +--- a/drivers/net/wireless/realtek/rtw89/wow.c ++++ b/drivers/net/wireless/realtek/rtw89/wow.c +@@ -457,14 +457,17 @@ static int rtw89_wow_swap_fw(struct rtw89_dev *rtwdev, bool wow) + struct rtw89_wow_param *rtw_wow = &rtwdev->wow; + struct ieee80211_vif *wow_vif = rtw_wow->wow_vif; + struct rtw89_vif *rtwvif = (struct rtw89_vif *)wow_vif->drv_priv; ++ enum rtw89_core_chip_id chip_id = rtwdev->chip->chip_id; + const struct rtw89_chip_info *chip = rtwdev->chip; + bool include_bb = !!chip->bbmcu_nr; ++ bool disable_intr_for_dlfw = false; + struct ieee80211_sta *wow_sta; + struct rtw89_sta *rtwsta = NULL; + bool is_conn = true; + int ret; + +- rtw89_hci_disable_intr(rtwdev); ++ if (chip_id == RTL8852C || chip_id == RTL8922A) ++ disable_intr_for_dlfw = true; + + wow_sta = ieee80211_find_sta(wow_vif, rtwvif->bssid); + if (wow_sta) +@@ -472,12 +475,18 @@ static int rtw89_wow_swap_fw(struct rtw89_dev *rtwdev, bool wow) + else + is_conn = false; + ++ if (disable_intr_for_dlfw) ++ rtw89_hci_disable_intr(rtwdev); ++ + ret = rtw89_fw_download(rtwdev, fw_type, include_bb); + if (ret) { + rtw89_warn(rtwdev, "download fw failed\n"); + return ret; + } + ++ if (disable_intr_for_dlfw) ++ rtw89_hci_enable_intr(rtwdev); ++ + rtw89_phy_init_rf_reg(rtwdev, true); + + ret = rtw89_fw_h2c_role_maintain(rtwdev, rtwvif, rtwsta, +@@ -520,7 +529,6 @@ static int rtw89_wow_swap_fw(struct rtw89_dev *rtwdev, bool wow) + } + + rtw89_mac_hw_mgnt_sec(rtwdev, wow); +- rtw89_hci_enable_intr(rtwdev); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.9/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch b/queue-6.9/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch new file mode 100644 index 00000000000..f81b99de1f2 --- /dev/null +++ b/queue-6.9/x86-boot-64-clear-most-of-cr4-in-startup_64-except-p.patch @@ -0,0 +1,74 @@ +From 034e6418f223be7f24b5ae01354ec13821a5e304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 17:13:55 +0200 +Subject: x86/boot/64: Clear most of CR4 in startup_64(), except PAE, MCE and + LA57 + +From: Ard Biesheuvel + +[ Upstream commit a0025f587c685e5ff842fb0194036f2ca0b6eaf4 ] + +The early 64-bit boot code must be entered with a 1:1 mapping of the +bootable image, but it cannot operate without a 1:1 mapping of all the +assets in memory that it accesses, and therefore, it creates such +mappings for all known assets upfront, and additional ones on demand +when a page fault happens on a memory address. + +These mappings are created with the global bit G set, as the flags used +to create page table descriptors are based on __PAGE_KERNEL_LARGE_EXEC +defined by the core kernel, even though the context where these mappings +are used is very different. + +This means that the TLB maintenance carried out by the decompressor is +not sufficient if it is entered with CR4.PGE enabled, which has been +observed to happen with the stage0 bootloader of project Oak. While this +is a dubious practice if no global mappings are being used to begin +with, the decompressor is clearly at fault here for creating global +mappings and not performing the appropriate TLB maintenance. + +Since commit: + + f97b67a773cd84b ("x86/decompressor: Only call the trampoline when changing paging levels") + +CR4 is no longer modified by the decompressor if no change in the number +of paging levels is needed. Before that, CR4 would always be set to a +consistent value with PGE cleared. + +So let's reinstate a simplified version of the original logic to put CR4 +into a known state, and preserve the PAE, MCE and LA57 bits, none of +which can be modified freely at this point (PAE and LA57 cannot be +changed while running in long mode, and MCE cannot be cleared when +running under some hypervisors). + +This effectively clears PGE and works around the project Oak bug. + +Fixes: f97b67a773cd84b ("x86/decompressor: Only call the trampoline when ...") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Cc: "H. Peter Anvin" +Link: https://lore.kernel.org/r/20240410151354.506098-2-ardb+git@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/head_64.S | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index bf4a10a5794f1..1dcb794c5479e 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -398,6 +398,11 @@ SYM_CODE_START(startup_64) + call sev_enable + #endif + ++ /* Preserve only the CR4 bits that must be preserved, and clear the rest */ ++ movq %cr4, %rax ++ andl $(X86_CR4_PAE | X86_CR4_MCE | X86_CR4_LA57), %eax ++ movq %rax, %cr4 ++ + /* + * configure_5level_paging() updates the number of paging levels using + * a trampoline in 32-bit addressable memory if the current number does +-- +2.43.0 + diff --git a/queue-6.9/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch b/queue-6.9/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch new file mode 100644 index 00000000000..9a8a60fb2e2 --- /dev/null +++ b/queue-6.9/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch @@ -0,0 +1,54 @@ +From e0c2156251a907c0c7f6d2f30003f6e27229b487 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:05:47 +0800 +Subject: x86/boot: Ignore relocations in .notes sections in walk_relocs() too + +From: Guixiong Wei + +[ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ] + +Commit: + + aaa8736370db ("x86, relocs: Ignore relocations in .notes section") + +... only started ignoring the .notes sections in print_absolute_relocs(), +but the same logic should also by applied in walk_relocs() to avoid +such relocations. + +[ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ] + +Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") +Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") +Fixes: da1a679cde9b ("Add /sys/kernel/notes") +Signed-off-by: Guixiong Wei +Signed-off-by: Ingo Molnar +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com +Signed-off-by: Sasha Levin +--- + arch/x86/tools/relocs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index b029fb81ebeee..e7a44a7f617fb 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -746,6 +746,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, + if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { + continue; + } ++ ++ /* ++ * Do not perform relocations in .notes sections; any ++ * values there are meant for pre-boot consumption (e.g. ++ * startup_xen). ++ */ ++ if (sec_applies->shdr.sh_type == SHT_NOTE) ++ continue; ++ + sh_symtab = sec_symtab->symtab; + sym_strtab = sec_symtab->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { +-- +2.43.0 + diff --git a/queue-6.9/x86-fred-fix-typo-in-kconfig-description.patch b/queue-6.9/x86-fred-fix-typo-in-kconfig-description.patch new file mode 100644 index 00000000000..230c673d681 --- /dev/null +++ b/queue-6.9/x86-fred-fix-typo-in-kconfig-description.patch @@ -0,0 +1,39 @@ +From 038ee576a90ffe8b6187fd481fb756fbcba691b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 17:19:58 +0100 +Subject: x86/fred: Fix typo in Kconfig description + +From: Paul Menzel + +[ Upstream commit 3c41786cab885f9c542e89f624bcdb71187dbb75 ] + +Fixes: 2cce95918d63 ("x86/fred: Add Kconfig option for FRED (CONFIG_X86_FRED)") +Signed-off-by: Paul Menzel +Signed-off-by: Ingo Molnar +Acked-by: H. Peter Anvin (Intel) +Link: https://lore.kernel.org/r/20240312161958.102927-2-pmenzel@molgen.mpg.de + + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 928820e61cb50..f5b3d14ff385b 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -501,7 +501,7 @@ config X86_FRED + When enabled, try to use Flexible Return and Event Delivery + instead of the legacy SYSCALL/SYSENTER/IDT architecture for + ring transitions and exception/interrupt handling if the +- system supports. ++ system supports it. + + if X86_32 + config X86_BIGSMP +-- +2.43.0 + diff --git a/queue-6.9/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch b/queue-6.9/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch new file mode 100644 index 00000000000..6c3957a9dd5 --- /dev/null +++ b/queue-6.9/x86-insn-add-vex-versions-of-vpdpbusd-vpdpbusds-vpdp.patch @@ -0,0 +1,75 @@ +From 9ab3b1b4c3c0698ac80300296d9ff4d7072eafb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 13:58:46 +0300 +Subject: x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and + VPDPWSSDS + +From: Adrian Hunter + +[ Upstream commit b8000264348979b60dbe479255570a40e1b3a097 ] + +The x86 instruction decoder is used not only for decoding kernel +instructions. It is also used by perf uprobes (user space probes) and by +perf tools Intel Processor Trace decoding. Consequently, it needs to +support instructions executed by user space also. + +Intel Architecture Instruction Set Extensions and Future Features manual +number 319433-044 of May 2021, documented VEX versions of instructions +VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS, but the opcode map has them +listed as EVEX only. + +Remove EVEX-only (ev) annotation from instructions VPDPBUSD, VPDPBUSDS, +VPDPWSSD and VPDPWSSDS, which allows them to be decoded with either a VEX +or EVEX prefix. + +Fixes: 0153d98f2dd6 ("x86/insn: Add misc instructions to x86 instruction decoder") +Signed-off-by: Adrian Hunter +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240502105853.5338-4-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 8 ++++---- + tools/arch/x86/lib/x86-opcode-map.txt | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 84ffe9e528e78..da9347552be69 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -698,10 +698,10 @@ AVXcode: 2 + 4d: vrcp14ss/d Vsd,Hpd,Wsd (66),(ev) + 4e: vrsqrt14ps/d Vpd,Wpd (66),(ev) + 4f: vrsqrt14ss/d Vsd,Hsd,Wsd (66),(ev) +-50: vpdpbusd Vx,Hx,Wx (66),(ev) +-51: vpdpbusds Vx,Hx,Wx (66),(ev) +-52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66),(ev) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) +-53: vpdpwssds Vx,Hx,Wx (66),(ev) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) ++50: vpdpbusd Vx,Hx,Wx (66) ++51: vpdpbusds Vx,Hx,Wx (66) ++52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) ++53: vpdpwssds Vx,Hx,Wx (66) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) + 54: vpopcntb/w Vx,Wx (66),(ev) + 55: vpopcntd/q Vx,Wx (66),(ev) + 58: vpbroadcastd Vx,Wx (66),(v) +diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt +index 84ffe9e528e78..da9347552be69 100644 +--- a/tools/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/arch/x86/lib/x86-opcode-map.txt +@@ -698,10 +698,10 @@ AVXcode: 2 + 4d: vrcp14ss/d Vsd,Hpd,Wsd (66),(ev) + 4e: vrsqrt14ps/d Vpd,Wpd (66),(ev) + 4f: vrsqrt14ss/d Vsd,Hsd,Wsd (66),(ev) +-50: vpdpbusd Vx,Hx,Wx (66),(ev) +-51: vpdpbusds Vx,Hx,Wx (66),(ev) +-52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66),(ev) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) +-53: vpdpwssds Vx,Hx,Wx (66),(ev) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) ++50: vpdpbusd Vx,Hx,Wx (66) ++51: vpdpbusds Vx,Hx,Wx (66) ++52: vdpbf16ps Vx,Hx,Wx (F3),(ev) | vpdpwssd Vx,Hx,Wx (66) | vp4dpwssd Vdqq,Hdqq,Wdq (F2),(ev) ++53: vpdpwssds Vx,Hx,Wx (66) | vp4dpwssds Vdqq,Hdqq,Wdq (F2),(ev) + 54: vpopcntb/w Vx,Wx (66),(ev) + 55: vpopcntd/q Vx,Wx (66),(ev) + 58: vpbroadcastd Vx,Wx (66),(v) +-- +2.43.0 + diff --git a/queue-6.9/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch b/queue-6.9/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch new file mode 100644 index 00000000000..7fadebfdba4 --- /dev/null +++ b/queue-6.9/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch @@ -0,0 +1,98 @@ +From e7b8ced1ae151b6e2f02198808db0ed239a6dab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 13:58:45 +0300 +Subject: x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map + +From: Adrian Hunter + +[ Upstream commit 59162e0c11d7257cde15f907d19fefe26da66692 ] + +The x86 instruction decoder is used not only for decoding kernel +instructions. It is also used by perf uprobes (user space probes) and by +perf tools Intel Processor Trace decoding. Consequently, it needs to +support instructions executed by user space also. + +Opcode 0x68 PUSH instruction is currently defined as 64-bit operand size +only i.e. (d64). That was based on Intel SDM Opcode Map. However that is +contradicted by the Instruction Set Reference section for PUSH in the +same manual. + +Remove 64-bit operand size only annotation from opcode 0x68 PUSH +instruction. + +Example: + + $ cat pushw.s + .global _start + .text + _start: + pushw $0x1234 + mov $0x1,%eax # system call number (sys_exit) + int $0x80 + $ as -o pushw.o pushw.s + $ ld -s -o pushw pushw.o + $ objdump -d pushw | tail -4 + 0000000000401000 <.text>: + 401000: 66 68 34 12 pushw $0x1234 + 401004: b8 01 00 00 00 mov $0x1,%eax + 401009: cd 80 int $0x80 + $ perf record -e intel_pt//u ./pushw + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.014 MB perf.data ] + + Before: + + $ perf script --insn-trace=disasm + Warning: + 1 instruction trace errors + pushw 10349 [000] 10586.869237014: 401000 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401006 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %al, (%rax) + pushw 10349 [000] 10586.869237014: 401008 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %cl, %ch + pushw 10349 [000] 10586.869237014: 40100a [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb $0x2e, (%rax) + instruction trace error type 1 time 10586.869237224 cpu 0 pid 10349 tid 10349 ip 0x40100d code 6: Trace doesn't match instruction + + After: + + $ perf script --insn-trace=disasm + pushw 10349 [000] 10586.869237014: 401000 [unknown] (./pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401004 [unknown] (./pushw) movl $1, %eax + +Fixes: eb13296cfaf6 ("x86: Instruction decoder API") +Signed-off-by: Adrian Hunter +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240502105853.5338-3-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 2 +- + tools/arch/x86/lib/x86-opcode-map.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 12af572201a29..84ffe9e528e78 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt +index 12af572201a29..84ffe9e528e78 100644 +--- a/tools/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +-- +2.43.0 + diff --git a/queue-6.9/x86-microcode-amd-avoid-wformat-warning-with-clang-1.patch b/queue-6.9/x86-microcode-amd-avoid-wformat-warning-with-clang-1.patch new file mode 100644 index 00000000000..803b7219d3f --- /dev/null +++ b/queue-6.9/x86-microcode-amd-avoid-wformat-warning-with-clang-1.patch @@ -0,0 +1,49 @@ +From 536924467609372b076082c5bd4dae7142ddd3dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 22:49:07 +0200 +Subject: x86/microcode/AMD: Avoid -Wformat warning with clang-15 + +From: Arnd Bergmann + +[ Upstream commit 9e11fc78e2df7a2649764413029441a0c897fb11 ] + +Older versions of clang show a warning for amd.c after a fix for a gcc +warning: + + arch/x86/kernel/cpu/microcode/amd.c:478:47: error: format specifies type \ + 'unsigned char' but the argument has type 'u16' (aka 'unsigned short') [-Werror,-Wformat] + "amd-ucode/microcode_amd_fam%02hhxh.bin", family); + ~~~~~~ ^~~~~~ + %02hx + +In clang-16 and higher, this warning is disabled by default, but clang-15 is +still supported, and it's trivial to avoid by adapting the types according +to the range of the passed data and the format string. + + [ bp: Massage commit message. ] + +Fixes: 2e9064faccd1 ("x86/microcode/amd: Fix snprintf() format string warning in W=1 build") +Signed-off-by: Arnd Bergmann +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20240405204919.1003409-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index 13b45b9c806da..620f0af713ca2 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -465,7 +465,7 @@ static bool early_apply_microcode(u32 cpuid_1_eax, u32 old_rev, void *ucode, siz + return !__apply_microcode_amd(mc); + } + +-static bool get_builtin_microcode(struct cpio_data *cp, unsigned int family) ++static bool get_builtin_microcode(struct cpio_data *cp, u8 family) + { + char fw_name[36] = "amd-ucode/microcode_amd.bin"; + struct firmware fw; +-- +2.43.0 + diff --git a/queue-6.9/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch b/queue-6.9/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch new file mode 100644 index 00000000000..74912ad82b3 --- /dev/null +++ b/queue-6.9/x86-numa-fix-srat-lookup-of-cfmws-ranges-with-numa_f.patch @@ -0,0 +1,118 @@ +From 42786d3fb7556de41bc827877ba2f6d8d267bb0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 15:10:09 +0200 +Subject: x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks() + +From: Robert Richter + +[ Upstream commit f9f67e5adc8dc2e1cc51ab2d3d6382fa97f074d4 ] + +For configurations that have the kconfig option NUMA_KEEP_MEMINFO +disabled, numa_fill_memblks() only returns with NUMA_NO_MEMBLK (-1). +SRAT lookup fails then because an existing SRAT memory range cannot be +found for a CFMWS address range. This causes the addition of a +duplicate numa_memblk with a different node id and a subsequent page +fault and kernel crash during boot. + +Fix this by making numa_fill_memblks() always available regardless of +NUMA_KEEP_MEMINFO. + +As Dan suggested, the fix is implemented to remove numa_fill_memblks() +from sparsemem.h and alos using __weak for the function. + +Note that the issue was initially introduced with [1]. But since +phys_to_target_node() was originally used that returned the valid node +0, an additional numa_memblk was not added. Though, the node id was +wrong too, a message is seen then in the logs: + + kernel/numa.c: pr_info_once("Unknown target node for memory at 0x%llx, assuming node 0\n", + +[1] commit fd49f99c1809 ("ACPI: NUMA: Add a node and memblk for each + CFMWS not in SRAT") + +Suggested-by: Dan Williams +Link: https://lore.kernel.org/all/66271b0072317_69102944c@dwillia2-xfh.jf.intel.com.notmuch/ +Fixes: 8f1004679987 ("ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window") +Reviewed-by: Jonathan Cameron +Reviewed-by: Alison Schofield +Reviewed-by: Dan Williams +Signed-off-by: Robert Richter +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/sparsemem.h | 2 -- + arch/x86/mm/numa.c | 4 ++-- + drivers/acpi/numa/srat.c | 5 +++++ + include/linux/numa.h | 7 +------ + 4 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/include/asm/sparsemem.h b/arch/x86/include/asm/sparsemem.h +index 1be13b2dfe8bf..64df897c0ee30 100644 +--- a/arch/x86/include/asm/sparsemem.h ++++ b/arch/x86/include/asm/sparsemem.h +@@ -37,8 +37,6 @@ extern int phys_to_target_node(phys_addr_t start); + #define phys_to_target_node phys_to_target_node + extern int memory_add_physaddr_to_nid(u64 start); + #define memory_add_physaddr_to_nid memory_add_physaddr_to_nid +-extern int numa_fill_memblks(u64 start, u64 end); +-#define numa_fill_memblks numa_fill_memblks + #endif + #endif /* __ASSEMBLY__ */ + +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index 65e9a6e391c04..ce84ba86e69e9 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -929,6 +929,8 @@ int memory_add_physaddr_to_nid(u64 start) + } + EXPORT_SYMBOL_GPL(memory_add_physaddr_to_nid); + ++#endif ++ + static int __init cmp_memblk(const void *a, const void *b) + { + const struct numa_memblk *ma = *(const struct numa_memblk **)a; +@@ -1001,5 +1003,3 @@ int __init numa_fill_memblks(u64 start, u64 end) + } + return 0; + } +- +-#endif +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index e45e64993c504..3b09fd39eeb4f 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -208,6 +208,11 @@ int __init srat_disabled(void) + return acpi_numa < 0; + } + ++__weak int __init numa_fill_memblks(u64 start, u64 end) ++{ ++ return NUMA_NO_MEMBLK; ++} ++ + #if defined(CONFIG_X86) || defined(CONFIG_ARM64) || defined(CONFIG_LOONGARCH) + /* + * Callback for SLIT parsing. pxm_to_node() returns NUMA_NO_NODE for +diff --git a/include/linux/numa.h b/include/linux/numa.h +index 915033a757315..1d43371fafd2f 100644 +--- a/include/linux/numa.h ++++ b/include/linux/numa.h +@@ -36,12 +36,7 @@ int memory_add_physaddr_to_nid(u64 start); + int phys_to_target_node(u64 start); + #endif + +-#ifndef numa_fill_memblks +-static inline int __init numa_fill_memblks(u64 start, u64 end) +-{ +- return NUMA_NO_MEMBLK; +-} +-#endif ++int numa_fill_memblks(u64 start, u64 end); + + #else /* !CONFIG_NUMA */ + static inline int numa_nearest_node(int node, unsigned int state) +-- +2.43.0 + diff --git a/queue-6.9/x86-pat-fix-w-x-violation-false-positives-when-runni.patch b/queue-6.9/x86-pat-fix-w-x-violation-false-positives-when-runni.patch new file mode 100644 index 00000000000..b44f1d264b0 --- /dev/null +++ b/queue-6.9/x86-pat-fix-w-x-violation-false-positives-when-runni.patch @@ -0,0 +1,144 @@ +From 5f99c29a56c7a1a94fcb4f307d05bef21e99f196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:58 +0200 +Subject: x86/pat: Fix W^X violation false-positives when running as Xen PV + guest + +From: Juergen Gross + +[ Upstream commit 5bc8b0f5dac04cd4ebe47f8090a5942f2f2647ef ] + +When running as Xen PV guest in some cases W^X violation WARN()s have +been observed. Those WARN()s are produced by verify_rwx(), which looks +into the PTE to verify that writable kernel pages have the NX bit set +in order to avoid code modifications of the kernel by rogue code. + +As the NX bits of all levels of translation entries are or-ed and the +RW bits of all levels are and-ed, looking just into the PTE isn't enough +for the decision that a writable page is executable, too. + +When running as a Xen PV guest, the direct map PMDs and kernel high +map PMDs share the same set of PTEs. Xen kernel initialization will set +the NX bit in the direct map PMD entries, and not the shared PTEs. + +Fixes: 652c5bf380ad ("x86/mm: Refuse W^X violations") +Reported-by: Jason Andryuk +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-5-jgross@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/set_memory.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index 4ebccaf29bf2a..19fdfbb171ed6 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -619,7 +619,8 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start, + * Validate strict W^X semantics. + */ + static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long start, +- unsigned long pfn, unsigned long npg) ++ unsigned long pfn, unsigned long npg, ++ bool nx, bool rw) + { + unsigned long end; + +@@ -641,6 +642,10 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star + if ((pgprot_val(new) & (_PAGE_RW | _PAGE_NX)) != _PAGE_RW) + return new; + ++ /* Non-leaf translation entries can disable writing or execution. */ ++ if (!rw || nx) ++ return new; ++ + end = start + npg * PAGE_SIZE - 1; + WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n", + (unsigned long long)pgprot_val(old), +@@ -742,7 +747,7 @@ pte_t *lookup_address(unsigned long address, unsigned int *level) + EXPORT_SYMBOL_GPL(lookup_address); + + static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, +- unsigned int *level) ++ unsigned int *level, bool *nx, bool *rw) + { + pgd_t *pgd; + +@@ -751,7 +756,7 @@ static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, + else + pgd = cpa->pgd + pgd_index(address); + +- return lookup_address_in_pgd(pgd, address, level); ++ return lookup_address_in_pgd_attr(pgd, address, level, nx, rw); + } + + /* +@@ -879,12 +884,13 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, + pgprot_t old_prot, new_prot, req_prot, chk_prot; + pte_t new_pte, *tmp; + enum pg_level level; ++ bool nx, rw; + + /* + * Check for races, another CPU might have split this page + * up already: + */ +- tmp = _lookup_address_cpa(cpa, address, &level); ++ tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (tmp != kpte) + return 1; + +@@ -995,7 +1001,8 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, + new_prot = static_protections(req_prot, lpaddr, old_pfn, numpages, + psize, CPA_DETECT); + +- new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages); ++ new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages, ++ nx, rw); + + /* + * If there is a conflict, split the large page. +@@ -1076,6 +1083,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, + pte_t *pbase = (pte_t *)page_address(base); + unsigned int i, level; + pgprot_t ref_prot; ++ bool nx, rw; + pte_t *tmp; + + spin_lock(&pgd_lock); +@@ -1083,7 +1091,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, + * Check for races, another CPU might have split this page + * up for us already: + */ +- tmp = _lookup_address_cpa(cpa, address, &level); ++ tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (tmp != kpte) { + spin_unlock(&pgd_lock); + return 1; +@@ -1624,10 +1632,11 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) + int do_split, err; + unsigned int level; + pte_t *kpte, old_pte; ++ bool nx, rw; + + address = __cpa_addr(cpa, cpa->curpage); + repeat: +- kpte = _lookup_address_cpa(cpa, address, &level); ++ kpte = _lookup_address_cpa(cpa, address, &level, &nx, &rw); + if (!kpte) + return __cpa_process_fault(cpa, address, primary); + +@@ -1649,7 +1658,8 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) + new_prot = static_protections(new_prot, address, pfn, 1, 0, + CPA_PROTECT); + +- new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1); ++ new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1, ++ nx, rw); + + new_prot = pgprot_clear_protnone_bits(new_prot); + +-- +2.43.0 + diff --git a/queue-6.9/x86-pat-introduce-lookup_address_in_pgd_attr.patch b/queue-6.9/x86-pat-introduce-lookup_address_in_pgd_attr.patch new file mode 100644 index 00000000000..b2d3f941a28 --- /dev/null +++ b/queue-6.9/x86-pat-introduce-lookup_address_in_pgd_attr.patch @@ -0,0 +1,127 @@ +From 9a28858751852a654ddd6ecd97a9f1c9ecd67a6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:55 +0200 +Subject: x86/pat: Introduce lookup_address_in_pgd_attr() + +From: Juergen Gross + +[ Upstream commit ceb647b4b529fdeca9021cd34486f5a170746bda ] + +Add lookup_address_in_pgd_attr() doing the same as the already +existing lookup_address_in_pgd(), but returning the effective settings +of the NX and RW bits of all walked page table levels, too. + +This will be needed in order to match hardware behavior when looking +for effective access rights, especially for detecting writable code +pages. + +In order to avoid code duplication, let lookup_address_in_pgd() call +lookup_address_in_pgd_attr() with dummy parameters. + +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-2-jgross@suse.com +Stable-dep-of: 5bc8b0f5dac0 ("x86/pat: Fix W^X violation false-positives when running as Xen PV guest") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable_types.h | 2 ++ + arch/x86/mm/pat/set_memory.c | 33 +++++++++++++++++++++++++--- + 2 files changed, 32 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index 9abb8cc4cd474..b786449626267 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -567,6 +567,8 @@ static inline void update_page_count(int level, unsigned long pages) { } + extern pte_t *lookup_address(unsigned long address, unsigned int *level); + extern pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + unsigned int *level); ++pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, ++ unsigned int *level, bool *nx, bool *rw); + extern pmd_t *lookup_pmd_address(unsigned long address); + extern phys_addr_t slow_virt_to_phys(void *__address); + extern int __init kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index 80c9037ffadff..bfa0aae45d48c 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -657,20 +657,26 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star + + /* + * Lookup the page table entry for a virtual address in a specific pgd. +- * Return a pointer to the entry and the level of the mapping. ++ * Return a pointer to the entry, the level of the mapping, and the effective ++ * NX and RW bits of all page table levels. + */ +-pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, +- unsigned int *level) ++pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, ++ unsigned int *level, bool *nx, bool *rw) + { + p4d_t *p4d; + pud_t *pud; + pmd_t *pmd; + + *level = PG_LEVEL_NONE; ++ *nx = false; ++ *rw = true; + + if (pgd_none(*pgd)) + return NULL; + ++ *nx |= pgd_flags(*pgd) & _PAGE_NX; ++ *rw &= pgd_flags(*pgd) & _PAGE_RW; ++ + p4d = p4d_offset(pgd, address); + if (p4d_none(*p4d)) + return NULL; +@@ -679,6 +685,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (p4d_leaf(*p4d) || !p4d_present(*p4d)) + return (pte_t *)p4d; + ++ *nx |= p4d_flags(*p4d) & _PAGE_NX; ++ *rw &= p4d_flags(*p4d) & _PAGE_RW; ++ + pud = pud_offset(p4d, address); + if (pud_none(*pud)) + return NULL; +@@ -687,6 +696,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (pud_leaf(*pud) || !pud_present(*pud)) + return (pte_t *)pud; + ++ *nx |= pud_flags(*pud) & _PAGE_NX; ++ *rw &= pud_flags(*pud) & _PAGE_RW; ++ + pmd = pmd_offset(pud, address); + if (pmd_none(*pmd)) + return NULL; +@@ -695,11 +707,26 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + if (pmd_leaf(*pmd) || !pmd_present(*pmd)) + return (pte_t *)pmd; + ++ *nx |= pmd_flags(*pmd) & _PAGE_NX; ++ *rw &= pmd_flags(*pmd) & _PAGE_RW; ++ + *level = PG_LEVEL_4K; + + return pte_offset_kernel(pmd, address); + } + ++/* ++ * Lookup the page table entry for a virtual address in a specific pgd. ++ * Return a pointer to the entry and the level of the mapping. ++ */ ++pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, ++ unsigned int *level) ++{ ++ bool nx, rw; ++ ++ return lookup_address_in_pgd_attr(pgd, address, level, &nx, &rw); ++} ++ + /* + * Lookup the page table entry for a virtual address. Return a pointer + * to the entry and the level of the mapping. +-- +2.43.0 + diff --git a/queue-6.9/x86-pat-restructure-_lookup_address_cpa.patch b/queue-6.9/x86-pat-restructure-_lookup_address_cpa.patch new file mode 100644 index 00000000000..93890741bca --- /dev/null +++ b/queue-6.9/x86-pat-restructure-_lookup_address_cpa.patch @@ -0,0 +1,51 @@ +From f65b5336afd46cbccd8513a62a93ac4ccd2f7056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:12:57 +0200 +Subject: x86/pat: Restructure _lookup_address_cpa() + +From: Juergen Gross + +[ Upstream commit 02eac06b820c3eae73e5736ae62f986d37fed991 ] + +Modify _lookup_address_cpa() to no longer use lookup_address(), but +only lookup_address_in_pgd(). + +This is done in preparation of using lookup_address_in_pgd_attr(). + +No functional change intended. + +Signed-off-by: Juergen Gross +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240412151258.9171-4-jgross@suse.com +Stable-dep-of: 5bc8b0f5dac0 ("x86/pat: Fix W^X violation false-positives when running as Xen PV guest") +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/set_memory.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index bfa0aae45d48c..4ebccaf29bf2a 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -744,11 +744,14 @@ EXPORT_SYMBOL_GPL(lookup_address); + static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, + unsigned int *level) + { +- if (cpa->pgd) +- return lookup_address_in_pgd(cpa->pgd + pgd_index(address), +- address, level); ++ pgd_t *pgd; ++ ++ if (!cpa->pgd) ++ pgd = pgd_offset_k(address); ++ else ++ pgd = cpa->pgd + pgd_index(address); + +- return lookup_address(address, level); ++ return lookup_address_in_pgd(pgd, address, level); + } + + /* +-- +2.43.0 + diff --git a/queue-6.9/x86-purgatory-switch-to-the-position-independent-sma.patch b/queue-6.9/x86-purgatory-switch-to-the-position-independent-sma.patch new file mode 100644 index 00000000000..da5548da304 --- /dev/null +++ b/queue-6.9/x86-purgatory-switch-to-the-position-independent-sma.patch @@ -0,0 +1,81 @@ +From 2dfca6a17dee673bebac3bfb6e44d56d6df1c3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 22:17:06 +0200 +Subject: x86/purgatory: Switch to the position-independent small code model + +From: Ard Biesheuvel + +[ Upstream commit cba786af84a0f9716204e09f518ce3b7ada8555e ] + +On x86, the ordinary, position dependent small and kernel code models +only support placement of the executable in 32-bit addressable memory, +due to the use of 32-bit signed immediates to generate references to +global variables. For the kernel, this implies that all global variables +must reside in the top 2 GiB of the kernel virtual address space, where +the implicit address bits 63:32 are equal to sign bit 31. + +This means the kernel code model is not suitable for other bare metal +executables such as the kexec purgatory, which can be placed arbitrarily +in the physical address space, where its address may no longer be +representable as a sign extended 32-bit quantity. For this reason, +commit + + e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") + +switched to the large code model, which uses 64-bit immediates for all +symbol references, including function calls, in order to avoid relying +on any assumptions regarding proximity of symbols in the final +executable. + +The large code model is rarely used, clunky and the least likely to +operate in a similar fashion when comparing GCC and Clang, so it is best +avoided. This is especially true now that Clang 18 has started to emit +executable code in two separate sections (.text and .ltext), which +triggers an issue in the kexec loading code at runtime. + +The SUSE bugzilla fixes tag points to gcc 13 having issues with the +large model too and that perhaps the large model should simply not be +used at all. + +Instead, use the position independent small code model, which makes no +assumptions about placement but only about proximity, where all +referenced symbols must be within -/+ 2 GiB, i.e., in range for a +RIP-relative reference. Use hidden visibility to suppress the use of a +GOT, which carries absolute addresses that are not covered by static ELF +relocations, and is therefore incompatible with the kexec loader's +relocation logic. + + [ bp: Massage commit message. ] + +Fixes: e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1211853 +Closes: https://github.com/ClangBuiltLinux/linux/issues/2016 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Acked-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/all/20240417-x86-fix-kexec-with-llvm-18-v1-0-5383121e8fb7@kernel.org/ +Signed-off-by: Sasha Levin +--- + arch/x86/purgatory/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile +index bc31863c5ee63..a18591f6e6d94 100644 +--- a/arch/x86/purgatory/Makefile ++++ b/arch/x86/purgatory/Makefile +@@ -42,7 +42,8 @@ KCOV_INSTRUMENT := n + # make up the standalone purgatory.ro + + PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel +-PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS := -mcmodel=small -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS += -fpic -fvisibility=hidden + PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING + PURGATORY_CFLAGS += -fno-stack-protector + +-- +2.43.0 + -- 2.47.3