From e977e56ccdca87d897f9c57e8d319ddc3288765b Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 2 Oct 2024 01:17:34 -0400 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...etting-file-private-on-concurrent-ls.patch | 156 ++++++++++++ ...rfs-reorder-btrfs_inode-to-fill-gaps.patch | 57 +++++ ...x-the-bitmap-dump-which-can-cause-bi.patch | 55 +++++ ...-comment-for-struct-btrfs_inode-lock.patch | 129 ++++++++++ ...ngs-spi-nxp-fspi-add-imx8ulp-support.patch | 39 +++ ...i-nxp-fspi-support-i.mx93-and-i.mx95.patch | 55 +++++ .../lib-bitmap-add-bitmap_-read-write.patch | 138 +++++++++++ ...add-an-error-check-in-parport_attach.patch | 65 +++++ ...-of-the-deprecated-ida_simple_xx-api.patch | 59 +++++ ...-uninitialized-value-in-uart_poll_in.patch | 73 ++++++ queue-6.6/series | 19 ++ ...alview-fix-memory-leak-during-device.patch | 50 ++++ ...alview-fix-soc_dev-leak-during-devic.patch | 63 +++++ ...al-kgdboc-fix-8250_-kgdb-over-serial.patch | 111 +++++++++ ...urex-fix-race-between-read-and-write.patch | 63 +++++ ...xhci-fix-loss-of-data-on-cadence-xhc.patch | 117 +++++++++ ...e-snprintf-with-the-safer-scnprintf-.patch | 77 ++++++ ...-unwanted-instrumentation-in-common_.patch | 112 +++++++++ ...orporate-definitions-declarations-of.patch | 225 ++++++++++++++++++ ...k-for-writing-erst-in-high-low-order.patch | 65 +++++ 20 files changed, 1728 insertions(+) create mode 100644 queue-6.6/btrfs-fix-race-setting-file-private-on-concurrent-ls.patch create mode 100644 queue-6.6/btrfs-reorder-btrfs_inode-to-fill-gaps.patch create mode 100644 queue-6.6/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bi.patch create mode 100644 queue-6.6/btrfs-update-comment-for-struct-btrfs_inode-lock.patch create mode 100644 queue-6.6/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch create mode 100644 queue-6.6/dt-bindings-spi-nxp-fspi-support-i.mx93-and-i.mx95.patch create mode 100644 queue-6.6/lib-bitmap-add-bitmap_-read-write.patch create mode 100644 queue-6.6/pps-add-an-error-check-in-parport_attach.patch create mode 100644 queue-6.6/pps-remove-usage-of-the-deprecated-ida_simple_xx-api.patch create mode 100644 queue-6.6/serial-don-t-use-uninitialized-value-in-uart_poll_in.patch create mode 100644 queue-6.6/soc-versatile-realview-fix-memory-leak-during-device.patch create mode 100644 queue-6.6/soc-versatile-realview-fix-soc_dev-leak-during-devic.patch create mode 100644 queue-6.6/tty-serial-kgdboc-fix-8250_-kgdb-over-serial.patch create mode 100644 queue-6.6/usb-misc-yurex-fix-race-between-read-and-write.patch create mode 100644 queue-6.6/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch create mode 100644 queue-6.6/usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch create mode 100644 queue-6.6/x86-entry-remove-unwanted-instrumentation-in-common_.patch create mode 100644 queue-6.6/x86-idtentry-incorporate-definitions-declarations-of.patch create mode 100644 queue-6.6/xhci-add-a-quirk-for-writing-erst-in-high-low-order.patch diff --git a/queue-6.6/btrfs-fix-race-setting-file-private-on-concurrent-ls.patch b/queue-6.6/btrfs-fix-race-setting-file-private-on-concurrent-ls.patch new file mode 100644 index 00000000000..938c1fba9a0 --- /dev/null +++ b/queue-6.6/btrfs-fix-race-setting-file-private-on-concurrent-ls.patch @@ -0,0 +1,156 @@ +From 6a1429215d08d2186e75af8183dc46a5200a8294 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 10:55:36 +0100 +Subject: btrfs: fix race setting file private on concurrent lseek using same + fd + +From: Filipe Manana + +[ Upstream commit 7ee85f5515e86a4e2a2f51969795920733912bad ] + +When doing concurrent lseek(2) system calls against the same file +descriptor, using multiple threads belonging to the same process, we have +a short time window where a race happens and can result in a memory leak. + +The race happens like this: + +1) A program opens a file descriptor for a file and then spawns two + threads (with the pthreads library for example), lets call them + task A and task B; + +2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at + file.c:find_desired_extent() while holding a read lock on the inode; + +3) At the start of find_desired_extent(), it extracts the file's + private_data pointer into a local variable named 'private', which has + a value of NULL; + +4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode + in shared mode and enters file.c:find_desired_extent(), where it also + extracts file->private_data into its local variable 'private', which + has a NULL value; + +5) Because it saw a NULL file private, task A allocates a private + structure and assigns to the file structure; + +6) Task B also saw a NULL file private so it also allocates its own file + private and then assigns it to the same file structure, since both + tasks are using the same file descriptor. + + At this point we leak the private structure allocated by task A. + +Besides the memory leak, there's also the detail that both tasks end up +using the same cached state record in the private structure (struct +btrfs_file_private::llseek_cached_state), which can result in a +use-after-free problem since one task can free it while the other is +still using it (only one task took a reference count on it). Also, sharing +the cached state is not a good idea since it could result in incorrect +results in the future - right now it should not be a problem because it +end ups being used only in extent-io-tree.c:count_range_bits() where we do +range validation before using the cached state. + +Fix this by protecting the private assignment and check of a file while +holding the inode's spinlock and keep track of the task that allocated +the private, so that it's used only by that task in order to prevent +user-after-free issues with the cached state record as well as potentially +using it incorrectly in the future. + +Fixes: 3c32c7212f16 ("btrfs: use cached state when looking for delalloc ranges with lseek") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/btrfs_inode.h | 1 + + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/file.c | 34 +++++++++++++++++++++++++++++++--- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h +index e9a979d0a9585..ec6679a538c1d 100644 +--- a/fs/btrfs/btrfs_inode.h ++++ b/fs/btrfs/btrfs_inode.h +@@ -85,6 +85,7 @@ struct btrfs_inode { + * logged_trans), to access/update delalloc_bytes, new_delalloc_bytes, + * defrag_bytes, disk_i_size, outstanding_extents, csum_bytes and to + * update the VFS' inode number of bytes used. ++ * Also protects setting struct file::private_data. + */ + spinlock_t lock; + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 06333a74d6c4c..f7bb4c34b984b 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -445,6 +445,8 @@ struct btrfs_file_private { + void *filldir_buf; + u64 last_index; + struct extent_state *llseek_cached_state; ++ /* Task that allocated this structure. */ ++ struct task_struct *owner_task; + }; + + static inline u32 BTRFS_LEAF_DATA_SIZE(const struct btrfs_fs_info *info) +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 15fd8c00f4c08..fc6c91773bc89 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -3481,7 +3481,7 @@ static bool find_desired_extent_in_hole(struct btrfs_inode *inode, int whence, + static loff_t find_desired_extent(struct file *file, loff_t offset, int whence) + { + struct btrfs_inode *inode = BTRFS_I(file->f_mapping->host); +- struct btrfs_file_private *private = file->private_data; ++ struct btrfs_file_private *private; + struct btrfs_fs_info *fs_info = inode->root->fs_info; + struct extent_state *cached_state = NULL; + struct extent_state **delalloc_cached_state; +@@ -3509,7 +3509,19 @@ static loff_t find_desired_extent(struct file *file, loff_t offset, int whence) + inode_get_bytes(&inode->vfs_inode) == i_size) + return i_size; + +- if (!private) { ++ spin_lock(&inode->lock); ++ private = file->private_data; ++ spin_unlock(&inode->lock); ++ ++ if (private && private->owner_task != current) { ++ /* ++ * Not allocated by us, don't use it as its cached state is used ++ * by the task that allocated it and we don't want neither to ++ * mess with it nor get incorrect results because it reflects an ++ * invalid state for the current task. ++ */ ++ private = NULL; ++ } else if (!private) { + private = kzalloc(sizeof(*private), GFP_KERNEL); + /* + * No worries if memory allocation failed. +@@ -3517,7 +3529,23 @@ static loff_t find_desired_extent(struct file *file, loff_t offset, int whence) + * lseek SEEK_HOLE/DATA calls to a file when there's delalloc, + * so everything will still be correct. + */ +- file->private_data = private; ++ if (private) { ++ bool free = false; ++ ++ private->owner_task = current; ++ ++ spin_lock(&inode->lock); ++ if (file->private_data) ++ free = true; ++ else ++ file->private_data = private; ++ spin_unlock(&inode->lock); ++ ++ if (free) { ++ kfree(private); ++ private = NULL; ++ } ++ } + } + + if (private) +-- +2.43.0 + diff --git a/queue-6.6/btrfs-reorder-btrfs_inode-to-fill-gaps.patch b/queue-6.6/btrfs-reorder-btrfs_inode-to-fill-gaps.patch new file mode 100644 index 00000000000..bffe1317aef --- /dev/null +++ b/queue-6.6/btrfs-reorder-btrfs_inode-to-fill-gaps.patch @@ -0,0 +1,57 @@ +From 6f376e5856018b35f0f732c67af58f2d180253d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 21:04:32 +0200 +Subject: btrfs: reorder btrfs_inode to fill gaps + +From: David Sterba + +[ Upstream commit 398fb9131f31bd25aa187613c9942f4232e952b7 ] + +Previous commit created a hole in struct btrfs_inode, we can move +outstanding_extents there. This reduces size by 8 bytes from 1120 to +1112 on a release config. + +Signed-off-by: David Sterba +Stable-dep-of: 7ee85f5515e8 ("btrfs: fix race setting file private on concurrent lseek using same fd") +Signed-off-by: Sasha Levin +--- + fs/btrfs/btrfs_inode.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h +index bda1fdbba666a..b75c7f5934780 100644 +--- a/fs/btrfs/btrfs_inode.h ++++ b/fs/btrfs/btrfs_inode.h +@@ -102,6 +102,14 @@ struct btrfs_inode { + /* held while logging the inode in tree-log.c */ + struct mutex log_mutex; + ++ /* ++ * Counters to keep track of the number of extent item's we may use due ++ * to delalloc and such. outstanding_extents is the number of extent ++ * items we think we'll end up using, and reserved_extents is the number ++ * of extent items we've reserved metadata for. ++ */ ++ unsigned outstanding_extents; ++ + /* used to order data wrt metadata */ + struct btrfs_ordered_inode_tree ordered_tree; + +@@ -223,14 +231,6 @@ struct btrfs_inode { + /* Read-only compatibility flags, upper half of inode_item::flags */ + u32 ro_flags; + +- /* +- * Counters to keep track of the number of extent item's we may use due +- * to delalloc and such. outstanding_extents is the number of extent +- * items we think we'll end up using, and reserved_extents is the number +- * of extent items we've reserved metadata for. +- */ +- unsigned outstanding_extents; +- + struct btrfs_block_rsv block_rsv; + + /* +-- +2.43.0 + diff --git a/queue-6.6/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bi.patch b/queue-6.6/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bi.patch new file mode 100644 index 00000000000..30a5aedf8cd --- /dev/null +++ b/queue-6.6/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bi.patch @@ -0,0 +1,55 @@ +From 0ee6c631ddf129206d318890c6460cdceb05603e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 16:35:48 +0930 +Subject: btrfs: subpage: fix the bitmap dump which can cause bitmap corruption + +From: Qu Wenruo + +[ Upstream commit 77b0b98bb743f5d04d8f995ba1936e1143689d4a ] + +In commit 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for +debug") an internal macro GET_SUBPAGE_BITMAP() is introduced to grab the +bitmap of each attribute. + +But that commit is using bitmap_cut() which will do the left shift of +the larger bitmap, causing incorrect values. + +Thankfully this bitmap_cut() is only called for debug usage, and so far +it's not yet causing problem. + +Fix it to use bitmap_read() to only grab the desired sub-bitmap. + +Fixes: 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for debug") +CC: stable@vger.kernel.org # 6.6+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/subpage.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/subpage.c b/fs/btrfs/subpage.c +index 1b999c6e41930..b98d42ca55647 100644 +--- a/fs/btrfs/subpage.c ++++ b/fs/btrfs/subpage.c +@@ -713,8 +713,14 @@ void btrfs_page_unlock_writer(struct btrfs_fs_info *fs_info, struct page *page, + } + + #define GET_SUBPAGE_BITMAP(subpage, subpage_info, name, dst) \ +- bitmap_cut(dst, subpage->bitmaps, 0, \ +- subpage_info->name##_offset, subpage_info->bitmap_nr_bits) ++{ \ ++ const int bitmap_nr_bits = subpage_info->bitmap_nr_bits; \ ++ \ ++ ASSERT(bitmap_nr_bits < BITS_PER_LONG); \ ++ *dst = bitmap_read(subpage->bitmaps, \ ++ subpage_info->name##_offset, \ ++ bitmap_nr_bits); \ ++} + + void __cold btrfs_subpage_dump_bitmap(const struct btrfs_fs_info *fs_info, + struct page *page, u64 start, u32 len) +-- +2.43.0 + diff --git a/queue-6.6/btrfs-update-comment-for-struct-btrfs_inode-lock.patch b/queue-6.6/btrfs-update-comment-for-struct-btrfs_inode-lock.patch new file mode 100644 index 00000000000..8e57f03550c --- /dev/null +++ b/queue-6.6/btrfs-update-comment-for-struct-btrfs_inode-lock.patch @@ -0,0 +1,129 @@ +From ef89aa4243059a7d94c227705f37f1a0bca4ec90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 11:38:53 +0100 +Subject: btrfs: update comment for struct btrfs_inode::lock + +From: Filipe Manana + +[ Upstream commit 68539bd0e73b457f88a9d00cabb6533ec8582dc9 ] + +Update the comment for the lock named "lock" in struct btrfs_inode because +it does not mention that the fields "delalloc_bytes", "defrag_bytes", +"csum_bytes", "outstanding_extents" and "disk_i_size" are also protected +by that lock. + +Also add a comment on top of each field protected by this lock to mention +that the lock protects them. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: 7ee85f5515e8 ("btrfs: fix race setting file private on concurrent lseek using same fd") +Signed-off-by: Sasha Levin +--- + fs/btrfs/btrfs_inode.h | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h +index b75c7f5934780..e9a979d0a9585 100644 +--- a/fs/btrfs/btrfs_inode.h ++++ b/fs/btrfs/btrfs_inode.h +@@ -82,8 +82,9 @@ struct btrfs_inode { + /* + * Lock for counters and all fields used to determine if the inode is in + * the log or not (last_trans, last_sub_trans, last_log_commit, +- * logged_trans), to access/update new_delalloc_bytes and to update the +- * VFS' inode number of bytes used. ++ * logged_trans), to access/update delalloc_bytes, new_delalloc_bytes, ++ * defrag_bytes, disk_i_size, outstanding_extents, csum_bytes and to ++ * update the VFS' inode number of bytes used. + */ + spinlock_t lock; + +@@ -106,7 +107,7 @@ struct btrfs_inode { + * Counters to keep track of the number of extent item's we may use due + * to delalloc and such. outstanding_extents is the number of extent + * items we think we'll end up using, and reserved_extents is the number +- * of extent items we've reserved metadata for. ++ * of extent items we've reserved metadata for. Protected by 'lock'. + */ + unsigned outstanding_extents; + +@@ -130,28 +131,31 @@ struct btrfs_inode { + u64 generation; + + /* +- * transid of the trans_handle that last modified this inode ++ * ID of the transaction handle that last modified this inode. ++ * Protected by 'lock'. + */ + u64 last_trans; + + /* +- * transid that last logged this inode ++ * ID of the transaction that last logged this inode. ++ * Protected by 'lock'. + */ + u64 logged_trans; + + /* +- * log transid when this inode was last modified ++ * Log transaction ID when this inode was last modified. ++ * Protected by 'lock'. + */ + int last_sub_trans; + +- /* a local copy of root's last_log_commit */ ++ /* A local copy of root's last_log_commit. Protected by 'lock'. */ + int last_log_commit; + + union { + /* + * Total number of bytes pending delalloc, used by stat to + * calculate the real block usage of the file. This is used +- * only for files. ++ * only for files. Protected by 'lock'. + */ + u64 delalloc_bytes; + /* +@@ -169,7 +173,7 @@ struct btrfs_inode { + * Total number of bytes pending delalloc that fall within a file + * range that is either a hole or beyond EOF (and no prealloc extent + * exists in the range). This is always <= delalloc_bytes and this +- * is used only for files. ++ * is used only for files. Protected by 'lock'. + */ + u64 new_delalloc_bytes; + /* +@@ -180,15 +184,15 @@ struct btrfs_inode { + }; + + /* +- * total number of bytes pending defrag, used by stat to check whether +- * it needs COW. ++ * Total number of bytes pending defrag, used by stat to check whether ++ * it needs COW. Protected by 'lock'. + */ + u64 defrag_bytes; + + /* +- * the size of the file stored in the metadata on disk. data=ordered ++ * The size of the file stored in the metadata on disk. data=ordered + * means the in-memory i_size might be larger than the size on disk +- * because not all the blocks are written yet. ++ * because not all the blocks are written yet. Protected by 'lock'. + */ + u64 disk_i_size; + +@@ -222,7 +226,7 @@ struct btrfs_inode { + + /* + * Number of bytes outstanding that are going to need csums. This is +- * used in ENOSPC accounting. ++ * used in ENOSPC accounting. Protected by 'lock'. + */ + u64 csum_bytes; + +-- +2.43.0 + diff --git a/queue-6.6/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch b/queue-6.6/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch new file mode 100644 index 00000000000..e0ed3409074 --- /dev/null +++ b/queue-6.6/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch @@ -0,0 +1,39 @@ +From c15b18b658a279077463d236e54f83e51699082d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 17:43:35 +0800 +Subject: dt-bindings: spi: nxp-fspi: add imx8ulp support + +From: Haibo Chen + +[ Upstream commit 12736adc43b7cd5cb83f274f8f37b0f89d107c97 ] + +The flexspi on imx8ulp only has 16 number of LUTs, it is different +with flexspi on other imx SoC which has 32 number of LUTs. + +Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") +Cc: stable@kernel.org +Acked-by: Krzysztof Kozlowski +Signed-off-by: Haibo Chen +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20240905094338.1986871-2-haibo.chen@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml +index 4a5f41bde00f3..902db92da8320 100644 +--- a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml ++++ b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml +@@ -21,6 +21,7 @@ properties: + - nxp,imx8mm-fspi + - nxp,imx8mp-fspi + - nxp,imx8qxp-fspi ++ - nxp,imx8ulp-fspi + - nxp,lx2160a-fspi + - items: + - enum: +-- +2.43.0 + diff --git a/queue-6.6/dt-bindings-spi-nxp-fspi-support-i.mx93-and-i.mx95.patch b/queue-6.6/dt-bindings-spi-nxp-fspi-support-i.mx93-and-i.mx95.patch new file mode 100644 index 00000000000..8a6742da159 --- /dev/null +++ b/queue-6.6/dt-bindings-spi-nxp-fspi-support-i.mx93-and-i.mx95.patch @@ -0,0 +1,55 @@ +From f2ac4e43aaacb47a2d04ae6cfdc822db772829dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 17:15:10 +0800 +Subject: dt-bindings: spi: nxp-fspi: support i.MX93 and i.MX95 + +From: Peng Fan + +[ Upstream commit 18ab9e9e8889ecba23a5e8b7f8924f09284e33d8 ] + +Add i.MX93/95 flexspi compatible strings, which are compatible with +i.MX8MM + +Signed-off-by: Peng Fan +Acked-by: Han Xu +Acked-by: Conor Dooley +Link: https://msgid.link/r/20240122091510.2077498-2-peng.fan@oss.nxp.com +Signed-off-by: Mark Brown +Stable-dep-of: 12736adc43b7 ("dt-bindings: spi: nxp-fspi: add imx8ulp support") +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/spi/spi-nxp-fspi.yaml | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml +index 7fd5911454800..4a5f41bde00f3 100644 +--- a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml ++++ b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml +@@ -15,12 +15,18 @@ allOf: + + properties: + compatible: +- enum: +- - nxp,imx8dxl-fspi +- - nxp,imx8mm-fspi +- - nxp,imx8mp-fspi +- - nxp,imx8qxp-fspi +- - nxp,lx2160a-fspi ++ oneOf: ++ - enum: ++ - nxp,imx8dxl-fspi ++ - nxp,imx8mm-fspi ++ - nxp,imx8mp-fspi ++ - nxp,imx8qxp-fspi ++ - nxp,lx2160a-fspi ++ - items: ++ - enum: ++ - nxp,imx93-fspi ++ - nxp,imx95-fspi ++ - const: nxp,imx8mm-fspi + + reg: + items: +-- +2.43.0 + diff --git a/queue-6.6/lib-bitmap-add-bitmap_-read-write.patch b/queue-6.6/lib-bitmap-add-bitmap_-read-write.patch new file mode 100644 index 00000000000..c8cf03d5535 --- /dev/null +++ b/queue-6.6/lib-bitmap-add-bitmap_-read-write.patch @@ -0,0 +1,138 @@ +From e02e44af9e4b5e896dd23c67b6490f36860f0327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 16:23:38 +0100 +Subject: lib/bitmap: add bitmap_{read,write}() + +From: Syed Nayyar Waris + +[ Upstream commit 63c15822b8dd02a2423cfd92232245ace3f7a11b ] + +The two new functions allow reading/writing values of length up to +BITS_PER_LONG bits at arbitrary position in the bitmap. + +The code was taken from "bitops: Introduce the for_each_set_clump macro" +by Syed Nayyar Waris with a number of changes and simplifications: + - instead of using roundup(), which adds an unnecessary dependency + on , we calculate space as BITS_PER_LONG-offset; + - indentation is reduced by not using else-clauses (suggested by + checkpatch for bitmap_get_value()); + - bitmap_get_value()/bitmap_set_value() are renamed to bitmap_read() + and bitmap_write(); + - some redundant computations are omitted. + +Cc: Arnd Bergmann +Signed-off-by: Syed Nayyar Waris +Signed-off-by: William Breathitt Gray +Link: https://lore.kernel.org/lkml/fe12eedf3666f4af5138de0e70b67a07c7f40338.1592224129.git.syednwaris@gmail.com/ +Suggested-by: Yury Norov +Co-developed-by: Alexander Potapenko +Signed-off-by: Alexander Potapenko +Reviewed-by: Andy Shevchenko +Acked-by: Yury Norov +Signed-off-by: Yury Norov +Signed-off-by: Alexander Lobakin +Signed-off-by: David S. Miller +Stable-dep-of: 77b0b98bb743 ("btrfs: subpage: fix the bitmap dump which can cause bitmap corruption") +Signed-off-by: Sasha Levin +--- + include/linux/bitmap.h | 77 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 77 insertions(+) + +diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h +index 3c8d2b87a9edc..729ec2453149f 100644 +--- a/include/linux/bitmap.h ++++ b/include/linux/bitmap.h +@@ -77,6 +77,10 @@ struct device; + * bitmap_to_arr64(buf, src, nbits) Copy nbits from buf to u64[] dst + * bitmap_get_value8(map, start) Get 8bit value from map at start + * bitmap_set_value8(map, value, start) Set 8bit value to map at start ++ * bitmap_read(map, start, nbits) Read an nbits-sized value from ++ * map at start ++ * bitmap_write(map, value, start, nbits) Write an nbits-sized value to ++ * map at start + * + * Note, bitmap_zero() and bitmap_fill() operate over the region of + * unsigned longs, that is, bits behind bitmap till the unsigned long +@@ -613,6 +617,79 @@ static inline void bitmap_set_value8(unsigned long *map, unsigned long value, + map[index] |= value << offset; + } + ++/** ++ * bitmap_read - read a value of n-bits from the memory region ++ * @map: address to the bitmap memory region ++ * @start: bit offset of the n-bit value ++ * @nbits: size of value in bits, nonzero, up to BITS_PER_LONG ++ * ++ * Returns: value of @nbits bits located at the @start bit offset within the ++ * @map memory region. For @nbits = 0 and @nbits > BITS_PER_LONG the return ++ * value is undefined. ++ */ ++static inline unsigned long bitmap_read(const unsigned long *map, ++ unsigned long start, ++ unsigned long nbits) ++{ ++ size_t index = BIT_WORD(start); ++ unsigned long offset = start % BITS_PER_LONG; ++ unsigned long space = BITS_PER_LONG - offset; ++ unsigned long value_low, value_high; ++ ++ if (unlikely(!nbits || nbits > BITS_PER_LONG)) ++ return 0; ++ ++ if (space >= nbits) ++ return (map[index] >> offset) & BITMAP_LAST_WORD_MASK(nbits); ++ ++ value_low = map[index] & BITMAP_FIRST_WORD_MASK(start); ++ value_high = map[index + 1] & BITMAP_LAST_WORD_MASK(start + nbits); ++ return (value_low >> offset) | (value_high << space); ++} ++ ++/** ++ * bitmap_write - write n-bit value within a memory region ++ * @map: address to the bitmap memory region ++ * @value: value to write, clamped to nbits ++ * @start: bit offset of the n-bit value ++ * @nbits: size of value in bits, nonzero, up to BITS_PER_LONG. ++ * ++ * bitmap_write() behaves as-if implemented as @nbits calls of __assign_bit(), ++ * i.e. bits beyond @nbits are ignored: ++ * ++ * for (bit = 0; bit < nbits; bit++) ++ * __assign_bit(start + bit, bitmap, val & BIT(bit)); ++ * ++ * For @nbits == 0 and @nbits > BITS_PER_LONG no writes are performed. ++ */ ++static inline void bitmap_write(unsigned long *map, unsigned long value, ++ unsigned long start, unsigned long nbits) ++{ ++ size_t index; ++ unsigned long offset; ++ unsigned long space; ++ unsigned long mask; ++ bool fit; ++ ++ if (unlikely(!nbits || nbits > BITS_PER_LONG)) ++ return; ++ ++ mask = BITMAP_LAST_WORD_MASK(nbits); ++ value &= mask; ++ offset = start % BITS_PER_LONG; ++ space = BITS_PER_LONG - offset; ++ fit = space >= nbits; ++ index = BIT_WORD(start); ++ ++ map[index] &= (fit ? (~(mask << offset)) : ~BITMAP_FIRST_WORD_MASK(start)); ++ map[index] |= value << offset; ++ if (fit) ++ return; ++ ++ map[index + 1] &= BITMAP_FIRST_WORD_MASK(start + nbits); ++ map[index + 1] |= (value >> space); ++} ++ + #endif /* __ASSEMBLY__ */ + + #endif /* __LINUX_BITMAP_H */ +-- +2.43.0 + diff --git a/queue-6.6/pps-add-an-error-check-in-parport_attach.patch b/queue-6.6/pps-add-an-error-check-in-parport_attach.patch new file mode 100644 index 00000000000..484ade6ffa8 --- /dev/null +++ b/queue-6.6/pps-add-an-error-check-in-parport_attach.patch @@ -0,0 +1,65 @@ +From 3c412e2f6e8934dead0528a2dad27d80f80a8be9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 21:18:14 +0800 +Subject: pps: add an error check in parport_attach + +From: Ma Ke + +[ Upstream commit 62c5a01a5711c8e4be8ae7b6f0db663094615d48 ] + +In parport_attach, the return value of ida_alloc is unchecked, witch leads +to the use of an invalid index value. + +To address this issue, index should be checked. When the index value is +abnormal, the device should be freed. + +Found by code review, compile tested only. + +Cc: stable@vger.kernel.org +Fixes: fb56d97df70e ("pps: client: use new parport device model") +Signed-off-by: Ma Ke +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/20240828131814.3034338-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/pps/clients/pps_parport.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/pps/clients/pps_parport.c b/drivers/pps/clients/pps_parport.c +index af972cdc04b53..53e9c304ae0a7 100644 +--- a/drivers/pps/clients/pps_parport.c ++++ b/drivers/pps/clients/pps_parport.c +@@ -149,6 +149,9 @@ static void parport_attach(struct parport *port) + } + + index = ida_alloc(&pps_client_index, GFP_KERNEL); ++ if (index < 0) ++ goto err_free_device; ++ + memset(&pps_client_cb, 0, sizeof(pps_client_cb)); + pps_client_cb.private = device; + pps_client_cb.irq_func = parport_irq; +@@ -159,7 +162,7 @@ static void parport_attach(struct parport *port) + index); + if (!device->pardev) { + pr_err("couldn't register with %s\n", port->name); +- goto err_free; ++ goto err_free_ida; + } + + if (parport_claim_or_block(device->pardev) < 0) { +@@ -187,8 +190,9 @@ static void parport_attach(struct parport *port) + parport_release(device->pardev); + err_unregister_dev: + parport_unregister_device(device->pardev); +-err_free: ++err_free_ida: + ida_free(&pps_client_index, index); ++err_free_device: + kfree(device); + } + +-- +2.43.0 + diff --git a/queue-6.6/pps-remove-usage-of-the-deprecated-ida_simple_xx-api.patch b/queue-6.6/pps-remove-usage-of-the-deprecated-ida_simple_xx-api.patch new file mode 100644 index 00000000000..80b3684dec7 --- /dev/null +++ b/queue-6.6/pps-remove-usage-of-the-deprecated-ida_simple_xx-api.patch @@ -0,0 +1,59 @@ +From 166cd2840e79554bfb9a53a0be32c52f9577ee84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 12:10:17 +0200 +Subject: pps: remove usage of the deprecated ida_simple_xx() API + +From: Christophe JAILLET + +[ Upstream commit 55dbc5b5174d0e7d1fa397d05aa4cb145e8b887e ] + +ida_alloc() and ida_free() should be preferred to the deprecated +ida_simple_get() and ida_simple_remove(). + +This is less verbose. + +Link: https://lkml.kernel.org/r/9f681747d446b874952a892491387d79ffe565a9.1713089394.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Cc: Rodolfo Giometti +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Stable-dep-of: 62c5a01a5711 ("pps: add an error check in parport_attach") +Signed-off-by: Sasha Levin +--- + drivers/pps/clients/pps_parport.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pps/clients/pps_parport.c b/drivers/pps/clients/pps_parport.c +index 42f93d4c6ee32..af972cdc04b53 100644 +--- a/drivers/pps/clients/pps_parport.c ++++ b/drivers/pps/clients/pps_parport.c +@@ -148,7 +148,7 @@ static void parport_attach(struct parport *port) + return; + } + +- index = ida_simple_get(&pps_client_index, 0, 0, GFP_KERNEL); ++ index = ida_alloc(&pps_client_index, GFP_KERNEL); + memset(&pps_client_cb, 0, sizeof(pps_client_cb)); + pps_client_cb.private = device; + pps_client_cb.irq_func = parport_irq; +@@ -188,7 +188,7 @@ static void parport_attach(struct parport *port) + err_unregister_dev: + parport_unregister_device(device->pardev); + err_free: +- ida_simple_remove(&pps_client_index, index); ++ ida_free(&pps_client_index, index); + kfree(device); + } + +@@ -208,7 +208,7 @@ static void parport_detach(struct parport *port) + pps_unregister_source(device->pps); + parport_release(pardev); + parport_unregister_device(pardev); +- ida_simple_remove(&pps_client_index, device->index); ++ ida_free(&pps_client_index, device->index); + kfree(device); + } + +-- +2.43.0 + diff --git a/queue-6.6/serial-don-t-use-uninitialized-value-in-uart_poll_in.patch b/queue-6.6/serial-don-t-use-uninitialized-value-in-uart_poll_in.patch new file mode 100644 index 00000000000..3e94c6a154a --- /dev/null +++ b/queue-6.6/serial-don-t-use-uninitialized-value-in-uart_poll_in.patch @@ -0,0 +1,73 @@ +From d359c7c35d2fd925b184b57b22c1cf7afe95bbd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 12:20:36 +0200 +Subject: serial: don't use uninitialized value in uart_poll_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby (SUSE) + +[ Upstream commit d0009a32c9e4e083358092f3c97e3c6e803a8930 ] + +Coverity reports (as CID 1536978) that uart_poll_init() passes +uninitialized pm_state to uart_change_pm(). It is in case the first 'if' +takes the true branch (does "goto out;"). + +Fix this and simplify the function by simple guard(mutex). The code +needs no labels after this at all. And it is pretty clear that the code +has not fiddled with pm_state at that point. + +Signed-off-by: Jiri Slaby (SUSE) +Fixes: 5e227ef2aa38 (serial: uart_poll_init() should power on the UART) +Cc: stable@vger.kernel.org +Cc: Douglas Anderson +Cc: Greg Kroah-Hartman +Reviewed-by: Ilpo Järvinen +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240805102046.307511-4-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 3fb55f46a8914..5d5570bebfeb6 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2694,14 +2694,13 @@ static int uart_poll_init(struct tty_driver *driver, int line, char *options) + int ret = 0; + + tport = &state->port; +- mutex_lock(&tport->mutex); ++ ++ guard(mutex)(&tport->mutex); + + port = uart_port_check(state); + if (!port || port->type == PORT_UNKNOWN || +- !(port->ops->poll_get_char && port->ops->poll_put_char)) { +- ret = -1; +- goto out; +- } ++ !(port->ops->poll_get_char && port->ops->poll_put_char)) ++ return -1; + + pm_state = state->pm_state; + uart_change_pm(state, UART_PM_STATE_ON); +@@ -2721,10 +2720,10 @@ static int uart_poll_init(struct tty_driver *driver, int line, char *options) + ret = uart_set_options(port, NULL, baud, parity, bits, flow); + console_list_unlock(); + } +-out: ++ + if (ret) + uart_change_pm(state, pm_state); +- mutex_unlock(&tport->mutex); ++ + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 59623c1ad62..ef6b0fcc972 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -487,3 +487,22 @@ cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.pat padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch +soc-versatile-realview-fix-memory-leak-during-device.patch +soc-versatile-realview-fix-soc_dev-leak-during-devic.patch +usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch +usb-misc-yurex-fix-race-between-read-and-write.patch +xhci-add-a-quirk-for-writing-erst-in-high-low-order.patch +usb-xhci-fix-loss-of-data-on-cadence-xhc.patch +pps-remove-usage-of-the-deprecated-ida_simple_xx-api.patch +pps-add-an-error-check-in-parport_attach.patch +tty-serial-kgdboc-fix-8250_-kgdb-over-serial.patch +serial-don-t-use-uninitialized-value-in-uart_poll_in.patch +x86-idtentry-incorporate-definitions-declarations-of.patch +x86-entry-remove-unwanted-instrumentation-in-common_.patch +lib-bitmap-add-bitmap_-read-write.patch +btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bi.patch +btrfs-reorder-btrfs_inode-to-fill-gaps.patch +btrfs-update-comment-for-struct-btrfs_inode-lock.patch +btrfs-fix-race-setting-file-private-on-concurrent-ls.patch +dt-bindings-spi-nxp-fspi-support-i.mx93-and-i.mx95.patch +dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch diff --git a/queue-6.6/soc-versatile-realview-fix-memory-leak-during-device.patch b/queue-6.6/soc-versatile-realview-fix-memory-leak-during-device.patch new file mode 100644 index 00000000000..cb3b178e6b2 --- /dev/null +++ b/queue-6.6/soc-versatile-realview-fix-memory-leak-during-device.patch @@ -0,0 +1,50 @@ +From 508ad93cbb86386fdff8bd64c31c75598300761b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 20:05:23 +0200 +Subject: soc: versatile: realview: fix memory leak during device remove + +From: Krzysztof Kozlowski + +[ Upstream commit 1c4f26a41f9d052f334f6ae629e01f598ed93508 ] + +If device is unbound, the memory allocated for soc_dev_attr should be +freed to prevent leaks. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-2-ff4b35abed83@linaro.org +Signed-off-by: Linus Walleij +Stable-dep-of: c774f2564c00 ("soc: versatile: realview: fix soc_dev leak during device remove") +Signed-off-by: Sasha Levin +--- + drivers/soc/versatile/soc-realview.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/versatile/soc-realview.c b/drivers/soc/versatile/soc-realview.c +index c6876d232d8fd..d304ee69287af 100644 +--- a/drivers/soc/versatile/soc-realview.c ++++ b/drivers/soc/versatile/soc-realview.c +@@ -93,7 +93,7 @@ static int realview_soc_probe(struct platform_device *pdev) + if (IS_ERR(syscon_regmap)) + return PTR_ERR(syscon_regmap); + +- soc_dev_attr = kzalloc(sizeof(*soc_dev_attr), GFP_KERNEL); ++ soc_dev_attr = devm_kzalloc(&pdev->dev, sizeof(*soc_dev_attr), GFP_KERNEL); + if (!soc_dev_attr) + return -ENOMEM; + +@@ -106,10 +106,9 @@ static int realview_soc_probe(struct platform_device *pdev) + soc_dev_attr->family = "Versatile"; + soc_dev_attr->custom_attr_group = realview_groups[0]; + soc_dev = soc_device_register(soc_dev_attr); +- if (IS_ERR(soc_dev)) { +- kfree(soc_dev_attr); ++ if (IS_ERR(soc_dev)) + return -ENODEV; +- } ++ + ret = regmap_read(syscon_regmap, REALVIEW_SYS_ID_OFFSET, + &realview_coreid); + if (ret) +-- +2.43.0 + diff --git a/queue-6.6/soc-versatile-realview-fix-soc_dev-leak-during-devic.patch b/queue-6.6/soc-versatile-realview-fix-soc_dev-leak-during-devic.patch new file mode 100644 index 00000000000..b8ab36294f0 --- /dev/null +++ b/queue-6.6/soc-versatile-realview-fix-soc_dev-leak-during-devic.patch @@ -0,0 +1,63 @@ +From 45667e904bfba3ea45958bbbd667bd1b76d1b720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 20:05:24 +0200 +Subject: soc: versatile: realview: fix soc_dev leak during device remove + +From: Krzysztof Kozlowski + +[ Upstream commit c774f2564c0086c23f5269fd4691f233756bf075 ] + +If device is unbound, the soc_dev should be unregistered to prevent +memory leak. + +Fixes: a2974c9c1f83 ("soc: add driver for the ARM RealView") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-3-ff4b35abed83@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/soc/versatile/soc-realview.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/soc/versatile/soc-realview.c b/drivers/soc/versatile/soc-realview.c +index d304ee69287af..cf91abe07d38d 100644 +--- a/drivers/soc/versatile/soc-realview.c ++++ b/drivers/soc/versatile/soc-realview.c +@@ -4,6 +4,7 @@ + * + * Author: Linus Walleij + */ ++#include + #include + #include + #include +@@ -81,6 +82,13 @@ static struct attribute *realview_attrs[] = { + + ATTRIBUTE_GROUPS(realview); + ++static void realview_soc_socdev_release(void *data) ++{ ++ struct soc_device *soc_dev = data; ++ ++ soc_device_unregister(soc_dev); ++} ++ + static int realview_soc_probe(struct platform_device *pdev) + { + struct regmap *syscon_regmap; +@@ -109,6 +117,11 @@ static int realview_soc_probe(struct platform_device *pdev) + if (IS_ERR(soc_dev)) + return -ENODEV; + ++ ret = devm_add_action_or_reset(&pdev->dev, realview_soc_socdev_release, ++ soc_dev); ++ if (ret) ++ return ret; ++ + ret = regmap_read(syscon_regmap, REALVIEW_SYS_ID_OFFSET, + &realview_coreid); + if (ret) +-- +2.43.0 + diff --git a/queue-6.6/tty-serial-kgdboc-fix-8250_-kgdb-over-serial.patch b/queue-6.6/tty-serial-kgdboc-fix-8250_-kgdb-over-serial.patch new file mode 100644 index 00000000000..6dc98fe8cb8 --- /dev/null +++ b/queue-6.6/tty-serial-kgdboc-fix-8250_-kgdb-over-serial.patch @@ -0,0 +1,111 @@ +From 6e1e24980b025fd7e6f0d89728be0fdb46ae9675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 14:12:00 +0100 +Subject: tty: serial: kgdboc: Fix 8250_* kgdb over serial + +From: Michael Trimarchi + +[ Upstream commit 788aeef392d27545ae99af2875068a9dd0531d5f ] + +Check if port type is not PORT_UNKNOWN during poll_init. +The kgdboc calls the tty_find_polling_driver that check +if the serial is able to use poll_init. The poll_init calls +the uart uart_poll_init that try to configure the uart with the +selected boot parameters. The uart must be ready before setting +parameters. Seems that PORT_UNKNOWN is already used by other +functions in serial_core to detect uart status, so use the same +to avoid to use it in invalid state. + +The crash happen for instance in am62x architecture where the 8250 +register the platform driver after the 8250 core is initialized. + +Follow the report crash coming from KGDB + +Thread 2 received signal SIGSEGV, Segmentation fault. +[Switching to Thread 1] +_outb (addr=, value=) at ./include/asm-generic/io.h:584 +584 __raw_writeb(value, PCI_IOBASE + addr); +(gdb) bt + +This section of the code is too early because in this case +the omap serial is not probed + +Thread 2 received signal SIGSEGV, Segmentation fault. +[Switching to Thread 1] +_outb (addr=, value=) at ./include/asm-generic/io.h:584 +584 __raw_writeb(value, PCI_IOBASE + addr); +(gdb) bt + +Thread 2 received signal SIGSEGV, Segmentation fault. +[Switching to Thread 1] +_outb (addr=, value=) at ./include/asm-generic/io.h:584 +584 __raw_writeb(value, PCI_IOBASE + addr); +(gdb) bt +0 _outb (addr=, value=) at ./include/asm-generic/io.h:584 +1 logic_outb (value=0 '\000', addr=18446739675637874689) at lib/logic_pio.c:299 +2 0xffff80008082dfcc in io_serial_out (p=0x0, offset=16760830, value=0) at drivers/tty/serial/8250/8250_port.c:416 +3 0xffff80008082fe34 in serial_port_out (value=, offset=, up=) + at ./include/linux/serial_core.h:677 +4 serial8250_do_set_termios (port=0xffff8000828ee940 , termios=0xffff80008292b93c, old=0x0) + at drivers/tty/serial/8250/8250_port.c:2860 +5 0xffff800080830064 in serial8250_set_termios (port=0xfffffbfffe800000, termios=0xffbffe, old=0x0) + at drivers/tty/serial/8250/8250_port.c:2912 +6 0xffff80008082571c in uart_set_options (port=0xffff8000828ee940 , co=0x0, baud=115200, parity=110, bits=8, flow=110) + at drivers/tty/serial/serial_core.c:2285 +7 0xffff800080828434 in uart_poll_init (driver=0xfffffbfffe800000, line=16760830, options=0xffff8000828f7506 "115200n8") + at drivers/tty/serial/serial_core.c:2656 +8 0xffff800080801690 in tty_find_polling_driver (name=0xffff8000828f7500 "ttyS2,115200n8", line=0xffff80008292ba90) + at drivers/tty/tty_io.c:410 +9 0xffff80008086c0b0 in configure_kgdboc () at drivers/tty/serial/kgdboc.c:194 +10 0xffff80008086c1ec in kgdboc_probe (pdev=0xfffffbfffe800000) at drivers/tty/serial/kgdboc.c:249 +11 0xffff8000808b399c in platform_probe (_dev=0xffff000000ebb810) at drivers/base/platform.c:1404 +12 0xffff8000808b0b44 in call_driver_probe (drv=, dev=) at drivers/base/dd.c:579 +13 really_probe (dev=0xffff000000ebb810, drv=0xffff80008277f138 ) at drivers/base/dd.c:658 +14 0xffff8000808b0d2c in __driver_probe_device (drv=0xffff80008277f138 , dev=0xffff000000ebb810) + at drivers/base/dd.c:800 +15 0xffff8000808b0eb8 in driver_probe_device (drv=0xfffffbfffe800000, dev=0xffff000000ebb810) at drivers/base/dd.c:830 +16 0xffff8000808b0ff4 in __device_attach_driver (drv=0xffff80008277f138 , _data=0xffff80008292bc48) + at drivers/base/dd.c:958 +17 0xffff8000808ae970 in bus_for_each_drv (bus=0xfffffbfffe800000, start=0x0, data=0xffff80008292bc48, + fn=0xffff8000808b0f3c <__device_attach_driver>) at drivers/base/bus.c:457 +18 0xffff8000808b1408 in __device_attach (dev=0xffff000000ebb810, allow_async=true) at drivers/base/dd.c:1030 +19 0xffff8000808b16d8 in device_initial_probe (dev=0xfffffbfffe800000) at drivers/base/dd.c:1079 +20 0xffff8000808af9f4 in bus_probe_device (dev=0xffff000000ebb810) at drivers/base/bus.c:532 +21 0xffff8000808ac77c in device_add (dev=0xfffffbfffe800000) at drivers/base/core.c:3625 +22 0xffff8000808b3428 in platform_device_add (pdev=0xffff000000ebb800) at drivers/base/platform.c:716 +23 0xffff800081b5dc0c in init_kgdboc () at drivers/tty/serial/kgdboc.c:292 +24 0xffff800080014db0 in do_one_initcall (fn=0xffff800081b5dba4 ) at init/main.c:1236 +25 0xffff800081b0114c in do_initcall_level (command_line=, level=) at init/main.c:1298 +26 do_initcalls () at init/main.c:1314 +27 do_basic_setup () at init/main.c:1333 +28 kernel_init_freeable () at init/main.c:1551 +29 0xffff8000810271ec in kernel_init (unused=0xfffffbfffe800000) at init/main.c:1441 +30 0xffff800080015e80 in ret_from_fork () at arch/arm64/kernel/entry.S:857 + +Reviewed-by: Douglas Anderson +Signed-off-by: Michael Trimarchi +Link: https://lore.kernel.org/r/20231224131200.266224-1-michael@amarulasolutions.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: d0009a32c9e4 ("serial: don't use uninitialized value in uart_poll_init()") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index ed8798fdf522a..3fb55f46a8914 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2697,7 +2697,8 @@ static int uart_poll_init(struct tty_driver *driver, int line, char *options) + mutex_lock(&tport->mutex); + + port = uart_port_check(state); +- if (!port || !(port->ops->poll_get_char && port->ops->poll_put_char)) { ++ if (!port || port->type == PORT_UNKNOWN || ++ !(port->ops->poll_get_char && port->ops->poll_put_char)) { + ret = -1; + goto out; + } +-- +2.43.0 + diff --git a/queue-6.6/usb-misc-yurex-fix-race-between-read-and-write.patch b/queue-6.6/usb-misc-yurex-fix-race-between-read-and-write.patch new file mode 100644 index 00000000000..c2926e98629 --- /dev/null +++ b/queue-6.6/usb-misc-yurex-fix-race-between-read-and-write.patch @@ -0,0 +1,63 @@ +From e61b6c8873a8ebcdc696b5e9018c315592b8ca86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 15:21:22 +0200 +Subject: USB: misc: yurex: fix race between read and write + +From: Oliver Neukum + +[ Upstream commit 93907620b308609c72ba4b95b09a6aa2658bb553 ] + +The write code path touches the bbu member in a non atomic manner +without taking the spinlock. Fix it. + +The bug is as old as the driver. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/yurex.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 5a13cddace0e6..44136989f6c6a 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + struct usb_yurex *dev; + int len = 0; + char in_buffer[MAX_S64_STRLEN]; +- unsigned long flags; + + dev = file->private_data; + +@@ -417,9 +416,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN)) + return -EIO; + +- spin_lock_irqsave(&dev->lock, flags); ++ spin_lock_irq(&dev->lock); + scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu); +- spin_unlock_irqrestore(&dev->lock, flags); ++ spin_unlock_irq(&dev->lock); + mutex_unlock(&dev->io_mutex); + + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); +@@ -509,8 +508,11 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, + __func__, retval); + goto error; + } +- if (set && timeout) ++ if (set && timeout) { ++ spin_lock_irq(&dev->lock); + dev->bbu = c2; ++ spin_unlock_irq(&dev->lock); ++ } + return timeout ? count : -EIO; + + error: +-- +2.43.0 + diff --git a/queue-6.6/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch b/queue-6.6/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch new file mode 100644 index 00000000000..081284ecf8d --- /dev/null +++ b/queue-6.6/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch @@ -0,0 +1,117 @@ +From 7f8a03afa248b787fa5d2ad3e216862894c93a05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 07:03:28 +0000 +Subject: usb: xhci: fix loss of data on Cadence xHC + +From: Pawel Laszczak + +[ Upstream commit e5fa8db0be3e8757e8641600c518425a4589b85c ] + +Streams should flush their TRB cache, re-read TRBs, and start executing +TRBs from the beginning of the new dequeue pointer after a 'Set TR Dequeue +Pointer' command. + +Cadence controllers may fail to start from the beginning of the dequeue +TRB as it doesn't clear the Opaque 'RsvdO' field of the stream context +during 'Set TR Dequeue' command. This stream context area is where xHC +stores information about the last partially executed TD when a stream +is stopped. xHC uses this information to resume the transfer where it left +mid TD, when the stream is restarted. + +Patch fixes this by clearing out all RsvdO fields before initializing new +Stream transfer using a 'Set TR Dequeue Pointer' command. + +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +cc: stable@vger.kernel.org +Signed-off-by: Pawel Laszczak +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/PH7PR07MB95386A40146E3EC64086F409DD9D2@PH7PR07MB9538.namprd07.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/cdns3/host.c | 4 +++- + drivers/usb/host/xhci-pci.c | 7 +++++++ + drivers/usb/host/xhci-ring.c | 14 ++++++++++++++ + drivers/usb/host/xhci.h | 1 + + 4 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/cdns3/host.c b/drivers/usb/cdns3/host.c +index ceca4d839dfd4..7ba760ee62e33 100644 +--- a/drivers/usb/cdns3/host.c ++++ b/drivers/usb/cdns3/host.c +@@ -62,7 +62,9 @@ static const struct xhci_plat_priv xhci_plat_cdns3_xhci = { + .resume_quirk = xhci_cdns3_resume_quirk, + }; + +-static const struct xhci_plat_priv xhci_plat_cdnsp_xhci; ++static const struct xhci_plat_priv xhci_plat_cdnsp_xhci = { ++ .quirks = XHCI_CDNS_SCTX_QUIRK, ++}; + + static int __cdns_host_init(struct cdns *cdns) + { +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 5c6fb99582113..dd02b064ecd4b 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -75,6 +75,9 @@ + #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 + #define PCI_DEVICE_ID_ASMEDIA_3242_XHCI 0x3242 + ++#define PCI_DEVICE_ID_CADENCE 0x17CD ++#define PCI_DEVICE_ID_CADENCE_SSP 0x0200 ++ + static const char hcd_name[] = "xhci_hcd"; + + static struct hc_driver __read_mostly xhci_pci_hc_driver; +@@ -539,6 +542,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH; + } + ++ if (pdev->vendor == PCI_DEVICE_ID_CADENCE && ++ pdev->device == PCI_DEVICE_ID_CADENCE_SSP) ++ xhci->quirks |= XHCI_CDNS_SCTX_QUIRK; ++ + /* xHC spec requires PCI devices to support D3hot and D3cold */ + if (xhci->hci_version >= 0x120) + xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 8dd85221cd927..95d8cf24b0154 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1414,6 +1414,20 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, + struct xhci_stream_ctx *ctx = + &ep->stream_info->stream_ctx_array[stream_id]; + deq = le64_to_cpu(ctx->stream_ring) & SCTX_DEQ_MASK; ++ ++ /* ++ * Cadence xHCI controllers store some endpoint state ++ * information within Rsvd0 fields of Stream Endpoint ++ * context. This field is not cleared during Set TR ++ * Dequeue Pointer command which causes XDMA to skip ++ * over transfer ring and leads to data loss on stream ++ * pipe. ++ * To fix this issue driver must clear Rsvd0 field. ++ */ ++ if (xhci->quirks & XHCI_CDNS_SCTX_QUIRK) { ++ ctx->reserved[0] = 0; ++ ctx->reserved[1] = 0; ++ } + } else { + deq = le64_to_cpu(ep_ctx->deq) & ~EP_CTX_CYCLE_MASK; + } +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 8e4d465b9dd66..f5efee06ff067 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1915,6 +1915,7 @@ struct xhci_hcd { + #define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45) + #define XHCI_ZHAOXIN_HOST BIT_ULL(46) + #define XHCI_WRITE_64_HI_LO BIT_ULL(47) ++#define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) + + unsigned int num_active_eps; + unsigned int limit_active_eps; +-- +2.43.0 + diff --git a/queue-6.6/usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch b/queue-6.6/usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch new file mode 100644 index 00000000000..68d2adf7bca --- /dev/null +++ b/queue-6.6/usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch @@ -0,0 +1,77 @@ +From 9b2fb74f730da691cb7f879f3aa9026971dae41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 16:42:37 +0000 +Subject: usb: yurex: Replace snprintf() with the safer scnprintf() variant + +From: Lee Jones + +[ Upstream commit 86b20af11e84c26ae3fde4dcc4f490948e3f8035 ] + +There is a general misunderstanding amongst engineers that {v}snprintf() +returns the length of the data *actually* encoded into the destination +array. However, as per the C99 standard {v}snprintf() really returns +the length of the data that *would have been* written if there were +enough space for it. This misunderstanding has led to buffer-overruns +in the past. It's generally considered safer to use the {v}scnprintf() +variants in their place (or even sprintf() in simple cases). So let's +do that. + +Whilst we're at it, let's define some magic numbers to increase +readability and ease of maintenance. + +Link: https://lwn.net/Articles/69419/ +Link: https://github.com/KSPP/linux/issues/105 +Cc: Tomoki Sekiyama +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20231213164246.1021885-9-lee@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 93907620b308 ("USB: misc: yurex: fix race between read and write") +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/yurex.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index c640f98d20c54..5a13cddace0e6 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -34,6 +34,8 @@ + #define YUREX_BUF_SIZE 8 + #define YUREX_WRITE_TIMEOUT (HZ*2) + ++#define MAX_S64_STRLEN 20 /* {-}922337203685477580{7,8} */ ++ + /* table of devices that work with this driver */ + static struct usb_device_id yurex_table[] = { + { USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) }, +@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + { + struct usb_yurex *dev; + int len = 0; +- char in_buffer[20]; ++ char in_buffer[MAX_S64_STRLEN]; + unsigned long flags; + + dev = file->private_data; +@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + return -ENODEV; + } + ++ if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN)) ++ return -EIO; ++ + spin_lock_irqsave(&dev->lock, flags); +- len = snprintf(in_buffer, 20, "%lld\n", dev->bbu); ++ scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu); + spin_unlock_irqrestore(&dev->lock, flags); + mutex_unlock(&dev->io_mutex); + +- if (WARN_ON_ONCE(len >= sizeof(in_buffer))) +- return -EIO; +- + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); + } + +-- +2.43.0 + diff --git a/queue-6.6/x86-entry-remove-unwanted-instrumentation-in-common_.patch b/queue-6.6/x86-entry-remove-unwanted-instrumentation-in-common_.patch new file mode 100644 index 00000000000..0501be8d94a --- /dev/null +++ b/queue-6.6/x86-entry-remove-unwanted-instrumentation-in-common_.patch @@ -0,0 +1,112 @@ +From e1145902a6010ad78e091563cdfe10b0d8605242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 09:50:30 +0200 +Subject: x86/entry: Remove unwanted instrumentation in common_interrupt() + +From: Dmitry Vyukov + +[ Upstream commit 477d81a1c47a1b79b9c08fc92b5dea3c5143800b ] + +common_interrupt() and related variants call kvm_set_cpu_l1tf_flush_l1d(), +which is neither marked noinstr nor __always_inline. + +So compiler puts it out of line and adds instrumentation to it. Since the +call is inside of instrumentation_begin/end(), objtool does not warn about +it. + +The manifestation is that KCOV produces spurious coverage in +kvm_set_cpu_l1tf_flush_l1d() in random places because the call happens when +preempt count is not yet updated to say that the kernel is in an interrupt. + +Mark kvm_set_cpu_l1tf_flush_l1d() as __always_inline and move it out of the +instrumentation_begin/end() section. It only calls __this_cpu_write() +which is already safe to call in noinstr contexts. + +Fixes: 6368558c3710 ("x86/entry: Provide IDTENTRY_SYSVEC") +Signed-off-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Alexander Potapenko +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/3f9a1de9e415fcb53d07dc9e19fa8481bb021b1b.1718092070.git.dvyukov@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/hardirq.h | 8 ++++++-- + arch/x86/include/asm/idtentry.h | 6 +++--- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/include/asm/hardirq.h b/arch/x86/include/asm/hardirq.h +index 66837b8c67f1a..f2e245741afc2 100644 +--- a/arch/x86/include/asm/hardirq.h ++++ b/arch/x86/include/asm/hardirq.h +@@ -63,7 +63,11 @@ extern u64 arch_irq_stat(void); + #define local_softirq_pending_ref pcpu_hot.softirq_pending + + #if IS_ENABLED(CONFIG_KVM_INTEL) +-static inline void kvm_set_cpu_l1tf_flush_l1d(void) ++/* ++ * This function is called from noinstr interrupt contexts ++ * and must be inlined to not get instrumentation. ++ */ ++static __always_inline void kvm_set_cpu_l1tf_flush_l1d(void) + { + __this_cpu_write(irq_stat.kvm_cpu_l1tf_flush_l1d, 1); + } +@@ -78,7 +82,7 @@ static __always_inline bool kvm_get_cpu_l1tf_flush_l1d(void) + return __this_cpu_read(irq_stat.kvm_cpu_l1tf_flush_l1d); + } + #else /* !IS_ENABLED(CONFIG_KVM_INTEL) */ +-static inline void kvm_set_cpu_l1tf_flush_l1d(void) { } ++static __always_inline void kvm_set_cpu_l1tf_flush_l1d(void) { } + #endif /* IS_ENABLED(CONFIG_KVM_INTEL) */ + + #endif /* _ASM_X86_HARDIRQ_H */ +diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h +index e2585f61082cd..10603e185111d 100644 +--- a/arch/x86/include/asm/idtentry.h ++++ b/arch/x86/include/asm/idtentry.h +@@ -212,8 +212,8 @@ __visible noinstr void func(struct pt_regs *regs, \ + irqentry_state_t state = irqentry_enter(regs); \ + u32 vector = (u32)(u8)error_code; \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + run_irq_on_irqstack_cond(__##func, regs, vector); \ + instrumentation_end(); \ + irqentry_exit(regs, state); \ +@@ -250,7 +250,6 @@ static void __##func(struct pt_regs *regs); \ + \ + static __always_inline void instr_##func(struct pt_regs *regs) \ + { \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + run_sysvec_on_irqstack_cond(__##func, regs); \ + } \ + \ +@@ -258,6 +257,7 @@ __visible noinstr void func(struct pt_regs *regs) \ + { \ + irqentry_state_t state = irqentry_enter(regs); \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ + instr_##func (regs); \ + instrumentation_end(); \ +@@ -288,7 +288,6 @@ static __always_inline void __##func(struct pt_regs *regs); \ + static __always_inline void instr_##func(struct pt_regs *regs) \ + { \ + __irq_enter_raw(); \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + __##func (regs); \ + __irq_exit_raw(); \ + } \ +@@ -297,6 +296,7 @@ __visible noinstr void func(struct pt_regs *regs) \ + { \ + irqentry_state_t state = irqentry_enter(regs); \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ + instr_##func (regs); \ + instrumentation_end(); \ +-- +2.43.0 + diff --git a/queue-6.6/x86-idtentry-incorporate-definitions-declarations-of.patch b/queue-6.6/x86-idtentry-incorporate-definitions-declarations-of.patch new file mode 100644 index 00000000000..9fc563a413c --- /dev/null +++ b/queue-6.6/x86-idtentry-incorporate-definitions-declarations-of.patch @@ -0,0 +1,225 @@ +From 87691b166a0cdfdf44768c4cc2a1a33e5f78adbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 02:50:11 -0800 +Subject: x86/idtentry: Incorporate definitions/declarations of the FRED + entries + +From: Xin Li + +[ Upstream commit 90f357208200a941e90e75757123326684d715d0 ] + +FRED and IDT can share most of the definitions and declarations so +that in the majority of cases the actual handler implementation is the +same. + +The differences are the exceptions where FRED stores exception related +information on the stack and the sysvec implementations as FRED can +handle irqentry/exit() in the dispatcher instead of having it in each +handler. + +Also add stub defines for vectors which are not used due to Kconfig +decisions to spare the ifdeffery in the actual FRED dispatch code. + +Suggested-by: Thomas Gleixner +Signed-off-by: Xin Li +Signed-off-by: Thomas Gleixner +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Shan Kang +Link: https://lore.kernel.org/r/20231205105030.8698-23-xin3.li@intel.com +Stable-dep-of: 477d81a1c47a ("x86/entry: Remove unwanted instrumentation in common_interrupt()") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/idtentry.h | 71 +++++++++++++++++++++++++++++---- + 1 file changed, 63 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h +index 13639e57e1f8a..e2585f61082cd 100644 +--- a/arch/x86/include/asm/idtentry.h ++++ b/arch/x86/include/asm/idtentry.h +@@ -13,15 +13,18 @@ + + #include + ++typedef void (*idtentry_t)(struct pt_regs *regs); ++ + /** + * DECLARE_IDTENTRY - Declare functions for simple IDT entry points + * No error code pushed by hardware + * @vector: Vector number (ignored for C) + * @func: Function name of the entry point + * +- * Declares three functions: ++ * Declares four functions: + * - The ASM entry point: asm_##func + * - The XEN PV trap entry point: xen_##func (maybe unused) ++ * - The C handler called from the FRED event dispatcher (maybe unused) + * - The C handler called from the ASM entry point + * + * Note: This is the C variant of DECLARE_IDTENTRY(). As the name says it +@@ -31,6 +34,7 @@ + #define DECLARE_IDTENTRY(vector, func) \ + asmlinkage void asm_##func(void); \ + asmlinkage void xen_asm_##func(void); \ ++ void fred_##func(struct pt_regs *regs); \ + __visible void func(struct pt_regs *regs) + + /** +@@ -137,6 +141,17 @@ static __always_inline void __##func(struct pt_regs *regs, \ + #define DEFINE_IDTENTRY_RAW(func) \ + __visible noinstr void func(struct pt_regs *regs) + ++/** ++ * DEFINE_FREDENTRY_RAW - Emit code for raw FRED entry points ++ * @func: Function name of the entry point ++ * ++ * @func is called from the FRED event dispatcher with interrupts disabled. ++ * ++ * See @DEFINE_IDTENTRY_RAW for further details. ++ */ ++#define DEFINE_FREDENTRY_RAW(func) \ ++noinstr void fred_##func(struct pt_regs *regs) ++ + /** + * DECLARE_IDTENTRY_RAW_ERRORCODE - Declare functions for raw IDT entry points + * Error code pushed by hardware +@@ -233,17 +248,27 @@ static noinline void __##func(struct pt_regs *regs, u32 vector) + #define DEFINE_IDTENTRY_SYSVEC(func) \ + static void __##func(struct pt_regs *regs); \ + \ ++static __always_inline void instr_##func(struct pt_regs *regs) \ ++{ \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ ++ run_sysvec_on_irqstack_cond(__##func, regs); \ ++} \ ++ \ + __visible noinstr void func(struct pt_regs *regs) \ + { \ + irqentry_state_t state = irqentry_enter(regs); \ + \ + instrumentation_begin(); \ +- kvm_set_cpu_l1tf_flush_l1d(); \ +- run_sysvec_on_irqstack_cond(__##func, regs); \ ++ instr_##func (regs); \ + instrumentation_end(); \ + irqentry_exit(regs, state); \ + } \ + \ ++void fred_##func(struct pt_regs *regs) \ ++{ \ ++ instr_##func (regs); \ ++} \ ++ \ + static noinline void __##func(struct pt_regs *regs) + + /** +@@ -260,19 +285,29 @@ static noinline void __##func(struct pt_regs *regs) + #define DEFINE_IDTENTRY_SYSVEC_SIMPLE(func) \ + static __always_inline void __##func(struct pt_regs *regs); \ + \ +-__visible noinstr void func(struct pt_regs *regs) \ ++static __always_inline void instr_##func(struct pt_regs *regs) \ + { \ +- irqentry_state_t state = irqentry_enter(regs); \ +- \ +- instrumentation_begin(); \ + __irq_enter_raw(); \ + kvm_set_cpu_l1tf_flush_l1d(); \ + __##func (regs); \ + __irq_exit_raw(); \ ++} \ ++ \ ++__visible noinstr void func(struct pt_regs *regs) \ ++{ \ ++ irqentry_state_t state = irqentry_enter(regs); \ ++ \ ++ instrumentation_begin(); \ ++ instr_##func (regs); \ + instrumentation_end(); \ + irqentry_exit(regs, state); \ + } \ + \ ++void fred_##func(struct pt_regs *regs) \ ++{ \ ++ instr_##func (regs); \ ++} \ ++ \ + static __always_inline void __##func(struct pt_regs *regs) + + /** +@@ -410,15 +445,18 @@ __visible noinstr void func(struct pt_regs *regs, \ + /* C-Code mapping */ + #define DECLARE_IDTENTRY_NMI DECLARE_IDTENTRY_RAW + #define DEFINE_IDTENTRY_NMI DEFINE_IDTENTRY_RAW ++#define DEFINE_FREDENTRY_NMI DEFINE_FREDENTRY_RAW + + #ifdef CONFIG_X86_64 + #define DECLARE_IDTENTRY_MCE DECLARE_IDTENTRY_IST + #define DEFINE_IDTENTRY_MCE DEFINE_IDTENTRY_IST + #define DEFINE_IDTENTRY_MCE_USER DEFINE_IDTENTRY_NOIST ++#define DEFINE_FREDENTRY_MCE DEFINE_FREDENTRY_RAW + + #define DECLARE_IDTENTRY_DEBUG DECLARE_IDTENTRY_IST + #define DEFINE_IDTENTRY_DEBUG DEFINE_IDTENTRY_IST + #define DEFINE_IDTENTRY_DEBUG_USER DEFINE_IDTENTRY_NOIST ++#define DEFINE_FREDENTRY_DEBUG DEFINE_FREDENTRY_RAW + #endif + + #else /* !__ASSEMBLY__ */ +@@ -655,23 +693,36 @@ DECLARE_IDTENTRY(RESCHEDULE_VECTOR, sysvec_reschedule_ipi); + DECLARE_IDTENTRY_SYSVEC(REBOOT_VECTOR, sysvec_reboot); + DECLARE_IDTENTRY_SYSVEC(CALL_FUNCTION_SINGLE_VECTOR, sysvec_call_function_single); + DECLARE_IDTENTRY_SYSVEC(CALL_FUNCTION_VECTOR, sysvec_call_function); ++#else ++# define fred_sysvec_reschedule_ipi NULL ++# define fred_sysvec_reboot NULL ++# define fred_sysvec_call_function_single NULL ++# define fred_sysvec_call_function NULL + #endif + + #ifdef CONFIG_X86_LOCAL_APIC + # ifdef CONFIG_X86_MCE_THRESHOLD + DECLARE_IDTENTRY_SYSVEC(THRESHOLD_APIC_VECTOR, sysvec_threshold); ++# else ++# define fred_sysvec_threshold NULL + # endif + + # ifdef CONFIG_X86_MCE_AMD + DECLARE_IDTENTRY_SYSVEC(DEFERRED_ERROR_VECTOR, sysvec_deferred_error); ++# else ++# define fred_sysvec_deferred_error NULL + # endif + + # ifdef CONFIG_X86_THERMAL_VECTOR + DECLARE_IDTENTRY_SYSVEC(THERMAL_APIC_VECTOR, sysvec_thermal); ++# else ++# define fred_sysvec_thermal NULL + # endif + + # ifdef CONFIG_IRQ_WORK + DECLARE_IDTENTRY_SYSVEC(IRQ_WORK_VECTOR, sysvec_irq_work); ++# else ++# define fred_sysvec_irq_work NULL + # endif + #endif + +@@ -679,12 +730,16 @@ DECLARE_IDTENTRY_SYSVEC(IRQ_WORK_VECTOR, sysvec_irq_work); + DECLARE_IDTENTRY_SYSVEC(POSTED_INTR_VECTOR, sysvec_kvm_posted_intr_ipi); + DECLARE_IDTENTRY_SYSVEC(POSTED_INTR_WAKEUP_VECTOR, sysvec_kvm_posted_intr_wakeup_ipi); + DECLARE_IDTENTRY_SYSVEC(POSTED_INTR_NESTED_VECTOR, sysvec_kvm_posted_intr_nested_ipi); ++#else ++# define fred_sysvec_kvm_posted_intr_ipi NULL ++# define fred_sysvec_kvm_posted_intr_wakeup_ipi NULL ++# define fred_sysvec_kvm_posted_intr_nested_ipi NULL + #endif + + #if IS_ENABLED(CONFIG_HYPERV) + DECLARE_IDTENTRY_SYSVEC(HYPERVISOR_CALLBACK_VECTOR, sysvec_hyperv_callback); + DECLARE_IDTENTRY_SYSVEC(HYPERV_REENLIGHTENMENT_VECTOR, sysvec_hyperv_reenlightenment); +-DECLARE_IDTENTRY_SYSVEC(HYPERV_STIMER0_VECTOR, sysvec_hyperv_stimer0); ++DECLARE_IDTENTRY_SYSVEC(HYPERV_STIMER0_VECTOR, sysvec_hyperv_stimer0); + #endif + + #if IS_ENABLED(CONFIG_ACRN_GUEST) +-- +2.43.0 + diff --git a/queue-6.6/xhci-add-a-quirk-for-writing-erst-in-high-low-order.patch b/queue-6.6/xhci-add-a-quirk-for-writing-erst-in-high-low-order.patch new file mode 100644 index 00000000000..30428b4e06f --- /dev/null +++ b/queue-6.6/xhci-add-a-quirk-for-writing-erst-in-high-low-order.patch @@ -0,0 +1,65 @@ +From 75a214a82b4ba3b31ee6d0bbee2360a0121cd9f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 20:39:12 +0900 +Subject: xhci: Add a quirk for writing ERST in high-low order + +From: Daehwan Jung + +[ Upstream commit bc162403e33e1d57e40994977acaf19f1434e460 ] + +This quirk is for the controller that has a limitation in supporting +separate ERSTBA_HI and ERSTBA_LO programming. It's supported when +the ERSTBA is programmed ERSTBA_HI before ERSTBA_LO. That's because +the internal initialization of event ring fetches the +"Event Ring Segment Table Entry" based on the indication of ERSTBA_LO +written. + +Signed-off-by: Daehwan Jung +Link: https://lore.kernel.org/r/1718019553-111939-3-git-send-email-dh10.jung@samsung.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: e5fa8db0be3e ("usb: xhci: fix loss of data on Cadence xHC") +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 5 ++++- + drivers/usb/host/xhci.h | 2 ++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index b1e3fa54c6397..54c47463c215c 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2289,7 +2289,10 @@ xhci_add_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir, + erst_base = xhci_read_64(xhci, &ir->ir_set->erst_base); + erst_base &= ERST_BASE_RSVDP; + erst_base |= ir->erst.erst_dma_addr & ~ERST_BASE_RSVDP; +- xhci_write_64(xhci, erst_base, &ir->ir_set->erst_base); ++ if (xhci->quirks & XHCI_WRITE_64_HI_LO) ++ hi_lo_writeq(erst_base, &ir->ir_set->erst_base); ++ else ++ xhci_write_64(xhci, erst_base, &ir->ir_set->erst_base); + + /* Set the event ring dequeue address of this interrupter */ + xhci_set_hc_event_deq(xhci, ir); +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index b29fe4716f34e..8e4d465b9dd66 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + /* Code sharing between pci-quirks and xhci hcd */ + #include "xhci-ext-caps.h" +@@ -1913,6 +1914,7 @@ struct xhci_hcd { + #define XHCI_RESET_TO_DEFAULT BIT_ULL(44) + #define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45) + #define XHCI_ZHAOXIN_HOST BIT_ULL(46) ++#define XHCI_WRITE_64_HI_LO BIT_ULL(47) + + unsigned int num_active_eps; + unsigned int limit_active_eps; +-- +2.43.0 + -- 2.47.3