author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:56:07 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:56:07 +0200 |
commit | 8aca0473583f41035efd6c0e54940635d5f5ce27 (patch) | |
tree | 4548174f5bae57b5a3f9f7510bfb37025d6986de | |
parent | cfb2aa33051e38068ec64ebf5f0e3913a8a3ab9d (diff) | |
6.6-stable patches
added patches:
acpi-cppc-fix-access-width-used-for-pcc-registers.patch
acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch
arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch
arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch
bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch
bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
btrfs-fallback-if-compressed-io-fails-for-enospc.patch
btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch
btrfs-scrub-run-relocation-repair-when-only-needed.patch
cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch
drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
irqchip-gic-v3-its-prevent-double-free-on-error.patch
kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch
kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch
loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
mm-create-folio_flag_false-and-folio_type_ops-macros.patch
mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch
mm-support-page_mapcount-on-page_has_type-pages.patch
mmc-sdhci-msm-pervent-access-to-suspended-controller.patch
mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch
rust-don-t-select-constructors.patch
rust-init-remove-impl-zeroable-for-infallible.patch
rust-kernel-require-send-for-module-implementations.patch
rust-make-mutually-exclusive-with-cfi_clang.patch
rust-remove-params-from-module-macro-example.patch
smb-client-fix-struct_group-usage-in-__packed-structs.patch
smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
smb3-missing-lock-when-picking-channel.patch
38 files changed, 2765 insertions, 0 deletions
diff --git a/queue-6.6/acpi-cppc-fix-access-width-used-for-pcc-registers.patch b/queue-6.6/acpi-cppc-fix-access-width-used-for-pcc-registers.patch
new file mode 100644
index 0000000000..26c698ef09
--- /dev/null
+++ b/queue-6.6/acpi-cppc-fix-access-width-used-for-pcc-registers.patch
@@ -0,0 +1,155 @@ +From f489c948028b69cea235d9c0de1cc10eeb26a172 Mon Sep 17 00:00:00 2001 +From: Vanshidhar Konda <vanshikonda@os.amperecomputing.com> +Date: Thu, 11 Apr 2024 16:18:44 -0700 +Subject: ACPI: CPPC: Fix access width used for PCC registers + +From: Vanshidhar Konda <vanshikonda@os.amperecomputing.com> + +commit f489c948028b69cea235d9c0de1cc10eeb26a172 upstream. + +commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system +memory accesses") modified cpc_read()/cpc_write() to use access_width to +read CPC registers. + +However, for PCC registers the access width field in the ACPI register +macro specifies the PCC subspace ID. For non-zero PCC subspace ID it is +incorrectly treated as access width. This causes errors when reading +from PCC registers in the CPPC driver. + +For PCC registers, base the size of read/write on the bit width field. +The debug message in cpc_read()/cpc_write() is updated to print relevant +information for the address space type used to read the register. + +Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") +Signed-off-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com> +Tested-by: Jarred White <jarredwhite@linux.microsoft.com> +Reviewed-by: Jarred White <jarredwhite@linux.microsoft.com> +Reviewed-by: Easwar Hariharan <eahariha@linux.microsoft.com> +Cc: 5.15+ <stable@vger.kernel.org> # 5.15+ +Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/acpi/cppc_acpi.c | 53 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 37 insertions(+), 16 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -999,14 +999,14 @@ static int cpc_read(int cpu, struct cpc_ + } + + *val = 0; ++ size = GET_BIT_WIDTH(reg); + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = GET_BIT_WIDTH(reg); + u32 val_u32; + acpi_status status; + + status = acpi_os_read_port((acpi_io_address)reg->address, +- &val_u32, width); ++ &val_u32, size); + if (ACPI_FAILURE(status)) { + pr_debug("Error: Failed to read SystemIO port %llx\n", + reg->address); +@@ -1015,17 +1015,22 @@ static int cpc_read(int cpu, struct cpc_ + + *val = val_u32; + return 0; +- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) { ++ /* ++ * For registers in PCC space, the register size is determined ++ * by the bit width field; the access size is used to indicate ++ * the PCC subspace id. 
++ */ ++ size = reg->bit_width; + vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id); ++ } + else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + vaddr = reg_res->sys_mem_vaddr; + else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE) + return cpc_read_ffh(cpu, reg, val); + else + return acpi_os_read_memory((acpi_physical_address)reg->address, +- val, reg->bit_width); +- +- size = GET_BIT_WIDTH(reg); ++ val, size); + + switch (size) { + case 8: +@@ -1041,8 +1046,13 @@ static int cpc_read(int cpu, struct cpc_ + *val = readq_relaxed(vaddr); + break; + default: +- pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n", +- reg->bit_width, pcc_ss_id); ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { ++ pr_debug("Error: Cannot read %u bit width from system memory: 0x%llx\n", ++ size, reg->address); ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { ++ pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n", ++ size, pcc_ss_id); ++ } + return -EFAULT; + } + +@@ -1060,12 +1070,13 @@ static int cpc_write(int cpu, struct cpc + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + ++ size = GET_BIT_WIDTH(reg); ++ + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = GET_BIT_WIDTH(reg); + acpi_status status; + + status = acpi_os_write_port((acpi_io_address)reg->address, +- (u32)val, width); ++ (u32)val, size); + if (ACPI_FAILURE(status)) { + pr_debug("Error: Failed to write SystemIO port %llx\n", + reg->address); +@@ -1073,17 +1084,22 @@ static int cpc_write(int cpu, struct cpc + } + + return 0; +- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) { ++ /* ++ * For registers in PCC space, the register size is determined ++ * by the bit width field; the access size is used to indicate ++ * the PCC subspace id. 
++ */ ++ size = reg->bit_width; + vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id); ++ } + else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + vaddr = reg_res->sys_mem_vaddr; + else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE) + return cpc_write_ffh(cpu, reg, val); + else + return acpi_os_write_memory((acpi_physical_address)reg->address, +- val, reg->bit_width); +- +- size = GET_BIT_WIDTH(reg); ++ val, size); + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + val = MASK_VAL(reg, val); +@@ -1102,8 +1118,13 @@ static int cpc_write(int cpu, struct cpc + writeq_relaxed(val, vaddr); + break; + default: +- pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n", +- reg->bit_width, pcc_ss_id); ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { ++ pr_debug("Error: Cannot write %u bit width to system memory: 0x%llx\n", ++ size, reg->address); ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { ++ pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n", ++ size, pcc_ss_id); ++ } + ret_val = -EFAULT; + break; + } diff --git a/queue-6.6/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch b/queue-6.6/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch new file mode 100644 index 0000000000..ff3e9f7554 --- /dev/null +++ b/queue-6.6/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch 
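Review bot: In `cpc_read()` and `cpc_write()`, `size` is now preloaded with `GET_BIT_WIDTH(reg)` and only overridden with `reg->bit_width` inside the branch guarded by `pcc_ss_id >= 0`, so a PCC-space register reached with a negative `pcc_ss_id` would fall through to the final `else` and hand `acpi_os_read_memory()` / `acpi_os_write_memory()` a width derived from `access_width`, which for PCC registers holds the subspace id according to the added comment. Before this change that fallback passed `reg->bit_width`. Whether the path is reachable depends on checks at the top of both functions, which lie outside these hunks, so this should be confirmed. If it is reachable, selecting the size from the address space alone, `size = reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM ? reg->bit_width : GET_BIT_WIDTH(reg);`, keeps the subspace id from ever being interpreted as a width.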
@@ -0,0 +1,42 @@ +From 05d92ee782eeb7b939bdd0189e6efcab9195bf95 Mon Sep 17 00:00:00 2001 +From: Jarred White <jarredwhite@linux.microsoft.com> +Date: Mon, 8 Apr 2024 22:23:09 -0700 +Subject: ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro + +From: Jarred White <jarredwhite@linux.microsoft.com> + +commit 05d92ee782eeb7b939bdd0189e6efcab9195bf95 upstream. + +Commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for +system memory accesses") neglected to properly wrap the bit_offset shift +when it comes to applying the mask. This may cause incorrect values to be +read and may cause the cpufreq module not be loaded. + +[ 11.059751] cpu_capacity: CPU0 missing/invalid highest performance. +[ 11.066005] cpu_capacity: partial information: fallback to 1024 for all CPUs + +Also, corrected the bitmask generation in GENMASK (extra bit being added). + +Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") +Signed-off-by: Jarred White <jarredwhite@linux.microsoft.com> +Cc: 5.15+ <stable@vger.kernel.org> # 5.15+ +Reviewed-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/acpi/cppc_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -167,8 +167,8 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_ + #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width) + + /* Shift and apply the mask for CPC reads/writes */ +-#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \ +- GENMASK(((reg)->bit_width), 0))) ++#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \ ++ GENMASK(((reg)->bit_width) - 1, 0)) + + static ssize_t show_feedback_ctrs(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) 
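Review bot: The rewritten `MASK_VAL()` builds its mask with `GENMASK(((reg)->bit_width) - 1, 0)`, which has no well-defined result when `bit_width` is 0, and nothing in this hunk excludes that value for a register description that comes from firmware tables. `GENMASK()` also produces an `unsigned long`, while the values passed through this macro in `cpc_read()`/`cpc_write()` are `u64`, so on a 32-bit build a wide field would be masked incorrectly; `GENMASK_ULL(((reg)->bit_width) - 1, 0)` avoids that. Validating `bit_width` (non-zero, and `bit_offset + bit_width` within the access size) where the register is parsed would make the macro safe to apply unconditionally; that parsing code is not part of this hunk.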
diff --git a/queue-6.6/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch b/queue-6.6/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
new file mode 100644
index 0000000000..5f11426aec
--- /dev/null
+++ b/queue-6.6/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
@@ -0,0 +1,182 @@ +From 2f4a4d63a193be6fd530d180bb13c3592052904c Mon Sep 17 00:00:00 2001 +From: Jarred White <jarredwhite@linux.microsoft.com> +Date: Fri, 1 Mar 2024 11:25:59 -0800 +Subject: ACPI: CPPC: Use access_width over bit_width for system memory accesses + +From: Jarred White <jarredwhite@linux.microsoft.com> + +commit 2f4a4d63a193be6fd530d180bb13c3592052904c upstream. + +To align with ACPI 6.3+, since bit_width can be any 8-bit value, it +cannot be depended on to be always on a clean 8b boundary. This was +uncovered on the Cobalt 100 platform. + +SError Interrupt on CPU26, code 0xbe000011 -- SError + CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 + Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION + pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) + pc : cppc_get_perf_caps+0xec/0x410 + lr : cppc_get_perf_caps+0xe8/0x410 + sp : ffff8000155ab730 + x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078 + x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff + x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000 + x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff + x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008 + x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006 + x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec + x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028 + x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff + x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000 + Kernel panic - not syncing: Asynchronous SError Interrupt + CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted +5.15.2.1-13 #1 + Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION + Call trace: + dump_backtrace+0x0/0x1e0 + show_stack+0x24/0x30 + dump_stack_lvl+0x8c/0xb8 + dump_stack+0x18/0x34 + panic+0x16c/0x384 + add_taint+0x0/0xc0 + arm64_serror_panic+0x7c/0x90 + 
arm64_is_fatal_ras_serror+0x34/0xa4 + do_serror+0x50/0x6c + el1h_64_error_handler+0x40/0x74 + el1h_64_error+0x7c/0x80 + cppc_get_perf_caps+0xec/0x410 + cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq] + cpufreq_online+0x2dc/0xa30 + cpufreq_add_dev+0xc0/0xd4 + subsys_interface_register+0x134/0x14c + cpufreq_register_driver+0x1b0/0x354 + cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq] + do_one_initcall+0x50/0x250 + do_init_module+0x60/0x27c + load_module+0x2300/0x2570 + __do_sys_finit_module+0xa8/0x114 + __arm64_sys_finit_module+0x2c/0x3c + invoke_syscall+0x78/0x100 + el0_svc_common.constprop.0+0x180/0x1a0 + do_el0_svc+0x84/0xa0 + el0_svc+0x2c/0xc0 + el0t_64_sync_handler+0xa4/0x12c + el0t_64_sync+0x1a4/0x1a8 + +Instead, use access_width to determine the size and use the offset and +width to shift and mask the bits to read/write out. Make sure to add a +check for system memory since pcc redefines the access_width to +subspace id. + +If access_width is not set, then fall back to using bit_width. + +Signed-off-by: Jarred White <jarredwhite@linux.microsoft.com> +Reviewed-by: Easwar Hariharan <eahariha@linux.microsoft.com> +Cc: 5.15+ <stable@vger.kernel.org> # 5.15+ +[ rjw: Subject and changelog edits, comment adjustments ] +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/acpi/cppc_acpi.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -163,6 +163,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_ + show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf); + show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time); + ++/* Check for valid access_width, otherwise, fallback to using bit_width */ ++#define GET_BIT_WIDTH(reg) ((reg)->access_width ? 
(8 << ((reg)->access_width - 1)) : (reg)->bit_width) ++ ++/* Shift and apply the mask for CPC reads/writes */ ++#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \ ++ GENMASK(((reg)->bit_width), 0))) ++ + static ssize_t show_feedback_ctrs(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) + { +@@ -777,6 +784,7 @@ int acpi_cppc_processor_probe(struct acp + } else if (gas_t->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + if (gas_t->address) { + void __iomem *addr; ++ size_t access_width; + + if (!osc_cpc_flexible_adr_space_confirmed) { + pr_debug("Flexible address space capability not supported\n"); +@@ -784,7 +792,8 @@ int acpi_cppc_processor_probe(struct acp + goto out_free; + } + +- addr = ioremap(gas_t->address, gas_t->bit_width/8); ++ access_width = GET_BIT_WIDTH(gas_t) / 8; ++ addr = ioremap(gas_t->address, access_width); + if (!addr) + goto out_free; + cpc_ptr->cpc_regs[i-2].sys_mem_vaddr = addr; +@@ -980,6 +989,7 @@ int __weak cpc_write_ffh(int cpunum, str + static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) + { + void __iomem *vaddr = NULL; ++ int size; + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + +@@ -991,7 +1001,7 @@ static int cpc_read(int cpu, struct cpc_ + *val = 0; + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = 8 << (reg->access_width - 1); ++ u32 width = GET_BIT_WIDTH(reg); + u32 val_u32; + acpi_status status; + +@@ -1015,7 +1025,9 @@ static int cpc_read(int cpu, struct cpc_ + return acpi_os_read_memory((acpi_physical_address)reg->address, + val, reg->bit_width); + +- switch (reg->bit_width) { ++ size = GET_BIT_WIDTH(reg); ++ ++ switch (size) { + case 8: + *val = readb_relaxed(vaddr); + break; +@@ -1034,18 +1046,22 @@ static int cpc_read(int cpu, struct cpc_ + return -EFAULT; + } + ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ *val = MASK_VAL(reg, *val); ++ + return 0; + } + + static int cpc_write(int cpu, struct 
cpc_register_resource *reg_res, u64 val) + { + int ret_val = 0; ++ int size; + void __iomem *vaddr = NULL; + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = 8 << (reg->access_width - 1); ++ u32 width = GET_BIT_WIDTH(reg); + acpi_status status; + + status = acpi_os_write_port((acpi_io_address)reg->address, +@@ -1067,7 +1083,12 @@ static int cpc_write(int cpu, struct cpc + return acpi_os_write_memory((acpi_physical_address)reg->address, + val, reg->bit_width); + +- switch (reg->bit_width) { ++ size = GET_BIT_WIDTH(reg); ++ ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ val = MASK_VAL(reg, val); ++ ++ switch (size) { + case 8: + writeb_relaxed(val, vaddr); + break; diff --git a/queue-6.6/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch b/queue-6.6/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch new file mode 100644 index 0000000000..7ee4a0818f --- /dev/null +++ b/queue-6.6/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch 
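Review bot: In `cpc_write()` the value to be written goes through `MASK_VAL(reg, val)`, the same macro applied after the read in `cpc_read()`, so the caller's value is shifted right by `bit_offset` instead of being moved up into the field position. For a system-memory register with a non-zero `bit_offset` this looks like it writes the wrong bits; the write side would be expected to do something like `val = (val & GENMASK_ULL(reg->bit_width - 1, 0)) << reg->bit_offset;`, and whether the other bits of the register need to be preserved by a read-modify-write should be decided as well. Separately, `GET_BIT_WIDTH()` evaluates `8 << ((reg)->access_width - 1)` on a firmware-supplied field with no upper bound visible in these hunks, and its result sizes the `ioremap()` in `acpi_cppc_processor_probe()`, so rejecting `access_width` values above 4 (64-bit) at probe time would be worth adding. Both functions start and end outside the hunks shown.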
@@ -0,0 +1,67 @@ +From 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan+linaro@kernel.org> +Date: Wed, 6 Mar 2024 10:56:50 +0100 +Subject: arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP + +From: Johan Hovold <johan+linaro@kernel.org> + +commit 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 upstream. + +Add the missing PCIe CX performance level votes to avoid relying on +other drivers (e.g. USB or UFS) to maintain the nominal performance +level required for Gen3 speeds. + +Fixes: 813e83157001 ("arm64: dts: qcom: sc8280xp/sa8540p: add PCIe2-4 nodes") +Cc: stable@vger.kernel.org # 6.2 +Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org> +Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> +Signed-off-by: Johan Hovold <johan+linaro@kernel.org> +Link: https://lore.kernel.org/r/20240306095651.4551-5-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson <andersson@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi +@@ -1773,6 +1773,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_4_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie4_phy>; + phy-names = "pciephy"; +@@ -1871,6 +1872,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_3B_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie3b_phy>; + phy-names = "pciephy"; +@@ -1969,6 +1971,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_3A_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie3a_phy>; + phy-names = "pciephy"; +@@ -2070,6 +2073,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_2B_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie2b_phy>; + phy-names = "pciephy"; +@@ -2168,6 +2172,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_2A_GDSC>; ++ 
required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie2a_phy>; + phy-names = "pciephy"; diff --git a/queue-6.6/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch b/queue-6.6/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch new file mode 100644 index 0000000000..a843cc0b78 --- /dev/null +++ b/queue-6.6/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch 
@@ -0,0 +1,61 @@ +From ecc3ac293ed15ac2536e9fde2810154486f84010 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> +Date: Mon, 18 Mar 2024 12:49:03 +0530 +Subject: arm64: dts: qcom: sm8450: Fix the msi-map entries + +From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> + +commit ecc3ac293ed15ac2536e9fde2810154486f84010 upstream. + +While adding the GIC ITS MSI support, it was found that the msi-map entries +needed to be swapped to receive MSIs from the endpoint. + +But later it was identified that the swapping was needed due to a bug in +the Qualcomm PCIe controller driver. And since the bug is now fixed with +commit bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly"), +let's fix the msi-map entries also to reflect the actual mapping in the +hardware. + +Cc: stable@vger.kernel.org # 6.3: bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly") +Fixes: ff384ab56f16 ("arm64: dts: qcom: sm8450: Use GIC-ITS for PCIe0 and PCIe1") +Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> +Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> +Link: https://lore.kernel.org/r/20240318-pci-bdf-sid-fix-v1-1-acca6c5d9cf1@linaro.org +Signed-off-by: Bjorn Andersson <andersson@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/boot/dts/qcom/sm8450.dtsi | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi +@@ -1774,12 +1774,8 @@ + ranges = <0x01000000 0x0 0x00000000 0x0 0x60200000 0x0 0x100000>, + <0x02000000 0x0 0x60300000 0x0 0x60300000 0x0 0x3d00000>; + +- /* +- * MSIs for BDF (1:0.0) only works with Device ID 0x5980. +- * Hence, the IDs are swapped. 
+- */ +- msi-map = <0x0 &gic_its 0x5981 0x1>, +- <0x100 &gic_its 0x5980 0x1>; ++ msi-map = <0x0 &gic_its 0x5980 0x1>, ++ <0x100 &gic_its 0x5981 0x1>; + msi-map-mask = <0xff00>; + interrupts = <GIC_SPI 141 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "msi"; +@@ -1888,12 +1884,8 @@ + ranges = <0x01000000 0x0 0x00000000 0x0 0x40200000 0x0 0x100000>, + <0x02000000 0x0 0x40300000 0x0 0x40300000 0x0 0x1fd00000>; + +- /* +- * MSIs for BDF (1:0.0) only works with Device ID 0x5a00. +- * Hence, the IDs are swapped. +- */ +- msi-map = <0x0 &gic_its 0x5a01 0x1>, +- <0x100 &gic_its 0x5a00 0x1>; ++ msi-map = <0x0 &gic_its 0x5a00 0x1>, ++ <0x100 &gic_its 0x5a01 0x1>; + msi-map-mask = <0xff00>; + interrupts = <GIC_SPI 307 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "msi"; diff --git a/queue-6.6/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch b/queue-6.6/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch new file mode 100644 index 0000000000..e52e60f7d7 --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch 
@@ -0,0 +1,45 @@ +From 0ac417b8f124427c90ec8c2ef4f632b821d924cc Mon Sep 17 00:00:00 2001 +From: Iskander Amara <iskander.amara@theobroma-systems.com> +Date: Fri, 8 Mar 2024 09:52:42 +0100 +Subject: arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma + +From: Iskander Amara <iskander.amara@theobroma-systems.com> + +commit 0ac417b8f124427c90ec8c2ef4f632b821d924cc upstream. + +Q7_THRM# pin is connected to a diode on the module which is used +as a level shifter, and the pin have a pull-down enabled by +default. We need to configure it to internal pull-up, other- +wise whenever the pin is configured as INPUT and we try to +control it externally the value will always remain zero. + +Signed-off-by: Iskander Amara <iskander.amara@theobroma-systems.com> +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240308085243.69903-1-iskander.amara@theobroma-systems.com +Signed-off-by: Heiko Stuebner <heiko@sntech.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -407,6 +407,16 @@ + }; + + &pinctrl { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&q7_thermal_pin>; ++ ++ gpios { ++ q7_thermal_pin: q7-thermal-pin { ++ rockchip,pins = ++ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>; ++ }; ++ }; ++ + i2c8 { + i2c8_xfer_a: i2c8-xfer { + rockchip,pins = diff --git a/queue-6.6/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch b/queue-6.6/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch new file mode 100644 index 0000000000..95b3e07f43 --- /dev/null +++ b/queue-6.6/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch 
@@ -0,0 +1,69 @@ +From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001 +From: WangYuli <wangyuli@uniontech.com> +Date: Fri, 29 Mar 2024 10:34:39 +0800 +Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 + +From: WangYuli <wangyuli@uniontech.com> + +commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream. + +Add the support ID(0x0bda, 0x4853) to usb_device_id table for +Realtek RTL8852BE. + +Without this change the device utilizes an obsolete version of +the firmware that is encoded in it rather than the updated Realtek +firmware and config files from the firmware directory. The latter +files implement many new features. + +The device table is as follows: + +T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=4853 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) 
MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Cc: stable@vger.kernel.org +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: WangYuli <wangyuli@uniontech.com> +Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -541,6 +541,8 @@ static const struct usb_device_id quirks + /* Realtek 8852BE Bluetooth devices */ + { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK | 
diff --git a/queue-6.6/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch b/queue-6.6/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
new file mode 100644
index 0000000000..ab99523995
--- /dev/null
+++ b/queue-6.6/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
@@ -0,0 +1,128 @@ +From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor <nathan@kernel.org> +Date: Mon, 1 Apr 2024 11:24:17 -0700 +Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() + +From: Nathan Chancellor <nathan@kernel.org> + +commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream. + +After an innocuous optimization change in LLVM main (19.0.0), x86_64 +allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to +build due to the checks in check_copy_size(): + + In file included from net/bluetooth/sco.c:27: + In file included from include/linux/module.h:13: + In file included from include/linux/stat.h:19: + In file included from include/linux/time.h:60: + In file included from include/linux/time32.h:13: + In file included from include/linux/timex.h:67: + In file included from arch/x86/include/asm/timex.h:6: + In file included from arch/x86/include/asm/tsc.h:10: + In file included from arch/x86/include/asm/msr.h:15: + In file included from include/linux/percpu.h:7: + In file included from include/linux/smp.h:118: + include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' + declared with 'error' attribute: copy source size is too small + 244 | __bad_copy_from(); + | ^ + +The same exact error occurs in l2cap_sock.c. The copy_to_user() +statements that are failing come from l2cap_sock_getsockopt_old() and +sco_sock_getsockopt_old(). This does not occur with GCC with or without +KCSAN or Clang without KCSAN enabled. + +len is defined as an 'int' because it is assigned from +'__user int *optlen'. However, it is clamped against the result of +sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +platforms). This is done with min_t() because min() requires compatible +types, which results in both len and the result of sizeof() being casted +to 'unsigned int', meaning len changes signs and the result of sizeof() +is truncated. 
From there, len is passed to copy_to_user(), which has a +third parameter type of 'unsigned long', so it is widened and changes +signs again. This excessive casting in combination with the KCSAN +instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +call, failing the build. + +The official recommendation from LLVM developers is to consistently use +long types for all size variables to avoid the unnecessary casting in +the first place. Change the type of len to size_t in both +l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears +up the error while allowing min_t() to be replaced with min(), resulting +in simpler code with no casts and fewer implicit conversions. While len +is a different type than optlen now, it should result in no functional +change because the result of sizeof() will clamp all values of optlen in +the same manner as before. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Nathan Chancellor <nathan@kernel.org> +Reviewed-by: Justin Stitt <justinstitt@google.com> +Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + net/bluetooth/sco.c | 7 ++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -438,7 +438,8 @@ static int l2cap_sock_getsockopt_old(str + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; + struct l2cap_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -485,7 +486,7 @@ static int l2cap_sock_getsockopt_old(str + + BT_DBG("mode 0x%2.2x", chan->mode); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *) &opts, len)) + err = -EFAULT; + +@@ -535,7 
+536,7 @@ static int l2cap_sock_getsockopt_old(str + cinfo.hci_handle = chan->conn->hcon->handle; + memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -963,7 +963,8 @@ static int sco_sock_getsockopt_old(struc + struct sock *sk = sock->sk; + struct sco_options opts; + struct sco_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -985,7 +986,7 @@ static int sco_sock_getsockopt_old(struc + + BT_DBG("mtu %u", opts.mtu); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *)&opts, len)) + err = -EFAULT; + +@@ -1003,7 +1004,7 @@ static int sco_sock_getsockopt_old(struc + cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *)&cinfo, len)) + err = -EFAULT; + diff --git a/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch b/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch new file mode 100644 index 0000000000..2c77d4b51c --- /dev/null +++ b/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch 
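Review bot: With `len` now a `size_t` in `l2cap_sock_getsockopt_old()`, a negative `*optlen` from the caller is not rejected but becomes a very large value that is then clamped by `min(len, sizeof(opts))` or `min(len, sizeof(cinfo))`, so the bound on every `copy_to_user()` here rests entirely on that clamp. The `get_user()` that loads `len` is outside these hunks, so this is inferred from the commit description rather than from visible lines. A short comment at the declaration would keep a later edit from dropping the clamp, for example `/* from user space via optlen; negative values wrap and are clamped by min() before each copy_to_user() */`. The same applies to `sco_sock_getsockopt_old()` in net/bluetooth/sco.c.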
@@ -0,0 +1,40 @@
+From 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 22 Apr 2024 15:57:48 +0200
+Subject: Bluetooth: qca: fix NULL-deref on non-serdev setup
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 upstream.
+
+Qualcomm ROME controllers can be registered from the Bluetooth line
+discipline and in this case the HCI UART serdev pointer is NULL.
+
+Add the missing sanity check to prevent a NULL-pointer dereference when
+setup() is called for a non-serdev controller.
+
+Fixes: e9b3e5b8c657 ("Bluetooth: hci_qca: only assign wakeup with serial port support")
+Cc: stable@vger.kernel.org # 6.2
+Cc: Zhengping Jiang <jiangzp@google.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1938,8 +1938,10 @@ retry:
+ qca_debugfs_init(hdev);
+ hu->hdev->hw_error = qca_hw_error;
+ hu->hdev->cmd_timeout = qca_cmd_timeout;
+- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+- hu->hdev->wakeup = qca_wakeup;
++ if (hu->serdev) {
++ if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
++ hu->hdev->wakeup = qca_wakeup;
++ }
+ } else if (ret == -ENOENT) {
+ /* No patch/nvm-config found, run with original fw/config */
+ set_bit(QCA_ROM_FW, &qca->flags);
diff --git a/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch b/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
new file mode 100644
index 0000000000..64e9378f31
--- /dev/null
+++ b/queue-6.6/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
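Review bot: The new guard in the `retry:` success branch of drivers/bluetooth/hci_qca.c nests two `if`s where a single condition reads more directly: `if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))`. The braces and the extra indent level add nothing, because the inner test is the only statement in the outer block. The enclosing setup function starts and ends outside the hunk, so whether other unguarded `hu->serdev` dereferences remain on this path cannot be checked from here.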
@@ -0,0 +1,41 @@
+From 73e87c0a49fda31d7b589edccf4c72e924411371 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 22 Apr 2024 15:57:47 +0200
+Subject: Bluetooth: qca: fix NULL-deref on non-serdev suspend
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 73e87c0a49fda31d7b589edccf4c72e924411371 upstream.
+
+Qualcomm ROME controllers can be registered from the Bluetooth line
+discipline and in this case the HCI UART serdev pointer is NULL.
+
+Add the missing sanity check to prevent a NULL-pointer dereference when
+wakeup() is called for a non-serdev controller during suspend.
+
+Just return true for now to restore the original behaviour and address
+the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657
+("Bluetooth: hci_qca: only assign wakeup with serial port support") that
+causes the crash to happen already at setup() time.
+
+Fixes: c1a74160eaf1 ("Bluetooth: hci_qca: Add device_may_wakeup support")
+Cc: stable@vger.kernel.org # 5.13
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1672,6 +1672,9 @@ static bool qca_wakeup(struct hci_dev *h
+ struct hci_uart *hu = hci_get_drvdata(hdev);
+ bool wakeup;
+
++ if (!hu->serdev)
++ return true;
++
+ /* BT SoC attached through the serial bus is handled by the serdev driver.
+ * So we need to use the device handle of the serdev driver to get the
+ * status of device may wakeup.
diff --git a/queue-6.6/btrfs-fallback-if-compressed-io-fails-for-enospc.patch b/queue-6.6/btrfs-fallback-if-compressed-io-fails-for-enospc.patch
new file mode 100644
index 0000000000..97e5e77407
--- /dev/null
+++ b/queue-6.6/btrfs-fallback-if-compressed-io-fails-for-enospc.patch
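Review bot: The early `return true` added at the top of qca_wakeup() has no comment, and the existing comment right below it describes only the serdev case. From the code alone a reader cannot tell why a controller without a serdev handle is reported as wakeup-capable; the commit message says this restores the earlier behaviour for controllers registered from the line discipline. I would put that on the check, e.g. `/* Registered via the line discipline: no serdev handle, keep the old behaviour. */`. The rest of qca_wakeup() lies outside the hunk.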
@@ -0,0 +1,71 @@ +From 131a821a243f89be312ced9e62ccc37b2cf3846c Mon Sep 17 00:00:00 2001 +From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me> +Date: Sat, 6 Apr 2024 04:45:02 -0400 +Subject: btrfs: fallback if compressed IO fails for ENOSPC + +From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me> + +commit 131a821a243f89be312ced9e62ccc37b2cf3846c upstream. + +In commit b4ccace878f4 ("btrfs: refactor submit_compressed_extents()"), if +an async extent compressed but failed to find enough space, we changed +from falling back to an uncompressed write to just failing the write +altogether. The principle was that if there's not enough space to write +the compressed version of the data, there can't possibly be enough space +to write the larger, uncompressed version of the data. + +However, this isn't necessarily true: due to fragmentation, there could +be enough discontiguous free blocks to write the uncompressed version, +but not enough contiguous free blocks to write the smaller but +unsplittable compressed version. + +This has occurred to an internal workload which relied on write()'s +return value indicating there was space. While rare, it has happened a +few times. + +Thus, in order to prevent early ENOSPC, re-add a fallback to +uncompressed writing. 
+ +Fixes: b4ccace878f4 ("btrfs: refactor submit_compressed_extents()") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo <wqu@suse.com> +Co-developed-by: Neal Gompa <neal@gompa.dev> +Signed-off-by: Neal Gompa <neal@gompa.dev> +Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/btrfs/inode.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1134,13 +1134,13 @@ static void submit_one_async_extent(stru + 0, *alloc_hint, &ins, 1, 1); + if (ret) { + /* +- * Here we used to try again by going back to non-compressed +- * path for ENOSPC. But we can't reserve space even for +- * compressed size, how could it work for uncompressed size +- * which requires larger size? So here we directly go error +- * path. ++ * We can't reserve contiguous space for the compressed size. ++ * Unlikely, but it's possible that we could have enough ++ * non-contiguous space for the uncompressed size instead. So ++ * fall back to uncompressed. + */ +- goto out_free; ++ submit_uncompressed_range(inode, async_extent, locked_page); ++ goto done; + } + + /* Here we're doing allocation and writeback of the compressed pages */ +@@ -1192,7 +1192,6 @@ done: + out_free_reserve: + btrfs_dec_block_group_reservations(fs_info, ins.objectid); + btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 1); +-out_free: + mapping_set_error(inode->vfs_inode.i_mapping, -EIO); + extent_clear_unlock_delalloc(inode, start, end, + NULL, EXTENT_LOCKED | EXTENT_DELALLOC | diff --git a/queue-6.6/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch b/queue-6.6/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch new file mode 100644 index 0000000000..c1d2d785bf --- /dev/null 
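Review bot: In submit_one_async_extent() the fallback to `submit_uncompressed_range()` is taken for every non-zero `ret` from the reservation, while the new comment and the subject line talk only about the contiguous-space (ENOSPC) case. If the reservation can fail for other reasons (not visible in this hunk), those failures are now retried as an uncompressed write instead of reaching the `mapping_set_error(..., -EIO)` path. Either state in the comment that all reservation failures fall back on purpose, or test `ret == -ENOSPC` and keep an error exit for the rest. The result of `submit_uncompressed_range()` is not looked at here either; whether it reports failure itself is outside the hunk.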
+++ b/queue-6.6/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch 
@@ -0,0 +1,95 @@ +From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Date: Wed, 17 Apr 2024 10:45:47 +0200 +Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() + +From: Johannes Thumshirn <johannes.thumshirn@wdc.com> + +commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream. + +Syzbot reported the following information leak for in +btrfs_ioctl_logical_to_ino(): + + BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] + BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + copy_to_user include/linux/uaccess.h:191 [inline] + btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Uninit was created at: + __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 + __do_kmalloc_node mm/slub.c:3954 [inline] + __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 + kmalloc_node include/linux/slab.h:648 [inline] + kvmalloc_node+0xc0/0x2d0 mm/util.c:634 + kvmalloc include/linux/slab.h:766 [inline] + init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 + btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 
arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Bytes 40-65535 of 65536 are uninitialized + Memory access of size 65536 starts at ffff888045a40000 + +This happens, because we're copying a 'struct btrfs_data_container' back +to user-space. This btrfs_data_container is allocated in +'init_data_container()' via kvmalloc(), which does not zero-fill the +memory. + +Fix this by using kvzalloc() which zeroes out the memory on allocation. + +CC: stable@vger.kernel.org # 4.14+ +Reported-by: <syzbot+510a1abbb8116eeb341d@syzkaller.appspotmail.com> +Reviewed-by: Qu Wenruo <wqu@suse.com> +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: Johannes Thumshirn <Johannes.thumshirn@wdc.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/btrfs/backref.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -2770,20 +2770,14 @@ struct btrfs_data_container *init_data_c + size_t alloc_bytes; + + alloc_bytes = max_t(size_t, total_bytes, sizeof(*data)); +- data = kvmalloc(alloc_bytes, GFP_KERNEL); ++ data = kvzalloc(alloc_bytes, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + +- if (total_bytes >= sizeof(*data)) { ++ if (total_bytes >= sizeof(*data)) + data->bytes_left = total_bytes - sizeof(*data); +- data->bytes_missing = 0; +- } else { ++ else + data->bytes_missing = sizeof(*data) - total_bytes; +- data->bytes_left = 0; +- } +- +- data->elem_cnt = 0; +- data->elem_missed = 0; + + return data; + } diff --git a/queue-6.6/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch b/queue-6.6/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch new file mode 100644 index 0000000000..06dff00dea --- /dev/null 
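Review bot: init_data_container() in fs/btrfs/backref.c now depends on `kvzalloc()` for two things at once: the header fields that used to be set to 0 explicitly, and the payload bytes that the KMSAN report shows being copied to user space. Nothing at the allocation says so, which makes it easy for a later cleanup to switch back to `kvmalloc()` and reopen the leak. A one-line comment above the call would pin it down, e.g. `/* Must be zeroed: the whole buffer is copied to user space. */`. The function's signature and opening lines are outside the hunk.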
+++ b/queue-6.6/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch 
@@ -0,0 +1,103 @@ +From fe1c6c7acce10baf9521d6dccc17268d91ee2305 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo <wqu@suse.com> +Date: Tue, 9 Apr 2024 20:32:34 +0930 +Subject: btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() + +From: Qu Wenruo <wqu@suse.com> + +commit fe1c6c7acce10baf9521d6dccc17268d91ee2305 upstream. + +[BUG] +During my extent_map cleanup/refactor, with extra sanity checks, +extent-map-tests::test_case_7() would not pass the checks. + +The problem is, after btrfs_drop_extent_map_range(), the resulted +extent_map has a @block_start way too large. +Meanwhile my btrfs_file_extent_item based members are returning a +correct @disk_bytenr/@offset combination. + +The extent map layout looks like this: + + 0 16K 32K 48K + | PINNED | | Regular | + +The regular em at [32K, 48K) also has 32K @block_start. + +Then drop range [0, 36K), which should shrink the regular one to be +[36K, 48K). +However the @block_start is incorrect, we expect 32K + 4K, but got 52K. + +[CAUSE] +Inside btrfs_drop_extent_map_range() function, if we hit an extent_map +that covers the target range but is still beyond it, we need to split +that extent map into half: + + |<-- drop range -->| + |<----- existing extent_map --->| + +And if the extent map is not compressed, we need to forward +extent_map::block_start by the difference between the end of drop range +and the extent map start. + +However in that particular case, the difference is calculated using +(start + len - em->start). + +The problem is @start can be modified if the drop range covers any +pinned extent. + +This leads to wrong calculation, and would be caught by my later +extent_map sanity checks, which checks the em::block_start against +btrfs_file_extent_item::disk_bytenr + btrfs_file_extent_item::offset. + +This is a regression caused by commit c962098ca4af ("btrfs: fix +incorrect splitting in btrfs_drop_extent_map_range"), which removed the +@len update for pinned extents. 
+ +[FIX] +Fix it by avoiding using @start completely, and use @end - em->start +instead, which @end is exclusive bytenr number. + +And update the test case to verify the @block_start to prevent such +problem from happening. + +Thankfully this is not going to lead to any data corruption, as IO path +does not utilize btrfs_drop_extent_map_range() with @skip_pinned set. + +So this fix is only here for the sake of consistency/correctness. + +CC: stable@vger.kernel.org # 6.5+ +Fixes: c962098ca4af ("btrfs: fix incorrect splitting in btrfs_drop_extent_map_range") +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: Qu Wenruo <wqu@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/btrfs/extent_map.c | 2 +- + fs/btrfs/tests/extent-map-tests.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/extent_map.c ++++ b/fs/btrfs/extent_map.c +@@ -843,7 +843,7 @@ void btrfs_drop_extent_map_range(struct + split->block_len = em->block_len; + split->orig_start = em->orig_start; + } else { +- const u64 diff = start + len - em->start; ++ const u64 diff = end - em->start; + + split->block_len = split->len; + split->block_start += diff; +--- a/fs/btrfs/tests/extent-map-tests.c ++++ b/fs/btrfs/tests/extent-map-tests.c +@@ -826,6 +826,11 @@ static int test_case_7(void) + goto out; + } + ++ if (em->block_start != SZ_32K + SZ_4K) { ++ test_err("em->block_start is %llu, expected 36K", em->block_start); ++ goto out; ++ } ++ + free_extent_map(em); + + read_lock(&em_tree->lock); diff --git a/queue-6.6/btrfs-scrub-run-relocation-repair-when-only-needed.patch b/queue-6.6/btrfs-scrub-run-relocation-repair-when-only-needed.patch new file mode 100644 index 0000000000..86a709358c --- /dev/null +++ b/queue-6.6/btrfs-scrub-run-relocation-repair-when-only-needed.patch 
@@ -0,0 +1,69 @@ +From 7192833c4e55b26e8f15ef58577867a1bc808036 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota <naohiro.aota@wdc.com> +Date: Tue, 9 Apr 2024 23:18:52 +0900 +Subject: btrfs: scrub: run relocation repair when/only needed + +From: Naohiro Aota <naohiro.aota@wdc.com> + +commit 7192833c4e55b26e8f15ef58577867a1bc808036 upstream. + +When btrfs scrub finds an error, it reads mirrors to find correct data. If +all the errors are fixed, sctx->error_bitmap is cleared for the stripe +range. However, in the zoned mode, it runs relocation to repair scrub +errors when the bitmap is *not* empty, which is a flipped condition. + +Also, it runs the relocation even if the scrub is read-only. This was +missed by a fix in commit 1f2030ff6e49 ("btrfs: scrub: respect the +read-only flag during repair"). + +The repair is only necessary when there is a repaired sector and should be +done on read-write scrub. So, tweak the condition for both regular and +zoned case. + +Fixes: 54765392a1b9 ("btrfs: scrub: introduce helper to queue a stripe for scrub") +Fixes: 1f2030ff6e49 ("btrfs: scrub: respect the read-only flag during repair") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Qu Wenruo <wqu@suse.com> +Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/btrfs/scrub.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -1013,6 +1013,7 @@ static void scrub_stripe_read_repair_wor + struct btrfs_fs_info *fs_info = sctx->fs_info; + int num_copies = btrfs_num_copies(fs_info, stripe->bg->start, + stripe->bg->length); ++ unsigned long repaired; + int mirror; + int i; + +@@ -1079,16 +1080,15 @@ out: + * Submit the repaired sectors. For zoned case, we cannot do repair + * in-place, but queue the bg to be relocated. 
+ */ +- if (btrfs_is_zoned(fs_info)) { +- if (!bitmap_empty(&stripe->error_bitmap, stripe->nr_sectors)) ++ bitmap_andnot(&repaired, &stripe->init_error_bitmap, &stripe->error_bitmap, ++ stripe->nr_sectors); ++ if (!sctx->readonly && !bitmap_empty(&repaired, stripe->nr_sectors)) { ++ if (btrfs_is_zoned(fs_info)) { + btrfs_repair_one_zone(fs_info, sctx->stripes[0].bg->start); +- } else if (!sctx->readonly) { +- unsigned long repaired; +- +- bitmap_andnot(&repaired, &stripe->init_error_bitmap, +- &stripe->error_bitmap, stripe->nr_sectors); +- scrub_write_sectors(sctx, stripe, repaired, false); +- wait_scrub_stripe_io(stripe); ++ } else { ++ scrub_write_sectors(sctx, stripe, repaired, false); ++ wait_scrub_stripe_io(stripe); ++ } + } + + scrub_stripe_report_errors(sctx, stripe); diff --git a/queue-6.6/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch b/queue-6.6/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch new file mode 100644 index 0000000000..0a7a349b01 --- /dev/null +++ b/queue-6.6/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch 
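Review bot: The block comment kept above the rewritten condition in scrub_stripe_read_repair_worker() still says only that repaired sectors are submitted or, for zoned, the block group is queued for relocation. After this change nothing is written or relocated when the scrub is read-only or when `repaired` is empty, which is the behaviour the commit is about. I would extend the comment by one sentence, e.g. `Skipped for a read-only scrub and when no sector was repaired.` Separately, `repaired` remains a single `unsigned long` used as a bitmap of `stripe->nr_sectors` bits, as it was before the move; the bound on `nr_sectors` is not visible in the hunk.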
@@ -0,0 +1,108 @@ +From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc@google.com> +Date: Fri, 19 Apr 2024 17:05:54 -0700 +Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures + +From: Sean Christopherson <seanjc@google.com> + +commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream. + +Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it +on for all architectures exception x86. A recent commit to turn +mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta +missed that "cpu_mitigations" is completely generic, whereas +SPECULATION_MITIGATIONS is x86-specific. + +Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it +select CPU_MITIGATIONS, as having two configs for the same thing is +unnecessary and confusing. This will also allow x86 to use the knob to +manage mitigations that aren't strictly related to speculative +execution. + +Use another Kconfig to communicate to common code that CPU_MITIGATIONS +is already defined instead of having x86's menu depend on the common +CPU_MITIGATIONS. This allows keeping a single point of contact for all +of x86's mitigations, and it's not clear that other architectures *want* +to allow disabling mitigations at compile-time. 
+ +Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n") +Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au +Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> +Reported-by: Michael Ellerman <mpe@ellerman.id.au> +Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> +Signed-off-by: Sean Christopherson <seanjc@google.com> +Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> +Acked-by: Josh Poimboeuf <jpoimboe@kernel.org> +Acked-by: Borislav Petkov (AMD) <bp@alien8.de> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/Kconfig | 8 ++++++++ + arch/x86/Kconfig | 11 ++++++----- + kernel/cpu.c | 4 ++-- + 3 files changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -9,6 +9,14 @@ + # + source "arch/$(SRCARCH)/Kconfig" + ++config ARCH_CONFIGURES_CPU_MITIGATIONS ++ bool ++ ++if !ARCH_CONFIGURES_CPU_MITIGATIONS ++config CPU_MITIGATIONS ++ def_bool y ++endif ++ + menu "General architecture-dependent options" + + config ARCH_HAS_SUBPAGE_FAULTS +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -62,6 +62,7 @@ config X86 + select ACPI_SYSTEM_POWER_STATES_SUPPORT if ACPI + select ARCH_32BIT_OFF_T if X86_32 + select ARCH_CLOCKSOURCE_INIT ++ select ARCH_CONFIGURES_CPU_MITIGATIONS + select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE + select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION + select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64 +@@ -2421,17 +2422,17 @@ config PREFIX_SYMBOLS + def_bool y + depends on CALL_PADDING && !CFI_CLANG + +-menuconfig SPECULATION_MITIGATIONS +- bool "Mitigations for speculative execution vulnerabilities" ++menuconfig CPU_MITIGATIONS ++ bool "Mitigations for CPU vulnerabilities" + default y + help +- Say Y here to enable options which enable mitigations for +- speculative execution hardware 
vulnerabilities. ++ Say Y here to enable options which enable mitigations for hardware ++ vulnerabilities (usually related to speculative execution). + + If you say N, all mitigations will be disabled. You really + should know what you are doing to say so. + +-if SPECULATION_MITIGATIONS ++if CPU_MITIGATIONS + + config PAGE_TABLE_ISOLATION + bool "Remove the kernel mapping in user mode" +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -3208,8 +3208,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : +- CPU_MITIGATIONS_OFF; ++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + { diff --git a/queue-6.6/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch b/queue-6.6/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch new file mode 100644 index 0000000000..4a1fd71a5a --- /dev/null +++ b/queue-6.6/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch 
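Review bot: After the rename in kernel/cpu.c and arch/x86/Kconfig, `IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS)` evaluates to 0 without any build error, so a reference to the old symbol that this patch does not touch would quietly compile as if mitigations were configured out. The three files changed here are consistent with each other, but for a stable backport it is worth grepping the 6.6 tree and the other queued patches for `SPECULATION_MITIGATIONS` before this lands. In arch/Kconfig, `ARCH_CONFIGURES_CPU_MITIGATIONS` has neither a prompt nor a comment; a line such as `# Selected by architectures that define CPU_MITIGATIONS themselves` above it would tell the next architecture maintainer what selecting it obliges them to do.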
@@ -0,0 +1,33 @@
+From aebd3eb9d3ae017e6260043f6bcace2f5ef60694 Mon Sep 17 00:00:00 2001
+From: Lijo Lazar <lijo.lazar@amd.com>
+Date: Wed, 10 Apr 2024 19:30:46 +0530
+Subject: drm/amdgpu: Assign correct bits for SDMA HDP flush
+
+From: Lijo Lazar <lijo.lazar@amd.com>
+
+commit aebd3eb9d3ae017e6260043f6bcace2f5ef60694 upstream.
+
+HDP Flush request bit can be kept unique per AID, and doesn't need to be
+unique SOC-wide. Assign only bits 10-13 for SDMA v4.4.2.
+
+Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+@@ -365,7 +365,8 @@ static void sdma_v4_4_2_ring_emit_hdp_fl
+ u32 ref_and_mask = 0;
+ const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg;
+
+- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0
++ << (ring->me % adev->sdma.num_inst_per_aid);
+
+ sdma_v4_4_2_wait_reg_mem(ring, 0, 1,
+ adev->nbio.funcs->get_hdp_flush_done_offset(adev),
diff --git a/queue-6.6/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch b/queue-6.6/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
new file mode 100644
index 0000000000..9c0e8cd1f7
--- /dev/null
+++ b/queue-6.6/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
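Review bot: The new shift amount in sdma_v4_4_2.c is `ring->me % adev->sdma.num_inst_per_aid`, and a zero divisor in kernel code is a divide fault rather than a wrong mask. Where `num_inst_per_aid` is assigned is not visible in this hunk; if it can still be 0 when a ring emits an HDP flush, this needs a guard or a documented invariant. A short comment such as `/* HDP flush request bits are per AID, so wrap the instance index */` would also explain the modulo to a reader who has not seen the commit message.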
@@ -0,0 +1,31 @@
+From 25e9227c6afd200bed6774c866980b8e36d033af Mon Sep 17 00:00:00 2001
+From: Mukul Joshi <mukul.joshi@amd.com>
+Date: Thu, 18 Apr 2024 11:32:34 -0400
+Subject: drm/amdgpu: Fix leak when GPU memory allocation fails
+
+From: Mukul Joshi <mukul.joshi@amd.com>
+
+commit 25e9227c6afd200bed6774c866980b8e36d033af upstream.
+
+Free the sync object if the memory allocation fails for any
+reason.
+
+Signed-off-by: Mukul Joshi <mukul.joshi@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1785,6 +1785,7 @@ err_node_allow:
+ err_bo_create:
+ amdgpu_amdkfd_unreserve_mem_limit(adev, aligned_size, flags, xcp_id);
+ err_reserve_limit:
++ amdgpu_sync_free(&(*mem)->sync);
+ mutex_destroy(&(*mem)->lock);
+ if (gobj)
+ drm_gem_object_put(gobj);
diff --git a/queue-6.6/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch b/queue-6.6/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
new file mode 100644
index 0000000000..09e1b029d7
--- /dev/null
+++ b/queue-6.6/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
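Review bot: `amdgpu_sync_free(&(*mem)->sync)` is placed under `err_reserve_limit:`, which the labels above it fall through to, so it runs on every failure exit that reaches this tail. That is only safe if the sync object is initialised before the first `goto err_reserve_limit`; the initialisation and the gotos are outside the hunk, so this should be confirmed against the full function in amdgpu_amdkfd_gpuvm.c. If any jump to this label can happen earlier than the initialisation, the free belongs under a later label instead.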
@@ -0,0 +1,57 @@ +From 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Sun, 14 Apr 2024 21:20:56 -0400 +Subject: drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher <alexander.deucher@amd.com> + +commit 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d upstream. + +This avoids a potential conflict with firmwares with the newer +HDP flush mechanism. + +Reviewed-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +@@ -292,17 +292,21 @@ static void sdma_v5_2_ring_emit_hdp_flus + u32 ref_and_mask = 0; + const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg; + +- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; ++ if (ring->me > 1) { ++ amdgpu_asic_flush_hdp(adev, ring); ++ } else { ++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; + +- amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | +- SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | +- SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); +- amdgpu_ring_write(ring, ref_and_mask); /* reference */ +- amdgpu_ring_write(ring, ref_and_mask); /* mask */ +- amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | +- SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | ++ 
SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | ++ SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); ++ amdgpu_ring_write(ring, ref_and_mask); /* reference */ ++ amdgpu_ring_write(ring, ref_and_mask); /* mask */ ++ amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | ++ SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ } + } + + /** diff --git a/queue-6.6/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch b/queue-6.6/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch new file mode 100644 index 0000000000..68b81c97a7 --- /dev/null +++ b/queue-6.6/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch 
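Review bot: The `ring->me > 1` test added to the HDP flush emitter in sdma_v5_2.c carries the whole reason for the change, but neither the literal nor the branch is explained in the code. I would add a comment on the condition, e.g. `/* SDMA2/3: use the legacy HDP flush to avoid a conflict with firmware that uses the newer mechanism */`, so the special case survives later refactoring of this function.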
@@ -0,0 +1,71 @@ +From 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e Mon Sep 17 00:00:00 2001 +From: Nam Cao <namcao@linutronix.de> +Date: Mon, 18 Mar 2024 11:59:02 +0100 +Subject: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up + +From: Nam Cao <namcao@linutronix.de> + +commit 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e upstream. + +The flag I2C_HID_READ_PENDING is used to serialize I2C operations. +However, this is not necessary, because I2C core already has its own +locking for that. + +More importantly, this flag can cause a lock-up: if the flag is set in +i2c_hid_xfer() and an interrupt happens, the interrupt handler +(i2c_hid_irq) will check this flag and return immediately without doing +anything, then the interrupt handler will be invoked again in an +infinite loop. + +Since interrupt handler is an RT task, it takes over the CPU and the +flag-clearing task never gets scheduled, thus we have a lock-up. + +Delete this unnecessary flag. + +Reported-and-tested-by: Eva Kurchatova <nyandarknessgirl@gmail.com> +Closes: https://lore.kernel.org/r/CA+eeCSPUDpUg76ZO8dszSbAGn+UHjcyv8F1J-CUPVARAzEtW9w@mail.gmail.com +Fixes: 4a200c3b9a40 ("HID: i2c-hid: introduce HID over i2c specification implementation") +Cc: <stable@vger.kernel.org> +Signed-off-by: Nam Cao <namcao@linutronix.de> +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -64,7 +64,6 @@ + /* flags */ + #define I2C_HID_STARTED 0 + #define I2C_HID_RESET_PENDING 1 +-#define I2C_HID_READ_PENDING 2 + + #define I2C_HID_PWR_ON 0x00 + #define I2C_HID_PWR_SLEEP 0x01 +@@ -190,15 +189,10 @@ static int i2c_hid_xfer(struct i2c_hid * + msgs[n].len = recv_len; + msgs[n].buf = recv_buf; + n++; +- +- set_bit(I2C_HID_READ_PENDING, &ihid->flags); + } + + ret = 
i2c_transfer(client->adapter, msgs, n); + +- if (recv_len) +- clear_bit(I2C_HID_READ_PENDING, &ihid->flags); +- + if (ret != n) + return ret < 0 ? ret : -EIO; + +@@ -566,9 +560,6 @@ static irqreturn_t i2c_hid_irq(int irq, + { + struct i2c_hid *ihid = dev_id; + +- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags)) +- return IRQ_HANDLED; +- + i2c_hid_get_input(ihid); + + return IRQ_HANDLED; diff --git a/queue-6.6/irqchip-gic-v3-its-prevent-double-free-on-error.patch b/queue-6.6/irqchip-gic-v3-its-prevent-double-free-on-error.patch new file mode 100644 index 0000000000..2ddc6bd7f2 --- /dev/null +++ b/queue-6.6/irqchip-gic-v3-its-prevent-double-free-on-error.patch 
@@ -0,0 +1,52 @@
+From c26591afd33adce296c022e3480dea4282b7ef91 Mon Sep 17 00:00:00 2001
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Date: Thu, 18 Apr 2024 14:10:52 +0800
+Subject: irqchip/gic-v3-its: Prevent double free on error
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
+
+The error handling path in its_vpe_irq_domain_alloc() causes a double free
+when its_vpe_init() fails after successfully allocating at least one
+interrupt. This happens because its_vpe_irq_domain_free() frees the
+interrupts along with the area bitmap and the vprop_page and
+its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
+vprop_page again.
+
+Fix this by unconditionally invoking its_vpe_irq_domain_free() which
+handles all cases correctly and by removing the bitmap/vprop_page freeing
+from its_vpe_irq_domain_alloc().
+
+[ tglx: Massaged change log ]
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4561,13 +4561,8 @@ static int its_vpe_irq_domain_alloc(stru
+ irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i));
+ }
+
+- if (err) {
+- if (i > 0)
+- its_vpe_irq_domain_free(domain, virq, i);
+-
+- its_lpi_free(bitmap, base, nr_ids);
+- its_free_prop_table(vprop_page);
+- }
++ if (err)
++ its_vpe_irq_domain_free(domain, virq, i);
+
+ return err;
+ }
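Review bot: The new error path `if (err) its_vpe_irq_domain_free(domain, virq, i);` is now also taken when `i == 0`, and it is the only place left that releases `bitmap` and `vprop_page`, so it is correct only if its_vpe_irq_domain_free() frees both even when asked to free zero interrupts. That function is outside the hunk, so this cannot be confirmed from here; the commit message states that it handles all cases. A comment on the call would keep the ownership obvious, for example `/* its_vpe_irq_domain_free() also releases the LPI bitmap and vprop_page, including for i == 0 */`. its_vpe_irq_domain_alloc() starts outside the hunk.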
diff --git a/queue-6.6/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch b/queue-6.6/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch
new file mode 100644
index 0000000000..4d7a6ba108
--- /dev/null
+++ b/queue-6.6/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch
@@ -0,0 +1,67 @@
+From ded103c7eb23753f22597afa500a7c1ad34116ba Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Mon, 22 Apr 2024 11:06:44 +0200
+Subject: kbuild: rust: force `alloc` extern to allow "empty" Rust files
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit ded103c7eb23753f22597afa500a7c1ad34116ba upstream.
+
+If one attempts to build an essentially empty file somewhere in the
+kernel tree, it leads to a build error because the compiler does not
+recognize the `new_uninit` unstable feature:
+
+ error[E0635]: unknown feature `new_uninit`
+ --> <crate attribute>:1:9
+ |
+ 1 | feature(new_uninit)
+ | ^^^^^^^^^^
+
+The reason is that we pass `-Zcrate-attr='feature(new_uninit)'` (together
+with `-Zallow-features=new_uninit`) to let non-`rust/` code use that
+unstable feature.
+
+However, the compiler only recognizes the feature if the `alloc` crate
+is resolved (the feature is an `alloc` one). `--extern alloc`, which we
+pass, is not enough to resolve the crate.
+
+Introducing a reference like `use alloc;` or `extern crate alloc;`
+solves the issue, thus this is not seen in normal files. For instance,
+`use`ing the `kernel` prelude introduces such a reference, since `alloc`
+is used inside.
+
+While normal use of the build system is not impacted by this, it can still
+be fairly confusing for kernel developers [1], thus use the unstable
+`force` option of `--extern` [2] (added in Rust 1.71 [3]) to force the
+compiler to resolve `alloc`.
+
+This new unstable feature is only needed meanwhile we use the other
+unstable feature, since then we will not need `-Zcrate-attr`.
+
+Cc: stable@vger.kernel.org # v6.6+
+Reported-by: Daniel Almeida <daniel.almeida@collabora.com>
+Reported-by: Julian Stecklina <julian.stecklina@cyberus-technology.de>
+Closes: https://rust-for-linux.zulipchat.com/#narrow/stream/288089-General/topic/x/near/424096982 [1]
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Link: https://github.com/rust-lang/rust/issues/111302 [2]
+Link: https://github.com/rust-lang/rust/pull/109421 [3]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://lore.kernel.org/r/20240422090644.525520-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -272,7 +272,7 @@ rust_common_cmd = \
+ -Zallow-features=$(rust_allowed_features) \
+ -Zcrate-attr=no_std \
+ -Zcrate-attr='feature($(rust_allowed_features))' \
+- --extern alloc --extern kernel \
++ -Zunstable-options --extern force:alloc --extern kernel \
+ --crate-type rlib -L $(objtree)/rust/ \
+ --crate-name $(basename $(notdir $@)) \
+ --out-dir $(dir $@) --emit=dep-info=$(depfile)
diff --git a/queue-6.6/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch b/queue-6.6/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch
new file mode 100644
index 0000000000..e5405a6aba
--- /dev/null
+++ b/queue-6.6/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch
@@ -0,0 +1,46 @@
+From 50cfe93b01475ba36878b65d35d812e1bb48ac71 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Mon, 22 Apr 2024 11:12:15 +0200
+Subject: kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 50cfe93b01475ba36878b65d35d812e1bb48ac71 upstream.
+
+When KUnit tests are enabled, under very big kernel configurations
+(e.g. `allyesconfig`), we can trigger a `rustdoc` ICE [1]:
+
+ RUSTDOC TK rust/kernel/lib.rs
+ error: the compiler unexpectedly panicked. this is a bug.
+
+The reason is that this build step has a duplicated `@rustc_cfg` argument,
+which contains the kernel configuration, and thus a lot of arguments. The
+factor 2 happens to be enough to reach the ICE.
+
+Thus remove the unneeded `@rustc_cfg`. By doing so, we clean up the
+command and workaround the ICE.
+
+The ICE has been fixed in the upcoming Rust 1.79 [2].
+
+Cc: stable@vger.kernel.org
+Fixes: a66d733da801 ("rust: support running Rust documentation tests as KUnit ones")
+Link: https://github.com/rust-lang/rust/issues/122722 [1]
+Link: https://github.com/rust-lang/rust/pull/122840 [2]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://lore.kernel.org/r/20240422091215.526688-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/rust/Makefile
++++ b/rust/Makefile
+@@ -173,7 +173,6 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC
+ mkdir -p $(objtree)/$(obj)/test/doctests/kernel; \
+ OBJTREE=$(abspath $(objtree)) \
+ $(RUSTDOC) --test $(rust_flags) \
+- @$(objtree)/include/generated/rustc_cfg \
+ -L$(objtree)/$(obj) --extern alloc --extern kernel \
+ --extern build_error --extern macros \
+ --extern bindings --extern uapi \
diff --git a/queue-6.6/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch b/queue-6.6/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
new file mode 100644
index 0000000000..f3d0df0aca
--- /dev/null
+++ b/queue-6.6/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
@@ -0,0 +1,42 @@
+From efb44ff64c95340b06331fc48634b99efc9dd77c Mon Sep 17 00:00:00 2001
+From: Jiantao Shan <shanjiantao@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix access error when read fault on a write-only VMA
+
+From: Jiantao Shan <shanjiantao@loongson.cn>
+
+commit efb44ff64c95340b06331fc48634b99efc9dd77c upstream.
+
+As with most architectures, allow handling of read faults in VMAs that
+have VM_WRITE but without VM_READ (WRITE implies READ).
+
+Otherwise, reading before writing a write-only memory will error while
+reading after writing everything is fine.
+
+BTW, move the VM_EXEC judgement before VM_READ/VM_WRITE to make logic a
+little clearer.
+
+Cc: stable@vger.kernel.org
+Fixes: 09cfefb7fa70c3af01 ("LoongArch: Add memory management")
+Signed-off-by: Jiantao Shan <shanjiantao@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/mm/fault.c
++++ b/arch/loongarch/mm/fault.c
+@@ -202,10 +202,10 @@ good_area:
+ if (!(vma->vm_flags & VM_WRITE))
+ goto bad_area;
+ } else {
+- if (!(vma->vm_flags & VM_READ) && address != exception_era(regs))
+- goto bad_area;
+ if (!(vma->vm_flags & VM_EXEC) && address == exception_era(regs))
+ goto bad_area;
++ if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs))
++ goto bad_area;
+ }
+
+ /*
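Review bot: The relaxed check `if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs))` lets a data read fault succeed on a VMA that has VM_WRITE but not VM_READ, and nothing in the code says this is deliberate. A one-line comment above it, such as `/* VM_WRITE implies read access here, as on most architectures */`, would stop a later cleanup from tightening it back. The instruction-fetch branch still requires VM_EXEC, so the change widens read access only. The enclosing fault handler starts and ends outside the hunk.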
diff --git a/queue-6.6/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch b/queue-6.6/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
new file mode 100644
index 0000000000..29afea4165
--- /dev/null
+++ b/queue-6.6/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
@@ -0,0 +1,112 @@
+From d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix callchain parse error with kernel tracepoint events
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 upstream.
+
+In order to fix perf's callchain parse error for LoongArch, we implement
+perf_arch_fetch_caller_regs() which fills several necessary registers
+used for callchain unwinding, including sp, fp, and era. This is similar
+to the following commits.
+
+commit b3eac0265bf6:
+("arm: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 5b09a094f2fb:
+("arm64: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 9a7e8ec0d4cc:
+("riscv: perf: Fix callchain parse error with kernel tracepoint events")
+
+Test with commands:
+
+ perf record -e sched:sched_switch -g --call-graph dwarf
+ perf report
+
+Without this patch:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 43.41% 43.41% swapper [unknown] [k] 0000000000000000
+
+ 10.94% 10.94% loong-container [unknown] [k] 0000000000000000
+ |
+ |--5.98%--0x12006ba38
+ |
+ |--2.56%--0x12006bb84
+ |
+ --2.40%--0x12006b6b8
+
+With this patch, callchain can be parsed correctly:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 47.57% 47.57% swapper [kernel.vmlinux] [k] __schedule
+ |
+ ---__schedule
+
+ 26.76% 26.76% loong-container [kernel.vmlinux] [k] __schedule
+ |
+ |--13.78%--0x12006ba38
+ | |
+ | |--9.19%--__schedule
+ | |
+ | --4.59%--handle_syscall
+ | do_syscall
+ | sys_futex
+ | do_futex
+ | futex_wait
+ | futex_wait_queue_me
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ |--8.38%--0x12006bb84
+ | handle_syscall
+ | do_syscall
+ | sys_epoll_pwait
+ | do_epoll_wait
+ | schedule_hrtimeout_range_clock
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ --4.59%--0x12006b6b8
+ handle_syscall
+ do_syscall
+ sys_nanosleep
+ hrtimer_nanosleep
+ do_nanosleep
+ hrtimer_start_range_ns
+ __schedule
+
+Cc: stable@vger.kernel.org
+Fixes: b37042b2bb7cd751f0 ("LoongArch: Add perf events support")
+Reported-by: Youling Tang <tangyouling@kylinos.cn>
+Suggested-by: Youling Tang <tangyouling@kylinos.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/perf_event.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/loongarch/include/asm/perf_event.h
++++ b/arch/loongarch/include/asm/perf_event.h
+@@ -7,6 +7,14 @@
+ #ifndef __LOONGARCH_PERF_EVENT_H__
+ #define __LOONGARCH_PERF_EVENT_H__
+
++#include <asm/ptrace.h>
++
+ #define perf_arch_bpf_user_pt_regs(regs) (struct user_pt_regs *)regs
+
++#define perf_arch_fetch_caller_regs(regs, __ip) { \
++ (regs)->csr_era = (__ip); \
++ (regs)->regs[3] = current_stack_pointer; \
++ (regs)->regs[22] = (unsigned long) __builtin_frame_address(0); \
++}
++
+ #endif /* __LOONGARCH_PERF_EVENT_H__ */
diff --git a/queue-6.6/mm-create-folio_flag_false-and-folio_type_ops-macros.patch b/queue-6.6/mm-create-folio_flag_false-and-folio_type_ops-macros.patch
new file mode 100644
index 0000000000..3040af480a
--- /dev/null
+++ b/queue-6.6/mm-create-folio_flag_false-and-folio_type_ops-macros.patch
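Review bot: `perf_arch_fetch_caller_regs()` in arch/loongarch/include/asm/perf_event.h is defined as a bare `{ ... }` block, so a use such as `if (x) perf_arch_fetch_caller_regs(r, ip); else ...` would not compile because of the `;` left after the closing brace; wrapping the body in `do { ... } while (0)` avoids that. The register indices are also unexplained: going by the commit message, `regs[3]` is sp and `regs[22]` is fp, and a short trailing comment on each line (`/* sp */`, `/* fp */`) would make that checkable. Only these three fields of `regs` are written, so anything else a consumer reads from the structure keeps whatever the caller left there.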
@@ -0,0 +1,144 @@
+From 12bbaae7635a56049779db3bef6e7140d9aa5f67 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 21 Mar 2024 14:24:40 +0000
+Subject: mm: create FOLIO_FLAG_FALSE and FOLIO_TYPE_OPS macros
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 12bbaae7635a56049779db3bef6e7140d9aa5f67 upstream.
+
+Following the separation of FOLIO_FLAGS from PAGEFLAGS, separate
+FOLIO_FLAG_FALSE from PAGEFLAG_FALSE and FOLIO_TYPE_OPS from
+PAGE_TYPE_OPS.
+
+Link: https://lkml.kernel.org/r/20240321142448.1645400-3-willy@infradead.org
+Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/page-flags.h | 70 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 47 insertions(+), 23 deletions(-)
+
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -432,30 +432,51 @@ static __always_inline int TestClearPage
+ TESTSETFLAG(uname, lname, policy) \
+ TESTCLEARFLAG(uname, lname, policy)
+
++#define FOLIO_TEST_FLAG_FALSE(name) \
++static inline bool folio_test_##name(const struct folio *folio) \
++{ return false; }
++#define FOLIO_SET_FLAG_NOOP(name) \
++static inline void folio_set_##name(struct folio *folio) { }
++#define FOLIO_CLEAR_FLAG_NOOP(name) \
++static inline void folio_clear_##name(struct folio *folio) { }
++#define __FOLIO_SET_FLAG_NOOP(name) \
++static inline void __folio_set_##name(struct folio *folio) { }
++#define __FOLIO_CLEAR_FLAG_NOOP(name) \
++static inline void __folio_clear_##name(struct folio *folio) { }
++#define FOLIO_TEST_SET_FLAG_FALSE(name) \
++static inline bool folio_test_set_##name(struct folio *folio) \
++{ return false; }
++#define FOLIO_TEST_CLEAR_FLAG_FALSE(name) \
++static inline bool folio_test_clear_##name(struct folio *folio) \
++{ return false; }
++
++#define FOLIO_FLAG_FALSE(name) \
++FOLIO_TEST_FLAG_FALSE(name) \
++FOLIO_SET_FLAG_NOOP(name) \
++FOLIO_CLEAR_FLAG_NOOP(name)
++
+ #define TESTPAGEFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_##lname(const struct folio *folio) { return false; } \
++FOLIO_TEST_FLAG_FALSE(lname) \
+ static inline int Page##uname(const struct page *page) { return 0; }
+
+ #define SETPAGEFLAG_NOOP(uname, lname) \
+-static inline void folio_set_##lname(struct folio *folio) { } \
++FOLIO_SET_FLAG_NOOP(lname) \
+ static inline void SetPage##uname(struct page *page) { }
+
+ #define CLEARPAGEFLAG_NOOP(uname, lname) \
+-static inline void folio_clear_##lname(struct folio *folio) { } \
++FOLIO_CLEAR_FLAG_NOOP(lname) \
+ static inline void ClearPage##uname(struct page *page) { }
+
+ #define __CLEARPAGEFLAG_NOOP(uname, lname) \
+-static inline void __folio_clear_##lname(struct folio *folio) { } \
++__FOLIO_CLEAR_FLAG_NOOP(lname) \
+ static inline void __ClearPage##uname(struct page *page) { }
+
+ #define TESTSETFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_set_##lname(struct folio *folio) \
+-{ return 0; } \
++FOLIO_TEST_SET_FLAG_FALSE(lname) \
+ static inline int TestSetPage##uname(struct page *page) { return 0; }
+
+ #define TESTCLEARFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_clear_##lname(struct folio *folio) \
+-{ return 0; } \
++FOLIO_TEST_CLEAR_FLAG_FALSE(lname) \
+ static inline int TestClearPage##uname(struct page *page) { return 0; }
+
+ #define PAGEFLAG_FALSE(uname, lname) TESTPAGEFLAG_FALSE(uname, lname) \
+@@ -937,35 +958,38 @@ static inline int page_has_type(struct p
+ return page_type_has_type(page->page_type);
+ }
+
++#define FOLIO_TYPE_OPS(lname, fname) \
++static __always_inline bool folio_test_##fname(const struct folio *folio)\
++{ \
++ return folio_test_type(folio, PG_##lname); \
++} \
++static __always_inline void __folio_set_##fname(struct folio *folio) \
++{ \
++ VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \
++ folio->page.page_type &= ~PG_##lname; \
++} \
++static __always_inline void __folio_clear_##fname(struct folio *folio) \
++{ \
++ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \
++ folio->page.page_type |= PG_##lname; \
++}
++
+ #define PAGE_TYPE_OPS(uname, lname, fname) \
++FOLIO_TYPE_OPS(lname, fname) \
+ static __always_inline int Page##uname(const struct page *page) \
+ { \
+ return PageType(page, PG_##lname); \
+ } \
+-static __always_inline int folio_test_##fname(const struct folio *folio)\
+-{ \
+- return folio_test_type(folio, PG_##lname); \
+-} \
+ static __always_inline void __SetPage##uname(struct page *page) \
+ { \
+ VM_BUG_ON_PAGE(!PageType(page, 0), page); \
+ page->page_type &= ~PG_##lname; \
+ } \
+-static __always_inline void __folio_set_##fname(struct folio *folio) \
+-{ \
+- VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \
+- folio->page.page_type &= ~PG_##lname; \
+-} \
+ static __always_inline void __ClearPage##uname(struct page *page) \
+ { \
+ VM_BUG_ON_PAGE(!Page##uname(page), page); \
+ page->page_type |= PG_##lname; \
+-} \
+-static __always_inline void __folio_clear_##fname(struct folio *folio) \
+-{ \
+- VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \
+- folio->page.page_type |= PG_##lname; \
+-} \
++}
+
+ /*
+ * PageBuddy() indicates that the page is free and in the buddy system
diff --git a/queue-6.6/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch b/queue-6.6/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch
new file mode 100644
index 0000000000..0948a114fb
--- /dev/null
+++ b/queue-6.6/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch
@@ -0,0 +1,51 @@
+From b76b46902c2d0395488c8412e1116c2486cdfcb2 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 17 Apr 2024 17:18:35 -0400
+Subject: mm/hugetlb: fix missing hugetlb_lock for resv uncharge
+
+From: Peter Xu <peterx@redhat.com>
+
+commit b76b46902c2d0395488c8412e1116c2486cdfcb2 upstream.
+
+There is a recent report on UFFDIO_COPY over hugetlb:
+
+https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/
+
+350: lockdep_assert_held(&hugetlb_lock);
+
+Should be an issue in hugetlb but triggered in an userfault context, where
+it goes into the unlikely path where two threads modifying the resv map
+together. Mike has a fix in that path for resv uncharge but it looks like
+the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()
+will update the cgroup pointer, so it requires to be called with the lock
+held.
+
+Link: https://lkml.kernel.org/r/20240417211836.2742593-3-peterx@redhat.com
+Fixes: 79aa925bf239 ("hugetlb_cgroup: fix reservation accounting")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reported-by: syzbot+4b8077a5fccc61c385a1@syzkaller.appspotmail.com
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3153,9 +3153,12 @@ struct folio *alloc_hugetlb_folio(struct
+
+ rsv_adjust = hugepage_subpool_put_pages(spool, 1);
+ hugetlb_acct_memory(h, -rsv_adjust);
+- if (deferred_reserve)
++ if (deferred_reserve) {
++ spin_lock_irq(&hugetlb_lock);
+ hugetlb_cgroup_uncharge_folio_rsvd(hstate_index(h),
+ pages_per_huge_page(h), folio);
++ spin_unlock_irq(&hugetlb_lock);
++ }
+ }
+ return folio;
+
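Review bot: The added `spin_lock_irq(&hugetlb_lock)` / `spin_unlock_irq(&hugetlb_lock)` pair re-enables interrupts unconditionally on unlock, which is right only if this path in alloc_hugetlb_folio() is never reached with interrupts already disabled; the rest of the function is outside the hunk, so that should be confirmed against its other hugetlb_lock sections. The reason for taking the lock is stated only in the commit message. A comment above the lock, such as `/* hugetlb_cgroup_uncharge_folio_rsvd() updates the folio's cgroup pointer and must run under hugetlb_lock */`, would keep it from being dropped again.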
diff --git a/queue-6.6/mm-support-page_mapcount-on-page_has_type-pages.patch b/queue-6.6/mm-support-page_mapcount-on-page_has_type-pages.patch
new file mode 100644
index 0000000000..2bed2eab87
--- /dev/null
+++ b/queue-6.6/mm-support-page_mapcount-on-page_has_type-pages.patch
@@ -0,0 +1,93 @@
+From fd1a745ce03e37945674c14833870a9af0882e2d Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 21 Mar 2024 14:24:42 +0000
+Subject: mm: support page_mapcount() on page_has_type() pages
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit fd1a745ce03e37945674c14833870a9af0882e2d upstream.
+
+Return 0 for pages which can't be mapped. This matches how page_mapped()
+works. It is more convenient for users to not have to filter out these
+pages.
+
+Link: https://lkml.kernel.org/r/20240321142448.1645400-5-willy@infradead.org
+Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/page.c | 7 ++-----
+ include/linux/mm.h | 8 +++++---
+ include/linux/page-flags.h | 4 ++--
+ 3 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/fs/proc/page.c
++++ b/fs/proc/page.c
+@@ -67,7 +67,7 @@ static ssize_t kpagecount_read(struct fi
+ */
+ ppage = pfn_to_online_page(pfn);
+
+- if (!ppage || PageSlab(ppage) || page_has_type(ppage))
++ if (!ppage)
+ pcount = 0;
+ else
+ pcount = page_mapcount(ppage);
+@@ -124,11 +124,8 @@ u64 stable_page_flags(struct page *page)
+
+ /*
+ * pseudo flags for the well known (anonymous) memory mapped pages
+- *
+- * Note that page->_mapcount is overloaded in SLAB, so the
+- * simple test in page_mapped() is not enough.
+ */
+- if (!PageSlab(page) && page_mapped(page))
++ if (page_mapped(page))
+ u |= 1 << KPF_MMAP;
+ if (PageAnon(page))
+ u |= 1 << KPF_ANON;
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1184,14 +1184,16 @@ static inline void page_mapcount_reset(s
+ * a large folio, it includes the number of times this page is mapped
+ * as part of that folio.
+ *
+- * The result is undefined for pages which cannot be mapped into userspace.
+- * For example SLAB or special types of pages. See function page_has_type().
+- * They use this field in struct page differently.
++ * Will report 0 for pages which cannot be mapped into userspace, eg
++ * slab, page tables and similar.
+ */
+ static inline int page_mapcount(struct page *page)
+ {
+ int mapcount = atomic_read(&page->_mapcount) + 1;
+
++ /* Handle page_has_type() pages */
++ if (mapcount < 0)
++ mapcount = 0;
+ if (unlikely(PageCompound(page)))
+ mapcount += folio_entire_mapcount(page_folio(page));
+
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -931,12 +931,12 @@ static inline bool is_page_hwpoison(stru
+ * page_type may be used. Because it is initialised to -1, we invert the
+ * sense of the bit, so __SetPageFoo *clears* the bit used for PageFoo, and
+ * __ClearPageFoo *sets* the bit used for PageFoo. We reserve a few high and
+- * low bits so that an underflow or overflow of page_mapcount() won't be
++ * low bits so that an underflow or overflow of _mapcount won't be
+ * mistaken for a page type value.
+ */
+
+ #define PAGE_TYPE_BASE 0xf0000000
+-/* Reserve 0x0000007f to catch underflows of page_mapcount */
++/* Reserve 0x0000007f to catch underflows of _mapcount */
+ #define PAGE_MAPCOUNT_RESERVE -128
+ #define PG_buddy 0x00000080
+ #define PG_offline 0x00000100
diff --git a/queue-6.6/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch b/queue-6.6/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch
new file mode 100644
index 0000000000..ee7a6c58df
--- /dev/null
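Review bot: The clamp `if (mapcount < 0) mapcount = 0;` added to page_mapcount() in include/linux/mm.h turns every negative value into 0, not only page_has_type() pages, so a `_mapcount` that has underflowed on an ordinary page is now reported as "not mapped" as well. The page-flags.h comment edited by this same patch says low bits are reserved to catch such underflows, which suggests the two cases can be told apart; consider widening the comment to `/* Handle page_has_type() pages; this also hides an underflowed _mapcount */` or testing the type explicitly. With the PageSlab()/page_has_type() filters removed from kpagecount_read() and stable_page_flags(), what /proc reports for those pages now depends entirely on this clamp and on page_mapped(), whose body is not in the hunks. page_mapcount() continues past the end of its hunk.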
+++ b/queue-6.6/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch 
@@ -0,0 +1,64 @@
+From f8def10f73a516b771051a2f70f2f0446902cb4f Mon Sep 17 00:00:00 2001
+From: Mantas Pucka <mantas@8devices.com>
+Date: Thu, 21 Mar 2024 14:30:01 +0000
+Subject: mmc: sdhci-msm: pervent access to suspended controller
+
+From: Mantas Pucka <mantas@8devices.com>
+
+commit f8def10f73a516b771051a2f70f2f0446902cb4f upstream.
+
+Generic sdhci code registers LED device and uses host->runtime_suspended
+flag to protect access to it. The sdhci-msm driver doesn't set this flag,
+which causes a crash when LED is accessed while controller is runtime
+suspended. Fix this by setting the flag correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 67e6db113c90 ("mmc: sdhci-msm: Add pm_runtime and system PM support")
+Signed-off-by: Mantas Pucka <mantas@8devices.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20240321-sdhci-mmc-suspend-v1-1-fbc555a64400@8devices.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -2694,6 +2694,11 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = true;
++ spin_unlock_irqrestore(&host->lock, flags);
+
+ /* Drop the performance vote */
+ dev_pm_opp_set_rate(dev, 0);
+@@ -2708,6 +2713,7 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
+ int ret;
+
+ ret = clk_bulk_prepare_enable(ARRAY_SIZE(msm_host->bulk_clks),
+@@ -2726,7 +2732,15 @@ static __maybe_unused int sdhci_msm_runt
+
+ dev_pm_opp_set_rate(dev, msm_host->clk_rate);
+
+- return sdhci_msm_ice_resume(msm_host);
++ ret = sdhci_msm_ice_resume(msm_host);
++ if (ret)
++ return ret;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = false;
++ spin_unlock_irqrestore(&host->lock, flags);
++
++ return ret;
+ }
+
+ static const struct dev_pm_ops sdhci_msm_pm_ops = {
diff --git a/queue-6.6/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch b/queue-6.6/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch
new file mode 100644
index 0000000000..6a3b12a968
--- /dev/null
+++ b/queue-6.6/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch
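Review bot: In the runtime-suspend hunk `host->runtime_suspended = true` is set before the rest of the suspend sequence, and nothing visible clears it again if a later step fails. The function continues outside the hunk, so if anything after `dev_pm_opp_set_rate(dev, 0)` can return an error, the flag would stay set while the controller remains active; that is worth confirming, or the flag should be reset on that error path. In the resume hunk the final `return ret;` is reached only with `ret == 0`, so `return 0;` would say that directly. Both functions start outside their hunks.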
@@ -0,0 +1,59 @@
+From b61bb5bc2c1cd00bb53db42f705735db6e8700f0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Thu, 4 Apr 2024 10:31:55 +0200
+Subject: mtd: rawnand: qcom: Fix broken OP_RESET_DEVICE command in qcom_misc_cmd_type_exec()
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit b61bb5bc2c1cd00bb53db42f705735db6e8700f0 upstream.
+
+While migrating to exec_ops in commit a82990c8a409 ("mtd: rawnand: qcom:
+Add read/read_start ops in exec_op path"), OP_RESET_DEVICE command handling
+got broken unintentionally. Right now for the OP_RESET_DEVICE command,
+qcom_misc_cmd_type_exec() will simply return 0 without handling it. Even,
+if that gets fixed, an unnecessary FLASH_STATUS read descriptor command is
+being added in the middle and that seems to be causing the command to fail
+on IPQ806x devices.
+
+So let's fix the above two issues to make OP_RESET_DEVICE command working
+again.
+
+Fixes: a82990c8a409 ("mtd: rawnand: qcom: Add read/read_start ops in exec_op path")
+Cc: stable@vger.kernel.org
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240404083157.940-1-ansuelsmth@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c
+index b079605c84d3..b8cff9240b28 100644
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -2815,7 +2815,7 @@ static int qcom_misc_cmd_type_exec(struct nand_chip *chip, const struct nand_sub
+ host->cfg0_raw & ~(7 << CW_PER_PAGE));
+ nandc_set_reg(chip, NAND_DEV0_CFG1, host->cfg1_raw);
+ instrs = 3;
+- } else {
++ } else if (q_op.cmd_reg != OP_RESET_DEVICE) {
+ return 0;
+ }
+
+@@ -2830,9 +2830,8 @@ static int qcom_misc_cmd_type_exec(struct nand_chip *chip, const struct nand_sub
+ nandc_set_reg(chip, NAND_EXEC_CMD, 1);
+
+ write_reg_dma(nandc, NAND_FLASH_CMD, instrs, NAND_BAM_NEXT_SGL);
+- (q_op.cmd_reg == OP_BLOCK_ERASE) ? write_reg_dma(nandc, NAND_DEV0_CFG0,
+- 2, NAND_BAM_NEXT_SGL) : read_reg_dma(nandc,
+- NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL);
++ if (q_op.cmd_reg == OP_BLOCK_ERASE)
++ write_reg_dma(nandc, NAND_DEV0_CFG0, 2, NAND_BAM_NEXT_SGL);
+
+ write_reg_dma(nandc, NAND_EXEC_CMD, 1, NAND_BAM_NEXT_SGL);
+ read_reg_dma(nandc, NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL);
+--
+2.44.0
+
diff --git a/queue-6.6/rust-don-t-select-constructors.patch b/queue-6.6/rust-don-t-select-constructors.patch
new file mode 100644
index 0000000000..46355c1e63
--- /dev/null
+++ b/queue-6.6/rust-don-t-select-constructors.patch
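Review bot: The remaining fallback `} else if (q_op.cmd_reg != OP_RESET_DEVICE) { return 0; }` still reports success for any command this function does not handle, which is the same silent path that hid the OP_RESET_DEVICE breakage described in the commit message. Returning an error such as `-EOPNOTSUPP` there would surface the next unhandled opcode, provided callers do not depend on the 0; that cannot be checked from the hunks. For OP_RESET_DEVICE no visible branch assigns `instrs` before `write_reg_dma(nandc, NAND_FLASH_CMD, instrs, NAND_BAM_NEXT_SGL)`, so the call relies on an initial value set outside the hunk, which deserves a short comment. qcom_misc_cmd_type_exec() starts and ends outside the hunks.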
@@ -0,0 +1,40 @@
+From 7d49f53af4b988b188d3932deac2c9c80fd7d9ce Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Fri, 8 Mar 2024 09:36:31 +0000
+Subject: rust: don't select CONSTRUCTORS
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 7d49f53af4b988b188d3932deac2c9c80fd7d9ce upstream.
+
+This was originally part of commit 4b9a68f2e59a0 ("rust: add support for
+static synchronisation primitives") from the old Rust branch, which used
+module constructors to initialize globals containing various
+synchronisation primitives with pin-init. That commit has never been
+upstreamed, but the `select CONSTRUCTORS` statement ended up being
+included in the patch that initially added Rust support to the Linux
+Kernel.
+
+We are not using module constructors, so let's remove the select.
+
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Link: https://lore.kernel.org/r/20240308-constructors-v1-1-4c811342391c@google.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1898,7 +1898,6 @@ config RUST
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
+ depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+- select CONSTRUCTORS
+ help
+ Enables Rust support in the kernel.
+
diff --git a/queue-6.6/rust-init-remove-impl-zeroable-for-infallible.patch b/queue-6.6/rust-init-remove-impl-zeroable-for-infallible.patch
new file mode 100644
index 0000000000..83e515a78c
--- /dev/null
+++ b/queue-6.6/rust-init-remove-impl-zeroable-for-infallible.patch
@@ -0,0 +1,59 @@
+From 49ceae68a0df9a92617a61e9ce8a0efcf6419585 Mon Sep 17 00:00:00 2001
+From: Laine Taffin Altman <alexanderaltman@me.com>
+Date: Wed, 3 Apr 2024 14:06:59 -0700
+Subject: rust: init: remove impl Zeroable for Infallible
+
+From: Laine Taffin Altman <alexanderaltman@me.com>
+
+commit 49ceae68a0df9a92617a61e9ce8a0efcf6419585 upstream.
+
+In Rust, producing an invalid value of any type is immediate undefined
+behavior (UB); this includes via zeroing memory. Therefore, since an
+uninhabited type has no valid values, producing any values at all for it is
+UB.
+
+The Rust standard library type `core::convert::Infallible` is uninhabited,
+by virtue of having been declared as an enum with no cases, which always
+produces uninhabited types in Rust.
+
+The current kernel code allows this UB to be triggered, for example by code
+like `Box::<core::convert::Infallible>::init(kernel::init::zeroed())`.
+
+Thus, remove the implementation of `Zeroable` for `Infallible`, thereby
+avoiding the unsoundness (potential for future UB).
+
+Cc: stable@vger.kernel.org
+Fixes: 38cde0bd7b67 ("rust: init: add `Zeroable` trait and `init::zeroed` function")
+Closes: https://github.com/Rust-for-Linux/pinned-init/pull/13
+Signed-off-by: Laine Taffin Altman <alexanderaltman@me.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Link: https://lore.kernel.org/r/CA160A4E-561E-4918-837E-3DCEBA74F808@me.com
+[ Reformatted the comment slightly. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/init.rs | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/rust/kernel/init.rs
++++ b/rust/kernel/init.rs
+@@ -1292,8 +1292,15 @@ impl_zeroable! {
+ i8, i16, i32, i64, i128, isize,
+ f32, f64,
+
+- // SAFETY: These are ZSTs, there is nothing to zero.
+- {<T: ?Sized>} PhantomData<T>, core::marker::PhantomPinned, Infallible, (),
++ // Note: do not add uninhabited types (such as `!` or `core::convert::Infallible`) to this list;
++ // creating an instance of an uninhabited type is immediate undefined behavior. For more on
++ // uninhabited/empty types, consult The Rustonomicon:
++ // <https://doc.rust-lang.org/stable/nomicon/exotic-sizes.html#empty-types>. The Rust Reference
++ // also has information on undefined behavior:
++ // <https://doc.rust-lang.org/stable/reference/behavior-considered-undefined.html>.
++ //
++ // SAFETY: These are inhabited ZSTs; there is nothing to zero and a valid value exists.
++ {<T: ?Sized>} PhantomData<T>, core::marker::PhantomPinned, (),
+
+ // SAFETY: Type is allowed to take any value, including all zeros.
+ {<T>} MaybeUninit<T>,
diff --git a/queue-6.6/rust-kernel-require-send-for-module-implementations.patch b/queue-6.6/rust-kernel-require-send-for-module-implementations.patch
new file mode 100644
index 0000000000..d201d1ac70
--- /dev/null
+++ b/queue-6.6/rust-kernel-require-send-for-module-implementations.patch
@@ -0,0 +1,39 @@
+From 323617f649c0966ad5e741e47e27e06d3a680d8f Mon Sep 17 00:00:00 2001
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+Date: Thu, 28 Mar 2024 16:54:54 -0300
+Subject: rust: kernel: require `Send` for `Module` implementations
+
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+
+commit 323617f649c0966ad5e741e47e27e06d3a680d8f upstream.
+
+The thread that calls the module initialisation code when a module is
+loaded is not guaranteed [in fact, it is unlikely] to be the same one
+that calls the module cleanup code on module unload, therefore, `Module`
+implementations must be `Send` to account for them moving from one
+thread to another implicitly.
+
+Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org # 6.8.x: df70d04d5697: rust: phy: implement `Send` for `Registration`
+Cc: stable@vger.kernel.org
+Fixes: 247b365dc8dc ("rust: add `kernel` crate")
+Link: https://lore.kernel.org/r/20240328195457.225001-3-wedsonaf@gmail.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/lib.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rust/kernel/lib.rs
++++ b/rust/kernel/lib.rs
+@@ -60,7 +60,7 @@ const __LOG_PREFIX: &[u8] = b"rust_kerne
+ /// The top level entrypoint to implementing a kernel module.
+ ///
+ /// For any teardown or cleanup operations, your type may implement [`Drop`].
+-pub trait Module: Sized + Sync {
++pub trait Module: Sized + Sync + Send {
+ /// Called at module initialization time.
+ ///
+ /// Use this method to perform whatever setup or registration your module
diff --git a/queue-6.6/rust-make-mutually-exclusive-with-cfi_clang.patch b/queue-6.6/rust-make-mutually-exclusive-with-cfi_clang.patch
new file mode 100644
index 0000000000..fecf32eceb
--- /dev/null
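Review bot: The doc comment above `pub trait Module` does not say why `Send` is now a supertrait, so an implementer whose type fails the bound sees only a compiler error. The reason is in the commit message and belongs on the trait, for example `/// Init and cleanup may run on different threads, so implementations must be Send.` placed after the existing line about `Drop`. The trait body continues past the end of the hunk.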
+++ b/queue-6.6/rust-make-mutually-exclusive-with-cfi_clang.patch 
@@ -0,0 +1,50 @@
+From 8933cf4651e02853ca679be7b2d978dfcdcc5e0c Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Thu, 4 Apr 2024 15:17:02 +0100
+Subject: rust: make mutually exclusive with CFI_CLANG
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream.
+
+On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled,
+loading a rust module will trigger a kernel panic. Support for
+sanitisers, including kcfi (CFI_CLANG), is in the works, but for now
+they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG
+to prevent configuring a kernel without symmetrical support for kfi.
+
+[ Matthew Maurer writes [1]:
+
+ This patch is fine by me - the last patch needed for KCFI to be
+ functional in Rust just landed upstream last night, so we should
+ revisit this (in the form of enabling it) once we move to
+ `rustc-1.79.0` or later.
+
+ Ramon de C Valle also gave feedback [2] on the status of KCFI for
+ Rust and created a tracking issue [3] in upstream Rust. - Miguel ]
+
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2]
+Link: https://github.com/rust-lang/rust/issues/123479 [3]
+Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud
+[ Added feedback from the list, links, and used Cc for the tag. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1894,6 +1894,7 @@ config RUST
+ bool "Rust support"
+ depends on HAVE_RUST
+ depends on RUST_IS_AVAILABLE
++ depends on !CFI_CLANG
+ depends on !MODVERSIONS
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
diff --git a/queue-6.6/rust-remove-params-from-module-macro-example.patch b/queue-6.6/rust-remove-params-from-module-macro-example.patch
new file mode 100644
index 0000000000..b5ce994cd7
--- /dev/null
+++ b/queue-6.6/rust-remove-params-from-module-macro-example.patch
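Review bot: The added `depends on !CFI_CLANG` carries no in-file explanation, although it makes Rust support and a control-flow-integrity hardening option mutually exclusive. A Kconfig comment above it would tell the next reader that this is a temporary workaround, e.g. `# Rust modules panic on load with kCFI; revisit once the minimum rustc supports it`. The commit message names rustc 1.79.0 or later as the point to revisit, which is worth stating in that comment. The `config RUST` entry starts before and continues after the hunk.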
@@ -0,0 +1,46 @@
+From 19843452dca40e28d6d3f4793d998b681d505c7f Mon Sep 17 00:00:00 2001
+From: Aswin Unnikrishnan <aswinunni01@gmail.com>
+Date: Fri, 19 Apr 2024 21:50:13 +0000
+Subject: rust: remove `params` from `module` macro example
+
+From: Aswin Unnikrishnan <aswinunni01@gmail.com>
+
+commit 19843452dca40e28d6d3f4793d998b681d505c7f upstream.
+
+Remove argument `params` from the `module` macro example, because the
+macro does not currently support module parameters since it was not sent
+with the initial merge.
+
+Signed-off-by: Aswin Unnikrishnan <aswinunni01@gmail.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 1fbde52bde73 ("rust: add `macros` crate")
+Link: https://lore.kernel.org/r/20240419215015.157258-1-aswinunni01@gmail.com
+[ Reworded slightly. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/macros/lib.rs | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/rust/macros/lib.rs
++++ b/rust/macros/lib.rs
+@@ -35,18 +35,6 @@ use proc_macro::TokenStream;
+ /// author: "Rust for Linux Contributors",
+ /// description: "My very own kernel module!",
+ /// license: "GPL",
+-/// params: {
+-/// my_i32: i32 {
+-/// default: 42,
+-/// permissions: 0o000,
+-/// description: "Example of i32",
+-/// },
+-/// writeable_i32: i32 {
+-/// default: 42,
+-/// permissions: 0o644,
+-/// description: "Example of i32",
+-/// },
+-/// },
+ /// }
+ ///
+ /// struct MyModule;
diff --git a/queue-6.6/series b/queue-6.6/series
index a7e041ef67..7ccc829c66 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -109,3 +109,40 @@ selftests-seccomp-change-the-syscall-used-in-kill_thread-test.patch
 selftests-seccomp-handle-einval-on-unshare-clone_newpid.patch
 fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch
 x86-cpu-fix-check-for-rdpkru-in-__show_regs.patch
+rust-kernel-require-send-for-module-implementations.patch
+rust-don-t-select-constructors.patch
+rust-init-remove-impl-zeroable-for-infallible.patch
+rust-make-mutually-exclusive-with-cfi_clang.patch
+kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch
+kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch
+rust-remove-params-from-module-macro-example.patch
+bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
+bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
+bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
+bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch
+mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch
+mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch
+mmc-sdhci-msm-pervent-access-to-suspended-controller.patch
+mm-create-folio_flag_false-and-folio_type_ops-macros.patch
+mm-support-page_mapcount-on-page_has_type-pages.patch
+smb-client-fix-struct_group-usage-in-__packed-structs.patch
+smb3-missing-lock-when-picking-channel.patch
+smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
+hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
+btrfs-fallback-if-compressed-io-fails-for-enospc.patch
+btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch
+btrfs-scrub-run-relocation-repair-when-only-needed.patch
+btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
+cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
+loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
+loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
+arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch
+arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch
+arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch
+drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
+drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch
+drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
+irqchip-gic-v3-its-prevent-double-free-on-error.patch
+acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
+acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
+acpi-cppc-fix-access-width-used-for-pcc-registers.patch
diff --git a/queue-6.6/smb-client-fix-struct_group-usage-in-__packed-structs.patch b/queue-6.6/smb-client-fix-struct_group-usage-in-__packed-structs.patch
new file mode 100644
index 0000000000..8e5ec699a0
--- /dev/null
+++ b/queue-6.6/smb-client-fix-struct_group-usage-in-__packed-structs.patch
@@ -0,0 +1,219 @@
+From 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Tue, 23 Apr 2024 20:41:22 -0600
+Subject: smb: client: Fix struct_group() usage in __packed structs
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 upstream.
+
+Use struct_group_attr() in __packed structs, instead of struct_group().
+
+Below you can see the pahole output before/after changes:
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ }; /* 0 56 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } network_open_info; /* 0 56 */
+ }; /* 0 56 */
+ __le32 Reserved; /* 56 4 */
+
+ /* size: 60, cachelines: 1, members: 2 */
+ /* last cacheline: 60 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)); /* 0 52 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)) network_open_info; /* 0 52 */
+ }; /* 0 52 */
+ __le32 Reserved; /* 52 4 */
+
+ /* size: 56, cachelines: 1, members: 2 */
+ /* last cacheline: 56 bytes */
+};
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ }; /* 48 40 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } common_attributes; /* 48 40 */
+ }; /* 48 40 */
+
+ ...
+
+ /* size: 111, cachelines: 2, members: 14 */
+ /* last cacheline: 47 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)); /* 48 36 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)) common_attributes; /* 48 36 */
+ }; /* 48 36 */
+
+ ...
+
+ /* size: 107, cachelines: 2, members: 14 */
+ /* last cacheline: 43 bytes */
+} __attribute__((__packed__));
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ }; /* 0 40 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } common_attributes; /* 0 40 */
+ }; /* 0 40 */
+
+ ...
+
+ /* size: 113, cachelines: 2, members: 17 */
+ /* last cacheline: 49 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)); /* 0 36 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)) common_attributes; /* 0 36 */
+ }; /* 0 36 */
+
+ ...
+
+ /* size: 109, cachelines: 2, members: 17 */
+ /* last cacheline: 45 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifspdu.h | 4 ++--
+ fs/smb/client/smb2pdu.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cifspdu.h
++++ b/fs/smb/client/cifspdu.h
+@@ -882,7 +882,7 @@ typedef struct smb_com_open_rsp {
+ __u8 OplockLevel;
+ __u16 Fid;
+ __le32 CreateAction;
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+@@ -2266,7 +2266,7 @@ typedef struct {
+ /* QueryFileInfo/QueryPathinfo (also for SetPath/SetFile) data buffer formats */
+ /******************************************************************************/
+ typedef struct { /* data block encoding of response to level 263 QPathInfo */
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+--- a/fs/smb/client/smb2pdu.h
++++ b/fs/smb/client/smb2pdu.h
+@@ -319,7 +319,7 @@ struct smb2_file_reparse_point_info {
+ } __packed;
+
+ struct smb2_file_network_open_info {
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
diff --git a/queue-6.6/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch b/queue-6.6/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
new file mode 100644
index 0000000000..a0203b0b52
--- /dev/null
+++ b/queue-6.6/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
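Review bot: Nothing next to the three changed structs pins their on-wire size, so padding introduced by a grouping macro inside a `__packed` struct can only be found by running pahole, as was done for this commit. A compile-time check beside each definition would catch a recurrence, using the sizes from the pahole output in the commit message: `static_assert(sizeof(struct smb2_file_network_open_info) == 56);`, `static_assert(sizeof(struct smb_com_open_rsp) == 107);` and `static_assert(sizeof(FILE_ALL_INFO) == 109);`. These structs describe buffers received from the server, so a silent layout shift means fields are read at the wrong offsets. All three definitions start before and continue after their hunks.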
@@ -0,0 +1,41 @@
+From 8861fd5180476f45f9e8853db154600469a0284f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Apr 2024 12:49:50 -0500
+Subject: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8861fd5180476f45f9e8853db154600469a0284f upstream.
+
+Coverity spotted that the cifs_sync_mid_result function could deadlock
+
+"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires
+lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock"
+
+Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -909,12 +909,15 @@ cifs_sync_mid_result(struct mid_q_entry
+ list_del_init(&mid->qhead);
+ mid->mid_flags |= MID_DELETED;
+ }
++ spin_unlock(&server->mid_lock);
+ cifs_server_dbg(VFS, "%s: invalid mid state mid=%llu state=%d\n",
+ __func__, mid->mid, mid->mid_state);
+ rc = -EIO;
++ goto sync_mid_done;
+ }
+ spin_unlock(&server->mid_lock);
+
++sync_mid_done:
+ release_mid(mid);
+ return rc;
+ }
diff --git a/queue-6.6/smb3-missing-lock-when-picking-channel.patch b/queue-6.6/smb3-missing-lock-when-picking-channel.patch
new file mode 100644
index 0000000000..d075526359
--- /dev/null
+++ b/queue-6.6/smb3-missing-lock-when-picking-channel.patch
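Review bot: In the invalid-state branch of `cifs_sync_mid_result`, `mid->mid` and `mid->mid_state` are now read for the debug message after `mid_lock` has been dropped, where previously they were read under it; if another path can update the state concurrently, the logged value may not be the one that selected this branch. Copying the state into a local before `spin_unlock(&server->mid_lock);` would keep the message accurate. The reason for the early unlock is also worth a comment, e.g. `/* cifs_server_dbg() takes srv_lock; drop mid_lock first */`, which is what the Coverity text in the commit message implies. The function starts outside the hunk.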
@@ -0,0 +1,36 @@
+From 8094a600245e9b28eb36a13036f202ad67c1f887 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Apr 2024 11:30:16 -0500
+Subject: smb3: missing lock when picking channel
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8094a600245e9b28eb36a13036f202ad67c1f887 upstream.
+
+Coverity spotted a place where we should have been holding the
+channel lock when accessing the ses channel index.
+
+Addresses-Coverity: 1582039 ("Data race condition (MISSING_LOCK)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -1057,9 +1057,11 @@ struct TCP_Server_Info *cifs_pick_channe
+ index = (uint)atomic_inc_return(&ses->chan_seq);
+ index %= ses->chan_count;
+ }
++
++ server = ses->chans[index].server;
+ spin_unlock(&ses->chan_lock);
+
+- return ses->chans[index].server;
++ return server;
+ }
+
+ int |