commit b1cbf9151204cd222ac09efa193a02d0dc9f6ce3 Author: Greg Kroah-Hartman Date: Fri Nov 8 16:31:04 2024 +0100 Linux 6.11.7 Link: https://lore.kernel.org/r/20241106120319.234238499@linuxfoundation.org Tested-by: Luna Jernberg Tested-by: Ronald Warsow Tested-by: SeongJae Park Tested-by: Shuah Khan Link: https://lore.kernel.org/r/20241107064547.006019150@linuxfoundation.org Tested-by: Luna Jernberg Tested-by: Pavel Machek (CIP) Tested-by: Jon Hunter Tested-by: Peter Schneider Tested-by: Mark Brown Tested-by: Ronald Warsow Tested-by: Florian Fainelli Tested-by: Salvatore Bonaccorso Tested-by: Ron Economos Tested-by: Hardik Garg Tested-by: Linux Kernel Functional Testing Tested-by: kernelci.org bot Signed-off-by: Greg Kroah-Hartman commit 88a470c6d2c2abc32879d39e7cad749cd47f29f3 Author: Uladzislau Rezki (Sony) Date: Mon Sep 30 13:37:10 2024 +0200 rcu/kvfree: Refactor kvfree_rcu_queue_batch() commit 3c5d61ae919cc377c71118ccc76fa6e8518023f8 upstream. Improve readability of kvfree_rcu_queue_batch() function in away that, after a first batch queuing, the loop is break and success value is returned to a caller. There is no reason to loop and check batches further as all outstanding objects have already been picked and attached to a certain batch to complete an offloading. Fixes: 2b55d6a42d14 ("rcu/kvfree: Add kvfree_rcu_barrier() API") Suggested-by: Linus Torvalds Closes: https://lore.kernel.org/lkml/ZvWUt2oyXRsvJRNc@pc636/T/ Signed-off-by: Uladzislau Rezki (Sony) Signed-off-by: Vlastimil Babka Signed-off-by: Greg Kroah-Hartman commit 24211fb49c9ac1b576470b7e393a5a0b50af2707 Author: Florian Westphal Date: Mon Oct 7 22:52:24 2024 +0200 lib: alloc_tag_module_unload must wait for pending kfree_rcu calls commit dc783ba4b9df3fb3e76e968b2cbeb9960069263c upstream. Ben Greear reports following splat: ------------[ cut here ]------------ net/netfilter/nf_nat_core.c:1114 module nf_nat func:nf_nat_register_fn has 256 allocated at module unload WARNING: CPU: 1 PID: 10421 at lib/alloc_tag.c:168 alloc_tag_module_unload+0x22b/0x3f0 Modules linked in: nf_nat(-) btrfs ufs qnx4 hfsplus hfs minix vfat msdos fat ... Hardware name: Default string Default string/SKYBAY, BIOS 5.12 08/04/2020 RIP: 0010:alloc_tag_module_unload+0x22b/0x3f0 codetag_unload_module+0x19b/0x2a0 ? codetag_load_module+0x80/0x80 nf_nat module exit calls kfree_rcu on those addresses, but the free operation is likely still pending by the time alloc_tag checks for leaks. Wait for outstanding kfree_rcu operations to complete before checking resolves this warning. Reproducer: unshare -n iptables-nft -t nat -A PREROUTING -p tcp grep nf_nat /proc/allocinfo # will list 4 allocations rmmod nft_chain_nat rmmod nf_nat # will WARN. [akpm@linux-foundation.org: add comment] Link: https://lkml.kernel.org/r/20241007205236.11847-1-fw@strlen.de Fixes: a473573964e5 ("lib: code tagging module support") Signed-off-by: Florian Westphal Reported-by: Ben Greear Closes: https://lore.kernel.org/netdev/bdaaef9d-4364-4171-b82b-bcfc12e207eb@candelatech.com/ Cc: Uladzislau Rezki Cc: Vlastimil Babka Cc: Suren Baghdasaryan Cc: Kent Overstreet Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Signed-off-by: Suren Baghdasaryan commit 3cce0362ee92d089dc93ab1099e1d1c8f0dde7a5 Author: Uladzislau Rezki (Sony) Date: Tue Aug 20 17:59:35 2024 +0200 rcu/kvfree: Add kvfree_rcu_barrier() API commit 2b55d6a42d14c8675e38d6d9adca3014fdf01951 upstream. Add a kvfree_rcu_barrier() function. It waits until all in-flight pointers are freed over RCU machinery. It does not wait any GP completion and it is within its right to return immediately if there are no outstanding pointers. This function is useful when there is a need to guarantee that a memory is fully freed before destroying memory caches. For example, during unloading a kernel module. Signed-off-by: Uladzislau Rezki (Sony) Signed-off-by: Vlastimil Babka Signed-off-by: Suren Baghdasaryan Signed-off-by: Greg Kroah-Hartman commit 0ee23db48fcc1f00122516e0ecb35665dcd6e08e Author: Conor Dooley Date: Tue Oct 1 12:28:13 2024 +0100 RISC-V: disallow gcc + rust builds commit 33549fcf37ec461f398f0a41e1c9948be2e5aca4 upstream. During the discussion before supporting rust on riscv, it was decided not to support gcc yet, due to differences in extension handling compared to llvm (only the version of libclang matching the c compiler is supported). Recently Jason Montleon reported [1] that building with gcc caused build issues, due to unsupported arguments being passed to libclang. After some discussion between myself and Miguel, it is better to disable gcc + rust builds to match the original intent, and subsequently support it when an appropriate set of extensions can be deduced from the version of libclang. Closes: https://lore.kernel.org/all/20240917000848.720765-2-jmontleo@redhat.com/ [1] Link: https://lore.kernel.org/all/20240926-battering-revolt-6c6a7827413e@spud/ [2] Fixes: 70a57b247251a ("RISC-V: enable building 64-bit kernels with rust support") Cc: stable@vger.kernel.org Reported-by: Jason Montleon Signed-off-by: Conor Dooley Acked-by: Miguel Ojeda Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20241001-playlist-deceiving-16ece2f440f5@spud Signed-off-by: Palmer Dabbelt Signed-off-by: Conor Dooley Signed-off-by: Greg Kroah-Hartman commit 5b3a16ebd5a56cc2f6e9ede2f050761103347e0d Author: David Sterba Date: Tue Oct 22 16:21:05 2024 +0200 MIPS: export __cmpxchg_small() commit 90a88784cdb7757feb8dd520255e6cb861f30943 upstream. Export the symbol __cmpxchg_small() for btrfs.ko that uses it to store blk_status_t, which is u8. Reported by LKP: >> ERROR: modpost: "__cmpxchg_small" [fs/btrfs/btrfs.ko] undefined! Patch using the cmpxchg() https://lore.kernel.org/linux-btrfs/1d4f72f7fee285b2ddf4bf62b0ac0fd89def5417.1728575379.git.naohiro.aota@wdc.com/ Link: https://lore.kernel.org/all/20241016134919.GO1609@suse.cz/ Acked-by: Thomas Bogendoerfer Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 498854c045b30d40b604a1a567f1ef6aa561b05b Author: Alex Deucher Date: Fri Oct 18 12:35:51 2024 -0400 drm/amdgpu: handle default profile on on devices without fullscreen 3D commit 7c210ca5a2d72868e5a052fc533d5dcb7e070f89 upstream. Some devices do not support fullscreen 3D. v2: Make the check generic. Fixes: ec1aab7816b0 ("drm/amdgpu/swsmu: default to fullscreen 3D profile for dGPUs") Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: Kenneth Feng Cc: Lijo Lazar (cherry picked from commit 1cdd67510e54e3832f14a885dbf5858584558650) Signed-off-by: Greg Kroah-Hartman commit 7ce1a4053235b087615138c90ba04d1a2ed6a8ed Author: Konstantin Komarov Date: Thu Sep 5 15:03:48 2024 +0300 fs/ntfs3: Sequential field availability check in mi_enum_attr() commit 090f612756a9720ec18b0b130e28be49839d7cb5 upstream. The code is slightly reformatted to consistently check field availability without duplication. Fixes: 556bdf27c2dd ("ntfs3: Add bounds checking to mi_enum_attr()") Signed-off-by: Konstantin Komarov Signed-off-by: Greg Kroah-Hartman commit f3256d60831b5005f0b65714235c24f18343442f Author: Alex Deucher Date: Thu Oct 3 09:57:38 2024 -0400 drm/amdgpu/swsmu: default to fullscreen 3D profile for dGPUs commit ec1aab7816b06c32f42935e34ce3a3040c778afb upstream. This uses more aggressive hueristics than the the bootup default profile. On windows the OS has a special fullscreen 3D mode where this is used. Since we don't have the equivalent on Linux default to this profile for dGPUs. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3618 Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1500 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3131 Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher (cherry picked from commit 336568de918e08c825b3b1cbe2ec809f2fc26d94) Signed-off-by: Greg Kroah-Hartman commit 6123f7ea06e135bfa5e40ffe571373ef4d0e484c Author: Alex Deucher Date: Thu Aug 22 15:16:11 2024 -0400 drm/amdgpu/swsmu: fix ordering for setting workload_mask commit b932d5ad9257f262a0bfd1bd7146120b0adc11a7 upstream. No change in functionality for the current code, but we need to set the index properly before changing it if we ever use a non-0 index. Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 3fa8b0b9358c56e2580f16e0963858bdabdab10f Author: Tejas Upadhyay Date: Wed Oct 23 20:38:14 2024 -0700 drm/xe: Write all slices if its mcr register commit f0ffa657e9f3913c7921cbd4d876343401f15f52 upstream. Register GAMREQSTRM_CTRL should be considered mcr register which should write to all slices as per documentation. Bspec: 71185 Fixes: 01570b446939 ("drm/xe/bmg: implement Wa_16023588340") Reviewed-by: Matt Roper Signed-off-by: Tejas Upadhyay Link: https://patchwork.freedesktop.org/patch/msgid/20240814095614.909774-3-tejas.upadhyay@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 3e814d83528b63493b4c0e0f389bfe64c5b2b347 Author: Tejas Upadhyay Date: Wed Oct 23 20:38:13 2024 -0700 drm/xe: Define STATELESS_COMPRESSION_CTRL as mcr register commit 4551d60299b5ddc2655b6b365a4b92634e14e04f upstream. Register STATELESS_COMPRESSION_CTRL should be considered mcr register which should write to all slices as per documentation. Bspec: 71185 Fixes: ecabb5e6ce54 ("drm/xe/xe2: Add performance turning changes") Signed-off-by: Tejas Upadhyay Reviewed-by: Shekhar Chauhan Link: https://patchwork.freedesktop.org/patch/msgid/20240814095614.909774-4-tejas.upadhyay@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 39bccd3a04ca436e045bdbd59ef70e3d939a6bba Author: Shekhar Chauhan Date: Wed Oct 23 20:38:12 2024 -0700 drm/xe/xe2: Add performance turning changes commit ecabb5e6ce54711c28706fc794d77adb3ecd0605 upstream. Update performance tuning according to the hardware spec. Bspec: 72161 Signed-off-by: Shekhar Chauhan Reviewed-by: Sai Teja Pottumuttu Reviewed-by: Akshata Jahagirdar Signed-off-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20240805053710.877119-1-shekhar.chauhan@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 3ef4a4606e13d6f01b1ad18f2a9eb5fb5c9bdc36 Author: Akshata Jahagirdar Date: Wed Oct 23 20:38:11 2024 -0700 drm/xe/xe2: Introduce performance changes commit 2009e808bc3e0df6d4d83e2271bc25ae63a4ac05 upstream. Add Compression Performance Improvement Changes in Xe2 v2: Rebase v3: Rebase, updated as per latest changes on bspec, Removed unnecessary default actions (Matt) formatting nits (Tejas) v4: Formatting nits, removed default set action for bit 14 (Matt) Bspec: 72161 Signed-off-by: Akshata Jahagirdar Reviewed-by: Matt Roper Signed-off-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/c2dd753fdc55df6a6432026f2df9c2684a0d25c1.1722607628.git.akshata.jahagirdar@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 63f093e5efedcee1846540608d4797264f3307e7 Author: Sai Teja Pottumuttu Date: Wed Oct 23 20:38:10 2024 -0700 drm/xe/xe2hpg: Introduce performance tuning changes for Xe2_HPG commit e4ac526c440af8aa94d2bdfe6066339dd93b4db2 upstream. Add performance tuning changes for Xe2_HPG Bspec: 72161 Signed-off-by: Sai Teja Pottumuttu Reviewed-by: Gustavo Sousa Signed-off-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20240724121521.2347524-1-sai.teja.pottumuttu@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 171b587b4417034f2cd81b21b626d85e1b82d71e Author: Tejas Upadhyay Date: Wed Oct 23 20:38:09 2024 -0700 drm/xe: Move enable host l2 VRAM post MCR init commit ab0d6ef864c5fa820e894ee1a07f861e63851664 upstream. xe_gt_enable_host_l2_vram() is reading the XE2_GAMREQSTRM_CTRL register that is currently missing the MCR annotation. However, just adding the annotation doesn't work as this function is called before MCR handling is initialized in xe_gt_mcr_init(). xe_gt_enable_host_l2_vram() is used to implement WA 16023588340 that needs to be done as early as possible during initialization in order to be effective since the MMIO writes impact it. In the failure scenario, driver would simply not be able to bind successfully. Moving xe_gt_enable_host_l2_vram() later, after MCR initialization is done, only incurs a few additional HW accesses, particularly when loading GuC for hwconfig. Binding/unbinding the driver 100 times in BMG still works so it should be ok to start handling the WA a little bit later. This is sufficient to allow adding the MCR annotation to XE2_GAMREQSTRM_CTRL. Cc: Lucas De Marchi Signed-off-by: Tejas Upadhyay Reviewed-by: Matt Roper Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20240814095614.909774-2-tejas.upadhyay@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 9429c1e4062436e0881834efc4347a5419fcbed0 Author: Tejas Upadhyay Date: Wed Oct 23 20:38:07 2024 -0700 drm/xe/xe2hpg: Add Wa_15016589081 commit da9a73b7b25eab574cb9c984fcce0b5e240bdd2c upstream. Wa_15016589081 applies to xe2_hpg renderCS V2(Gustavo) - rename bit macro Signed-off-by: Tejas Upadhyay Reviewed-by: Gustavo Sousa Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20240904101333.2049655-1-tejas.upadhyay@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit 9db969b36b2fbca13ad4088aff725ebd5e8142f5) Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit d82a619bb2b4e2cdc5df70a080e65e857907458c Author: Thomas Zimmermann Date: Wed Oct 23 20:38:06 2024 -0700 drm/xe: Support 'nomodeset' kernel command-line option commit 014125c64d09e58e90dde49fbb57d802a13e2559 upstream. Setting 'nomodeset' on the kernel command line disables all graphics drivers with modesetting capabilities, leaving only firmware drivers, such as simpledrm or efifb. Most DRM drivers automatically support 'nomodeset' via DRM's module helper macros. In xe, which uses regular module_init(), manually call drm_firmware_drivers_only() to test for 'nomodeset'. Do not register the driver if set. v2: - use xe's init table (Lucas) - do NULL test for init/exit functions Signed-off-by: Thomas Zimmermann Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20240827121003.97429-1-tzimmermann@suse.de Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit f0e1e960f4cf23ca7a69fbb86d597eeed1c0b6f0 Author: Juha-Pekka Heikkila Date: Wed Oct 23 20:38:05 2024 -0700 drm/i915/display: Don't enable decompression on Xe2 with Tile4 commit 4cce34b3835b6f7dc52ee2da95c96b6364bb72e5 upstream. >>From now on expect Tile4 not to be using compression Signed-off-by: Juha-Pekka Heikkila Reviewed-by: Mika Kahola Link: https://patchwork.freedesktop.org/patch/msgid/20240816115229.531671-2-juhapekka.heikkila@gmail.com Signed-off-by: Rodrigo Vivi Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 35b8dc55234a96da25adf37e7ab776dc6054d1ac Author: Jouni Högander Date: Wed Oct 23 20:38:04 2024 -0700 drm/i915/psr: Prevent Panel Replay if CRC calculation is enabled commit a8efd8ce280996fe29f2564f705e96e18da3fa62 upstream. Similarly as for PSR2 CRC calculation seems to timeout when Panel Replay is enabled. Fix this by falling back to PSR if CRC calculation is enabled. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2266 Signed-off-by: Jouni Högander Reviewed-by: Mika Kahola Link: https://patchwork.freedesktop.org/patch/msgid/20240819092549.1298233-1-jouni.hogander@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit a8c732b2492296ca868fcd05a36279b95e172d0b Author: Jani Nikula Date: Wed Oct 23 20:38:03 2024 -0700 drm/xe/display: drop unused rawclk_freq and RUNTIME_INFO() commit f15e5587448989a55cf8b4feaad0df72ca3aa6a0 upstream. With rawclk_freq moved to display runtime info, xe has no users left for them. Reviewed-by: Ville Syrjälä Reviewed-by: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/9f09274bddc14f555c0102f37af6df23b4433102.1724144570.git.jani.nikula@intel.com Signed-off-by: Jani Nikula Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit a02e4094347bf720e5f7fdf0e81e76b156dd5909 Author: Jani Nikula Date: Wed Oct 23 20:38:02 2024 -0700 drm/i915: move rawclk from runtime to display runtime info commit a9556637a23311dea96f27fa3c3e5bfba0b38ae4 upstream. It's mostly about display, so move it under display. This should also fix rawclk freq initialization in the xe driver. v2: Change the init location Link: https://lore.kernel.org/r/20240819133138.147511-2-maarten.lankhorst@linux.intel.com Cc: Maarten Lankhorst Cc: Ville Syrjälä Reviewed-by: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/39330d09c48509e013f01fd0247a9b7c291173e2.1724144570.git.jani.nikula@intel.com Signed-off-by: Jani Nikula Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit d1f12b7959a1fc735b6a85bedaa5cc36ef042377 Author: Suraj Kandpal Date: Wed Oct 23 20:38:01 2024 -0700 drm/i915/pps: Disable DPLS_GATING around pps sequence commit c7085d08c7e53d9aef0cdd4b20798356f6f5d469 upstream. Disable bit 29 of SCLKGATE_DIS register around pps sequence when we turn panel power on. --v2 -Squash two commit together [Jani] -Use IS_DISPLAY_VER [Jani] -Fix multiline comment [Jani] --v3 -Define register in a more appropriate place [Mitul] --v4 -Register is already defined no need to define it again [Ville] -Use correct WA number (lineage no.) [Dnyaneshwar] -Fix the range on which this WA is applied [Dnyaneshwar] Bspec: 49304 Signed-off-by: Suraj Kandpal Reviewed-by: Dnyaneshwar Bhadane Link: https://patchwork.freedesktop.org/patch/msgid/20240813042807.4015214-1-suraj.kandpal@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 8c067cb7c7d3cd087e3d90c323c474950a52c766 Author: Mitul Golani Date: Wed Oct 23 20:38:00 2024 -0700 drm/i915/display/dp: Compute AS SDP when vrr is also enabled commit eb53e5b933b9ff315087305b3dc931af3067d19c upstream. AS SDP should be computed when VRR timing generator is also enabled. Correct the compute condition to compute params of Adaptive sync SDP when VRR timing genrator is enabled along with sink support indication. --v2: Modify if condition (Jani). Fixes: b2013783c445 ("drm/i915/display: Cache adpative sync caps to use it later") Cc: Mitul Golani Cc: Arun R Murthy Cc: Jani Nikula Cc: intel-gfx@lists.freedesktop.org Cc: intel-xe@lists.freedesktop.org Signed-off-by: Mitul Golani Reviewed-by: Ankit Nautiyal Signed-off-by: Ankit Nautiyal (added prefix drm in subject) Link: https://patchwork.freedesktop.org/patch/msgid/20240730040941.396862-1-mitulkumar.ajitkumar.golani@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 1c780bd9df4f523fee2238297e339bcb2385f5f2 Author: Suraj Kandpal Date: Wed Oct 23 20:37:59 2024 -0700 drm/i915/dp: Clear VSC SDP during post ddi disable routine commit 3e307d6c28e7bc7d94b5699d0ed7fe07df6db094 upstream. Clear VSC SDP if intel_dp_set_infoframes is called from post ddi disable routine i.e with the variable of enable as false. This is to avoid an infoframes.enable mismatch issue which is caused when pipe is connected to eDp which has psr then connected to DPMST. In this case eDp's post ddi disable routine does not clear infoframes.enable VSC for the given pipe and DPMST does not recompute VSC SDP and write infoframes.enable which causes a mismatch. --v2 -Make the comment match the code [Jani] Signed-off-by: Suraj Kandpal Reviewed-by: Ankit Nautiyal Link: https://patchwork.freedesktop.org/patch/msgid/20240724163743.3668407-1-suraj.kandpal@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 5b89dcf23575eb5bb95ce8d672cbc2232c2eb096 Author: Suraj Kandpal Date: Wed Oct 23 20:37:58 2024 -0700 drm/i915/hdcp: Add encoder check in hdcp2_get_capability commit d34f4f058edf1235c103ca9c921dc54820d14d40 upstream. Add encoder check in intel_hdcp2_get_capability to avoid null pointer error. Signed-off-by: Suraj Kandpal Reviewed-by: Dnyaneshwar Bhadane Link: https://patchwork.freedesktop.org/patch/msgid/20240722064451.3610512-3-suraj.kandpal@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 4912e8fb3c37fb2dedf48d9c18bbbecd70e720f8 Author: Suraj Kandpal Date: Wed Oct 23 20:37:57 2024 -0700 drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability commit 31b42af516afa1e184d1a9f9dd4096c54044269a upstream. Sometimes during hotplug scenario or suspend/resume scenario encoder is not always initialized when intel_hdcp_get_capability add a check to avoid kernel null pointer dereference. Signed-off-by: Suraj Kandpal Reviewed-by: Dnyaneshwar Bhadane Link: https://patchwork.freedesktop.org/patch/msgid/20240722064451.3610512-2-suraj.kandpal@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit d0b83f496ece1bbb0f90ac4ec37e937ebf5d24fa Author: Mitul Golani Date: Wed Oct 23 20:37:56 2024 -0700 drm/i915/display: WA for Re-initialize dispcnlunitt1 xosc clock commit 7fbad577c82c5dd6db7217855c26f51554e53d85 upstream. The dispcnlunit1_cp_xosc_clk should be de-asserted in display off and only asserted in display on. As part of this workaround, Display driver shall execute set-reset sequence at the end of the initialize sequence to ensure clk does not remain active in display OFF. --v2: - Rebase. --v3: - Correct HSD number in commit message. --v4: - Reformat commit message. - Use intel_de_rmw instead of intel_de_write --v5: - Build Fixes. WA: 15013987218 Signed-off-by: Mitul Golani Reviewed-by: Nemesa Garg Reviewed-by: Suraj Kandpal Signed-off-by: Suraj Kandpal Link: https://patchwork.freedesktop.org/patch/msgid/20240708083247.2611258-1-mitulkumar.ajitkumar.golani@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 7976b004248955345e1741e28da9163eeb75242b Author: Mitul Golani Date: Wed Oct 23 20:37:55 2024 -0700 drm/i915/display: Cache adpative sync caps to use it later commit b2013783c4458a1fe8b25c0b249d2e878bcf6999 upstream. Add new member to struct intel_dp to cache support of Adaptive Sync SDP capabilities and use it whenever required to avoid HW access to read capability during each atomic commit. -v2: - Squash both the patches Signed-off-by: Mitul Golani Reviewed-by: Arun R Murthy Link: https://patchwork.freedesktop.org/patch/msgid/20240704082638.2302092-2-mitulkumar.ajitkumar.golani@intel.com Signed-off-by: Rodrigo Vivi Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 7831ec68987a97acd914acfd0d4d55b1b445d10b Author: Matthew Auld Date: Wed Oct 23 20:37:54 2024 -0700 drm/i915: disable fbc due to Wa_16023588340 commit c55f79f317ab428ae6d005965bc07e37496f209f upstream. On BMG-G21 we need to disable fbc due to complications around the WA. v2: - Try to handle with i915_drv.h and compat layer. (Rodrigo) v3: - For simplicity retreat back to the original design for now. - Drop the extra \ from the Makefile (Jani) Signed-off-by: Matthew Auld Cc: Jonathan Cavitt Cc: Matt Roper Cc: Lucas De Marchi Cc: Vinod Govindapillai Cc: Jani Nikula Cc: intel-gfx@lists.freedesktop.org Reviewed-by: Jonathan Cavitt Acked-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20240703124338.208220-4-matthew.auld@intel.com [ commit dc0f1644c47e ("drm/xe: Generate oob before compiling anything") makes part of the change to the Makefile not needed. Drop that to resolve conflict. ] Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit c431632cb0c0d22684be690eebb1d5228695578b Author: Gustavo Sousa Date: Wed Oct 23 20:37:53 2024 -0700 drm/i915: Skip programming FIA link enable bits for MTL+ commit 9fc97277eb2d17492de636b68cf7d2f5c4f15c1b upstream. Starting with Xe_LPD+, although FIA is still used to readout Type-C pin assignment, part of Type-C support is moved to PICA and programming PORT_TX_DFLEXDPMLE1(*) registers is not applicable anymore like it was for previous display IPs (e.g. see BSpec 49190). v2: - Mention Bspec 49190 as a reference of instructions for previous IPs. (Shekhar Chauhan) - s/Xe_LPDP/Xe_LPD+/ in the commit message. (Matt Roper) - Update commit message to be more accurate to the changes in the IP. (Imre Deak) Bspec: 65750, 65448 Reviewed-by: Shekhar Chauhan Reviewed-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20240625202652.315936-1-gustavo.sousa@intel.com Signed-off-by: Gustavo Sousa Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 570b898ae729f434517f888f7996f387b0c4fb4d Author: Johan Hovold Date: Mon Sep 16 10:23:06 2024 +0200 arm64: dts: qcom: x1e80100: fix PCIe4 and PCIe6a PHY clocks commit 27727cb6604e0998d03d9ec063b517b239d2bb0f upstream. Add the missing clkref enable and pipediv2 clocks to the PCIe4 and PCIe6a PHYs. Fixes: 5eb83fc10289 ("arm64: dts: qcom: x1e80100: Add PCIe nodes") Cc: stable@vger.kernel.org # 6.9 Cc: Abel Vesa Signed-off-by: Johan Hovold Reviewed-by: Abel Vesa Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240916082307.29393-3-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit d5e5a2b5cc9aebed75e72c09d53d3f698bdfa8b7 Author: Abel Vesa Date: Mon Oct 14 10:38:20 2024 +0300 arm64: dts: qcom: x1e80100: Add Broadcast_AND region in LLCC block commit 80fe25fcc605209b707583e3337e3cd40b7ed0bf upstream. Add missing Broadcast_AND region to the LLCC block for x1e80100, as the LLCC version on this platform is 4.1 and it provides the region. This also fixes the following error caused by the missing region: [ 3.797768] qcom-llcc 25000000.system-cache-controller: error -EINVAL: invalid resource (null) This error started showing up only after the new regmap region called Broadcast_AND that has been added to the llcc-qcom driver. Cc: stable@vger.kernel.org # 6.11: 055afc34fd21: soc: qcom: llcc: Add regmap for Broadcast_AND region Fixes: af16b00578a7 ("arm64: dts: qcom: Add base X1E80100 dtsi and the QCP dts") Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20241014-x1e80100-dts-llcc-add-broadcastand_region-v2-1-5ee6ac128627@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit c3c02fa6a560b3af7999a067cd387970f4b3f1fa Author: Haibo Chen Date: Thu Sep 5 17:43:38 2024 +0800 arm64: dts: imx8ulp: correct the flexspi compatible string commit 409dc5196d5b6eb67468a06bf4d2d07d7225a67b upstream. The flexspi on imx8ulp only has 16 LUTs, and imx8mm flexspi has 32 LUTs, so correct the compatible string here, otherwise will meet below error: [ 1.119072] ------------[ cut here ]------------ [ 1.123926] WARNING: CPU: 0 PID: 1 at drivers/spi/spi-nxp-fspi.c:855 nxp_fspi_exec_op+0xb04/0xb64 [ 1.133239] Modules linked in: [ 1.136448] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc6-next-20240902-00001-g131bf9439dd9 #69 [ 1.146821] Hardware name: NXP i.MX8ULP EVK (DT) [ 1.151647] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1.158931] pc : nxp_fspi_exec_op+0xb04/0xb64 [ 1.163496] lr : nxp_fspi_exec_op+0xa34/0xb64 [ 1.168060] sp : ffff80008002b2a0 [ 1.171526] x29: ffff80008002b2d0 x28: 0000000000000000 x27: 0000000000000000 [ 1.179002] x26: ffff2eb645542580 x25: ffff800080610014 x24: ffff800080610000 [ 1.186480] x23: ffff2eb645548080 x22: 0000000000000006 x21: ffff2eb6455425e0 [ 1.193956] x20: 0000000000000000 x19: ffff80008002b5e0 x18: ffffffffffffffff [ 1.201432] x17: ffff2eb644467508 x16: 0000000000000138 x15: 0000000000000002 [ 1.208907] x14: 0000000000000000 x13: ffff2eb6400d8080 x12: 00000000ffffff00 [ 1.216378] x11: 0000000000000000 x10: ffff2eb6400d8080 x9 : ffff2eb697adca80 [ 1.223850] x8 : ffff2eb697ad3cc0 x7 : 0000000100000000 x6 : 0000000000000001 [ 1.231324] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000007a6 [ 1.238795] x2 : 0000000000000000 x1 : 00000000000001ce x0 : 00000000ffffff92 [ 1.246267] Call trace: [ 1.248824] nxp_fspi_exec_op+0xb04/0xb64 [ 1.253031] spi_mem_exec_op+0x3a0/0x430 [ 1.257139] spi_nor_read_id+0x80/0xcc [ 1.261065] spi_nor_scan+0x1ec/0xf10 [ 1.264901] spi_nor_probe+0x108/0x2fc [ 1.268828] spi_mem_probe+0x6c/0xbc [ 1.272574] spi_probe+0x84/0xe4 [ 1.275958] really_probe+0xbc/0x29c [ 1.279713] __driver_probe_device+0x78/0x12c [ 1.284277] driver_probe_device+0xd8/0x15c [ 1.288660] __device_attach_driver+0xb8/0x134 [ 1.293316] bus_for_each_drv+0x88/0xe8 [ 1.297337] __device_attach+0xa0/0x190 [ 1.301353] device_initial_probe+0x14/0x20 [ 1.305734] bus_probe_device+0xac/0xb0 [ 1.309752] device_add+0x5d0/0x790 [ 1.313408] __spi_add_device+0x134/0x204 [ 1.317606] of_register_spi_device+0x3b4/0x590 [ 1.322348] spi_register_controller+0x47c/0x754 [ 1.327181] devm_spi_register_controller+0x4c/0xa4 [ 1.332289] nxp_fspi_probe+0x1cc/0x2b0 [ 1.336307] platform_probe+0x68/0xc4 [ 1.340145] really_probe+0xbc/0x29c [ 1.343893] __driver_probe_device+0x78/0x12c [ 1.348457] driver_probe_device+0xd8/0x15c [ 1.352838] __driver_attach+0x90/0x19c [ 1.356857] bus_for_each_dev+0x7c/0xdc [ 1.360877] driver_attach+0x24/0x30 [ 1.364624] bus_add_driver+0xe4/0x208 [ 1.368552] driver_register+0x5c/0x124 [ 1.372573] __platform_driver_register+0x28/0x34 [ 1.377497] nxp_fspi_driver_init+0x1c/0x28 [ 1.381888] do_one_initcall+0x80/0x1c8 [ 1.385908] kernel_init_freeable+0x1c4/0x28c [ 1.390472] kernel_init+0x20/0x1d8 [ 1.394138] ret_from_fork+0x10/0x20 [ 1.397885] ---[ end trace 0000000000000000 ]--- [ 1.407908] ------------[ cut here ]------------ Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") Cc: stable@kernel.org Signed-off-by: Haibo Chen Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 74542e1ba5bef3e32c0d9349bb13d5ce2f0d2a68 Author: Johan Hovold Date: Wed Oct 16 16:51:08 2024 +0200 arm64: dts: qcom: x1e80100-crd: fix nvme regulator boot glitch commit 37f9477ce9d07ed87f6efe9b99de580bc9d27df5 upstream. The NVMe regulator has been left enabled by the boot firmware. Mark it as such to avoid disabling the regulator temporarily during boot. Fixes: eb57cbe730d1 ("arm64: dts: qcom: x1e80100: Describe the PCIe 6a resources") Cc: stable@vger.kernel.org # 6.11 Cc: Abel Vesa Signed-off-by: Johan Hovold Reviewed-by: Stephan Gerhold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241016145112.24785-3-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 40700123ada8d4d90fd47f44a9ab8e980cac4f6f Author: Johan Hovold Date: Wed Oct 16 16:51:12 2024 +0200 arm64: dts: qcom: x1e80100-qcp: fix nvme regulator boot glitch commit 717f0637ffc6a6a59f838df94a7d61e643c98d62 upstream. The NVMe regulator has been left enabled by the boot firmware. Mark it as such to avoid disabling the regulator temporarily during boot. Fixes: eb57cbe730d1 ("arm64: dts: qcom: x1e80100: Describe the PCIe 6a resources") Cc: stable@vger.kernel.org # 6.11 Cc: Abel Vesa Signed-off-by: Johan Hovold Reviewed-by: Stephan Gerhold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241016145112.24785-7-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 69652617513bb7726680ed00e229ea91a488ba2e Author: Johan Hovold Date: Thu Oct 24 15:10:59 2024 +0200 arm64: dts: qcom: x1e80100: fix PCIe4 interconnect commit f3bba5eb46ddb8f460fc808a65050a9bf2f7ef23 upstream. The fourth PCIe controller is connected to the PCIe North ANoC. Fix the corresponding interconnect property so that the OS manages the right path. Fixes: 5eb83fc10289 ("arm64: dts: qcom: x1e80100: Add PCIe nodes") Cc: stable@vger.kernel.org # 6.9 Cc: Abel Vesa Cc: Sibi Sankar Cc: Rajendra Nayak Signed-off-by: Johan Hovold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241024131101.13587-2-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit edccb5c7863e1ce3d1f5d51e2a436e392e36ae06 Author: Johan Hovold Date: Wed Oct 16 16:51:09 2024 +0200 arm64: dts: qcom: x1e80100-vivobook-s15: fix nvme regulator boot glitch commit c6d151f61b6703124e14bc0eae98d05206e36e02 upstream. The NVMe regulator has been left enabled by the boot firmware. Mark it as such to avoid disabling the regulator temporarily during boot. Fixes: d0e2f8f62dff ("arm64: dts: qcom: Add device tree for ASUS Vivobook S 15") Cc: stable@vger.kernel.org # 6.11 Cc: Xilin Wu Signed-off-by: Johan Hovold Reviewed-by: Stephan Gerhold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241016145112.24785-4-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 94dbd62f3cc33edcdeca36a8da564a6b39c268eb Author: Konrad Dybcio Date: Wed Jul 10 16:07:23 2024 +0200 arm64: dts: qcom: x1e80100: Fix up BAR spaces commit 7af1418500124150f9fd24e1a5b9c288771df271 upstream. The 32-bit BAR spaces are reaching outside their assigned register regions. Shrink them to match their actual sizes. This resolves an issue where the regions overlap and one of the controllers won't come up, which can be seen in the log as: qcom-pcie 1c08000.pci: resource collision: [mem 0x7c300000-0x7fffffff] conflicts with 1c00000.pci dbi [mem 0x7e000000-0x7e000f1c] While at it, unify the style. Fixes: 5eb83fc10289 ("arm64: dts: qcom: x1e80100: Add PCIe nodes") Cc: stable@vger.kernel.org Signed-off-by: Konrad Dybcio Reviewed-by: Abel Vesa Tested-by: Abel Vesa Link: https://lore.kernel.org/r/20240710-topic-barman-v1-1-5f63fca8d0fc@linaro.org [bjorn: Added note about overlapping resource regions] Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit ec14ed227f3b4109b7b3147d3a198802b7035f0a Author: Johan Hovold Date: Wed Oct 16 16:51:10 2024 +0200 arm64: dts: qcom: x1e80100-yoga-slim7x: fix nvme regulator boot glitch commit 1badd07e4c0e1ecfb187dcba05357c0f3e70e797 upstream. The NVMe regulator has been left enabled by the boot firmware. Mark it as such to avoid disabling the regulator temporarily during boot. Fixes: 45247fe17db2 ("arm64: dts: qcom: x1e80100: add Lenovo Thinkpad Yoga slim 7x devicetree") Cc: stable@vger.kernel.org # 6.11 Cc: Srinivas Kandagatla Signed-off-by: Johan Hovold Reviewed-by: Stephan Gerhold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241016145112.24785-5-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 483f3d4bb103b9fb441ae58a10da4d78e90b83b8 Author: Fabien Parent Date: Wed Sep 4 11:26:55 2024 -0700 arm64: dts: qcom: msm8939: revert use of APCS mbox for RPM commit d92e9ea2f0f918d7b01cbacb838288bffccc8954 upstream. Commit 22e4e43484c4 ("arm64: dts: qcom: msm8939: Use mboxes properties for APCS") broke the boot on msm8939 platforms. The issue comes from the SMD driver failing to request the mbox channel because of circular dependencies: 1. rpm -> apcs1_mbox -> rpmcc (RPM_SMD_XO_CLK_SRC) -> rpm. 2. rpm -> apcs1_mbox -> gcc -> rpmcc (RPM_SMD_XO_CLK_SRC) -> rpm 3. rpm -> apcs1_mbox -> apcs2 -> gcc -> rpmcc (RPM_SMD_XO_CLK_SRC) -> rpm To fix this issue let's switch back to using the deprecated qcom,ipc property for the RPM node. Fixes: 22e4e43484c4 ("arm64: dts: qcom: msm8939: Use mboxes properties for APCS") Signed-off-by: Fabien Parent Link: https://lore.kernel.org/r/20240904-msm8939-rpm-apcs-fix-v1-1-b608e7e48fe1@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit ab286dcbb659628515eea84bc84738be9093375a Author: Conor Dooley Date: Wed Oct 16 21:11:15 2024 +0100 riscv: dts: starfive: disable unused csi/camss nodes commit 2e11e78667db90a9e732fbe42820e734d0658fc7 upstream. Aurelien reported probe failures due to the csi node being enabled without having a camera attached to it. A camera was in the initial submissions, but was removed from the dts, as it had not actually been present on the board, but was from an addon board used by the developer of the relevant drivers. The non-camera pipeline nodes were not disabled when this happened and the probe failures are problematic for Debian. Disable them. CC: stable@vger.kernel.org Fixes: 28ecaaa5af192 ("riscv: dts: starfive: jh7110: Add camera subsystem nodes") Closes: https://lore.kernel.org/all/Zw1-vcN4CoVkfLjU@aurel32.net/ Reported-by: Aurelien Jarno Reviewed-by: Emil Renner Berthing Tested-by: Aurelien Jarno Reviewed-by: Aurelien Jarno Signed-off-by: Conor Dooley Signed-off-by: Greg Kroah-Hartman commit 7d2b59d6f77b525e3c87be40848eaf295eec37c4 Author: E Shattow Date: Mon Oct 21 23:09:51 2024 -0700 riscv: dts: starfive: Update ethernet phy0 delay parameter values for Star64 commit 825bb69228c8ab85637d21cdf4d44207937130b6 upstream. Improve function of Star64 bottom network port phy0 with updated delay values. Initial upstream patches supporting Star64 use the same vendor board support package parameters known to result in an unreliable bottom network port. Success acquiring DHCP lease and no dropped packets to ping LAN address: rx 900: tx 1500 1650 1800 1950 rx 750: tx 1650 1800 1950 rx 600: tx 1800 1950 rx 1050: tx 1650 1800 1950 rx 1200: tx 1500 1650 1800 1950 rx 1350: tx 1500 1650 1800 1950 rx 1500: tx 1500 1650 1800 1950 rx 1650: tx 1500 1650 1800 1950 rx 1800: tx 1500 1650 1800 1950 rx 1900: tx 1950 rx 1950: tx 1950 Failure acquiring DHCP lease or many dropped packets: rx 450: tx 1500 1800 1950 rx 600: tx 1200 1350 1650 rx 750: tx 1350 1500 rx 900: tx 1200 1350 rx 1050: tx 1050 1200 1350 1500 rx 1200: tx 1350 rx 1350: tx 1350 rx 1500: tx 1200 1350 rx 1650: tx 1050 1200 1350 rx 1800: tx 1050 1200 1350 rx 1900: tx 1500 1650 1800 rx 1950: tx 1200 1350 Non-functional: rx 0: tx 0 150 300 450 600 750 900 1050 1200 1350 1500 1650 1800 1950 rx 150: tx 0 150 300 450 600 750 900 1050 1200 1350 1500 1650 1800 1950 rx 300: tx 0 150 300 450 600 750 900 1050 1200 1350 1500 1650 1800 1950 rx 450: tx 0 150 300 450 600 750 900 1050 1200 1350 1650 rx 600: tx 0 150 300 450 600 750 900 1050 rx 750: tx 0 150 300 450 600 750 900 1050 1200 rx 900: tx 0 150 300 450 600 750 900 1050 rx 1050: tx 0 150 300 450 600 750 900 rx 1200: tx 0 150 300 450 600 750 900 1050 1200 rx 1350: tx 0 150 300 450 600 750 900 1050 1200 rx 1500: tx 0 150 300 450 600 750 900 1050 rx 1650: tx 0 150 300 450 600 750 900 rx 1800: tx 0 150 300 450 600 750 900 rx 1900: tx 0 150 300 450 600 750 900 1050 1200 1350 rx 1950: tx 0 150 300 450 600 750 900 1050 Selecting the median of all working rx delay values 1500 combined with tx delay values 1500, 1650, 1800, and 1950 only the tx delay value of 1950 (default) is reliable as tested in both Linux 6.11.2 and U-Boot v2024.10 Signed-off-by: E Shattow CC: stable@vger.kernel.org Fixes: 2606bf583b962 ("riscv: dts: starfive: add Star64 board devicetree") Acked-by: Emil Renner Berthing Signed-off-by: Conor Dooley Signed-off-by: Greg Kroah-Hartman commit 155f9686bd80e5866c1c7f8cfd96fea292b492c4 Author: Yu Zhao Date: Sat Oct 19 01:29:39 2024 +0000 mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() [ Upstream commit 1d4832becdc2cdb2cffe2a6050c9d9fd8ff1c58c ] When the MM_WALK capability is enabled, memory that is mostly accessed by a VM appears younger than it really is, therefore this memory will be less likely to be evicted. Therefore, the presence of a running VM can significantly increase swap-outs for non-VM memory, regressing the performance for the rest of the system. Fix this regression by always calling {ptep,pmdp}_clear_young_notify() whenever we clear the young bits on PMDs/PTEs. [jthoughton@google.com: fix link-time error] Link: https://lkml.kernel.org/r/20241019012940.3656292-3-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao Signed-off-by: James Houghton Reported-by: David Stevens Cc: Axel Rasmussen Cc: David Matlack Cc: David Rientjes Cc: Oliver Upton Cc: Paolo Bonzini Cc: Sean Christopherson Cc: Wei Xu Cc: Cc: kernel test robot Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 467ea50660a35cbbc6cf19df74c2e2485b4e920d Author: Zhiguo Jiang Date: Wed Jul 10 16:36:41 2024 +0800 mm: shrink skip folio mapped by an exiting process [ Upstream commit c495b97624d0c059b0403e26dadb166d69918409 ] The releasing process of the non-shared anonymous folio mapped solely by an exiting process may go through two flows: 1) the anonymous folio is firstly is swaped-out into swapspace and transformed into a swp_entry in shrink_folio_list; 2) then the swp_entry is released in the process exiting flow. This will result in the high cpu load of releasing a non-shared anonymous folio mapped solely by an exiting process. When the low system memory and the exiting process exist at the same time, it will be likely to happen, because the non-shared anonymous folio mapped solely by an exiting process may be reclaimed by shrink_folio_list. This patch is that shrink skips the non-shared anonymous folio solely mapped by an exting process and this folio is only released directly in the process exiting flow, which will save swap-out time and alleviate the load of the process exiting. Barry provided some effectiveness testing in [1]. "I observed that this patch effectively skipped 6114 folios (either 4KB or 64KB mTHP), potentially reducing the swap-out by up to 92MB (97,300,480 bytes) during the process exit. The working set size is 256MB." Link: https://lkml.kernel.org/r/20240710083641.546-1-justinjiang@vivo.com Link: https://lore.kernel.org/linux-mm/20240710033212.36497-1-21cnbao@gmail.com/ [1] Signed-off-by: Zhiguo Jiang Acked-by: Barry Song Cc: David Hildenbrand Cc: Matthew Wilcox Signed-off-by: Andrew Morton Stable-dep-of: 1d4832becdc2 ("mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify()") Signed-off-by: Sasha Levin commit 5f856da6fadacec4b43f7f6b889bc48f02b6a202 Author: Yu Zhao Date: Sat Oct 19 01:29:38 2024 +0000 mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats [ Upstream commit ddd6d8e975b171ea3f63a011a75820883ff0d479 ] Patch series "mm: multi-gen LRU: Have secondary MMUs participate in MM_WALK". Today, the MM_WALK capability causes MGLRU to clear the young bit from PMDs and PTEs during the page table walk before eviction, but MGLRU does not call the clear_young() MMU notifier in this case. By not calling this notifier, the MM walk takes less time/CPU, but it causes pages that are accessed mostly through KVM / secondary MMUs to appear younger than they should be. We do call the clear_young() notifier today, but only when attempting to evict the page, so we end up clearing young/accessed information less frequently for secondary MMUs than for mm PTEs, and therefore they appear younger and are less likely to be evicted. Therefore, memory that is *not* being accessed mostly by KVM will be evicted *more* frequently, worsening performance. ChromeOS observed a tab-open latency regression when enabling MGLRU with a setup that involved running a VM: Tab-open latency histogram (ms) Version p50 mean p95 p99 max base 1315 1198 2347 3454 10319 mglru 2559 1311 7399 12060 43758 fix 1119 926 2470 4211 6947 This series replaces the final non-selftest patchs from this series[1], which introduced a similar change (and a new MMU notifier) with KVM optimizations. I'll send a separate series (to Sean and Paolo) for the KVM optimizations. This series also makes proactive reclaim with MGLRU possible for KVM memory. I have verified that this functions correctly with the selftest from [1], but given that that test is a KVM selftest, I'll send it with the rest of the KVM optimizations later. Andrew, let me know if you'd like to take the test now anyway. [1]: https://lore.kernel.org/linux-mm/20240926013506.860253-18-jthoughton@google.com/ This patch (of 2): The removed stats, MM_LEAF_OLD and MM_NONLEAF_TOTAL, are not very helpful and become more complicated to properly compute when adding test/clear_young() notifiers in MGLRU's mm walk. Link: https://lkml.kernel.org/r/20241019012940.3656292-1-jthoughton@google.com Link: https://lkml.kernel.org/r/20241019012940.3656292-2-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao Signed-off-by: James Houghton Cc: Axel Rasmussen Cc: David Matlack Cc: David Rientjes Cc: David Stevens Cc: Oliver Upton Cc: Paolo Bonzini Cc: Sean Christopherson Cc: Wei Xu Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 87543f38c0a93bb8d9e86f4a9d84cde08f6b48c9 Author: Yuanchu Xie Date: Tue Aug 13 09:37:59 2024 -0700 mm: multi-gen LRU: ignore non-leaf pmd_young for force_scan=true [ Upstream commit bceeeaed4817ba7ad9013b4116c97220a60fcf7c ] When non-leaf pmd accessed bits are available, MGLRU page table walks can clear the non-leaf pmd accessed bit and ignore the accessed bit on the pte if it's on a different node, skipping a generation update as well. If another scan occurs on the same node as said skipped pte. The non-leaf pmd accessed bit might remain cleared and the pte accessed bits won't be checked. While this is sufficient for reclaim-driven aging, where the goal is to select a reasonably cold page, the access can be missed when aging proactively for workingset estimation of a node/memcg. In more detail, get_pfn_folio returns NULL if the folio's nid != node under scanning, so the page table walk skips processing of said pte. Now the pmd_young flag on this pmd is cleared, and if none of the pte's are accessed before another scan occurs on the folio's node, the pmd_young check fails and the pte accessed bit is skipped. Since force_scan disables various other optimizations, we check force_scan to ignore the non-leaf pmd accessed bit. Link: https://lkml.kernel.org/r/20240813163759.742675-1-yuanchu@google.com Signed-off-by: Yuanchu Xie Acked-by: Yu Zhao Cc: "Huang, Ying" Cc: Lance Yang Signed-off-by: Andrew Morton Stable-dep-of: ddd6d8e975b1 ("mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats") Signed-off-by: Sasha Levin commit 7f471dbbb229f17102ed5cca9fd455ba9818beec Author: Dmitry Torokhov Date: Sun Oct 27 22:31:15 2024 -0700 Input: fix regression when re-registering input handlers [ Upstream commit 071b24b54d2d05fbf39ddbb27dee08abd1d713f3 ] Commit d469647bafd9 ("Input: simplify event handling logic") introduced code that would set handler->events() method to either input_handler_events_filter() or input_handler_events_default() or input_handler_events_null(), depending on the kind of input handler (a filter or a regular one) we are dealing with. Unfortunately this breaks cases when we try to re-register the same filter (as is the case with sysrq handler): after initial registration the handler will have 2 event handling methods defined, and will run afoul of the check in input_handler_check_methods(): input: input_handler_check_methods: only one event processing method can be defined (sysrq) sysrq: Failed to register input handler, error -22 Fix this by adding handle_events() method to input_handle structure and setting it up when registering a new input handle according to event handling methods defined in associated input_handler structure, thus avoiding modifying the input_handler structure. Reported-by: "Ned T. Crigler" Reported-by: Christian Heusel Tested-by: "Ned T. Crigler" Tested-by: Peter Seiderer Fixes: d469647bafd9 ("Input: simplify event handling logic") Link: https://lore.kernel.org/r/Zx2iQp6csn42PJA7@xavtug Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 24eb7e6bcd03ea3cc425de37af81d2e46b0c2707 Author: Vlastimil Babka Date: Thu Oct 24 17:12:29 2024 +0200 mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes [ Upstream commit d4148aeab412432bf928f311eca8a2ba52bb05df ] Since commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") a mmap() of anonymous memory without a specific address hint and of at least PMD_SIZE will be aligned to PMD so that it can benefit from a THP backing page. However this change has been shown to regress some workloads significantly. [1] reports regressions in various spec benchmarks, with up to 600% slowdown of the cactusBSSN benchmark on some platforms. The benchmark seems to create many mappings of 4632kB, which would have merged to a large THP-backed area before commit efa7df3e3bb5 and now they are fragmented to multiple areas each aligned to PMD boundary with gaps between. The regression then seems to be caused mainly due to the benchmark's memory access pattern suffering from TLB or cache aliasing due to the aligned boundaries of the individual areas. Another known regression bisected to commit efa7df3e3bb5 is darktable [2] [3] and early testing suggests this patch fixes the regression there as well. To fix the regression but still try to benefit from THP-friendly anonymous mapping alignment, add a condition that the size of the mapping must be a multiple of PMD size instead of at least PMD size. In case of many odd-sized mapping like the cactusBSSN creates, those will stop being aligned and with gaps between, and instead naturally merge again. Link: https://lkml.kernel.org/r/20241024151228.101841-2-vbabka@suse.cz Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") Signed-off-by: Vlastimil Babka Reported-by: Michael Matz Debugged-by: Gabriel Krisman Bertazi Closes: https://bugzilla.suse.com/show_bug.cgi?id=1229012 [1] Reported-by: Matthias Bodenbinder Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219366 [2] Closes: https://lore.kernel.org/all/2050f0d4-57b0-481d-bab8-05e8d48fed0c@leemhuis.info/ [3] Reviewed-by: Lorenzo Stoakes Reviewed-by: Yang Shi Cc: Rik van Riel Cc: Jann Horn Cc: Liam R. Howlett Cc: Petr Tesarik Cc: Thorsten Leemhuis Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 5a68bf8ebfc76d6c683026d3e2415644fb33fe9d Author: Gregory Price Date: Fri Oct 25 10:17:24 2024 -0400 vmscan,migrate: fix page count imbalance on node stats when demoting pages [ Upstream commit 35e41024c4c2b02ef8207f61b9004f6956cf037b ] When numa balancing is enabled with demotion, vmscan will call migrate_pages when shrinking LRUs. migrate_pages will decrement the the node's isolated page count, leading to an imbalanced count when invoked from (MG)LRU code. The result is dmesg output like such: $ cat /proc/sys/vm/stat_refresh [77383.088417] vmstat_refresh: nr_isolated_anon -103212 [77383.088417] vmstat_refresh: nr_isolated_file -899642 This negative value may impact compaction and reclaim throttling. The following path produces the decrement: shrink_folio_list demote_folio_list migrate_pages migrate_pages_batch migrate_folio_move migrate_folio_done mod_node_page_state(-ve) <- decrement This path happens for SUCCESSFUL migrations, not failures. Typically callers to migrate_pages are required to handle putback/accounting for failures, but this is already handled in the shrink code. When accounting for migrations, instead do not decrement the count when the migration reason is MR_DEMOTION. As of v6.11, this demotion logic is the only source of MR_DEMOTION. Link: https://lkml.kernel.org/r/20241025141724.17927-1-gourry@gourry.net Fixes: 26aa2d199d6f ("mm/migrate: demote pages during reclaim") Signed-off-by: Gregory Price Reviewed-by: Yang Shi Reviewed-by: Davidlohr Bueso Reviewed-by: Shakeel Butt Reviewed-by: "Huang, Ying" Reviewed-by: Oscar Salvador Cc: Dave Hansen Cc: Wei Xu Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 3dfd421cecf9d6527176c62695c260bc0633de62 Author: Johan Hovold Date: Mon Oct 28 13:49:59 2024 +0100 gpiolib: fix debugfs dangling chip separator [ Upstream commit 604888f8c3d01fddd9366161efc65cb3182831f1 ] Add the missing newline after entries for recently removed gpio chips so that the chip sections are separated by a newline as intended. Fixes: e348544f7994 ("gpio: protect the list of GPIO devices with SRCU") Cc: stable@vger.kernel.org # 6.9 Cc: Bartosz Golaszewski Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20241028125000.24051-3-johan+linaro@kernel.org Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 13b2098e108d8f6057256f739bc2f46680ec819e Author: Johan Hovold Date: Mon Oct 28 13:49:58 2024 +0100 gpiolib: fix debugfs newline separators [ Upstream commit 3e8b7238b427e05498034c240451af5f5495afda ] The gpiolib debugfs interface exports a list of all gpio chips in a system and the state of their pins. The gpio chip sections are supposed to be separated by a newline character, but a long-standing bug prevents the separator from being included when output is generated in multiple sessions, making the output inconsistent and hard to read. Make sure to only suppress the newline separator at the beginning of the file as intended. Fixes: f9c4a31f6150 ("gpiolib: Use seq_file's iterator interface") Cc: stable@vger.kernel.org # 3.7 Cc: Thierry Reding Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20241028125000.24051-2-johan+linaro@kernel.org Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 4529275588215d7d77531c7151c92dc22fc7e1e2 Author: Filipe Manana Date: Tue Oct 29 15:18:45 2024 +0000 btrfs: fix defrag not merging contiguous extents due to merged extent maps [ Upstream commit 77b0d113eec49a7390ff1a08ca1923e89f5f86c6 ] When running defrag (manual defrag) against a file that has extents that are contiguous and we already have the respective extent maps loaded and merged, we end up not defragging the range covered by those contiguous extents. This happens when we have an extent map that was the result of merging multiple extent maps for contiguous extents and the length of the merged extent map is greater than or equals to the defrag threshold length. The script below reproduces this scenario: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi mkfs.btrfs -f $DEV mount $DEV $MNT # Create a 256K file with 4 extents of 64K each. xfs_io -f -c "falloc 0 64K" \ -c "pwrite 0 64K" \ -c "falloc 64K 64K" \ -c "pwrite 64K 64K" \ -c "falloc 128K 64K" \ -c "pwrite 128K 64K" \ -c "falloc 192K 64K" \ -c "pwrite 192K 64K" \ $MNT/foo umount $MNT echo -n "Initial number of file extent items: " btrfs inspect-internal dump-tree -t 5 $DEV | grep EXTENT_DATA | wc -l mount $DEV $MNT # Read the whole file in order to load and merge extent maps. cat $MNT/foo > /dev/null btrfs filesystem defragment -t 128K $MNT/foo umount $MNT echo -n "Number of file extent items after defrag with 128K threshold: " btrfs inspect-internal dump-tree -t 5 $DEV | grep EXTENT_DATA | wc -l mount $DEV $MNT # Read the whole file in order to load and merge extent maps. cat $MNT/foo > /dev/null btrfs filesystem defragment -t 256K $MNT/foo umount $MNT echo -n "Number of file extent items after defrag with 256K threshold: " btrfs inspect-internal dump-tree -t 5 $DEV | grep EXTENT_DATA | wc -l Running it: $ ./test.sh Initial number of file extent items: 4 Number of file extent items after defrag with 128K threshold: 4 Number of file extent items after defrag with 256K threshold: 4 The 4 extents don't get merged because we have an extent map with a size of 256K that is the result of merging the individual extent maps for each of the four 64K extents and at defrag_lookup_extent() we have a value of zero for the generation threshold ('newer_than' argument) since this is a manual defrag. As a consequence we don't call defrag_get_extent() to get an extent map representing a single file extent item in the inode's subvolume tree, so we end up using the merged extent map at defrag_collect_targets() and decide not to defrag. Fix this by updating defrag_lookup_extent() to always discard extent maps that were merged and call defrag_get_extent() regardless of the minimum generation threshold ('newer_than' argument). A test case for fstests will be sent along soon. CC: stable@vger.kernel.org # 6.1+ Fixes: 199257a78bb0 ("btrfs: defrag: don't use merged extent map for their generation check") Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit d401d51911ec3b6ef871bc67db7303c6f00e8133 Author: Filipe Manana Date: Mon Oct 28 16:23:00 2024 +0000 btrfs: fix extent map merging not happening for adjacent extents [ Upstream commit a0f0625390858321525c2a8d04e174a546bd19b3 ] If we have 3 or more adjacent extents in a file, that is, consecutive file extent items pointing to adjacent extents, within a contiguous file range and compatible flags, we end up not merging all the extents into a single extent map. For example: $ mkfs.btrfs -f /dev/sdc $ mount /dev/sdc /mnt/sdc $ xfs_io -f -d -c "pwrite -b 64K 0 64K" \ -c "pwrite -b 64K 64K 64K" \ -c "pwrite -b 64K 128K 64K" \ -c "pwrite -b 64K 192K 64K" \ /mnt/sdc/foo After all the ordered extents complete we unpin the extent maps and try to merge them, but instead of getting a single extent map we get two because: 1) When the first ordered extent completes (file range [0, 64K)) we unpin its extent map and attempt to merge it with the extent map for the range [64K, 128K), but we can't because that extent map is still pinned; 2) When the second ordered extent completes (file range [64K, 128K)), we unpin its extent map and merge it with the previous extent map, for file range [0, 64K), but we can't merge with the next extent map, for the file range [128K, 192K), because this one is still pinned. The merged extent map for the file range [0, 128K) gets the flag EXTENT_MAP_MERGED set; 3) When the third ordered extent completes (file range [128K, 192K)), we unpin its extent map and attempt to merge it with the previous extent map, for file range [0, 128K), but we can't because that extent map has the flag EXTENT_MAP_MERGED set (mergeable_maps() returns false due to different flags) while the extent map for the range [128K, 192K) doesn't have that flag set. We also can't merge it with the next extent map, for file range [192K, 256K), because that one is still pinned. At this moment we have 3 extent maps: One for file range [0, 128K), with the flag EXTENT_MAP_MERGED set. One for file range [128K, 192K). One for file range [192K, 256K) which is still pinned; 4) When the fourth and final extent completes (file range [192K, 256K)), we unpin its extent map and attempt to merge it with the previous extent map, for file range [128K, 192K), which succeeds since none of these extent maps have the EXTENT_MAP_MERGED flag set. So we end up with 2 extent maps: One for file range [0, 128K), with the flag EXTENT_MAP_MERGED set. One for file range [128K, 256K), with the flag EXTENT_MAP_MERGED set. Since after merging extent maps we don't attempt to merge again, that is, merge the resulting extent map with the one that is now preceding it (and the one following it), we end up with those two extent maps, when we could have had a single extent map to represent the whole file. Fix this by making mergeable_maps() ignore the EXTENT_MAP_MERGED flag. While this doesn't present any functional issue, it prevents the merging of extent maps which allows to save memory, and can make defrag not merging extents too (that will be addressed in the next patch). Fixes: 199257a78bb0 ("btrfs: defrag: don't use merged extent map for their generation check") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 26b8c48f369b7591f5679e0b90612f4862a32929 Author: Jens Axboe Date: Thu Oct 31 08:05:44 2024 -0600 io_uring/rw: fix missing NOWAIT check for O_DIRECT start write [ Upstream commit 1d60d74e852647255bd8e76f5a22dc42531e4389 ] When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user. Cc: stable@vger.kernel.org # 5.10+ Reported-by: Peter Mann Link: https://lore.kernel.org/io-uring/38c94aec-81c9-4f62-b44e-1d87f5597644@sh.cz Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 588df3561e4b705eb122d8af9bbe172b8c7967b3 Author: Matthew Brost Date: Fri Oct 25 14:43:29 2024 -0700 drm/xe: Don't short circuit TDR on jobs not started [ Upstream commit fe05cee4d9533892210e1ee90147175d87e7c053 ] Short circuiting TDR on jobs not started is an optimization which is not required. On LNL we are facing an issue where jobs do not get scheduled by the GuC if it misses a GGTT page update. When this occurs let the TDR fire, toggle the scheduling which may get the job unstuck, and print a warning message. If the TDR fires twice on job that hasn't started, timeout the job. v2: - Add warning message (Paulo) - Add fixes tag (Paulo) - Timeout job which hasn't started after TDR firing twice v3: - Include local change v4: - Short circuit check_timeout on job not started - use warn level rather than notice (Paulo) Fixes: 7ddb9403dd74 ("drm/xe: Sample ctx timestamp to determine if jobs have timed out") Cc: stable@vger.kernel.org Cc: Paulo Zanoni Signed-off-by: Matthew Brost Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20241025214330.2010521-2-matthew.brost@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit 35d25a4a0012e690ef0cc4c5440231176db595cc) Signed-off-by: Lucas De Marchi Signed-off-by: Sasha Levin commit f1316b6ee3f2e52940af7df26f0eb73ccfbedc2f Author: Matthew Brost Date: Wed Oct 23 15:12:00 2024 -0700 drm/xe: Add mmio read before GGTT invalidate [ Upstream commit 993ca0eccec65a2cacc3cefb15d35ffadc6f00fb ] On LNL without a mmio read before a GGTT invalidate the GuC can incorrectly read the GGTT scratch page upon next access leading to jobs not getting scheduled. A mmio read before a GGTT invalidate seems to fix this. Since a GGTT invalidate is not a hot code path, blindly do a mmio read before each GGTT invalidate. Cc: John Harrison Cc: Daniele Ceraolo Spurio Cc: Thomas Hellström Cc: Lucas De Marchi Cc: stable@vger.kernel.org Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Reported-by: Paulo Zanoni Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3164 Signed-off-by: Matthew Brost Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20241023221200.1797832-1-matthew.brost@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit 5a710196883e0ac019ac6df2a6d79c16ad3c32fa) [ Fix conflict with mmio vs gt argument ] Signed-off-by: Lucas De Marchi Signed-off-by: Sasha Levin commit 23709e6f586c3b06169b78d413326b0d39ff121b Author: Michal Wajdeczko Date: Tue Jul 2 20:37:03 2024 +0200 drm/xe: Kill regs/xe_sriov_regs.h [ Upstream commit 466a6c3855cf00653c14a92a6e9f8ae50077b77d ] There is no real benefit to maintain a separate file. The register definitions related to SR-IOV can be placed in existing headers. Signed-off-by: Michal Wajdeczko Reviewed-by: Matt Roper Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20240702183704.1022-3-michal.wajdeczko@intel.com Stable-dep-of: 993ca0eccec6 ("drm/xe: Add mmio read before GGTT invalidate") Signed-off-by: Sasha Levin commit 26571eb692f47dd0a99470565da64f95a7b07d8b Author: Michal Wajdeczko Date: Tue Jul 2 20:37:02 2024 +0200 drm/xe: Fix register definition order in xe_regs.h [ Upstream commit 9dae9751c7b0086963f5cbb82424b5e4cf58f123 ] Swap XEHP_CLOCK_GATE_DIS(0x101014) with GU_DEBUG(x101018). Signed-off-by: Michal Wajdeczko Reviewed-by: Matt Roper Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20240702183704.1022-2-michal.wajdeczko@intel.com Stable-dep-of: 993ca0eccec6 ("drm/xe: Add mmio read before GGTT invalidate") Signed-off-by: Sasha Levin commit 3bc3fae8a0f22e0e713729b50e2111f6a8c64724 Author: Jinjie Ruan Date: Wed Oct 30 10:35:04 2024 +0800 drm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic() [ Upstream commit add4163aca0d4a86e9fe4aa513865e4237db8aef ] modprobe drm_hdmi_state_helper_test and then rmmod it, the following memory leak occurs. The `mode` allocated in drm_mode_duplicate() called by drm_display_mode_from_cea_vic() is not freed, which cause the memory leak: unreferenced object 0xffffff80ccd18100 (size 128): comm "kunit_try_catch", pid 1851, jiffies 4295059695 hex dump (first 32 bytes): 57 62 00 00 80 02 90 02 f0 02 20 03 00 00 e0 01 Wb........ ..... ea 01 ec 01 0d 02 00 00 0a 00 00 00 00 00 00 00 ................ backtrace (crc c2f1aa95): [<000000000f10b11b>] kmemleak_alloc+0x34/0x40 [<000000001cd4cf73>] __kmalloc_cache_noprof+0x26c/0x2f4 [<00000000f1f3cffa>] drm_mode_duplicate+0x44/0x19c [<000000008cbeef13>] drm_display_mode_from_cea_vic+0x88/0x98 [<0000000019daaacf>] 0xffffffedc11ae69c [<000000000aad0f85>] kunit_try_run_case+0x13c/0x3ac [<00000000a9210bac>] kunit_generic_run_threadfn_adapter+0x80/0xec [<000000000a0b2e9e>] kthread+0x2e8/0x374 [<00000000bd668858>] ret_from_fork+0x10/0x20 ...... Free `mode` by using drm_kunit_display_mode_from_cea_vic() to fix it. Cc: stable@vger.kernel.org Fixes: 4af70f19e559 ("drm/tests: Add RGB Quantization tests") Acked-by: Maxime Ripard Signed-off-by: Jinjie Ruan Link: https://patchwork.freedesktop.org/patch/msgid/20241030023504.530425-4-ruanjinjie@huawei.com Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit df2b00685cd33cd85be8910c7d6d22c4ebbf18bb Author: Jinjie Ruan Date: Wed Oct 30 10:35:03 2024 +0800 drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic() [ Upstream commit 926163342a2e7595d950e84c17c693b1272bd491 ] modprobe drm_connector_test and then rmmod drm_connector_test, the following memory leak occurs. The `mode` allocated in drm_mode_duplicate() called by drm_display_mode_from_cea_vic() is not freed, which cause the memory leak: unreferenced object 0xffffff80cb0ee400 (size 128): comm "kunit_try_catch", pid 1948, jiffies 4294950339 hex dump (first 32 bytes): 14 44 02 00 80 07 d8 07 04 08 98 08 00 00 38 04 .D............8. 3c 04 41 04 65 04 00 00 05 00 00 00 00 00 00 00 <.A.e........... backtrace (crc 90e9585c): [<00000000ec42e3d7>] kmemleak_alloc+0x34/0x40 [<00000000d0ef055a>] __kmalloc_cache_noprof+0x26c/0x2f4 [<00000000c2062161>] drm_mode_duplicate+0x44/0x19c [<00000000f96c74aa>] drm_display_mode_from_cea_vic+0x88/0x98 [<00000000d8f2c8b4>] 0xffffffdc982a4868 [<000000005d164dbc>] kunit_try_run_case+0x13c/0x3ac [<000000006fb23398>] kunit_generic_run_threadfn_adapter+0x80/0xec [<000000006ea56ca0>] kthread+0x2e8/0x374 [<000000000676063f>] ret_from_fork+0x10/0x20 ...... Free `mode` by using drm_kunit_display_mode_from_cea_vic() to fix it. Cc: stable@vger.kernel.org Fixes: abb6f74973e2 ("drm/tests: Add HDMI TDMS character rate tests") Acked-by: Maxime Ripard Signed-off-by: Jinjie Ruan Link: https://patchwork.freedesktop.org/patch/msgid/20241030023504.530425-3-ruanjinjie@huawei.com Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit cafe828b77d8ea3509aab86358406459e0fddc24 Author: Jinjie Ruan Date: Wed Oct 30 10:35:02 2024 +0800 drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() [ Upstream commit caa714f86699bcfb01aa2d698db12d91af7d0d81 ] As Maxime suggested, add a new helper drm_kunit_display_mode_from_cea_vic(), it can replace the direct call of drm_display_mode_from_cea_vic(), and it will help solving the `mode` memory leaks. Acked-by: Maxime Ripard Suggested-by: Maxime Ripard Signed-off-by: Jinjie Ruan Link: https://patchwork.freedesktop.org/patch/msgid/20241030023504.530425-2-ruanjinjie@huawei.com Signed-off-by: Maxime Ripard Stable-dep-of: 926163342a2e ("drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic()") Signed-off-by: Sasha Levin commit 9209553e904c501715fef50966d188849ab068c1 Author: Andrey Konovalov Date: Tue Oct 22 18:07:06 2024 +0200 kasan: remove vmalloc_percpu test [ Upstream commit 330d8df81f3673d6fb74550bbc9bb159d81b35f7 ] Commit 1a2473f0cbc0 ("kasan: improve vmalloc tests") added the vmalloc_percpu KASAN test with the assumption that __alloc_percpu always uses vmalloc internally, which is tagged by KASAN. However, __alloc_percpu might allocate memory from the first per-CPU chunk, which is not allocated via vmalloc(). As a result, the test might fail. Remove the test until proper KASAN annotation for the per-CPU allocated are added; tracked in https://bugzilla.kernel.org/show_bug.cgi?id=215019. Link: https://lkml.kernel.org/r/20241022160706.38943-1-andrey.konovalov@linux.dev Fixes: 1a2473f0cbc0 ("kasan: improve vmalloc tests") Signed-off-by: Andrey Konovalov Reported-by: Samuel Holland Link: https://lore.kernel.org/all/4a245fff-cc46-44d1-a5f9-fd2f1c3764ae@sifive.com/ Reported-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/all/CACzwLxiWzNqPBp4C1VkaXZ2wDwvY3yZeetCi1TLGFipKW77drA@mail.gmail.com/ Cc: Alexander Potapenko Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Marco Elver Cc: Sabyrzhan Tasbolatov Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 45cb1e53ea36a9d29c2a3a87d6966e5e3011da52 Author: Keith Busch Date: Mon Oct 28 13:45:46 2024 -0700 nvme: re-fix error-handling for io_uring nvme-passthrough [ Upstream commit 5eed4fb274cd6579f2fb4190b11c4c86c553cd06 ] This was previously fixed with commit 1147dd0503564fa0e0348 ("nvme: fix error-handling for io_uring nvme-passthrough"), but the change was mistakenly undone in a later commit. Fixes: d6aacee9255e7f ("nvme: use bio_integrity_map_user") Cc: stable@vger.kernel.org Reported-by: Jens Axboe Reviewed-by: Christoph Hellwig Reviewed-by: Anuj Gupta Reviewed-by: Kanchan Joshi Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit e61bd51e44409495d75847e9230736593e4c8710 Author: Vitaliy Shevtsov Date: Mon Sep 16 22:41:37 2024 +0500 nvmet-auth: assign dh_key to NULL after kfree_sensitive [ Upstream commit d2f551b1f72b4c508ab9298419f6feadc3b5d791 ] ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup() for the same controller. So it's better to nullify it after release on error path in order to avoid double free later in nvmet_destroy_auth(). Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: 7a277c37d352 ("nvmet-auth: Diffie-Hellman key exchange support") Cc: stable@vger.kernel.org Signed-off-by: Vitaliy Shevtsov Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit cc4e80f047b881a7f44c9adb3f2d2ebec18c2823 Author: Christoffer Sandberg Date: Tue Oct 29 16:16:53 2024 +0100 ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 [ Upstream commit e49370d769e71456db3fbd982e95bab8c69f73e8 ] Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg Signed-off-by: Werner Sembach Cc: Link: https://patch.msgid.link/20241029151653.80726-2-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 905560781394f91ff09ad71974ecfb78c9d7cc6e Author: Christoffer Sandberg Date: Tue Oct 29 16:16:52 2024 +0100 ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 [ Upstream commit 0b04fbe886b4274c8e5855011233aaa69fec6e75 ] Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg Signed-off-by: Werner Sembach Cc: Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit a023408925acd64db5c8980373fcb3e28ec6fd29 Author: Christoph Hellwig Date: Wed Oct 23 15:37:22 2024 +0200 xfs: fix finding a last resort AG in xfs_filestream_pick_ag [ Upstream commit dc60992ce76fbc2f71c2674f435ff6bde2108028 ] When the main loop in xfs_filestream_pick_ag fails to find a suitable AG it tries to just pick the online AG. But the loop for that uses args->pag as loop iterator while the later code expects pag to be set. Fix this by reusing the max_pag case for this last resort, and also add a check for impossible case of no AG just to make sure that the uninitialized pag doesn't even escape in theory. Reported-by: syzbot+4125a3c514e3436a02e6@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig Tested-by: syzbot+4125a3c514e3436a02e6@syzkaller.appspotmail.com Fixes: f8f1ed1ab3baba ("xfs: return a referenced perag from filestreams allocator") Cc: # v6.3 Reviewed-by: Darrick J. Wong Signed-off-by: Carlos Maiolino Signed-off-by: Sasha Levin commit 5f7adcc3f935aa31b552eedd1ffe7b88ae0d8752 Author: Andrzej Kacprowski Date: Thu Oct 17 16:49:58 2024 +0200 accel/ivpu: Fix NOC firewall interrupt handling [ Upstream commit 72f7e16eccddde99386a10eb2d08833e805917c6 ] The NOC firewall interrupt means that the HW prevented unauthorized access to a protected resource, so there is no need to trigger device reset in such case. To facilitate security testing add firewall_irq_counter debugfs file that tracks firewall interrupts. Fixes: 8a27ad81f7d3 ("accel/ivpu: Split IP and buttress code") Cc: stable@vger.kernel.org # v6.11+ Signed-off-by: Andrzej Kacprowski Reviewed-by: Jacek Lawrynowicz Reviewed-by: Jeffrey Hugo Signed-off-by: Jacek Lawrynowicz Link: https://patchwork.freedesktop.org/patch/msgid/20241017144958.79327-1-jacek.lawrynowicz@linux.intel.com Signed-off-by: Sasha Levin commit 47a83f8df39545f3f552bb6a1b6d9c30e37621dd Author: Zhihao Cheng Date: Mon Oct 21 22:02:15 2024 +0800 btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() [ Upstream commit aec8e6bf839101784f3ef037dcdb9432c3f32343 ] Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger an UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details: 1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV): / btrfs_device_1 → loop0 fs_device \ btrfs_device_2 → loop1 2. mount /dev/loop0 /mnt btrfs_open_devices btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0) btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree fail: btrfs_close_devices // -ENOMEM btrfs_close_bdev(btrfs_device_1) fput(btrfs_device_1->bdev_file) // btrfs_device_1->bdev_file is freed btrfs_close_bdev(btrfs_device_2) fput(btrfs_device_2->bdev_file) 3. mount /dev/loop1 /mnt btrfs_open_devices btrfs_get_bdev_and_sb(&bdev_file) // EIO, btrfs_device_1->bdev_file is not assigned, // which points to a freed memory area btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree btrfs_free_extra_devids if (btrfs_device_1->bdev_file) fput(btrfs_device_1->bdev_file) // UAF ! Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device(). Fixes: 142388194191 ("btrfs: do not background blkdev_put()") CC: stable@vger.kernel.org # 4.19+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=219408 Signed-off-by: Zhihao Cheng Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 8c222adadc1612e4f097688875962a28e3f5ab44 Author: Matt Johnston Date: Tue Oct 22 18:25:14 2024 +0800 mctp i2c: handle NULL header address [ Upstream commit 01e215975fd80af81b5b79f009d49ddd35976c13 ] daddr can be NULL if there is no neighbour table entry present, in that case the tx packet should be dropped. saddr will usually be set by MCTP core, but check for NULL in case a packet is transmitted by a different protocol. Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") Cc: stable@vger.kernel.org Reported-by: Dung Cao Signed-off-by: Matt Johnston Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241022-mctp-i2c-null-dest-v3-1-e929709956c5@codeconstruct.com.au Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit dc9031b7919bd346514ea9a720f433b8daf3970d Author: Gregory Price Date: Thu Oct 17 15:03:47 2024 -0400 resource,kexec: walk_system_ram_res_rev must retain resource flags [ Upstream commit b125a0def25a082ae944c9615208bf359abdb61c ] walk_system_ram_res_rev() erroneously discards resource flags when passing the information to the callback. This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have these resources selected during kexec to store kexec buffers if that memory happens to be at placed above normal system ram. This leads to undefined behavior after reboot. If the kexec buffer is never touched, nothing happens. If the kexec buffer is touched, it could lead to a crash (like below) or undefined behavior. Tested on a system with CXL memory expanders with driver managed memory, TPM enabled, and CONFIG_IMA_KEXEC=y. Adding printk's showed the flags were being discarded and as a result the check for IORESOURCE_SYSRAM_DRIVER_MANAGED passes. find_next_iomem_res: name(System RAM (kmem)) start(10000000000) end(1034fffffff) flags(83000200) locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0) [.] BUG: unable to handle page fault for address: ffff89834ffff000 [.] #PF: supervisor read access in kernel mode [.] #PF: error_code(0x0000) - not-present page [.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0 [.] Oops: 0000 [#1] SMP [.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0 [.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286 [.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000 [.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018 [.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900 [.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000 [.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000 [.] FS: 0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000 [.] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [.] ata5: SATA link down (SStatus 0 SControl 300) [.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0 [.] PKRU: 55555554 [.] Call Trace: [.] [.] ? __die+0x78/0xc0 [.] ? page_fault_oops+0x2a8/0x3a0 [.] ? exc_page_fault+0x84/0x130 [.] ? asm_exc_page_fault+0x22/0x30 [.] ? ima_restore_measurement_list+0x95/0x4b0 [.] ? template_desc_init_fields+0x317/0x410 [.] ? crypto_alloc_tfm_node+0x9c/0xc0 [.] ? init_ima_lsm+0x30/0x30 [.] ima_load_kexec_buffer+0x72/0xa0 [.] ima_init+0x44/0xa0 [.] __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0 [.] ? init_ima_lsm+0x30/0x30 [.] do_one_initcall+0xad/0x200 [.] ? idr_alloc_cyclic+0xaa/0x110 [.] ? new_slab+0x12c/0x420 [.] ? new_slab+0x12c/0x420 [.] ? number+0x12a/0x430 [.] ? sysvec_apic_timer_interrupt+0xa/0x80 [.] ? asm_sysvec_apic_timer_interrupt+0x16/0x20 [.] ? parse_args+0xd4/0x380 [.] ? parse_args+0x14b/0x380 [.] kernel_init_freeable+0x1c1/0x2b0 [.] ? rest_init+0xb0/0xb0 [.] kernel_init+0x16/0x1a0 [.] ret_from_fork+0x2f/0x40 [.] ? rest_init+0xb0/0xb0 [.] ret_from_fork_asm+0x11/0x20 [.] Link: https://lore.kernel.org/all/20231114091658.228030-1-bhe@redhat.com/ Link: https://lkml.kernel.org/r/20241017190347.5578-1-gourry@gourry.net Fixes: 7acf164b259d ("resource: add walk_system_ram_res_rev()") Signed-off-by: Gregory Price Reviewed-by: Dan Williams Acked-by: Baoquan He Cc: AKASHI Takahiro Cc: Andy Shevchenko Cc: Bjorn Helgaas Cc: "Huang, Ying" Cc: Ilpo Järvinen Cc: Mika Westerberg Cc: Thomas Gleixner Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 0b6b8c2055784261de3fb641c5d0d63964318e8f Author: Edward Adam Davis Date: Wed Oct 16 19:43:47 2024 +0800 ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow [ Upstream commit bc0a2f3a73fcdac651fca64df39306d1e5ebe3b0 ] Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are two reasons for this: first, the parameter value passed is greater than ocfs2_max_inline_data_with_xattr, second, the start and end parameters of ocfs2_truncate_inline are "unsigned int". So, we need to add a sanity check for byte_start and byte_len right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater than ocfs2_max_inline_data_with_xattr return -EINVAL. Link: https://lkml.kernel.org/r/tencent_D48DB5122ADDAEDDD11918CFB68D93258C07@qq.com Fixes: 1afc32b95233 ("ocfs2: Write support for inline data") Signed-off-by: Edward Adam Davis Reported-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7 Reviewed-by: Joseph Qi Cc: Joel Becker Cc: Joseph Qi Cc: Mark Fasheh Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 9f97fb4ce4bea94f921a7ef6eb330c7c33331d55 Author: Sabyrzhan Tasbolatov Date: Wed Oct 16 20:24:07 2024 +0500 x86/traps: move kmsan check after instrumentation_begin [ Upstream commit 1db272864ff250b5e607283eaec819e1186c8e26 ] During x86_64 kernel build with CONFIG_KMSAN, the objtool warns following: AR built-in.a AR vmlinux.a LD vmlinux.o vmlinux.o: warning: objtool: handle_bug+0x4: call to kmsan_unpoison_entry_regs() leaves .noinstr.text section OBJCOPY modules.builtin.modinfo GEN modules.builtin MODPOST Module.symvers CC .vmlinux.export.o Moving kmsan_unpoison_entry_regs() _after_ instrumentation_begin() fixes the warning. There is decode_bug(regs->ip, &imm) is left before KMSAN unpoisoining, but it has the return condition and if we include it after instrumentation_begin() it results the warning "return with instrumentation enabled", hence, I'm concerned that regs will not be KMSAN unpoisoned if `ud_type == BUG_NONE` is true. Link: https://lkml.kernel.org/r/20241016152407.3149001-1-snovitoll@gmail.com Fixes: ba54d194f8da ("x86/traps: avoid KMSAN bugs originating from handle_bug()") Signed-off-by: Sabyrzhan Tasbolatov Reviewed-by: Alexander Potapenko Cc: Borislav Petkov (AMD) Cc: Dave Hansen Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 1c46de5046b56509958ede26e76324ed508f39c3 Author: Gatlin Newhouse Date: Wed Jul 24 00:01:55 2024 +0000 x86/traps: Enable UBSAN traps on x86 [ Upstream commit 7424fc6b86c8980a87169e005f5cd4438d18efe6 ] Currently ARM64 extracts which specific sanitizer has caused a trap via encoded data in the trap instruction. Clang on x86 currently encodes the same data in the UD1 instruction but x86 handle_bug() and is_valid_bugaddr() currently only look at UD2. Bring x86 to parity with ARM64, similar to commit 25b84002afb9 ("arm64: Support Clang UBSAN trap codes for better reporting"). See the llvm links for information about the code generation. Enable the reporting of UBSAN sanitizer details on x86 compiled with clang when CONFIG_UBSAN_TRAP=y by analysing UD1 and retrieving the type immediate which is encoded by the compiler after the UD1. [ tglx: Simplified it by moving the printk() into handle_bug() ] Signed-off-by: Gatlin Newhouse Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: Kees Cook Link: https://lore.kernel.org/all/20240724000206.451425-1-gatlin.newhouse@gmail.com Link: https://github.com/llvm/llvm-project/commit/c5978f42ec8e9#diff-bb68d7cd885f41cfc35843998b0f9f534adb60b415f647109e597ce448e92d9f Link: https://github.com/llvm/llvm-project/blob/main/llvm/lib/Target/X86/X86InstrSystem.td#L27 Stable-dep-of: 1db272864ff2 ("x86/traps: move kmsan check after instrumentation_begin") Signed-off-by: Sasha Levin commit d0fdacfb85a3e1223b894cc6e60091ec91049e9e Author: Matt Fleming Date: Fri Oct 11 13:07:37 2024 +0100 mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves [ Upstream commit 281dd25c1a018261a04d1b8bf41a0674000bfe38 ] Under memory pressure it's possible for GFP_ATOMIC order-0 allocations to fail even though free pages are available in the highatomic reserves. GFP_ATOMIC allocations cannot trigger unreserve_highatomic_pageblock() since it's only run from reclaim. Given that such allocations will pass the watermarks in __zone_watermark_unusable_free(), it makes sense to fallback to highatomic reserves the same way that ALLOC_OOM can. This fixes order-0 page allocation failures observed on Cloudflare's fleet when handling network packets: kswapd1: page allocation failure: order:0, mode:0x820(GFP_ATOMIC), nodemask=(null),cpuset=/,mems_allowed=0-7 CPU: 10 PID: 696 Comm: kswapd1 Kdump: loaded Tainted: G O 6.6.43-CUSTOM #1 Hardware name: MACHINE Call Trace: dump_stack_lvl+0x3c/0x50 warn_alloc+0x13a/0x1c0 __alloc_pages_slowpath.constprop.0+0xc9d/0xd10 __alloc_pages+0x327/0x340 __napi_alloc_skb+0x16d/0x1f0 bnxt_rx_page_skb+0x96/0x1b0 [bnxt_en] bnxt_rx_pkt+0x201/0x15e0 [bnxt_en] __bnxt_poll_work+0x156/0x2b0 [bnxt_en] bnxt_poll+0xd9/0x1c0 [bnxt_en] __napi_poll+0x2b/0x1b0 bpf_trampoline_6442524138+0x7d/0x1000 __napi_poll+0x5/0x1b0 net_rx_action+0x342/0x740 handle_softirqs+0xcf/0x2b0 irq_exit_rcu+0x6c/0x90 sysvec_apic_timer_interrupt+0x72/0x90 [mfleming@cloudflare.com: update comment] Link: https://lkml.kernel.org/r/20241015125158.3597702-1-matt@readmodwrite.com Link: https://lkml.kernel.org/r/20241011120737.3300370-1-matt@readmodwrite.com Link: https://lore.kernel.org/all/CAGis_TWzSu=P7QJmjD58WWiu3zjMTVKSzdOwWE8ORaGytzWJwQ@mail.gmail.com/ Fixes: 1d91df85f399 ("mm/page_alloc: handle a missing case for memalloc_nocma_{save/restore} APIs") Signed-off-by: Matt Fleming Suggested-by: Vlastimil Babka Reviewed-by: Vlastimil Babka Cc: Mel Gorman Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 3b85aa0da8cd01173b9afd1f70080fbb9576c4b0 Author: Lorenzo Stoakes Date: Tue Oct 15 18:56:06 2024 +0100 fork: only invoke khugepaged, ksm hooks if no error [ Upstream commit 985da552a98e27096444508ce5d853244019111f ] There is no reason to invoke these hooks early against an mm that is in an incomplete state. The change in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") makes this more pertinent as we may be in a state where entries in the maple tree are not yet consistent. Their placement early in dup_mmap() only appears to have been meaningful for early error checking, and since functionally it'd require a very small allocation to fail (in practice 'too small to fail') that'd only occur in the most dire circumstances, meaning the fork would fail or be OOM'd in any case. Since both khugepaged and KSM tracking are there to provide optimisations to memory performance rather than critical functionality, it doesn't really matter all that much if, under such dire memory pressure, we fail to register an mm with these. As a result, we follow the example of commit d2081b2bf819 ("mm: khugepaged: make khugepaged_enter() void function") and make ksm_fork() a void function also. We only expose the mm to these functions once we are done with them and only if no error occurred in the fork operation. Link: https://lkml.kernel.org/r/e0cb8b840c9d1d5a6e84d4f8eff5f3f2022aa10c.1729014377.git.lorenzo.stoakes@oracle.com Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Lorenzo Stoakes Reported-by: Jann Horn Reviewed-by: Liam R. Howlett Reviewed-by: Vlastimil Babka Reviewed-by: Jann Horn Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: Linus Torvalds Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 92b472945dbf8abc020e9259c0088026f7027dfc Author: Lorenzo Stoakes Date: Tue Oct 15 18:56:05 2024 +0100 fork: do not invoke uffd on fork if error occurs [ Upstream commit f64e67e5d3a45a4a04286c47afade4b518acd47b ] Patch series "fork: do not expose incomplete mm on fork". During fork we may place the virtual memory address space into an inconsistent state before the fork operation is complete. In addition, we may encounter an error during the fork operation that indicates that the virtual memory address space is invalidated. As a result, we should not be exposing it in any way to external machinery that might interact with the mm or VMAs, machinery that is not designed to deal with incomplete state. We specifically update the fork logic to defer khugepaged and ksm to the end of the operation and only to be invoked if no error arose, and disallow uffd from observing fork events should an error have occurred. This patch (of 2): Currently on fork we expose the virtual address space of a process to userland unconditionally if uffd is registered in VMAs, regardless of whether an error arose in the fork. This is performed in dup_userfaultfd_complete() which is invoked unconditionally, and performs two duties - invoking registered handlers for the UFFD_EVENT_FORK event via dup_fctx(), and clearing down userfaultfd_fork_ctx objects established in dup_userfaultfd(). This is problematic, because the virtual address space may not yet be correctly initialised if an error arose. The change in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") makes this more pertinent as we may be in a state where entries in the maple tree are not yet consistent. We address this by, on fork error, ensuring that we roll back state that we would otherwise expect to clean up through the event being handled by userland and perform the memory freeing duty otherwise performed by dup_userfaultfd_complete(). We do this by implementing a new function, dup_userfaultfd_fail(), which performs the same loop, only decrementing reference counts. Note that we perform mmgrab() on the parent and child mm's, however userfaultfd_ctx_put() will mmdrop() this once the reference count drops to zero, so we will avoid memory leaks correctly here. Link: https://lkml.kernel.org/r/cover.1729014377.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/d3691d58bb58712b6fb3df2be441d175bd3cdf07.1729014377.git.lorenzo.stoakes@oracle.com Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Lorenzo Stoakes Reported-by: Jann Horn Reviewed-by: Jann Horn Reviewed-by: Liam R. Howlett Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: Linus Torvalds Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 78b98b6e5686f54846f25b6a182568bdf0d66465 Author: Alexander Usyskin Date: Tue Oct 15 15:31:57 2024 +0300 mei: use kvmalloc for read buffer [ Upstream commit 4adf613e01bf99e1739f6ff3e162ad5b7d578d1a ] Read buffer is allocated according to max message size, reported by the firmware and may reach 64K in systems with pxp client. Contiguous 64k allocation may fail under memory pressure. Read buffer is used as in-driver message storage and not required to be contiguous. Use kvmalloc to allow kernel to allocate non-contiguous memory. Fixes: 3030dc056459 ("mei: add wrapper for queuing control commands.") Cc: stable Reported-by: Rohit Agarwal Closes: https://lore.kernel.org/all/20240813084542.2921300-1-rohiagar@chromium.org/ Tested-by: Brian Geffon Signed-off-by: Alexander Usyskin Acked-by: Tomas Winkler Link: https://lore.kernel.org/r/20241015123157.2337026-1-alexander.usyskin@intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 494eb22f9a7bd03783e60595a57611c209175f1a Author: Matthieu Baerts (NGI0) Date: Mon Oct 21 12:25:26 2024 +0200 mptcp: init: protect sched with rcu_read_lock [ Upstream commit 3deb12c788c385e17142ce6ec50f769852fcec65 ] Enabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERT creates this splat when an MPTCP socket is created: ============================= WARNING: suspicious RCU usage 6.12.0-rc2+ #11 Not tainted ----------------------------- net/mptcp/sched.c:44 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 no locks held by mptcp_connect/176. stack backtrace: CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack_lvl (lib/dump_stack.c:123) lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) mptcp_sched_find (net/mptcp/sched.c:44 (discriminator 7)) mptcp_init_sock (net/mptcp/protocol.c:2867 (discriminator 1)) ? sock_init_data_uid (arch/x86/include/asm/atomic.h:28) inet_create.part.0.constprop.0 (net/ipv4/af_inet.c:386) ? __sock_create (include/linux/rcupdate.h:347 (discriminator 1)) __sock_create (net/socket.c:1576) __sys_socket (net/socket.c:1671) ? __pfx___sys_socket (net/socket.c:1712) ? do_user_addr_fault (arch/x86/mm/fault.c:1419 (discriminator 1)) __x64_sys_socket (net/socket.c:1728) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) That's because when the socket is initialised, rcu_read_lock() is not used despite the explicit comment written above the declaration of mptcp_sched_find() in sched.c. Adding the missing lock/unlock avoids the warning. Fixes: 1730b2b2c5a5 ("mptcp: add sched in mptcp_sock") Cc: stable@vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/523 Reviewed-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241021-net-mptcp-sched-lock-v1-1-637759cf061c@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e693eb002e17ef0444612731f24adc8446ea87d9 Author: Jarkko Sakkinen Date: Mon Oct 28 07:50:01 2024 +0200 tpm: Lazily flush the auth session [ Upstream commit df745e25098dcb2f706399c0d06dd8d1bab6b6ec ] Move the allocation of chip->auth to tpm2_start_auth_session() so that this field can be used as flag to tell whether auth session is active or not. Instead of flushing and reloading the auth session for every transaction separately, keep the session open unless /dev/tpm0 is used. Reported-by: Pengyu Ma Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable@vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma Tested-by: Stefan Berger Reviewed-by: Stefan Berger Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit ddb0615a681f19a39477a8f358e2923e5a1df981 Author: Alex Deucher Date: Wed Oct 23 09:13:21 2024 -0400 drm/amdgpu/smu13: fix profile reporting [ Upstream commit 935abb86a95def8c20dbb184ce30051db168e541 ] The following 3 commits landed in parallel: commit d7d2688bf4ea ("drm/amd/pm: update workload mask after the setting") commit 7a1613e47e65 ("drm/amdgpu/smu13: always apply the powersave optimization") commit 7c210ca5a2d7 ("drm/amdgpu: handle default profile on on devices without fullscreen 3D") While everything is set correctly, this caused the profile to be reported incorrectly because both the powersave and fullscreen3d bits were set in the mask and when the driver prints the profile, it looks for the first bit set. Fixes: d7d2688bf4ea ("drm/amd/pm: update workload mask after the setting") Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher (cherry picked from commit ecfe9b237687a55d596fff0650ccc8cc455edd3f) Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit f8fd9f0d57af4f8f48b383ec28287af85b47cb9f Author: Tvrtko Ursulin Date: Fri Oct 25 15:56:39 2024 +0100 drm/amd/pm: Vangogh: Fix kernel memory out of bounds write [ Upstream commit 4aa923a6e6406b43566ef6ac35a3d9a3197fa3e8 ] KASAN reports that the GPU metrics table allocated in vangogh_tables_init() is not large enough for the memset done in smu_cmn_init_soft_gpu_metrics(). Condensed report follows: [ 33.861314] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu] [ 33.861799] Write of size 168 at addr ffff888129f59500 by task mangoapp/1067 ... [ 33.861808] CPU: 6 UID: 1000 PID: 1067 Comm: mangoapp Tainted: G W 6.12.0-rc4 #356 1a56f59a8b5182eeaf67eb7cb8b13594dd23b544 [ 33.861816] Tainted: [W]=WARN [ 33.861818] Hardware name: Valve Galileo/Galileo, BIOS F7G0107 12/01/2023 [ 33.861822] Call Trace: [ 33.861826] [ 33.861829] dump_stack_lvl+0x66/0x90 [ 33.861838] print_report+0xce/0x620 [ 33.861853] kasan_report+0xda/0x110 [ 33.862794] kasan_check_range+0xfd/0x1a0 [ 33.862799] __asan_memset+0x23/0x40 [ 33.862803] smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.863306] vangogh_get_gpu_metrics_v2_4+0x123/0xad0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.864257] vangogh_common_get_gpu_metrics+0xb0c/0xbc0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.865682] amdgpu_dpm_get_gpu_metrics+0xcc/0x110 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.866160] amdgpu_get_gpu_metrics+0x154/0x2d0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.867135] dev_attr_show+0x43/0xc0 [ 33.867147] sysfs_kf_seq_show+0x1f1/0x3b0 [ 33.867155] seq_read_iter+0x3f8/0x1140 [ 33.867173] vfs_read+0x76c/0xc50 [ 33.867198] ksys_read+0xfb/0x1d0 [ 33.867214] do_syscall_64+0x90/0x160 ... [ 33.867353] Allocated by task 378 on cpu 7 at 22.794876s: [ 33.867358] kasan_save_stack+0x33/0x50 [ 33.867364] kasan_save_track+0x17/0x60 [ 33.867367] __kasan_kmalloc+0x87/0x90 [ 33.867371] vangogh_init_smc_tables+0x3f9/0x840 [amdgpu] [ 33.867835] smu_sw_init+0xa32/0x1850 [amdgpu] [ 33.868299] amdgpu_device_init+0x467b/0x8d90 [amdgpu] [ 33.868733] amdgpu_driver_load_kms+0x19/0xf0 [amdgpu] [ 33.869167] amdgpu_pci_probe+0x2d6/0xcd0 [amdgpu] [ 33.869608] local_pci_probe+0xda/0x180 [ 33.869614] pci_device_probe+0x43f/0x6b0 Empirically we can confirm that the former allocates 152 bytes for the table, while the latter memsets the 168 large block. Root cause appears that when GPU metrics tables for v2_4 parts were added it was not considered to enlarge the table to fit. The fix in this patch is rather "brute force" and perhaps later should be done in a smarter way, by extracting and consolidating the part version to size logic to a common helper, instead of brute forcing the largest possible allocation. Nevertheless, for now this works and fixes the out of bounds write. v2: * Drop impossible v3_0 case. (Mario) Signed-off-by: Tvrtko Ursulin Fixes: 41cec40bc9ba ("drm/amd/pm: Vangogh: Add new gpu_metrics_v2_4 to acquire gpu_metrics") Cc: Mario Limonciello Cc: Evan Quan Cc: Wenyou Yang Cc: Alex Deucher Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20241025145639.19124-1-tursulin@igalia.com Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher (cherry picked from commit 0880f58f9609f0200483a49429af0f050d281703) Cc: stable@vger.kernel.org # v6.6+ Signed-off-by: Sasha Levin commit 294984ce51c19c2af3d0d71e1c8bd589bc86b8e2 Author: Jarkko Sakkinen Date: Mon Oct 28 07:50:00 2024 +0200 tpm: Rollback tpm2_load_null() [ Upstream commit cc7d8594342a25693d40fe96f97e5c6c29ee609c ] Do not continue on tpm2_create_primary() failure in tpm2_load_null(). Cc: stable@vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Reviewed-by: Stefan Berger Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 95284db1ee8abc5f7758be2dbb29d7844cb92051 Author: Jarkko Sakkinen Date: Mon Oct 28 07:49:59 2024 +0200 tpm: Return tpm2_sessions_init() when null key creation fails [ Upstream commit d658d59471ed80c4a8aaf082ccc3e83cdf5ae4c1 ] Do not continue tpm2_sessions_init() further if the null key pair creation fails. Cc: stable@vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Reviewed-by: Stefan Berger Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 3a303409f271dfe0987b8f79595138340497a32d Author: Hugh Dickins Date: Sun Oct 27 15:23:23 2024 -0700 iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP [ Upstream commit c749d9b7ebbc5716af7a95f7768634b30d9446ec ] generic/077 on x86_32 CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP=y with highmem, on huge=always tmpfs, issues a warning and then hangs (interruptibly): WARNING: CPU: 5 PID: 3517 at mm/highmem.c:622 kunmap_local_indexed+0x62/0xc9 CPU: 5 UID: 0 PID: 3517 Comm: cp Not tainted 6.12.0-rc4 #2 ... copy_page_from_iter_atomic+0xa6/0x5ec generic_perform_write+0xf6/0x1b4 shmem_file_write_iter+0x54/0x67 Fix copy_page_from_iter_atomic() by limiting it in that case (include/linux/skbuff.h skb_frag_must_loop() does similar). But going forward, perhaps CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is too surprising, has outlived its usefulness, and should just be removed? Fixes: 908a1ad89466 ("iov_iter: Handle compound highmem pages in copy_page_from_iter_atomic()") Signed-off-by: Hugh Dickins Link: https://lore.kernel.org/r/dd5f0c89-186e-18e1-4f43-19a60f5a9774@google.com Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit b9cdd9b11916de92221e85379e14882f7f0bfefb Author: Benjamin Segall Date: Fri Oct 25 18:35:35 2024 -0700 posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone [ Upstream commit b5413156bad91dc2995a5c4eab1b05e56914638a ] When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall Signed-off-by: Thomas Gleixner Reviewed-by: Frederic Weisbecker Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com Signed-off-by: Sasha Levin commit c60d98ef7078fc3e22b48e98eae7a897d88494ee Author: Shawn Wang Date: Fri Oct 25 10:22:08 2024 +0800 sched/numa: Fix the potential null pointer dereference in task_numa_work() [ Upstream commit 9c70b2a33cd2aa6a5a59c5523ef053bd42265209 ] When running stress-ng-vm-segv test, we found a null pointer dereference error in task_numa_work(). Here is the backtrace: [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ...... [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se ...... [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--) [323676.067115] pc : vma_migratable+0x1c/0xd0 [323676.067122] lr : task_numa_work+0x1ec/0x4e0 [323676.067127] sp : ffff8000ada73d20 [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010 [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000 [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000 [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8 [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035 [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8 [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4 [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001 [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000 [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000 [323676.067152] Call trace: [323676.067153] vma_migratable+0x1c/0xd0 [323676.067155] task_numa_work+0x1ec/0x4e0 [323676.067157] task_work_run+0x78/0xd8 [323676.067161] do_notify_resume+0x1ec/0x290 [323676.067163] el0_svc+0x150/0x160 [323676.067167] el0t_64_sync_handler+0xf8/0x128 [323676.067170] el0t_64_sync+0x17c/0x180 [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000) [323676.067177] SMP: stopping secondary CPUs [323676.070184] Starting crashdump kernel... stress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error handling function of the system, which tries to cause a SIGSEGV error on return from unmapping the whole address space of the child process. Normally this program will not cause kernel crashes. But before the munmap system call returns to user mode, a potential task_numa_work() for numa balancing could be added and executed. In this scenario, since the child process has no vma after munmap, the vma_next() in task_numa_work() will return a null pointer even if the vma iterator restarts from 0. Recheck the vma pointer before dereferencing it in task_numa_work(). Fixes: 214dbc428137 ("sched: convert to vma iterator") Signed-off-by: Shawn Wang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org # v6.2+ Link: https://lkml.kernel.org/r/20241025022208.125527-1-shawnwang@linux.alibaba.com Signed-off-by: Sasha Levin commit ed28e3ef03954a8f507aa0755c3818570a9c9daf Author: Dan Williams Date: Tue Oct 22 18:43:40 2024 -0700 cxl/acpi: Ensure ports ready at cxl_acpi_probe() return [ Upstream commit 48f62d38a07d464a499fa834638afcfd2b68f852 ] In order to ensure root CXL ports are enabled upon cxl_acpi_probe() when the 'cxl_port' driver is built as a module, arrange for the module to be pre-loaded or built-in. The "Fixes:" but no "Cc: stable" on this patch reflects that the issue is merely by inspection since the bug that triggered the discovery of this potential problem [1] is fixed by other means. However, a stable backport should do no harm. Fixes: 8dd2bc0f8e02 ("cxl/mem: Add the cxl_mem driver") Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1] Signed-off-by: Dan Williams Tested-by: Gregory Price Reviewed-by: Jonathan Cameron Reviewed-by: Ira Weiny Link: https://patch.msgid.link/172964781969.81806.17276352414854540808.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Ira Weiny Signed-off-by: Sasha Levin commit 5b31ac3f133cbfd5ca8053797d5fca9c0641d642 Author: Dan Williams Date: Tue Oct 22 18:43:32 2024 -0700 cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() [ Upstream commit 3d6ebf16438de5d712030fefbb4182b46373d677 ] It turns out since its original introduction, pre-2.6.12, bus_rescan_devices() has skipped devices that might be in the process of attaching or detaching from their driver. For CXL this behavior is unwanted and expects that cxl_bus_rescan() is a probe barrier. That behavior is simple enough to achieve with bus_for_each_dev() paired with call to device_attach(), and it is unclear why bus_rescan_devices() took the position of lockless consumption of dev->driver which is racy. The "Fixes:" but no "Cc: stable" on this patch reflects that the issue is merely by inspection since the bug that triggered the discovery of this potential problem [1] is fixed by other means. However, a stable backport should do no harm. Fixes: 8dd2bc0f8e02 ("cxl/mem: Add the cxl_mem driver") Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1] Signed-off-by: Dan Williams Tested-by: Gregory Price Reviewed-by: Jonathan Cameron Reviewed-by: Ira Weiny Link: https://patch.msgid.link/172964781104.81806.4277549800082443769.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Ira Weiny Signed-off-by: Sasha Levin commit a128cfec44709ab1bd1f01d158569bcb2386f54f Author: Peter Wang Date: Thu Oct 24 09:54:53 2024 +0800 scsi: ufs: core: Fix another deadlock during RTC update [ Upstream commit cb7e509c4e0197f63717fee54fb41c4990ba8d3a ] If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm's usage_count is 0, we will enter the runtime suspend callback. However, the runtime suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock. Replace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the deadlock. Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") Cc: stable@vger.kernel.org #6.11.x Signed-off-by: Peter Wang Link: https://lore.kernel.org/r/20241024015453.21684-1-peter.wang@mediatek.com Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 96d4bf65071b8977d8e35dcdc9bbbd8f9e24022c Author: Chunyan Zhang Date: Tue Oct 8 17:41:39 2024 +0800 riscv: Remove duplicated GET_RM [ Upstream commit 164f66de6bb6ef454893f193c898dc8f1da6d18b ] The macro GET_RM defined twice in this file, one can be removed. Reviewed-by: Alexandre Ghiti Signed-off-by: Chunyan Zhang Fixes: 956d705dd279 ("riscv: Unaligned load/store handling for M_MODE") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241008094141.549248-3-zhangchunyan@iscas.ac.cn Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 0d48086046d6129508504d78a4a41f4218298a74 Author: Chunyan Zhang Date: Tue Oct 8 17:41:38 2024 +0800 riscv: Remove unused GENERATING_ASM_OFFSETS [ Upstream commit 46d4e5ac6f2f801f97bcd0ec82365969197dc9b1 ] The macro is not used in the current version of kernel, it looks like can be removed to avoid a build warning: ../arch/riscv/kernel/asm-offsets.c: At top level: ../arch/riscv/kernel/asm-offsets.c:7: warning: macro "GENERATING_ASM_OFFSETS" is not used [-Wunused-macros] 7 | #define GENERATING_ASM_OFFSETS Fixes: 9639a44394b9 ("RISC-V: Provide a cleaner raw_smp_processor_id()") Cc: stable@vger.kernel.org Reviewed-by: Alexandre Ghiti Tested-by: Alexandre Ghiti Signed-off-by: Chunyan Zhang Link: https://lore.kernel.org/r/20241008094141.549248-2-zhangchunyan@iscas.ac.cn Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 0928bedbeeda4f6c17e6722cb7399083e058621a Author: WangYuli Date: Thu Oct 17 11:20:10 2024 +0800 riscv: Use '%u' to format the output of 'cpu' [ Upstream commit e0872ab72630dada3ae055bfa410bf463ff1d1e0 ] 'cpu' is an unsigned integer, so its conversion specifier should be %u, not %d. Suggested-by: Wentao Guan Suggested-by: Maciej W. Rozycki Link: https://lore.kernel.org/all/alpine.DEB.2.21.2409122309090.40372@angie.orcam.me.uk/ Signed-off-by: WangYuli Reviewed-by: Charlie Jenkins Tested-by: Charlie Jenkins Fixes: f1e58583b9c7 ("RISC-V: Support cpu hotplug") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/4C127DEECDA287C8+20241017032010.96772-1-wangyuli@uniontech.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 303846a3dc275e35fbb556d72f1e356ba669e4f8 Author: Miquel Sabaté Solà Date: Fri Sep 13 10:00:52 2024 +0200 riscv: Prevent a bad reference count on CPU nodes [ Upstream commit 37233169a6ea912020c572f870075a63293b786a ] When populating cache leaves we previously fetched the CPU device node at the very beginning. But when ACPI is enabled we go through a specific branch which returns early and does not call 'of_node_put' for the node that was acquired. Since we are not using a CPU device node for the ACPI code anyways, we can simply move the initialization of it just passed the ACPI block, and we are guaranteed to have an 'of_node_put' call for the acquired node. This prevents a bad reference count of the CPU device node. Moreover, the previous function did not check for errors when acquiring the device node, so a return -ENOENT has been added for that case. Signed-off-by: Miquel Sabaté Solà Reviewed-by: Sudeep Holla Reviewed-by: Sunil V L Reviewed-by: Alexandre Ghiti Fixes: 604f32ea6909 ("riscv: cacheinfo: initialize cacheinfo's level and type from ACPI PPTT") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240913080053.36636-1-mikisabate@gmail.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 7874e116cb9b14326e235c8feb428864d04cda6d Author: Heinrich Schuchardt Date: Sun Sep 29 16:02:33 2024 +0200 riscv: efi: Set NX compat flag in PE/COFF header [ Upstream commit d41373a4b910961df5a5e3527d7bde6ad45ca438 ] The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the EFI binary does not rely on pages that are both executable and writable. The flag is used by some distro versions of GRUB to decide if the EFI binary may be executed. As the Linux kernel neither has RWX sections nor needs RWX pages for relocation we should set the flag. Cc: Ard Biesheuvel Cc: Signed-off-by: Heinrich Schuchardt Reviewed-by: Emil Renner Berthing Fixes: cb7d2dd5612a ("RISC-V: Add PE/COFF header for EFI stub") Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20240929140233.211800-1-heinrich.schuchardt@canonical.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit abeb03a757e661d39545dda7ec132e9d34e26b79 Author: Kailang Yang Date: Fri Oct 18 13:53:24 2024 +0800 ALSA: hda/realtek: Limit internal Mic boost on Dell platform [ Upstream commit 78e7be018784934081afec77f96d49a2483f9188 ] Dell want to limit internal Mic boost on all Dell platform. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/561fc5f5eff04b6cbd79ed173cd1c1db@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 59bed900815c6f61a30f684b0372d80e23f89b78 Author: Dmitry Torokhov Date: Fri Oct 18 17:17:48 2024 -0700 Input: edt-ft5x06 - fix regmap leak when probe fails [ Upstream commit bffdf9d7e51a7be8eeaac2ccf9e54a5fde01ff65 ] The driver neglects to free the instance of I2C regmap constructed at the beginning of the edt_ft5x06_ts_probe() method when probe fails. Additionally edt_ft5x06_ts_remove() is freeing the regmap too early, before the rest of the device resources that are managed by devm are released. Fix this by installing a custom devm action that will ensure that the regmap is released at the right time during normal teardown as well as in case of probe failure. Note that devm_regmap_init_i2c() could not be used because the driver may replace the original regmap with a regmap specific for M06 devices in the middle of the probe, and using devm_regmap_init_i2c() would result in releasing the M06 regmap too early. Reported-by: Li Zetao Fixes: 9dfd9708ffba ("Input: edt-ft5x06 - convert to use regmap API") Cc: stable@vger.kernel.org Reviewed-by: Oliver Graute Link: https://lore.kernel.org/r/ZxL6rIlVlgsAu-Jv@google.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ac9621fe7488504ad73138d2410d15c3192ce911 Author: Alexandre Ghiti Date: Wed Oct 16 10:36:24 2024 +0200 riscv: vdso: Prevent the compiler from inserting calls to memset() [ Upstream commit bf40167d54d55d4b54d0103713d86a8638fb9290 ] The compiler is smart enough to insert a call to memset() in riscv_vdso_get_cpus(), which generates a dynamic relocation. So prevent this by using -fno-builtin option. Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") Cc: stable@vger.kernel.org Signed-off-by: Alexandre Ghiti Reviewed-by: Guo Ren Link: https://lore.kernel.org/r/20241016083625.136311-2-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 89f74c968319d040739d6238e1c3a4caa16a5a00 Author: Frank Li Date: Wed Oct 23 16:30:32 2024 -0400 spi: spi-fsl-dspi: Fix crash when not using GPIO chip select [ Upstream commit 25f00a13dccf8e45441265768de46c8bf58e08f6 ] Add check for the return value of spi_get_csgpiod() to avoid passing a NULL pointer to gpiod_direction_output(), preventing a crash when GPIO chip select is not used. Fix below crash: [ 4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 4.260762] Mem abort info: [ 4.263556] ESR = 0x0000000096000004 [ 4.267308] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.272624] SET = 0, FnV = 0 [ 4.275681] EA = 0, S1PTW = 0 [ 4.278822] FSC = 0x04: level 0 translation fault [ 4.283704] Data abort info: [ 4.286583] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 4.292074] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.297130] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.302445] [0000000000000000] user address but active_mm is swapper [ 4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 4.315072] Modules linked in: [ 4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359 [ 4.328130] Hardware name: LS1046A QDS Board (DT) [ 4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.339794] pc : gpiod_direction_output+0x34/0x5c [ 4.344505] lr : gpiod_direction_output+0x18/0x5c [ 4.349208] sp : ffff80008003b8f0 [ 4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068 [ 4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810 [ 4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002 [ 4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff [ 4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007 [ 4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e [ 4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008 [ 4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000 [ 4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000 [ 4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000 [ 4.423921] Call trace: [ 4.426362] gpiod_direction_output+0x34/0x5c (P) [ 4.431067] gpiod_direction_output+0x18/0x5c (L) [ 4.435771] dspi_setup+0x220/0x334 Fixes: 9e264f3f85a5 ("spi: Replace all spi->chip_select and spi->cs_gpiod references with function call") Cc: stable@vger.kernel.org Signed-off-by: Frank Li Link: https://patch.msgid.link/20241023203032.1388491-1-Frank.Li@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 22833d89b780ba0f9f66e19c477e7decf638edce Author: Naohiro Aota Date: Wed Oct 9 22:52:06 2024 +0900 btrfs: fix error propagation of split bios [ Upstream commit d48e1dea3931de64c26717adc2b89743c7ab6594 ] The purpose of btrfs_bbio_propagate_error() shall be propagating an error of split bio to its original btrfs_bio, and tell the error to the upper layer. However, it's not working well on some cases. * Case 1. Immediate (or quick) end_bio with an error When btrfs sends btrfs_bio to mirrored devices, btrfs calls btrfs_bio_end_io() when all the mirroring bios are completed. If that btrfs_bio was split, it is from btrfs_clone_bioset and its end_io function is btrfs_orig_write_end_io. For this case, btrfs_bbio_propagate_error() accesses the orig_bbio's bio context to increase the error count. That works well in most cases. However, if the end_io is called enough fast, orig_bbio's (remaining part after split) bio context may not be properly set at that time. Since the bio context is set when the orig_bbio (the last btrfs_bio) is sent to devices, that might be too late for earlier split btrfs_bio's completion. That will result in NULL pointer dereference. That bug is easily reproducible by running btrfs/146 on zoned devices [1] and it shows the following trace. [1] You need raid-stripe-tree feature as it create "-d raid0 -m raid1" FS. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: writeback wb_workfn (flush-btrfs-5) RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs] BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0 RSP: 0018:ffffc9000006f248 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080 RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58 R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158 FS: 0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __die_body.cold+0x19/0x26 ? page_fault_oops+0x13e/0x2b0 ? _printk+0x58/0x73 ? do_user_addr_fault+0x5f/0x750 ? exc_page_fault+0x76/0x240 ? asm_exc_page_fault+0x22/0x30 ? btrfs_bio_end_io+0xae/0xc0 [btrfs] ? btrfs_log_dev_io_error+0x7f/0x90 [btrfs] btrfs_orig_write_end_io+0x51/0x90 [btrfs] dm_submit_bio+0x5c2/0xa50 [dm_mod] ? find_held_lock+0x2b/0x80 ? blk_try_enter_queue+0x90/0x1e0 __submit_bio+0xe0/0x130 ? ktime_get+0x10a/0x160 ? lockdep_hardirqs_on+0x74/0x100 submit_bio_noacct_nocheck+0x199/0x410 btrfs_submit_bio+0x7d/0x150 [btrfs] btrfs_submit_chunk+0x1a1/0x6d0 [btrfs] ? lockdep_hardirqs_on+0x74/0x100 ? __folio_start_writeback+0x10/0x2c0 btrfs_submit_bbio+0x1c/0x40 [btrfs] submit_one_bio+0x44/0x60 [btrfs] submit_extent_folio+0x13f/0x330 [btrfs] ? btrfs_set_range_writeback+0xa3/0xd0 [btrfs] extent_writepage_io+0x18b/0x360 [btrfs] extent_write_locked_range+0x17c/0x340 [btrfs] ? __pfx_end_bbio_data_write+0x10/0x10 [btrfs] run_delalloc_cow+0x71/0xd0 [btrfs] btrfs_run_delalloc_range+0x176/0x500 [btrfs] ? find_lock_delalloc_range+0x119/0x260 [btrfs] writepage_delalloc+0x2ab/0x480 [btrfs] extent_write_cache_pages+0x236/0x7d0 [btrfs] btrfs_writepages+0x72/0x130 [btrfs] do_writepages+0xd4/0x240 ? find_held_lock+0x2b/0x80 ? wbc_attach_and_unlock_inode+0x12c/0x290 ? wbc_attach_and_unlock_inode+0x12c/0x290 __writeback_single_inode+0x5c/0x4c0 ? do_raw_spin_unlock+0x49/0xb0 writeback_sb_inodes+0x22c/0x560 __writeback_inodes_wb+0x4c/0xe0 wb_writeback+0x1d6/0x3f0 wb_workfn+0x334/0x520 process_one_work+0x1ee/0x570 ? lock_is_held_type+0xc6/0x130 worker_thread+0x1d1/0x3b0 ? __pfx_worker_thread+0x10/0x10 kthread+0xee/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Modules linked in: dm_mod btrfs blake2b_generic xor raid6_pq rapl CR2: 0000000000000020 * Case 2. Earlier completion of orig_bbio for mirrored btrfs_bios btrfs_bbio_propagate_error() assumes the end_io function for orig_bbio is called last among split bios. In that case, btrfs_orig_write_end_io() sets the bio->bi_status to BLK_STS_IOERR by seeing the bioc->error [2]. Otherwise, the increased orig_bio's bioc->error is not checked by anyone and return BLK_STS_OK to the upper layer. [2] Actually, this is not true. Because we only increases orig_bioc->errors by max_errors, the condition "atomic_read(&bioc->error) > bioc->max_errors" is still not met if only one split btrfs_bio fails. * Case 3. Later completion of orig_bbio for un-mirrored btrfs_bios In contrast to the above case, btrfs_bbio_propagate_error() is not working well if un-mirrored orig_bbio is completed last. It sets orig_bbio->bio.bi_status to the btrfs_bio's error. But, that is easily over-written by orig_bbio's completion status. If the status is BLK_STS_OK, the upper layer would not know the failure. * Solution Considering the above cases, we can only save the error status in the orig_bbio (remaining part after split) itself as it is always available. Also, the saved error status should be propagated when all the split btrfs_bios are finished (i.e, bbio->pending_ios == 0). This commit introduces "status" to btrfs_bbio and saves the first error of split bios to original btrfs_bio's "status" variable. When all the split bios are finished, the saved status is loaded into original btrfs_bio's status. With this commit, btrfs/146 on zoned devices does not hit the NULL pointer dereference anymore. Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios") CC: stable@vger.kernel.org # 6.6+ Reviewed-by: Qu Wenruo Reviewed-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 54a3f1bac8b845fa815bc245eca1f598227e91d6 Author: Qu Wenruo Date: Sat Aug 24 19:36:43 2024 +0930 btrfs: merge btrfs_orig_bbio_end_io() into btrfs_bio_end_io() [ Upstream commit 9ca0e58cb752b09816f56f7a3147a39773d5e831 ] There are only two differences between the two functions: - btrfs_orig_bbio_end_io() does extra error propagation This is mostly to allow tolerance for write errors. - btrfs_orig_bbio_end_io() does extra pending_ios check This check can handle both the original bio, or the cloned one. (All accounting happens in the original one). This makes btrfs_orig_bbio_end_io() a much safer call. In fact we already had a double freeing error due to usage of btrfs_bio_end_io() in the error path of btrfs_submit_chunk(). So just move the whole content of btrfs_orig_bbio_end_io() into btrfs_bio_end_io(). For normal paths this brings no change, because they are already calling btrfs_orig_bbio_end_io() in the first place. For error paths (not only inside bio.c but also external callers), this change will introduce extra checks, especially for external callers, as they will error out without submitting the btrfs bio. But considering it's already in the error path, such slower but much safer checks are still an overall win. Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Stable-dep-of: d48e1dea3931 ("btrfs: fix error propagation of split bios") Signed-off-by: Sasha Levin commit 5d0c5b54154a5156bbb0a29d6fc3aad8ab0e7ea1 Author: Richard Zhu Date: Mon Oct 21 11:52:41 2024 -0400 phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check [ Upstream commit f89263b69731e0144d275fff777ee0dd92069200 ] When enable initcall_debug together with higher debug level below. CONFIG_CONSOLE_LOGLEVEL_DEFAULT=9 CONFIG_CONSOLE_LOGLEVEL_QUIET=9 CONFIG_MESSAGE_LOGLEVEL_DEFAULT=7 The initialization of i.MX8MP PCIe PHY might be timeout failed randomly. To fix this issue, adjust the sequence of the resets refer to the power up sequence listed below. i.MX8MP PCIe PHY power up sequence: /--------------------------------------------- 1.8v supply ---------/ /--------------------------------------------------- 0.8v supply ---/ ---\ /-------------------------------------------------- X REFCLK Valid Reference Clock ---/ \-------------------------------------------------- ------------------------------------------- | i_init_restn -------------- ------------------------------------ | i_cmn_rstn --------------------- ------------------------------- | o_pll_lock_done -------------------------- Logs: imx6q-pcie 33800000.pcie: host bridge /soc@0/pcie@33800000 ranges: imx6q-pcie 33800000.pcie: IO 0x001ff80000..0x001ff8ffff -> 0x0000000000 imx6q-pcie 33800000.pcie: MEM 0x0018000000..0x001fefffff -> 0x0018000000 probe of clk_imx8mp_audiomix.reset.0 returned 0 after 1052 usecs probe of 30e20000.clock-controller returned 0 after 32971 usecs phy phy-32f00000.pcie-phy.4: phy poweron failed --> -110 probe of 30e10000.dma-controller returned 0 after 10235 usecs imx6q-pcie 33800000.pcie: waiting for PHY ready timeout! dwhdmi-imx 32fd8000.hdmi: Detected HDMI TX controller v2.13a with HDCP (samsung_dw_hdmi_phy2) imx6q-pcie 33800000.pcie: probe with driver imx6q-pcie failed with error -110 Fixes: dce9edff16ee ("phy: freescale: imx8m-pcie: Add i.MX8MP PCIe PHY support") Cc: stable@vger.kernel.org Signed-off-by: Richard Zhu Signed-off-by: Frank Li v2 changes: - Rebase to latest fixes branch of linux-phy git repo. - Richard's environment have problem and can't sent out patch. So I help post this fix patch. Link: https://lore.kernel.org/r/20241021155241.943665-1-Frank.Li@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6dab3331523ba73db1345d19e6f586dcd5f6efb4 Author: Chen Ridong Date: Tue Oct 8 11:24:56 2024 +0000 cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction [ Upstream commit 117932eea99b729ee5d12783601a4f7f5fd58a23 ] A hung_task problem shown below was found: INFO: task kworker/0:0:8 blocked for more than 327 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Workqueue: events cgroup_bpf_release Call Trace: __schedule+0x5a2/0x2050 ? find_held_lock+0x33/0x100 ? wq_worker_sleeping+0x9e/0xe0 schedule+0x9f/0x180 schedule_preempt_disabled+0x25/0x50 __mutex_lock+0x512/0x740 ? cgroup_bpf_release+0x1e/0x4d0 ? cgroup_bpf_release+0xcf/0x4d0 ? process_scheduled_works+0x161/0x8a0 ? cgroup_bpf_release+0x1e/0x4d0 ? mutex_lock_nested+0x2b/0x40 ? __pfx_delay_tsc+0x10/0x10 mutex_lock_nested+0x2b/0x40 cgroup_bpf_release+0xcf/0x4d0 ? process_scheduled_works+0x161/0x8a0 ? trace_event_raw_event_workqueue_execute_start+0x64/0xd0 ? process_scheduled_works+0x161/0x8a0 process_scheduled_works+0x23a/0x8a0 worker_thread+0x231/0x5b0 ? __pfx_worker_thread+0x10/0x10 kthread+0x14d/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x59/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 This issue can be reproduced by the following pressuse test: 1. A large number of cpuset cgroups are deleted. 2. Set cpu on and off repeatly. 3. Set watchdog_thresh repeatly. The scripts can be obtained at LINK mentioned above the signature. The reason for this issue is cgroup_mutex and cpu_hotplug_lock are acquired in different tasks, which may lead to deadlock. It can lead to a deadlock through the following steps: 1. A large number of cpusets are deleted asynchronously, which puts a large number of cgroup_bpf_release works into system_wq. The max_active of system_wq is WQ_DFL_ACTIVE(256). Consequently, all active works are cgroup_bpf_release works, and many cgroup_bpf_release works will be put into inactive queue. As illustrated in the diagram, there are 256 (in the acvtive queue) + n (in the inactive queue) works. 2. Setting watchdog_thresh will hold cpu_hotplug_lock.read and put smp_call_on_cpu work into system_wq. However step 1 has already filled system_wq, 'sscs.work' is put into inactive queue. 'sscs.work' has to wait until the works that were put into the inacvtive queue earlier have executed (n cgroup_bpf_release), so it will be blocked for a while. 3. Cpu offline requires cpu_hotplug_lock.write, which is blocked by step 2. 4. Cpusets that were deleted at step 1 put cgroup_release works into cgroup_destroy_wq. They are competing to get cgroup_mutex all the time. When cgroup_metux is acqured by work at css_killed_work_fn, it will call cpuset_css_offline, which needs to acqure cpu_hotplug_lock.read. However, cpuset_css_offline will be blocked for step 3. 5. At this moment, there are 256 works in active queue that are cgroup_bpf_release, they are attempting to acquire cgroup_mutex, and as a result, all of them are blocked. Consequently, sscs.work can not be executed. Ultimately, this situation leads to four processes being blocked, forming a deadlock. system_wq(step1) WatchDog(step2) cpu offline(step3) cgroup_destroy_wq(step4) ... 2000+ cgroups deleted asyn 256 actives + n inactives __lockup_detector_reconfigure P(cpu_hotplug_lock.read) put sscs.work into system_wq 256 + n + 1(sscs.work) sscs.work wait to be executed warting sscs.work finish percpu_down_write P(cpu_hotplug_lock.write) ...blocking... css_killed_work_fn P(cgroup_mutex) cpuset_css_offline P(cpu_hotplug_lock.read) ...blocking... 256 cgroup_bpf_release mutex_lock(&cgroup_mutex); ..blocking... To fix the problem, place cgroup_bpf_release works on a dedicated workqueue which can break the loop and solve the problem. System wqs are for misc things which shouldn't create a large number of concurrent work items. If something is going to generate >WQ_DFL_ACTIVE(256) concurrent work items, it should use its own dedicated workqueue. Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") Cc: stable@vger.kernel.org # v5.3+ Link: https://lore.kernel.org/cgroups/e90c32d2-2a85-4f28-9154-09c7d320cb60@huawei.com/T/#t Tested-by: Vishal Chourasia Signed-off-by: Chen Ridong Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit b1a715ff11e09fa729a1492b2389958936e86e97 Author: Xinyu Zhang Date: Wed Oct 23 15:15:19 2024 -0600 block: fix sanity checks in blk_rq_map_user_bvec [ Upstream commit 2ff949441802a8d076d9013c7761f63e8ae5a9bd ] blk_rq_map_user_bvec contains a check bytes + bv->bv_len > nr_iter which causes unnecessary failures in NVMe passthrough I/O, reproducible as follows: - register a 2 page, page-aligned buffer against a ring - use that buffer to do a 1 page io_uring NVMe passthrough read The second (i = 1) iteration of the loop in blk_rq_map_user_bvec will then have nr_iter == 1 page, bytes == 1 page, bv->bv_len == 1 page, so the check bytes + bv->bv_len > nr_iter will succeed, causing the I/O to fail. This failure is unnecessary, as when the check succeeds, it means we've checked the entire buffer that will be used by the request - i.e. blk_rq_map_user_bvec should complete successfully. Therefore, terminate the loop early and return successfully when the check bytes + bv->bv_len > nr_iter succeeds. While we're at it, also remove the check that all segments in the bvec are single-page. While this seems to be true for all users of the function, it doesn't appear to be required anywhere downstream. CC: stable@vger.kernel.org Signed-off-by: Xinyu Zhang Co-developed-by: Uday Shankar Signed-off-by: Uday Shankar Fixes: 37987547932c ("block: extend functionality to map bvec iterator") Link: https://lore.kernel.org/r/20241023211519.4177873-1-ushankar@purestorage.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b189cd6a3f264198f0d9cf6d7c8d30c6cd220745 Author: Ben Chuang Date: Fri Oct 25 14:00:17 2024 +0800 mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process commit c4dedaaeb3f78d3718e9c1b1e4d972a6b99073cd upstream. When starting the SD Express process, the low power negotiation mode will be disabled, so we need to re-enable it after switching back to SD mode. Fixes: 0e92aec2efa0 ("mmc: sdhci-pci-gli: Add support SD Express card for GL9767") Signed-off-by: Ben Chuang Cc: stable@vger.kernel.org Message-ID: <20241025060017.1663697-2-benchuanggli@gmail.com> Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit efd2112164cb3ac1f9e7b15bb9b817d96f1eadda Author: Ben Chuang Date: Fri Oct 25 14:00:16 2024 +0800 mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function commit 8c68b5656e55e9324875881f1000eb4ee3603a87 upstream. On sdhci_gl9767_set_clock(), the vendor header space(VHS) is read-only after calling gl9767_disable_ssc_pll() and gl9767_set_ssc_pll_205mhz(). So the low power negotiation mode cannot be enabled again. Introduce gl9767_set_low_power_negotiation() function to fix it. The explanation process is as below. static void sdhci_gl9767_set_clock() { ... gl9767_vhs_write(); ... value |= PCIE_GLI_9767_CFG_LOW_PWR_OFF; pci_write_config_dword(pdev, PCIE_GLI_9767_CFG, value); <--- (a) gl9767_disable_ssc_pll(); <--- (b) sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL); if (clock == 0) return; <-- (I) ... if (clock == 200000000 && ios->timing == MMC_TIMING_UHS_SDR104) { ... gl9767_set_ssc_pll_205mhz(); <--- (c) } ... value &= ~PCIE_GLI_9767_CFG_LOW_PWR_OFF; pci_write_config_dword(pdev, PCIE_GLI_9767_CFG, value); <-- (II) gl9767_vhs_read(); } (a) disable low power negotiation mode. When return on (I), the low power mode is disabled. After (b) and (c), VHS is read-only, the low power mode cannot be enabled on (II). Reported-by: Georg Gottleuber Fixes: d2754355512e ("mmc: sdhci-pci-gli: Set SDR104's clock to 205MHz and enable SSC for GL9767") Signed-off-by: Ben Chuang Tested-by: Georg Gottleuber Cc: stable@vger.kernel.org Message-ID: <20241025060017.1663697-1-benchuanggli@gmail.com> Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 6dab2b8e424cac65069d8d57c3d759764b007181 Author: Dan Williams Date: Fri Oct 25 12:32:55 2024 -0700 cxl/port: Fix CXL port initialization order when the subsystem is built-in commit 6575b268157f37929948a8d1f3bafb3d7c055bc1 upstream. When the CXL subsystem is built-in the module init order is determined by Makefile order. That order violates expectations. The expectation is that cxl_acpi and cxl_mem can race to attach. If cxl_acpi wins the race, cxl_mem will find the enabled CXL root ports it needs. If cxl_acpi loses the race it will retrigger cxl_mem to attach via cxl_bus_rescan(). That flow only works if cxl_acpi can assume ports are enabled immediately upon cxl_acpi_probe() return. That in turn can only happen in the CONFIG_CXL_ACPI=y case if the cxl_port driver is registered before cxl_acpi_probe() runs. Fix up the order to prevent initialization failures. Ensure that cxl_port is built-in when cxl_acpi is also built-in, arrange for Makefile order to resolve the subsys_initcall() order of cxl_port and cxl_acpi, and arrange for Makefile order to resolve the device_initcall() (module_init()) order of the remaining objects. As for what contributed to this not being found earlier, the CXL regression environment, cxl_test, builds all CXL functionality as a module to allow to symbol mocking and other dynamic reload tests. As a result there is no regression coverage for the built-in case. Reported-by: Gregory Price Closes: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net Tested-by: Gregory Price Fixes: 8dd2bc0f8e02 ("cxl/mem: Add the cxl_mem driver") Cc: stable@vger.kernel.org Cc: Davidlohr Bueso Cc: Jonathan Cameron Cc: Dave Jiang Cc: Alison Schofield Cc: Vishal Verma Cc: Ira Weiny Reviewed-by: Jonathan Cameron Reviewed-by: Ira Weiny Tested-by: Alejandro Lucero Reviewed-by: Alejandro Lucero Signed-off-by: Dan Williams Link: https://patch.msgid.link/172988474904.476062.7961350937442459266.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Ira Weiny Signed-off-by: Greg Kroah-Hartman commit 78c8454fdce0eeee962be004eb6d99860c80dad1 Author: Dan Williams Date: Tue Oct 22 18:43:49 2024 -0700 cxl/port: Fix use-after-free, permit out-of-order decoder shutdown commit 101c268bd2f37e965a5468353e62d154db38838e upstream. In support of investigating an initialization failure report [1], cxl_test was updated to register mock memory-devices after the mock root-port/bus device had been registered. That led to cxl_test crashing with a use-after-free bug with the following signature: cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1 cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1 cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0 1) cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1 [..] cxld_unregister: cxl decoder14.0: cxl_region_decode_reset: cxl_region region3: mock_decoder_reset: cxl_port port3: decoder3.0 reset 2) mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1 cxl_endpoint_decoder_release: cxl decoder14.0: [..] cxld_unregister: cxl decoder7.0: 3) cxl_region_decode_reset: cxl_region region3: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI [..] RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core] [..] Call Trace: cxl_region_decode_reset+0x69/0x190 [cxl_core] cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x5d/0x60 [cxl_core] At 1) a region has been established with 2 endpoint decoders (7.0 and 14.0). Those endpoints share a common switch-decoder in the topology (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits the "out of order reset case" in the switch decoder. The effect though is that region3 cleanup is aborted leaving it in-tact and referencing decoder14.0. At 3) the second attempt to teardown region3 trips over the stale decoder14.0 object which has long since been deleted. The fix here is to recognize that the CXL specification places no mandate on in-order shutdown of switch-decoders, the driver enforces in-order allocation, and hardware enforces in-order commit. So, rather than fail and leave objects dangling, always remove them. In support of making cxl_region_decode_reset() always succeed, cxl_region_invalidate_memregion() failures are turned into warnings. Crashing the kernel is ok there since system integrity is at risk if caches cannot be managed around physical address mutation events like CXL region destruction. A new device_for_each_child_reverse_from() is added to cleanup port->commit_end after all dependent decoders have been disabled. In other words if decoders are allocated 0->1->2 and disabled 1->2->0 then port->commit_end only decrements from 2 after 2 has been disabled, and it decrements all the way to zero since 1 was disabled previously. Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1] Cc: stable@vger.kernel.org Fixes: 176baefb2eb5 ("cxl/hdm: Commit decoder state to hardware") Reviewed-by: Jonathan Cameron Cc: Greg Kroah-Hartman Cc: Davidlohr Bueso Cc: Dave Jiang Cc: Alison Schofield Cc: Ira Weiny Cc: Zijun Hu Signed-off-by: Dan Williams Reviewed-by: Ira Weiny Link: https://patch.msgid.link/172964782781.81806.17902885593105284330.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Ira Weiny Signed-off-by: Greg Kroah-Hartman commit f8a0e7dc7d8b73076fecc726b00d44a9f704a90f Author: Bjorn Andersson Date: Wed Oct 23 17:24:33 2024 +0000 soc: qcom: pmic_glink: Handle GLINK intent allocation rejections commit f8c879192465d9f328cb0df07208ef077c560bb1 upstream. Some versions of the pmic_glink firmware does not allow dynamic GLINK intent allocations, attempting to send a message before the firmware has allocated its receive buffers and announced these intent allocations will fail. When this happens something like this showns up in the log: pmic_glink_altmode.pmic_glink_altmode pmic_glink.altmode.0: failed to send altmode request: 0x10 (-125) pmic_glink_altmode.pmic_glink_altmode pmic_glink.altmode.0: failed to request altmode notifications: -125 ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI read request: -125 qcom_battmgr.pmic_glink_power_supply pmic_glink.power-supply.0: failed to request power notifications GLINK has been updated to distinguish between the cases where the remote is going down (-ECANCELED) and the intent allocation being rejected (-EAGAIN). Retry the send until intent buffers becomes available, or an actual error occur. To avoid infinitely waiting for the firmware in the event that this misbehaves and no intents arrive, an arbitrary 5 second timeout is used. This patch was developed with input from Chris Lew. Reported-by: Johan Hovold Closes: https://lore.kernel.org/all/Zqet8iInnDhnxkT9@hovoldconsulting.com/#t Cc: stable@vger.kernel.org # rpmsg: glink: Handle rejected intent request better Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") Tested-by: Johan Hovold Reviewed-by: Johan Hovold Signed-off-by: Bjorn Andersson Reviewed-by: Chris Lew Link: https://lore.kernel.org/r/20241023-pmic-glink-ecancelled-v2-2-ebc268129407@oss.qualcomm.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit a2a268e726f8cb4709bb2e682c1d7e2792feabe9 Author: Gil Fine Date: Thu Oct 10 17:29:42 2024 +0300 thunderbolt: Honor TMU requirements in the domain when setting TMU mode commit 3cea8af2d1a9ae5869b47c3dabe3b20f331f3bbd upstream. Currently, when configuring TMU (Time Management Unit) mode of a given router, we take into account only its own TMU requirements ignoring other routers in the domain. This is problematic if the router we are configuring has lower TMU requirements than what is already configured in the domain. In the scenario below, we have a host router with two USB4 ports: A and B. Port A connected to device router #1 (which supports CL states) and existing DisplayPort tunnel, thus, the TMU mode is HiFi uni-directional. 1. Initial topology [Host] A/ / [Device #1] / Monitor 2. Plug in device #2 (that supports CL states) to downstream port B of the host router [Host] A/ B\ / \ [Device #1] [Device #2] / Monitor The TMU mode on port B and port A will be configured to LowRes which is not what we want and will cause monitor to start flickering. To address this we first scan the domain and search for any router configured to HiFi uni-directional mode, and if found, configure TMU mode of the given router to HiFi uni-directional as well. Cc: stable@vger.kernel.org Signed-off-by: Gil Fine Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d Author: Mika Westerberg Date: Wed Sep 25 12:59:20 2024 +0300 thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() commit e9e1b20fae7de06ba36dd3f8dba858157bad233d upstream. KASAN reported following issue: BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt] Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Call Trace: dump_stack_lvl+0x6c/0x90 print_report+0xd1/0x630 kasan_report+0xdb/0x110 __asan_report_load4_noabort+0x14/0x20 tb_retimer_scan+0xffe/0x1550 [thunderbolt] tb_scan_port+0xa6f/0x2060 [thunderbolt] tb_handle_hotplug+0x17b1/0x3080 [thunderbolt] process_one_work+0x626/0x1100 worker_thread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 ret_from_fork+0x3a/0x80 ret_from_fork_asm+0x1a/0x30 This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the the array declared on the stack. Fix this by assigning to max directly in the loop body. Fixes: ff6ab055e070 ("thunderbolt: Add receiver lane margining support for retimers") CC: stable@vger.kernel.org Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 794ba27ea27c3f22a2bdceb6d030cd582aacbfac Author: Conor Dooley Date: Wed Oct 16 17:35:06 2024 +0100 firmware: microchip: auto-update: fix poll_complete() to not report spurious timeout errors commit 83beece5aff75879bdfc6df8ba84ea88fd93050e upstream. fw_upload's poll_complete() is really intended for use with asynchronous write() implementations - or at least those where the write() loop may terminate without the kernel yet being aware of whether or not the firmware upload has succeeded. For auto-update, write() is only ever called once and will only return when uploading has completed, be that by passing or failing. The core fw_upload code only calls poll_complete() after the final call to write() has returned. However, the poll_complete() implementation in the auto-update driver was written to expect poll_complete() to be called from another context, and it waits for a completion signalled from write(). Since poll_complete() is actually called from the same context, after the write() loop has terminated, wait_for_completion() never sees the completion get signalled and always times out, causing programming to always report a failing. Since write() is full synchronous, and its return value will indicate whether or not programming passed or failed, poll_complete() serves no purpose and can be cut down to simply return FW_UPLOAD_ERR_NONE. Cc: stable@vger.kernel.org Fixes: ec5b0f1193ad4 ("firmware: microchip: add PolarFire SoC Auto Update support") Reported-by: Jamie Gibbons Tested-by: Jamie Gibbons Signed-off-by: Conor Dooley Signed-off-by: Greg Kroah-Hartman commit 623848f2b5631fd5ed4ed7aee5ff82d90faedfc4 Author: Chen Ridong Date: Fri Oct 25 06:09:42 2024 +0000 mm: shrinker: avoid memleak in alloc_shrinker_info commit 15e8156713cc38031642fafc8baf7d53f19f2e83 upstream. A memleak was found as below: unreferenced object 0xffff8881010d2a80 (size 32): comm "mkdir", pid 1559, jiffies 4294932666 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @............... backtrace (crc 2e7ef6fa): [] __kmalloc_node_noprof+0x394/0x470 [] alloc_shrinker_info+0x7b/0x1a0 [] mem_cgroup_css_online+0x11a/0x3b0 [] online_css+0x29/0xa0 [] cgroup_apply_control_enable+0x20d/0x360 [] cgroup_mkdir+0x168/0x5f0 [] kernfs_iop_mkdir+0x5e/0x90 [] vfs_mkdir+0x144/0x220 [] do_mkdirat+0x87/0x130 [] __x64_sys_mkdir+0x49/0x70 [] do_syscall_64+0x68/0x140 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e alloc_shrinker_info(), when shrinker_unit_alloc() returns an errer, the info won't be freed. Just fix it. Link: https://lkml.kernel.org/r/20241025060942.1049263-1-chenridong@huaweicloud.com Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}") Signed-off-by: Chen Ridong Acked-by: Qi Zheng Acked-by: Roman Gushchin Acked-by: Vlastimil Babka Acked-by: Kirill A. Shutemov Reviewed-by: Dave Chinner Cc: Anshuman Khandual Cc: Muchun Song Cc: Wang Weiyang Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit f5453ee72f7a1bf19090cd9a93b25e13681a4fb6 Author: Wladislav Wiebe Date: Tue Oct 22 19:21:13 2024 +0200 tools/mm: -Werror fixes in page-types/slabinfo commit ece5897e5a10fcd56a317e32f2dc7219f366a5a8 upstream. Commit e6d2c436ff693 ("tools/mm: allow users to provide additional cflags/ldflags") passes now CFLAGS to Makefile. With this, build systems with default -Werror enabled found: slabinfo.c:1300:25: error: ignoring return value of 'chdir' declared with attribute 'warn_unused_result' [-Werror=unused-result]                          chdir("..");                          ^~~~~~~~~~~ page-types.c:397:35: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'uint64_t' {aka 'long long unsigned int'} [-Werror=format=]                          printf("%lu\t", mapcnt0);                                  ~~^     ~~~~~~~ .. Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo for return code on chdir(".."). Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com Fixes: e6d2c436ff69 ("tools/mm: allow users to provide additional cflags/ldflags") Signed-off-by: Wladislav Wiebe Cc: Vlastimil Babka Cc: Herton R. Krzesinski Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ffd56612566bc23877c8f45def2801f3324a222a Author: Jeongjun Park Date: Mon Sep 9 21:35:58 2024 +0900 mm: shmem: fix data-race in shmem_getattr() commit d949d1d14fa281ace388b1de978e8f2cd52875cf upstream. I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park Reported-by: syzbot Cc: Hugh Dickins Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit c4caa2d3bd5515755f47ae689e77bf7b3ba67c42 Author: Yunhui Cui Date: Mon Oct 14 21:01:41 2024 +0800 RISC-V: ACPI: fix early_ioremap to early_memremap commit 1966db682f064172891275cb951aa8c98a0a809b upstream. When SVPBMT is enabled, __acpi_map_table() will directly access the data in DDR through the IO attribute, rather than through hardware cache consistency, resulting in incorrect data in the obtained ACPI table. The log: ACPI: [ACPI:0x18] Invalid zero length. We do not assume whether the bootloader flushes or not. We should access in a cacheable way instead of maintaining cache consistency by software. Fixes: 3b426d4b5b14 ("RISC-V: ACPI : Fix for usage of pointers in different address space") Cc: stable@vger.kernel.org Reviewed-by: Alexandre Ghiti Signed-off-by: Yunhui Cui Reviewed-by: Sunil V L Link: https://lore.kernel.org/r/20241014130141.86426-1-cuiyunhui@bytedance.com Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 9aa5d43ac4cace8fb9bd964ff6c23f599dc3cd24 Author: Ryusuke Konishi Date: Sun Oct 20 13:51:28 2024 +0900 nilfs2: fix potential deadlock with newly created symlinks commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream. Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock. This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem(). This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held: Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints. Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256 Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 56c6171932a7fb267ac6cb4ff8759b93ee1d0e2e Author: Ryusuke Konishi Date: Fri Oct 18 04:33:10 2024 +0900 nilfs2: fix kernel bug due to missing clearing of checked flag commit 41e192ad2779cae0102879612dfe46726e4396aa upstream. Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files. Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+d6ca2daf692c7a82f959@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959 Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 37aba6e268466ccaeb963d6e589ce8d340fb41af Author: Javier Carrasco Date: Wed Oct 16 19:04:31 2024 +0200 iio: light: veml6030: fix microlux value calculation commit 63dd163cd61dda6f38343776b42331cc6b7e56e0 upstream. The raw value conversion to obtain a measurement in lux as INT_PLUS_MICRO does not calculate the decimal part properly to display it as micro (in this case microlux). It only calculates the module to obtain the decimal part from a resolution that is 10000 times the provided in the datasheet (0.5376 lux/cnt for the veml6030). The resulting value must still be multiplied by 100 to make it micro. This bug was introduced with the original implementation of the driver. Only the illuminance channel is fixed becuase the scale is non sensical for the intensity channels anyway. Cc: stable@vger.kernel.org Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241016-veml6030-fix-processed-micro-v1-1-4a5644796437@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 16e41593825c3044efca0eb34b2d6ffba306e4ec Author: Jinjie Ruan Date: Fri Oct 11 17:55:12 2024 +0800 iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() commit 691e79ffc42154a9c91dc3b7e96a307037b4be74 upstream. modprobe iio-test-gts and rmmod it, then the following memory leak occurs: unreferenced object 0xffffff80c810be00 (size 64): comm "kunit_try_catch", pid 1654, jiffies 4294913981 hex dump (first 32 bytes): 02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00 ........ ...@... 80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00 ................ backtrace (crc a63d875e): [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 [<0000000071bb4b09>] 0xffffffdf052a62e0 [<000000000315bc18>] 0xffffffdf052a6488 [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000f505065d>] kthread+0x2e8/0x374 [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cbfe9e70 (size 16): comm "kunit_try_catch", pid 1658, jiffies 4294914015 hex dump (first 16 bytes): 10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00 ....@........... backtrace (crc 857f0cb4): [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 [<0000000071bb4b09>] 0xffffffdf052a62e0 [<000000007d089d45>] 0xffffffdf052a6864 [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000f505065d>] kthread+0x2e8/0x374 [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 ...... It includes 5*5 times "size 64" memory leaks, which correspond to 5 times test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int)) and gts_test_itimes size 5. It also includes 5*1 times "size 16" memory leak, which correspond to one time __test_init_iio_gain_scale() call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes size 5. The reason is that the per_time_gains[i] is not freed which is allocated in the "gts->num_itime" for loop in iio_gts_build_avail_scale_table(). Cc: stable@vger.kernel.org Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Signed-off-by: Jinjie Ruan Reviewed-by: Matti Vaittinen Link: https://patch.msgid.link/20241011095512.3667549-1-ruanjinjie@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit b304362ce836968b803e5d4c5f84dcb51a7bf0f2 Author: Jinjie Ruan Date: Wed Oct 16 09:24:53 2024 +0800 iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() commit 369f05688911b05216cfcd6ca74473bec87948d7 upstream. If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop of iio_gts_build_avail_scale_table(), the err_free_out will fail to call kfree() each time when i is reduced to 0, so all the per_time_scales[0] and per_time_gains[0] will not be freed, which will cause memory leaks. Fix it by checking if i >= 0. Cc: stable@vger.kernel.org Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Reviewed-by: Matti Vaittinen Signed-off-by: Jinjie Ruan Link: https://patch.msgid.link/20241016012453.2013302-1-ruanjinjie@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0ac0beb4235a9a474f681280a3bd4e2a5bb66569 Author: Zicheng Qu Date: Tue Oct 22 13:43:30 2024 +0000 iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() commit efa353ae1b0541981bc96dbf2e586387d0392baa upstream. In the ad7124_write_raw() function, parameter val can potentially be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() is called within ad7124_set_channel_odr(). The ad7124_write_raw() function is invoked through the sequence: iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(), with no checks in place to ensure val is non-zero. Cc: stable@vger.kernel.org Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") Signed-off-by: Zicheng Qu Reviewed-by: Nuno Sa Link: https://patch.msgid.link/20241022134330.574601-1-quzicheng@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 36b992a8e0244bea83b842997054fc7d8fdbf55d Author: Julien Stephan Date: Tue Oct 22 15:22:36 2024 +0200 dt-bindings: iio: adc: ad7380: fix ad7380-4 reference supply commit fbe5956e8809f04e9121923db0b6d1b94f2b93ba upstream. ad7380-4 is the only device from ad738x family that doesn't have an internal reference. Moreover its external reference is called REFIN in the datasheet while all other use REFIO as an optional external reference. If refio-supply is omitted the internal reference is used. Fix the binding by adding refin-supply and makes it required for ad7380-4 only. Fixes: 1a291cc8ee17 ("dt-bindings: iio: adc: ad7380: add support for ad738x-4 4 channels variants") Acked-by: Conor Dooley Reviewed-by: David Lechner Signed-off-by: Julien Stephan Link: https://patch.msgid.link/20241022-ad7380-fix-supplies-v3-1-f0cefe1b7fa6@baylibre.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit dd9e1cf619c945f320e686dcaf13e37ef0b05fdd Author: Zicheng Qu Date: Tue Oct 22 13:43:54 2024 +0000 staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() commit 6bd301819f8f69331a55ae2336c8b111fc933f3d upstream. In the ad9832_write_frequency() function, clk_get_rate() might return 0. This can lead to a division by zero when calling ad9832_calc_freqreg(). The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect against the case when fout is 0. The ad9832_write_frequency() function is called from ad9832_write(), and fout is derived from a text buffer, which can contain any value. Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/ Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver") Cc: stable@vger.kernel.org Signed-off-by: Zicheng Qu Reviewed-by: Nuno Sa Reviewed-by: Dan Carpenter Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 2ccd5badadab2d586e91546bf5af3deda07fef1f Author: Johannes Berg Date: Wed Oct 23 09:17:44 2024 +0200 wifi: iwlwifi: mvm: fix 6 GHz scan construction commit 7245012f0f496162dd95d888ed2ceb5a35170f1a upstream. If more than 255 colocated APs exist for the set of all APs found during 2.4/5 GHz scanning, then the 6 GHz scan construction will loop forever since the loop variable has type u8, which can never reach the number found when that's bigger than 255, and is stored in a u32 variable. Also move it into the loops to have a smaller scope. Using a u32 there is fine, we limit the number of APs in the scan list and each has a limit on the number of RNR entries due to the frame size. With a limit of 1000 scan results, a frame size upper bound of 4096 (really it's more like ~2300) and a TBTT entry size of at least 11, we get an upper bound for the number of ~372k, well in the bounds of a u32. Cc: stable@vger.kernel.org Fixes: eae94cf82d74 ("iwlwifi: mvm: add support for 6GHz") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219375 Link: https://patch.msgid.link/20241023091744.f4baed5c08a1.I8b417148bbc8c5d11c101e1b8f5bf372e17bf2a7@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 8af8294d369a871cdbcdbb4d13b87d2d6e490a1f Author: Ville Syrjälä Date: Tue Oct 1 23:07:45 2024 +0300 wifi: iwlegacy: Clear stale interrupts before resuming device commit 07c90acb071b9954e1fecb1e4f4f13d12c544b34 upstream. iwl4965 fails upon resume from hibernation on my laptop. The reason seems to be a stale interrupt which isn't being cleared out before interrupts are enabled. We end up with a race beween the resume trying to bring things back up, and the restart work (queued form the interrupt handler) trying to bring things down. Eventually the whole thing blows up. Fix the problem by clearing out any stale interrupts before interrupts get enabled during resume. Here's a debug log of the indicent: [ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000 [ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000 [ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio. [ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload [ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282 [ 12.052207] ieee80211 phy0: il4965_mac_start enter [ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff [ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready [ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions [ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S [ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm [ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm [ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK [ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations [ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up [ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done. [ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down [ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout [ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort [ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver [ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared [ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state [ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master [ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear. [ 12.058869] ieee80211 phy0: Hardware restart was requested [ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms. [ 16.132303] ------------[ cut here ]------------ [ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue. [ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev [ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143 [ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 [ 16.132463] Workqueue: async async_run_entry_fn [ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b [ 16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282 [ 16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001 [ 16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001 [ 16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003 [ 16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001 [ 16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92 [ 16.132515] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 [ 16.132517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 [ 16.132521] Call Trace: [ 16.132525] [ 16.132526] ? __warn+0x77/0x120 [ 16.132532] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132564] ? report_bug+0x15c/0x190 [ 16.132568] ? handle_bug+0x36/0x70 [ 16.132571] ? exc_invalid_op+0x13/0x60 [ 16.132573] ? asm_exc_invalid_op+0x16/0x20 [ 16.132579] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132611] ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core] [ 16.132617] ? pick_eevdf+0x133/0x1c0 [ 16.132622] ? check_preempt_wakeup_fair+0x70/0x90 [ 16.132626] ? wakeup_preempt+0x4a/0x60 [ 16.132628] ? ttwu_do_activate.isra.0+0x5a/0x190 [ 16.132632] wiphy_resume+0x79/0x1a0 [cfg80211] [ 16.132675] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] [ 16.132697] dpm_run_callback+0x75/0x1b0 [ 16.132703] device_resume+0x97/0x200 [ 16.132707] async_resume+0x14/0x20 [ 16.132711] async_run_entry_fn+0x1b/0xa0 [ 16.132714] process_one_work+0x13d/0x350 [ 16.132718] worker_thread+0x2be/0x3d0 [ 16.132722] ? cancel_delayed_work_sync+0x70/0x70 [ 16.132725] kthread+0xc0/0xf0 [ 16.132729] ? kthread_park+0x80/0x80 [ 16.132732] ret_from_fork+0x28/0x40 [ 16.132735] ? kthread_park+0x80/0x80 [ 16.132738] ret_from_fork_asm+0x11/0x20 [ 16.132741] [ 16.132742] ---[ end trace 0000000000000000 ]--- [ 16.132930] ------------[ cut here ]------------ [ 16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211] [ 16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev [ 16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G W 6.11.0-cl+ #143 [ 16.133018] Tainted: [W]=WARN [ 16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 [ 16.133021] Workqueue: async async_run_entry_fn [ 16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211] [ 16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e [ 16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246 [ 16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0 [ 16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0 [ 16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000 [ 16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60 [ 16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8 [ 16.133061] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 [ 16.133063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 [ 16.133067] Call Trace: [ 16.133069] [ 16.133070] ? __warn+0x77/0x120 [ 16.133075] ? drv_stop+0xe7/0xf0 [mac80211] [ 16.133098] ? report_bug+0x15c/0x190 [ 16.133100] ? handle_bug+0x36/0x70 [ 16.133103] ? exc_invalid_op+0x13/0x60 [ 16.133105] ? asm_exc_invalid_op+0x16/0x20 [ 16.133109] ? drv_stop+0xe7/0xf0 [mac80211] [ 16.133132] ieee80211_do_stop+0x55a/0x810 [mac80211] [ 16.133161] ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel] [ 16.133164] ieee80211_stop+0x4f/0x180 [mac80211] [ 16.133192] __dev_close_many+0xa2/0x120 [ 16.133195] dev_close_many+0x90/0x150 [ 16.133198] dev_close+0x5d/0x80 [ 16.133200] cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211] [ 16.133223] wiphy_resume+0xb2/0x1a0 [cfg80211] [ 16.133247] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] [ 16.133269] dpm_run_callback+0x75/0x1b0 [ 16.133273] device_resume+0x97/0x200 [ 16.133277] async_resume+0x14/0x20 [ 16.133280] async_run_entry_fn+0x1b/0xa0 [ 16.133283] process_one_work+0x13d/0x350 [ 16.133287] worker_thread+0x2be/0x3d0 [ 16.133290] ? cancel_delayed_work_sync+0x70/0x70 [ 16.133294] kthread+0xc0/0xf0 [ 16.133296] ? kthread_park+0x80/0x80 [ 16.133299] ret_from_fork+0x28/0x40 [ 16.133302] ? kthread_park+0x80/0x80 [ 16.133304] ret_from_fork_asm+0x11/0x20 [ 16.133307] [ 16.133308] ---[ end trace 0000000000000000 ]--- [ 16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110 [ 16.133360] ieee80211 phy0: PM: failed to restore async: error -110 Cc: stable@vger.kernel.org Cc: Stanislaw Gruszka Cc: Kalle Valo Cc: linux-wireless@vger.kernel.org Signed-off-by: Ville Syrjälä Acked-by: Stanislaw Gruszka Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20241001200745.8276-1-ville.syrjala@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 64e4c45d23cd7f6167f69cc2d2877bc7f54292e5 Author: Johannes Berg Date: Tue Oct 22 16:17:42 2024 +0200 wifi: cfg80211: clear wdev->cqm_config pointer on free commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream. When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free. Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 2f6f1e26ac6d2b38e2198a71f81f0ade14d6b07b Author: Manikanta Pubbisetty Date: Tue Oct 15 12:11:03 2024 +0530 wifi: ath10k: Fix memory leak in management tx commit e15d84b3bba187aa372dff7c58ce1fd5cb48a076 upstream. In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic. Kmemleak reports this problem as below, unreferenced object 0xffffff80b64ed250 (size 16): comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s) hex dump (first 16 bytes): 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t...... backtrace: [] __kmem_cache_alloc_node+0x1e4/0x2d8 [] kmalloc_trace+0x48/0x110 [] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core] [] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core] [] process_scheduled_works+0x1ac/0x400 [] worker_thread+0x208/0x328 [] kthread+0x100/0x1c0 [] ret_from_fork+0x10/0x20 Free the memory during completion and cleanup to fix the leak. Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") Fixes: c730c477176a ("ath10k: Remove msdu from idr when management pkt send fails") Cc: stable@vger.kernel.org Signed-off-by: Manikanta Pubbisetty Link: https://patch.msgid.link/20241015064103.6060-1-quic_mpubbise@quicinc.com Signed-off-by: Jeff Johnson Signed-off-by: Greg Kroah-Hartman commit 3ccf525a73d48e814634847f6d4a6150c6f0dffc Author: Felix Fietkau Date: Wed Oct 2 11:56:30 2024 +0200 wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower commit 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 upstream. Avoid potentially crashing in the driver because of uninitialized private data Fixes: 5b3dc42b1b0d ("mac80211: add support for driver tx power reporting") Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau Link: https://patch.msgid.link/20241002095630.22431-1-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit ab40406051d7c1045c2845a2caca0fd50adbb1d6 Author: Edward Liaw Date: Fri Oct 18 17:17:23 2024 +0000 Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" commit 3673167a3a07f25b3f06754d69f406edea65543a upstream. This reverts commit e61ef21e27e8deed8c474e9f47f4aa7bc37e138c. uffd_poll_thread may be called by other tests that do not initialize the pthread_barrier, so this approach is not correct. This will revert to using atomic_bool instead. Link: https://lkml.kernel.org/r/20241018171734.2315053-3-edliaw@google.com Fixes: e61ef21e27e8 ("selftests/mm: replace atomic_bool with pthread_barrier_t") Signed-off-by: Edward Liaw Cc: Ryan Roberts Cc: Peter Xu Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 71080d3032a7be4e4c96fe51a2df22155a140d1f Author: Edward Liaw Date: Fri Oct 18 17:17:22 2024 +0000 Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" commit 5bb1f4c9340e01003b00b94d539eadb0da88f48e upstream. Patch series "selftests/mm: revert pthread_barrier change" On Android arm, pthread_create followed by a fork caused a deadlock in the case where the fork required work to be completed by the created thread. The previous patches incorrectly assumed that the parent would always initialize the pthread_barrier for the child thread. This reverts the change and replaces the fix for wp-fork-with-event with the original use of atomic_bool. This patch (of 3): This reverts commit e142cc87ac4ec618f2ccf5f68aedcd6e28a59d9d. fork_event_consumer may be called by other tests that do not initialize the pthread_barrier, so this approach is not correct. The subsequent patch will revert to using atomic_bool instead. Link: https://lkml.kernel.org/r/20241018171734.2315053-1-edliaw@google.com Link: https://lkml.kernel.org/r/20241018171734.2315053-2-edliaw@google.com Fixes: e142cc87ac4e ("fix deadlock for fork after pthread_create on ARM") Signed-off-by: Edward Liaw Cc: Ryan Roberts Cc: Peter Xu Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 63b0068ff24be9655714f501e0699f8dd6dcf22c Author: Ovidiu Bunea Date: Fri Oct 11 11:12:19 2024 -0400 Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" commit 1b6063a57754eae5705753c01e78dc268b989038 upstream. This reverts commit 9dad21f910fc ("drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35") [why & how] The offending commit exposes a hang with lid close/open behavior. Both issues seem to be related to ODM 2:1 mode switching, so there is another issue generic to that sequence that needs to be investigated. Cc: Mario Limonciello Cc: Alex Deucher Reviewed-by: Nicholas Kazlauskas Signed-off-by: Ovidiu Bunea Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit 68bf95317ebf2cfa7105251e4279e951daceefb7) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit cfc72b86fa20cbf44d2b6cc27b35eb15080232ab Author: Greg Kroah-Hartman Date: Tue Oct 29 01:23:04 2024 +0100 Revert "driver core: Fix uevent_show() vs driver detach race" commit 9a71892cbcdb9d1459c84f5a4c722b14354158a5 upstream. This reverts commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c. This commit causes a regression, so revert it for now until it can come back in a way that works for everyone. Link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/ Fixes: 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race") Cc: stable Cc: Ashish Sangwan Cc: Namjae Jeon Cc: Dirk Behme Cc: Greg Kroah-Hartman Cc: Rafael J. Wysocki Cc: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 23cb8d8d52b3e9599b8547853767c11b3a750438 Author: Basavaraj Natikar Date: Thu Oct 24 19:07:18 2024 +0530 xhci: Use pm_runtime_get to prevent RPM on unsupported systems commit 31004740e42846a6f0bb255e6348281df3eb8032 upstream. Use pm_runtime_put in the remove function and pm_runtime_get to disable RPM on platforms that don't support runtime D3, as re-enabling it through sysfs auto power control may cause the controller to malfunction. This can lead to issues such as hotplug devices not being detected due to failed interrupt generation. Fixes: a5d6264b638e ("xhci: Enable RPM on controllers that support low-power states") Cc: stable Signed-off-by: Basavaraj Natikar Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20241024133718.723846-1-Basavaraj.Natikar@amd.com Signed-off-by: Greg Kroah-Hartman commit 010e31f522bdf3b783272fd2153e75f729cd7c54 Author: Faisal Hassan Date: Tue Oct 22 21:26:31 2024 +0530 xhci: Fix Link TRB DMA in command ring stopped completion event commit 075919f6df5dd82ad0b1894898b315fbb3c29b84 upstream. During the aborting of a command, the software receives a command completion event for the command ring stopped, with the TRB pointing to the next TRB after the aborted command. If the command we abort is located just before the Link TRB in the command ring, then during the 'command ring stopped' completion event, the xHC gives the Link TRB in the event's cmd DMA, which causes a mismatch in handling command completion event. To address this situation, move the 'command ring stopped' completion event check slightly earlier, since the specific command it stopped on isn't of significant concern. Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.") Cc: stable@vger.kernel.org Signed-off-by: Faisal Hassan Acked-by: Mathias Nyman Link: https://lore.kernel.org/r/20241022155631.1185-1-quic_faisalh@quicinc.com Signed-off-by: Greg Kroah-Hartman commit c7086dc0539b1b2b61c8c735186698bca4858246 Author: Johan Hovold Date: Wed Sep 11 13:52:52 2024 +0200 phy: qcom: qmp-usbc: fix NULL-deref on runtime suspend commit 34c21f94fa1e147a19b54b6adf0c93a623b70dd8 upstream. Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usbc driver. Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend. Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers. Fixes: 19281571a4d5 ("phy: qcom: qmp-usb: split USB-C PHY driver") Cc: stable@vger.kernel.org # 6.9 Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240911115253.10920-4-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit b1cffd00daa9cf499b49a0da698eff5032914f6e Author: Johan Hovold Date: Wed Sep 11 13:52:51 2024 +0200 phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend commit 29240130ab77c80bea1464317ae2a5fd29c16a0c upstream. Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usb-legacy driver. Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend. Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers. Fixes: e464a3180a43 ("phy: qcom-qmp-usb: split off the legacy USB+dp_com support") Cc: stable@vger.kernel.org # 6.6 Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240911115253.10920-3-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 5ebde521fbb9a813b993d4436329a3ca0eeb6574 Author: Johan Hovold Date: Wed Sep 11 13:52:50 2024 +0200 phy: qcom: qmp-usb: fix NULL-deref on runtime suspend commit bd9e4d4a3b127686efc60096271b0a44c3100061 upstream. Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend. Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with this driver. Fixes: 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") Cc: stable@vger.kernel.org # 6.2 Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240911115253.10920-2-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 7a97ae31840b7058254fa7297f16ea91439ab1c0 Author: Javier Carrasco Date: Sun Oct 20 14:56:35 2024 +0200 usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path commit b8423a2f5814dbf055ed7c41f25bfe91c2066cbe upstream. If drm_dp_hpd_bridge_register() fails, the probe function returns without removing the fwnode via fwnode_handle_put(), leaking the resource. Jump to fwnode_remove if drm_dp_hpd_bridge_register() fails to remove the fwnode acquired with device_get_named_child_node(). Cc: stable@vger.kernel.org Fixes: 7d9f1b72b296 ("usb: typec: qcom-pmic-typec: switch to DRM_AUX_HPD_BRIDGE") Signed-off-by: Javier Carrasco Reviewed-by: Dmitry Baryshkov Acked-by: Bryan O'Donoghue Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20241020-qcom_pmic_typec-fwnode_remove-v2-2-7054f3d2e215@gmail.com Signed-off-by: Greg Kroah-Hartman commit 61640b660437f4912b43087bbb1eca8851cde1f3 Author: Javier Carrasco Date: Sun Oct 20 14:56:34 2024 +0200 usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes commit 7f02b8a5b602098f2901166e7e4d583acaed872a upstream. The right function to release a fwnode acquired via device_get_named_child_node() is fwnode_handle_put(), and not fwnode_remove_software_node(), as no software node is being handled. Replace the calls to fwnode_remove_software_node() with fwnode_handle_put() in qcom_pmic_typec_probe() and qcom_pmic_typec_remove(). Cc: stable@vger.kernel.org Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") Suggested-by: Dmitry Baryshkov Signed-off-by: Javier Carrasco Acked-by: Bryan O'Donoghue Reviewed-by: Heikki Krogerus Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241020-qcom_pmic_typec-fwnode_remove-v2-1-7054f3d2e215@gmail.com Signed-off-by: Greg Kroah-Hartman commit 1bdb24c9ddffb5be6f4de172f2af1e3f86b86bb2 Author: Amit Sunil Dhamne Date: Wed Oct 23 19:22:30 2024 -0700 usb: typec: tcpm: restrict SNK_WAIT_CAPABILITIES_TIMEOUT transitions to non self-powered devices commit afb92ad8733ef0a2843cc229e4d96aead80bc429 upstream. PD3.1 spec ("8.3.3.3.3 PE_SNK_Wait_for_Capabilities State") mandates that the policy engine perform a hard reset when SinkWaitCapTimer expires. Instead the code explicitly does a GET_SOURCE_CAP when the timer expires as part of SNK_WAIT_CAPABILITIES_TIMEOUT. Due to this the following compliance test failures are reported by the compliance tester (added excerpts from the PD Test Spec): * COMMON.PROC.PD.2#1: The Tester receives a Get_Source_Cap Message from the UUT. This message is valid except the following conditions: [COMMON.PROC.PD.2#1] a. The check fails if the UUT sends this message before the Tester has established an Explicit Contract ... * TEST.PD.PROT.SNK.4: ... 4. The check fails if the UUT does not send a Hard Reset between tTypeCSinkWaitCap min and max. [TEST.PD.PROT.SNK.4#1] The delay is between the VBUS present vSafe5V min and the time of the first bit of Preamble of the Hard Reset sent by the UUT. For the purpose of interoperability, restrict the quirk introduced in https://lore.kernel.org/all/20240523171806.223727-1-sebastian.reichel@collabora.com/ to only non self-powered devices as battery powered devices will not have the issue mentioned in that commit. Cc: stable@vger.kernel.org Fixes: 122968f8dda8 ("usb: typec: tcpm: avoid resets for missing source capability messages") Reported-by: Badhri Jagan Sridharan Closes: https://lore.kernel.org/all/CAPTae5LAwsVugb0dxuKLHFqncjeZeJ785nkY4Jfd+M-tCjHSnQ@mail.gmail.com/ Signed-off-by: Amit Sunil Dhamne Reviewed-by: Badhri Jagan Sridharan Reviewed-by: Heikki Krogerus Tested-by: Xu Yang Reviewed-by: Sebastian Reichel Link: https://lore.kernel.org/r/20241024022233.3276995-1-amitsd@google.com Signed-off-by: Greg Kroah-Hartman commit 966cab9c2ec5a39324d0df059fc6a2214518d66f Author: Javier Carrasco Date: Mon Oct 21 22:45:29 2024 +0200 usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() commit 9581acb91eaf5bbe70086bbb6fca808220d358ba upstream. The 'altmodes_node' fwnode_handle is never released after it is no longer required, which leaks the resource. Add the required call to fwnode_handle_put() when 'altmodes_node' is no longer required. Cc: stable@vger.kernel.org Fixes: 7b458a4c5d73 ("usb: typec: Add typec_port_register_altmodes()") Reviewed-by: Heikki Krogerus Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20241021-typec-class-fwnode_handle_put-v2-1-3281225d3d27@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7a7cf0755d3ec16a1e83a9e26637f4bf08905b72 Author: Zijun Hu Date: Sun Oct 20 17:33:42 2024 +0800 usb: phy: Fix API devm_usb_put_phy() can not release the phy commit fdce49b5da6e0fb6d077986dec3e90ef2b094b50 upstream. For devm_usb_put_phy(), its comment says it needs to invoke usb_put_phy() to release the phy, but it does not do that actually, so it can not fully undo what the API devm_usb_get_phy() does, that is wrong, fixed by using devres_release() instead of devres_destroy() within the API. Fixes: cedf8602373a ("usb: phy: move bulk of otg/otg.c to phy/phy.c") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241020-usb_phy_fix-v1-1-7f79243b8e1e@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 367ab611eccb9b5e1f8c1bfe32da400c3f476100 Author: Zongmin Zhou Date: Thu Oct 24 10:27:00 2024 +0800 usbip: tools: Fix detach_port() invalid port error path commit e7cd4b811c9e019f5acbce85699c622b30194c24 upstream. The detach_port() doesn't return error when detach is attempted on an invalid port. Fixes: 40ecdeb1a187 ("usbip: usbip_detach: fix to check for invalid ports") Cc: stable@vger.kernel.org Reviewed-by: Hongren Zheng Reviewed-by: Shuah Khan Signed-off-by: Zongmin Zhou Link: https://lore.kernel.org/r/20241024022700.1236660-1-min_halo@163.com Signed-off-by: Greg Kroah-Hartman commit 1ab5c371a6415ac7e0c74b01c985c5dea754de46 Author: Bitterblue Smith Date: Thu Oct 10 18:34:43 2024 +0300 wifi: rtlwifi: rtl8192du: Don't claim USB ID 0bda:8171 commit a95d28a8a2f76c591a195c06ea15f5b15c66c3d1 upstream. This ID appears to be RTL8188SU, not RTL8192DU. This is the wrong driver for RTL8188SU. The r8712u driver from staging handles this ID. I think this ID comes from the original rtl8192du driver from Realtek. I don't know if they added it by mistake, or it was actually used for two different chips. RTL8188SU with this ID exists in the wild. RTL8192DU with this ID probably doesn't. Fixes: b5dc8873b6ff ("wifi: rtlwifi: Add rtl8192du/sw.c") Cc: stable@vger.kernel.org # v6.11 Closes: https://github.com/lwfinger/rtl8192du/issues/105 Signed-off-by: Bitterblue Smith Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://patch.msgid.link/40245564-41fe-4a5e-881f-cd517255b20a@gmail.com Signed-off-by: Greg Kroah-Hartman commit 94af35a934b4e07cb1af0a5820c864ccf317f244 Author: Jan Schär Date: Tue Oct 29 23:12:49 2024 +0100 ALSA: usb-audio: Add quirks for Dell WD19 dock commit 4413665dd6c528b31284119e3571c25f371e1c36 upstream. The WD19 family of docks has the same audio chipset as the WD15. This change enables jack detection on the WD19. We don't need the dell_dock_mixer_init quirk for the WD19. It is only needed because of the dell_alc4020_map quirk for the WD15 in mixer_maps.c, which disables the volume controls. Even for the WD15, this quirk was apparently only needed when the dock firmware was not updated. Signed-off-by: Jan Schär Cc: Link: https://patch.msgid.link/20241029221249.15661-1-jan@jschaer.ch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 36b7f5a4f300d038270324640ff7c1399245159d Author: Chuck Lever Date: Wed Oct 30 16:11:30 2024 -0400 rpcrdma: Always release the rpcrdma_device's xa_array [ Upstream commit 63a81588cd2025e75fbaf30b65930b76825c456f ] Dai pointed out that the xa_init_flags() in rpcrdma_add_one() needs to have a matching xa_destroy() in rpcrdma_remove_one() to release underlying memory that the xarray might have accrued during operation. Reported-by: Dai Ngo Fixes: 7e86845a0346 ("rpcrdma: Implement generic device removal") Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 1421883aa30c5d26bc3370e2d19cb350f0d5ca28 Author: Chuck Lever Date: Tue Oct 29 15:27:19 2024 -0400 NFSD: Never decrement pending_async_copies on error [ Upstream commit 8286f8b622990194207df9ab852e0f87c60d35e9 ] The error flow in nfsd4_copy() calls cleanup_async_copy(), which already decrements nn->pending_async_copies. Reported-by: Olga Kornievskaia Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations") Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit e30a9a2f69c34a00a3cb4fd45c5d231929e66fb1 Author: Chuck Lever Date: Sat Oct 26 12:02:38 2024 -0400 NFSD: Initialize struct nfsd4_copy earlier [ Upstream commit 63fab04cbd0f96191b6e5beedc3b643b01c15889 ] Ensure the refcount and async_copies fields are initialized early. cleanup_async_copy() will reference these fields if an error occurs in nfsd4_copy(). If they are not correctly initialized, at the very least, a refcount underflow occurs. Reported-by: Olga Kornievskaia Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations") Reviewed-by: Jeff Layton Tested-by: Olga Kornievskaia Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 4301a6db1be14f760e03e7dbd55d1e7b59eb752f Author: Dimitri Sivanich Date: Thu Sep 19 07:34:50 2024 -0500 misc: sgi-gru: Don't disable preemption in GRU driver [ Upstream commit b983b271662bd6104d429b0fd97af3333ba760bf ] Disabling preemption in the GRU driver is unnecessary, and clashes with sleeping locks in several code paths. Remove preempt_disable and preempt_enable from the GRU driver. Signed-off-by: Dimitri Sivanich Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b9a82e47f897f9e81875c08428d2de1f42256538 Author: Dai Ngo Date: Tue Oct 8 15:58:07 2024 -0700 NFS: remove revoked delegation from server's delegation list [ Upstream commit 7ef60108069b7e3cc66432304e1dd197d5c0a9b5 ] After the delegation is returned to the NFS server remove it from the server's delegations list to reduce the time it takes to scan this list. Network trace captured while running the below script shows the time taken to service the CB_RECALL increases gradually due to the overhead of traversing the delegation list in nfs_delegation_find_inode_server. The NFS server in this test is a Solaris server which issues CB_RECALL when receiving the all-zero stateid in the SETATTR. mount=/mnt/data for i in $(seq 1 20) do echo $i mkdir $mount/testtarfile$i time tar -C $mount/testtarfile$i -xf 5000_files.tar done Signed-off-by: Dai Ngo Reviewed-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 0edeb33dbbfa025e8576ab6649127c9cad537035 Author: Daniel Palmer Date: Mon Oct 7 19:43:17 2024 +0900 net: amd: mvme147: Fix probe banner message [ Upstream commit 82c5b53140faf89c31ea2b3a0985a2f291694169 ] Currently this driver prints this line with what looks like a rogue format specifier when the device is probed: [ 2.840000] eth%d: MVME147 at 0xfffe1800, irq 12, Hardware Address xx:xx:xx:xx:xx:xx Change the printk() for netdev_info() and move it after the registration has completed so it prints out the name of the interface properly. Signed-off-by: Daniel Palmer Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d723413c8e56e578730e9d90cc864e7bbc66c3d9 Author: Zhang Rui Date: Mon Sep 30 16:18:01 2024 +0800 thermal: intel: int340x: processor: Add MMIO RAPL PL4 support [ Upstream commit 3fb0eea8a1c4be5884e0731ea76cbd3ce126e1f3 ] Similar to the MSR RAPL interface, MMIO RAPL supports PL4 too, so add MMIO RAPL PL4d support to the processor_thermal driver. As a result, the powercap sysfs for MMIO RAPL will show a new "peak power" constraint. Signed-off-by: Zhang Rui Reviewed-by: Srinivas Pandruvada Link: https://patch.msgid.link/20240930081801.28502-7-rui.zhang@intel.com [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c860bf89e410bbb6643ef888296a43d95f42dfd1 Author: Zhang Rui Date: Mon Sep 30 16:18:00 2024 +0800 thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support [ Upstream commit bfc6819e4bf56a55df6178f93241b5845ad672eb ] CPU0/package0 is always online and the MMIO RAPL driver runs on single package systems only, so there is no need to handle CPU hotplug in it. Always register a RAPL package device for package 0 and remove the unnecessary CPU hotplug support. Signed-off-by: Zhang Rui Reviewed-by: Srinivas Pandruvada Link: https://patch.msgid.link/20240930081801.28502-6-rui.zhang@intel.com [ rjw: Subject edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 7bef760bf1a7d86ab0013280aac5db26c2d67c00 Author: Sumeet Pawnikar Date: Mon Sep 30 16:17:59 2024 +0800 powercap: intel_rapl_msr: Add PL4 support for Arrowlake-U [ Upstream commit f517ff174ab79dd59f538a9aa2770cd3ee6dd48b ] Add PL4 support for ArrowLake-U platform. Signed-off-by: Sumeet Pawnikar Signed-off-by: Zhang Rui Reviewed-by: Srinivas Pandruvada Link: https://patch.msgid.link/20240930081801.28502-5-rui.zhang@intel.com Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 5f1c6a6baa7cc740de23b645e05a39aea0ceeaf8 Author: Hans de Goede Date: Sat Oct 5 23:28:19 2024 +0200 ACPI: resource: Fold Asus Vivobook Pro N6506M* DMI quirks together [ Upstream commit 1af7e441feb08cdaab8f4a320577ed0bba1f5896 ] Asus Vivobook Pro 15 OLED comes in 3 N6506M* models: N6506MU: Intel Ultra 9 185H, 3K OLED, RTX4060 N6506MV: Intel Ultra 7 155H, 3K OLED, RTX4050 N6506MJ: Intel Ultra 7 155H, FHD OLED, RTX3050 Fold the 3 DMI quirks for these into a single quirk to reduce the number of quirks. Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241005212819.354681-5-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c4b370bdef9b1742d1c120fb04fb00e1979171d2 Author: Pali Rohár Date: Sat Oct 5 16:02:56 2024 +0200 cifs: Fix creating native symlinks pointing to current or parent directory [ Upstream commit 63271b7d569fbe924bccc7dadc17d3d07a4e5f7a ] Calling 'ln -s . symlink' or 'ln -s .. symlink' creates symlink pointing to some object name which ends with U+F029 unicode codepoint. This is because trailing dot in the object name is replaced by non-ASCII unicode codepoint. So Linux SMB client currently is not able to create native symlink pointing to current or parent directory on Windows SMB server which can be read by either on local Windows server or by any other SMB client which does not implement compatible-reverse character replacement. Fix this problem in cifsConvertToUTF16() function which is doing that character replacement. Function comment already says that it does not need to handle special cases '.' and '..', but after introduction of native symlinks in reparse point form, this handling is needed. Note that this change depends on the previous change "cifs: Improve creating native symlinks pointing to directory". Signed-off-by: Pali Rohár Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 11dd609f2f162b14975b568baadce3b29f3bbbf4 Author: Pali Rohár Date: Sat Oct 5 16:02:55 2024 +0200 cifs: Improve creating native symlinks pointing to directory [ Upstream commit 3eb40512530e4f64f819d8e723b6f41695dace5a ] SMB protocol for native symlinks distinguish between symlink to directory and symlink to file. These two symlink types cannot be exchanged, which means that symlink of file type pointing to directory cannot be resolved at all (and vice-versa). Windows follows this rule for local filesystems (NTFS) and also for SMB. Linux SMB client currenly creates all native symlinks of file type. Which means that Windows (and some other SMB clients) cannot resolve symlinks pointing to directory created by Linux SMB client. As Linux system does not distinguish between directory and file symlinks, its API does not provide enough information for Linux SMB client during creating of native symlinks. Add some heuristic into the Linux SMB client for choosing the correct symlink type during symlink creation. Check if the symlink target location ends with slash, or last path component is dot or dot-dot, and check if the target location on SMB share exists and is a directory. If at least one condition is truth then create a new SMB symlink of directory type. Otherwise create it as file type symlink. This change improves interoperability with Windows systems. Windows systems would be able to resolve more SMB symlinks created by Linux SMB client which points to existing directory. Signed-off-by: Pali Rohár Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 90d2ab1944cf0fb376940e6a76185db729c8f1f1 Author: Benjamin Marzinski Date: Tue Sep 17 19:06:43 2024 -0400 scsi: scsi_transport_fc: Allow setting rport state to current state [ Upstream commit d539a871ae47a1f27a609a62e06093fa69d7ce99 ] The only input fc_rport_set_marginal_state() currently accepts is "Marginal" when port_state is "Online", and "Online" when the port_state is "Marginal". It should also allow setting port_state to its current state, either "Marginal or "Online". Signed-off-by: Benjamin Marzinski Link: https://lore.kernel.org/r/20240917230643.966768-1-bmarzins@redhat.com Reviewed-by: Ewan D. Milne Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bc65004fe28f27966a85662b082d40ab3aec6780 Author: Guilherme Giacomo Simoes Date: Tue Oct 1 17:56:03 2024 -0300 rust: device: change the from_raw() function [ Upstream commit cc4332afb5631b0e9d2ce5699b7f4b7caf743526 ] The function Device::from_raw() increments a refcount by a call to bindings::get_device(ptr). This can be confused because usually from_raw() functions don't increment a refcount. Hence, rename Device::from_raw() to avoid confuion with other "from_raw" semantics. The new name of function should be "get_device" to be consistent with the function get_device() already exist in .c files. This function body also changed, because the `into()` will convert the `&'a Device` into `ARef` and also call `inc_ref` from the `AlwaysRefCounted` trait implemented for Device. Signed-off-by: Guilherme Giacomo Simoes Acked-by: Danilo Krummrich Closes: https://github.com/Rust-for-Linux/linux/issues/1088 Reviewed-by: Boqun Feng Link: https://lore.kernel.org/r/20241001205603.106278-1-trintaeoitogc@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 82685eb6ca1db2bd11190451085bcb86ed03aa24 Author: Konstantin Komarov Date: Wed Sep 4 12:57:31 2024 +0300 fs/ntfs3: Additional check in ntfs_file_release [ Upstream commit 031d6f608290c847ba6378322d0986d08d1a645a ] Reported-by: syzbot+8c652f14a0fde76ff11d@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 8e87c9aa8cf92cfceaff0aab244318bbb8b35137 Author: Konstantin Komarov Date: Fri Aug 30 13:50:18 2024 +0300 fs/ntfs3: Fix general protection fault in run_is_mapped_full [ Upstream commit a33fb016e49e37aafab18dc3c8314d6399cb4727 ] Fixed deleating of a non-resident attribute in ntfs_create_inode() rollback. Reported-by: syzbot+9af29acd8f27fbce94bc@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 80824967ec714dda02cd79091aa186bbc16c5cf3 Author: Konstantin Komarov Date: Mon Sep 9 15:39:10 2024 +0300 fs/ntfs3: Additional check in ni_clear() [ Upstream commit d178944db36b3369b78a08ba520de109b89bf2a9 ] Checking of NTFS_FLAGS_LOG_REPLAYING added to prevent access to uninitialized bitmap during replay process. Reported-by: syzbot+3bfd2cc059ab93efcdb4@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit f1bc362fe978952a9304bd0286788b0ae7724f14 Author: Konstantin Komarov Date: Wed Aug 28 11:55:53 2024 +0300 fs/ntfs3: Fix possible deadlock in mi_read [ Upstream commit 03b097099eef255fbf85ea6a786ae3c91b11f041 ] Mutex lock with another subclass used in ni_lock_dir(). Reported-by: syzbot+bc7ca0ae4591cb2550f9@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 2fcae4c2014a40c8ae0fc3d8cca3ba9e168308de Author: Konstantin Komarov Date: Mon Aug 19 16:26:59 2024 +0300 fs/ntfs3: Add rough attr alloc_size check [ Upstream commit c4a8ba334262e9a5c158d618a4820e1b9c12495c ] Reported-by: syzbot+c6d94bedd910a8216d25@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 13af57e93790baef78528cdbcfb3dbed08ac5312 Author: Konstantin Komarov Date: Thu Aug 22 14:43:32 2024 +0300 fs/ntfs3: Stale inode instead of bad [ Upstream commit 1fd21919de6de245b63066b8ee3cfba92e36f0e9 ] Fixed the logic of processing inode with wrong sequence number. Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit dac63bea0498951dfd5a4a86e40cdb57ceddc48f Author: Konstantin Komarov Date: Mon Aug 19 16:26:22 2024 +0300 fs/ntfs3: Fix warning possible deadlock in ntfs_set_state [ Upstream commit 5b2db723455a89dc96743d34d8bdaa23a402db2f ] Use non-zero subkey to skip analyzer warnings. Signed-off-by: Konstantin Komarov Reported-by: syzbot+c2ada45c23d98d646118@syzkaller.appspotmail.com Signed-off-by: Sasha Levin commit 4a4727bc582832f354e0d3d49838a401a28ae25e Author: Andrew Ballance Date: Wed May 15 07:38:33 2024 -0500 fs/ntfs3: Check if more than chunk-size bytes are written [ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ] A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 809f9b419c75f8042c58434d2bfe849140643e9d Author: lei lu Date: Fri Aug 23 21:39:44 2024 +0800 ntfs3: Add bounds checking to mi_enum_attr() [ Upstream commit 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 ] Added bounds checking to make sure that every attr don't stray beyond valid memory region. Signed-off-by: lei lu Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 65288f627215b62e9db859e600dff64957582af6 Author: Boris Brezillon Date: Tue Oct 29 16:29:11 2024 +0100 drm/panthor: Report group as timedout when we fail to properly suspend [ Upstream commit 4700fd3e050da8302e60ebd4850d008250fa7204 ] If we don't do that, the group is considered usable by userspace, but all further GROUP_SUBMIT will fail with -EINVAL. Changes in v3: - Add R-bs Changes in v2: - New patch Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block") Signed-off-by: Boris Brezillon Reviewed-by: Steven Price Reviewed-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20241029152912.270346-3-boris.brezillon@collabora.com Signed-off-by: Sasha Levin commit 06b61bc3acd135aaceda94a7d25057266727487e Author: Boris Brezillon Date: Tue Oct 29 16:29:10 2024 +0100 drm/panthor: Fail job creation when the group is dead [ Upstream commit 412a2a8fdd4eb89b263623c7a59b77dbfcf8f215 ] Userspace can use GROUP_SUBMIT errors as a trigger to check the group state and recreate the group if it became unusable. Make sure we report an error when the group became unusable. Changes in v3: - None Changes in v2: - Add R-bs Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block") Signed-off-by: Boris Brezillon Reviewed-by: Steven Price Reviewed-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20241029152912.270346-2-boris.brezillon@collabora.com Signed-off-by: Sasha Levin commit 429fd1fb0f34a72e4740a9b428d91c2cca68c240 Author: Boris Brezillon Date: Wed Oct 30 16:02:31 2024 +0100 drm/panthor: Fix firmware initialization on systems with a page size > 4k [ Upstream commit 5d01b56f0518d80211812420a8907ca0b6c6e4e3 ] The system and GPU MMU page size might differ, which becomes a problem for FW sections that need to be mapped at explicit addresses since our PAGE_SIZE alignment might cover a VA range that's expected to be used for another section. Make sure we never map more than we need. Changes in v3: - Add R-bs Changes in v2: - Plan for per-VM page sizes so the MCU VM and user VM can have different pages sizes Fixes: 2718d91816ee ("drm/panthor: Add the FW logical block") Signed-off-by: Boris Brezillon Reviewed-by: Steven Price Reviewed-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20241030150231.768949-1-boris.brezillon@collabora.com Signed-off-by: Sasha Levin commit 27ef26b8756f1152a5deedad72aa532a3e2122d2 Author: Keith Busch Date: Wed Oct 23 08:40:26 2024 -0700 nvme: module parameter to disable pi with offsets [ Upstream commit 42ab37eaad17aee458489c553a367621ee04e0bc ] A recent commit enables integrity checks for formats the previous kernel versions registered with the "nop" integrity profile. This means namespaces using that format become unreadable when upgrading the kernel past that commit. Introduce a module parameter to restore the "nop" integrity profile so that storage can be readable once again. This could be a boot device, so the setting needs to happen at module load time. Fixes: 921e81db524d17 ("nvme: allow integrity when PI is not in first bytes") Reported-by: David Wei Reviewed-by: Christoph Hellwig Reviewed-by: Kanchan Joshi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 8803132f857d1959f99c6ef98cf74776a52987e4 Author: Jason Gunthorpe Date: Wed Oct 16 20:52:33 2024 -0300 PCI: Fix pci_enable_acs() support for the ACS quirks [ Upstream commit f3c3ccc4fe49dbc560b01d16bebd1b116c46c2b4 ] There are ACS quirks that hijack the normal ACS processing and deliver to to special quirk code. The enable path needs to call pci_dev_specific_enable_acs() and then pci_dev_specific_acs_enabled() will report the hidden ACS state controlled by the quirk. The recent rework got this out of order and we should try to call pci_dev_specific_enable_acs() regardless of any actual ACS support in the device. As before command line parameters that effect standard PCI ACS don't interact with the quirk versions, including the new config_acs= option. Link: https://lore.kernel.org/r/0-v1-f96b686c625b+124-pci_acs_quirk_fix_jgg@nvidia.com Fixes: 47c8846a49ba ("PCI: Extend ACS configurability") Reported-by: Jiri Slaby Closes: https://lore.kernel.org/all/e89107da-ac99-4d3a-9527-a4df9986e120@kernel.org Closes: https://bugzilla.suse.com/show_bug.cgi?id=1229019 Tested-by: Steffen Dirkwinkel Signed-off-by: Jason Gunthorpe Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 9038aa25d153253e21887523c54ec4f462473894 Author: Shiju Jose Date: Mon Oct 14 15:30:03 2024 +0100 cxl/events: Fix Trace DRAM Event Record [ Upstream commit 53ab8678e7180834be29cf56cd52825fc3427c02 ] CXL spec rev 3.0 section 8.2.9.2.1.2 defines the DRAM Event Record. Fix decode memory event type field of DRAM Event Record. For e.g. if value is 0x1 it will be reported as an Invalid Address (General Media Event Record - Memory Event Type) instead of Scrub Media ECC Error (DRAM Event Record - Memory Event Type) and so on. Fixes: 2d6c1e6d60ba ("cxl/mem: Trace DRAM Event Record") Signed-off-by: Shiju Jose Link: https://patch.msgid.link/20241014143003.1170-1-shiju.jose@huawei.com Signed-off-by: Ira Weiny Signed-off-by: Sasha Levin commit 6d6c005855b97b8caf6039c1774745ee74c91fa6 Author: Dan Carpenter Date: Fri Sep 13 17:34:54 2024 +0300 drm/tegra: Fix NULL vs IS_ERR() check in probe() [ Upstream commit a85df8c7b5ee2d3d4823befada42c5c41aff4cb0 ] The iommu_paging_domain_alloc() function doesn't return NULL pointers, it returns error pointers. Update the check to match. Fixes: 45c690aea8ee ("drm/tegra: Use iommu_paging_domain_alloc()") Signed-off-by: Dan Carpenter Reviewed-by: Lu Baolu Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/ba31cf3a-af3d-4ff1-87a8-f05aaf8c780b@stanley.mountain Signed-off-by: Sasha Levin commit c60583a87cb4a85b69d1f448f0be5eb6ec62cbb2 Author: Dan Carpenter Date: Thu Sep 12 11:44:59 2024 +0300 drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy() [ Upstream commit 4018651ba5c409034149f297d3dd3328b91561fd ] In mtk_crtc_create(), if the call to mbox_request_channel() fails then we set the "mtk_crtc->cmdq_client.chan" pointer to NULL. In that situation, we do not call cmdq_pkt_create(). During the cleanup, we need to check if the "mtk_crtc->cmdq_client.chan" is NULL first before calling cmdq_pkt_destroy(). Calling cmdq_pkt_destroy() is unnecessary if we didn't call cmdq_pkt_create() and it will result in a NULL pointer dereference. Fixes: 7627122fd1c0 ("drm/mediatek: Add cmdq_handle in mtk_crtc") Signed-off-by: Dan Carpenter Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/cc537bd6-837f-4c85-a37b-1a007e268310@stanley.mountain/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit b616418181c6c1668d939a6dc0d54b682808ee16 Author: Chun-Kuang Hu Date: Sat Aug 10 09:09:15 2024 +0000 drm/mediatek: Use cmdq_pkt_create() and cmdq_pkt_destroy() [ Upstream commit d7c66b5fbc70d09348f3e0414ebf360c3125f3fa ] Use cmdq_pkt_create() and cmdq_pkt_destroy() common function instead of implementing drm version. Signed-off-by: Chun-Kuang Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20240810090918.7457-3-chunkuang.hu@kernel.org/ Stable-dep-of: 4018651ba5c4 ("drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()") Signed-off-by: Sasha Levin commit 5dfde9ada66d181c7f6ca5eff7a9c172d28cb3b9 Author: Liankun Yang Date: Mon Sep 23 21:24:15 2024 +0800 drm/mediatek: Fix get efuse issue for MT8188 DPTX [ Upstream commit 3ded11b5c1b476f6d027d9017aa7deb8ab381ec1 ] Update efuse data for MT8188 displayport. The DP monitor can not display when DUT connected to USB-c to DP dongle. Analysis view is invalid DP efuse data. Fixes: 350c3fe907fb ("drm/mediatek: dp: Add support MT8188 dp/edp function") Reviewed-by: Matthias Brugger Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Liankun Yang Reviewed-by: Fei Shao Tested-by: Fei Shao Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20240923132521.22785-1-liankun.yang@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit befdf73cc200b39bd03be184999930df6fd8ada6 Author: Hsin-Te Yuan Date: Wed Oct 16 14:17:14 2024 +0000 drm/mediatek: Fix color format MACROs in OVL [ Upstream commit 655c6c1b7afe6d29f386f415594ee643e5e3d755 ] In commit 9f428b95ac89 ("drm/mediatek: Add new color format MACROs in OVL"), some new color formats are defined in the MACROs to make the switch statement more concise. That commit was intended to be a no-op cleanup. However, there are typos in these formats MACROs, which cause the return value to be incorrect. Fix the typos to ensure the return value remains unchanged. Fixes: 9f428b95ac89 ("drm/mediatek: Add new color format MACROs in OVL") Reviewed-by: Douglas Anderson Reviewed-by: Matthias Brugger Signed-off-by: Hsin-Te Yuan Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20241016-color-v3-1-e0f5f44a72d8@chromium.org/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 83a2056a362f3b26d1a3015c53b40ddc2c745301 Author: Jason-JH.Lin Date: Wed Oct 9 11:46:44 2024 +0800 drm/mediatek: ovl: Remove the color format comment for ovl_fmt_convert() [ Upstream commit 41607c3ceb0e527e0985387bc41bbf291dc9a3d8 ] Since we changed MACROs to be consistent with DRM input color format naming, the comment for ovl_fmt_conver() is no longer needed. Fixes: 9f428b95ac89 ("drm/mediatek: Add new color format MACROs in OVL") Signed-off-by: Jason-JH.Lin Reviewed-by: CK Hu Reviewed-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/dri-devel/patch/20241009034646.13143-4-jason-jh.lin@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 1e74d6f6248847b88f82231054a4aa180681145c Author: Paulo Alcantara Date: Wed Sep 18 21:53:35 2024 -0300 smb: client: set correct device number on nfs reparse points [ Upstream commit a9de67336a4aa3ff2e706ba023fb5f7ff681a954 ] Fix major and minor numbers set on special files created with NFS reparse points. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 20568b933771645c52b3b4303df6ed8c268873b2 Author: Paulo Alcantara Date: Wed Sep 18 21:57:43 2024 -0300 smb: client: fix parsing of device numbers [ Upstream commit 663f295e35594f4c2584fc68c28546b747b637cd ] Report correct major and minor numbers from special files created with NFS reparse points. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 0f86bbc4fc5c2d8ec7f0f3a5dbdf33ed4605332a Author: Andy Shevchenko Date: Wed Oct 30 19:36:52 2024 +0200 gpio: sloppy-logic-analyzer: Check for error code from devm_mutex_init() call [ Upstream commit 90bad749858cf88d80af7c2b23f86db4f7ad61c2 ] Even if it's not critical, the avoidance of checking the error code from devm_mutex_init() call today diminishes the point of using devm variant of it. Tomorrow it may even leak something. Add the missed check. Fixes: 7828b7bbbf20 ("gpio: add sloppy logic analyzer using polling") Reviewed-by: Wolfram Sang Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241030174132.2113286-3-andriy.shevchenko@linux.intel.com Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 43b1df48d1e7000a214acd1a81b8012ca8a929c8 Author: Pierre Gondois Date: Mon Oct 28 13:56:56 2024 +0100 ACPI: CPPC: Make rmw_lock a raw_spin_lock [ Upstream commit 1c10941e34c5fdc0357e46a25bd130d9cf40b925 ] The following BUG was triggered: ============================= [ BUG: Invalid wait context ] 6.12.0-rc2-XXX #406 Not tainted ----------------------------- kworker/1:1/62 is trying to lock: ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370 other info that might help us debug this: context-{5:5} 2 locks held by kworker/1:1/62: #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50 #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280 stack backtrace: CPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406 Workqueue: 0x0 (events) Call trace: dump_backtrace+0xa4/0x130 show_stack+0x20/0x38 dump_stack_lvl+0x90/0xd0 dump_stack+0x18/0x28 __lock_acquire+0x480/0x1ad8 lock_acquire+0x114/0x310 _raw_spin_lock+0x50/0x70 cpc_write+0xcc/0x370 cppc_set_perf+0xa0/0x3a8 cppc_cpufreq_fast_switch+0x40/0xc0 cpufreq_driver_fast_switch+0x4c/0x218 sugov_update_shared+0x234/0x280 update_load_avg+0x6ec/0x7b8 dequeue_entities+0x108/0x830 dequeue_task_fair+0x58/0x408 __schedule+0x4f0/0x1070 schedule+0x54/0x130 worker_thread+0xc0/0x2e8 kthread+0x130/0x148 ret_from_fork+0x10/0x20 sugov_update_shared() locks a raw_spinlock while cpc_write() locks a spinlock. To have a correct wait-type order, update rmw_lock to a raw spinlock and ensure that interrupts will be disabled on the CPU holding it. Fixes: 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage") Signed-off-by: Pierre Gondois Link: https://patch.msgid.link/20241028125657.1271512-1-pierre.gondois@arm.com [ rjw: Changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8e134e7ff818964df5c5dc615ac12871ea4b6e2f Author: David Howells Date: Wed Oct 23 11:40:10 2024 +0100 afs: Fix missing subdir edit when renamed between parent dirs [ Upstream commit 247d65fb122ad560be1c8c4d87d7374fb28b0770 ] When rename moves an AFS subdirectory between parent directories, the subdir also needs a bit of editing: the ".." entry needs updating to point to the new parent (though I don't make use of the info) and the DV needs incrementing by 1 to reflect the change of content. The server also sends a callback break notification on the subdirectory if we have one, but we can take care of recovering the promise next time we access the subdir. This can be triggered by something like: mount -t afs %example.com:xfstest.test20 /xfstest.test/ mkdir /xfstest.test/{aaa,bbb,aaa/ccc} touch /xfstest.test/bbb/ccc/d mv /xfstest.test/{aaa/ccc,bbb/ccc} touch /xfstest.test/bbb/ccc/e When the pathwalk for the second touch hits "ccc", kafs spots that the DV is incorrect and downloads it again (so the fix is not critical). Fix this, if the rename target is a directory and the old and new parents are different, by: (1) Incrementing the DV number of the target locally. (2) Editing the ".." entry in the target to refer to its new parent's vnode ID and uniquifier. Link: https://lore.kernel.org/r/3340431.1729680010@warthog.procyon.org.uk Fixes: 63a4681ff39c ("afs: Locally edit directory data for mkdir/create/unlink/...") cc: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: David Howells Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 999a07693fd2f2b4072710a419f66c8d14b45b5c Author: Xiongfeng Wang Date: Wed Oct 16 16:47:40 2024 +0800 firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() [ Upstream commit c83212d79be2c9886d3e6039759ecd388fd5fed1 ] In sdei_device_freeze(), the input parameter of cpuhp_remove_state() is passed as 'sdei_entry_point' by mistake. Change it to 'sdei_hp_state'. Fixes: d2c48b2387eb ("firmware: arm_sdei: Fix sleep from invalid context BUG") Signed-off-by: Xiongfeng Wang Reviewed-by: James Morse Link: https://lore.kernel.org/r/20241016084740.183353-1-wangxiongfeng2@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7180bbb3b3e397cef9a9f37522636aa73f349eb4 Author: Marco Elver Date: Mon Oct 21 14:00:10 2024 +0200 kasan: Fix Software Tag-Based KASAN with GCC [ Upstream commit 894b00a3350c560990638bdf89bdf1f3d5491950 ] Per [1], -fsanitize=kernel-hwaddress with GCC currently does not disable instrumentation in functions with __attribute__((no_sanitize_address)). However, __attribute__((no_sanitize("hwaddress"))) does correctly disable instrumentation. Use it instead. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117196 [1] Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3 Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854 Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com Tested-by: Andrey Konovalov Cc: Andrew Pinski Cc: Mark Rutland Cc: Will Deacon Signed-off-by: Marco Elver Reviewed-by: Andrey Konovalov Fixes: 7b861a53e46b ("kasan: Bump required compiler version") Link: https://lore.kernel.org/r/20241021120013.3209481-1-elver@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 89fda1e8b79d1721fd0a2b2bde2fc64fcafe21ce Author: Christoph Hellwig Date: Tue Oct 15 06:13:50 2024 +0200 iomap: turn iomap_want_unshare_iter into an inline function [ Upstream commit 6db388585e486c0261aeef55f8bc63a9b45756c0 ] iomap_want_unshare_iter currently sits in fs/iomap/buffered-io.c, which depends on CONFIG_BLOCK. It is also in used in fs/dax.c whіch has no such dependency. Given that it is a trivial check turn it into an inline in include/linux/iomap.h to fix the DAX && !BLOCK build. Fixes: 6ef6a0e821d3 ("iomap: share iomap_unshare_iter predicate code with fsdax") Reported-by: kernel test robot Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241015041350.118403-1-hch@lst.de Reviewed-by: Brian Foster Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 8e9c0f500b42216ef930f5c0d1703989a451913d Author: Darrick J. Wong Date: Thu Oct 3 08:09:48 2024 -0700 fsdax: dax_unshare_iter needs to copy entire blocks [ Upstream commit 50793801fc7f6d08def48754fb0f0706b0cfc394 ] The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, even if its pos argument is in the middle of that page. This is catastrophic for data integrity when iter->pos is not aligned to a page, because daddr/saddr do not point to the same byte in the file as iter->pos. Hence we corrupt user data by copying it to the wrong place. If iter->pos + iomap_length() in the _iter function not aligned to a page, then we fail to copy a full block, and only partially populate the destination block. This is catastrophic for data confidentiality because we expose stale pmem contents. Fix both of these issues by aligning copy_pos/copy_len to a page boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that we always copy full blocks. We're not done yet -- there's no call to invalidate_inode_pages2_range, so programs that have the file range mmap'd will continue accessing the old memory mapping after the file metadata updates have completed. Be careful with the return value -- if the unshare succeeds, we still need to return the number of bytes that the iomap iter thinks we're operating on. Cc: ruansy.fnst@fujitsu.com Fixes: d984648e428b ("fsdax,xfs: port unshare to fsdax") Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/172796813328.1131942.16777025316348797355.stgit@frogsfrogsfrogs Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 67b6a710b9bad9e832e4ca554e0936761dbe07fe Author: Darrick J. Wong Date: Thu Oct 3 08:09:32 2024 -0700 fsdax: remove zeroing code from dax_unshare_iter [ Upstream commit 95472274b6fed8f2d30fbdda304e12174b3d4099 ] Remove the code in dax_unshare_iter that zeroes the destination memory because it's not necessary. If srcmap is unwritten, we don't have to do anything because that unwritten extent came from the regular file mapping, and unwritten extents cannot be shared. The same applies to holes. Furthermore, zeroing to unshare a mapping is just plain wrong because unsharing means copy on write, and we should be copying data. This is effectively a revert of commit 13dd4e04625f ("fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN") Cc: ruansy.fnst@fujitsu.com Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/172796813311.1131942.16033376284752798632.stgit@frogsfrogsfrogs Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks") Signed-off-by: Sasha Levin commit e84223962e24ccb58a19b478e0144a72a0430ca5 Author: Darrick J. Wong Date: Thu Oct 3 08:09:16 2024 -0700 iomap: share iomap_unshare_iter predicate code with fsdax [ Upstream commit 6ef6a0e821d3dad6bf8a5d5508762dba9042c84b ] The predicate code that iomap_unshare_iter uses to decide if it's really needs to unshare a file range mapping should be shared with the fsdax version, because right now they're opencoded and inconsistent. Note that we simplify the predicate logic a bit -- we no longer allow unsharing of inline data mappings, but there aren't any filesystems that allow shared inline data currently. This is a fix in the sense that it should have been ported to fsdax. Fixes: b53fdb215d13 ("iomap: improve shared block detection in iomap_unshare_iter") Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/172796813294.1131942.15762084021076932620.stgit@frogsfrogsfrogs Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks") Signed-off-by: Sasha Levin commit 429ee9c368655e21d865a7727ea9706b90a599cc Author: Darrick J. Wong Date: Wed Oct 2 08:00:40 2024 -0700 iomap: don't bother unsharing delalloc extents [ Upstream commit f7a4874d977bf4202ad575031222e78809a36292 ] If unshare encounters a delalloc reservation in the srcmap, that means that the file range isn't shared because delalloc reservations cannot be reflinked. Therefore, don't try to unshare them. Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/20241002150040.GB21853@frogsfrogsfrogs Reviewed-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Christian Brauner Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks") Signed-off-by: Sasha Levin commit 70cb926ad3286679b6bbe75f860594f910308a2f Author: Christoph Hellwig Date: Tue Sep 10 07:39:04 2024 +0300 iomap: improve shared block detection in iomap_unshare_iter [ Upstream commit b53fdb215d13f8e9c29541434bf2d14dac8bcbdc ] Currently iomap_unshare_iter relies on the IOMAP_F_SHARED flag to detect blocks to unshare. This is reasonable, but IOMAP_F_SHARED is also useful for the file system to do internal book keeping for out of place writes. XFS used to that, until it got removed in commit 72a048c1056a ("xfs: only set IOMAP_F_SHARED when providing a srcmap to a write") because unshare for incorrectly unshare such blocks. Add an extra safeguard by checking the explicitly provided srcmap instead of the fallback to the iomap for valid data, as that catches the case where we'd just copy from the same place we'd write to easily, allowing to reinstate setting IOMAP_F_SHARED for all XFS writes that go to the COW fork. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20240910043949.3481298-3-hch@lst.de Reviewed-by: Darrick J. Wong Signed-off-by: Christian Brauner Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks") Signed-off-by: Sasha Levin commit 776efa87c6f7158811336b8add49dae028ece3d6 Author: Toke Høiland-Jørgensen Date: Wed Oct 30 11:48:26 2024 +0100 bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled [ Upstream commit c40dd8c4732551605712985bc5b7045094c6458d ] The test_run code detects whether a page has been modified and re-initialises the xdp_frame structure if it has, using xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff() doesn't touch frame->mem, so that wasn't correctly re-initialised, which led to the pages from page_pool not being returned correctly. Syzbot noticed this as a memory leak. Fix this by also copying the frame->mem structure when re-initialising the frame, like we do on initialisation of a new page from page_pool. Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption") Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN") Reported-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Tested-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com Reviewed-by: Alexander Lobakin Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20241030-test-run-mem-fix-v1-1-41e88e8cae43@redhat.com Signed-off-by: Sasha Levin commit c43e0ea848e7b9bef7a682cbc5608022d6d29d7b Author: Pablo Neira Ayuso Date: Wed Oct 30 23:13:48 2024 +0100 netfilter: nft_payload: sanitize offset and length before calling skb_checksum() [ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ] If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over skbuff, BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed. Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support") Reported-by: Slavin Liu Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 8e9393cfc9c16474db32e3b9022e6c3aedaf9be0 Author: Daniel Golle Date: Sat Oct 26 14:52:25 2024 +0100 net: ethernet: mtk_wed: fix path of MT7988 WO firmware [ Upstream commit 637f41476384c76d3cd7dcf5947caf2c8b8d7a9b ] linux-firmware commit 808cba84 ("mtk_wed: add firmware for mt7988 Wireless Ethernet Dispatcher") added mt7988_wo_{0,1}.bin in the 'mediatek/mt7988' directory while driver current expects the files in the 'mediatek' directory. Change path in the driver header now that the firmware has been added. Fixes: e2f64db13aa1 ("net: ethernet: mtk_wed: introduce WED support for MT7988") Signed-off-by: Daniel Golle Reviewed-by: Andrew Lunn Reviewed-by: AngeloGioacchino Del Regno Link: https://patch.msgid.link/Zxz0GWTR5X5LdWPe@pidgin.makrotopia.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942 Author: Ido Schimmel Date: Fri Oct 25 16:26:28 2024 +0200 mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address [ Upstream commit 12ae97c531fcd3bfd774d4dfeaeac23eafe24280 ] The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver. Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its hash table (and therefore the device) and the old address is never removed from it. Fix by programming the new address when the configuration of the ip6gre net device changes and removing the old one. If the address did not change, then the above would result in increasing the reference count of the address and then decreasing it. [1] # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit # ip link set dev bla type ip6gre remote 2001:db8:3::1 # ip link del dev bla # devlink dev reload pci/0000:01:00.0 [2] WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0 Modules linked in: CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151 Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0 [...] Call Trace: mlxsw_sp_router_netdevice_event+0x55f/0x1240 notifier_call_chain+0x5a/0xd0 call_netdevice_notifiers_info+0x39/0x90 unregister_netdevice_many_notify+0x63e/0x9d0 rtnl_dellink+0x16b/0x3a0 rtnetlink_rcv_msg+0x142/0x3f0 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x242/0x390 netlink_sendmsg+0x1de/0x420 ____sys_sendmsg+0x2bd/0x320 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x9e/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [3] unreferenced object 0xffff898081f597a0 (size 32): comm "ip", pid 1626, jiffies 4294719324 hex dump (first 32 bytes): 20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ............... 21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia............. backtrace (crc fd9be911): [<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260 [<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340 [<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240 [<00000000743e7757>] notifier_call_chain+0x5a/0xd0 [<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90 [<000000002509645d>] register_netdevice+0x5f7/0x7a0 [<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130 [<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120 [<000000004df7c7cc>] rtnl_newlink+0x471/0xa20 [<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0 [<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100 [<00000000908bca63>] netlink_unicast+0x242/0x390 [<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420 [<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320 [<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0 [<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0 Fixes: cf42911523e0 ("mlxsw: spectrum_ipip: Use common hash table for IPv6 address mapping") Reported-by: Maksym Yaremchuk Signed-off-by: Ido Schimmel Reviewed-by: Petr Machata Signed-off-by: Petr Machata Link: https://patch.msgid.link/e91012edc5a6cb9df37b78fd377f669381facfcb.1729866134.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 321d697c717b361eb1d12a3f11384c5baf3f64d3 Author: Amit Cohen Date: Fri Oct 25 16:26:27 2024 +0200 mlxsw: pci: Sync Rx buffers for device [ Upstream commit d0fbdc3ae9ecc614ddffde55dccbcacef353da0b ] Non-coherent architectures, like ARM, may require invalidating caches before the device can use the DMA mapped memory, which means that before posting pages to device, drivers should sync the memory for device. Sync for device can be configured as page pool responsibility. Set the relevant flag and define max_len for sync. Cc: Jiri Pirko Fixes: b5b60bb491b2 ("mlxsw: pci: Use page pool for Rx buffers allocation") Signed-off-by: Amit Cohen Reviewed-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://patch.msgid.link/92e01f05c4f506a4f0a9b39c10175dcc01994910.1729866134.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit efd946f4ad7e06cfc6543bf62033494fdd1325c0 Author: Amit Cohen Date: Fri Oct 25 16:26:26 2024 +0200 mlxsw: pci: Sync Rx buffers for CPU [ Upstream commit 15f73e601a9c67aa83bde92b2d940a6532d8614d ] When Rx packet is received, drivers should sync the pages for CPU, to ensure the CPU reads the data written by the device and not stale data from its cache. Add the missing sync call in Rx path, sync the actual length of data for each fragment. Cc: Jiri Pirko Fixes: b5b60bb491b2 ("mlxsw: pci: Use page pool for Rx buffers allocation") Signed-off-by: Amit Cohen Reviewed-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://patch.msgid.link/461486fac91755ca4e04c2068c102250026dcd0b.1729866134.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2878ae97918361f2ad8e8c4550eb46020ef6792f Author: Amit Cohen Date: Fri Oct 25 16:26:25 2024 +0200 mlxsw: spectrum_ptp: Add missing verification before pushing Tx header [ Upstream commit 0a66e5582b5102c4d7b866b977ff7c850c1174ce ] Tx header should be pushed for each packet which is transmitted via Spectrum ASICs. The cited commit moved the call to skb_cow_head() from mlxsw_sp_port_xmit() to functions which handle Tx header. In case that mlxsw_sp->ptp_ops->txhdr_construct() is used to handle Tx header, and txhdr_construct() is mlxsw_sp_ptp_txhdr_construct(), there is no call for skb_cow_head() before pushing Tx header size to SKB. This flow is relevant for Spectrum-1 and Spectrum-4, for PTP packets. Add the missing call to skb_cow_head() to make sure that there is both enough room to push the Tx header and that the SKB header is not cloned and can be modified. An additional set will be sent to net-next to centralize the handling of the Tx header by pushing it to every packet just before transmission. Cc: Richard Cochran Fixes: 24157bc69f45 ("mlxsw: Send PTP packets as data packets to overcome a limitation") Signed-off-by: Amit Cohen Signed-off-by: Petr Machata Link: https://patch.msgid.link/5145780b07ebbb5d3b3570f311254a3a2d554a44.1729866134.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 705350fbd6ed4b5d89ee045fa57a0594a72b17d7 Author: Benoît Monin Date: Thu Oct 24 16:01:54 2024 +0200 net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension [ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ] As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability can only checksum TCP and UDP over IPv6 if the IP header does not contains extension. This is enforced for UDP packets emitted from user-space to an IPv6 address as they go through ip6_make_skb(), which calls __ip6_append_data() where a check is done on the header size before setting CHECKSUM_PARTIAL. But the introduction of UDP encapsulation with fou6 added a code-path where it is possible to get an skb with a partial UDP checksum and an IPv6 header with extension: * fou6 adds a UDP header with a partial checksum if the inner packet does not contains a valid checksum. * ip6_tunnel adds an IPv6 header with a destination option extension header if encap_limit is non-zero (the default value is 4). The thread linked below describes in more details how to reproduce the problem with GRE-in-UDP tunnel. Add a check on the network header size in skb_csum_hwoffload_help() to make sure no IPv6 packet with extension header is handed to a network device with NETIF_F_IPV6_CSUM capability. Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels") Signed-off-by: Benoît Monin Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c9539e09c67880ecd88b51188c346a2cc078b06c Author: Hou Tao Date: Wed Oct 30 18:05:14 2024 +0800 bpf: Check the validity of nr_words in bpf_iter_bits_new() [ Upstream commit 393397fbdcad7396639d7077c33f86169184ba99 ] Check the validity of nr_words in bpf_iter_bits_new(). Without this check, when multiplication overflow occurs for nr_bits (e.g., when nr_words = 0x0400-0001, nr_bits becomes 64), stack corruption may occur due to bpf_probe_read_kernel_common(..., nr_bytes = 0x2000-0008). Fix it by limiting the maximum value of nr_words to 511. The value is derived from the current implementation of BPF memory allocator. To ensure compatibility if the BPF memory allocator's size limitation changes in the future, use the helper bpf_mem_alloc_check_size() to check whether nr_bytes is too larger. And return -E2BIG instead of -ENOMEM for oversized nr_bytes. Fixes: 4665415975b0 ("bpf: Add bits iterator") Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241030100516.3633640-4-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 23c39b8659ce9234d57089bf9ecf6753df901f72 Author: Hou Tao Date: Wed Oct 30 18:05:13 2024 +0800 bpf: Add bpf_mem_alloc_check_size() helper [ Upstream commit 62a898b07b83f6f407003d8a70f0827a5af08a59 ] Introduce bpf_mem_alloc_check_size() to check whether the allocation size exceeds the limitation for the kmalloc-equivalent allocator. The upper limit for percpu allocation is LLIST_NODE_SZ bytes larger than non-percpu allocation, so a percpu argument is added to the helper. The helper will be used in the following patch to check whether the size parameter passed to bpf_mem_alloc() is too big. Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241030100516.3633640-3-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Stable-dep-of: 393397fbdcad ("bpf: Check the validity of nr_words in bpf_iter_bits_new()") Signed-off-by: Sasha Levin commit 9cee266fafaf79fd465314546f637f9a3c215830 Author: Hou Tao Date: Wed Oct 30 18:05:12 2024 +0800 bpf: Free dynamically allocated bits in bpf_iter_bits_destroy() [ Upstream commit 101ccfbabf4738041273ce64e2b116cf440dea13 ] bpf_iter_bits_destroy() uses "kit->nr_bits <= 64" to check whether the bits are dynamically allocated. However, the check is incorrect and may cause a kmemleak as shown below: unreferenced object 0xffff88812628c8c0 (size 32): comm "swapper/0", pid 1, jiffies 4294727320 hex dump (first 32 bytes): b0 c1 55 f5 81 88 ff ff f0 f0 f0 f0 f0 f0 f0 f0 ..U........... f0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 00 00 00 00 .............. backtrace (crc 781e32cc): [<00000000c452b4ab>] kmemleak_alloc+0x4b/0x80 [<0000000004e09f80>] __kmalloc_node_noprof+0x480/0x5c0 [<00000000597124d6>] __alloc.isra.0+0x89/0xb0 [<000000004ebfffcd>] alloc_bulk+0x2af/0x720 [<00000000d9c10145>] prefill_mem_cache+0x7f/0xb0 [<00000000ff9738ff>] bpf_mem_alloc_init+0x3e2/0x610 [<000000008b616eac>] bpf_global_ma_init+0x19/0x30 [<00000000fc473efc>] do_one_initcall+0xd3/0x3c0 [<00000000ec81498c>] kernel_init_freeable+0x66a/0x940 [<00000000b119f72f>] kernel_init+0x20/0x160 [<00000000f11ac9a7>] ret_from_fork+0x3c/0x70 [<0000000004671da4>] ret_from_fork_asm+0x1a/0x30 That is because nr_bits will be set as zero in bpf_iter_bits_next() after all bits have been iterated. Fix the issue by setting kit->bit to kit->nr_bits instead of setting kit->nr_bits to zero when the iteration completes in bpf_iter_bits_next(). In addition, use "!nr_bits || bits >= nr_bits" to check whether the iteration is complete and still use "nr_bits > 64" to indicate whether bits are dynamically allocated. The "!nr_bits" check is necessary because bpf_iter_bits_new() may fail before setting kit->nr_bits, and this condition will stop the iteration early instead of accessing the zeroed or freed kit->bits. Considering the initial value of kit->bits is -1 and the type of kit->nr_bits is unsigned int, change the type of kit->nr_bits to int. The potential overflow problem will be handled in the following patch. Fixes: 4665415975b0 ("bpf: Add bits iterator") Acked-by: Yafang Shao Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241030100516.3633640-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 48d7c24b7ef6417c68f206566364db1f8087bb23 Author: Sungwoo Kim Date: Tue Oct 29 19:44:41 2024 +0000 Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs [ Upstream commit 1e67d8641813f1876a42eeb4f532487b8a7fb0a8 ] Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0]. KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci7 hci_power_on RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000 FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline] hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline] hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline] hci_init_sync net/bluetooth/hci_sync.c:4742 [inline] hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline] hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline] hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015 process_one_work kernel/workqueue.c:3267 [inline] process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429 kthread+0x2cb/0x360 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") Signed-off-by: Sungwoo Kim Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit f85b057e34419e5ec0583a65078a11ccc1d4540a Author: Eric Dumazet Date: Fri Oct 25 08:02:29 2024 +0000 netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() [ Upstream commit 4ed234fe793f27a3b151c43d2106df2ff0d81aac ] I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000008e R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fdbeed36058 R15: 00007ffc38de06e8 Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules") Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit bab3bb35c03b263c486833d50d50c081d9e9832b Author: Dong Chenchen Date: Thu Oct 24 09:47:01 2024 +0800 netfilter: Fix use-after-free in get_info() [ Upstream commit f48d258f0ac540f00fa617dac496c4c18b5dc2fa ] ip6table_nat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80 Modules linked in: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:module_put+0x6f/0x80 Call Trace: get_info+0x128/0x180 do_ip6t_get_ctl+0x6a/0x430 nf_getsockopt+0x46/0x80 ipv6_getsockopt+0xb9/0x100 rawv6_getsockopt+0x42/0x190 do_sock_getsockopt+0xaa/0x180 __sys_getsockopt+0x70/0xc0 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0xa2/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Concurrent execution of module unload and get_info() trigered the warning. The root cause is as follows: cpu0 cpu1 module_exit //mod->state = MODULE_STATE_GOING ip6table_nat_exit xt_unregister_template kfree(t) //removed from templ_list getinfo() t = xt_find_table_lock list_for_each_entry(tmpl, &xt_templates[af]...) if (strcmp(tmpl->name, name)) continue; //table not found try_module_get list_for_each_entry(t, &xt_net->tables[af]...) return t; //not get refcnt module_put(t->me) //uaf unregister_pernet_subsys //remove table from xt_net list While xt_table module was going away and has been removed from xt_templates list, we couldnt get refcnt of xt_table->me. Check module in xt_net->tables list re-traversal to fix it. Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") Signed-off-by: Dong Chenchen Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e72fd1389a5364bc6aa6312ecf30bdb5891b9486 Author: Wang Liang Date: Wed Oct 23 11:52:13 2024 +0800 net: fix crash when config small gso_max_size/gso_ipv4_max_size [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ] Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") Signed-off-by: Wang Liang Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c4b4f9a9ab82238cb158fa4fe61a8c0ae21a4980 Author: Byeonguk Jeong Date: Sat Oct 26 14:02:43 2024 +0900 bpf: Fix out-of-bounds write in trie_get_next_key() [ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ] trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8. Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map") Signed-off-by: Byeonguk Jeong Reviewed-by: Toke Høiland-Jørgensen Tested-by: Hou Tao Acked-by: Hou Tao Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 8966eb69a143b1c032365fe84f2815f3c46f2590 Author: Vladimir Oltean Date: Wed Oct 23 13:05:41 2024 +0300 net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() [ Upstream commit a13e690191eafc154b3f60afe9ce35aa9b9128b4 ] This command: $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: block dev insert failed: -EBUSY. fails because user space requests the same block index to be set for both ingress and egress. [ side note, I don't think it even failed prior to commit 913b47d3424e ("net/sched: Introduce tc block netdev tracking infra"), because this is a command from an old set of notes of mine which used to work, but alas, I did not scientifically bisect this ] The problem is not that it fails, but rather, that the second time around, it fails differently (and irrecoverably): $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: dsa_core: Flow block cb is busy. [ another note: the extack is added by me for illustration purposes. the context of the problem is that clsact_init() obtains the same &q->ingress_block pointer as &q->egress_block, and since we call tcf_block_get_ext() on both of them, "dev" will be added to the block->ports xarray twice, thus failing the operation: once through the ingress block pointer, and once again through the egress block pointer. the problem itself is that when xa_insert() fails, we have emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the offload never sees a corresponding FLOW_BLOCK_UNBIND. ] Even correcting the bad user input, we still cannot recover: $ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact Error: dsa_core: Flow block cb is busy. Basically the only way to recover is to reboot the system, or unbind and rebind the net device driver. To fix the bug, we need to fill the correct error teardown path which was missed during code movement, and call tcf_block_offload_unbind() when xa_insert() fails. [ last note, fundamentally I blame the label naming convention in tcf_block_get_ext() for the bug. The labels should be named after what they do, not after the error path that jumps to them. This way, it is obviously wrong that two labels pointing to the same code mean something is wrong, and checking the code correctness at the goto site is also easier ] Fixes: 94e2557d086a ("net: sched: move block device tracking into tcf_block_get/put_ext()") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Acked-by: Jamal Hadi Salim Link: https://patch.msgid.link/20241023100541.974362-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 27bd7a742e171362c9eb52ad5d1d71d3321f949f Author: Zichen Xie Date: Tue Oct 22 12:19:08 2024 -0500 netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() [ Upstream commit 4ce1f56a1eaced2523329bef800d004e30f2f76c ] This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that the function performs properly. Fixes: c6385c0b67c5 ("netdevsim: Allow reporting activity on nexthop buckets") Signed-off-by: Zichen Xie Reviewed-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/20241022171907.8606-1-zichenxie0106@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5de08049e784f0d944ff13c3de97e066ceab0093 Author: Eduard Zingerman Date: Tue Oct 29 10:26:40 2024 -0700 bpf: Force checkpoint when jmp history is too long [ Upstream commit aa30eb3260b2dea3a68d3c42a39f9a09c5e99cee ] A specifically crafted program might trick verifier into growing very long jump history within a single bpf_verifier_state instance. Very long jump history makes mark_chain_precision() unreasonably slow, especially in case if verifier processes a loop. Mitigate this by forcing new state in is_state_visited() in case if current state's jump history is too long. Use same constant as in `skip_inf_loop_check`, but multiply it by arbitrarily chosen value 2 to account for jump history containing not only information about jumps, but also information about stack access. For an example of problematic program consider the code below, w/o this patch the example is processed by verifier for ~15 minutes, before failing to allocate big-enough chunk for jmp_history. 0: r7 = *(u16 *)(r1 +0);" 1: r7 += 0x1ab064b9;" 2: if r7 & 0x702000 goto 1b; 3: r7 &= 0x1ee60e;" 4: r7 += r1;" 5: if r7 s> 0x37d2 goto +0;" 6: r0 = 0;" 7: exit;" Perf profiling shows that most of the time is spent in mark_chain_precision() ~95%. The easiest way to explain why this program causes problems is to apply the following patch: diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 0c216e71cec7..4b4823961abe 100644 \--- a/include/linux/bpf.h \+++ b/include/linux/bpf.h \@@ -1926,7 +1926,7 @@ struct bpf_array { }; }; -#define BPF_COMPLEXITY_LIMIT_INSNS 1000000 /* yes. 1M insns */ +#define BPF_COMPLEXITY_LIMIT_INSNS 256 /* yes. 1M insns */ #define MAX_TAIL_CALL_CNT 33 /* Maximum number of loops for bpf_loop and bpf_iter_num. diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f514247ba8ba..75e88be3bb3e 100644 \--- a/kernel/bpf/verifier.c \+++ b/kernel/bpf/verifier.c \@@ -18024,8 +18024,13 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) skip_inf_loop_check: if (!force_new_state && env->jmps_processed - env->prev_jmps_processed < 20 && - env->insn_processed - env->prev_insn_processed < 100) + env->insn_processed - env->prev_insn_processed < 100) { + verbose(env, "is_state_visited: suppressing checkpoint at %d, %d jmps processed, cur->jmp_history_cnt is %d\n", + env->insn_idx, + env->jmps_processed - env->prev_jmps_processed, + cur->jmp_history_cnt); add_new_state = false; + } goto miss; } /* If sl->state is a part of a loop and this loop's entry is a part of \@@ -18142,6 +18147,9 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) if (!add_new_state) return 0; + verbose(env, "is_state_visited: new checkpoint at %d, resetting env->jmps_processed\n", + env->insn_idx); + /* There were no equivalent states, remember the current one. * Technically the current state is not proven to be safe yet, * but it will either reach outer most bpf_exit (which means it's safe) And observe verification log: ... is_state_visited: new checkpoint at 5, resetting env->jmps_processed 5: R1=ctx() R7=ctx(...) 5: (65) if r7 s> 0x37d2 goto pc+0 ; R7=ctx(...) 6: (b7) r0 = 0 ; R0_w=0 7: (95) exit from 5 to 6: R1=ctx() R7=ctx(...) R10=fp0 6: R1=ctx() R7=ctx(...) R10=fp0 6: (b7) r0 = 0 ; R0_w=0 7: (95) exit is_state_visited: suppressing checkpoint at 1, 3 jmps processed, cur->jmp_history_cnt is 74 from 2 to 1: R1=ctx() R7_w=scalar(...) R10=fp0 1: R1=ctx() R7_w=scalar(...) R10=fp0 1: (07) r7 += 447767737 is_state_visited: suppressing checkpoint at 2, 3 jmps processed, cur->jmp_history_cnt is 75 2: R7_w=scalar(...) 2: (45) if r7 & 0x702000 goto pc-2 ... mark_precise 152 steps for r7 ... 2: R7_w=scalar(...) is_state_visited: suppressing checkpoint at 1, 4 jmps processed, cur->jmp_history_cnt is 75 1: (07) r7 += 447767737 is_state_visited: suppressing checkpoint at 2, 4 jmps processed, cur->jmp_history_cnt is 76 2: R7_w=scalar(...) 2: (45) if r7 & 0x702000 goto pc-2 ... BPF program is too large. Processed 257 insn The log output shows that checkpoint at label (1) is never created, because it is suppressed by `skip_inf_loop_check` logic: a. When 'if' at (2) is processed it pushes a state with insn_idx (1) onto stack and proceeds to (3); b. At (5) checkpoint is created, and this resets env->{jmps,insns}_processed. c. Verification proceeds and reaches `exit`; d. State saved at step (a) is popped from stack and is_state_visited() considers if checkpoint needs to be added, but because env->{jmps,insns}_processed had been just reset at step (b) the `skip_inf_loop_check` logic forces `add_new_state` to false. e. Verifier proceeds with current state, which slowly accumulates more and more entries in the jump history. The accumulation of entries in the jump history is a problem because of two factors: - it eventually exhausts memory available for kmalloc() allocation; - mark_chain_precision() traverses the jump history of a state, meaning that if `r7` is marked precise, verifier would iterate ever growing jump history until parent state boundary is reached. (note: the log also shows a REG INVARIANTS VIOLATION warning upon jset processing, but that's another bug to fix). With this patch applied, the example above is rejected by verifier under 1s of time, reaching 1M instructions limit. The program is a simplified reproducer from syzbot report. Previous discussion could be found at [1]. The patch does not cause any changes in verification performance, when tested on selftests from veristat.cfg and cilium programs taken from [2]. [1] https://lore.kernel.org/bpf/20241009021254.2805446-1-eddyz87@gmail.com/ [2] https://github.com/anakryiko/cilium Changelog: - v1 -> v2: - moved patch to bpf tree; - moved force_new_state variable initialization after declaration and shortened the comment. v1: https://lore.kernel.org/bpf/20241018020307.1766906-1-eddyz87@gmail.com/ Fixes: 2589726d12a1 ("bpf: introduce bounded loops") Reported-by: syzbot+7e46cdef14bf496a3ab4@syzkaller.appspotmail.com Signed-off-by: Eduard Zingerman Signed-off-by: Andrii Nakryiko Acked-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20241029172641.1042523-1-eddyz87@gmail.com Closes: https://lore.kernel.org/bpf/670429f6.050a0220.49194.0517.GAE@google.com/ Signed-off-by: Sasha Levin commit 9995909615c3431a5304c1210face5f268d24dba Author: Pedro Tammela Date: Thu Oct 24 12:55:47 2024 -0400 net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT [ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ] In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop") Reported-by: Budimir Markovic Suggested-by: Jamal Hadi Salim Tested-by: Victor Nogueira Signed-off-by: Pedro Tammela Signed-off-by: Jamal Hadi Salim net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2218b9ea246e8a253f5e4e797073fb77d72f65c8 Author: Pablo Neira Ayuso Date: Tue Oct 22 16:48:25 2024 +0200 gtp: allow -1 to be specified as file description from userspace [ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ] Existing user space applications maintained by the Osmocom project are breaking since a recent fix that addresses incorrect error checking. Restore operation for user space programs that specify -1 as file descriptor to skip GTPv0 or GTPv1 only sockets. Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference") Reported-by: Pau Espin Pedrol Signed-off-by: Pablo Neira Ayuso Tested-by: Oliver Smith Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f20fe2cfe06ca1b008b09da4f2b4e0c5547ccef6 Author: Ido Schimmel Date: Wed Oct 23 15:30:09 2024 +0300 ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() [ Upstream commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 ] The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Suggested-by: Eric Dumazet Signed-off-by: Ido Schimmel Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6dfaa458fe923211c766238a224e0a3c0522935c Author: Ido Schimmel Date: Tue Oct 22 09:38:22 2024 +0300 ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() [ Upstream commit ad4a3ca6a8e886f6491910a3ae5d53595e40597d ] There are code paths from which the function is called without holding the RCU read lock, resulting in a suspicious RCU usage warning [1]. Fix by using l3mdev_master_upper_ifindex_by_index() which will acquire the RCU read lock before calling l3mdev_master_upper_ifindex_by_index_rcu(). [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gac8f72681cf2 #141 Not tainted ----------------------------- net/core/dev.c:876 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/361: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 3 UID: 0 PID: 361 Comm: ip Not tainted 6.12.0-rc3-custom-gac8f72681cf2 #141 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 dev_get_by_index_rcu+0x1d3/0x210 l3mdev_master_upper_ifindex_by_index_rcu+0x2b/0xf0 ip_tunnel_bind_dev+0x72f/0xa00 ip_tunnel_newlink+0x368/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: db53cd3d88dc ("net: Handle l3mdev in ip_tunnel_init_flow") Signed-off-by: Ido Schimmel Reviewed-by: David Ahern Link: https://patch.msgid.link/20241022063822.462057-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 82b107a27bab29146e159b6b9f21146c97c45a53 Author: Arkadiusz Kubalewski Date: Mon Oct 21 16:26:26 2024 -0700 ice: fix crash on probe for DPLL enabled E810 LOM [ Upstream commit 6e58c33106220c6c0c8fbee9ab63eae76ad8f260 ] The E810 Lan On Motherboard (LOM) design is vendor specific. Intel provides the reference design, but it is up to vendor on the final product design. For some cases, like Linux DPLL support, the static values defined in the driver does not reflect the actual LOM design. Current implementation of dpll pins is causing the crash on probe of the ice driver for such DPLL enabled E810 LOM designs: WARNING: (...) at drivers/dpll/dpll_core.c:495 dpll_pin_get+0x2c4/0x330 ... Call Trace: ? __warn+0x83/0x130 ? dpll_pin_get+0x2c4/0x330 ? report_bug+0x1b7/0x1d0 ? handle_bug+0x42/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? dpll_pin_get+0x117/0x330 ? dpll_pin_get+0x2c4/0x330 ? dpll_pin_get+0x117/0x330 ice_dpll_get_pins.isra.0+0x52/0xe0 [ice] ... The number of dpll pins enabled by LOM vendor is greater than expected and defined in the driver for Intel designed NICs, which causes the crash. Prevent the crash and allow generic pin initialization within Linux DPLL subsystem for DPLL enabled E810 LOM designs. Newly designed solution for described issue will be based on "per HW design" pin initialization. It requires pin information dynamically acquired from the firmware and is already in progress, planned for next-tree only. Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu") Reviewed-by: Karol Kolacinski Signed-off-by: Arkadiusz Kubalewski Tested-by: Pucha Himasekhar Reddy Signed-off-by: Jacob Keller Reviewed-by: Simon Horman Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 61b6c0eda832a265eed798ba9499807e71b16c70 Author: Arkadiusz Kubalewski Date: Fri Aug 23 00:25:13 2024 +0200 ice: add callbacks for Embedded SYNC enablement on dpll pins [ Upstream commit 87abc5666ab753e8c31a2d39df3b5233f4e47b43 ] Allow the user to get and set configuration of Embedded SYNC feature on the ice driver dpll pins. Reviewed-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Reviewed-by: Jiri Pirko Link: https://patch.msgid.link/20240822222513.255179-3-arkadiusz.kubalewski@intel.com Signed-off-by: Jakub Kicinski Stable-dep-of: 6e58c3310622 ("ice: fix crash on probe for DPLL enabled E810 LOM") Signed-off-by: Sasha Levin commit 3820fc3eddd62889369ecd3a448eb072ccbb7f32 Author: Arkadiusz Kubalewski Date: Fri Aug 23 00:25:12 2024 +0200 dpll: add Embedded SYNC feature for a pin [ Upstream commit cda1fba15cb2282b3c364805c9767698f11c3b0e ] Implement and document new pin attributes for providing Embedded SYNC capabilities to the DPLL subsystem users through a netlink pin-get do/dump messages. Allow the user to set Embedded SYNC frequency with pin-set do netlink message. Reviewed-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Reviewed-by: Jiri Pirko Link: https://patch.msgid.link/20240822222513.255179-2-arkadiusz.kubalewski@intel.com Signed-off-by: Jakub Kicinski Stable-dep-of: 6e58c3310622 ("ice: fix crash on probe for DPLL enabled E810 LOM") Signed-off-by: Sasha Levin commit 58d23d835eb498336716cca55b5714191a309286 Author: Furong Xu <0x1207@gmail.com> Date: Mon Oct 21 14:10:23 2024 +0800 net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data [ Upstream commit 66600fac7a984dea4ae095411f644770b2561ede ] In case the non-paged data of a SKB carries protocol header and protocol payload to be transmitted on a certain platform that the DMA AXI address width is configured to 40-bit/48-bit, or the size of the non-paged data is bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI address width is configured to 32-bit, then this SKB requires at least two DMA transmit descriptors to serve it. For example, three descriptors are allocated to split one DMA buffer mapped from one piece of non-paged data: dma_desc[N + 0], dma_desc[N + 1], dma_desc[N + 2]. Then three elements of tx_q->tx_skbuff_dma[] will be allocated to hold extra information to be reused in stmmac_tx_clean(): tx_q->tx_skbuff_dma[N + 0], tx_q->tx_skbuff_dma[N + 1], tx_q->tx_skbuff_dma[N + 2]. Now we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer address returned by DMA mapping call. stmmac_tx_clean() will try to unmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf is a valid buffer address. The expected behavior that saves DMA buffer address of this non-paged data to tx_q->tx_skbuff_dma[entry].buf is: tx_q->tx_skbuff_dma[N + 0].buf = NULL; tx_q->tx_skbuff_dma[N + 1].buf = NULL; tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single(); Unfortunately, the current code misbehaves like this: tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single(); tx_q->tx_skbuff_dma[N + 1].buf = NULL; tx_q->tx_skbuff_dma[N + 2].buf = NULL; On the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the DMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address obviously, then the DMA buffer will be unmapped immediately. There may be a rare case that the DMA engine does not finish the pending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go horribly wrong, DMA is going to access a unmapped/unreferenced memory region, corrupted data will be transmited or iommu fault will be triggered :( In contrast, the for-loop that maps SKB fragments behaves perfectly as expected, and that is how the driver should do for both non-paged data and paged frags actually. This patch corrects DMA map/unmap sequences by fixing the array index for tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address. Tested and verified on DWXGMAC CORE 3.20a Reported-by: Suraj Jaiswal Fixes: f748be531d70 ("stmmac: support new GMAC4") Signed-off-by: Furong Xu <0x1207@gmail.com> Reviewed-by: Hariprasad Kelam Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241021061023.2162701-1-0x1207@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 73f17fbebe43f033d32dd3ef3c6339ea947aab66 Author: Ley Foon Tan Date: Mon Oct 21 13:46:25 2024 +0800 net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values [ Upstream commit f84ef58e553206b02d06e02158c98fbccba25d19 ] The high address will display as 0 if the driver does not set the reg_space[]. To fix this, read the high address registers and update the reg_space[] accordingly. Fixes: fbf68229ffe7 ("net: stmmac: unify registers dumps methods") Signed-off-by: Ley Foon Tan Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241021054625.1791965-1-leyfoon.tan@starfivetech.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 9afe35fdda16e09d5bd3c49a68ba8c680dd678bd Author: Cong Wang Date: Sat Oct 26 11:55:22 2024 -0700 sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() [ Upstream commit 740be3b9a6d73336f8c7d540842d0831dc7a808b ] The following race condition could trigger a NULL pointer dereference: sock_map_link_detach(): sock_map_link_update_prog(): mutex_lock(&sockmap_mutex); ... sockmap_link->map = NULL; mutex_unlock(&sockmap_mutex); mutex_lock(&sockmap_mutex); ... sock_map_prog_link_lookup(sockmap_link->map); mutex_unlock(&sockmap_mutex); Fix it by adding a NULL pointer check. In this specific case, it makes no sense to update a link which is being released. Reported-by: Ruan Bonan Fixes: 699c23f02c65 ("bpf: Add bpf_link support for sk_msg and sk_skb progs") Cc: Yonghong Song Cc: John Fastabend Cc: Jakub Sitnicki Signed-off-by: Cong Wang Link: https://lore.kernel.org/r/20241026185522.338562-1-xiyou.wangcong@gmail.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit c549cb66e8de0ba1936fc97a59f0156741d3492a Author: Aleksei Vetrov Date: Mon Oct 28 22:50:30 2024 +0000 ASoC: dapm: fix bounds checker error in dapm_widget_list_create [ Upstream commit 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe ] The widgets array in the snd_soc_dapm_widget_list has a __counted_by attribute attached to it, which points to the num_widgets variable. This attribute is used in bounds checking, and if it is not set before the array is filled, then the bounds sanitizer will issue a warning or a kernel panic if CONFIG_UBSAN_TRAP is set. This patch sets the size of the widgets list calculated with list_for_each as the initial value for num_widgets as it is used for allocating memory for the array. It is updated with the actual number of added elements after the array is filled. Signed-off-by: Aleksei Vetrov Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by") Link: https://patch.msgid.link/20241028-soc-dapm-bounds-checker-fix-v1-1-262b0394e89e@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4614640f1d5c93c22272117dc256e9940ccac8e8 Author: Jianbo Liu Date: Mon Oct 21 13:03:09 2024 +0300 macsec: Fix use-after-free while sending the offloading packet [ Upstream commit f1e54d11b210b53d418ff1476c6b58a2f434dfc0 ] KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while driver still use it for sending the packet. To fix this issue, dst_release() is used instead to release metadata_dst. So it is not freed instantly in macsec_free_netdev() if still referenced by skb. BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mld_ifc_work Call Trace: dump_stack_lvl+0x51/0x60 print_report+0xc1/0x600 kasan_report+0xab/0xe0 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] dev_hard_start_xmit+0x120/0x530 sch_direct_xmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __dev_queue_xmit+0x1196/0x2ed0 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q] dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 macsec_start_xmit+0x13e9/0x2340 dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 ip6_finish_output2+0x923/0x1a70 ip6_finish_output+0x2d7/0x970 ip6_output+0x1ce/0x3a0 NF_HOOK.constprop.0+0x15f/0x190 mld_sendpack+0x59a/0xbd0 mld_ifc_work+0x48a/0xa80 process_one_work+0x5aa/0xe50 worker_thread+0x79c/0x1290 kthread+0x28f/0x350 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 3922: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmalloc_noprof+0x188/0x400 metadata_dst_alloc+0x1f/0x4e0 macsec_newlink+0x914/0x1410 __rtnl_newlink+0xe08/0x15b0 rtnl_newlink+0x5f/0x90 rtnetlink_rcv_msg+0x667/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4011: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 poison_slab_object+0x10c/0x190 __kasan_slab_free+0x11/0x30 kfree+0xe0/0x290 macsec_free_netdev+0x3f/0x140 netdev_run_todo+0x450/0xc70 rtnetlink_rcv_msg+0x66f/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Fixes: 0a28bfd4971f ("net/macsec: Add MACsec skb_metadata_dst Tx Data path support") Signed-off-by: Jianbo Liu Reviewed-by: Patrisious Haddad Reviewed-by: Chris Mi Signed-off-by: Tariq Toukan Reviewed-by: Simon Horman Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20241021100309.234125-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a883bd7fabc050b9a8d97b1a1c6f2aa44df9a09a Author: Christophe JAILLET Date: Sat Oct 26 22:46:34 2024 +0200 ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() [ Upstream commit d221b844ee79823ffc29b7badc4010bdb0960224 ] If devm_gpiod_get_optional() fails, we need to disable previously enabled regulators, as done in the other error handling path of the function. Also, gpiod_set_value_cansleep(, 1) needs to be called to undo a potential gpiod_set_value_cansleep(, 0). If the "reset" gpio is not defined, this additional call is just a no-op. This behavior is the same as the one already in the .remove() function. Fixes: 11b9cd748e31 ("ASoC: cs42l51: add reset management") Signed-off-by: Christophe JAILLET Reviewed-by: Charles Keepax Link: https://patch.msgid.link/a5e5f4b9fb03f46abd2c93ed94b5c395972ce0d1.1729975570.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e7e675a32ea0a0960f074974337a53802b0aac16 Author: Emmanuel Grumbach Date: Tue Oct 22 09:22:11 2024 +0200 Revert "wifi: iwlwifi: remove retry loops in start" [ Upstream commit bfc0ed73e095cc3858d35731f191fa6e3d813262 ] Revert commit dfdfe4be183b ("wifi: iwlwifi: remove retry loops in start"), it turns out that there's an issue with the PNVM load notification from firmware not getting processed, that this patch has been somewhat successfully papering over. Since this is being reported, revert the loop removal for now. We will later at least clean this up to only attempt to retry if there was a timeout, but currently we don't even bubble up the failure reason to the correct layer, only returning NULL. Fixes: dfdfe4be183b ("wifi: iwlwifi: remove retry loops in start") Signed-off-by: Emmanuel Grumbach Link: https://patch.msgid.link/20241022092212.4aa82a558a00.Ibdeff9c8f0d608bc97fc42024392ae763b6937b7@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 92d2fc69d2e0488a57fc4d484f2869f1c418d697 Author: Emmanuel Grumbach Date: Thu Oct 10 14:05:06 2024 +0300 wifi: iwlwifi: mvm: don't add default link in fw restart flow [ Upstream commit 734a377e1eacc5153bae0ccd4423365726876e93 ] When we add the vif (and its default link) in fw restart we may override the link that already exists. We take care of this but if link 0 is a valid MLO link, then we will re-create a default link on mvmvif->link[0] and we'll loose the real link we had there. In non-MLO, we need to re-create the default link upon the interface creation, this is fine. In MLO, we'll just wait for change_vif_links() to re-build the links. Fixes: bf976c814c86 ("wifi: iwlwifi: mvm: implement link change ops") Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241010140328.385bfea1b2e9.I4a127312285ccb529cc95cc4edf6fbe1e0a136ad@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 9480c3045f302f43f9910d2d556d6cf5a62c1822 Author: Daniel Gabay Date: Thu Oct 10 14:05:05 2024 +0300 wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() [ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ] 1. The size of the response packet is not validated. 2. The response buffer is not freed. Resolve these issues by switching to iwl_mvm_send_cmd_status(), which handles both size validation and frees the buffer. Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow") Signed-off-by: Daniel Gabay Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit d903059f1ad5fcdd45ba4c53e254c97477c03195 Author: Miri Korenblit Date: Thu Oct 10 14:05:01 2024 +0300 wifi: iwlwifi: mvm: really send iwl_txpower_constraints_cmd [ Upstream commit cbe84e9ad5e28ef083beff7f6edf2e623fac09e4 ] iwl_mvm_send_ap_tx_power_constraint_cmd is a no-op if the link is not active (we need to know the band etc.) However, for the station case it will be called just before we set the link to active (by calling iwl_mvm_link_changed with the LINK_CONTEXT_MODIFY_ACTIVE bit set in the 'changed' flags and active = true), so it will end up doing nothing. Fix this by calling iwl_mvm_send_ap_tx_power_constraint_cmd before iwl_mvm_link_changed. Fixes: 6b82f4e119d1 ("wifi: iwlwifi: mvm: handle TPE advertised by AP") Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241010140328.5c235fccd3f1.I2d40dea21e5547eba458565edcb4c354d094d82a@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 70ddf9ce1894c48dbbf10b0de51a95e4fb3dd376 Author: Emmanuel Grumbach Date: Thu Oct 10 14:04:59 2024 +0300 wifi: iwlwifi: mvm: don't leak a link on AP removal [ Upstream commit 3ed092997a004d68a3a5b0eeb94e71b69839d0f7 ] Release the link mapping resource in AP removal. This impacted devices that do not support the MLD API (9260 and down). On those devices, we couldn't start the AP again after the AP has been already started and stopped. Fixes: a8b5d4809b50 ("wifi: iwlwifi: mvm: Configure the link mapping for non-MLD FW") Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241010140328.c54c42779882.Ied79e0d6244dc5a372e8b6ffa8ee9c6e1379ec1d@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 047d192a03f338fbac981ad2ffc67e90187682e7 Author: Selvin Xavier Date: Mon Oct 14 06:36:15 2024 -0700 RDMA/bnxt_re: synchronize the qp-handle table array [ Upstream commit 76d3ddff7153cc0bcc14a63798d19f5d0693ea71 ] There is a race between the CREQ tasklet and destroy qp when accessing the qp-handle table. There is a chance of reading a valid qp-handle in the CREQ tasklet handler while the QP is already moving ahead with the destruction. Fixing this race by implementing a table-lock to synchronize the access. Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error") Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing") Link: https://patch.msgid.link/r/1728912975-19346-3-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 147e1c0b7dd5116f2ba8dcdeaa4fb6b3e6ab4785 Author: Selvin Xavier Date: Mon Oct 14 06:36:14 2024 -0700 RDMA/bnxt_re: Fix the usage of control path spin locks [ Upstream commit d71f4acd584cc861f54b3cb3ac07875f06550a05 ] Control path completion processing always runs in tasklet context. To synchronize with the posting thread, there is no need to use the irq variant of spin lock. Use spin_lock_bh instead. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://patch.msgid.link/r/1728912975-19346-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a42cdaba38b88bc138440fa149d4c7514ef64767 Author: Patrisious Haddad Date: Thu Oct 10 11:50:23 2024 +0300 RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down [ Upstream commit 78ed28e08e74da6265e49e19206e1bcb8b9a7f0d ] After the cited commit below max_dest_rd_atomic and max_rd_atomic values are being rounded down to the next power of 2. As opposed to the old behavior and mlx4 driver where they used to be rounded up instead. In order to stay consistent with older code and other drivers, revert to using fls round function which rounds up to the next power of 2. Fixes: f18e26af6aba ("RDMA/mlx5: Convert modify QP to use MLX5_SET macros") Link: https://patch.msgid.link/r/d85515d6ef21a2fa8ef4c8293dce9b58df8a6297.1728550179.git.leon@kernel.org Signed-off-by: Patrisious Haddad Reviewed-by: Maher Sanalla Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a2c156a2a6d5fec9a68957500a2a5180e65b023c Author: Leon Romanovsky Date: Mon Oct 7 20:55:17 2024 +0300 RDMA/cxgb4: Dump vendor specific QP details [ Upstream commit 89f8c6f197f480fe05edf91eb9359d5425869d04 ] Restore the missing functionality to dump vendor specific QP details, which was mistakenly removed in the commit mentioned in Fixes line. Fixes: 5cc34116ccec ("RDMA: Add dedicated QP resource tracker function") Link: https://patch.msgid.link/r/ed9844829135cfdcac7d64285688195a5cd43f82.1728323026.git.leonro@nvidia.com Reported-by: Dr. David Alan Gilbert Closes: https://lore.kernel.org/all/Zv_4qAxuC0dLmgXP@gallifrey Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0f56ddff12494982a387aa54988c066b80bba981 Author: Geert Uytterhoeven Date: Tue Sep 24 14:09:32 2024 +0200 wifi: brcm80211: BRCM_TRACING should depend on TRACING [ Upstream commit b73b2069528f90ec49d5fa1010a759baa2c2be05 ] When tracing is disabled, there is no point in asking the user about enabling Broadcom wireless device tracing. Fixes: f5c4f10852d42012 ("brcm80211: Allow trace support to be enabled separately from debug") Signed-off-by: Geert Uytterhoeven Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://patch.msgid.link/81a29b15eaacc1ac1fb421bdace9ac0c3385f40f.1727179742.git.geert@linux-m68k.org Signed-off-by: Sasha Levin commit 3df5983c823b8f7da84e76d49f4426e37401ac31 Author: Ping-Ke Shih Date: Tue Sep 24 10:16:33 2024 +0800 wifi: rtw89: pci: early chips only enable 36-bit DMA on specific PCI hosts [ Upstream commit aa70ff0945fea2ed14046273609d04725f222616 ] The early chips including RTL8852A, RTL8851B, RTL8852B and RTL8852BT have interoperability problems of 36-bit DMA with some PCI hosts. Rollback to 32-bit DMA by default, and only enable 36-bit DMA for tested platforms. Since all Intel platforms we have can work correctly, add the vendor ID to white list. Otherwise, list vendor/device ID of bridge we have tested. Fixes: 1fd4b3fe52ef ("wifi: rtw89: pci: support 36-bit PCI DMA address") Reported-by: Marcel Weißenbach Closes: https://lore.kernel.org/linux-wireless/20240918073237.Horde.VLueh0_KaiDw-9asEEcdM84@ignaz.org/T/#m07c5694df1acb173a42e1a0bab7ac22bd231a2b8 Signed-off-by: Ping-Ke Shih Tested-by: Marcel Weißenbach Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240924021633.19861-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit 4ae98ffe545c3ddcdb6da4e0e08c16b0be176018 Author: Remi Pommarel Date: Tue Sep 24 21:41:19 2024 +0200 wifi: ath11k: Fix invalid ring usage in full monitor mode [ Upstream commit befd716ed429b26eca7abde95da6195c548470de ] On full monitor HW the monitor destination rxdma ring does not have the same descriptor format as in the "classical" mode. The full monitor destination entries are of hal_sw_monitor_ring type and fetched using ath11k_dp_full_mon_process_rx while the classical ones are of type hal_reo_entrance_ring and fetched with ath11k_dp_rx_mon_dest_process. Although both hal_sw_monitor_ring and hal_reo_entrance_ring are of same size, the offset to useful info (such as sw_cookie, paddr, etc) are different. Thus if ath11k_dp_rx_mon_dest_process gets called on full monitor destination ring, invalid skb buffer id will be fetched from DMA ring causing issues such as the following rcu_sched stall: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (1 GPs behind) idle=c67/0/0x7 softirq=45768/45769 fqs=1012 (t=2100 jiffies g=14817 q=8703) Task dump for CPU 0: task:swapper/0 state:R running task stack: 0 pid: 0 ppid: 0 flags:0x0000000a Call trace: dump_backtrace+0x0/0x160 show_stack+0x14/0x20 sched_show_task+0x158/0x184 dump_cpu_task+0x40/0x4c rcu_dump_cpu_stacks+0xec/0x12c rcu_sched_clock_irq+0x6c8/0x8a0 update_process_times+0x88/0xd0 tick_sched_timer+0x74/0x1e0 __hrtimer_run_queues+0x150/0x204 hrtimer_interrupt+0xe4/0x240 arch_timer_handler_phys+0x30/0x40 handle_percpu_devid_irq+0x80/0x130 handle_domain_irq+0x5c/0x90 gic_handle_irq+0x8c/0xb4 do_interrupt_handler+0x30/0x54 el1_interrupt+0x2c/0x4c el1h_64_irq_handler+0x14/0x1c el1h_64_irq+0x74/0x78 do_raw_spin_lock+0x60/0x100 _raw_spin_lock_bh+0x1c/0x2c ath11k_dp_rx_mon_mpdu_pop.constprop.0+0x174/0x650 ath11k_dp_rx_process_mon_status+0x8b4/0xa80 ath11k_dp_rx_process_mon_rings+0x244/0x510 ath11k_dp_service_srng+0x190/0x300 ath11k_pcic_ext_grp_napi_poll+0x30/0xc0 __napi_poll+0x34/0x174 net_rx_action+0xf8/0x2a0 _stext+0x12c/0x2ac irq_exit+0x94/0xc0 handle_domain_irq+0x60/0x90 gic_handle_irq+0x8c/0xb4 call_on_irq_stack+0x28/0x44 do_interrupt_handler+0x4c/0x54 el1_interrupt+0x2c/0x4c el1h_64_irq_handler+0x14/0x1c el1h_64_irq+0x74/0x78 arch_cpu_idle+0x14/0x20 do_idle+0xf0/0x130 cpu_startup_entry+0x24/0x50 rest_init+0xf8/0x104 arch_call_rest_init+0xc/0x14 start_kernel+0x56c/0x58c __primary_switched+0xa0/0xa8 Thus ath11k_dp_rx_mon_dest_process(), which use classical destination entry format, should no be called on full monitor capable HW. Fixes: 67a9d399fcb0 ("ath11k: enable RX PPDU stats in monitor co-exist mode") Signed-off-by: Remi Pommarel Reviewed-by: Praneesh P Link: https://patch.msgid.link/20240924194119.15942-1-repk@triplefau.lt Signed-off-by: Jeff Johnson Signed-off-by: Sasha Levin commit aec17e706573bd335e57691e1771c2996a20c3a9 Author: Felix Fietkau Date: Sun Oct 6 17:36:30 2024 +0200 wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys [ Upstream commit 52009b419355195912a628d0a9847922e90c348c ] Sync iterator conditions with ieee80211_iter_keys_rcu. Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys") Signed-off-by: Felix Fietkau Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 729e3c439a0665eb5fb88746c6cbee5a6558cade Author: Geert Uytterhoeven Date: Tue Sep 24 14:08:57 2024 +0200 mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING [ Upstream commit b3e046c31441d182b954fc2f57b2dc38c71ad4bc ] When tracing is disabled, there is no point in asking the user about enabling tracing of all mac80211 debug messages. Fixes: 3fae0273168026ed ("mac80211: trace debug messages") Signed-off-by: Geert Uytterhoeven Link: https://patch.msgid.link/85bbe38ce0df13350f45714e2dc288cc70947a19.1727179690.git.geert@linux-m68k.org Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit e8b09adaba3fc79d5859d5482301f4db67ca16d8 Author: Ben Hutchings Date: Thu Sep 12 01:01:21 2024 +0200 wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() [ Upstream commit d4cdc46ca16a5c78b36c5b9b6ad8cac09d6130a0 ] iwlegacy uses command buffers with a payload size of 320 bytes (default) or 4092 bytes (huge). The struct il_device_cmd type describes the default buffers and there is no separate type describing the huge buffers. The il_enqueue_hcmd() function works with both default and huge buffers, and has a memcpy() to the buffer payload. The size of this copy may exceed 320 bytes when using a huge buffer, which now results in a run-time warning: memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320) To fix this: - Define a new struct type for huge buffers, with a correctly sized payload field - When using a huge buffer in il_enqueue_hcmd(), cast the command buffer pointer to that type when looking up the payload field Reported-by: Martin-Éric Racine References: https://bugs.debian.org/1062421 References: https://bugzilla.kernel.org/show_bug.cgi?id=219124 Signed-off-by: Ben Hutchings Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()") Tested-by: Martin-Éric Racine Tested-by: Brandon Nielsen Acked-by: Stanislaw Gruszka Signed-off-by: Kalle Valo Link: https://patch.msgid.link/ZuIhQRi/791vlUhE@decadent.org.uk Signed-off-by: Sasha Levin commit 85db8fefd5c328a1fbd15656e5d64c52832d9314 Author: John Garry Date: Fri Oct 18 10:16:55 2024 +0000 scsi: scsi_debug: Fix do_device_access() handling of unexpected SG copy length [ Upstream commit d28d17a845600dd9f7de241de9b1528a1b138716 ] If the sg_copy_buffer() call returns less than sdebug_sector_size, then we drop out of the copy loop. However, we still report that we copied the full expected amount, which is not proper. Fix by keeping a running total and return that value. Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support") Reported-by: Colin Ian King Suggested-by: Dan Carpenter Signed-off-by: John Garry Link: https://lore.kernel.org/r/20241018101655.4207-1-john.g.garry@oracle.com Reviewed-by: Dan Carpenter Reviewed-by: Colin Ian King Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9da9ed5203c020610055c9acf47aceab8d9015f6 Author: Arnaldo Carvalho de Melo Date: Wed Oct 23 16:12:57 2024 -0300 perf python: Fix up the build on architectures without HAVE_KVM_STAT_SUPPORT [ Upstream commit 758f18158952a6287ac23679ec04c32d44ca5368 ] Noticed while building on a raspbian arm 32-bit system. There was also this other case, fixed by adding a missing util/stat.h with the prototypes: /tmp/tmp.MbiSHoF3dj/perf-6.12.0-rc3/tools/perf/util/python.c:1396:6: error: no previous prototype for ‘perf_stat__set_no_csv_summary’ [-Werror=missing-prototypes] 1396 | void perf_stat__set_no_csv_summary(int set __maybe_unused) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /tmp/tmp.MbiSHoF3dj/perf-6.12.0-rc3/tools/perf/util/python.c:1400:6: error: no previous prototype for ‘perf_stat__set_big_num’ [-Werror=missing-prototypes] 1400 | void perf_stat__set_big_num(int set __maybe_unused) | ^~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors In other architectures this must be building due to some lucky indirect inclusion of that header. Fixes: 9dabf4003423c8d3 ("perf python: Switch module to linking libraries from building source") Reviewed-by: Ian Rogers Cc: Adrian Hunter Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Link: https://lore.kernel.org/lkml/ZxllAtpmEw5fg9oy@x1 Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 5eb419f55db39d2adbd165e414305f14b5f80c45 Author: Jiri Slaby Date: Tue Oct 22 17:22:36 2024 -0300 perf trace: Fix non-listed archs in the syscalltbl routines [ Upstream commit 5d35634ecc2d2c3938bd7dc23df0ad046da1b303 ] This fixes a build breakage on 32-bit arm, where the syscalltbl__id_at_idx() function was missing. Committer notes: Generating a proper syscall table from a copy of arch/arm/tools/syscall.tbl ends up being too big a patch for this rc stage, I started doing it but while testing noticed some other problems with using BPF to collect pointer args on arm7 (32-bit) will maybe continue trying to make it work on the next cycle... Fixes: 7a2fb5619cc1fb53 ("perf trace: Fix iteration of syscall ids in syscalltbl->entries") Suggested-by: Howard Chu Signed-off-by: Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Howard Chu Cc: Ian Rogers Cc: Jiri Olsa Link: https://lore.kernel.org/lkml/3a592835-a14f-40be-8961-c0cee7720a94@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 79aea7dfd98fbbf282d1408fc21849fc9a677768 Author: Pei Xiao Date: Wed Oct 23 14:21:17 2024 +0800 slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof [ Upstream commit 2b059d0d1e624adc6e69a754bc48057f8bf459dc ] 'modprobe slub_kunit' will have a warning as shown below. The root cause is that __kmalloc_cache_noprof was directly used, which resulted in no alloc_tag being allocated. This caused current->alloc_tag to be null, leading to a warning in alloc_tag_add_check. Let's add an alloc_hook layer to __kmalloc_cache_noprof specifically within lib/slub_kunit.c, which is the only user of this internal slub function outside kmalloc implementation itself. [58162.947016] WARNING: CPU: 2 PID: 6210 at ./include/linux/alloc_tag.h:125 alloc_tagging_slab_alloc_hook+0x268/0x27c [58162.957721] Call trace: [58162.957919] alloc_tagging_slab_alloc_hook+0x268/0x27c [58162.958286] __kmalloc_cache_noprof+0x14c/0x344 [58162.958615] test_kmalloc_redzone_access+0x50/0x10c [slub_kunit] [58162.959045] kunit_try_run_case+0x74/0x184 [kunit] [58162.959401] kunit_generic_run_threadfn_adapter+0x2c/0x4c [kunit] [58162.959841] kthread+0x10c/0x118 [58162.960093] ret_from_fork+0x10/0x20 [58162.960363] ---[ end trace 0000000000000000 ]--- Signed-off-by: Pei Xiao Fixes: a0a44d9175b3 ("mm, slab: don't wrap internal functions with alloc_hooks()") Signed-off-by: Vlastimil Babka Signed-off-by: Sasha Levin commit 95d0b16ef7b3ef8d20da376ac3fc05ea8acf2411 Author: Georgi Djakov Date: Wed Oct 9 02:16:15 2024 +0300 spi: geni-qcom: Fix boot warning related to pm_runtime and devres [ Upstream commit d0ccf760a405d243a49485be0a43bd5b66ed17e2 ] During boot, users sometimes observe the following warning: [7.841431] WARNING: CPU: 4 PID: 492 at drivers/interconnect/core.c:685 __icc_enable (drivers/interconnect/core.c:685 (discriminator 7)) [..] [7.841541] Call trace: [7.841542] __icc_enable (drivers/interconnect/core.c:685 (discriminator 7)) [7.841545] icc_disable (drivers/interconnect/core.c:708) [7.841547] geni_icc_disable (drivers/soc/qcom/qcom-geni-se.c:862) [7.841553] spi_geni_runtime_suspend+0x3c/0x4c spi_geni_qcom This occurs when the spi-geni driver receives an -EPROBE_DEFER error from spi_geni_grab_gpi_chan(), causing devres to start releasing all resources as shown below: [7.138679] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_icc_release (8 bytes) [7.138751] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_icc_release (8 bytes) [7.138827] geni_spi 880000.spi: DEVRES REL ffff800081443800 pm_runtime_disable_action (16 bytes) [7.139494] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_pm_opp_config_release (16 bytes) [7.139512] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_spi_release_controller (8 bytes) [7.139516] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_clk_release (16 bytes) [7.139519] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_ioremap_release (8 bytes) [7.139524] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_region_release (24 bytes) [7.139527] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_kzalloc_release (22 bytes) [7.139530] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_pinctrl_release (8 bytes) [7.139539] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_kzalloc_release (40 bytes) The issue here is that pm_runtime_disable_action() results in a call to spi_geni_runtime_suspend(), which attempts to suspend the device and disable an interconnect path that devm_icc_release() has just released. Resolve this by calling geni_icc_get() before enabling runtime PM. This approach ensures that when devres releases resources in reverse order, it will start with pm_runtime_disable_action(), suspending the device, and then proceed to free the remaining resources. Reported-by: Naresh Kamboju Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/r/CA+G9fYtsjFtddG8i+k-SpV8U6okL0p4zpsTiwGfNH5GUA8dWAA@mail.gmail.com Fixes: 89e362c883c6 ("spi: geni-qcom: Undo runtime PM changes at driver exit time") Signed-off-by: Georgi Djakov Link: https://patch.msgid.link/20241008231615.430073-1-djakov@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7b4c3d366b251d7362ffc6d6da1187f0a66dab3c Author: Xiu Jianfeng Date: Sat Oct 12 07:22:46 2024 +0000 cgroup: Fix potential overflow issue when checking max_depth [ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ] cgroup.max.depth is the maximum allowed descent depth below the current cgroup. If the actual descent depth is equal or larger, an attempt to create a new child cgroup will fail. However due to the cgroup->max_depth is of int type and having the default value INT_MAX, the condition 'level > cgroup->max_depth' will never be satisfied, and it will cause an overflow of the level after it reaches to INT_MAX. Fix it by starting the level from 0 and using '>=' instead. It's worth mentioning that this issue is unlikely to occur in reality, as it's impossible to have a depth of INT_MAX hierarchy, but should be be avoided logically. Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits") Signed-off-by: Xiu Jianfeng Reviewed-by: Michal Koutný Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit def7d40da0333e6f3afad12c2333cceac1d368b6 Author: Frank Min Date: Thu Oct 10 16:41:32 2024 +0800 drm/amdgpu: fix random data corruption for sdma 7 [ Upstream commit 108bc59fe817686a59d2008f217bad38a5cf4427 ] There is random data corruption caused by const fill, this is caused by write compression mode not correctly configured. So correct compression mode for const fill. Signed-off-by: Frank Min Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 75400f8d6e36afc88d59db8a1f3e4b7d90d836ad) Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Sasha Levin