- Linux-stable-mirror - lists.linaro.org

[PATCH] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access

by Seungjin Bae

In the max3420_set_clear_feature() function, the endpoint index `id` can have a value from 0 to 15. However, the udc->ep array is initialized with a maximum of 4 endpoints in max3420_eps_init(). If host sends a request with a wIndex greater than 3, the access to `udc->ep[id]` will go out-of-bounds, leading to memory corruption or a potential kernel crash. This bug was found by code inspection and has not been tested on hardware. Fixes: 48ba02b2e2b1a ("usb: gadget: add udc driver for max3420") Cc: stable(a)vger.kernel.org Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> --- drivers/usb/gadget/udc/max3420_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c index 7349ea774adf..e4ecc7f7f3be 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c @@ -596,6 +596,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc) break; id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (id >= MAX3420_MAX_EPS) + break; ep = &udc->ep[id]; spin_lock_irqsave(&ep->lock, flags); -- 2.43.0

3 days, 5 hours

2
3
0 0

[PATCH v3 1/7] mm/shmem, swap: improve cached mTHP handling and fix potential hung

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> The current swap-in code assumes that, when a swap entry in shmem mapping is order 0, its cached folios (if present) must be order 0 too, which turns out not always correct. The problem is shmem_split_large_entry is called before verifying the folio will eventually be swapped in, one possible race is: CPU1 CPU2 shmem_swapin_folio /* swap in of order > 0 swap entry S1 */ folio = swap_cache_get_folio /* folio = NULL */ order = xa_get_order /* order > 0 */ folio = shmem_swap_alloc_folio /* mTHP alloc failure, folio = NULL */ <... Interrupted ...> shmem_swapin_folio /* S1 is swapped in */ shmem_writeout /* S1 is swapped out, folio cached */ shmem_split_large_entry(..., S1) /* S1 is split, but the folio covering it has order > 0 now */ Now any following swapin of S1 will hang: `xa_get_order` returns 0, and folio lookup will return a folio with order > 0. The `xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always return false causing swap-in to return -EEXIST. And this looks fragile. So fix this up by allowing seeing a larger folio in swap cache, and check the whole shmem mapping range covered by the swapin have the right swap value upon inserting the folio. And drop the redundant tree walks before the insertion. This will actually improve performance, as it avoids two redundant Xarray tree walks in the hot path, and the only side effect is that in the failure path, shmem may redundantly reallocate a few folios causing temporary slight memory pressure. And worth noting, it may seems the order and value check before inserting might help reducing the lock contention, which is not true. The swap cache layer ensures raced swapin will either see a swap cache folio or failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is bypassed), so holding the folio lock and checking the folio flag is already good enough for avoiding the lock contention. The chance that a folio passes the swap entry value check but the shmem mapping slot has changed should be very low. Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> --- mm/shmem.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 334b7b4a61a0..e3c9a1365ff4 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struct folio *folio, pgoff_t index, void *expected, gfp_t gfp) { XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); - long nr = folio_nr_pages(folio); + unsigned long nr = folio_nr_pages(folio); + swp_entry_t iter, swap; + void *entry; VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); @@ -896,14 +898,24 @@ static int shmem_add_to_page_cache(struct folio *folio, gfp &= GFP_RECLAIM_MASK; folio_throttle_swaprate(folio, gfp); + swap = iter = radix_to_swp_entry(expected); do { xas_lock_irq(&xas); - if (expected != xas_find_conflict(&xas)) { - xas_set_err(&xas, -EEXIST); - goto unlock; + xas_for_each_conflict(&xas, entry) { + /* + * The range must either be empty, or filled with + * expected swap entries. Shmem swap entries are never + * partially freed without split of both entry and + * folio, so there shouldn't be any holes. + */ + if (!expected || entry != swp_to_radix_entry(iter)) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } + iter.val += 1 << xas_get_order(&xas); } - if (expected && xas_find_conflict(&xas)) { + if (expected && iter.val - nr != swap.val) { xas_set_err(&xas, -EEXIST); goto unlock; } @@ -2323,7 +2335,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, error = -ENOMEM; goto failed; } - } else if (order != folio_order(folio)) { + } else if (order > folio_order(folio)) { /* * Swap readahead may swap in order 0 folios into swapcache * asynchronously, while the shmem mapping can still stores @@ -2348,15 +2360,15 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); } + } else if (order < folio_order(folio)) { + swap.val = round_down(swap.val, 1 << folio_order(folio)); } alloced: /* We have to do this with folio locked to prevent races */ folio_lock(folio); if ((!skip_swapcache && !folio_test_swapcache(folio)) || - folio->swap.val != swap.val || - !shmem_confirm_swap(mapping, index, swap) || - xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { + folio->swap.val != swap.val) { error = -EEXIST; goto unlock; } -- 2.50.0

3 days, 6 hours

2
1
0 0

+ mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: handle damon_call_control as normal under kdmond deactivation has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: handle damon_call_control as normal under kdmond deactivation Date: Sun, 29 Jun 2025 13:49:14 -0700 DAMON sysfs interface internally uses damon_call() to update DAMON parameters as users requested, online. However, DAMON core cancels any damon_call() requests when it is deactivated by DAMOS watermarks. As a result, users cannot change DAMON parameters online while DAMON is deactivated. Note that users can turn DAMON off and on with different watermarks to work around. Since deactivated DAMON is nearly same to stopped DAMON, the work around should have no big problem. Anyway, a bug is a bug. There is no real good reason to cancel the damon_call() request under DAMOS deactivation. Fix it by simply handling the request as normal, rather than cancelling under the situation. Link: https://lkml.kernel.org/r/20250629204914.54114-1-sj@kernel.org Fixes: 42b7491af14c ("mm/damon/core: introduce damon_call()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/mm/damon/core.c~mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation +++ a/mm/damon/core.c @@ -2355,9 +2355,8 @@ static void kdamond_usleep(unsigned long * * If there is a &struct damon_call_control request that registered via * &damon_call() on @ctx, do or cancel the invocation of the function depending - * on @cancel. @cancel is set when the kdamond is deactivated by DAMOS - * watermarks, or the kdamond is already out of the main loop and therefore - * will be terminated. + * on @cancel. @cancel is set when the kdamond is already out of the main loop + * and therefore will be terminated. */ static void kdamond_call(struct damon_ctx *ctx, bool cancel) { @@ -2405,7 +2404,7 @@ static int kdamond_wait_activation(struc if (ctx->callback.after_wmarks_check && ctx->callback.after_wmarks_check(ctx)) break; - kdamond_call(ctx, true); + kdamond_call(ctx, false); damos_walk_cancel(ctx); } return -EBUSY; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation.patch mm-damon-introduce-damon_stat-module.patch mm-damon-introduce-damon_stat-module-fix.patch mm-damon-stat-calculate-and-expose-estimated-memory-bandwidth.patch mm-damon-stat-calculate-and-expose-idle-time-percentiles.patch docs-admin-guide-mm-damon-add-damon_stat-usage-document.patch mm-damon-paddr-use-alloc_migartion_target-with-no-migration-fallback-nodemask.patch revert-mm-rename-alloc_demote_folio-to-alloc_migrate_folio.patch revert-mm-make-alloc_demote_folio-externally-invokable-for-migration.patch selftets-damon-add-a-test-for-memcg_path-leak.patch mm-damon-sysfs-schemes-decouple-from-damos_quota_goal_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_action.patch mm-damon-sysfs-schemes-decouple-from-damos_wmark_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_filter_type.patch mm-damon-sysfs-decouple-from-damon_ops_id.patch

3 days, 12 hours

1
0
0 0

[PATCH] mm/damon/core: handle damon_call_control as normal under kdmond deactivation

by SeongJae Park

DAMON sysfs interface internally uses damon_call() to update DAMON parameters as users requested, online. However, DAMON core cancels any damon_call() requests when it is deactivated by DAMOS watermarks. As a result, users cannot change DAMON parameters online while DAMON is deactivated. Note that users can turn DAMON off and on with different watermarks to work around. Since deactivated DAMON is nearly same to stopped DAMON, the work around should have no big problem. Anyway, a bug is a bug. There is no real good reason to cancel the damon_call() request under DAMOS deactivation. Fix it by simply handling the request as normal, rather than cancelling under the situation. Fixes: 42b7491af14c ("mm/damon/core: introduce damon_call()") Cc: stable(a)vger.kernel.org # 6.14.x Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index b217e0120e09..bc2e58c1222d 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -2355,9 +2355,8 @@ static void kdamond_usleep(unsigned long usecs) * * If there is a &struct damon_call_control request that registered via * &damon_call() on @ctx, do or cancel the invocation of the function depending - * on @cancel. @cancel is set when the kdamond is deactivated by DAMOS - * watermarks, or the kdamond is already out of the main loop and therefore - * will be terminated. + * on @cancel. @cancel is set when the kdamond is already out of the main loop + * and therefore will be terminated. */ static void kdamond_call(struct damon_ctx *ctx, bool cancel) { @@ -2405,7 +2404,7 @@ static int kdamond_wait_activation(struct damon_ctx *ctx) if (ctx->callback.after_wmarks_check && ctx->callback.after_wmarks_check(ctx)) break; - kdamond_call(ctx, true); + kdamond_call(ctx, false); damos_walk_cancel(ctx); } return -EBUSY; base-commit: 8f6082b6e60e05f9bcd5c39b19ede995a8975283 -- 2.39.5

3 days, 13 hours

1
0
0 0

FAILED: patch "[PATCH] io_uring/kbuf: flag partial buffer mappings" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 178b8ff66ff827c41b4fa105e9aabb99a0b5c537 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062920-conch-hypnotist-d63d@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 178b8ff66ff827c41b4fa105e9aabb99a0b5c537 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 26 Jun 2025 12:17:48 -0600 Subject: [PATCH] io_uring/kbuf: flag partial buffer mappings A previous commit aborted mapping more for a non-incremental ring for bundle peeking, but depending on where in the process this peeking happened, it would not necessarily prevent a retry by the user. That can create gaps in the received/read data. Add struct buf_sel_arg->partial_map, which can pass this information back. The networking side can then map that to internal state and use it to gate retry as well. Since this necessitates a new flag, change io_sr_msg->retry to a retry_flags member, and store both the retry and partial map condition in there. Cc: stable(a)vger.kernel.org Fixes: 26ec15e4b0c1 ("io_uring/kbuf: don't truncate end buffer for multiple buffer peeks") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index ce95e3af44a9..f2d2cc319faa 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -271,6 +271,7 @@ static int io_ring_buffers_peek(struct io_kiocb *req, struct buf_sel_arg *arg, if (len > arg->max_len) { len = arg->max_len; if (!(bl->flags & IOBL_INC)) { + arg->partial_map = 1; if (iov != arg->iovs) break; buf->len = len; diff --git a/io_uring/kbuf.h b/io_uring/kbuf.h index 5d83c7adc739..723d0361898e 100644 --- a/io_uring/kbuf.h +++ b/io_uring/kbuf.h @@ -58,7 +58,8 @@ struct buf_sel_arg { size_t max_len; unsigned short nr_iovs; unsigned short mode; - unsigned buf_group; + unsigned short buf_group; + unsigned short partial_map; }; void __user *io_buffer_select(struct io_kiocb *req, size_t *len, diff --git a/io_uring/net.c b/io_uring/net.c index 5c1e8c4ba468..43a43522f406 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -75,12 +75,17 @@ struct io_sr_msg { u16 flags; /* initialised and used only by !msg send variants */ u16 buf_group; - bool retry; + unsigned short retry_flags; void __user *msg_control; /* used only for send zerocopy */ struct io_kiocb *notif; }; +enum sr_retry_flags { + IO_SR_MSG_RETRY = 1, + IO_SR_MSG_PARTIAL_MAP = 2, +}; + /* * Number of times we'll try and do receives if there's more data. If we * exceed this limit, then add us to the back of the queue and retry from @@ -187,7 +192,7 @@ static inline void io_mshot_prep_retry(struct io_kiocb *req, req->flags &= ~REQ_F_BL_EMPTY; sr->done_io = 0; - sr->retry = false; + sr->retry_flags = 0; sr->len = 0; /* get from the provided buffer */ } @@ -397,7 +402,7 @@ int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); sr->done_io = 0; - sr->retry = false; + sr->retry_flags = 0; sr->len = READ_ONCE(sqe->len); sr->flags = READ_ONCE(sqe->ioprio); if (sr->flags & ~SENDMSG_FLAGS) @@ -751,7 +756,7 @@ int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); sr->done_io = 0; - sr->retry = false; + sr->retry_flags = 0; if (unlikely(sqe->file_index || sqe->addr2)) return -EINVAL; @@ -823,7 +828,7 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, cflags |= io_put_kbufs(req, this_ret, io_bundle_nbufs(kmsg, this_ret), issue_flags); - if (sr->retry) + if (sr->retry_flags & IO_SR_MSG_RETRY) cflags = req->cqe.flags | (cflags & CQE_F_MASK); /* bundle with no more immediate buffers, we're done */ if (req->flags & REQ_F_BL_EMPTY) @@ -832,12 +837,12 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, * If more is available AND it was a full transfer, retry and * append to this one */ - if (!sr->retry && kmsg->msg.msg_inq > 1 && this_ret > 0 && + if (!sr->retry_flags && kmsg->msg.msg_inq > 1 && this_ret > 0 && !iov_iter_count(&kmsg->msg.msg_iter)) { req->cqe.flags = cflags & ~CQE_F_MASK; sr->len = kmsg->msg.msg_inq; sr->done_io += this_ret; - sr->retry = true; + sr->retry_flags |= IO_SR_MSG_RETRY; return false; } } else { @@ -1082,6 +1087,8 @@ static int io_recv_buf_select(struct io_kiocb *req, struct io_async_msghdr *kmsg kmsg->vec.iovec = arg.iovs; req->flags |= REQ_F_NEED_CLEANUP; } + if (arg.partial_map) + sr->retry_flags |= IO_SR_MSG_PARTIAL_MAP; /* special case 1 vec, can be a fast path */ if (ret == 1) { @@ -1276,7 +1283,7 @@ int io_send_zc_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) int ret; zc->done_io = 0; - zc->retry = false; + zc->retry_flags = 0; if (unlikely(READ_ONCE(sqe->__pad2[0]) || READ_ONCE(sqe->addr3))) return -EINVAL;

3 days, 15 hours

2
1
0 0

Re: arch/x86/Makefile REALMODE_CFLAGS needs -std=gnu11 with recent GCC versions

by Borislav Petkov

+ stable folks. On Sun, Jun 29, 2025 at 11:15:13AM -0400, Dennis Clarke wrote: > > Code fix for due to https://bugzilla.kernel.org/show_bug.cgi?id=220294 > > The summary is that recent GCC versions ( 15.1.0 today ) will assume C23 > spec compliance and get upset with ye old A20 address line code bits. > > This problem exists previous to the 6.12.35 release tarballs and is > fixed with commit b3bee1e7c3f2b1b77182302c7b2131c804175870 applied. > > The newer GCC revisions will be quite popular soon enough and this may > bite people when that happens. I don't know what the rules are for building 6.1-stable with gcc-15 but if they do that, then 6.1 will need to pick up the abovementioned commit: b3bee1e7c3f2 ("x86/boot: Compile boot code with -std=gnu11 too") Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette

3 days, 18 hours

1
0
0 0

Re: Patch "smb: client: make use of common smbdirect_socket_parameters" has been added to the 6.12-stable tree

by Stefan Metzmacher

Hi, if these patches are backported to stable then 1944f6ab4967db7ad8d4db527dceae8c77de76e9 "smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data" can also be backported as is. I just added the "Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be info->max_send_size in backports" because I thought they would not be backported. I'm fine with backporting the header changes... @Steve: Do you agree? Thanks! metze Am 29.06.25 um 16:28 schrieb Sasha Levin: > This is a note to let you know that I've just added the patch titled > > smb: client: make use of common smbdirect_socket_parameters > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > smb-client-make-use-of-common-smbdirect_socket_param.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit a1fa1698297356797d7a0379b7e056744fd133ac > Author: Stefan Metzmacher <metze(a)samba.org> > Date: Wed May 28 18:01:40 2025 +0200 > > smb: client: make use of common smbdirect_socket_parameters > > [ Upstream commit cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 ] > > Cc: Steve French <smfrench(a)gmail.com> > Cc: Tom Talpey <tom(a)talpey.com> > Cc: Long Li <longli(a)microsoft.com> > Cc: Namjae Jeon <linkinjeon(a)kernel.org> > Cc: Hyunchul Lee <hyc.lee(a)gmail.com> > Cc: Meetakshi Setiya <meetakshisetiyaoss(a)gmail.com> > Cc: linux-cifs(a)vger.kernel.org > Cc: samba-technical(a)lists.samba.org > Signed-off-by: Stefan Metzmacher <metze(a)samba.org> > Signed-off-by: Steve French <stfrench(a)microsoft.com> > Stable-dep-of: 43e7e284fc77 ("cifs: Fix the smbd_response slab to allow usercopy") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c > index 56b0b5c82dd19..c0196be0e65fc 100644 > --- a/fs/smb/client/cifs_debug.c > +++ b/fs/smb/client/cifs_debug.c > @@ -362,6 +362,10 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) > c = 0; > spin_lock(&cifs_tcp_ses_lock); > list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { > +#ifdef CONFIG_CIFS_SMB_DIRECT > + struct smbdirect_socket_parameters *sp; > +#endif > + > /* channel info will be printed as a part of sessions below */ > if (SERVER_IS_CHAN(server)) > continue; > @@ -383,6 +387,7 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) > seq_printf(m, "\nSMBDirect transport not available"); > goto skip_rdma; > } > + sp = &server->smbd_conn->socket.parameters; > > seq_printf(m, "\nSMBDirect (in hex) protocol version: %x " > "transport status: %x", > @@ -390,18 +395,18 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) > server->smbd_conn->socket.status); > seq_printf(m, "\nConn receive_credit_max: %x " > "send_credit_target: %x max_send_size: %x", > - server->smbd_conn->receive_credit_max, > - server->smbd_conn->send_credit_target, > - server->smbd_conn->max_send_size); > + sp->recv_credit_max, > + sp->send_credit_target, > + sp->max_send_size); > seq_printf(m, "\nConn max_fragmented_recv_size: %x " > "max_fragmented_send_size: %x max_receive_size:%x", > - server->smbd_conn->max_fragmented_recv_size, > - server->smbd_conn->max_fragmented_send_size, > - server->smbd_conn->max_receive_size); > + sp->max_fragmented_recv_size, > + sp->max_fragmented_send_size, > + sp->max_recv_size); > seq_printf(m, "\nConn keep_alive_interval: %x " > "max_readwrite_size: %x rdma_readwrite_threshold: %x", > - server->smbd_conn->keep_alive_interval, > - server->smbd_conn->max_readwrite_size, > + sp->keepalive_interval_msec * 1000, > + sp->max_read_write_size, > server->smbd_conn->rdma_readwrite_threshold); > seq_printf(m, "\nDebug count_get_receive_buffer: %x " > "count_put_receive_buffer: %x count_send_empty: %x", > diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c > index 74bcc51ccd32f..e596bc4837b68 100644 > --- a/fs/smb/client/smb2ops.c > +++ b/fs/smb/client/smb2ops.c > @@ -504,6 +504,9 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct smb3_fs_context *ctx) > wsize = min_t(unsigned int, wsize, server->max_write); > #ifdef CONFIG_CIFS_SMB_DIRECT > if (server->rdma) { > + struct smbdirect_socket_parameters *sp = > + &server->smbd_conn->socket.parameters; > + > if (server->sign) > /* > * Account for SMB2 data transfer packet header and > @@ -511,12 +514,12 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct smb3_fs_context *ctx) > */ > wsize = min_t(unsigned int, > wsize, > - server->smbd_conn->max_fragmented_send_size - > + sp->max_fragmented_send_size - > SMB2_READWRITE_PDU_HEADER_SIZE - > sizeof(struct smb2_transform_hdr)); > else > wsize = min_t(unsigned int, > - wsize, server->smbd_conn->max_readwrite_size); > + wsize, sp->max_read_write_size); > } > #endif > if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) > @@ -552,6 +555,9 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct smb3_fs_context *ctx) > rsize = min_t(unsigned int, rsize, server->max_read); > #ifdef CONFIG_CIFS_SMB_DIRECT > if (server->rdma) { > + struct smbdirect_socket_parameters *sp = > + &server->smbd_conn->socket.parameters; > + > if (server->sign) > /* > * Account for SMB2 data transfer packet header and > @@ -559,12 +565,12 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct smb3_fs_context *ctx) > */ > rsize = min_t(unsigned int, > rsize, > - server->smbd_conn->max_fragmented_recv_size - > + sp->max_fragmented_recv_size - > SMB2_READWRITE_PDU_HEADER_SIZE - > sizeof(struct smb2_transform_hdr)); > else > rsize = min_t(unsigned int, > - rsize, server->smbd_conn->max_readwrite_size); > + rsize, sp->max_read_write_size); > } > #endif > > diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c > index ac489df8151a1..cbc85bca006f7 100644 > --- a/fs/smb/client/smbdirect.c > +++ b/fs/smb/client/smbdirect.c > @@ -320,6 +320,8 @@ static bool process_negotiation_response( > struct smbd_response *response, int packet_length) > { > struct smbd_connection *info = response->info; > + struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > struct smbdirect_negotiate_resp *packet = smbd_response_payload(response); > > if (packet_length < sizeof(struct smbdirect_negotiate_resp)) { > @@ -349,20 +351,20 @@ static bool process_negotiation_response( > > atomic_set(&info->receive_credits, 0); > > - if (le32_to_cpu(packet->preferred_send_size) > info->max_receive_size) { > + if (le32_to_cpu(packet->preferred_send_size) > sp->max_recv_size) { > log_rdma_event(ERR, "error: preferred_send_size=%d\n", > le32_to_cpu(packet->preferred_send_size)); > return false; > } > - info->max_receive_size = le32_to_cpu(packet->preferred_send_size); > + sp->max_recv_size = le32_to_cpu(packet->preferred_send_size); > > if (le32_to_cpu(packet->max_receive_size) < SMBD_MIN_RECEIVE_SIZE) { > log_rdma_event(ERR, "error: max_receive_size=%d\n", > le32_to_cpu(packet->max_receive_size)); > return false; > } > - info->max_send_size = min_t(int, info->max_send_size, > - le32_to_cpu(packet->max_receive_size)); > + sp->max_send_size = min_t(u32, sp->max_send_size, > + le32_to_cpu(packet->max_receive_size)); > > if (le32_to_cpu(packet->max_fragmented_size) < > SMBD_MIN_FRAGMENTED_SIZE) { > @@ -370,18 +372,18 @@ static bool process_negotiation_response( > le32_to_cpu(packet->max_fragmented_size)); > return false; > } > - info->max_fragmented_send_size = > + sp->max_fragmented_send_size = > le32_to_cpu(packet->max_fragmented_size); > info->rdma_readwrite_threshold = > - rdma_readwrite_threshold > info->max_fragmented_send_size ? > - info->max_fragmented_send_size : > + rdma_readwrite_threshold > sp->max_fragmented_send_size ? > + sp->max_fragmented_send_size : > rdma_readwrite_threshold; > > > - info->max_readwrite_size = min_t(u32, > + sp->max_read_write_size = min_t(u32, > le32_to_cpu(packet->max_readwrite_size), > info->max_frmr_depth * PAGE_SIZE); > - info->max_frmr_depth = info->max_readwrite_size / PAGE_SIZE; > + info->max_frmr_depth = sp->max_read_write_size / PAGE_SIZE; > > return true; > } > @@ -689,6 +691,7 @@ static int smbd_ia_open( > static int smbd_post_send_negotiate_req(struct smbd_connection *info) > { > struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > struct ib_send_wr send_wr; > int rc = -ENOMEM; > struct smbd_request *request; > @@ -704,11 +707,11 @@ static int smbd_post_send_negotiate_req(struct smbd_connection *info) > packet->min_version = cpu_to_le16(SMBDIRECT_V1); > packet->max_version = cpu_to_le16(SMBDIRECT_V1); > packet->reserved = 0; > - packet->credits_requested = cpu_to_le16(info->send_credit_target); > - packet->preferred_send_size = cpu_to_le32(info->max_send_size); > - packet->max_receive_size = cpu_to_le32(info->max_receive_size); > + packet->credits_requested = cpu_to_le16(sp->send_credit_target); > + packet->preferred_send_size = cpu_to_le32(sp->max_send_size); > + packet->max_receive_size = cpu_to_le32(sp->max_recv_size); > packet->max_fragmented_size = > - cpu_to_le32(info->max_fragmented_recv_size); > + cpu_to_le32(sp->max_fragmented_recv_size); > > request->num_sge = 1; > request->sge[0].addr = ib_dma_map_single( > @@ -800,6 +803,7 @@ static int smbd_post_send(struct smbd_connection *info, > struct smbd_request *request) > { > struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > struct ib_send_wr send_wr; > int rc, i; > > @@ -831,7 +835,7 @@ static int smbd_post_send(struct smbd_connection *info, > } else > /* Reset timer for idle connection after packet is sent */ > mod_delayed_work(info->workqueue, &info->idle_timer_work, > - info->keep_alive_interval*HZ); > + msecs_to_jiffies(sp->keepalive_interval_msec)); > > return rc; > } > @@ -841,6 +845,7 @@ static int smbd_post_send_iter(struct smbd_connection *info, > int *_remaining_data_length) > { > struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > int i, rc; > int header_length; > int data_length; > @@ -868,7 +873,7 @@ static int smbd_post_send_iter(struct smbd_connection *info, > > wait_send_queue: > wait_event(info->wait_post_send, > - atomic_read(&info->send_pending) < info->send_credit_target || > + atomic_read(&info->send_pending) < sp->send_credit_target || > sc->status != SMBDIRECT_SOCKET_CONNECTED); > > if (sc->status != SMBDIRECT_SOCKET_CONNECTED) { > @@ -878,7 +883,7 @@ static int smbd_post_send_iter(struct smbd_connection *info, > } > > if (unlikely(atomic_inc_return(&info->send_pending) > > - info->send_credit_target)) { > + sp->send_credit_target)) { > atomic_dec(&info->send_pending); > goto wait_send_queue; > } > @@ -917,7 +922,7 @@ static int smbd_post_send_iter(struct smbd_connection *info, > > /* Fill in the packet header */ > packet = smbd_request_payload(request); > - packet->credits_requested = cpu_to_le16(info->send_credit_target); > + packet->credits_requested = cpu_to_le16(sp->send_credit_target); > > new_credits = manage_credits_prior_sending(info); > atomic_add(new_credits, &info->receive_credits); > @@ -1017,16 +1022,17 @@ static int smbd_post_recv( > struct smbd_connection *info, struct smbd_response *response) > { > struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > struct ib_recv_wr recv_wr; > int rc = -EIO; > > response->sge.addr = ib_dma_map_single( > sc->ib.dev, response->packet, > - info->max_receive_size, DMA_FROM_DEVICE); > + sp->max_recv_size, DMA_FROM_DEVICE); > if (ib_dma_mapping_error(sc->ib.dev, response->sge.addr)) > return rc; > > - response->sge.length = info->max_receive_size; > + response->sge.length = sp->max_recv_size; > response->sge.lkey = sc->ib.pd->local_dma_lkey; > > response->cqe.done = recv_done; > @@ -1274,6 +1280,8 @@ static void idle_connection_timer(struct work_struct *work) > struct smbd_connection *info = container_of( > work, struct smbd_connection, > idle_timer_work.work); > + struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > > if (info->keep_alive_requested != KEEP_ALIVE_NONE) { > log_keep_alive(ERR, > @@ -1288,7 +1296,7 @@ static void idle_connection_timer(struct work_struct *work) > > /* Setup the next idle timeout work */ > queue_delayed_work(info->workqueue, &info->idle_timer_work, > - info->keep_alive_interval*HZ); > + msecs_to_jiffies(sp->keepalive_interval_msec)); > } > > /* > @@ -1300,6 +1308,7 @@ void smbd_destroy(struct TCP_Server_Info *server) > { > struct smbd_connection *info = server->smbd_conn; > struct smbdirect_socket *sc; > + struct smbdirect_socket_parameters *sp; > struct smbd_response *response; > unsigned long flags; > > @@ -1308,6 +1317,7 @@ void smbd_destroy(struct TCP_Server_Info *server) > return; > } > sc = &info->socket; > + sp = &sc->parameters; > > log_rdma_event(INFO, "destroying rdma session\n"); > if (sc->status != SMBDIRECT_SOCKET_DISCONNECTED) { > @@ -1349,7 +1359,7 @@ void smbd_destroy(struct TCP_Server_Info *server) > log_rdma_event(INFO, "free receive buffers\n"); > wait_event(info->wait_receive_queues, > info->count_receive_queue + info->count_empty_packet_queue > - == info->receive_credit_max); > + == sp->recv_credit_max); > destroy_receive_buffers(info); > > /* > @@ -1437,6 +1447,8 @@ static void destroy_caches_and_workqueue(struct smbd_connection *info) > #define MAX_NAME_LEN 80 > static int allocate_caches_and_workqueue(struct smbd_connection *info) > { > + struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > char name[MAX_NAME_LEN]; > int rc; > > @@ -1451,7 +1463,7 @@ static int allocate_caches_and_workqueue(struct smbd_connection *info) > return -ENOMEM; > > info->request_mempool = > - mempool_create(info->send_credit_target, mempool_alloc_slab, > + mempool_create(sp->send_credit_target, mempool_alloc_slab, > mempool_free_slab, info->request_cache); > if (!info->request_mempool) > goto out1; > @@ -1461,13 +1473,13 @@ static int allocate_caches_and_workqueue(struct smbd_connection *info) > kmem_cache_create( > name, > sizeof(struct smbd_response) + > - info->max_receive_size, > + sp->max_recv_size, > 0, SLAB_HWCACHE_ALIGN, NULL); > if (!info->response_cache) > goto out2; > > info->response_mempool = > - mempool_create(info->receive_credit_max, mempool_alloc_slab, > + mempool_create(sp->recv_credit_max, mempool_alloc_slab, > mempool_free_slab, info->response_cache); > if (!info->response_mempool) > goto out3; > @@ -1477,7 +1489,7 @@ static int allocate_caches_and_workqueue(struct smbd_connection *info) > if (!info->workqueue) > goto out4; > > - rc = allocate_receive_buffers(info, info->receive_credit_max); > + rc = allocate_receive_buffers(info, sp->recv_credit_max); > if (rc) { > log_rdma_event(ERR, "failed to allocate receive buffers\n"); > goto out5; > @@ -1505,6 +1517,7 @@ static struct smbd_connection *_smbd_get_connection( > int rc; > struct smbd_connection *info; > struct smbdirect_socket *sc; > + struct smbdirect_socket_parameters *sp; > struct rdma_conn_param conn_param; > struct ib_qp_init_attr qp_attr; > struct sockaddr_in *addr_in = (struct sockaddr_in *) dstaddr; > @@ -1515,6 +1528,7 @@ static struct smbd_connection *_smbd_get_connection( > if (!info) > return NULL; > sc = &info->socket; > + sp = &sc->parameters; > > sc->status = SMBDIRECT_SOCKET_CONNECTING; > rc = smbd_ia_open(info, dstaddr, port); > @@ -1541,12 +1555,12 @@ static struct smbd_connection *_smbd_get_connection( > goto config_failed; > } > > - info->receive_credit_max = smbd_receive_credit_max; > - info->send_credit_target = smbd_send_credit_target; > - info->max_send_size = smbd_max_send_size; > - info->max_fragmented_recv_size = smbd_max_fragmented_recv_size; > - info->max_receive_size = smbd_max_receive_size; > - info->keep_alive_interval = smbd_keep_alive_interval; > + sp->recv_credit_max = smbd_receive_credit_max; > + sp->send_credit_target = smbd_send_credit_target; > + sp->max_send_size = smbd_max_send_size; > + sp->max_fragmented_recv_size = smbd_max_fragmented_recv_size; > + sp->max_recv_size = smbd_max_receive_size; > + sp->keepalive_interval_msec = smbd_keep_alive_interval * 1000; > > if (sc->ib.dev->attrs.max_send_sge < SMBDIRECT_MAX_SEND_SGE || > sc->ib.dev->attrs.max_recv_sge < SMBDIRECT_MAX_RECV_SGE) { > @@ -1561,7 +1575,7 @@ static struct smbd_connection *_smbd_get_connection( > > sc->ib.send_cq = > ib_alloc_cq_any(sc->ib.dev, info, > - info->send_credit_target, IB_POLL_SOFTIRQ); > + sp->send_credit_target, IB_POLL_SOFTIRQ); > if (IS_ERR(sc->ib.send_cq)) { > sc->ib.send_cq = NULL; > goto alloc_cq_failed; > @@ -1569,7 +1583,7 @@ static struct smbd_connection *_smbd_get_connection( > > sc->ib.recv_cq = > ib_alloc_cq_any(sc->ib.dev, info, > - info->receive_credit_max, IB_POLL_SOFTIRQ); > + sp->recv_credit_max, IB_POLL_SOFTIRQ); > if (IS_ERR(sc->ib.recv_cq)) { > sc->ib.recv_cq = NULL; > goto alloc_cq_failed; > @@ -1578,8 +1592,8 @@ static struct smbd_connection *_smbd_get_connection( > memset(&qp_attr, 0, sizeof(qp_attr)); > qp_attr.event_handler = smbd_qp_async_error_upcall; > qp_attr.qp_context = info; > - qp_attr.cap.max_send_wr = info->send_credit_target; > - qp_attr.cap.max_recv_wr = info->receive_credit_max; > + qp_attr.cap.max_send_wr = sp->send_credit_target; > + qp_attr.cap.max_recv_wr = sp->recv_credit_max; > qp_attr.cap.max_send_sge = SMBDIRECT_MAX_SEND_SGE; > qp_attr.cap.max_recv_sge = SMBDIRECT_MAX_RECV_SGE; > qp_attr.cap.max_inline_data = 0; > @@ -1654,7 +1668,7 @@ static struct smbd_connection *_smbd_get_connection( > init_waitqueue_head(&info->wait_send_queue); > INIT_DELAYED_WORK(&info->idle_timer_work, idle_connection_timer); > queue_delayed_work(info->workqueue, &info->idle_timer_work, > - info->keep_alive_interval*HZ); > + msecs_to_jiffies(sp->keepalive_interval_msec)); > > init_waitqueue_head(&info->wait_send_pending); > atomic_set(&info->send_pending, 0); > @@ -1971,6 +1985,7 @@ int smbd_send(struct TCP_Server_Info *server, > { > struct smbd_connection *info = server->smbd_conn; > struct smbdirect_socket *sc = &info->socket; > + struct smbdirect_socket_parameters *sp = &sc->parameters; > struct smb_rqst *rqst; > struct iov_iter iter; > unsigned int remaining_data_length, klen; > @@ -1988,10 +2003,10 @@ int smbd_send(struct TCP_Server_Info *server, > for (i = 0; i < num_rqst; i++) > remaining_data_length += smb_rqst_len(server, &rqst_array[i]); > > - if (unlikely(remaining_data_length > info->max_fragmented_send_size)) { > + if (unlikely(remaining_data_length > sp->max_fragmented_send_size)) { > /* assertion: payload never exceeds negotiated maximum */ > log_write(ERR, "payload size %d > max size %d\n", > - remaining_data_length, info->max_fragmented_send_size); > + remaining_data_length, sp->max_fragmented_send_size); > return -EINVAL; > } > > diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h > index 4b559a4147af1..3d552ab27e0f3 100644 > --- a/fs/smb/client/smbdirect.h > +++ b/fs/smb/client/smbdirect.h > @@ -69,15 +69,7 @@ struct smbd_connection { > spinlock_t lock_new_credits_offered; > int new_credits_offered; > > - /* Connection parameters defined in [MS-SMBD] 3.1.1.1 */ > - int receive_credit_max; > - int send_credit_target; > - int max_send_size; > - int max_fragmented_recv_size; > - int max_fragmented_send_size; > - int max_receive_size; > - int keep_alive_interval; > - int max_readwrite_size; > + /* dynamic connection parameters defined in [MS-SMBD] 3.1.1.1 */ > enum keep_alive_status keep_alive_requested; > int protocol; > atomic_t send_credits;

3 days, 19 hours

1
0
0 0

FAILED: patch "[PATCH] drm/xe: move DPT l2 flush to a more sensible place" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f16873f42a06b620669d48a4b5c3f888cb3653a1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062931-astride-stoneware-df77@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f16873f42a06b620669d48a4b5c3f888cb3653a1 Mon Sep 17 00:00:00 2001 From: Matthew Auld <matthew.auld(a)intel.com> Date: Fri, 6 Jun 2025 11:45:48 +0100 Subject: [PATCH] drm/xe: move DPT l2 flush to a more sensible place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Only need the flush for DPT host updates here. Normal GGTT updates don't need special flush. Fixes: 01570b446939 ("drm/xe/bmg: implement Wa_16023588340") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: stable(a)vger.kernel.org # v6.12+ Reviewed-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Link: https://lore.kernel.org/r/20250606104546.1996818-4-matthew.auld@intel.com Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit 35db1da40c8cfd7511dc42f342a133601eb45449) Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> diff --git a/drivers/gpu/drm/xe/display/xe_fb_pin.c b/drivers/gpu/drm/xe/display/xe_fb_pin.c index d918ae1c8061..55259969480b 100644 --- a/drivers/gpu/drm/xe/display/xe_fb_pin.c +++ b/drivers/gpu/drm/xe/display/xe_fb_pin.c @@ -164,6 +164,9 @@ static int __xe_pin_fb_vma_dpt(const struct intel_framebuffer *fb, vma->dpt = dpt; vma->node = dpt->ggtt_node[tile0->id]; + + /* Ensure DPT writes are flushed */ + xe_device_l2_flush(xe); return 0; } @@ -333,8 +336,6 @@ static struct i915_vma *__xe_pin_fb_vma(const struct intel_framebuffer *fb, if (ret) goto err_unpin; - /* Ensure DPT writes are flushed */ - xe_device_l2_flush(xe); return vma; err_unpin:

3 days, 21 hours

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Move DSB l2 flush to a more sensible place" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a4b1b51ae132ac199412028a2df7b6c267888190 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062922-dictate-payphone-2af2@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a4b1b51ae132ac199412028a2df7b6c267888190 Mon Sep 17 00:00:00 2001 From: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Date: Fri, 6 Jun 2025 11:45:47 +0100 Subject: [PATCH] drm/xe: Move DSB l2 flush to a more sensible place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flushing l2 is only needed after all data has been written. Fixes: 01570b446939 ("drm/xe/bmg: implement Wa_16023588340") Signed-off-by: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: stable(a)vger.kernel.org # v6.12+ Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Reviewed-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://lore.kernel.org/r/20250606104546.1996818-3-matthew.auld@intel.com Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit 0dd2dd0182bc444a62652e89d08c7f0e4fde15ba) Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> diff --git a/drivers/gpu/drm/xe/display/xe_dsb_buffer.c b/drivers/gpu/drm/xe/display/xe_dsb_buffer.c index f95375451e2f..9f941fc2e36b 100644 --- a/drivers/gpu/drm/xe/display/xe_dsb_buffer.c +++ b/drivers/gpu/drm/xe/display/xe_dsb_buffer.c @@ -17,10 +17,7 @@ u32 intel_dsb_buffer_ggtt_offset(struct intel_dsb_buffer *dsb_buf) void intel_dsb_buffer_write(struct intel_dsb_buffer *dsb_buf, u32 idx, u32 val) { - struct xe_device *xe = dsb_buf->vma->bo->tile->xe; - iosys_map_wr(&dsb_buf->vma->bo->vmap, idx * 4, u32, val); - xe_device_l2_flush(xe); } u32 intel_dsb_buffer_read(struct intel_dsb_buffer *dsb_buf, u32 idx) @@ -30,12 +27,9 @@ u32 intel_dsb_buffer_read(struct intel_dsb_buffer *dsb_buf, u32 idx) void intel_dsb_buffer_memset(struct intel_dsb_buffer *dsb_buf, u32 idx, u32 val, size_t size) { - struct xe_device *xe = dsb_buf->vma->bo->tile->xe; - WARN_ON(idx > (dsb_buf->buf_size - size) / sizeof(*dsb_buf->cmd_buf)); iosys_map_memset(&dsb_buf->vma->bo->vmap, idx * 4, val, size); - xe_device_l2_flush(xe); } bool intel_dsb_buffer_create(struct intel_crtc *crtc, struct intel_dsb_buffer *dsb_buf, size_t size) @@ -74,9 +68,12 @@ void intel_dsb_buffer_cleanup(struct intel_dsb_buffer *dsb_buf) void intel_dsb_buffer_flush_map(struct intel_dsb_buffer *dsb_buf) { + struct xe_device *xe = dsb_buf->vma->bo->tile->xe; + /* * The memory barrier here is to ensure coherency of DSB vs MMIO, * both for weak ordering archs and discrete cards. */ - xe_device_wmb(dsb_buf->vma->bo->tile->xe); + xe_device_wmb(xe); + xe_device_l2_flush(xe); }

3 days, 21 hours

1
0
0 0

FAILED: patch "[PATCH] mm/hugetlb: remove unnecessary holding of hugetlb_lock" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 344ef45b03336e7f74658814f66483b5417c9cf1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062948-cape-pebble-cad9@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 344ef45b03336e7f74658814f66483b5417c9cf1 Mon Sep 17 00:00:00 2001 From: Ge Yang <yangge1116(a)126.com> Date: Tue, 27 May 2025 11:36:50 +0800 Subject: [PATCH] mm/hugetlb: remove unnecessary holding of hugetlb_lock In isolate_or_dissolve_huge_folio(), after acquiring the hugetlb_lock, it is only for the purpose of obtaining the correct hstate, which is then passed to alloc_and_dissolve_hugetlb_folio(). alloc_and_dissolve_hugetlb_folio() itself also acquires the hugetlb_lock. We can have alloc_and_dissolve_hugetlb_folio() obtain the hstate by itself, so that isolate_or_dissolve_huge_folio() no longer needs to acquire the hugetlb_lock. In addition, we keep the folio_test_hugetlb() check within isolate_or_dissolve_huge_folio(). By doing so, we can avoid disrupting the normal path by vainly holding the hugetlb_lock. replace_free_hugepage_folios() has the same issue, and we should address it as well. Addresses a possible performance problem which was added by the hotfix 113ed54ad276 ("mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios"). Link: https://lkml.kernel.org/r/1748317010-16272-1-git-send-email-yangge1116@126.… Fixes: 113ed54ad276 ("mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios") Signed-off-by: Ge Yang <yangge1116(a)126.com> Suggested-by: Oscar Salvador <osalvador(a)suse.de> Reviewed-by: Muchun Song <muchun.song(a)linux.dev> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 8746ed2fec13..9dc95eac558c 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2787,20 +2787,24 @@ void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, /* * alloc_and_dissolve_hugetlb_folio - Allocate a new folio and dissolve * the old one - * @h: struct hstate old page belongs to * @old_folio: Old folio to dissolve * @list: List to isolate the page in case we need to * Returns 0 on success, otherwise negated error. */ -static int alloc_and_dissolve_hugetlb_folio(struct hstate *h, - struct folio *old_folio, struct list_head *list) +static int alloc_and_dissolve_hugetlb_folio(struct folio *old_folio, + struct list_head *list) { - gfp_t gfp_mask = htlb_alloc_mask(h) | __GFP_THISNODE; + gfp_t gfp_mask; + struct hstate *h; int nid = folio_nid(old_folio); struct folio *new_folio = NULL; int ret = 0; retry: + /* + * The old_folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ spin_lock_irq(&hugetlb_lock); if (!folio_test_hugetlb(old_folio)) { /* @@ -2829,8 +2833,10 @@ static int alloc_and_dissolve_hugetlb_folio(struct hstate *h, cond_resched(); goto retry; } else { + h = folio_hstate(old_folio); if (!new_folio) { spin_unlock_irq(&hugetlb_lock); + gfp_mask = htlb_alloc_mask(h) | __GFP_THISNODE; new_folio = alloc_buddy_hugetlb_folio(h, gfp_mask, nid, NULL, NULL); if (!new_folio) @@ -2874,35 +2880,24 @@ static int alloc_and_dissolve_hugetlb_folio(struct hstate *h, int isolate_or_dissolve_huge_folio(struct folio *folio, struct list_head *list) { - struct hstate *h; int ret = -EBUSY; - /* - * The page might have been dissolved from under our feet, so make sure - * to carefully check the state under the lock. - * Return success when racing as if we dissolved the page ourselves. - */ - spin_lock_irq(&hugetlb_lock); - if (folio_test_hugetlb(folio)) { - h = folio_hstate(folio); - } else { - spin_unlock_irq(&hugetlb_lock); + /* Not to disrupt normal path by vainly holding hugetlb_lock */ + if (!folio_test_hugetlb(folio)) return 0; - } - spin_unlock_irq(&hugetlb_lock); /* * Fence off gigantic pages as there is a cyclic dependency between * alloc_contig_range and them. Return -ENOMEM as this has the effect * of bailing out right away without further retrying. */ - if (hstate_is_gigantic(h)) + if (folio_order(folio) > MAX_PAGE_ORDER) return -ENOMEM; if (folio_ref_count(folio) && folio_isolate_hugetlb(folio, list)) ret = 0; else if (!folio_ref_count(folio)) - ret = alloc_and_dissolve_hugetlb_folio(h, folio, list); + ret = alloc_and_dissolve_hugetlb_folio(folio, list); return ret; } @@ -2916,7 +2911,6 @@ int isolate_or_dissolve_huge_folio(struct folio *folio, struct list_head *list) */ int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn) { - struct hstate *h; struct folio *folio; int ret = 0; @@ -2925,23 +2919,9 @@ int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn) while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); - /* - * The folio might have been dissolved from under our feet, so make sure - * to carefully check the state under the lock. - */ - spin_lock_irq(&hugetlb_lock); - if (folio_test_hugetlb(folio)) { - h = folio_hstate(folio); - } else { - spin_unlock_irq(&hugetlb_lock); - start_pfn++; - continue; - } - spin_unlock_irq(&hugetlb_lock); - - if (!folio_ref_count(folio)) { - ret = alloc_and_dissolve_hugetlb_folio(h, folio, - &isolate_list); + /* Not to disrupt normal path by vainly holding hugetlb_lock */ + if (folio_test_hugetlb(folio) && !folio_ref_count(folio)) { + ret = alloc_and_dissolve_hugetlb_folio(folio, &isolate_list); if (ret) break;

3 days, 21 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror