--- /dev/null
+From 508c1314b342b78591f51c4b5dadee31a88335df Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 21 Aug 2025 13:23:21 -0600
+Subject: io_uring/futex: ensure io_futex_wait() cleans up properly on failure
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 508c1314b342b78591f51c4b5dadee31a88335df upstream.
+
+The io_futex_data is allocated upfront and assigned to the io_kiocb
+async_data field, but the request isn't marked with REQ_F_ASYNC_DATA
+at that point. Those two should always go together, as the flag tells
+io_uring whether the field is valid or not.
+
+Additionally, on failure cleanup, the futex handler frees the data but
+does not clear ->async_data. Clear the data and the flag in the error
+path as well.
+
+Thanks to Trend Micro Zero Day Initiative and particularly ReDress for
+reporting this.
+
+Cc: stable@vger.kernel.org
+Fixes: 194bb58c6090 ("io_uring: add support for futex wake and wait")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/futex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/io_uring/futex.c
++++ b/io_uring/futex.c
+@@ -337,6 +337,7 @@ int io_futex_wait(struct io_kiocb *req,
+ goto done_unlock;
+ }
+
++ req->flags |= REQ_F_ASYNC_DATA;
+ req->async_data = ifd;
+ ifd->q = futex_q_init;
+ ifd->q.bitset = iof->futex_mask;
+@@ -359,6 +360,8 @@ done:
+ if (ret < 0)
+ req_set_fail(req);
+ io_req_set_res(req, ret, 0);
++ req->async_data = NULL;
++ req->flags &= ~REQ_F_ASYNC_DATA;
+ kfree(ifd);
+ return IOU_OK;
+ }
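Review bot: The error path under `done:` now clears `req->async_data` and `REQ_F_ASYNC_DATA` right before `kfree(ifd)`, but nothing in the code says why the two must go together, and the same pairing is open-coded in the earlier hunk where the flag is set next to `req->async_data = ifd`. Per the commit message the flag tells io_uring whether the field is valid, so a pointer left behind after the free would presumably be treated as live by later request cleanup. I would add a comment above the two new lines, e.g. `/* drop the pointer and REQ_F_ASYNC_DATA together so nothing treats the freed ifd as valid async data */`. It is also worth checking any other assignment to `->async_data` in this file for the same missing flag, since only `io_futex_wait()` is touched here. `io_futex_wait()` starts outside both hunks.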
--- /dev/null
+From 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicolinc@nvidia.com>
+Date: Thu, 31 Jul 2025 20:01:27 -0700
+Subject: iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement
+
+From: Nicolin Chen <nicolinc@nvidia.com>
+
+commit 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 upstream.
+
+The arm_smmu_attach_commit() updates master->ats_enabled before calling
+arm_smmu_remove_master_domain() that is supposed to clean up everything
+in the old domain, including the old domain's nr_ats_masters. So, it is
+supposed to use the old ats_enabled state of the device, not an updated
+state.
+
+This isn't a problem if switching between two domains where:
+ - old ats_enabled = false; new ats_enabled = false
+ - old ats_enabled = true; new ats_enabled = true
+but can fail cases where:
+ - old ats_enabled = false; new ats_enabled = true
+ (old domain should keep the counter but incorrectly decreased it)
+ - old ats_enabled = true; new ats_enabled = false
+ (old domain needed to decrease the counter but incorrectly missed it)
+
+Update master->ats_enabled after arm_smmu_remove_master_domain() to fix
+this.
+
+Fixes: 7497f4211f4f ("iommu/arm-smmu-v3: Make changing domains be hitless for ATS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
+Acked-by: Will Deacon <will@kernel.org>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Pranjal Shrivastava <praan@google.com>
+Link: https://lore.kernel.org/r/20250801030127.2006979-1-nicolinc@nvidia.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -2778,9 +2778,9 @@ static void arm_smmu_attach_commit(struc
+ /* ATS is being switched off, invalidate the entire ATC */
+ arm_smmu_atc_inv_master(master, IOMMU_NO_PASID);
+ }
+- master->ats_enabled = state->ats_enabled;
+
+ arm_smmu_remove_master_domain(master, state->old_domain, state->ssid);
++ master->ats_enabled = state->ats_enabled;
+ }
+
+ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev)
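Review bot: The new position of `master->ats_enabled = state->ats_enabled;` after `arm_smmu_remove_master_domain()` is an ordering requirement that the code does not state, so a later cleanup could move it back up with no compile-time signal. According to the commit message the removal path must still see the old ATS state to adjust the old domain's `nr_ats_masters`; a miscounted value could plausibly affect whether ATC invalidations are issued for that domain, though that consumer is not visible in this hunk. I would add a comment on the assignment, e.g. `/* must come after arm_smmu_remove_master_domain(), which relies on the old ats_enabled */`. `arm_smmu_attach_commit()` starts outside the hunk.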
--- /dev/null
+From 808471ddb0fa785559c3e7aee59be20a13b46ef5 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <asmadeus@codewreck.org>
+Date: Wed, 13 Aug 2025 15:04:55 +0900
+Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size
+
+From: Dominique Martinet <asmadeus@codewreck.org>
+
+commit 808471ddb0fa785559c3e7aee59be20a13b46ef5 upstream.
+
+It's apparently possible to get an iov advanced all the way up to the end
+of the current page we're looking at, e.g.
+
+(gdb) p *iter
+$24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = {
+ iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000,
+ bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000,
+ ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}}
+
+Where iov_offset is 4k with 4k-sized folios
+
+This should have been fine because we're only in the 2nd slot and there's
+another one after this, but iterate_folioq should not try to map a folio
+that skips the whole size, and more importantly part here does not end up
+zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not
+zero..), so skip forward to the "advance to next folio" code
+
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-0-a0ffad2b665a@codewreck.org
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-1-a0ffad2b665a@codewreck.org
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
+Reported-by: Maximilian Bosch <maximilian@mbosch.me>
+Reported-by: Ryan Lahfa <ryan@lahfa.xyz>
+Reported-by: Christian Theune <ct@flyingcircus.io>
+Reported-by: Arnout Engelen <arnout@bzzt.net>
+Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/
+Acked-by: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org> [6.12+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iov_iter.h | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/iov_iter.h b/include/linux/iov_iter.h
+index c4aa58032faf..f9a17fbbd398 100644
+--- a/include/linux/iov_iter.h
++++ b/include/linux/iov_iter.h
+@@ -160,7 +160,7 @@ size_t iterate_folioq(struct iov_iter *iter, size_t len, void *priv, void *priv2
+
+ do {
+ struct folio *folio = folioq_folio(folioq, slot);
+- size_t part, remain, consumed;
++ size_t part, remain = 0, consumed;
+ size_t fsize;
+ void *base;
+
+@@ -168,14 +168,16 @@ size_t iterate_folioq(struct iov_iter *iter, size_t len, void *priv, void *priv2
+ break;
+
+ fsize = folioq_folio_size(folioq, slot);
+- base = kmap_local_folio(folio, skip);
+- part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
+- remain = step(base, progress, part, priv, priv2);
+- kunmap_local(base);
+- consumed = part - remain;
+- len -= consumed;
+- progress += consumed;
+- skip += consumed;
++ if (skip < fsize) {
++ base = kmap_local_folio(folio, skip);
++ part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
++ remain = step(base, progress, part, priv, priv2);
++ kunmap_local(base);
++ consumed = part - remain;
++ len -= consumed;
++ progress += consumed;
++ skip += consumed;
++ }
+ if (skip >= fsize) {
+ skip = 0;
+ slot++;
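Review bot: The retained `if (skip >= fsize)` branch sets `skip = 0` and advances one slot, so with the new guard an offset strictly greater than the folio size is silently dropped rather than carried into the next folio. The commit message only demonstrates the equal case (`iov_offset = 4096` with 4k folios); if larger values cannot occur, that invariant deserves a comment or a `WARN_ON_ONCE(skip > fsize)` ahead of the new `if (skip < fsize)`. A short comment on the guard would also help, e.g. `/* offset may sit at the end of this folio: nothing to map, just advance */`, and another on `remain = 0` in the first hunk, which appears to be initialised only for the path that skips `step()`. The loop body continues outside the hunk.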
+--
+2.50.1
+
--- /dev/null
+From dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Thu, 31 Jul 2025 14:57:50 +0800
+Subject: mmc: sdhci-pci-gli: Add a new function to simplify the code
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 upstream.
+
+In preparation to fix replay timer timeout, add
+sdhci_gli_mask_replay_timer_timeout() function
+to simplify some of the code, allowing it to be re-used.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -215,6 +215,20 @@
+ #define GLI_MAX_TUNING_LOOP 40
+
+ /* Genesys Logic chipset */
++static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
++{
++ int aer;
++ u32 value;
++
++ /* mask the replay timer timeout of AER */
++ aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++ if (aer) {
++ pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
++ value |= PCI_ERR_COR_REP_TIMER;
++ pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
++ }
++}
++
+ static inline void gl9750_wt_on(struct sdhci_host *host)
+ {
+ u32 wt_value;
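Review bot: `sdhci_gli_mask_replay_timer_timeout()` does a read-modify-write of `PCI_ERR_COR_MASK` without looking at the result of `pci_read_config_dword()`, so if the read fails the value that is OR-ed and written back is not what the register held. The logic is carried over unchanged from the two callers, but now that it lives in one helper the check is cheap: `if (pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value)) return;` before the `value |= PCI_ERR_COR_REP_TIMER;` line. The helper also has no comment explaining why this correctable error is masked for these controllers, and it now sits directly under the `/* Genesys Logic chipset */` comment that used to introduce `gl9750_wt_on()`. The call-site hunks in `gl9750_hw_setting()` and `gl9755_hw_setting()` keep the `/* mask the replay timer timeout of AER */` comment, which duplicates the one inside the helper.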
+@@ -535,7 +549,6 @@ static void gl9750_hw_setting(struct sdh
+ {
+ struct sdhci_pci_slot *slot = sdhci_priv(host);
+ struct pci_dev *pdev;
+- int aer;
+ u32 value;
+
+ pdev = slot->chip->pdev;
+@@ -554,12 +567,7 @@ static void gl9750_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9750_wt_off(host);
+ }
+@@ -734,7 +742,6 @@ static void sdhci_gl9755_set_clock(struc
+ static void gl9755_hw_setting(struct sdhci_pci_slot *slot)
+ {
+ struct pci_dev *pdev = slot->chip->pdev;
+- int aer;
+ u32 value;
+
+ gl9755_wt_on(pdev);
+@@ -769,12 +776,7 @@ static void gl9755_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9755_wt_off(pdev);
+ }
ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch
sched_ext-initialize-built-in-idle-state-before-ops.init.patch
revert-can-ti_hecc-fix-woverflow-compiler-warning.patch
+io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch
+iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch
+iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch
+mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch