6.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Aug 2025 14:23:39 +0000 (16:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Aug 2025 14:23:39 +0000 (16:23 +0200)
added patches:
platform-x86-int3472-add-hpd-pin-support.patch
vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch

queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch
queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch [new file with mode: 0644]
queue-6.16/series
queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch [new file with mode: 0644]

index 54e879cf48de8600473bc342e053ee8193fbddac..b9035e24f2b7079cef725fdb79c85a78bfff8793 100644 (file)
@@ -34,14 +34,12 @@ Link: https://lore.kernel.org/r/20250813120214.18729-1-changfengnan@bytedance.co
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- io_uring/io-wq.c | 8 ++++++++
+ io_uring/io-wq.c |    8 ++++++++
  1 file changed, 8 insertions(+)
 
-diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
-index be91edf34f013..17dfaa0395c46 100644
 --- a/io_uring/io-wq.c
 +++ b/io_uring/io-wq.c
-@@ -357,6 +357,13 @@ static void create_worker_cb(struct callback_head *cb)
+@@ -357,6 +357,13 @@ static void create_worker_cb(struct call
        worker = container_of(cb, struct io_worker, create_work);
        wq = worker->wq;
        acct = worker->acct;
@@ -55,7 +53,7 @@ index be91edf34f013..17dfaa0395c46 100644
        raw_spin_lock(&acct->workers_lock);
  
        if (acct->nr_workers < acct->max_workers) {
-@@ -367,6 +374,7 @@ static void create_worker_cb(struct callback_head *cb)
+@@ -367,6 +374,7 @@ static void create_worker_cb(struct call
        if (do_create) {
                create_io_worker(wq, acct);
        } else {
@@ -63,6 +61,3 @@ index be91edf34f013..17dfaa0395c46 100644
                atomic_dec(&acct->nr_running);
                io_worker_ref_put(wq);
        }
--- 
-2.50.1
-
diff --git a/queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch b/queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch
new file mode 100644 (file)
index 0000000..a4e2580
--- /dev/null
@@ -0,0 +1,74 @@
+From a032fe30cf09b6723ab61a05aee057311b00f9e1 Mon Sep 17 00:00:00 2001
+From: Dongcheng Yan <dongcheng.yan@intel.com>
+Date: Fri, 25 Apr 2025 18:43:30 +0800
+Subject: platform/x86: int3472: add hpd pin support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dongcheng Yan <dongcheng.yan@intel.com>
+
+commit a032fe30cf09b6723ab61a05aee057311b00f9e1 upstream.
+
+Typically HDMI to MIPI CSI-2 bridges have a pin to signal image data is
+being received. On the host side this is wired to a GPIO for polling or
+interrupts. This includes the Lontium HDMI to MIPI CSI-2 bridges
+lt6911uxe and lt6911uxc.
+
+The GPIO "hpd" is used already by other HDMI to CSI-2 bridges, use it
+here as well.
+
+Signed-off-by: Dongcheng Yan <dongcheng.yan@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Fixes: 20244cbafbd6 ("media: i2c: change lt6911uxe irq_gpio name to "hpd"")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/int3472/discrete.c |    6 ++++++
+ include/linux/platform_data/x86/int3472.h     |    1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/platform/x86/intel/int3472/discrete.c
++++ b/drivers/platform/x86/intel/int3472/discrete.c
+@@ -193,6 +193,10 @@ static void int3472_get_con_id_and_polar
+               *con_id = "privacy-led";
+               *gpio_flags = GPIO_ACTIVE_HIGH;
+               break;
++      case INT3472_GPIO_TYPE_HOTPLUG_DETECT:
++              *con_id = "hpd";
++              *gpio_flags = GPIO_ACTIVE_HIGH;
++              break;
+       case INT3472_GPIO_TYPE_POWER_ENABLE:
+               *con_id = "avdd";
+               *gpio_flags = GPIO_ACTIVE_HIGH;
+@@ -223,6 +227,7 @@ static void int3472_get_con_id_and_polar
+  * 0x0b Power enable
+  * 0x0c Clock enable
+  * 0x0d Privacy LED
++ * 0x13 Hotplug detect
+  *
+  * There are some known platform specific quirks where that does not quite
+  * hold up; for example where a pin with type 0x01 (Power down) is mapped to
+@@ -292,6 +297,7 @@ static int skl_int3472_handle_gpio_resou
+       switch (type) {
+       case INT3472_GPIO_TYPE_RESET:
+       case INT3472_GPIO_TYPE_POWERDOWN:
++      case INT3472_GPIO_TYPE_HOTPLUG_DETECT:
+               ret = skl_int3472_map_gpio_to_sensor(int3472, agpio, con_id, gpio_flags);
+               if (ret)
+                       err_msg = "Failed to map GPIO pin to sensor\n";
+--- a/include/linux/platform_data/x86/int3472.h
++++ b/include/linux/platform_data/x86/int3472.h
+@@ -27,6 +27,7 @@
+ #define INT3472_GPIO_TYPE_CLK_ENABLE                          0x0c
+ #define INT3472_GPIO_TYPE_PRIVACY_LED                         0x0d
+ #define INT3472_GPIO_TYPE_HANDSHAKE                           0x12
++#define INT3472_GPIO_TYPE_HOTPLUG_DETECT                      0x13
+ #define INT3472_PDEV_MAX_NAME_LEN                             23
+ #define INT3472_MAX_SENSOR_GPIOS                              3
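Review bot: Adding `case INT3472_GPIO_TYPE_HOTPLUG_DETECT:` to the RESET/POWERDOWN group in skl_int3472_handle_gpio_resources() sends a third pin type through skl_int3472_map_gpio_to_sensor(), while `INT3472_MAX_SENSOR_GPIOS` stays at 3 in int3472.h. The pin type is presumably taken from platform firmware data, so the capacity check has to be enforced inside the mapping helper. Its body is outside this hunk, and it is worth confirming that it rejects an entry beyond the limit instead of writing past the table. Separately, the type list in the comment gains `0x13 Hotplug detect`, but the visible lines show no entry for 0x12, which the header defines as INT3472_GPIO_TYPE_HANDSHAKE; adding ` * 0x12 Handshake` would keep the list complete.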
index d6a2d767cef7e6ffd1b076c5e26fc3b1f9548784..848ae1e826b01a5b9e3c94444129b29648673c10 100644 (file)
@@ -23,3 +23,5 @@ asoc-rt1320-fix-random-cycle-mute-issue.patch
 erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch
 erofs-fix-atomic-context-detection-when-config_debug.patch
 io_uring-io-wq-add-check-free-worker-before-create-n.patch
+platform-x86-int3472-add-hpd-pin-support.patch
+vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch
diff --git a/queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch b/queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch
new file mode 100644 (file)
index 0000000..9d745a3
--- /dev/null
@@ -0,0 +1,79 @@
+From dd54bcf86c91a4455b1f95cbc8e9ac91205f3193 Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+Date: Tue, 5 Aug 2025 16:09:17 +0300
+Subject: vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
+
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+
+commit dd54bcf86c91a4455b1f95cbc8e9ac91205f3193 upstream.
+
+When operating on struct vhost_net_ubuf_ref, the following execution
+sequence is theoretically possible:
+CPU0 is finalizing DMA operation                   CPU1 is doing VHOST_NET_SET_BACKEND
+                             // ubufs->refcount == 2
+vhost_net_ubuf_put()                               vhost_net_ubuf_put_wait_and_free(oldubufs)
+                                                     vhost_net_ubuf_put_and_wait()
+                                                       vhost_net_ubuf_put()
+                                                         int r = atomic_sub_return(1, &ubufs->refcount);
+                                                         // r = 1
+int r = atomic_sub_return(1, &ubufs->refcount);
+// r = 0
+                                                      wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
+                                                      // no wait occurs here because condition is already true
+                                                    kfree(ubufs);
+if (unlikely(!r))
+  wake_up(&ubufs->wait);  // use-after-free
+
+This leads to use-after-free on ubufs access. This happens because CPU1
+skips waiting for wake_up() when refcount is already zero.
+
+To prevent that use a read-side RCU critical section in vhost_net_ubuf_put(),
+as suggested by Hillf Danton. For this lock to take effect, free ubufs with
+kfree_rcu().
+
+Cc: stable@vger.kernel.org
+Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock")
+Reported-by: Andrey Ryabinin <arbn@yandex-team.com>
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
+Message-Id: <20250805130917.727332-1-kniv@yandex-team.ru>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -96,6 +96,7 @@ struct vhost_net_ubuf_ref {
+       atomic_t refcount;
+       wait_queue_head_t wait;
+       struct vhost_virtqueue *vq;
++      struct rcu_head rcu;
+ };
+ #define VHOST_NET_BATCH 64
+@@ -247,9 +248,13 @@ vhost_net_ubuf_alloc(struct vhost_virtqu
+ static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
+ {
+-      int r = atomic_sub_return(1, &ubufs->refcount);
++      int r;
++
++      rcu_read_lock();
++      r = atomic_sub_return(1, &ubufs->refcount);
+       if (unlikely(!r))
+               wake_up(&ubufs->wait);
++      rcu_read_unlock();
+       return r;
+ }
+@@ -262,7 +267,7 @@ static void vhost_net_ubuf_put_and_wait(
+ static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
+ {
+       vhost_net_ubuf_put_and_wait(ubufs);
+-      kfree(ubufs);
++      kfree_rcu(ubufs, rcu);
+ }
+ static void vhost_net_clear_ubuf_info(struct vhost_net *n)
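Review bot: Nothing in vhost_net_ubuf_put() or vhost_net_ubuf_put_wait_and_free() records that the new `rcu_read_lock()`/`rcu_read_unlock()` pair only protects anything because the free is now deferred with `kfree_rcu(ubufs, rcu)`. A later cleanup could revert either half and reopen the use-after-free described in the commit message. A short comment above the lock would make the dependency explicit, e.g. `/* ubufs may be freed once refcount hits 0; RCU keeps it valid until wake_up() returns, paired with kfree_rcu() in vhost_net_ubuf_put_wait_and_free() */`. The same reasoning applies to any other site that frees a struct vhost_net_ubuf_ref after it has been reachable from vhost_net_ubuf_put(); those sites are outside this hunk and are worth checking for a plain `kfree()`.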