5.10-stable patches

added patches:
	mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
	uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch

diff --git a/queue-5.10/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch b/queue-5.10/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
new file mode 100644 (file)
index 0000000..853fc87
--- /dev/null
+++ b/queue-5.10/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
@@ -0,0 +1,48 @@
+From 1efbee6852f1ff698a9981bd731308dd027189fb Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Mon, 11 Aug 2025 15:36:16 +0200
+Subject: mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 1efbee6852f1ff698a9981bd731308dd027189fb upstream.
+
+Commit 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+removed the return value check from the call to gpiochip_add_data() (or
+rather gpiochip_add() back then and later converted to devres) with no
+explanation. This function however can still fail, so check the return
+value and bail-out if it does.
+
+Cc: stable@vger.kernel.org
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250811-gpio-mmio-mfd-conv-v1-1-68c5c958cf80@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/vexpress-sysreg.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mfd/vexpress-sysreg.c
++++ b/drivers/mfd/vexpress-sysreg.c
+@@ -98,6 +98,7 @@ static int vexpress_sysreg_probe(struct
+       struct resource *mem;
+       void __iomem *base;
+       struct gpio_chip *mmc_gpio_chip;
++      int ret;
+ 
+       mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       if (!mem)
+@@ -118,7 +119,10 @@ static int vexpress_sysreg_probe(struct
+       bgpio_init(mmc_gpio_chip, &pdev->dev, 0x4, base + SYS_MCI,
+                       NULL, NULL, NULL, NULL, 0);
+       mmc_gpio_chip->ngpio = 2;
+-      devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL);
++
++      ret = devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL);
++      if (ret)
++              return ret;
+ 
+       return devm_mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO,
+                       vexpress_sysreg_cells,

diff --git a/queue-5.10/series b/queue-5.10/series
index ff16fc12749f7710e4d06afe3475df53ed76a859..fddd9bb550a0c49bde2b55a0ef68e90f920260d9 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -86,3 +86,5 @@ net-ena-return-0-in-ena_get_rxfh_key_size-when-rss-h.patch
 net-dlink-handle-copy_thresh-allocation-failure.patch
 revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 squashfs-fix-uninit-value-in-squashfs_get_parent.patch
+uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
+mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch

diff --git a/queue-5.10/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch b/queue-5.10/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
new file mode 100644 (file)
index 0000000..2ffd512
--- /dev/null
+++ b/queue-5.10/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
@@ -0,0 +1,97 @@
+From b15b7d2a1b09ef5428a8db260251897405a19496 Mon Sep 17 00:00:00 2001
+From: Naman Jain <namjain@linux.microsoft.com>
+Date: Thu, 28 Aug 2025 10:12:00 +0530
+Subject: uio_hv_generic: Let userspace take care of interrupt mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naman Jain <namjain@linux.microsoft.com>
+
+commit b15b7d2a1b09ef5428a8db260251897405a19496 upstream.
+
+Remove the logic to set interrupt mask by default in uio_hv_generic
+driver as the interrupt mask value is supposed to be controlled
+completely by the user space. If the mask bit gets changed
+by the driver, concurrently with user mode operating on the ring,
+the mask bit may be set when it is supposed to be clear, and the
+user-mode driver will miss an interrupt which will cause a hang.
+
+For eg- when the driver sets inbound ring buffer interrupt mask to 1,
+the host does not interrupt the guest on the UIO VMBus channel.
+However, setting the mask does not prevent the host from putting a
+message in the inbound ring buffer. So let’s assume that happens,
+the host puts a message into the ring buffer but does not interrupt.
+
+Subsequently, the user space code in the guest sets the inbound ring
+buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
+User space code then calls pread() to wait for an interrupt.
+Then one of two things happens:
+
+* The host never sends another message. So the pread() waits forever.
+* The host does send another message. But because there’s already a
+  message in the ring buffer, it doesn’t generate an interrupt.
+  This is the correct behavior, because the host should only send an
+  interrupt when the inbound ring buffer transitions from empty to
+  not-empty. Adding an additional message to a ring buffer that is not
+  empty is not supposed to generate an interrupt on the guest.
+  Since the guest is waiting in pread() and not removing messages from
+  the ring buffer, the pread() waits forever.
+
+This could be easily reproduced in hv_fcopy_uio_daemon if we delay
+setting interrupt mask to 0.
+
+Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
+there’s a race condition. Once user space empties the inbound ring
+buffer, but before user space sets interrupt_mask to 0, the host could
+put another message in the ring buffer but it wouldn’t interrupt.
+Then the next pread() would hang.
+
+Fix these by removing all instances where interrupt_mask is changed,
+while keeping the one in set_event() unchanged to enable userspace
+control the interrupt mask by writing 0/1 to /dev/uioX.
+
+Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
+Suggested-by: John Starks <jostarks@microsoft.com>
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Reviewed-by: Tianyu Lan <tiala@microsoft.com>
+Tested-by: Tianyu Lan <tiala@microsoft.com>
+Link: https://lore.kernel.org/r/20250828044200.492030-1-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -96,7 +96,6 @@ static void hv_uio_channel_cb(void *cont
+       struct hv_device *hv_dev = chan->device_obj;
+       struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+ 
+-      chan->inbound.ring_buffer->interrupt_mask = 1;
+       virt_mb();
+ 
+       uio_event_notify(&pdata->info);
+@@ -173,8 +172,6 @@ hv_uio_new_channel(struct vmbus_channel
+               return;
+       }
+ 
+-      /* Disable interrupts on sub channel */
+-      new_sc->inbound.ring_buffer->interrupt_mask = 1;
+       set_channel_read_mode(new_sc, HV_CALL_ISR);
+ 
+       ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr);
+@@ -218,9 +215,7 @@ hv_uio_open(struct uio_info *info, struc
+ 
+       ret = vmbus_connect_ring(dev->channel,
+                                hv_uio_channel_cb, dev->channel);
+-      if (ret == 0)
+-              dev->channel->inbound.ring_buffer->interrupt_mask = 1;
+-      else
++      if (ret)
+               atomic_dec(&pdata->refcnt);
+ 
+       return ret;