--- /dev/null
+From 508c1314b342b78591f51c4b5dadee31a88335df Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 21 Aug 2025 13:23:21 -0600
+Subject: io_uring/futex: ensure io_futex_wait() cleans up properly on failure
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 508c1314b342b78591f51c4b5dadee31a88335df upstream.
+
+The io_futex_data is allocated upfront and assigned to the io_kiocb
+async_data field, but the request isn't marked with REQ_F_ASYNC_DATA
+at that point. Those two should always go together, as the flag tells
+io_uring whether the field is valid or not.
+
+Additionally, on failure cleanup, the futex handler frees the data but
+does not clear ->async_data. Clear the data and the flag in the error
+path as well.
+
+Thanks to Trend Micro Zero Day Initiative and particularly ReDress for
+reporting this.
+
+Cc: stable@vger.kernel.org
+Fixes: 194bb58c6090 ("io_uring: add support for futex wake and wait")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/futex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/io_uring/futex.c
++++ b/io_uring/futex.c
+@@ -288,6 +288,7 @@ int io_futex_wait(struct io_kiocb *req,
+ goto done_unlock;
+ }
+
++ req->flags |= REQ_F_ASYNC_DATA;
+ req->async_data = ifd;
+ ifd->q = futex_q_init;
+ ifd->q.bitset = iof->futex_mask;
+@@ -309,6 +310,8 @@ done:
+ if (ret < 0)
+ req_set_fail(req);
+ io_req_set_res(req, ret, 0);
++ req->async_data = NULL;
++ req->flags &= ~REQ_F_ASYNC_DATA;
+ kfree(ifd);
+ return IOU_COMPLETE;
+ }
--- /dev/null
+From 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicolinc@nvidia.com>
+Date: Thu, 31 Jul 2025 20:01:27 -0700
+Subject: iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement
+
+From: Nicolin Chen <nicolinc@nvidia.com>
+
+commit 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 upstream.
+
+The arm_smmu_attach_commit() updates master->ats_enabled before calling
+arm_smmu_remove_master_domain() that is supposed to clean up everything
+in the old domain, including the old domain's nr_ats_masters. So, it is
+supposed to use the old ats_enabled state of the device, not an updated
+state.
+
+This isn't a problem if switching between two domains where:
+ - old ats_enabled = false; new ats_enabled = false
+ - old ats_enabled = true; new ats_enabled = true
+but can fail cases where:
+ - old ats_enabled = false; new ats_enabled = true
+ (old domain should keep the counter but incorrectly decreased it)
+ - old ats_enabled = true; new ats_enabled = false
+ (old domain needed to decrease the counter but incorrectly missed it)
+
+Update master->ats_enabled after arm_smmu_remove_master_domain() to fix
+this.
+
+Fixes: 7497f4211f4f ("iommu/arm-smmu-v3: Make changing domains be hitless for ATS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
+Acked-by: Will Deacon <will@kernel.org>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Pranjal Shrivastava <praan@google.com>
+Link: https://lore.kernel.org/r/20250801030127.2006979-1-nicolinc@nvidia.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -2997,9 +2997,9 @@ void arm_smmu_attach_commit(struct arm_s
+ /* ATS is being switched off, invalidate the entire ATC */
+ arm_smmu_atc_inv_master(master, IOMMU_NO_PASID);
+ }
+- master->ats_enabled = state->ats_enabled;
+
+ arm_smmu_remove_master_domain(master, state->old_domain, state->ssid);
++ master->ats_enabled = state->ats_enabled;
+ }
+
+ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev)
--- /dev/null
+From 808471ddb0fa785559c3e7aee59be20a13b46ef5 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <asmadeus@codewreck.org>
+Date: Wed, 13 Aug 2025 15:04:55 +0900
+Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size
+
+From: Dominique Martinet <asmadeus@codewreck.org>
+
+commit 808471ddb0fa785559c3e7aee59be20a13b46ef5 upstream.
+
+It's apparently possible to get an iov advanced all the way up to the end
+of the current page we're looking at, e.g.
+
+(gdb) p *iter
+$24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = {
+ iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000,
+ bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000,
+ ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}}
+
+Where iov_offset is 4k with 4k-sized folios
+
+This should have been fine because we're only in the 2nd slot and there's
+another one after this, but iterate_folioq should not try to map a folio
+that skips the whole size, and more importantly part here does not end up
+zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not
+zero..), so skip forward to the "advance to next folio" code
+
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-0-a0ffad2b665a@codewreck.org
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-1-a0ffad2b665a@codewreck.org
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
+Reported-by: Maximilian Bosch <maximilian@mbosch.me>
+Reported-by: Ryan Lahfa <ryan@lahfa.xyz>
+Reported-by: Christian Theune <ct@flyingcircus.io>
+Reported-by: Arnout Engelen <arnout@bzzt.net>
+Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/
+Acked-by: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org> [6.12+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iov_iter.h | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/include/linux/iov_iter.h
++++ b/include/linux/iov_iter.h
+@@ -160,7 +160,7 @@ size_t iterate_folioq(struct iov_iter *i
+
+ do {
+ struct folio *folio = folioq_folio(folioq, slot);
+- size_t part, remain, consumed;
++ size_t part, remain = 0, consumed;
+ size_t fsize;
+ void *base;
+
+@@ -168,14 +168,16 @@ size_t iterate_folioq(struct iov_iter *i
+ break;
+
+ fsize = folioq_folio_size(folioq, slot);
+- base = kmap_local_folio(folio, skip);
+- part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
+- remain = step(base, progress, part, priv, priv2);
+- kunmap_local(base);
+- consumed = part - remain;
+- len -= consumed;
+- progress += consumed;
+- skip += consumed;
++ if (skip < fsize) {
++ base = kmap_local_folio(folio, skip);
++ part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
++ remain = step(base, progress, part, priv, priv2);
++ kunmap_local(base);
++ consumed = part - remain;
++ len -= consumed;
++ progress += consumed;
++ skip += consumed;
++ }
+ if (skip >= fsize) {
+ skip = 0;
+ slot++;
--- /dev/null
+From 63f5dec16760f2cd7d3f9034d18fc1fa0d83652f Mon Sep 17 00:00:00 2001
+From: Sang-Heon Jeon <ekffu200098@gmail.com>
+Date: Sun, 10 Aug 2025 21:42:01 +0900
+Subject: mm/damon/core: fix commit_ops_filters by using correct nth function
+
+From: Sang-Heon Jeon <ekffu200098@gmail.com>
+
+commit 63f5dec16760f2cd7d3f9034d18fc1fa0d83652f upstream.
+
+damos_commit_ops_filters() incorrectly uses damos_nth_filter() which
+iterates core_filters. As a result, performing a commit unintentionally
+corrupts ops_filters.
+
+Add damos_nth_ops_filter() which iterates ops_filters. Use this function
+to fix issues caused by wrong iteration.
+
+Link: https://lkml.kernel.org/r/20250810124201.15743-1-ekffu200098@gmail.com
+Fixes: 3607cc590f18 ("mm/damon/core: support committing ops_filters") # 6.15.x
+Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
+Reviewed-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/core.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/mm/damon/core.c
++++ b/mm/damon/core.c
+@@ -843,6 +843,18 @@ static struct damos_filter *damos_nth_fi
+ return NULL;
+ }
+
++static struct damos_filter *damos_nth_ops_filter(int n, struct damos *s)
++{
++ struct damos_filter *filter;
++ int i = 0;
++
++ damos_for_each_ops_filter(filter, s) {
++ if (i++ == n)
++ return filter;
++ }
++ return NULL;
++}
++
+ static void damos_commit_filter_arg(
+ struct damos_filter *dst, struct damos_filter *src)
+ {
+@@ -906,7 +918,7 @@ static int damos_commit_ops_filters(stru
+ int i = 0, j = 0;
+
+ damos_for_each_ops_filter_safe(dst_filter, next, dst) {
+- src_filter = damos_nth_filter(i++, src);
++ src_filter = damos_nth_ops_filter(i++, src);
+ if (src_filter)
+ damos_commit_filter(dst_filter, src_filter);
+ else
--- /dev/null
+From e251709aaddb3ee1e8ac1ed5e361a608a1cc92de Mon Sep 17 00:00:00 2001
+From: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+Date: Wed, 30 Jul 2025 11:35:43 +0530
+Subject: mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up
+
+From: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+
+commit e251709aaddb3ee1e8ac1ed5e361a608a1cc92de upstream.
+
+During SD suspend/resume without a full card rescan (when using
+non-removable SD cards for rootfs), the SD card initialization may fail
+after resume. This occurs because, after a host controller reset, the
+card detect logic may take time to stabilize due to debounce logic.
+Without waiting for stabilization, the host may attempt powering up the
+card prematurely, leading to command timeouts during resume flow.
+Add sdhci_arasan_set_power_and_bus_voltage() to wait for the card detect
+stable bit before power up the card. Since the stabilization time
+is not fixed, a maximum timeout of one second is used to ensure
+sufficient wait time for the card detect signal to stabilize.
+
+Signed-off-by: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250730060543.1735971-1-sai.krishna.potthuri@amd.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-arasan.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-of-arasan.c
++++ b/drivers/mmc/host/sdhci-of-arasan.c
+@@ -99,6 +99,9 @@
+ #define HIWORD_UPDATE(val, mask, shift) \
+ ((val) << (shift) | (mask) << ((shift) + 16))
+
++#define CD_STABLE_TIMEOUT_US 1000000
++#define CD_STABLE_MAX_SLEEP_US 10
++
+ /**
+ * struct sdhci_arasan_soc_ctl_field - Field used in sdhci_arasan_soc_ctl_map
+ *
+@@ -206,12 +209,15 @@ struct sdhci_arasan_data {
+ * 19MHz instead
+ */
+ #define SDHCI_ARASAN_QUIRK_CLOCK_25_BROKEN BIT(2)
++/* Enable CD stable check before power-up */
++#define SDHCI_ARASAN_QUIRK_ENSURE_CD_STABLE BIT(3)
+ };
+
+ struct sdhci_arasan_of_data {
+ const struct sdhci_arasan_soc_ctl_map *soc_ctl_map;
+ const struct sdhci_pltfm_data *pdata;
+ const struct sdhci_arasan_clk_ops *clk_ops;
++ u32 quirks;
+ };
+
+ static const struct sdhci_arasan_soc_ctl_map rk3399_soc_ctl_map = {
+@@ -514,6 +520,24 @@ static int sdhci_arasan_voltage_switch(s
+ return -EINVAL;
+ }
+
++static void sdhci_arasan_set_power_and_bus_voltage(struct sdhci_host *host, unsigned char mode,
++ unsigned short vdd)
++{
++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
++ struct sdhci_arasan_data *sdhci_arasan = sdhci_pltfm_priv(pltfm_host);
++ u32 reg;
++
++ /*
++ * Ensure that the card detect logic has stabilized before powering up, this is
++ * necessary after a host controller reset.
++ */
++ if (mode == MMC_POWER_UP && sdhci_arasan->quirks & SDHCI_ARASAN_QUIRK_ENSURE_CD_STABLE)
++ read_poll_timeout(sdhci_readl, reg, reg & SDHCI_CD_STABLE, CD_STABLE_MAX_SLEEP_US,
++ CD_STABLE_TIMEOUT_US, false, host, SDHCI_PRESENT_STATE);
++
++ sdhci_set_power_and_bus_voltage(host, mode, vdd);
++}
++
+ static const struct sdhci_ops sdhci_arasan_ops = {
+ .set_clock = sdhci_arasan_set_clock,
+ .get_max_clock = sdhci_pltfm_clk_get_max_clock,
+@@ -521,7 +545,7 @@ static const struct sdhci_ops sdhci_aras
+ .set_bus_width = sdhci_set_bus_width,
+ .reset = sdhci_arasan_reset,
+ .set_uhs_signaling = sdhci_set_uhs_signaling,
+- .set_power = sdhci_set_power_and_bus_voltage,
++ .set_power = sdhci_arasan_set_power_and_bus_voltage,
+ .hw_reset = sdhci_arasan_hw_reset,
+ };
+
+@@ -570,7 +594,7 @@ static const struct sdhci_ops sdhci_aras
+ .set_bus_width = sdhci_set_bus_width,
+ .reset = sdhci_arasan_reset,
+ .set_uhs_signaling = sdhci_set_uhs_signaling,
+- .set_power = sdhci_set_power_and_bus_voltage,
++ .set_power = sdhci_arasan_set_power_and_bus_voltage,
+ .irq = sdhci_arasan_cqhci_irq,
+ };
+
+@@ -1447,6 +1471,7 @@ static const struct sdhci_arasan_clk_ops
+ static struct sdhci_arasan_of_data sdhci_arasan_zynqmp_data = {
+ .pdata = &sdhci_arasan_zynqmp_pdata,
+ .clk_ops = &zynqmp_clk_ops,
++ .quirks = SDHCI_ARASAN_QUIRK_ENSURE_CD_STABLE,
+ };
+
+ static const struct sdhci_arasan_clk_ops versal_clk_ops = {
+@@ -1457,6 +1482,7 @@ static const struct sdhci_arasan_clk_ops
+ static struct sdhci_arasan_of_data sdhci_arasan_versal_data = {
+ .pdata = &sdhci_arasan_zynqmp_pdata,
+ .clk_ops = &versal_clk_ops,
++ .quirks = SDHCI_ARASAN_QUIRK_ENSURE_CD_STABLE,
+ };
+
+ static const struct sdhci_arasan_clk_ops versal_net_clk_ops = {
+@@ -1467,6 +1493,7 @@ static const struct sdhci_arasan_clk_ops
+ static struct sdhci_arasan_of_data sdhci_arasan_versal_net_data = {
+ .pdata = &sdhci_arasan_versal_net_pdata,
+ .clk_ops = &versal_net_clk_ops,
++ .quirks = SDHCI_ARASAN_QUIRK_ENSURE_CD_STABLE,
+ };
+
+ static struct sdhci_arasan_of_data intel_keembay_emmc_data = {
+@@ -1945,6 +1972,8 @@ static int sdhci_arasan_probe(struct pla
+ if (of_device_is_compatible(np, "rockchip,rk3399-sdhci-5.1"))
+ sdhci_arasan_update_clockmultiplier(host, 0x0);
+
++ sdhci_arasan->quirks |= data->quirks;
++
+ if (of_device_is_compatible(np, "intel,keembay-sdhci-5.1-emmc") ||
+ of_device_is_compatible(np, "intel,keembay-sdhci-5.1-sd") ||
+ of_device_is_compatible(np, "intel,keembay-sdhci-5.1-sdio")) {
--- /dev/null
+From dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Thu, 31 Jul 2025 14:57:50 +0800
+Subject: mmc: sdhci-pci-gli: Add a new function to simplify the code
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 upstream.
+
+In preparation to fix replay timer timeout, add
+sdhci_gli_mask_replay_timer_timeout() function
+to simplify some of the code, allowing it to be re-used.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -287,6 +287,20 @@
+ #define GLI_MAX_TUNING_LOOP 40
+
+ /* Genesys Logic chipset */
++static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
++{
++ int aer;
++ u32 value;
++
++ /* mask the replay timer timeout of AER */
++ aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++ if (aer) {
++ pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
++ value |= PCI_ERR_COR_REP_TIMER;
++ pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
++ }
++}
++
+ static inline void gl9750_wt_on(struct sdhci_host *host)
+ {
+ u32 wt_value;
+@@ -607,7 +621,6 @@ static void gl9750_hw_setting(struct sdh
+ {
+ struct sdhci_pci_slot *slot = sdhci_priv(host);
+ struct pci_dev *pdev;
+- int aer;
+ u32 value;
+
+ pdev = slot->chip->pdev;
+@@ -626,12 +639,7 @@ static void gl9750_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9750_wt_off(host);
+ }
+@@ -806,7 +814,6 @@ static void sdhci_gl9755_set_clock(struc
+ static void gl9755_hw_setting(struct sdhci_pci_slot *slot)
+ {
+ struct pci_dev *pdev = slot->chip->pdev;
+- int aer;
+ u32 value;
+
+ gl9755_wt_on(pdev);
+@@ -841,12 +848,7 @@ static void gl9755_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9755_wt_off(pdev);
+ }
erofs-do-not-select-tristate-symbols-from-bool-symbols.patch
crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
+io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch
+iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch
+iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch
+mm-damon-core-fix-commit_ops_filters-by-using-correct-nth-function.patch
+mmc-sdhci-of-arasan-ensure-cd-logic-stabilization-before-power-up.patch
+mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
