From: Greg Kroah-Hartman Date: Sun, 7 Sep 2025 07:58:20 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.299~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=03a4bc4f44c3e9391b3cdb19eaca14981ada62c5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-realtek-add-new-hp-zbook-laptop-with-micmute-led-fixup.patch alsa-hda-realtek-add-support-for-hp-agusta-using-cs35l41-hda.patch btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch cpufreq-intel_pstate-do-not-update-global.turbo_disabled-after-initialization.patch cpufreq-intel_pstate-fold-intel_pstate_max_within_limits-into-caller.patch cpufreq-intel_pstate-revise-global-turbo-disable-check.patch cpufreq-intel_pstate-unchecked-msr-aceess-in-legacy-mode.patch cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch dmaengine-mediatek-fix-a-possible-deadlock-error-in-mtk_cqdma_tx_status.patch i2c-designware-fix-an-error-handling-path-in-i2c_dw_pci_probe.patch iio-chemical-pms7003-use-aligned_s64-for-timestamp.patch iio-light-opt3001-fix-deadlock-due-to-concurrent-flag-access.patch memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch mm-slub-avoid-accessing-metadata-when-pointer-is-invalid-in-object_err.patch net-dsa-microchip-linearize-skb-for-tail-tagging-switches.patch net-dsa-microchip-update-tag_ksz-masks-for-ksz9477-family.patch pci-msi-add-an-option-to-write-msix-entry_data-before-any-reads.patch spi-tegra114-don-t-fail-set_cs_timing-when-delays-are-zero.patch spi-tegra114-remove-unnecessary-null-pointer-checks.patch vmxnet3-update-mtu-after-device-quiesce.patch --- diff --git a/queue-6.1/alsa-hda-realtek-add-new-hp-zbook-laptop-with-micmute-led-fixup.patch b/queue-6.1/alsa-hda-realtek-add-new-hp-zbook-laptop-with-micmute-led-fixup.patch new file mode 100644 index 0000000000..9a758d7c4b --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-new-hp-zbook-laptop-with-micmute-led-fixup.patch @@ -0,0 +1,36 @@ +From stable+bounces-177894-greg=kroah.com@vger.kernel.org Fri Sep 5 22:07:09 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 16:07:01 -0400 +Subject: ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup +To: stable@vger.kernel.org +Cc: Chris Chiu , Takashi Iwai , Sasha Levin +Message-ID: <20250905200701.3390803-1-sashal@kernel.org> + +From: Chris Chiu + +[ Upstream commit f709b78aecab519dbcefa9a6603b94ad18c553e3 ] + +New HP ZBook with Realtek HDA codec ALC3247 needs the quirk +ALC236_FIXUP_HP_GPIO_LED to fix the micmute LED. + +Signed-off-by: Chris Chiu +Cc: +Link: https://patch.msgid.link/20250520132101.120685-1-chris.chiu@canonical.com +Signed-off-by: Takashi Iwai +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10093,6 +10093,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8e18, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8e1d, "HP ZBook X Gli 16 G12", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x1054, "ASUS G614FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.1/alsa-hda-realtek-add-support-for-hp-agusta-using-cs35l41-hda.patch b/queue-6.1/alsa-hda-realtek-add-support-for-hp-agusta-using-cs35l41-hda.patch new file mode 100644 index 0000000000..3de85c5570 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-support-for-hp-agusta-using-cs35l41-hda.patch @@ -0,0 +1,38 @@ +From stable+bounces-177883-greg=kroah.com@vger.kernel.org Fri Sep 5 21:18:45 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 15:16:29 -0400 +Subject: ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA +To: stable@vger.kernel.org +Cc: Stefan Binding , Takashi Iwai , Sasha Levin +Message-ID: <20250905191629.3318536-1-sashal@kernel.org> + +From: Stefan Binding + +[ Upstream commit 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 ] + +Add support for HP Agusta. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C + +Signed-off-by: Stefan Binding +Cc: +Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.com +Signed-off-by: Takashi Iwai +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10094,6 +10094,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8e1d, "HP ZBook X Gli 16 G12", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x1054, "ASUS G614FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.1/btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch b/queue-6.1/btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch new file mode 100644 index 0000000000..c1786f30e2 --- /dev/null +++ b/queue-6.1/btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch @@ -0,0 +1,93 @@ +From stable+bounces-177961-greg=kroah.com@vger.kernel.org Sat Sep 6 15:35:29 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 09:35:21 -0400 +Subject: btrfs: adjust subpage bit start based on sectorsize +To: stable@vger.kernel.org +Cc: Josef Bacik , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20250906133521.3896995-1-sashal@kernel.org> + +From: Josef Bacik + +[ Upstream commit e08e49d986f82c30f42ad0ed43ebbede1e1e3739 ] + +When running machines with 64k page size and a 16k nodesize we started +seeing tree log corruption in production. This turned out to be because +we were not writing out dirty blocks sometimes, so this in fact affects +all metadata writes. + +When writing out a subpage EB we scan the subpage bitmap for a dirty +range. If the range isn't dirty we do + + bit_start++; + +to move onto the next bit. The problem is the bitmap is based on the +number of sectors that an EB has. So in this case, we have a 64k +pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 +bits for every node. With a 64k page size we end up with 4 nodes per +page. + +To make this easier this is how everything looks + +[0 16k 32k 48k ] logical address +[0 4 8 12 ] radix tree offset +[ 64k page ] folio +[ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers +[ | | | | | | | | | | | | | | | | ] bitmap + +Now we use all of our addressing based on fs_info->sectorsize_bits, so +as you can see the above our 16k eb->start turns into radix entry 4. + +When we find a dirty range for our eb, we correctly do bit_start += +sectors_per_node, because if we start at bit 0, the next bit for the +next eb is 4, to correspond to eb->start 16k. + +However if our range is clean, we will do bit_start++, which will now +put us offset from our radix tree entries. + +In our case, assume that the first time we check the bitmap the block is +not dirty, we increment bit_start so now it == 1, and then we loop +around and check again. This time it is dirty, and we go to find that +start using the following equation + + start = folio_start + bit_start * fs_info->sectorsize; + +so in the case above, eb->start 0 is now dirty, and we calculate start +as + + 0 + 1 * fs_info->sectorsize = 4096 + 4096 >> 12 = 1 + +Now we're looking up the radix tree for 1, and we won't find an eb. +What's worse is now we're using bit_start == 1, so we do bit_start += +sectors_per_node, which is now 5. If that eb is dirty we will run into +the same thing, we will look at an offset that is not populated in the +radix tree, and now we're skipping the writeout of dirty extent buffers. + +The best fix for this is to not use sectorsize_bits to address nodes, +but that's a larger change. Since this is a fs corruption problem fix +it simply by always using sectors_per_node to increment the start bit. + +Fixes: c4aec299fa8f ("btrfs: introduce submit_eb_subpage() to submit a subpage metadata page") +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2807,7 +2807,7 @@ static int submit_eb_subpage(struct page + subpage->bitmaps)) { + spin_unlock_irqrestore(&subpage->lock, flags); + spin_unlock(&page->mapping->private_lock); +- bit_start++; ++ bit_start += sectors_per_node; + continue; + } + diff --git a/queue-6.1/cpufreq-intel_pstate-do-not-update-global.turbo_disabled-after-initialization.patch b/queue-6.1/cpufreq-intel_pstate-do-not-update-global.turbo_disabled-after-initialization.patch new file mode 100644 index 0000000000..11b0d98560 --- /dev/null +++ b/queue-6.1/cpufreq-intel_pstate-do-not-update-global.turbo_disabled-after-initialization.patch @@ -0,0 +1,194 @@ +From stable+bounces-177957-greg=kroah.com@vger.kernel.org Sat Sep 6 15:22:26 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 09:22:09 -0400 +Subject: cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Srinivas Pandruvada , Sasha Levin +Message-ID: <20250906132210.3888723-3-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 0940f1a8011fd69be5082015068e0dc31c800c20 ] + +The global.turbo_disabled is updated quite often, especially in the +passive mode in which case it is updated every time the scheduler calls +into the driver. However, this is generally not necessary and it adds +MSR read overhead to scheduler code paths (and that particular MSR is +slow to read). + +For this reason, make the driver read MSR_IA32_MISC_ENABLE_TURBO_DISABLE +just once at the cpufreq driver registration time and remove all of the +in-flight updates of global.turbo_disabled. + +Signed-off-by: Rafael J. Wysocki +Acked-by: Srinivas Pandruvada +Stable-dep-of: ac4e04d9e378 ("cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 51 ++++++----------------------------------- + 1 file changed, 8 insertions(+), 43 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -172,7 +172,6 @@ struct vid_data { + * based on the MSR_IA32_MISC_ENABLE value and whether or + * not the maximum reported turbo P-state is different from + * the maximum reported non-turbo one. +- * @turbo_disabled_mf: The @turbo_disabled value reflected by cpuinfo.max_freq. + * @min_perf_pct: Minimum capacity limit in percent of the maximum turbo + * P-state capacity. + * @max_perf_pct: Maximum capacity limit in percent of the maximum turbo +@@ -181,7 +180,6 @@ struct vid_data { + struct global_params { + bool no_turbo; + bool turbo_disabled; +- bool turbo_disabled_mf; + int max_perf_pct; + int min_perf_pct; + }; +@@ -559,12 +557,13 @@ static void intel_pstate_hybrid_hwp_adju + cpu->pstate.min_pstate = intel_pstate_freq_to_hwp(cpu, freq); + } + +-static inline void update_turbo_state(void) ++static bool turbo_is_disabled(void) + { + u64 misc_en; + + rdmsrl(MSR_IA32_MISC_ENABLE, misc_en); +- global.turbo_disabled = misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE; ++ ++ return !!(misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE); + } + + static int min_perf_pct_min(void) +@@ -1119,40 +1118,16 @@ static void intel_pstate_update_policies + static void __intel_pstate_update_max_freq(struct cpudata *cpudata, + struct cpufreq_policy *policy) + { +- policy->cpuinfo.max_freq = global.turbo_disabled_mf ? ++ policy->cpuinfo.max_freq = global.turbo_disabled ? + cpudata->pstate.max_freq : cpudata->pstate.turbo_freq; + refresh_frequency_limits(policy); + } + +-static void intel_pstate_update_max_freq(unsigned int cpu) +-{ +- struct cpufreq_policy *policy = cpufreq_cpu_acquire(cpu); +- +- if (!policy) +- return; +- +- __intel_pstate_update_max_freq(all_cpu_data[cpu], policy); +- +- cpufreq_cpu_release(policy); +-} +- + static void intel_pstate_update_limits(unsigned int cpu) + { + mutex_lock(&intel_pstate_driver_lock); + +- update_turbo_state(); +- /* +- * If turbo has been turned on or off globally, policy limits for +- * all CPUs need to be updated to reflect that. +- */ +- if (global.turbo_disabled_mf != global.turbo_disabled) { +- global.turbo_disabled_mf = global.turbo_disabled; +- arch_set_max_freq_ratio(global.turbo_disabled); +- for_each_possible_cpu(cpu) +- intel_pstate_update_max_freq(cpu); +- } else { +- cpufreq_update_policy(cpu); +- } ++ cpufreq_update_policy(cpu); + + mutex_unlock(&intel_pstate_driver_lock); + } +@@ -1252,7 +1227,6 @@ static ssize_t show_no_turbo(struct kobj + return -EAGAIN; + } + +- update_turbo_state(); + if (global.turbo_disabled) + ret = sprintf(buf, "%u\n", global.turbo_disabled); + else +@@ -1282,7 +1256,6 @@ static ssize_t store_no_turbo(struct kob + + mutex_lock(&intel_pstate_limits_lock); + +- update_turbo_state(); + if (global.turbo_disabled) { + pr_notice_once("Turbo disabled by BIOS or unavailable on processor\n"); + mutex_unlock(&intel_pstate_limits_lock); +@@ -2253,8 +2226,6 @@ static void intel_pstate_adjust_pstate(s + struct sample *sample; + int target_pstate; + +- update_turbo_state(); +- + target_pstate = get_target_pstate(cpu); + target_pstate = intel_pstate_prepare_request(cpu, target_pstate); + trace_cpu_frequency(target_pstate * cpu->pstate.scaling, cpu->cpu); +@@ -2572,7 +2543,6 @@ static int intel_pstate_set_policy(struc + * be invoked on them. + */ + intel_pstate_clear_update_util_hook(policy->cpu); +- update_turbo_state(); + intel_pstate_set_pstate(cpu, pstate); + } else { + intel_pstate_set_update_util_hook(policy->cpu); +@@ -2616,7 +2586,6 @@ static void intel_pstate_verify_cpu_poli + { + int max_freq; + +- update_turbo_state(); + if (hwp_active) { + intel_pstate_get_hwp_cap(cpu); + max_freq = global.no_turbo || global.turbo_disabled ? +@@ -2713,8 +2682,6 @@ static int __intel_pstate_cpu_init(struc + + /* cpuinfo and default policy values */ + policy->cpuinfo.min_freq = cpu->pstate.min_freq; +- update_turbo_state(); +- global.turbo_disabled_mf = global.turbo_disabled; + policy->cpuinfo.max_freq = global.turbo_disabled ? + cpu->pstate.max_freq : cpu->pstate.turbo_freq; + +@@ -2880,8 +2847,6 @@ static int intel_cpufreq_target(struct c + struct cpufreq_freqs freqs; + int target_pstate; + +- update_turbo_state(); +- + freqs.old = policy->cur; + freqs.new = target_freq; + +@@ -2903,8 +2868,6 @@ static unsigned int intel_cpufreq_fast_s + struct cpudata *cpu = all_cpu_data[policy->cpu]; + int target_pstate; + +- update_turbo_state(); +- + target_pstate = intel_pstate_freq_to_hwp(cpu, target_freq); + + target_pstate = intel_cpufreq_update_pstate(policy, target_pstate, true); +@@ -2922,7 +2885,6 @@ static void intel_cpufreq_adjust_perf(un + int old_pstate = cpu->pstate.current_pstate; + int cap_pstate, min_pstate, max_pstate, target_pstate; + +- update_turbo_state(); + cap_pstate = global.turbo_disabled ? HWP_GUARANTEED_PERF(hwp_cap) : + HWP_HIGHEST_PERF(hwp_cap); + +@@ -3112,6 +3074,9 @@ static int intel_pstate_register_driver( + + memset(&global, 0, sizeof(global)); + global.max_perf_pct = 100; ++ global.turbo_disabled = turbo_is_disabled(); ++ ++ arch_set_max_freq_ratio(global.turbo_disabled); + + intel_pstate_driver = driver; + ret = cpufreq_register_driver(intel_pstate_driver); diff --git a/queue-6.1/cpufreq-intel_pstate-fold-intel_pstate_max_within_limits-into-caller.patch b/queue-6.1/cpufreq-intel_pstate-fold-intel_pstate_max_within_limits-into-caller.patch new file mode 100644 index 0000000000..a4bd3f64b3 --- /dev/null +++ b/queue-6.1/cpufreq-intel_pstate-fold-intel_pstate_max_within_limits-into-caller.patch @@ -0,0 +1,59 @@ +From stable+bounces-177956-greg=kroah.com@vger.kernel.org Sat Sep 6 15:22:20 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 09:22:08 -0400 +Subject: cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Srinivas Pandruvada , Sasha Levin +Message-ID: <20250906132210.3888723-2-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 032c5565eb80edb6f2faeb31939540c897987119 ] + +Fold intel_pstate_max_within_limits() into its only caller. + +No functional impact. + +Signed-off-by: Rafael J. Wysocki +Acked-by: Srinivas Pandruvada +Stable-dep-of: ac4e04d9e378 ("cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1984,14 +1984,6 @@ static void intel_pstate_set_min_pstate( + intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); + } + +-static void intel_pstate_max_within_limits(struct cpudata *cpu) +-{ +- int pstate = max(cpu->pstate.min_pstate, cpu->max_perf_ratio); +- +- update_turbo_state(); +- intel_pstate_set_pstate(cpu, pstate); +-} +- + static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) + { + int perf_ctl_max_phys = pstate_funcs.get_max_physical(cpu->cpu); +@@ -2573,12 +2565,15 @@ static int intel_pstate_set_policy(struc + intel_pstate_update_perf_limits(cpu, policy->min, policy->max); + + if (cpu->policy == CPUFREQ_POLICY_PERFORMANCE) { ++ int pstate = max(cpu->pstate.min_pstate, cpu->max_perf_ratio); ++ + /* + * NOHZ_FULL CPUs need this as the governor callback may not + * be invoked on them. + */ + intel_pstate_clear_update_util_hook(policy->cpu); +- intel_pstate_max_within_limits(cpu); ++ update_turbo_state(); ++ intel_pstate_set_pstate(cpu, pstate); + } else { + intel_pstate_set_update_util_hook(policy->cpu); + } diff --git a/queue-6.1/cpufreq-intel_pstate-revise-global-turbo-disable-check.patch b/queue-6.1/cpufreq-intel_pstate-revise-global-turbo-disable-check.patch new file mode 100644 index 0000000000..bdb61ded69 --- /dev/null +++ b/queue-6.1/cpufreq-intel_pstate-revise-global-turbo-disable-check.patch @@ -0,0 +1,68 @@ +From stable+bounces-177955-greg=kroah.com@vger.kernel.org Sat Sep 6 15:22:20 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 09:22:07 -0400 +Subject: cpufreq: intel_pstate: Revise global turbo disable check +To: stable@vger.kernel.org +Cc: Srinivas Pandruvada , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250906132210.3888723-1-sashal@kernel.org> + +From: Srinivas Pandruvada + +[ Upstream commit 37b6ddba967c601479bea418a7ac6ff16b6232b7 ] + +Setting global turbo flag based on CPU 0 P-state limits is problematic +as it limits max P-state request on every CPU on the system just based +on its P-state limits. + +There are two cases in which global.turbo_disabled flag is set: +- When the MSR_IA32_MISC_ENABLE_TURBO_DISABLE bit is set to 1 +in the MSR MSR_IA32_MISC_ENABLE. This bit can be only changed by +the system BIOS before power up. +- When the max non turbo P-state is same as max turbo P-state for CPU 0. + +The second check is not a valid to decide global turbo state based on +the CPU 0. CPU 0 max turbo P-state can be same as max non turbo P-state, +but for other CPUs this may not be true. + +There is no guarantee that max P-state limits are same for every CPU. This +is possible that during fusing max P-state for a CPU is constrained. Also +with the Intel Speed Select performance profile, CPU 0 may not be present +in all profiles. In this case the max non turbo and turbo P-state can be +set to the lowest possible P-state by the hardware when switched to +such profile. Since max non turbo and turbo P-state is same, +global.turbo_disabled flag will be set. + +Once global.turbo_disabled is set, any scaling max and min frequency +update for any CPU will result in its max P-state constrained to the max +non turbo P-state. + +Hence remove the check of max non turbo P-state equal to max turbo P-state +of CPU 0 to set global turbo disabled flag. + +Signed-off-by: Srinivas Pandruvada +[ rjw: Subject edit ] +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: ac4e04d9e378 ("cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -562,13 +562,9 @@ static void intel_pstate_hybrid_hwp_adju + static inline void update_turbo_state(void) + { + u64 misc_en; +- struct cpudata *cpu; + +- cpu = all_cpu_data[0]; + rdmsrl(MSR_IA32_MISC_ENABLE, misc_en); +- global.turbo_disabled = +- (misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE || +- cpu->pstate.max_pstate == cpu->pstate.turbo_pstate); ++ global.turbo_disabled = misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE; + } + + static int min_perf_pct_min(void) diff --git a/queue-6.1/cpufreq-intel_pstate-unchecked-msr-aceess-in-legacy-mode.patch b/queue-6.1/cpufreq-intel_pstate-unchecked-msr-aceess-in-legacy-mode.patch new file mode 100644 index 0000000000..a6b1534519 --- /dev/null +++ b/queue-6.1/cpufreq-intel_pstate-unchecked-msr-aceess-in-legacy-mode.patch @@ -0,0 +1,64 @@ +From stable+bounces-177958-greg=kroah.com@vger.kernel.org Sat Sep 6 15:22:22 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 09:22:10 -0400 +Subject: cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode +To: stable@vger.kernel.org +Cc: Srinivas Pandruvada , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250906132210.3888723-4-sashal@kernel.org> + +From: Srinivas Pandruvada + +[ Upstream commit ac4e04d9e378f5aa826c2406ad7871ae1b6a6fb9 ] + +When turbo mode is unavailable on a Skylake-X system, executing the +command: + + # echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo + +results in an unchecked MSR access error: + + WRMSR to 0x199 (attempted to write 0x0000000100001300). + +This issue was reproduced on an OEM (Original Equipment Manufacturer) +system and is not a common problem across all Skylake-X systems. + +This error occurs because the MSR 0x199 Turbo Engage Bit (bit 32) is set +when turbo mode is disabled. The issue arises when intel_pstate fails to +detect that turbo mode is disabled. Here intel_pstate relies on +MSR_IA32_MISC_ENABLE bit 38 to determine the status of turbo mode. +However, on this system, bit 38 is not set even when turbo mode is +disabled. + +According to the Intel Software Developer's Manual (SDM), the BIOS sets +this bit during platform initialization to enable or disable +opportunistic processor performance operations. Logically, this bit +should be set in such cases. However, the SDM also specifies that "OS +and applications must use CPUID leaf 06H to detect processors with +opportunistic processor performance operations enabled." + +Therefore, in addition to checking MSR_IA32_MISC_ENABLE bit 38, verify +that CPUID.06H:EAX[1] is 0 to accurately determine if turbo mode is +disabled. + +Fixes: 4521e1a0ce17 ("cpufreq: intel_pstate: Reflect current no_turbo state correctly") +Signed-off-by: Srinivas Pandruvada +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -561,6 +561,9 @@ static bool turbo_is_disabled(void) + { + u64 misc_en; + ++ if (!cpu_feature_enabled(X86_FEATURE_IDA)) ++ return true; ++ + rdmsrl(MSR_IA32_MISC_ENABLE, misc_en); + + return !!(misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE); diff --git a/queue-6.1/cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch b/queue-6.1/cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch new file mode 100644 index 0000000000..e691749251 --- /dev/null +++ b/queue-6.1/cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch @@ -0,0 +1,98 @@ +From stable+bounces-177970-greg=kroah.com@vger.kernel.org Sat Sep 6 18:11:19 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 12:11:09 -0400 +Subject: cpufreq/sched: Explicitly synchronize limits_changed flag handling +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Christian Loehle , Sasha Levin +Message-ID: <20250906161109.141162-1-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 79443a7e9da3c9f68290a8653837e23aba0fa89f ] + +The handling of the limits_changed flag in struct sugov_policy needs to +be explicitly synchronized to ensure that cpufreq policy limits updates +will not be missed in some cases. + +Without that synchronization it is theoretically possible that +the limits_changed update in sugov_should_update_freq() will be +reordered with respect to the reads of the policy limits in +cpufreq_driver_resolve_freq() and in that case, if the limits_changed +update in sugov_limits() clobbers the one in sugov_should_update_freq(), +the new policy limits may not take effect for a long time. + +Likewise, the limits_changed update in sugov_limits() may theoretically +get reordered with respect to the updates of the policy limits in +cpufreq_set_policy() and if sugov_should_update_freq() runs between +them, the policy limits change may be missed. + +To ensure that the above situations will not take place, add memory +barriers preventing the reordering in question from taking place and +add READ_ONCE() and WRITE_ONCE() annotations around all of the +limits_changed flag updates to prevent the compiler from messing up +with that code. + +Fixes: 600f5badb78c ("cpufreq: schedutil: Don't skip freq update when limits change") +Cc: 5.3+ # 5.3+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Link: https://patch.msgid.link/3376719.44csPzL39Z@rjwysocki.net +[ bw_min => bw_dl ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/cpufreq_schedutil.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -82,9 +82,20 @@ static bool sugov_should_update_freq(str + if (!cpufreq_this_cpu_can_update(sg_policy->policy)) + return false; + +- if (unlikely(sg_policy->limits_changed)) { +- sg_policy->limits_changed = false; ++ if (unlikely(READ_ONCE(sg_policy->limits_changed))) { ++ WRITE_ONCE(sg_policy->limits_changed, false); + sg_policy->need_freq_update = true; ++ ++ /* ++ * The above limits_changed update must occur before the reads ++ * of policy limits in cpufreq_driver_resolve_freq() or a policy ++ * limits update might be missed, so use a memory barrier to ++ * ensure it. ++ * ++ * This pairs with the write memory barrier in sugov_limits(). ++ */ ++ smp_mb(); ++ + return true; + } + +@@ -318,7 +329,7 @@ static inline bool sugov_cpu_is_busy(str + static inline void ignore_dl_rate_limit(struct sugov_cpu *sg_cpu) + { + if (cpu_bw_dl(cpu_rq(sg_cpu->cpu)) > sg_cpu->bw_dl) +- sg_cpu->sg_policy->limits_changed = true; ++ WRITE_ONCE(sg_cpu->sg_policy->limits_changed, true); + } + + static inline bool sugov_update_single_common(struct sugov_cpu *sg_cpu, +@@ -825,7 +836,16 @@ static void sugov_limits(struct cpufreq_ + mutex_unlock(&sg_policy->work_lock); + } + +- sg_policy->limits_changed = true; ++ /* ++ * The limits_changed update below must take place before the updates ++ * of policy limits in cpufreq_set_policy() or a policy limits update ++ * might be missed, so use a memory barrier to ensure it. ++ * ++ * This pairs with the memory barrier in sugov_should_update_freq(). ++ */ ++ smp_wmb(); ++ ++ WRITE_ONCE(sg_policy->limits_changed, true); + } + + struct cpufreq_governor schedutil_gov = { diff --git a/queue-6.1/dmaengine-mediatek-fix-a-possible-deadlock-error-in-mtk_cqdma_tx_status.patch b/queue-6.1/dmaengine-mediatek-fix-a-possible-deadlock-error-in-mtk_cqdma_tx_status.patch new file mode 100644 index 0000000000..fce6f37691 --- /dev/null +++ b/queue-6.1/dmaengine-mediatek-fix-a-possible-deadlock-error-in-mtk_cqdma_tx_status.patch @@ -0,0 +1,77 @@ +From stable+bounces-177895-greg=kroah.com@vger.kernel.org Fri Sep 5 22:22:25 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 16:22:14 -0400 +Subject: dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() +To: stable@vger.kernel.org +Cc: Qiu-ji Chen , AngeloGioacchino Del Regno , Vinod Koul , Sasha Levin +Message-ID: <20250905202214.3400840-1-sashal@kernel.org> + +From: Qiu-ji Chen + +[ Upstream commit 157ae5ffd76a2857ccb4b7ce40bc5a344ca00395 ] + +Fix a potential deadlock bug. Observe that in the mtk-cqdma.c +file, functions like mtk_cqdma_issue_pending() and +mtk_cqdma_free_active_desc() properly acquire the pc lock before the vc +lock when handling pc and vc fields. However, mtk_cqdma_tx_status() +violates this order by first acquiring the vc lock before invoking +mtk_cqdma_find_active_desc(), which subsequently takes the pc lock. This +reversed locking sequence (vc → pc) contradicts the established +pc → vc order and creates deadlock risks. + +Fix the issue by moving the vc lock acquisition code from +mtk_cqdma_find_active_desc() to mtk_cqdma_tx_status(). Ensure the pc lock +is acquired before the vc lock in the calling function to maintain correct +locking hierarchy. Note that since mtk_cqdma_find_active_desc() is a +static function with only one caller (mtk_cqdma_tx_status()), this +modification safely eliminates the deadlock possibility without affecting +other components. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs to extract +function pairs that can be concurrently executed, and then analyzes the +instructions in the paired functions to identify possible concurrency bugs +including deadlocks, data races and atomicity violations. + +Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20250508073634.3719-1-chenqiuji666@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/mediatek/mtk-cqdma.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/dma/mediatek/mtk-cqdma.c ++++ b/drivers/dma/mediatek/mtk-cqdma.c +@@ -421,15 +421,11 @@ static struct virt_dma_desc *mtk_cqdma_f + { + struct mtk_cqdma_vchan *cvc = to_cqdma_vchan(c); + struct virt_dma_desc *vd; +- unsigned long flags; + +- spin_lock_irqsave(&cvc->pc->lock, flags); + list_for_each_entry(vd, &cvc->pc->queue, node) + if (vd->tx.cookie == cookie) { +- spin_unlock_irqrestore(&cvc->pc->lock, flags); + return vd; + } +- spin_unlock_irqrestore(&cvc->pc->lock, flags); + + list_for_each_entry(vd, &cvc->vc.desc_issued, node) + if (vd->tx.cookie == cookie) +@@ -453,9 +449,11 @@ static enum dma_status mtk_cqdma_tx_stat + if (ret == DMA_COMPLETE || !txstate) + return ret; + ++ spin_lock_irqsave(&cvc->pc->lock, flags); + spin_lock_irqsave(&cvc->vc.lock, flags); + vd = mtk_cqdma_find_active_desc(c, cookie); + spin_unlock_irqrestore(&cvc->vc.lock, flags); ++ spin_unlock_irqrestore(&cvc->pc->lock, flags); + + if (vd) { + cvd = to_cqdma_vdesc(vd); diff --git a/queue-6.1/i2c-designware-fix-an-error-handling-path-in-i2c_dw_pci_probe.patch b/queue-6.1/i2c-designware-fix-an-error-handling-path-in-i2c_dw_pci_probe.patch new file mode 100644 index 0000000000..be5aca440a --- /dev/null +++ b/queue-6.1/i2c-designware-fix-an-error-handling-path-in-i2c_dw_pci_probe.patch @@ -0,0 +1,44 @@ +From stable+bounces-177911-greg=kroah.com@vger.kernel.org Sat Sep 6 02:39:11 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 20:38:31 -0400 +Subject: i2c: designware: Fix an error handling path in i2c_dw_pci_probe() +To: stable@vger.kernel.org +Cc: Christophe JAILLET , Jarkko Nikula , Andi Shyti , Sasha Levin +Message-ID: <20250906003831.3605274-1-sashal@kernel.org> + +From: Christophe JAILLET + +[ Upstream commit 1cfe51ef07ca3286581d612debfb0430eeccbb65 ] + +If navi_amd_register_client() fails, the previous i2c_dw_probe() call +should be undone by a corresponding i2c_del_adapter() call, as already done +in the remove function. + +Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU") +Signed-off-by: Christophe JAILLET +Cc: # v5.13+ +Acked-by: Jarkko Nikula +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/fcd9651835a32979df8802b2db9504c523a8ebbb.1747158983.git.christophe.jaillet@wanadoo.fr +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-pcidrv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -337,9 +337,11 @@ static int i2c_dw_pci_probe(struct pci_d + + if ((dev->flags & MODEL_MASK) == MODEL_AMD_NAVI_GPU) { + dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, &dgpu_node); +- if (IS_ERR(dev->slave)) ++ if (IS_ERR(dev->slave)) { ++ i2c_del_adapter(&dev->adapter); + return dev_err_probe(dev->dev, PTR_ERR(dev->slave), + "register UCSI failed\n"); ++ } + } + + pm_runtime_set_autosuspend_delay(&pdev->dev, 1000); diff --git a/queue-6.1/iio-chemical-pms7003-use-aligned_s64-for-timestamp.patch b/queue-6.1/iio-chemical-pms7003-use-aligned_s64-for-timestamp.patch new file mode 100644 index 0000000000..feda9ef0ec --- /dev/null +++ b/queue-6.1/iio-chemical-pms7003-use-aligned_s64-for-timestamp.patch @@ -0,0 +1,60 @@ +From stable+bounces-177929-greg=kroah.com@vger.kernel.org Sat Sep 6 05:00:49 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 23:00:42 -0400 +Subject: iio: chemical: pms7003: use aligned_s64 for timestamp +To: stable@vger.kernel.org +Cc: "David Lechner" , "Nuno Sá" , Stable@vger.kernel.org, "Jonathan Cameron" , "Sasha Levin" +Message-ID: <20250906030042.3682560-1-sashal@kernel.org> + +From: David Lechner + +[ Upstream commit 6ffa698674053e82e811520642db2650d00d2c01 ] + +Follow the pattern of other drivers and use aligned_s64 for the +timestamp. This will ensure that the timestamp is correctly aligned on +all architectures. + +Also move the unaligned.h header while touching this since it was the +only one not in alphabetical order. + +Fixes: 13e945631c2f ("iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250417-iio-more-timestamp-alignment-v1-4-eafac1e22318@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +[ linux/unaligned.h => asm/unaligned.h ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/pms7003.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iio/chemical/pms7003.c ++++ b/drivers/iio/chemical/pms7003.c +@@ -5,7 +5,6 @@ + * Copyright (c) Tomasz Duszynski + */ + +-#include + #include + #include + #include +@@ -19,6 +18,8 @@ + #include + #include + #include ++#include ++#include + + #define PMS7003_DRIVER_NAME "pms7003" + +@@ -76,7 +77,7 @@ struct pms7003_state { + /* Used to construct scan to push to the IIO buffer */ + struct { + u16 data[3]; /* PM1, PM2P5, PM10 */ +- s64 ts; ++ aligned_s64 ts; + } scan; + }; + diff --git a/queue-6.1/iio-light-opt3001-fix-deadlock-due-to-concurrent-flag-access.patch b/queue-6.1/iio-light-opt3001-fix-deadlock-due-to-concurrent-flag-access.patch new file mode 100644 index 0000000000..8f081e4e0e --- /dev/null +++ b/queue-6.1/iio-light-opt3001-fix-deadlock-due-to-concurrent-flag-access.patch @@ -0,0 +1,55 @@ +From stable+bounces-177926-greg=kroah.com@vger.kernel.org Sat Sep 6 04:30:46 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 22:30:38 -0400 +Subject: iio: light: opt3001: fix deadlock due to concurrent flag access +To: stable@vger.kernel.org +Cc: Luca Ceresoli , Jonathan Cameron , Sasha Levin +Message-ID: <20250906023038.3672089-1-sashal@kernel.org> + +From: Luca Ceresoli + +[ Upstream commit f063a28002e3350088b4577c5640882bf4ea17ea ] + +The threaded IRQ function in this driver is reading the flag twice: once to +lock a mutex and once to unlock it. Even though the code setting the flag +is designed to prevent it, there are subtle cases where the flag could be +true at the mutex_lock stage and false at the mutex_unlock stage. This +results in the mutex not being unlocked, resulting in a deadlock. + +Fix it by making the opt3001_irq() code generally more robust, reading the +flag into a variable and using the variable value at both stages. + +Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Luca Ceresoli +Link: https://patch.msgid.link/20250321-opt3001-irq-fix-v1-1-6c520d851562@bootlin.com +Signed-off-by: Jonathan Cameron +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/opt3001.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iio/light/opt3001.c ++++ b/drivers/iio/light/opt3001.c +@@ -692,8 +692,9 @@ static irqreturn_t opt3001_irq(int irq, + struct opt3001 *opt = iio_priv(iio); + int ret; + bool wake_result_ready_queue = false; ++ bool ok_to_ignore_lock = opt->ok_to_ignore_lock; + +- if (!opt->ok_to_ignore_lock) ++ if (!ok_to_ignore_lock) + mutex_lock(&opt->lock); + + ret = i2c_smbus_read_word_swapped(opt->client, OPT3001_CONFIGURATION); +@@ -730,7 +731,7 @@ static irqreturn_t opt3001_irq(int irq, + } + + out: +- if (!opt->ok_to_ignore_lock) ++ if (!ok_to_ignore_lock) + mutex_unlock(&opt->lock); + + if (wake_result_ready_queue) diff --git a/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch b/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch new file mode 100644 index 0000000000..de98fd8e6d --- /dev/null +++ b/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch @@ -0,0 +1,54 @@ +From stable+bounces-177965-greg=kroah.com@vger.kernel.org Sat Sep 6 16:13:42 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 10:13:21 -0400 +Subject: memcg: drain obj stock on cpu hotplug teardown +To: stable@vger.kernel.org +Cc: Shakeel Butt , Roman Gushchin , Johannes Weiner , Michal Hocko , Muchun Song , Andrew Morton , Sasha Levin +Message-ID: <20250906141321.25877-1-sashal@kernel.org> + +From: Shakeel Butt + +[ Upstream commit 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb ] + +Currently on cpu hotplug teardown, only memcg stock is drained but we +need to drain the obj stock as well otherwise we will miss the stats +accumulated on the target cpu as well as the nr_bytes cached. The stats +include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In +addition we are leaking reference to struct obj_cgroup object. + +Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev +Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") +Signed-off-by: Shakeel Butt +Reviewed-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2366,9 +2366,18 @@ static void drain_all_stock(struct mem_c + static int memcg_hotplug_cpu_dead(unsigned int cpu) + { + struct memcg_stock_pcp *stock; ++ struct obj_cgroup *old; ++ unsigned long flags; + + stock = &per_cpu(memcg_stock, cpu); ++ ++ /* drain_obj_stock requires stock_lock */ ++ local_lock_irqsave(&memcg_stock.stock_lock, flags); ++ old = drain_obj_stock(stock); ++ local_unlock_irqrestore(&memcg_stock.stock_lock, flags); ++ + drain_stock(stock); ++ obj_cgroup_put(old); + + return 0; + } diff --git a/queue-6.1/mm-slub-avoid-accessing-metadata-when-pointer-is-invalid-in-object_err.patch b/queue-6.1/mm-slub-avoid-accessing-metadata-when-pointer-is-invalid-in-object_err.patch new file mode 100644 index 0000000000..6eb834683b --- /dev/null +++ b/queue-6.1/mm-slub-avoid-accessing-metadata-when-pointer-is-invalid-in-object_err.patch @@ -0,0 +1,55 @@ +From stable+bounces-178013-greg=kroah.com@vger.kernel.org Sun Sep 7 03:26:50 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 21:26:41 -0400 +Subject: mm/slub: avoid accessing metadata when pointer is invalid in object_err() +To: stable@vger.kernel.org +Cc: Li Qiong , Harry Yoo , "Matthew Wilcox (Oracle)" , Vlastimil Babka , Sasha Levin +Message-ID: <20250907012641.385388-1-sashal@kernel.org> + +From: Li Qiong + +[ Upstream commit b4efccec8d06ceb10a7d34d7b1c449c569d53770 ] + +object_err() reports details of an object for further debugging, such as +the freelist pointer, redzone, etc. However, if the pointer is invalid, +attempting to access object metadata can lead to a crash since it does +not point to a valid object. + +One known path to the crash is when alloc_consistency_checks() +determines the pointer to the allocated object is invalid because of a +freelist corruption, and calls object_err() to report it. The debug code +should report and handle the corruption gracefully and not crash in the +process. + +In case the pointer is NULL or check_valid_pointer() returns false for +the pointer, only print the pointer value and skip accessing metadata. + +Fixes: 81819f0fc828 ("SLUB core") +Cc: +Signed-off-by: Li Qiong +Reviewed-by: Harry Yoo +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Vlastimil Babka +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -927,7 +927,12 @@ static void object_err(struct kmem_cache + return; + + slab_bug(s, "%s", reason); +- print_trailer(s, slab, object); ++ if (!object || !check_valid_pointer(s, slab, object)) { ++ print_slab_info(slab); ++ pr_err("Invalid pointer 0x%p\n", object); ++ } else { ++ print_trailer(s, slab, object); ++ } + add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); + } + diff --git a/queue-6.1/net-dsa-microchip-linearize-skb-for-tail-tagging-switches.patch b/queue-6.1/net-dsa-microchip-linearize-skb-for-tail-tagging-switches.patch new file mode 100644 index 0000000000..33118452aa --- /dev/null +++ b/queue-6.1/net-dsa-microchip-linearize-skb-for-tail-tagging-switches.patch @@ -0,0 +1,97 @@ +From stable+bounces-177872-greg=kroah.com@vger.kernel.org Fri Sep 5 20:15:06 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 14:14:36 -0400 +Subject: net: dsa: microchip: linearize skb for tail-tagging switches +To: stable@vger.kernel.org +Cc: Jakob Unterwurzacher , Jakob Unterwurzacher , Vladimir Oltean , Jakub Kicinski , Sasha Levin +Message-ID: <20250905181436.2943036-2-sashal@kernel.org> + +From: Jakob Unterwurzacher + +[ Upstream commit ba54bce747fa9e07896c1abd9b48545f7b4b31d2 ] + +The pointer arithmentic for accessing the tail tag only works +for linear skbs. + +For nonlinear skbs, it reads uninitialized memory inside the +skb headroom, essentially randomizing the tag. I have observed +it gets set to 6 most of the time. + +Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6 +(which does not exist for the ksz9896 that's in use), dropping the packet. +Debug prints added by me (not included in this patch): + + [ 256.645337] ksz9477_rcv:323 tag0=6 + [ 256.645349] skb len=47 headroom=78 headlen=0 tailroom=0 + mac=(64,14) mac_len=14 net=(78,0) trans=78 + shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0)) + csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0) + hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3 + priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0 + encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0) + [ 256.645377] dev name=end1 feat=0x0002e10200114bb3 + [ 256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06 + [ 256.645428] skb frag: 00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02 + [ 256.645436] skb frag: 00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00 + [ 256.645444] skb frag: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 + [ 256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL + +Call skb_linearize before trying to access the tag. + +This patch fixes ksz9477_rcv which is used by the ksz9896 I have at +hand, and also applies the same fix to ksz8795_rcv which seems to have +the same problem. + +Signed-off-by: Jakob Unterwurzacher +CC: stable@vger.kernel.org +Fixes: 016e43a26bab ("net: dsa: ksz: Add KSZ8795 tag code") +Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging") +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250515072920.2313014-1-jakob.unterwurzacher@cherry.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_ksz.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/net/dsa/tag_ksz.c ++++ b/net/dsa/tag_ksz.c +@@ -69,7 +69,12 @@ static struct sk_buff *ksz8795_xmit(stru + + static struct sk_buff *ksz8795_rcv(struct sk_buff *skb, struct net_device *dev) + { +- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; ++ u8 *tag; ++ ++ if (skb_linearize(skb)) ++ return NULL; ++ ++ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; + + return ksz_common_rcv(skb, dev, tag[0] & 7, KSZ_EGRESS_TAG_LEN); + } +@@ -136,10 +141,16 @@ static struct sk_buff *ksz9477_xmit(stru + + static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev) + { +- /* Tag decoding */ +- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; +- unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; + unsigned int len = KSZ_EGRESS_TAG_LEN; ++ unsigned int port; ++ u8 *tag; ++ ++ if (skb_linearize(skb)) ++ return NULL; ++ ++ /* Tag decoding */ ++ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; ++ port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; + + /* Extra 4-bytes PTP timestamp */ + if (tag[0] & KSZ9477_PTP_TAG_INDICATION) diff --git a/queue-6.1/net-dsa-microchip-update-tag_ksz-masks-for-ksz9477-family.patch b/queue-6.1/net-dsa-microchip-update-tag_ksz-masks-for-ksz9477-family.patch new file mode 100644 index 0000000000..112b422543 --- /dev/null +++ b/queue-6.1/net-dsa-microchip-update-tag_ksz-masks-for-ksz9477-family.patch @@ -0,0 +1,48 @@ +From stable+bounces-177871-greg=kroah.com@vger.kernel.org Fri Sep 5 20:15:11 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 14:14:35 -0400 +Subject: net: dsa: microchip: update tag_ksz masks for KSZ9477 family +To: stable@vger.kernel.org +Cc: Pieter Van Trappen , Florian Fainelli , Jakub Kicinski , Sasha Levin +Message-ID: <20250905181436.2943036-1-sashal@kernel.org> + +From: Pieter Van Trappen + +[ Upstream commit 3f464b193d40e49299dcd087b10cc3b77cbbea68 ] + +Remove magic number 7 by introducing a GENMASK macro instead. +Remove magic number 0x80 by using the BIT macro instead. + +Signed-off-by: Pieter Van Trappen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240909134301.75448-1-vtpieter@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: ba54bce747fa ("net: dsa: microchip: linearize skb for tail-tagging switches") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_ksz.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/dsa/tag_ksz.c ++++ b/net/dsa/tag_ksz.c +@@ -103,8 +103,9 @@ MODULE_ALIAS_DSA_TAG_DRIVER(DSA_TAG_PROT + + #define KSZ9477_INGRESS_TAG_LEN 2 + #define KSZ9477_PTP_TAG_LEN 4 +-#define KSZ9477_PTP_TAG_INDICATION 0x80 ++#define KSZ9477_PTP_TAG_INDICATION BIT(7) + ++#define KSZ9477_TAIL_TAG_EG_PORT_M GENMASK(2, 0) + #define KSZ9477_TAIL_TAG_OVERRIDE BIT(9) + #define KSZ9477_TAIL_TAG_LOOKUP BIT(10) + +@@ -137,7 +138,7 @@ static struct sk_buff *ksz9477_rcv(struc + { + /* Tag decoding */ + u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; +- unsigned int port = tag[0] & 7; ++ unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; + unsigned int len = KSZ_EGRESS_TAG_LEN; + + /* Extra 4-bytes PTP timestamp */ diff --git a/queue-6.1/pci-msi-add-an-option-to-write-msix-entry_data-before-any-reads.patch b/queue-6.1/pci-msi-add-an-option-to-write-msix-entry_data-before-any-reads.patch new file mode 100644 index 0000000000..6f3ceed4a5 --- /dev/null +++ b/queue-6.1/pci-msi-add-an-option-to-write-msix-entry_data-before-any-reads.patch @@ -0,0 +1,57 @@ +From stable+bounces-178004-greg=kroah.com@vger.kernel.org Sat Sep 6 22:48:35 2025 +From: Sasha Levin +Date: Sat, 6 Sep 2025 16:48:26 -0400 +Subject: PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads +To: stable@vger.kernel.org +Cc: Jonathan Currier , Thomas Gleixner , Sasha Levin +Message-ID: <20250906204826.282978-1-sashal@kernel.org> + +From: Jonathan Currier + +[ Upstream commit cf761e3dacc6ad5f65a4886d00da1f9681e6805a ] + +Commit 7d5ec3d36123 ("PCI/MSI: Mask all unused MSI-X entries") introduced a +readl() from ENTRY_VECTOR_CTRL before the writel() to ENTRY_DATA. + +This is correct, however some hardware, like the Sun Neptune chips, the NIU +module, will cause an error and/or fatal trap if any MSIX table entry is +read before the corresponding ENTRY_DATA field is written to. + +Add an optional early writel() in msix_prepare_msi_desc(). + +Fixes: 7d5ec3d36123 ("PCI/MSI: Mask all unused MSI-X entries") +Signed-off-by: Jonathan Currier +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241117234843.19236-2-dullfire@yahoo.com +[ Applied workaround to msix_setup_msi_descs() instead of msix_prepare_msi_desc() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/msi/msi.c | 3 +++ + include/linux/pci.h | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/drivers/pci/msi/msi.c ++++ b/drivers/pci/msi/msi.c +@@ -534,6 +534,9 @@ static int msix_setup_msi_descs(struct p + + if (desc.pci.msi_attrib.can_mask) { + addr = pci_msix_desc_addr(&desc); ++ /* Workaround for SUN NIU insanity, which requires write before read */ ++ if (dev->dev_flags & PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST) ++ writel(0, addr + PCI_MSIX_ENTRY_DATA); + desc.pci.msix_ctrl = readl(addr + PCI_MSIX_ENTRY_VECTOR_CTRL); + } + +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -244,6 +244,8 @@ enum pci_dev_flags { + PCI_DEV_FLAGS_NO_RELAXED_ORDERING = (__force pci_dev_flags_t) (1 << 11), + /* Device does honor MSI masking despite saying otherwise */ + PCI_DEV_FLAGS_HAS_MSI_MASKING = (__force pci_dev_flags_t) (1 << 12), ++ /* Device requires write to PCI_MSIX_ENTRY_DATA before any MSIX reads */ ++ PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST = (__force pci_dev_flags_t) (1 << 13), + }; + + enum pci_irq_reroute_variant { diff --git a/queue-6.1/series b/queue-6.1/series index 31bcdacaf5..0a0957fb2e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -51,3 +51,23 @@ batman-adv-fix-oob-read-write-in-network-coding-decode.patch cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch net-pcs-rzn1-miic-correct-modctrl-register-offset.patch +mm-slub-avoid-accessing-metadata-when-pointer-is-invalid-in-object_err.patch +pci-msi-add-an-option-to-write-msix-entry_data-before-any-reads.patch +cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch +memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch +btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch +iio-chemical-pms7003-use-aligned_s64-for-timestamp.patch +iio-light-opt3001-fix-deadlock-due-to-concurrent-flag-access.patch +i2c-designware-fix-an-error-handling-path-in-i2c_dw_pci_probe.patch +dmaengine-mediatek-fix-a-possible-deadlock-error-in-mtk_cqdma_tx_status.patch +alsa-hda-realtek-add-new-hp-zbook-laptop-with-micmute-led-fixup.patch +net-dsa-microchip-update-tag_ksz-masks-for-ksz9477-family.patch +net-dsa-microchip-linearize-skb-for-tail-tagging-switches.patch +vmxnet3-update-mtu-after-device-quiesce.patch +spi-tegra114-remove-unnecessary-null-pointer-checks.patch +spi-tegra114-don-t-fail-set_cs_timing-when-delays-are-zero.patch +cpufreq-intel_pstate-revise-global-turbo-disable-check.patch +cpufreq-intel_pstate-fold-intel_pstate_max_within_limits-into-caller.patch +cpufreq-intel_pstate-do-not-update-global.turbo_disabled-after-initialization.patch +cpufreq-intel_pstate-unchecked-msr-aceess-in-legacy-mode.patch +alsa-hda-realtek-add-support-for-hp-agusta-using-cs35l41-hda.patch diff --git a/queue-6.1/spi-tegra114-don-t-fail-set_cs_timing-when-delays-are-zero.patch b/queue-6.1/spi-tegra114-don-t-fail-set_cs_timing-when-delays-are-zero.patch new file mode 100644 index 0000000000..4d3063d315 --- /dev/null +++ b/queue-6.1/spi-tegra114-don-t-fail-set_cs_timing-when-delays-are-zero.patch @@ -0,0 +1,43 @@ +From stable+bounces-177935-greg=kroah.com@vger.kernel.org Sat Sep 6 05:37:22 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 23:37:10 -0400 +Subject: spi: tegra114: Don't fail set_cs_timing when delays are zero +To: stable@vger.kernel.org +Cc: Aaron Kling , Mark Brown , Sasha Levin +Message-ID: <20250906033710.3692213-2-sashal@kernel.org> + +From: Aaron Kling + +[ Upstream commit 4426e6b4ecf632bb75d973051e1179b8bfac2320 ] + +The original code would skip null delay pointers, but when the pointers +were converted to point within the spi_device struct, the check was not +updated to skip delays of zero. Hence all spi devices that didn't set +delays would fail to probe. + +Fixes: 04e6bb0d6bb1 ("spi: modify set_cs_timing parameter") +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Kling +Link: https://patch.msgid.link/20250423-spi-tegra114-v1-1-2d608bcc12f9@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-tegra114.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -729,9 +729,9 @@ static int tegra_spi_set_hw_cs_timing(st + u32 inactive_cycles; + u8 cs_state; + +- if (setup->unit != SPI_DELAY_UNIT_SCK || +- hold->unit != SPI_DELAY_UNIT_SCK || +- inactive->unit != SPI_DELAY_UNIT_SCK) { ++ if ((setup->unit && setup->unit != SPI_DELAY_UNIT_SCK) || ++ (hold->unit && hold->unit != SPI_DELAY_UNIT_SCK) || ++ (inactive->unit && inactive->unit != SPI_DELAY_UNIT_SCK)) { + dev_err(&spi->dev, + "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", + SPI_DELAY_UNIT_SCK); diff --git a/queue-6.1/spi-tegra114-remove-unnecessary-null-pointer-checks.patch b/queue-6.1/spi-tegra114-remove-unnecessary-null-pointer-checks.patch new file mode 100644 index 0000000000..522dcd3765 --- /dev/null +++ b/queue-6.1/spi-tegra114-remove-unnecessary-null-pointer-checks.patch @@ -0,0 +1,73 @@ +From stable+bounces-177934-greg=kroah.com@vger.kernel.org Sat Sep 6 05:37:18 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 23:37:09 -0400 +Subject: spi: tegra114: Remove unnecessary NULL-pointer checks +To: stable@vger.kernel.org +Cc: Alexander Danilenko , Mark Brown , Sasha Levin +Message-ID: <20250906033710.3692213-1-sashal@kernel.org> + +From: Alexander Danilenko + +[ Upstream commit 373c36bf7914e3198ac2654dede499f340c52950 ] + +cs_setup, cs_hold and cs_inactive points to fields of spi_device struct, +so there is no sense in checking them for NULL. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 04e6bb0d6bb1 ("spi: modify set_cs_timing parameter") +Signed-off-by: Alexander Danilenko +Link: https://lore.kernel.org/r/20230815092058.4083-1-al.b.danilenko@gmail.com +Signed-off-by: Mark Brown +Stable-dep-of: 4426e6b4ecf6 ("spi: tegra114: Don't fail set_cs_timing when delays are zero") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-tegra114.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -723,27 +723,23 @@ static int tegra_spi_set_hw_cs_timing(st + struct spi_delay *setup = &spi->cs_setup; + struct spi_delay *hold = &spi->cs_hold; + struct spi_delay *inactive = &spi->cs_inactive; +- u8 setup_dly, hold_dly, inactive_dly; ++ u8 setup_dly, hold_dly; + u32 setup_hold; + u32 spi_cs_timing; + u32 inactive_cycles; + u8 cs_state; + +- if ((setup && setup->unit != SPI_DELAY_UNIT_SCK) || +- (hold && hold->unit != SPI_DELAY_UNIT_SCK) || +- (inactive && inactive->unit != SPI_DELAY_UNIT_SCK)) { ++ if (setup->unit != SPI_DELAY_UNIT_SCK || ++ hold->unit != SPI_DELAY_UNIT_SCK || ++ inactive->unit != SPI_DELAY_UNIT_SCK) { + dev_err(&spi->dev, + "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", + SPI_DELAY_UNIT_SCK); + return -EINVAL; + } + +- setup_dly = setup ? setup->value : 0; +- hold_dly = hold ? hold->value : 0; +- inactive_dly = inactive ? inactive->value : 0; +- +- setup_dly = min_t(u8, setup_dly, MAX_SETUP_HOLD_CYCLES); +- hold_dly = min_t(u8, hold_dly, MAX_SETUP_HOLD_CYCLES); ++ setup_dly = min_t(u8, setup->value, MAX_SETUP_HOLD_CYCLES); ++ hold_dly = min_t(u8, hold->value, MAX_SETUP_HOLD_CYCLES); + if (setup_dly && hold_dly) { + setup_hold = SPI_SETUP_HOLD(setup_dly - 1, hold_dly - 1); + spi_cs_timing = SPI_CS_SETUP_HOLD(tspi->spi_cs_timing1, +@@ -755,7 +751,7 @@ static int tegra_spi_set_hw_cs_timing(st + } + } + +- inactive_cycles = min_t(u8, inactive_dly, MAX_INACTIVE_CYCLES); ++ inactive_cycles = min_t(u8, inactive->value, MAX_INACTIVE_CYCLES); + if (inactive_cycles) + inactive_cycles--; + cs_state = inactive_cycles ? 0 : 1; diff --git a/queue-6.1/vmxnet3-update-mtu-after-device-quiesce.patch b/queue-6.1/vmxnet3-update-mtu-after-device-quiesce.patch new file mode 100644 index 0000000000..f419b40eff --- /dev/null +++ b/queue-6.1/vmxnet3-update-mtu-after-device-quiesce.patch @@ -0,0 +1,64 @@ +From stable+bounces-177866-greg=kroah.com@vger.kernel.org Fri Sep 5 19:46:33 2025 +From: Sasha Levin +Date: Fri, 5 Sep 2025 13:46:24 -0400 +Subject: vmxnet3: update MTU after device quiesce +To: stable@vger.kernel.org +Cc: Ronak Doshi , Guolin Yang , Jakub Kicinski , Sasha Levin +Message-ID: <20250905174625.2222428-1-sashal@kernel.org> + +From: Ronak Doshi + +[ Upstream commit 43f0999af011fba646e015f0bb08b6c3002a0170 ] + +Currently, when device mtu is updated, vmxnet3 updates netdev mtu, quiesces +the device and then reactivates it for the ESXi to know about the new mtu. +So, technically the OS stack can start using the new mtu before ESXi knows +about the new mtu. + +This can lead to issues for TSO packets which use mss as per the new mtu +configured. This patch fixes this issue by moving the mtu write after +device quiesce. + +Cc: stable@vger.kernel.org +Fixes: d1a890fa37f2 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Changes v1-> v2: + Moved MTU write after destroy of rx rings +Link: https://patch.msgid.link/20250515190457.8597-1-ronak.doshi@broadcom.com +Signed-off-by: Jakub Kicinski +[ no WRITE_ONCE() in older trees ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -3315,8 +3315,6 @@ vmxnet3_change_mtu(struct net_device *ne + struct vmxnet3_adapter *adapter = netdev_priv(netdev); + int err = 0; + +- netdev->mtu = new_mtu; +- + /* + * Reset_work may be in the middle of resetting the device, wait for its + * completion. +@@ -3330,6 +3328,7 @@ vmxnet3_change_mtu(struct net_device *ne + + /* we need to re-create the rx queue based on the new mtu */ + vmxnet3_rq_destroy_all(adapter); ++ netdev->mtu = new_mtu; + vmxnet3_adjust_rx_ring_size(adapter); + err = vmxnet3_rq_create_all(adapter); + if (err) { +@@ -3346,6 +3345,8 @@ vmxnet3_change_mtu(struct net_device *ne + "Closing it\n", err); + goto out; + } ++ } else { ++ netdev->mtu = new_mtu; + } + + out: