From: Sasha Levin Date: Mon, 17 Feb 2025 16:47:40 +0000 (-0500) Subject: Fixes for 6.12 X-Git-Tag: v6.12.15~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08ac5d7f514c6be0173658c92ac881cdaa39caf3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/8250-microchip-pci1xxxx-add-workaround-for-rts-bit-t.patch b/queue-6.12/8250-microchip-pci1xxxx-add-workaround-for-rts-bit-t.patch new file mode 100644 index 0000000000..7598304de9 --- /dev/null +++ b/queue-6.12/8250-microchip-pci1xxxx-add-workaround-for-rts-bit-t.patch @@ -0,0 +1,128 @@ +From de8e79e6cc7e08d54f2f98b8fe92fae934a61245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 15:10:17 +0530 +Subject: 8250: microchip: pci1xxxx: Add workaround for RTS bit toggle + +From: Rengarajan S + +[ Upstream commit e95cb63e57381f00d9274533ea7fd0ac3bf4e5b0 ] + +In the B0 revision, the RTS pin remains high due to incorrect hardware +mapping. To address this issue, enable auto-direction control with the +RTS bit in ADCL_CFG_REG. This configuration ensures that the RTS pin +goes low when the terminal is opened and high when the terminal is +closed. Additionally, we reset the step counter for Rx and Tx engines +by writing into FRAC_DIV_CFG_REG. + +Signed-off-by: Rengarajan S +Link: https://lore.kernel.org/r/20241218094017.18290-1-rengarajan.s@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_pci1xxxx.c | 60 ++++++++++++++++++++++++- + 1 file changed, 59 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_pci1xxxx.c b/drivers/tty/serial/8250/8250_pci1xxxx.c +index d3930bf32fe4c..f462b3d1c104c 100644 +--- a/drivers/tty/serial/8250/8250_pci1xxxx.c ++++ b/drivers/tty/serial/8250/8250_pci1xxxx.c +@@ -78,6 +78,12 @@ + #define UART_TX_BYTE_FIFO 0x00 + #define UART_FIFO_CTL 0x02 + ++#define UART_MODEM_CTL_REG 0x04 ++#define UART_MODEM_CTL_RTS_SET BIT(1) ++ ++#define UART_LINE_STAT_REG 0x05 ++#define UART_LINE_XMIT_CHECK_MASK GENMASK(6, 5) ++ + #define UART_ACTV_REG 0x11 + #define UART_BLOCK_SET_ACTIVE BIT(0) + +@@ -94,6 +100,7 @@ + #define UART_BIT_SAMPLE_CNT_16 16 + #define BAUD_CLOCK_DIV_INT_MSK GENMASK(31, 8) + #define ADCL_CFG_RTS_DELAY_MASK GENMASK(11, 8) ++#define FRAC_DIV_TX_END_POINT_MASK GENMASK(23, 20) + + #define UART_WAKE_REG 0x8C + #define UART_WAKE_MASK_REG 0x90 +@@ -134,6 +141,11 @@ + #define UART_BST_STAT_LSR_FRAME_ERR 0x8000000 + #define UART_BST_STAT_LSR_THRE 0x20000000 + ++#define GET_MODEM_CTL_RTS_STATUS(reg) ((reg) & UART_MODEM_CTL_RTS_SET) ++#define GET_RTS_PIN_STATUS(val) (((val) & TIOCM_RTS) >> 1) ++#define RTS_TOGGLE_STATUS_MASK(val, reg) (GET_MODEM_CTL_RTS_STATUS(reg) \ ++ != GET_RTS_PIN_STATUS(val)) ++ + struct pci1xxxx_8250 { + unsigned int nr; + u8 dev_rev; +@@ -254,6 +266,47 @@ static void pci1xxxx_set_divisor(struct uart_port *port, unsigned int baud, + port->membase + UART_BAUD_CLK_DIVISOR_REG); + } + ++static void pci1xxxx_set_mctrl(struct uart_port *port, unsigned int mctrl) ++{ ++ u32 fract_div_cfg_reg; ++ u32 line_stat_reg; ++ u32 modem_ctl_reg; ++ u32 adcl_cfg_reg; ++ ++ adcl_cfg_reg = readl(port->membase + ADCL_CFG_REG); ++ ++ /* HW is responsible in ADCL_EN case */ ++ if ((adcl_cfg_reg & (ADCL_CFG_EN | ADCL_CFG_PIN_SEL))) ++ return; ++ ++ modem_ctl_reg = readl(port->membase + UART_MODEM_CTL_REG); ++ ++ serial8250_do_set_mctrl(port, mctrl); ++ ++ if (RTS_TOGGLE_STATUS_MASK(mctrl, modem_ctl_reg)) { ++ line_stat_reg = readl(port->membase + UART_LINE_STAT_REG); ++ if (line_stat_reg & UART_LINE_XMIT_CHECK_MASK) { ++ fract_div_cfg_reg = readl(port->membase + ++ FRAC_DIV_CFG_REG); ++ ++ writel((fract_div_cfg_reg & ++ ~(FRAC_DIV_TX_END_POINT_MASK)), ++ port->membase + FRAC_DIV_CFG_REG); ++ ++ /* Enable ADC and set the nRTS pin */ ++ writel((adcl_cfg_reg | (ADCL_CFG_EN | ++ ADCL_CFG_PIN_SEL)), ++ port->membase + ADCL_CFG_REG); ++ ++ /* Revert to the original settings */ ++ writel(adcl_cfg_reg, port->membase + ADCL_CFG_REG); ++ ++ writel(fract_div_cfg_reg, port->membase + ++ FRAC_DIV_CFG_REG); ++ } ++ } ++} ++ + static int pci1xxxx_rs485_config(struct uart_port *port, + struct ktermios *termios, + struct serial_rs485 *rs485) +@@ -631,9 +684,14 @@ static int pci1xxxx_setup(struct pci_dev *pdev, + port->port.rs485_config = pci1xxxx_rs485_config; + port->port.rs485_supported = pci1xxxx_rs485_supported; + +- /* From C0 rev Burst operation is supported */ ++ /* ++ * C0 and later revisions support Burst operation. ++ * RTS workaround in mctrl is applicable only to B0. ++ */ + if (rev >= 0xC0) + port->port.handle_irq = pci1xxxx_handle_irq; ++ else if (rev == 0xB0) ++ port->port.set_mctrl = pci1xxxx_set_mctrl; + + ret = serial8250_pci_setup_port(pdev, port, 0, PORT_OFFSET * port_idx, 0); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-6.12/acpi-x86-add-skip-i2c-clients-quirk-for-vexia-edu-at.patch b/queue-6.12/acpi-x86-add-skip-i2c-clients-quirk-for-vexia-edu-at.patch new file mode 100644 index 0000000000..70d9e3f37e --- /dev/null +++ b/queue-6.12/acpi-x86-add-skip-i2c-clients-quirk-for-vexia-edu-at.patch @@ -0,0 +1,54 @@ +From de86ea692d9a701ca4d20429873bd7f43173151c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:22:02 +0100 +Subject: ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V + +From: Hans de Goede + +[ Upstream commit 8f62ca9c338aae4f73e9ce0221c3d4668359ddd8 ] + +The Vexia EDU ATLA 10 tablet comes in 2 different versions with +significantly different mainboards. The only outward difference is that +the charging barrel on one is marked 5V and the other is marked 9V. + +Both ship with Android 4.4 as factory OS and have the usual broken DSDT +issues for x86 Android tablets. + +Add a quirk to skip ACPI I2C client enumeration for the 5V version to +complement the existing quirk for the 9V version. + +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20250123132202.18209-1-hdegoede@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index cb45ef5240dab..068c1612660bc 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -407,6 +407,19 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), + }, ++ { ++ /* Vexia Edu Atla 10 tablet 5V version */ ++ .matches = { ++ /* Having all 3 of these not set is somewhat unique */ ++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."), ++ /* Above strings are too generic, also match on BIOS date */ ++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"), ++ }, ++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | ++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), ++ }, + { + /* Vexia Edu Atla 10 tablet 9V version */ + .matches = { +-- +2.39.5 + diff --git a/queue-6.12/amdkfd-properly-free-gang_ctx_bo-when-failed-to-init.patch b/queue-6.12/amdkfd-properly-free-gang_ctx_bo-when-failed-to-init.patch new file mode 100644 index 0000000000..043dc018b4 --- /dev/null +++ b/queue-6.12/amdkfd-properly-free-gang_ctx_bo-when-failed-to-init.patch @@ -0,0 +1,45 @@ +From dd412b5cafbea84466ccdf4d2d3eded59241a902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2025 17:21:10 +0800 +Subject: amdkfd: properly free gang_ctx_bo when failed to init user queue + +From: Zhu Lingshan + +[ Upstream commit a33f7f9660705fb2ecf3467b2c48965564f392ce ] + +The destructor of a gtt bo is declared as +void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj); +Which takes void** as the second parameter. + +GCC allows passing void* to the function because void* can be implicitly +casted to any other types, so it can pass compiling. + +However, passing this void* parameter into the function's +execution process(which expects void** and dereferencing void**) +will result in errors. + +Signed-off-by: Zhu Lingshan +Reviewed-by: Felix Kuehling +Fixes: fb91065851cd ("drm/amdkfd: Refactor queue wptr_bo GART mapping") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index dbb63ce316f11..42fd7669ac7d3 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -298,7 +298,7 @@ static int init_user_queue(struct process_queue_manager *pqm, + return 0; + + free_gang_ctx_bo: +- amdgpu_amdkfd_free_gtt_mem(dev->adev, (*q)->gang_ctx_bo); ++ amdgpu_amdkfd_free_gtt_mem(dev->adev, &(*q)->gang_ctx_bo); + cleanup: + uninit_queue(*q); + *q = NULL; +-- +2.39.5 + diff --git a/queue-6.12/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch b/queue-6.12/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch new file mode 100644 index 0000000000..18a7ae92de --- /dev/null +++ b/queue-6.12/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch @@ -0,0 +1,55 @@ +From c4181379d4f2cba5fbcc191c4a4846b9481ac428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 12:44:20 -0500 +Subject: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array + +From: Radu Rendec + +[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ] + +The loop that detects/populates cache information already has a bounds +check on the array size but does not account for cache levels with +separate data/instructions cache. Fix this by incrementing the index +for any populated leaf (instead of any populated level). + +Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information") + +Signed-off-by: Radu Rendec +Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cacheinfo.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c +index d9c9218fa1fdd..309942b06c5bc 100644 +--- a/arch/arm64/kernel/cacheinfo.c ++++ b/arch/arm64/kernel/cacheinfo.c +@@ -101,16 +101,18 @@ int populate_cache_leaves(unsigned int cpu) + unsigned int level, idx; + enum cache_type type; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +- struct cacheinfo *this_leaf = this_cpu_ci->info_list; ++ struct cacheinfo *infos = this_cpu_ci->info_list; + + for (idx = 0, level = 1; level <= this_cpu_ci->num_levels && +- idx < this_cpu_ci->num_leaves; idx++, level++) { ++ idx < this_cpu_ci->num_leaves; level++) { + type = get_cache_type(level); + if (type == CACHE_TYPE_SEPARATE) { +- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); +- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); ++ if (idx + 1 >= this_cpu_ci->num_leaves) ++ break; ++ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level); ++ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level); + } else { +- ci_leaf_init(this_leaf++, type, level); ++ ci_leaf_init(&infos[idx++], type, level); + } + } + return 0; +-- +2.39.5 + diff --git a/queue-6.12/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch b/queue-6.12/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch new file mode 100644 index 0000000000..658d50ff40 --- /dev/null +++ b/queue-6.12/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch @@ -0,0 +1,60 @@ +From 553a53b4e900aaca6a2c319c5dc87707e08500cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:25:07 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet + 5V + +From: Hans de Goede + +[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ] + +The Vexia EDU ATLA 10 tablet comes in 2 different versions with +significantly different mainboards. The only outward difference is that +the charging barrel on one is marked 5V and the other is marked 9V. + +The 5V version mostly works with the BYTCR defaults, except that it is +missing a CHAN package in its ACPI tables and the default of using +SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack +detect signal is not inverted as it usually is. + +Add a DMI quirk for the 5V version to fix sound not working. + +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 54f77f57ec8e2..1148e9498d8e8 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1132,7 +1132,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF2 | + BYT_RT5640_MCLK_EN), + }, +- { /* Vexia Edu Atla 10 tablet */ ++ { ++ /* Vexia Edu Atla 10 tablet 5V version */ ++ .matches = { ++ /* Having all 3 of these not set is somewhat unique */ ++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."), ++ /* Above strings are too generic, also match on BIOS date */ ++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ BYT_RT5640_JD_NOT_INV | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, ++ { /* Vexia Edu Atla 10 tablet 9V version */ + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"), +-- +2.39.5 + diff --git a/queue-6.12/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch b/queue-6.12/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch new file mode 100644 index 0000000000..dcb4e57a0e --- /dev/null +++ b/queue-6.12/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch @@ -0,0 +1,94 @@ +From 824caa5f3630a239665ea0b4b392643bdd30f4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 12:12:03 +0300 +Subject: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt + +From: Murad Masimov + +[ Upstream commit bca0902e61731a75fc4860c8720168d9f1bae3b6 ] + +If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE +socket option, a refcount leak will occur in ax25_release(). + +Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") +added decrement of device refcounts in ax25_release(). In order for that +to work correctly the refcounts must already be incremented when the +device is bound to the socket. An AX25 device can be bound to a socket +by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. +In both cases the refcounts should be incremented, but in fact it is done +only in ax25_bind(). + +This bug leads to the following issue reported by Syzkaller: + +================================================================ +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 +Modules linked in: +CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 +Call Trace: + + __refcount_dec include/linux/refcount.h:336 [inline] + refcount_dec include/linux/refcount.h:351 [inline] + ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236 + netdev_tracker_free include/linux/netdevice.h:4156 [inline] + netdev_put include/linux/netdevice.h:4173 [inline] + netdev_put include/linux/netdevice.h:4169 [inline] + ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069 + __sock_release+0xb0/0x270 net/socket.c:640 + sock_close+0x1c/0x30 net/socket.c:1408 + ... + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + +================================================================ + +Fix the implementation of ax25_setsockopt() by adding increment of +refcounts for the new device bound, and decrement of refcounts for +the old unbound device. + +Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") +Reported-by: syzbot+33841dc6aa3e1d86b78a@syzkaller.appspotmail.com +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20250203091203.1744-1-m.masimov@mt-integration.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index aa6c714892ec9..9f3b8b682adb2 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -685,6 +685,15 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + ++ if (ax25->ax25_dev) { ++ if (dev == ax25->ax25_dev->dev) { ++ rcu_read_unlock(); ++ break; ++ } ++ netdev_put(ax25->ax25_dev->dev, &ax25->dev_tracker); ++ ax25_dev_put(ax25->ax25_dev); ++ } ++ + ax25->ax25_dev = ax25_dev_ax25dev(dev); + if (!ax25->ax25_dev) { + rcu_read_unlock(); +@@ -692,6 +701,8 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + ax25_fillin_cb(ax25, ax25->ax25_dev); ++ netdev_hold(dev, &ax25->dev_tracker, GFP_ATOMIC); ++ ax25_dev_hold(ax25->ax25_dev); + rcu_read_unlock(); + break; + +-- +2.39.5 + diff --git a/queue-6.12/block-cleanup-and-fix-batch-completion-adding-condit.patch b/queue-6.12/block-cleanup-and-fix-batch-completion-adding-condit.patch new file mode 100644 index 0000000000..93db9ed671 --- /dev/null +++ b/queue-6.12/block-cleanup-and-fix-batch-completion-adding-condit.patch @@ -0,0 +1,63 @@ +From cd3828f6497a48467c78225973603a2d689ca8ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 08:18:46 -0700 +Subject: block: cleanup and fix batch completion adding conditions + +From: Jens Axboe + +[ Upstream commit 1f47ed294a2bd577d5ae43e6e28e1c9a3be4a833 ] + +The conditions for whether or not a request is allowed adding to a +completion batch are a bit hard to read, and they also have a few +issues. One is that ioerror may indeed be a random value on passthrough, +and it's being checked unconditionally of whether or not the given +request is a passthrough request or not. + +Rewrite the conditions to be separate for easier reading, and only check +ioerror for non-passthrough requests. This fixes an issue with bio +unmapping on passthrough, where it fails getting added to a batch. This +both leads to suboptimal performance, and may trigger a potential +schedule-under-atomic condition for polled passthrough IO. + +Fixes: f794f3351f26 ("block: add support for blk_mq_end_request_batch()") +Link: https://lore.kernel.org/r/20575f0a-656e-4bb3-9d82-dec6c7e3a35c@kernel.dk +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blk-mq.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h +index c5063e0a38a05..a53cbe2569104 100644 +--- a/include/linux/blk-mq.h ++++ b/include/linux/blk-mq.h +@@ -880,12 +880,22 @@ static inline bool blk_mq_add_to_batch(struct request *req, + void (*complete)(struct io_comp_batch *)) + { + /* +- * blk_mq_end_request_batch() can't end request allocated from +- * sched tags ++ * Check various conditions that exclude batch processing: ++ * 1) No batch container ++ * 2) Has scheduler data attached ++ * 3) Not a passthrough request and end_io set ++ * 4) Not a passthrough request and an ioerror + */ +- if (!iob || (req->rq_flags & RQF_SCHED_TAGS) || ioerror || +- (req->end_io && !blk_rq_is_passthrough(req))) ++ if (!iob) + return false; ++ if (req->rq_flags & RQF_SCHED_TAGS) ++ return false; ++ if (!blk_rq_is_passthrough(req)) { ++ if (req->end_io) ++ return false; ++ if (ioerror < 0) ++ return false; ++ } + + if (!iob->complete) + iob->complete = complete; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-btintel_pcie-fix-a-potential-race-conditio.patch b/queue-6.12/bluetooth-btintel_pcie-fix-a-potential-race-conditio.patch new file mode 100644 index 0000000000..6137441ea3 --- /dev/null +++ b/queue-6.12/bluetooth-btintel_pcie-fix-a-potential-race-conditio.patch @@ -0,0 +1,63 @@ +From 8f206a6b567e773866fb4c1f778efdccfa5bea9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 18:30:19 +0530 +Subject: Bluetooth: btintel_pcie: Fix a potential race condition + +From: Kiran K + +[ Upstream commit 872274b992839ff64fe560767fe7ee5f942ccdb1 ] + +On HCI_OP_RESET command, firmware raises alive interrupt. Driver needs +to wait for this before sending other command. This patch fixes the potential +miss of alive interrupt due to which HCI_OP_RESET can timeout. + +Expected flow: +If tx command is HCI_OP_RESET, + 1. set data->gp0_received = false + 2. send HCI_OP_RESET + 3. wait for alive interrupt + +Actual flow having potential race: +If tx command is HCI_OP_RESET, + 1. send HCI_OP_RESET + 1a. Firmware raises alive interrupt here and in ISR + data->gp0_received is set to true + 2. set data->gp0_received = false + 3. wait for alive interrupt + +Signed-off-by: Kiran K +Fixes: 05c200c8f029 ("Bluetooth: btintel_pcie: Add handshake between driver and firmware") +Reported-by: Bjorn Helgaas +Closes: https://patchwork.kernel.org/project/bluetooth/patch/20241001104451.626964-1-kiran.k@intel.com/ +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel_pcie.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c +index 8bd663f4bac1b..53f6b4f76bccd 100644 +--- a/drivers/bluetooth/btintel_pcie.c ++++ b/drivers/bluetooth/btintel_pcie.c +@@ -1312,6 +1312,10 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev, + if (opcode == 0xfc01) + btintel_pcie_inject_cmd_complete(hdev, opcode); + } ++ /* Firmware raises alive interrupt on HCI_OP_RESET */ ++ if (opcode == HCI_OP_RESET) ++ data->gp0_received = false; ++ + hdev->stat.cmd_tx++; + break; + case HCI_ACLDATA_PKT: +@@ -1349,7 +1353,6 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev, + opcode, btintel_pcie_alivectxt_state2str(old_ctxt), + btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt)); + if (opcode == HCI_OP_RESET) { +- data->gp0_received = false; + ret = wait_event_timeout(data->gp0_wait_q, + data->gp0_received, + msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS)); +-- +2.39.5 + diff --git a/queue-6.12/cgroup-remove-steal-time-from-usage_usec.patch b/queue-6.12/cgroup-remove-steal-time-from-usage_usec.patch new file mode 100644 index 0000000000..cb6b3b7b1e --- /dev/null +++ b/queue-6.12/cgroup-remove-steal-time-from-usage_usec.patch @@ -0,0 +1,42 @@ +From c9f5884e4506a93d1e20919c20081f94c2c9ff25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 14:24:32 +0000 +Subject: cgroup: Remove steal time from usage_usec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Muhammad Adeel + +[ Upstream commit db5fd3cf8bf41b84b577b8ad5234ea95f327c9be ] + +The CPU usage time is the time when user, system or both are using the CPU. +Steal time is the time when CPU is waiting to be run by the Hypervisor. It +should not be added to the CPU usage time, hence removing it from the +usage_usec entry. + +Fixes: 936f2a70f2077 ("cgroup: add cpu.stat file to root cgroup") +Acked-by: Axel Busch +Acked-by: Michal Koutný +Signed-off-by: Muhammad Adeel +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/rstat.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c +index a06b452724118..ce295b73c0a36 100644 +--- a/kernel/cgroup/rstat.c ++++ b/kernel/cgroup/rstat.c +@@ -586,7 +586,6 @@ static void root_cgroup_cputime(struct cgroup_base_stat *bstat) + + cputime->sum_exec_runtime += user; + cputime->sum_exec_runtime += sys; +- cputime->sum_exec_runtime += cpustat[CPUTIME_STEAL]; + + #ifdef CONFIG_SCHED_CORE + bstat->forceidle_sum += cpustat[CPUTIME_FORCEIDLE]; +-- +2.39.5 + diff --git a/queue-6.12/documentation-networking-fix-basic-node-example-docu.patch b/queue-6.12/documentation-networking-fix-basic-node-example-docu.patch new file mode 100644 index 0000000000..1df773c038 --- /dev/null +++ b/queue-6.12/documentation-networking-fix-basic-node-example-docu.patch @@ -0,0 +1,41 @@ +From 168c73ae6fc243be90642f176c31b010dae57ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 23:47:20 +0100 +Subject: Documentation/networking: fix basic node example document ISO 15765-2 + +From: Reyders Morales + +[ Upstream commit d0b197b6505fe3788860fc2a81b3ce53cbecc69c ] + +In the current struct sockaddr_can tp is member of can_addr. tp is not +member of struct sockaddr_can. + +Signed-off-by: Reyders Morales +Reviewed-by: Simon Horman +Acked-by: Oliver Hartkopp +Link: https://patch.msgid.link/20250203224720.42530-1-reyders1@gmail.com +Fixes: 67711e04254c ("Documentation: networking: document ISO 15765-2") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + Documentation/networking/iso15765-2.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/networking/iso15765-2.rst b/Documentation/networking/iso15765-2.rst +index 0e9d960741783..37ebb2c417cb4 100644 +--- a/Documentation/networking/iso15765-2.rst ++++ b/Documentation/networking/iso15765-2.rst +@@ -369,8 +369,8 @@ to their default. + + addr.can_family = AF_CAN; + addr.can_ifindex = if_nametoindex("can0"); +- addr.tp.tx_id = 0x18DA42F1 | CAN_EFF_FLAG; +- addr.tp.rx_id = 0x18DAF142 | CAN_EFF_FLAG; ++ addr.can_addr.tp.tx_id = 0x18DA42F1 | CAN_EFF_FLAG; ++ addr.can_addr.tp.rx_id = 0x18DAF142 | CAN_EFF_FLAG; + + ret = bind(s, (struct sockaddr *)&addr, sizeof(addr)); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch b/queue-6.12/drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch new file mode 100644 index 0000000000..86fb3c2e9b --- /dev/null +++ b/queue-6.12/drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch @@ -0,0 +1,42 @@ +From b59519362b8386090640ccfe81646912ecfdd239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 14:28:51 +0800 +Subject: drm/amdgpu: bail out when failed to load fw in + psp_init_cap_microcode() + +From: Jiang Liu + +[ Upstream commit a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf ] + +In function psp_init_cap_microcode(), it should bail out when failed to +load firmware, otherwise it may cause invalid memory access. + +Fixes: 07dbfc6b102e ("drm/amd: Use `amdgpu_ucode_*` helpers for PSP") +Reviewed-by: Lijo Lazar +Signed-off-by: Jiang Liu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +index 0b28b2cf1517d..d70855d7c61c1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -3713,9 +3713,10 @@ int psp_init_cap_microcode(struct psp_context *psp, const char *chip_name) + if (err == -ENODEV) { + dev_warn(adev->dev, "cap microcode does not exist, skip\n"); + err = 0; +- goto out; ++ } else { ++ dev_err(adev->dev, "fail to initialize cap microcode\n"); + } +- dev_err(adev->dev, "fail to initialize cap microcode\n"); ++ goto out; + } + + info = &adev->firmware.ucode[AMDGPU_UCODE_ID_CAP]; +-- +2.39.5 + diff --git a/queue-6.12/drm-fix-dsc-bpp-increment-decoding.patch b/queue-6.12/drm-fix-dsc-bpp-increment-decoding.patch new file mode 100644 index 0000000000..c070ef3e33 --- /dev/null +++ b/queue-6.12/drm-fix-dsc-bpp-increment-decoding.patch @@ -0,0 +1,54 @@ +From 234ba381a7b9a2df61f8126c18d10f38b93f9483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 18:18:51 +0200 +Subject: drm: Fix DSC BPP increment decoding + +From: Imre Deak + +[ Upstream commit e00a2e5d485faf53c7a24b9d1b575a642227947f ] + +Starting with DPCD version 2.0 bits 6:3 of the DP_DSC_BITS_PER_PIXEL_INC +DPCD register contains the NativeYCbCr422_MAX_bpp_DELTA field, which can +be non-zero as opposed to earlier DPCD versions, hence decoding the +bit_per_pixel increment value at bits 2:0 in the same register requires +applying a mask, do so. + +Cc: Ankit Nautiyal +Fixes: 0c2287c96521 ("drm/display/dp: Add helper function to get DSC bpp precision") +Reviewed-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20250212161851.4007005-1-imre.deak@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_dp_helper.c | 2 +- + include/drm/display/drm_dp.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c +index 6ee51003de3ce..9fa13da513d24 100644 +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -2421,7 +2421,7 @@ u8 drm_dp_dsc_sink_bpp_incr(const u8 dsc_dpcd[DP_DSC_RECEIVER_CAP_SIZE]) + { + u8 bpp_increment_dpcd = dsc_dpcd[DP_DSC_BITS_PER_PIXEL_INC - DP_DSC_SUPPORT]; + +- switch (bpp_increment_dpcd) { ++ switch (bpp_increment_dpcd & DP_DSC_BITS_PER_PIXEL_MASK) { + case DP_DSC_BITS_PER_PIXEL_1_16: + return 16; + case DP_DSC_BITS_PER_PIXEL_1_8: +diff --git a/include/drm/display/drm_dp.h b/include/drm/display/drm_dp.h +index a6f8b098c56f1..3bd9f482f0c3e 100644 +--- a/include/drm/display/drm_dp.h ++++ b/include/drm/display/drm_dp.h +@@ -359,6 +359,7 @@ + # define DP_DSC_BITS_PER_PIXEL_1_4 0x2 + # define DP_DSC_BITS_PER_PIXEL_1_2 0x3 + # define DP_DSC_BITS_PER_PIXEL_1_1 0x4 ++# define DP_DSC_BITS_PER_PIXEL_MASK 0x7 + + #define DP_PSR_SUPPORT 0x070 /* XXX 1.2? */ + # define DP_PSR_IS_SUPPORTED 1 +-- +2.39.5 + diff --git a/queue-6.12/drm-i915-selftests-avoid-using-uninitialized-context.patch b/queue-6.12/drm-i915-selftests-avoid-using-uninitialized-context.patch new file mode 100644 index 0000000000..71458db8ca --- /dev/null +++ b/queue-6.12/drm-i915-selftests-avoid-using-uninitialized-context.patch @@ -0,0 +1,52 @@ +From e9710ea01a3e01996f00f761105c38449e962012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2025 09:19:31 +0000 +Subject: drm/i915/selftests: avoid using uninitialized context + +From: Krzysztof Karas + +[ Upstream commit 53139b3f9998ea07289e7b70b909fea2264a0de9 ] + +There is an error path in igt_ppgtt_alloc(), which leads +to ww object being passed down to i915_gem_ww_ctx_fini() without +initialization. Correct that by only putting ppgtt->vm and +returning early. + +Fixes: 480ae79537b2 ("drm/i915/selftests: Prepare gtt tests for obj->mm.lock removal") +Signed-off-by: Krzysztof Karas +Reviewed-by: Mikolaj Wasiak +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/iuaonpjc3rywmvhna6umjlvzilocn2uqsrxfxfob24e2taocbi@lkaivvfp4777 +(cherry picked from commit 8d8334632ea62424233ac6529712868241d0f8df) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +index 5c397a2df70e2..5d27e1c733c52 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +@@ -168,7 +168,7 @@ static int igt_ppgtt_alloc(void *arg) + return PTR_ERR(ppgtt); + + if (!ppgtt->vm.allocate_va_range) +- goto err_ppgtt_cleanup; ++ goto ppgtt_vm_put; + + /* + * While we only allocate the page tables here and so we could +@@ -236,7 +236,7 @@ static int igt_ppgtt_alloc(void *arg) + goto retry; + } + i915_gem_ww_ctx_fini(&ww); +- ++ppgtt_vm_put: + i915_vm_put(&ppgtt->vm); + return err; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-tests-hdmi-fix-ww_mutex_slowpath-failures.patch b/queue-6.12/drm-tests-hdmi-fix-ww_mutex_slowpath-failures.patch new file mode 100644 index 0000000000..a727547234 --- /dev/null +++ b/queue-6.12/drm-tests-hdmi-fix-ww_mutex_slowpath-failures.patch @@ -0,0 +1,56 @@ +From 80e52f8f4919393a41d9bcdb798a2b267c6a8222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 15:21:53 +0100 +Subject: drm/tests: hdmi: Fix WW_MUTEX_SLOWPATH failures + +From: Maxime Ripard + +[ Upstream commit fb97bc2e47f694f79d6358d981ae0428db8e8088 ] + +The light_up_connector helper function in the HDMI infrastructure unit +tests uses drm_atomic_set_crtc_for_connector(), but fails when it +returns an error. + +This function can return EDEADLK though if the sequence needs to be +restarted, and WW_MUTEX_SLOWPATH is meant to test that we handle it +properly. + +Let's handle EDEADLK and restart the sequence in our tests as well. + +Fixes: eb66d34d793e ("drm/tests: Add output bpc tests") +Reported-by: Dave Airlie +Closes: https://lore.kernel.org/r/CAPM=9tzJ4-ERDxvuwrCyUPY0=+P44orhp1kLWVGL7MCfpQjMEQ@mail.gmail.com/ +Link: https://lore.kernel.org/r/20241031091558.2435850-1-mripard@kernel.org +Reviewed-by: Simona Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20250129-test-kunit-v2-1-fe59c43805d5@kernel.org +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c b/drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c +index 4ba869e0e794c..cbd9584af3299 100644 +--- a/drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c ++++ b/drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c +@@ -70,10 +70,17 @@ static int light_up_connector(struct kunit *test, + state = drm_kunit_helper_atomic_state_alloc(test, drm, ctx); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, state); + ++retry: + conn_state = drm_atomic_get_connector_state(state, connector); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state); + + ret = drm_atomic_set_crtc_for_connector(conn_state, crtc); ++ if (ret == -EDEADLK) { ++ drm_atomic_state_clear(state); ++ ret = drm_modeset_backoff(ctx); ++ if (!ret) ++ goto retry; ++ } + KUNIT_EXPECT_EQ(test, ret, 0); + + crtc_state = drm_atomic_get_crtc_state(state, crtc); +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-client-bo-client-does-not-need-bos_lock.patch b/queue-6.12/drm-xe-client-bo-client-does-not-need-bos_lock.patch new file mode 100644 index 0000000000..a9b2fa601b --- /dev/null +++ b/queue-6.12/drm-xe-client-bo-client-does-not-need-bos_lock.patch @@ -0,0 +1,43 @@ +From e34b8c4af1922e55b25eed33771290cc2716d19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 10:40:42 +0530 +Subject: drm/xe/client: bo->client does not need bos_lock + +From: Tejas Upadhyay + +[ Upstream commit fc876c9524e2a9f816f51d533ed31df789cff65a ] + +bos_lock is to protect list of bos used by client, it is +not required to protect bo->client so bring it outside of +bos_lock. + +Fixes: b27970f3e11c ("drm/xe: Add tracking support for bos per client") +Signed-off-by: Tejas Upadhyay +Reviewed-by: Himal Prasad Ghimiray +Reviewed-by: Nirmoy Das +Link: https://patchwork.freedesktop.org/patch/msgid/20250205051042.1991192-1-tejas.upadhyay@intel.com +Signed-off-by: Nirmoy Das +(cherry picked from commit f74fd53ba34551b7626193fb70c17226f06e9bf1) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_drm_client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_drm_client.c b/drivers/gpu/drm/xe/xe_drm_client.c +index fb52a23e28f84..a89fbfbdab329 100644 +--- a/drivers/gpu/drm/xe/xe_drm_client.c ++++ b/drivers/gpu/drm/xe/xe_drm_client.c +@@ -135,8 +135,8 @@ void xe_drm_client_add_bo(struct xe_drm_client *client, + XE_WARN_ON(bo->client); + XE_WARN_ON(!list_empty(&bo->client_link)); + +- spin_lock(&client->bos_lock); + bo->client = xe_drm_client_get(client); ++ spin_lock(&client->bos_lock); + list_add_tail(&bo->client_link, &client->bos_list); + spin_unlock(&client->bos_lock); + } +-- +2.39.5 + diff --git a/queue-6.12/fbdev-omap-use-threaded-irq-for-lcd-dma.patch b/queue-6.12/fbdev-omap-use-threaded-irq-for-lcd-dma.patch new file mode 100644 index 0000000000..571ea94662 --- /dev/null +++ b/queue-6.12/fbdev-omap-use-threaded-irq-for-lcd-dma.patch @@ -0,0 +1,85 @@ +From 5193e251ad416c858b609d0277b94d3f1befc843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:19:51 +0200 +Subject: fbdev: omap: use threaded IRQ for LCD DMA + +From: Aaro Koskinen + +[ Upstream commit e4b6b665df815b4841e71b72f06446884e8aad40 ] + +When using touchscreen and framebuffer, Nokia 770 crashes easily with: + + BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000 + Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd + CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2 + Hardware name: Nokia 770 + Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x54/0x5c + dump_stack_lvl from __schedule_bug+0x50/0x70 + __schedule_bug from __schedule+0x4d4/0x5bc + __schedule from schedule+0x34/0xa0 + schedule from schedule_preempt_disabled+0xc/0x10 + schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4 + __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4 + clk_prepare_lock from clk_set_rate+0x18/0x154 + clk_set_rate from sossi_read_data+0x4c/0x168 + sossi_read_data from hwa742_read_reg+0x5c/0x8c + hwa742_read_reg from send_frame_handler+0xfc/0x300 + send_frame_handler from process_pending_requests+0x74/0xd0 + process_pending_requests from lcd_dma_irq_handler+0x50/0x74 + lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130 + __handle_irq_event_percpu from handle_irq_event+0x28/0x68 + handle_irq_event from handle_level_irq+0x9c/0x170 + handle_level_irq from generic_handle_domain_irq+0x2c/0x3c + generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c + omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c + generic_handle_arch_irq from call_with_stack+0x1c/0x24 + call_with_stack from __irq_svc+0x94/0xa8 + Exception stack(0xc5255da0 to 0xc5255de8) + 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248 + 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94 + 5de0: 60000013 ffffffff + __irq_svc from clk_prepare_lock+0x4c/0xe4 + clk_prepare_lock from clk_get_rate+0x10/0x74 + clk_get_rate from uwire_setup_transfer+0x40/0x180 + uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c + spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664 + spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498 + __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8 + __spi_sync from spi_sync+0x24/0x40 + spi_sync from ads7846_halfd_read_state+0x5c/0x1c0 + ads7846_halfd_read_state from ads7846_irq+0x58/0x348 + ads7846_irq from irq_thread_fn+0x1c/0x78 + irq_thread_fn from irq_thread+0x120/0x228 + irq_thread from kthread+0xc8/0xe8 + kthread from ret_from_fork+0x14/0x28 + +As a quick fix, switch to a threaded IRQ which provides a stable system. + +Signed-off-by: Aaro Koskinen +Reviewed-by: Linus Walleij +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/omap/lcd_dma.c b/drivers/video/fbdev/omap/lcd_dma.c +index f85817635a8c2..0da23c57e4757 100644 +--- a/drivers/video/fbdev/omap/lcd_dma.c ++++ b/drivers/video/fbdev/omap/lcd_dma.c +@@ -432,8 +432,8 @@ static int __init omap_init_lcd_dma(void) + + spin_lock_init(&lcd_dma.lock); + +- r = request_irq(INT_DMA_LCD, lcd_dma_irq_handler, 0, +- "LCD DMA", NULL); ++ r = request_threaded_irq(INT_DMA_LCD, NULL, lcd_dma_irq_handler, ++ IRQF_ONESHOT, "LCD DMA", NULL); + if (r != 0) + pr_err("unable to request IRQ for LCD DMA (error %d)\n", r); + +-- +2.39.5 + diff --git a/queue-6.12/firmware-qcom-scm-smc-handle-missing-scm-device.patch b/queue-6.12/firmware-qcom-scm-smc-handle-missing-scm-device.patch new file mode 100644 index 0000000000..b74ae13df4 --- /dev/null +++ b/queue-6.12/firmware-qcom-scm-smc-handle-missing-scm-device.patch @@ -0,0 +1,39 @@ +From aeec1bd01aa659a2f38e35c6d6e0d3cabf780d52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 15:27:58 +0100 +Subject: firmware: qcom: scm: smc: Handle missing SCM device + +From: Krzysztof Kozlowski + +[ Upstream commit 94f48ecf0a538019ca2025e0b0da391f8e7cc58c ] + +Commit ca61d6836e6f ("firmware: qcom: scm: fix a NULL-pointer +dereference") makes it explicit that qcom_scm_get_tzmem_pool() can +return NULL, therefore its users should handle this. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20241209-qcom-scm-missing-barriers-and-all-sort-of-srap-v2-5-9061013c8d92@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/firmware/qcom/qcom_scm-smc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/qcom/qcom_scm-smc.c b/drivers/firmware/qcom/qcom_scm-smc.c +index 2b4c2826f5725..3f10b23ec941b 100644 +--- a/drivers/firmware/qcom/qcom_scm-smc.c ++++ b/drivers/firmware/qcom/qcom_scm-smc.c +@@ -173,6 +173,9 @@ int __scm_smc_call(struct device *dev, const struct qcom_scm_desc *desc, + smc.args[i + SCM_SMC_FIRST_REG_IDX] = desc->args[i]; + + if (unlikely(arglen > SCM_SMC_N_REG_ARGS)) { ++ if (!mempool) ++ return -EINVAL; ++ + args_virt = qcom_tzmem_alloc(mempool, + SCM_SMC_N_EXT_ARGS * sizeof(u64), + flag); +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-unify-inode-corruption-marking-with-_ntfs_b.patch b/queue-6.12/fs-ntfs3-unify-inode-corruption-marking-with-_ntfs_b.patch new file mode 100644 index 0000000000..bd56fbfb87 --- /dev/null +++ b/queue-6.12/fs-ntfs3-unify-inode-corruption-marking-with-_ntfs_b.patch @@ -0,0 +1,160 @@ +From b7e35e0f444fa96951892b1e57f6751c2aad0ae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 10:34:08 +0300 +Subject: fs/ntfs3: Unify inode corruption marking with _ntfs_bad_inode() + +From: Konstantin Komarov + +[ Upstream commit 55ad333de0f80bc0caee10c6c27196cdcf8891bb ] + +Also reworked error handling in a couple of places. + +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 4 ++-- + fs/ntfs3/dir.c | 2 +- + fs/ntfs3/frecord.c | 12 +++++++----- + fs/ntfs3/fsntfs.c | 6 +++++- + fs/ntfs3/index.c | 6 ++---- + fs/ntfs3/inode.c | 3 +++ + 6 files changed, 20 insertions(+), 13 deletions(-) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index 8d789b017fa9b..da1a9312e61a0 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -1406,7 +1406,7 @@ int attr_wof_frame_info(struct ntfs_inode *ni, struct ATTRIB *attr, + */ + if (!attr->non_res) { + if (vbo[1] + bytes_per_off > le32_to_cpu(attr->res.data_size)) { +- ntfs_inode_err(&ni->vfs_inode, "is corrupted"); ++ _ntfs_bad_inode(&ni->vfs_inode); + return -EINVAL; + } + addr = resident_data(attr); +@@ -2587,7 +2587,7 @@ int attr_force_nonresident(struct ntfs_inode *ni) + + attr = ni_find_attr(ni, NULL, &le, ATTR_DATA, NULL, 0, NULL, &mi); + if (!attr) { +- ntfs_bad_inode(&ni->vfs_inode, "no data attribute"); ++ _ntfs_bad_inode(&ni->vfs_inode); + return -ENOENT; + } + +diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c +index fc6a8aa29e3af..b6da80c69ca63 100644 +--- a/fs/ntfs3/dir.c ++++ b/fs/ntfs3/dir.c +@@ -512,7 +512,7 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx) + ctx->pos = pos; + } else if (err < 0) { + if (err == -EINVAL) +- ntfs_inode_err(dir, "directory corrupted"); ++ _ntfs_bad_inode(dir); + ctx->pos = eod; + } + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index c33e818b3164c..175662acd5eaf 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -148,8 +148,10 @@ int ni_load_mi_ex(struct ntfs_inode *ni, CLST rno, struct mft_inode **mi) + goto out; + + err = mi_get(ni->mi.sbi, rno, &r); +- if (err) ++ if (err) { ++ _ntfs_bad_inode(&ni->vfs_inode); + return err; ++ } + + ni_add_mi(ni, r); + +@@ -238,8 +240,7 @@ struct ATTRIB *ni_find_attr(struct ntfs_inode *ni, struct ATTRIB *attr, + return attr; + + out: +- ntfs_inode_err(&ni->vfs_inode, "failed to parse mft record"); +- ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_ERROR); ++ _ntfs_bad_inode(&ni->vfs_inode); + return NULL; + } + +@@ -330,6 +331,7 @@ struct ATTRIB *ni_load_attr(struct ntfs_inode *ni, enum ATTR_TYPE type, + vcn <= le64_to_cpu(attr->nres.evcn)) + return attr; + ++ _ntfs_bad_inode(&ni->vfs_inode); + return NULL; + } + +@@ -1604,8 +1606,8 @@ int ni_delete_all(struct ntfs_inode *ni) + roff = le16_to_cpu(attr->nres.run_off); + + if (roff > asize) { +- _ntfs_bad_inode(&ni->vfs_inode); +- return -EINVAL; ++ /* ni_enum_attr_ex checks this case. */ ++ continue; + } + + /* run==1 means unpack and deallocate. */ +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 0fa636038b4e4..6c73e93afb478 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -908,7 +908,11 @@ void ntfs_bad_inode(struct inode *inode, const char *hint) + + ntfs_inode_err(inode, "%s", hint); + make_bad_inode(inode); +- ntfs_set_state(sbi, NTFS_DIRTY_ERROR); ++ /* Avoid recursion if bad inode is $Volume. */ ++ if (inode->i_ino != MFT_REC_VOL && ++ !(sbi->flags & NTFS_FLAGS_LOG_REPLAYING)) { ++ ntfs_set_state(sbi, NTFS_DIRTY_ERROR); ++ } + } + + /* +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 9089c58a005ce..7eb9fae22f8da 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -1094,8 +1094,7 @@ int indx_read(struct ntfs_index *indx, struct ntfs_inode *ni, CLST vbn, + + ok: + if (!index_buf_check(ib, bytes, &vbn)) { +- ntfs_inode_err(&ni->vfs_inode, "directory corrupted"); +- ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_ERROR); ++ _ntfs_bad_inode(&ni->vfs_inode); + err = -EINVAL; + goto out; + } +@@ -1117,8 +1116,7 @@ int indx_read(struct ntfs_index *indx, struct ntfs_inode *ni, CLST vbn, + + out: + if (err == -E_NTFS_CORRUPT) { +- ntfs_inode_err(&ni->vfs_inode, "directory corrupted"); +- ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_ERROR); ++ _ntfs_bad_inode(&ni->vfs_inode); + err = -EINVAL; + } + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index be04d2845bb7b..a1e11228dafd0 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -410,6 +410,9 @@ static struct inode *ntfs_read_mft(struct inode *inode, + if (!std5) + goto out; + ++ if (is_bad_inode(inode)) ++ goto out; ++ + if (!is_match && name) { + err = -ENOENT; + goto out; +-- +2.39.5 + diff --git a/queue-6.12/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch b/queue-6.12/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch new file mode 100644 index 0000000000..bf26af712a --- /dev/null +++ b/queue-6.12/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch @@ -0,0 +1,40 @@ +From c9924fcac931bdc37544af73772775d0c831c706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:02 +0100 +Subject: gpio: bcm-kona: Add missing newline to dev_err format string + +From: Artur Weber + +[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ] + +Add a missing newline to the format string of the "Couldn't get IRQ +for bank..." error message. + +Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 17f3f210fee9d..64908f1a5e7f9 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -659,7 +659,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev) + bank->irq = platform_get_irq(pdev, i); + bank->kona_gpio = kona_gpio; + if (bank->irq < 0) { +- dev_err(dev, "Couldn't get IRQ for bank %d", i); ++ dev_err(dev, "Couldn't get IRQ for bank %d\n", i); + ret = -ENOENT; + goto err_irq_domain; + } +-- +2.39.5 + diff --git a/queue-6.12/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch b/queue-6.12/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch new file mode 100644 index 0000000000..aa34ca2f9c --- /dev/null +++ b/queue-6.12/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch @@ -0,0 +1,64 @@ +From 1106900cc982df17c83c5161f4e51e45edbaacb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:00 +0100 +Subject: gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 + +From: Artur Weber + +[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ] + +The GPIO lock/unlock functions clear/write a bit to the relevant +register for each bank. However, due to an oversight the bit that +was being written was based on the total GPIO number, not the index +of the GPIO within the relevant bank, causing it to fail for any +GPIO above 32 (thus any GPIO for banks above bank 0). + +Fix lock/unlock for these banks by using the correct bit. + +Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 5321ef98f4427..77bd4ec93a231 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -86,11 +86,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(gpio); ++ val |= BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +@@ -102,11 +103,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(gpio); ++ val &= ~BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +-- +2.39.5 + diff --git a/queue-6.12/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch b/queue-6.12/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch new file mode 100644 index 0000000000..75e10fa7e7 --- /dev/null +++ b/queue-6.12/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch @@ -0,0 +1,160 @@ +From 4f78ead2fc333fcdf57248d742ed20bcf20d7d9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:01 +0100 +Subject: gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ + +From: Artur Weber + +[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ] + +The settings for all GPIOs are locked by default in bcm_kona_gpio_reset. +The settings for a GPIO are unlocked when requesting it as a GPIO, but +not when requesting it as an interrupt, causing the IRQ settings to not +get applied. + +Fix this by making sure to unlock the right bits when an IRQ is requested. +To avoid a situation where an IRQ being released causes a lock despite +the same GPIO being used by a GPIO request or vice versa, add an unlock +counter and only lock if it reaches 0. + +Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++------- + 1 file changed, 55 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 77bd4ec93a231..17f3f210fee9d 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -69,6 +69,22 @@ struct bcm_kona_gpio { + struct bcm_kona_gpio_bank { + int id; + int irq; ++ /* ++ * Used to keep track of lock/unlock operations for each GPIO in the ++ * bank. ++ * ++ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the ++ * unlock count for all GPIOs is 0 by default. Each unlock increments ++ * the counter, and each lock decrements the counter. ++ * ++ * The lock function only locks the GPIO once its unlock counter is ++ * down to 0. This is necessary because the GPIO is unlocked in two ++ * places in this driver: once for requested GPIOs, and once for ++ * requested IRQs. Since it is possible for a GPIO to be requested ++ * as both a GPIO and an IRQ, we need to ensure that we don't lock it ++ * too early. ++ */ ++ u8 gpio_unlock_count[GPIO_PER_BANK]; + /* Used in the interrupt handler */ + struct bcm_kona_gpio *kona_gpio; + }; +@@ -87,14 +103,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ dev_err(kona_gpio->gpio_chip.parent, ++ "Unbalanced locks for GPIO %u\n", gpio); ++ return; ++ } + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ if (--bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val |= BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } + } + + static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, +@@ -104,14 +129,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val &= ~BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } ++ ++ ++bank->gpio_unlock_count[bit]; + } + + static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio) +@@ -362,6 +392,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MASK(bank_id)); +@@ -384,6 +415,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MSKCLR(bank_id)); +@@ -479,15 +511,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc) + static int bcm_kona_gpio_irq_reqres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* ++ * We need to unlock the GPIO before any other operations are performed ++ * on the relevant GPIO configuration registers ++ */ ++ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio); + +- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio); + } + + static void bcm_kona_gpio_irq_relres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* Once we no longer use it, lock the GPIO again */ ++ bcm_kona_gpio_lock_gpio(kona_gpio, gpio); + +- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio); + } + + static struct irq_chip bcm_gpio_irq_chip = { +-- +2.39.5 + diff --git a/queue-6.12/gpiolib-fix-crash-on-error-in-gpiochip_get_ngpios.patch b/queue-6.12/gpiolib-fix-crash-on-error-in-gpiochip_get_ngpios.patch new file mode 100644 index 0000000000..bd1d00cf22 --- /dev/null +++ b/queue-6.12/gpiolib-fix-crash-on-error-in-gpiochip_get_ngpios.patch @@ -0,0 +1,49 @@ +From e6c7f89cab74951222b6addac79cd22db8126195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 17:56:46 +0200 +Subject: gpiolib: Fix crash on error in gpiochip_get_ngpios() + +From: Andy Shevchenko + +[ Upstream commit 7b4aebeecbbd5b5fe73e35fad3f62ed21aa7ef44 ] + +The gpiochip_get_ngpios() uses chip_*() macros to print messages. +However these macros rely on gpiodev to be initialised and set, +which is not the case when called via bgpio_init(). In such a case +the printing messages will crash on NULL pointer dereference. +Replace chip_*() macros by the respective dev_*() ones to avoid +such crash. + +Fixes: 55b2395e4e92 ("gpio: mmio: handle "ngpios" properly in bgpio_init()") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20250213155646.2882324-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 44372f8647d51..1e8f0bdb6ae3b 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -905,13 +905,13 @@ int gpiochip_get_ngpios(struct gpio_chip *gc, struct device *dev) + } + + if (gc->ngpio == 0) { +- chip_err(gc, "tried to insert a GPIO chip with zero lines\n"); ++ dev_err(dev, "tried to insert a GPIO chip with zero lines\n"); + return -EINVAL; + } + + if (gc->ngpio > FASTPATH_NGPIO) +- chip_warn(gc, "line cnt %u is greater than fast path cnt %u\n", +- gc->ngpio, FASTPATH_NGPIO); ++ dev_warn(dev, "line cnt %u is greater than fast path cnt %u\n", ++ gc->ngpio, FASTPATH_NGPIO); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/gpu-host1x-fix-a-use-of-uninitialized-mutex.patch b/queue-6.12/gpu-host1x-fix-a-use-of-uninitialized-mutex.patch new file mode 100644 index 0000000000..aa206c07b6 --- /dev/null +++ b/queue-6.12/gpu-host1x-fix-a-use-of-uninitialized-mutex.patch @@ -0,0 +1,125 @@ +From 13078327dadf2eacb7adfc07caeb132cc7d6de56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 15:58:03 +0000 +Subject: gpu: host1x: Fix a use of uninitialized mutex + +From: Rupinderjit Singh + +[ Upstream commit 02458fbfaa0170aabf8506f7d4ed054f02414251 ] + +commit c8347f915e67 ("gpu: host1x: Fix boot regression for Tegra") +caused a use of uninitialized mutex leading to below warning when +CONFIG_DEBUG_MUTEXES and CONFIG_DEBUG_LOCK_ALLOC are enabled. + +[ 41.662843] ------------[ cut here ]------------ +[ 41.663012] DEBUG_LOCKS_WARN_ON(lock->magic != lock) +[ 41.663035] WARNING: CPU: 4 PID: 794 at kernel/locking/mutex.c:587 __mutex_lock+0x670/0x878 +[ 41.663458] Modules linked in: rtw88_8822c(+) bluetooth(+) rtw88_pci rtw88_core mac80211 aquantia libarc4 crc_itu_t cfg80211 tegra194_cpufreq dwmac_tegra(+) arm_dsu_pmu stmmac_platform stmmac pcs_xpcs rfkill at24 host1x(+) tegra_bpmp_thermal ramoops reed_solomon fuse loop nfnetlink xfs mmc_block rpmb_core ucsi_ccg ina3221 crct10dif_ce xhci_tegra ghash_ce lm90 sha2_ce sha256_arm64 sha1_ce sdhci_tegra pwm_fan sdhci_pltfm sdhci gpio_keys rtc_tegra cqhci mmc_core phy_tegra_xusb i2c_tegra tegra186_gpc_dma i2c_tegra_bpmp spi_tegra114 dm_mirror dm_region_hash dm_log dm_mod +[ 41.665078] CPU: 4 UID: 0 PID: 794 Comm: (udev-worker) Not tainted 6.11.0-29.31_1538613708.el10.aarch64+debug #1 +[ 41.665838] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS 36.3.0-gcid-35594366 02/26/2024 +[ 41.672555] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 41.679636] pc : __mutex_lock+0x670/0x878 +[ 41.683834] lr : __mutex_lock+0x670/0x878 +[ 41.688035] sp : ffff800084b77090 +[ 41.691446] x29: ffff800084b77160 x28: ffffdd4bebf7b000 x27: ffffdd4be96b1000 +[ 41.698799] x26: 1fffe0002308361c x25: 1ffff0001096ee18 x24: 0000000000000000 +[ 41.706149] x23: 0000000000000000 x22: 0000000000000002 x21: ffffdd4be6e3c7a0 +[ 41.713500] x20: ffff800084b770f0 x19: ffff00011841b1e8 x18: 0000000000000000 +[ 41.720675] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 +[ 41.728023] x14: 0000000000000000 x13: 0000000000000001 x12: ffff6001a96eaab3 +[ 41.735375] x11: 1fffe001a96eaab2 x10: ffff6001a96eaab2 x9 : ffffdd4be4838bbc +[ 41.742723] x8 : 00009ffe5691554e x7 : ffff000d4b755593 x6 : 0000000000000001 +[ 41.749985] x5 : ffff000d4b755590 x4 : 1fffe0001d88f001 x3 : dfff800000000000 +[ 41.756988] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000ec478000 +[ 41.764251] Call trace: +[ 41.766695] __mutex_lock+0x670/0x878 +[ 41.770373] mutex_lock_nested+0x2c/0x40 +[ 41.774134] host1x_intr_start+0x54/0xf8 [host1x] +[ 41.778863] host1x_runtime_resume+0x150/0x228 [host1x] +[ 41.783935] pm_generic_runtime_resume+0x84/0xc8 +[ 41.788485] __rpm_callback+0xa0/0x478 +[ 41.792422] rpm_callback+0x15c/0x1a8 +[ 41.795922] rpm_resume+0x698/0xc08 +[ 41.799597] __pm_runtime_resume+0xa8/0x140 +[ 41.803621] host1x_probe+0x810/0xbc0 [host1x] +[ 41.807909] platform_probe+0xcc/0x1a8 +[ 41.811845] really_probe+0x188/0x800 +[ 41.815347] __driver_probe_device+0x164/0x360 +[ 41.819810] driver_probe_device+0x64/0x1a8 +[ 41.823834] __driver_attach+0x180/0x490 +[ 41.827773] bus_for_each_dev+0x104/0x1a0 +[ 41.831797] driver_attach+0x44/0x68 +[ 41.835296] bus_add_driver+0x23c/0x4e8 +[ 41.839235] driver_register+0x15c/0x3a8 +[ 41.843170] __platform_register_drivers+0xa4/0x208 +[ 41.848159] tegra_host1x_init+0x4c/0xff8 [host1x] +[ 41.853147] do_one_initcall+0xd4/0x380 +[ 41.856997] do_init_module+0x1dc/0x698 +[ 41.860758] load_module+0xc70/0x1300 +[ 41.864435] __do_sys_init_module+0x1a8/0x1d0 +[ 41.868721] __arm64_sys_init_module+0x74/0xb0 +[ 41.873183] invoke_syscall.constprop.0+0xdc/0x1e8 +[ 41.877997] do_el0_svc+0x154/0x1d0 +[ 41.881671] el0_svc+0x54/0x140 +[ 41.884820] el0t_64_sync_handler+0x120/0x130 +[ 41.889285] el0t_64_sync+0x1a4/0x1a8 +[ 41.892960] irq event stamp: 69737 +[ 41.896370] hardirqs last enabled at (69737): [] _raw_spin_unlock_irqrestore+0x44/0xe8 +[ 41.905739] hardirqs last disabled at (69736): [] clk_enable_lock+0x98/0x198 +[ 41.914314] softirqs last enabled at (68082): [] handle_softirqs+0x4c8/0x890 +[ 41.922977] softirqs last disabled at (67945): [] __do_softirq+0x1c/0x28 +[ 41.931289] ---[ end trace 0000000000000000 ]--- + +Inside the probe function when pm_runtime_enable() is called, +the PM core invokes a resume callback if the device Host1x is +in a suspended state. As it can be seen in the logs above, +this leads to host1x_intr_start() function call which is +trying to acquire a mutex lock. But, the function +host_intr_init() only gets called after the pm_runtime_enable() +where mutex is initialised leading to the use of mutex +prior to its initialisation. + +Fix this by moving the mutex initialisation prior to the runtime +PM enablement function pm_runtime_enable() in probe. + +Fixes: c8347f915e67 ("gpu: host1x: Fix boot regression for Tegra") +Signed-off-by: Rupinderjit Singh +Reviewed-by: Jon Hunter +Tested-by: Jon Hunter +Signed-off-by: Thierry Reding +Link: https://patchwork.ozlabs.org/project/linux-tegra/patch/20250206155803.201942-1-rusingh@redhat.com/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/dev.c | 2 ++ + drivers/gpu/host1x/intr.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c +index e98528777faae..710674ef40a97 100644 +--- a/drivers/gpu/host1x/dev.c ++++ b/drivers/gpu/host1x/dev.c +@@ -625,6 +625,8 @@ static int host1x_probe(struct platform_device *pdev) + goto free_contexts; + } + ++ mutex_init(&host->intr_mutex); ++ + pm_runtime_enable(&pdev->dev); + + err = devm_tegra_core_dev_init_opp_table_common(&pdev->dev); +diff --git a/drivers/gpu/host1x/intr.c b/drivers/gpu/host1x/intr.c +index b3285dd101804..f77a678949e96 100644 +--- a/drivers/gpu/host1x/intr.c ++++ b/drivers/gpu/host1x/intr.c +@@ -104,8 +104,6 @@ int host1x_intr_init(struct host1x *host) + unsigned int id; + int i, err; + +- mutex_init(&host->intr_mutex); +- + for (id = 0; id < host1x_syncpt_nb_pts(host); ++id) { + struct host1x_syncpt *syncpt = &host->syncpt[id]; + +-- +2.39.5 + diff --git a/queue-6.12/grab-mm-lock-before-grabbing-pt-lock.patch b/queue-6.12/grab-mm-lock-before-grabbing-pt-lock.patch new file mode 100644 index 0000000000..813ac3ce87 --- /dev/null +++ b/queue-6.12/grab-mm-lock-before-grabbing-pt-lock.patch @@ -0,0 +1,156 @@ +From e5646a7b701a23adaa99c0c9695f08661fc78691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 11:35:15 +0100 +Subject: Grab mm lock before grabbing pt lock + +From: Maksym Planeta + +[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ] + +Function xen_pin_page calls xen_pte_lock, which in turn grab page +table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock +to be held before grabbing ptlock, but this does not happen when pinning +is caused by xen_mm_pin_all. + +This commit addresses lockdep warning below, which shows up when +suspending a Xen VM. + +[ 3680.658422] Freezing user space processes +[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds) +[ 3680.660182] OOM killer disabled. +[ 3680.660192] Freezing remaining freezable tasks +[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 3680.685254] +[ 3680.685265] ================================== +[ 3680.685269] WARNING: Nested lock was not taken +[ 3680.685274] 6.12.0+ #16 Tainted: G W +[ 3680.685279] ---------------------------------- +[ 3680.685283] migration/0/19 is trying to lock: +[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0 +[ 3680.685303] +[ 3680.685303] but this task is not holding: +[ 3680.685308] init_mm.page_table_lock +[ 3680.685311] +[ 3680.685311] stack backtrace: +[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685324] Tainted: [W]=WARN +[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685339] Call Trace: +[ 3680.685344] +[ 3680.685347] dump_stack_lvl+0x77/0xb0 +[ 3680.685356] __lock_acquire+0x917/0x2310 +[ 3680.685364] lock_acquire+0xce/0x2c0 +[ 3680.685369] ? xen_pin_page+0x175/0x1d0 +[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685381] ? xen_pin_page+0x175/0x1d0 +[ 3680.685386] xen_pin_page+0x175/0x1d0 +[ 3680.685390] ? __pfx_xen_pin_page+0x10/0x10 +[ 3680.685394] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685401] ? stop_one_cpu+0x91/0x100 +[ 3680.685405] __xen_pgd_pin+0x5d/0x250 +[ 3680.685410] xen_mm_pin_all+0x70/0xa0 +[ 3680.685415] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685420] xen_suspend+0x57/0x1a0 +[ 3680.685428] multi_cpu_stop+0x6b/0x120 +[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60 +[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685443] cpu_stopper_thread+0x8c/0x140 +[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685458] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685462] kthread+0xde/0x110 +[ 3680.685467] ? __pfx_kthread+0x10/0x10 +[ 3680.685471] ret_from_fork+0x2f/0x50 +[ 3680.685478] ? __pfx_kthread+0x10/0x10 +[ 3680.685482] ret_from_fork_asm+0x1a/0x30 +[ 3680.685489] +[ 3680.685491] +[ 3680.685491] other info that might help us debug this: +[ 3680.685497] 1 lock held by migration/0/19: +[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0 +[ 3680.685512] +[ 3680.685512] stack backtrace: +[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685528] Tainted: [W]=WARN +[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685538] Call Trace: +[ 3680.685541] +[ 3680.685544] dump_stack_lvl+0x77/0xb0 +[ 3680.685549] __lock_acquire+0x93c/0x2310 +[ 3680.685554] lock_acquire+0xce/0x2c0 +[ 3680.685558] ? xen_pin_page+0x175/0x1d0 +[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685568] ? xen_pin_page+0x175/0x1d0 +[ 3680.685572] xen_pin_page+0x175/0x1d0 +[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10 +[ 3680.685582] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685588] ? stop_one_cpu+0x91/0x100 +[ 3680.685592] __xen_pgd_pin+0x5d/0x250 +[ 3680.685596] xen_mm_pin_all+0x70/0xa0 +[ 3680.685600] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685607] xen_suspend+0x57/0x1a0 +[ 3680.685611] multi_cpu_stop+0x6b/0x120 +[ 3680.685615] ? update_cpumasks_hier+0x7c/0xa60 +[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685625] cpu_stopper_thread+0x8c/0x140 +[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685638] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685642] kthread+0xde/0x110 +[ 3680.685645] ? __pfx_kthread+0x10/0x10 +[ 3680.685649] ret_from_fork+0x2f/0x50 +[ 3680.685654] ? __pfx_kthread+0x10/0x10 +[ 3680.685657] ret_from_fork_asm+0x1a/0x30 +[ 3680.685662] +[ 3680.685267] xen:grant_table: Grant tables using version 1 layout +[ 3680.685921] OOM killer enabled. +[ 3680.685934] Restarting tasks ... done. + +Signed-off-by: Maksym Planeta +Reviewed-by: Juergen Gross +Message-ID: <20241204103516.3309112-1-maksym@exostellar.io> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index ffdf0d299c5d7..d078de2c952b3 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -826,6 +826,7 @@ void xen_mm_pin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -836,6 +837,7 @@ void xen_mm_pin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page, +@@ -935,6 +937,7 @@ void xen_mm_unpin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -946,6 +949,7 @@ void xen_mm_unpin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void xen_enter_mmap(struct mm_struct *mm) +-- +2.39.5 + diff --git a/queue-6.12/hid-hid-steam-don-t-use-cancel_delayed_work_sync-in-.patch b/queue-6.12/hid-hid-steam-don-t-use-cancel_delayed_work_sync-in-.patch new file mode 100644 index 0000000000..e8fd091e5a --- /dev/null +++ b/queue-6.12/hid-hid-steam-don-t-use-cancel_delayed_work_sync-in-.patch @@ -0,0 +1,39 @@ +From b4025ac4e792aa706189b6d5b47d577cee0ea117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 19:55:29 -0800 +Subject: HID: hid-steam: Don't use cancel_delayed_work_sync in IRQ context + +From: Vicki Pfau + +[ Upstream commit b051ffa2aeb2a60e092387b6fb2af1ad42f51a3c ] + +Lockdep reported that, as steam_do_deck_input_event is called from +steam_raw_event inside of an IRQ context, it can lead to issues if that IRQ +occurs while the work to be cancelled is running. By using cancel_delayed_work, +this issue can be avoided. The exact ordering of the work and the event +processing is not super important, so this is safe. + +Fixes: cd438e57dd05 ("HID: hid-steam: Add gamepad-only mode switched to by holding options") +Signed-off-by: Vicki Pfau +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-steam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c +index bf8b633114be6..9b6aec0733ae6 100644 +--- a/drivers/hid/hid-steam.c ++++ b/drivers/hid/hid-steam.c +@@ -1592,7 +1592,7 @@ static void steam_do_deck_input_event(struct steam_device *steam, + + if (!(b9 & BIT(6)) && steam->did_mode_switch) { + steam->did_mode_switch = false; +- cancel_delayed_work_sync(&steam->mode_switch); ++ cancel_delayed_work(&steam->mode_switch); + } else if (!steam->client_opened && (b9 & BIT(6)) && !steam->did_mode_switch) { + steam->did_mode_switch = true; + schedule_delayed_work(&steam->mode_switch, 45 * HZ / 100); +-- +2.39.5 + diff --git a/queue-6.12/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch b/queue-6.12/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch new file mode 100644 index 0000000000..b6d0c7feb8 --- /dev/null +++ b/queue-6.12/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch @@ -0,0 +1,49 @@ +From 7b28e42b7db7c0fa111f98cb068b6421a12f8cb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 18:50:34 -0300 +Subject: HID: hid-thrustmaster: fix stack-out-of-bounds read in + usb_check_int_endpoints() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tulio Fernandes + +[ Upstream commit 0b43d98ff29be3144e86294486b1373b5df74c0e ] + +Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from +hid-thrustmaster driver. This array is passed to usb_check_int_endpoints +function from usb.c core driver, which executes a for loop that iterates +over the elements of the passed array. Not finding a null element at the end of +the array, it tries to read the next, non-existent element, crashing the kernel. + +To fix this, a 0 element was added at the end of the array to break the for +loop. + +[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad + +Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com +Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check") +Signed-off-by: Túlio Fernandes +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-thrustmaster.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c +index 6c3e758bbb09e..3b81468a1df29 100644 +--- a/drivers/hid/hid-thrustmaster.c ++++ b/drivers/hid/hid-thrustmaster.c +@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev) + b_ep = ep->desc.bEndpointAddress; + + /* Are the expected endpoints present? */ +- u8 ep_addr[1] = {b_ep}; ++ u8 ep_addr[2] = {b_ep, 0}; + + if (!usb_check_int_endpoints(usbif, ep_addr)) { + hid_err(hdev, "Unexpected non-int endpoint\n"); +-- +2.39.5 + diff --git a/queue-6.12/hid-multitouch-add-null-check-in-mt_input_configured.patch b/queue-6.12/hid-multitouch-add-null-check-in-mt_input_configured.patch new file mode 100644 index 0000000000..cc9d831cf7 --- /dev/null +++ b/queue-6.12/hid-multitouch-add-null-check-in-mt_input_configured.patch @@ -0,0 +1,43 @@ +From a5cc990160136ececd76c1897acc675309f4adfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 14:26:21 +0800 +Subject: HID: multitouch: Add NULL check in mt_input_configured + +From: Charles Han + +[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ] + +devm_kasprintf() can return a NULL pointer on failure,but this +returned value in mt_input_configured() is not checked. +Add NULL check in mt_input_configured(), to handle kernel NULL +pointer dereference error. + +Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name") +Signed-off-by: Charles Han +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 369414c92fccb..93b5c648ef82c 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1673,9 +1673,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + break; + } + +- if (suffix) ++ if (suffix) { + hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, + "%s %s", hdev->name, suffix); ++ if (!hi->input->name) ++ return -ENOMEM; ++ } + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/hid-winwing-add-null-check-in-winwing_init_led.patch b/queue-6.12/hid-winwing-add-null-check-in-winwing_init_led.patch new file mode 100644 index 0000000000..5dd2208bb4 --- /dev/null +++ b/queue-6.12/hid-winwing-add-null-check-in-winwing_init_led.patch @@ -0,0 +1,38 @@ +From 7b6cfb4b43d06149f2c371ad220d8508ba81b5bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 17:19:47 +0800 +Subject: HID: winwing: Add NULL check in winwing_init_led() + +From: Charles Han + +[ Upstream commit 45ab5166a82d038c898985b0ad43ead69c1f9573 ] + +devm_kasprintf() can return a NULL pointer on failure,but this +returned value in winwing_init_led() is not checked. +Add NULL check in winwing_init_led(), to handle kernel NULL +pointer dereference error. + +Fixes: 266c990debad ("HID: Add WinWing Orion2 throttle support") +Signed-off-by: Charles Han +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-winwing.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-winwing.c b/drivers/hid/hid-winwing.c +index 831b760c66ea7..d4afbbd278079 100644 +--- a/drivers/hid/hid-winwing.c ++++ b/drivers/hid/hid-winwing.c +@@ -106,6 +106,8 @@ static int winwing_init_led(struct hid_device *hdev, + "%s::%s", + dev_name(&input->dev), + info->led_name); ++ if (!led->cdev.name) ++ return -ENOMEM; + + ret = devm_led_classdev_register(&hdev->dev, &led->cdev); + if (ret) +-- +2.39.5 + diff --git a/queue-6.12/i3c-mipi-i3c-hci-add-intel-specific-quirk-to-ring-re.patch b/queue-6.12/i3c-mipi-i3c-hci-add-intel-specific-quirk-to-ring-re.patch new file mode 100644 index 0000000000..bf5bfcc315 --- /dev/null +++ b/queue-6.12/i3c-mipi-i3c-hci-add-intel-specific-quirk-to-ring-re.patch @@ -0,0 +1,64 @@ +From f595e980f97576630f614be32f2b6ff43f91676e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 13:59:03 +0200 +Subject: i3c: mipi-i3c-hci: Add Intel specific quirk to ring resuming + +From: Jarkko Nikula + +[ Upstream commit ccdb2e0e3b00d13df90ac7a0524dd855173f1171 ] + +MIPI I3C HCI on Intel hardware requires a quirk where ring needs to stop +and set to run again after resuming the halted controller. This is not +expected from the MIPI I3C HCI specification and is Intel specific. + +Add this quirk to generic aborted transfer handling and execute it only +when ring is not in running state after a transfer error and attempted +controller resume. This is the case on Intel hardware. + +It is not fully clear to me what is the ring running state in generic +hardware in such case. I would expect if ring is not running, then stop +request is a no-op and run request is either required or does the same +what controller resume would do. + +Signed-off-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20241231115904.620052-1-jarkko.nikula@linux.intel.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/mipi-i3c-hci/dma.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c +index 13adc58400942..fe955703e59b5 100644 +--- a/drivers/i3c/master/mipi-i3c-hci/dma.c ++++ b/drivers/i3c/master/mipi-i3c-hci/dma.c +@@ -762,9 +762,26 @@ static bool hci_dma_irq_handler(struct i3c_hci *hci, unsigned int mask) + complete(&rh->op_done); + + if (status & INTR_TRANSFER_ABORT) { ++ u32 ring_status; ++ + dev_notice_ratelimited(&hci->master.dev, + "ring %d: Transfer Aborted\n", i); + mipi_i3c_hci_resume(hci); ++ ring_status = rh_reg_read(RING_STATUS); ++ if (!(ring_status & RING_STATUS_RUNNING) && ++ status & INTR_TRANSFER_COMPLETION && ++ status & INTR_TRANSFER_ERR) { ++ /* ++ * Ring stop followed by run is an Intel ++ * specific required quirk after resuming the ++ * halted controller. Do it only when the ring ++ * is not in running state after a transfer ++ * error. ++ */ ++ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE); ++ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | ++ RING_CTRL_RUN_STOP); ++ } + } + if (status & INTR_WARN_INS_STOP_MODE) + dev_warn_ratelimited(&hci->master.dev, +-- +2.39.5 + diff --git a/queue-6.12/i3c-mipi-i3c-hci-add-support-for-mipi-i3c-hci-on-pci.patch b/queue-6.12/i3c-mipi-i3c-hci-add-support-for-mipi-i3c-hci-on-pci.patch new file mode 100644 index 0000000000..9dfe66ae55 --- /dev/null +++ b/queue-6.12/i3c-mipi-i3c-hci-add-support-for-mipi-i3c-hci-on-pci.patch @@ -0,0 +1,213 @@ +From 22e27cd9719c836e1a72db98cbd7e0ad68ad0588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 13:59:04 +0200 +Subject: i3c: mipi-i3c-hci: Add support for MIPI I3C HCI on PCI bus + +From: Jarkko Nikula + +[ Upstream commit 30bb1ce71215645fa6a92f4fa8cbb8f58db68f12 ] + +Add a glue code for the MIPI I3C HCI on PCI bus with Intel Panther Lake +I3C controller PCI IDs. + +MIPI I3C HCI on Intel platforms has additional logic around the MIPI I3C +HCI core logic. Those together create so called I3C slice on PCI bus. +Intel specific initialization code does a reset cycle to the I3C slice +before probing the MIPI I3C HCI part. + +Signed-off-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20241231115904.620052-2-jarkko.nikula@linux.intel.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/Kconfig | 11 ++ + drivers/i3c/master/mipi-i3c-hci/Makefile | 1 + + .../master/mipi-i3c-hci/mipi-i3c-hci-pci.c | 148 ++++++++++++++++++ + 3 files changed, 160 insertions(+) + create mode 100644 drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c + +diff --git a/drivers/i3c/master/Kconfig b/drivers/i3c/master/Kconfig +index 90dee3ec55209..77da199c7413e 100644 +--- a/drivers/i3c/master/Kconfig ++++ b/drivers/i3c/master/Kconfig +@@ -57,3 +57,14 @@ config MIPI_I3C_HCI + + This driver can also be built as a module. If so, the module will be + called mipi-i3c-hci. ++ ++config MIPI_I3C_HCI_PCI ++ tristate "MIPI I3C Host Controller Interface PCI support" ++ depends on MIPI_I3C_HCI ++ depends on PCI ++ help ++ Support for MIPI I3C Host Controller Interface compatible hardware ++ on the PCI bus. ++ ++ This driver can also be built as a module. If so, the module will be ++ called mipi-i3c-hci-pci. +diff --git a/drivers/i3c/master/mipi-i3c-hci/Makefile b/drivers/i3c/master/mipi-i3c-hci/Makefile +index 1f8cd5c48fdef..e3d3ef757035f 100644 +--- a/drivers/i3c/master/mipi-i3c-hci/Makefile ++++ b/drivers/i3c/master/mipi-i3c-hci/Makefile +@@ -5,3 +5,4 @@ mipi-i3c-hci-y := core.o ext_caps.o pio.o dma.o \ + cmd_v1.o cmd_v2.o \ + dat_v1.o dct_v1.o \ + hci_quirks.o ++obj-$(CONFIG_MIPI_I3C_HCI_PCI) += mipi-i3c-hci-pci.o +diff --git a/drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c b/drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c +new file mode 100644 +index 0000000000000..c6c3a3ec11eae +--- /dev/null ++++ b/drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c +@@ -0,0 +1,148 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * PCI glue code for MIPI I3C HCI driver ++ * ++ * Copyright (C) 2024 Intel Corporation ++ * ++ * Author: Jarkko Nikula ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++struct mipi_i3c_hci_pci_info { ++ int (*init)(struct pci_dev *pci); ++}; ++ ++#define INTEL_PRIV_OFFSET 0x2b0 ++#define INTEL_PRIV_SIZE 0x28 ++#define INTEL_PRIV_RESETS 0x04 ++#define INTEL_PRIV_RESETS_RESET BIT(0) ++#define INTEL_PRIV_RESETS_RESET_DONE BIT(1) ++ ++static DEFINE_IDA(mipi_i3c_hci_pci_ida); ++ ++static int mipi_i3c_hci_pci_intel_init(struct pci_dev *pci) ++{ ++ unsigned long timeout; ++ void __iomem *priv; ++ ++ priv = devm_ioremap(&pci->dev, ++ pci_resource_start(pci, 0) + INTEL_PRIV_OFFSET, ++ INTEL_PRIV_SIZE); ++ if (!priv) ++ return -ENOMEM; ++ ++ /* Assert reset, wait for completion and release reset */ ++ writel(0, priv + INTEL_PRIV_RESETS); ++ timeout = jiffies + msecs_to_jiffies(10); ++ while (!(readl(priv + INTEL_PRIV_RESETS) & ++ INTEL_PRIV_RESETS_RESET_DONE)) { ++ if (time_after(jiffies, timeout)) ++ break; ++ cpu_relax(); ++ } ++ writel(INTEL_PRIV_RESETS_RESET, priv + INTEL_PRIV_RESETS); ++ ++ return 0; ++} ++ ++static struct mipi_i3c_hci_pci_info intel_info = { ++ .init = mipi_i3c_hci_pci_intel_init, ++}; ++ ++static int mipi_i3c_hci_pci_probe(struct pci_dev *pci, ++ const struct pci_device_id *id) ++{ ++ struct mipi_i3c_hci_pci_info *info; ++ struct platform_device *pdev; ++ struct resource res[2]; ++ int dev_id, ret; ++ ++ ret = pcim_enable_device(pci); ++ if (ret) ++ return ret; ++ ++ pci_set_master(pci); ++ ++ memset(&res, 0, sizeof(res)); ++ ++ res[0].flags = IORESOURCE_MEM; ++ res[0].start = pci_resource_start(pci, 0); ++ res[0].end = pci_resource_end(pci, 0); ++ ++ res[1].flags = IORESOURCE_IRQ; ++ res[1].start = pci->irq; ++ res[1].end = pci->irq; ++ ++ dev_id = ida_alloc(&mipi_i3c_hci_pci_ida, GFP_KERNEL); ++ if (dev_id < 0) ++ return dev_id; ++ ++ pdev = platform_device_alloc("mipi-i3c-hci", dev_id); ++ if (!pdev) ++ return -ENOMEM; ++ ++ pdev->dev.parent = &pci->dev; ++ device_set_node(&pdev->dev, dev_fwnode(&pci->dev)); ++ ++ ret = platform_device_add_resources(pdev, res, ARRAY_SIZE(res)); ++ if (ret) ++ goto err; ++ ++ info = (struct mipi_i3c_hci_pci_info *)id->driver_data; ++ if (info && info->init) { ++ ret = info->init(pci); ++ if (ret) ++ goto err; ++ } ++ ++ ret = platform_device_add(pdev); ++ if (ret) ++ goto err; ++ ++ pci_set_drvdata(pci, pdev); ++ ++ return 0; ++ ++err: ++ platform_device_put(pdev); ++ ida_free(&mipi_i3c_hci_pci_ida, dev_id); ++ return ret; ++} ++ ++static void mipi_i3c_hci_pci_remove(struct pci_dev *pci) ++{ ++ struct platform_device *pdev = pci_get_drvdata(pci); ++ int dev_id = pdev->id; ++ ++ platform_device_unregister(pdev); ++ ida_free(&mipi_i3c_hci_pci_ida, dev_id); ++} ++ ++static const struct pci_device_id mipi_i3c_hci_pci_devices[] = { ++ /* Panther Lake-H */ ++ { PCI_VDEVICE(INTEL, 0xe37c), (kernel_ulong_t)&intel_info}, ++ { PCI_VDEVICE(INTEL, 0xe36f), (kernel_ulong_t)&intel_info}, ++ /* Panther Lake-P */ ++ { PCI_VDEVICE(INTEL, 0xe47c), (kernel_ulong_t)&intel_info}, ++ { PCI_VDEVICE(INTEL, 0xe46f), (kernel_ulong_t)&intel_info}, ++ { }, ++}; ++MODULE_DEVICE_TABLE(pci, mipi_i3c_hci_pci_devices); ++ ++static struct pci_driver mipi_i3c_hci_pci_driver = { ++ .name = "mipi_i3c_hci_pci", ++ .id_table = mipi_i3c_hci_pci_devices, ++ .probe = mipi_i3c_hci_pci_probe, ++ .remove = mipi_i3c_hci_pci_remove, ++}; ++ ++module_pci_driver(mipi_i3c_hci_pci_driver); ++ ++MODULE_AUTHOR("Jarkko Nikula "); ++MODULE_LICENSE("GPL"); ++MODULE_DESCRIPTION("MIPI I3C HCI driver on PCI bus"); +-- +2.39.5 + diff --git a/queue-6.12/idpf-call-set_real_num_queues-in-idpf_open.patch b/queue-6.12/idpf-call-set_real_num_queues-in-idpf_open.patch new file mode 100644 index 0000000000..6a376d3c8c --- /dev/null +++ b/queue-6.12/idpf-call-set_real_num_queues-in-idpf_open.patch @@ -0,0 +1,52 @@ +From 82e65aeeb6e684b77990ea0a4bc7c436501df8af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 18:08:11 -0800 +Subject: idpf: call set_real_num_queues in idpf_open + +From: Joshua Hay + +[ Upstream commit 52c11d31b5a1d1c747bb5f36cc4808e93e2348f4 ] + +On initial driver load, alloc_etherdev_mqs is called with whatever max +queue values are provided by the control plane. However, if the driver +is loaded on a system where num_online_cpus() returns less than the max +queues, the netdev will think there are more queues than are actually +available. Only num_online_cpus() will be allocated, but +skb_get_queue_mapping(skb) could possibly return an index beyond the +range of allocated queues. Consequently, the packet is silently dropped +and it appears as if TX is broken. + +Set the real number of queues during open so the netdev knows how many +queues will be allocated. + +Fixes: 1c325aac10a8 ("idpf: configure resources for TX queues") +Signed-off-by: Joshua Hay +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index b4fbb99bfad20..a3d6b8f198a86 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -2159,8 +2159,13 @@ static int idpf_open(struct net_device *netdev) + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + ++ err = idpf_set_real_num_queues(vport); ++ if (err) ++ goto unlock; ++ + err = idpf_vport_open(vport); + ++unlock: + idpf_vport_ctrl_unlock(netdev); + + return err; +-- +2.39.5 + diff --git a/queue-6.12/idpf-fix-handling-rsc-packet-with-a-single-segment.patch b/queue-6.12/idpf-fix-handling-rsc-packet-with-a-single-segment.patch new file mode 100644 index 0000000000..c546864c6d --- /dev/null +++ b/queue-6.12/idpf-fix-handling-rsc-packet-with-a-single-segment.patch @@ -0,0 +1,42 @@ +From ff24164236ea2bdf3ba29275d11523c3a5f1c9f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 16:29:22 -0800 +Subject: idpf: fix handling rsc packet with a single segment + +From: Sridhar Samudrala + +[ Upstream commit 69ab25a74e2df53edc2de4acfce0a484bdb88155 ] + +Handle rsc packet with a single segment same as a multi +segment rsc packet so that CHECKSUM_PARTIAL is set in the +skb->ip_summed field. The current code is passing CHECKSUM_NONE +resulting in TCP GRO layer doing checksum in SW and hiding the +issue. This will fail when using dmabufs as payload buffers as +skb frag would be unreadable. + +Fixes: 3a8845af66ed ("idpf: add RX splitq napi poll support") +Signed-off-by: Sridhar Samudrala +Reviewed-by: Przemek Kitszel +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index 60d15b3e6e2fa..cd7c297059aed 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -3008,8 +3008,6 @@ static int idpf_rx_rsc(struct idpf_rx_queue *rxq, struct sk_buff *skb, + return -EINVAL; + + rsc_segments = DIV_ROUND_UP(skb->data_len, rsc_seg_len); +- if (unlikely(rsc_segments == 1)) +- return 0; + + NAPI_GRO_CB(skb)->count = rsc_segments; + skb_shinfo(skb)->gso_size = rsc_seg_len; +-- +2.39.5 + diff --git a/queue-6.12/idpf-record-rx-queue-in-skb-for-rsc-packets.patch b/queue-6.12/idpf-record-rx-queue-in-skb-for-rsc-packets.patch new file mode 100644 index 0000000000..b5b7fb6fbb --- /dev/null +++ b/queue-6.12/idpf-record-rx-queue-in-skb-for-rsc-packets.patch @@ -0,0 +1,46 @@ +From 6d94b2c5ec9327a83c16b32d973eb5519698c18e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 16:29:58 -0800 +Subject: idpf: record rx queue in skb for RSC packets + +From: Sridhar Samudrala + +[ Upstream commit 2ff66c2f9ea4e9311e9a00004348b6c465bd5d3b ] + +Move the call to skb_record_rx_queue in idpf_rx_process_skb_fields() +so that RX queue is recorded for RSC packets too. + +Fixes: 90912f9f4f2d ("idpf: convert header split mode to libeth + napi_build_skb()") +Signed-off-by: Sridhar Samudrala +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index cd7c297059aed..1e0d1f9b07fbc 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -3070,6 +3070,7 @@ idpf_rx_process_skb_fields(struct idpf_rx_queue *rxq, struct sk_buff *skb, + idpf_rx_hash(rxq, skb, rx_desc, decoded); + + skb->protocol = eth_type_trans(skb, rxq->netdev); ++ skb_record_rx_queue(skb, rxq->idx); + + if (le16_get_bits(rx_desc->hdrlen_flags, + VIRTCHNL2_RX_FLEX_DESC_ADV_RSC_M)) +@@ -3078,8 +3079,6 @@ idpf_rx_process_skb_fields(struct idpf_rx_queue *rxq, struct sk_buff *skb, + csum_bits = idpf_rx_splitq_extract_csum_bits(rx_desc); + idpf_rx_csum(rxq, skb, csum_bits, decoded); + +- skb_record_rx_queue(skb, rxq->idx); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/igc-fix-hw-rx-timestamp-when-passed-by-zc-xdp.patch b/queue-6.12/igc-fix-hw-rx-timestamp-when-passed-by-zc-xdp.patch new file mode 100644 index 0000000000..df096019cf --- /dev/null +++ b/queue-6.12/igc-fix-hw-rx-timestamp-when-passed-by-zc-xdp.patch @@ -0,0 +1,126 @@ +From ba6bcfa67a1089d7690ef17fcfec1f3b1f162bde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 13:26:48 +0100 +Subject: igc: Fix HW RX timestamp when passed by ZC XDP + +From: Zdenek Bouska + +[ Upstream commit 7822dd4d6d4bebca5045a395e1784ef09cae2d43 ] + +Fixes HW RX timestamp in the following scenario: +- AF_PACKET socket with enabled HW RX timestamps is created +- AF_XDP socket with enabled zero copy is created +- frame is forwarded to the BPF program, where the timestamp should + still be readable (extracted by igc_xdp_rx_timestamp(), kfunc + behind bpf_xdp_metadata_rx_timestamp()) +- the frame got XDP_PASS from BPF program, redirecting to the stack +- AF_PACKET socket receives the frame with HW RX timestamp + +Moves the skb timestamp setting from igc_dispatch_skb_zc() to +igc_construct_skb_zc() so that igc_construct_skb_zc() is similar to +igc_construct_skb(). + +This issue can also be reproduced by running: + # tools/testing/selftests/bpf/xdp_hw_metadata enp1s0 +When a frame with the wrong port 9092 (instead of 9091) is used: + # echo -n xdp | nc -u -q1 192.168.10.9 9092 +then the RX timestamp is missing and xdp_hw_metadata prints: + skb hwtstamp is not found! + +With this fix or when copy mode is used: + # tools/testing/selftests/bpf/xdp_hw_metadata -c enp1s0 +then RX timestamp is found and xdp_hw_metadata prints: + found skb hwtstamp = 1736509937.852786132 + +Fixes: 069b142f5819 ("igc: Add support for PTP .getcyclesx64()") +Signed-off-by: Zdenek Bouska +Acked-by: Vinicius Costa Gomes +Reviewed-by: Simon Horman +Reviewed-by: Florian Bezdeka +Reviewed-by: Song Yoong Siang +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 6e70bca15db1d..2e4f1bd42f2e4 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2707,8 +2707,9 @@ static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) + } + + static struct sk_buff *igc_construct_skb_zc(struct igc_ring *ring, +- struct xdp_buff *xdp) ++ struct igc_xdp_buff *ctx) + { ++ struct xdp_buff *xdp = &ctx->xdp; + unsigned int totalsize = xdp->data_end - xdp->data_meta; + unsigned int metasize = xdp->data - xdp->data_meta; + struct sk_buff *skb; +@@ -2727,27 +2728,28 @@ static struct sk_buff *igc_construct_skb_zc(struct igc_ring *ring, + __skb_pull(skb, metasize); + } + ++ if (ctx->rx_ts) { ++ skb_shinfo(skb)->tx_flags |= SKBTX_HW_TSTAMP_NETDEV; ++ skb_hwtstamps(skb)->netdev_data = ctx->rx_ts; ++ } ++ + return skb; + } + + static void igc_dispatch_skb_zc(struct igc_q_vector *q_vector, + union igc_adv_rx_desc *desc, +- struct xdp_buff *xdp, +- ktime_t timestamp) ++ struct igc_xdp_buff *ctx) + { + struct igc_ring *ring = q_vector->rx.ring; + struct sk_buff *skb; + +- skb = igc_construct_skb_zc(ring, xdp); ++ skb = igc_construct_skb_zc(ring, ctx); + if (!skb) { + ring->rx_stats.alloc_failed++; + set_bit(IGC_RING_FLAG_RX_ALLOC_FAILED, &ring->flags); + return; + } + +- if (timestamp) +- skb_hwtstamps(skb)->hwtstamp = timestamp; +- + if (igc_cleanup_headers(ring, desc, skb)) + return; + +@@ -2783,7 +2785,6 @@ static int igc_clean_rx_irq_zc(struct igc_q_vector *q_vector, const int budget) + union igc_adv_rx_desc *desc; + struct igc_rx_buffer *bi; + struct igc_xdp_buff *ctx; +- ktime_t timestamp = 0; + unsigned int size; + int res; + +@@ -2813,6 +2814,8 @@ static int igc_clean_rx_irq_zc(struct igc_q_vector *q_vector, const int budget) + */ + bi->xdp->data_meta += IGC_TS_HDR_LEN; + size -= IGC_TS_HDR_LEN; ++ } else { ++ ctx->rx_ts = NULL; + } + + bi->xdp->data_end = bi->xdp->data + size; +@@ -2821,7 +2824,7 @@ static int igc_clean_rx_irq_zc(struct igc_q_vector *q_vector, const int budget) + res = __igc_xdp_run_prog(adapter, prog, bi->xdp); + switch (res) { + case IGC_XDP_PASS: +- igc_dispatch_skb_zc(q_vector, desc, bi->xdp, timestamp); ++ igc_dispatch_skb_zc(q_vector, desc, ctx); + fallthrough; + case IGC_XDP_CONSUMED: + xsk_buff_free(bi->xdp); +-- +2.39.5 + diff --git a/queue-6.12/io_uring-uring_cmd-remove-dead-req_has_async_data-ch.patch b/queue-6.12/io_uring-uring_cmd-remove-dead-req_has_async_data-ch.patch new file mode 100644 index 0000000000..b707e81086 --- /dev/null +++ b/queue-6.12/io_uring-uring_cmd-remove-dead-req_has_async_data-ch.patch @@ -0,0 +1,36 @@ +From 28c95b11c6f911bbcda0d98c72e9aaffe081297e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:05:11 -0700 +Subject: io_uring/uring_cmd: remove dead req_has_async_data() check + +From: Jens Axboe + +[ Upstream commit 0edf1283a9d1419a2095b4fcdd95c11ac00a191c ] + +Any uring_cmd always has async data allocated now, there's no reason to +check and clear a cached copy of the SQE. + +Fixes: d10f19dff56e ("io_uring/uring_cmd: switch to always allocating async data") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/uring_cmd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c +index 874f9e2defd58..b2ce4b5610027 100644 +--- a/io_uring/uring_cmd.c ++++ b/io_uring/uring_cmd.c +@@ -65,9 +65,6 @@ bool io_uring_try_cancel_uring_cmd(struct io_ring_ctx *ctx, + continue; + + if (cmd->flags & IORING_URING_CMD_CANCELABLE) { +- /* ->sqe isn't available if no async data */ +- if (!req_has_async_data(req)) +- cmd->sqe = NULL; + file->f_op->uring_cmd(cmd, IO_URING_F_CANCEL | + IO_URING_F_COMPLETE_DEFER); + ret = true; +-- +2.39.5 + diff --git a/queue-6.12/io_uring-waitid-don-t-abuse-io_tw_state.patch b/queue-6.12/io_uring-waitid-don-t-abuse-io_tw_state.patch new file mode 100644 index 0000000000..5cf79079a2 --- /dev/null +++ b/queue-6.12/io_uring-waitid-don-t-abuse-io_tw_state.patch @@ -0,0 +1,66 @@ +From b4255fa2682da2665f96e3c382134552c24e7ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 13:33:24 +0000 +Subject: io_uring/waitid: don't abuse io_tw_state + +From: Pavel Begunkov + +[ Upstream commit 06521ac0485effdcc9c792cb0b40ed8e6f2f5fb8 ] + +struct io_tw_state is managed by core io_uring, and opcode handling code +must never try to cheat and create their own instances, it's plain +incorrect. + +io_waitid_complete() attempts exactly that outside of the task work +context, and even though the ring is locked, there would be no one to +reap the requests from the defer completion list. It only works now +because luckily it's called before io_uring_try_cancel_uring_cmd(), +which flushes completions. + +Fixes: f31ecf671ddc4 ("io_uring: add IORING_OP_WAITID support") +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/waitid.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io_uring/waitid.c b/io_uring/waitid.c +index 6362ec20abc0c..2f7b5eeab845e 100644 +--- a/io_uring/waitid.c ++++ b/io_uring/waitid.c +@@ -118,7 +118,6 @@ static int io_waitid_finish(struct io_kiocb *req, int ret) + static void io_waitid_complete(struct io_kiocb *req, int ret) + { + struct io_waitid *iw = io_kiocb_to_cmd(req, struct io_waitid); +- struct io_tw_state ts = {}; + + /* anyone completing better be holding a reference */ + WARN_ON_ONCE(!(atomic_read(&iw->refs) & IO_WAITID_REF_MASK)); +@@ -131,7 +130,6 @@ static void io_waitid_complete(struct io_kiocb *req, int ret) + if (ret < 0) + req_set_fail(req); + io_req_set_res(req, ret, 0); +- io_req_task_complete(req, &ts); + } + + static bool __io_waitid_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req) +@@ -153,6 +151,7 @@ static bool __io_waitid_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req) + list_del_init(&iwa->wo.child_wait.entry); + spin_unlock_irq(&iw->head->lock); + io_waitid_complete(req, -ECANCELED); ++ io_req_queue_tw_complete(req, -ECANCELED); + return true; + } + +@@ -258,6 +257,7 @@ static void io_waitid_cb(struct io_kiocb *req, struct io_tw_state *ts) + } + + io_waitid_complete(req, ret); ++ io_req_task_complete(req, ts); + } + + static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode, +-- +2.39.5 + diff --git a/queue-6.12/iommu-amd-expicitly-enable-cntrl.ephen-bit-in-resume.patch b/queue-6.12/iommu-amd-expicitly-enable-cntrl.ephen-bit-in-resume.patch new file mode 100644 index 0000000000..11d1309341 --- /dev/null +++ b/queue-6.12/iommu-amd-expicitly-enable-cntrl.ephen-bit-in-resume.patch @@ -0,0 +1,69 @@ +From 0ab776ed17c3faadbc7c745eed85165e396a9972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 09:44:11 +0000 +Subject: iommu/amd: Expicitly enable CNTRL.EPHEn bit in resume path + +From: Vasant Hegde + +[ Upstream commit ef75966abf950c0539534effa4960caa29fb7167 ] + +With recent kernel, AMDGPU failed to resume after suspend on certain laptop. + +Sample log: +----------- +Nov 14 11:52:19 Thinkbook kernel: iommu ivhd0: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:06:00.0 pasid=0x00000 address=0x135300000 flags=0x0080] +Nov 14 11:52:19 Thinkbook kernel: AMD-Vi: DTE[0]: 7d90000000000003 +Nov 14 11:52:19 Thinkbook kernel: AMD-Vi: DTE[1]: 0000100103fc0009 +Nov 14 11:52:19 Thinkbook kernel: AMD-Vi: DTE[2]: 2000000117840013 +Nov 14 11:52:19 Thinkbook kernel: AMD-Vi: DTE[3]: 0000000000000000 + +This is because in resume path, CNTRL[EPHEn] is not set. Fix this by +setting CNTRL[EPHEn] to 1 in resume path if EFR[EPHSUP] is set. + +Note + May be better approach is to save the control register in suspend path + and restore it in resume path instead of trying to set indivisual + bits. We will have separate patch for that. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219499 +Fixes: c4cb23111103 ("iommu/amd: Add support for enable/disable IOPF") +Tested-by: Hamish McIntyre-Bhatty +Signed-off-by: Vasant Hegde +Link: https://lore.kernel.org/r/20250127094411.5931-1-vasant.hegde@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/amd_iommu_types.h | 1 + + drivers/iommu/amd/init.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h +index 601fb4ee69009..6fb2f2919ab1f 100644 +--- a/drivers/iommu/amd/amd_iommu_types.h ++++ b/drivers/iommu/amd/amd_iommu_types.h +@@ -175,6 +175,7 @@ + #define CONTROL_GAM_EN 25 + #define CONTROL_GALOG_EN 28 + #define CONTROL_GAINT_EN 29 ++#define CONTROL_EPH_EN 45 + #define CONTROL_XT_EN 50 + #define CONTROL_INTCAPXT_EN 51 + #define CONTROL_IRTCACHEDIS 59 +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index 43131c3a21726..dbe2d13972fef 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -2647,6 +2647,10 @@ static void iommu_init_flags(struct amd_iommu *iommu) + + /* Set IOTLB invalidation timeout to 1s */ + iommu_set_inv_tlb_timeout(iommu, CTRL_INV_TO_1S); ++ ++ /* Enable Enhanced Peripheral Page Request Handling */ ++ if (check_feature(FEATURE_EPHSUP)) ++ iommu_feature_enable(iommu, CONTROL_EPH_EN); + } + + static void iommu_apply_resume_quirks(struct amd_iommu *iommu) +-- +2.39.5 + diff --git a/queue-6.12/kbuild-suppress-stdout-from-merge_config-for-silent-.patch b/queue-6.12/kbuild-suppress-stdout-from-merge_config-for-silent-.patch new file mode 100644 index 0000000000..3ac6cc588a --- /dev/null +++ b/queue-6.12/kbuild-suppress-stdout-from-merge_config-for-silent-.patch @@ -0,0 +1,84 @@ +From d7d76769d070931015e1e8798f91d914e825c6d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 19:24:41 +0900 +Subject: kbuild: suppress stdout from merge_config for silent builds + +From: Masahiro Yamada + +[ Upstream commit 1f937a4bcb0472015818f30f4d3c5546d3f09933 ] + +merge_config does not respect the Make's -s (--silent) option. + +Let's sink the stdout from merge_config for silent builds. + +This commit does not cater to the direct invocation of merge_config.sh +(e.g. arch/mips/Makefile). + +Reported-by: Leon Romanovsky +Closes: https://lore.kernel.org/all/e534ce33b0e1060eb85ece8429810f087b034c88.1733234008.git.leonro@nvidia.com/ +Signed-off-by: Masahiro Yamada +Tested-by: Leon Romanovsky +Reviewed-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/Makefile.defconf | 13 +++++++------ + scripts/kconfig/Makefile | 4 +++- + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/scripts/Makefile.defconf b/scripts/Makefile.defconf +index 226ea3df3b4b4..a44307f08e9d6 100644 +--- a/scripts/Makefile.defconf ++++ b/scripts/Makefile.defconf +@@ -1,6 +1,11 @@ + # SPDX-License-Identifier: GPL-2.0 + # Configuration heplers + ++cmd_merge_fragments = \ ++ $(srctree)/scripts/kconfig/merge_config.sh \ ++ $4 -m -O $(objtree) $(srctree)/arch/$(SRCARCH)/configs/$2 \ ++ $(foreach config,$3,$(srctree)/arch/$(SRCARCH)/configs/$(config).config) ++ + # Creates 'merged defconfigs' + # --------------------------------------------------------------------------- + # Usage: +@@ -8,9 +13,7 @@ + # + # Input config fragments without '.config' suffix + define merge_into_defconfig +- $(Q)$(CONFIG_SHELL) $(srctree)/scripts/kconfig/merge_config.sh \ +- -m -O $(objtree) $(srctree)/arch/$(SRCARCH)/configs/$(1) \ +- $(foreach config,$(2),$(srctree)/arch/$(SRCARCH)/configs/$(config).config) ++ $(call cmd,merge_fragments,$1,$2) + +$(Q)$(MAKE) -f $(srctree)/Makefile olddefconfig + endef + +@@ -22,8 +25,6 @@ endef + # + # Input config fragments without '.config' suffix + define merge_into_defconfig_override +- $(Q)$(CONFIG_SHELL) $(srctree)/scripts/kconfig/merge_config.sh \ +- -Q -m -O $(objtree) $(srctree)/arch/$(SRCARCH)/configs/$(1) \ +- $(foreach config,$(2),$(srctree)/arch/$(SRCARCH)/configs/$(config).config) ++ $(call cmd,merge_fragments,$1,$2,-Q) + +$(Q)$(MAKE) -f $(srctree)/Makefile olddefconfig + endef +diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile +index a0a0be38cbdc1..fb50bd4f4103f 100644 +--- a/scripts/kconfig/Makefile ++++ b/scripts/kconfig/Makefile +@@ -105,9 +105,11 @@ configfiles = $(wildcard $(srctree)/kernel/configs/$(1) $(srctree)/arch/$(SRCARC + all-config-fragments = $(call configfiles,*.config) + config-fragments = $(call configfiles,$@) + ++cmd_merge_fragments = $(srctree)/scripts/kconfig/merge_config.sh -m $(KCONFIG_CONFIG) $(config-fragments) ++ + %.config: $(obj)/conf + $(if $(config-fragments),, $(error $@ fragment does not exists on this architecture)) +- $(Q)$(CONFIG_SHELL) $(srctree)/scripts/kconfig/merge_config.sh -m $(KCONFIG_CONFIG) $(config-fragments) ++ $(call cmd,merge_fragments) + $(Q)$(MAKE) -f $(srctree)/Makefile olddefconfig + + PHONY += tinyconfig +-- +2.39.5 + diff --git a/queue-6.12/kbuild-use-fzero-init-padding-bits-all.patch b/queue-6.12/kbuild-use-fzero-init-padding-bits-all.patch new file mode 100644 index 0000000000..d4a59c62ae --- /dev/null +++ b/queue-6.12/kbuild-use-fzero-init-padding-bits-all.patch @@ -0,0 +1,89 @@ +From 5903b91213144ee2d26966e8d88f7092a28df8d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 11:10:28 -0800 +Subject: kbuild: Use -fzero-init-padding-bits=all + +From: Kees Cook + +[ Upstream commit dce4aab8441d285b9a78b33753e0bf583c1320ee ] + +GCC 15 introduces a regression in "= { 0 }" style initialization of +unions that Linux has depended on for eliminating uninitialized variable +contents. GCC does not seem likely to fix it[1], instead suggesting[2] +that affected projects start using -fzero-init-padding-bits=unions. + +To avoid future surprises beyond just the current situation with unions, +enable -fzero-init-padding-bits=all when available (GCC 15+). This will +correctly zero padding bits in unions and structs that might have been +left uninitialized, and will make sure there is no immediate regression +in union initializations. As seen in the stackinit KUnit selftest union +cases, which were passing before, were failing under GCC 15: + + not ok 18 test_small_start_old_zero + ok 29 test_small_start_dynamic_partial # SKIP XFAIL uninit bytes: 63 + ok 32 test_small_start_assigned_dynamic_partial # SKIP XFAIL uninit bytes: 63 + ok 67 test_small_start_static_partial # SKIP XFAIL uninit bytes: 63 + ok 70 test_small_start_static_all # SKIP XFAIL uninit bytes: 56 + ok 73 test_small_start_dynamic_all # SKIP XFAIL uninit bytes: 56 + ok 82 test_small_start_assigned_static_partial # SKIP XFAIL uninit bytes: 63 + ok 85 test_small_start_assigned_static_all # SKIP XFAIL uninit bytes: 56 + ok 88 test_small_start_assigned_dynamic_all # SKIP XFAIL uninit bytes: 56 + +The above all now pass again with -fzero-init-padding-bits=all added. + +This also fixes the following cases for struct initialization that had +been XFAIL until now because there was no compiler support beyond the +larger "-ftrivial-auto-var-init=zero" option: + + ok 38 test_small_hole_static_all # SKIP XFAIL uninit bytes: 3 + ok 39 test_big_hole_static_all # SKIP XFAIL uninit bytes: 124 + ok 40 test_trailing_hole_static_all # SKIP XFAIL uninit bytes: 7 + ok 42 test_small_hole_dynamic_all # SKIP XFAIL uninit bytes: 3 + ok 43 test_big_hole_dynamic_all # SKIP XFAIL uninit bytes: 124 + ok 44 test_trailing_hole_dynamic_all # SKIP XFAIL uninit bytes: 7 + ok 58 test_small_hole_assigned_static_all # SKIP XFAIL uninit bytes: 3 + ok 59 test_big_hole_assigned_static_all # SKIP XFAIL uninit bytes: 124 + ok 60 test_trailing_hole_assigned_static_all # SKIP XFAIL uninit bytes: 7 + ok 62 test_small_hole_assigned_dynamic_all # SKIP XFAIL uninit bytes: 3 + ok 63 test_big_hole_assigned_dynamic_all # SKIP XFAIL uninit bytes: 124 + ok 64 test_trailing_hole_assigned_dynamic_all # SKIP XFAIL uninit bytes: 7 + +All of the above now pass when built under GCC 15. Tests can be seen +with: + + ./tools/testing/kunit/kunit.py run stackinit --arch=x86_64 \ + --make_option CC=gcc-15 + +Clang continues to fully initialize these kinds of variables[3] without +additional flags. + +Suggested-by: Jakub Jelinek +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118403 [1] +Link: https://lore.kernel.org/linux-toolchains/Z0hRrrNU3Q+ro2T7@tucnak/ [2] +Link: https://github.com/llvm/llvm-project/commit/7a086e1b2dc05f54afae3591614feede727601fa [3] +Reviewed-by: Nathan Chancellor +Acked-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20250127191031.245214-3-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/Makefile.extrawarn | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn +index d75897559d184..dc081cf46d211 100644 +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -82,6 +82,9 @@ KBUILD_CFLAGS += $(call cc-option,-Werror=designated-init) + # Warn if there is an enum types mismatch + KBUILD_CFLAGS += $(call cc-option,-Wenum-conversion) + ++# Explicitly clear padding bits during variable initialization ++KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all) ++ + KBUILD_CFLAGS += -Wextra + KBUILD_CFLAGS += -Wunused + +-- +2.39.5 + diff --git a/queue-6.12/kunit-platform-resolve-struct-completion-warning.patch b/queue-6.12/kunit-platform-resolve-struct-completion-warning.patch new file mode 100644 index 0000000000..aa3c5d10a2 --- /dev/null +++ b/queue-6.12/kunit-platform-resolve-struct-completion-warning.patch @@ -0,0 +1,50 @@ +From cb24c05041b9c1f7cbef0ff7425d49ba3fb247eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 10:08:23 -0800 +Subject: kunit: platform: Resolve 'struct completion' warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Norris + +[ Upstream commit 7687c66c18c66d4ccd9949c6f641c0e7b5773483 ] + +If the header is included in a test without +certain other headers, it produces compiler warnings like: + +In file included from [...] +../include/kunit/platform_device.h:15:57: warning: ‘struct completion’ +declared inside parameter list will not be visible outside of this +definition or declaration + 15 | struct completion *x); + | ^~~~~~~~~~ + +Add a 'struct completion' forward declaration to resolve this. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202412241958.dbAImJsA-lkp@intel.com/ +Signed-off-by: Brian Norris +Reviewed-by: David Gow +Link: https://lore.kernel.org/r/20241213180841.3023843-1-briannorris@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/kunit/platform_device.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/kunit/platform_device.h b/include/kunit/platform_device.h +index 0fc0999d2420a..f8236a8536f7e 100644 +--- a/include/kunit/platform_device.h ++++ b/include/kunit/platform_device.h +@@ -2,6 +2,7 @@ + #ifndef _KUNIT_PLATFORM_DRIVER_H + #define _KUNIT_PLATFORM_DRIVER_H + ++struct completion; + struct kunit; + struct platform_device; + struct platform_driver; +-- +2.39.5 + diff --git a/queue-6.12/loongarch-csum-fix-oob-access-in-ip-checksum-code-fo.patch b/queue-6.12/loongarch-csum-fix-oob-access-in-ip-checksum-code-fo.patch new file mode 100644 index 0000000000..0689af3d7b --- /dev/null +++ b/queue-6.12/loongarch-csum-fix-oob-access-in-ip-checksum-code-fo.patch @@ -0,0 +1,42 @@ +From e0f125aa7f5390d3a150b687ae1c13dad96828a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 12:02:40 +0800 +Subject: LoongArch: csum: Fix OoB access in IP checksum code for negative + lengths + +From: Yuli Wang + +[ Upstream commit 6287f1a8c16138c2ec750953e35039634018c84a ] + +Commit 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit +system") would cause an undefined shift and an out-of-bounds read. + +Commit 8bd795fedb84 ("arm64: csum: Fix OoB access in IP checksum code +for negative lengths") fixes the same issue on ARM64. + +Fixes: 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit system") +Co-developed-by: Wentao Guan +Signed-off-by: Wentao Guan +Signed-off-by: Yuli Wang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/lib/csum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/loongarch/lib/csum.c b/arch/loongarch/lib/csum.c +index a5e84b403c3b3..df309ae4045de 100644 +--- a/arch/loongarch/lib/csum.c ++++ b/arch/loongarch/lib/csum.c +@@ -25,7 +25,7 @@ unsigned int __no_sanitize_address do_csum(const unsigned char *buff, int len) + const u64 *ptr; + u64 data, sum64 = 0; + +- if (unlikely(len == 0)) ++ if (unlikely(len <= 0)) + return 0; + + offset = (unsigned long)buff & 7; +-- +2.39.5 + diff --git a/queue-6.12/loongarch-fix-idle-vs-timer-enqueue.patch b/queue-6.12/loongarch-fix-idle-vs-timer-enqueue.patch new file mode 100644 index 0000000000..28e0af0566 --- /dev/null +++ b/queue-6.12/loongarch-fix-idle-vs-timer-enqueue.patch @@ -0,0 +1,133 @@ +From eab71c4854639570e5197de55885bbccaa899d56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 12:02:35 +0800 +Subject: LoongArch: Fix idle VS timer enqueue + +From: Marco Crivellari + +[ Upstream commit edb1942542bc538707cea221e9c7923a6270465f ] + +LoongArch re-enables interrupts on its idle routine and performs a +TIF_NEED_RESCHED check afterwards before putting the CPU to sleep. + +The IRQs firing between the check and the idle instruction may set the +TIF_NEED_RESCHED flag. In order to deal with such a race, IRQs +interrupting __arch_cpu_idle() rollback their return address to the +beginning of __arch_cpu_idle() so that TIF_NEED_RESCHED is checked +again before going back to sleep. + +However idle IRQs can also queue timers that may require a tick +reprogramming through a new generic idle loop iteration but those timers +would go unnoticed here because __arch_cpu_idle() only checks +TIF_NEED_RESCHED. It doesn't check for pending timers. + +Fix this with fast-forwarding idle IRQs return address to the end of the +idle routine instead of the beginning, so that the generic idle loop can +handle both TIF_NEED_RESCHED and pending timers. + +Fixes: 0603839b18f4 ("LoongArch: Add exception/interrupt handling") +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Frederic Weisbecker +Signed-off-by: Marco Crivellari +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/genex.S | 28 +++++++++++++++------------- + arch/loongarch/kernel/idle.c | 3 +-- + arch/loongarch/kernel/reset.c | 6 +++--- + 3 files changed, 19 insertions(+), 18 deletions(-) + +diff --git a/arch/loongarch/kernel/genex.S b/arch/loongarch/kernel/genex.S +index 86d5d90ebefe5..4f09121417818 100644 +--- a/arch/loongarch/kernel/genex.S ++++ b/arch/loongarch/kernel/genex.S +@@ -18,16 +18,19 @@ + + .align 5 + SYM_FUNC_START(__arch_cpu_idle) +- /* start of rollback region */ +- LONG_L t0, tp, TI_FLAGS +- nop +- andi t0, t0, _TIF_NEED_RESCHED +- bnez t0, 1f +- nop +- nop +- nop ++ /* start of idle interrupt region */ ++ ori t0, zero, CSR_CRMD_IE ++ /* idle instruction needs irq enabled */ ++ csrxchg t0, t0, LOONGARCH_CSR_CRMD ++ /* ++ * If an interrupt lands here; between enabling interrupts above and ++ * going idle on the next instruction, we must *NOT* go idle since the ++ * interrupt could have set TIF_NEED_RESCHED or caused an timer to need ++ * reprogramming. Fall through -- see handle_vint() below -- and have ++ * the idle loop take care of things. ++ */ + idle 0 +- /* end of rollback region */ ++ /* end of idle interrupt region */ + 1: jr ra + SYM_FUNC_END(__arch_cpu_idle) + +@@ -35,11 +38,10 @@ SYM_CODE_START(handle_vint) + UNWIND_HINT_UNDEFINED + BACKUP_T0T1 + SAVE_ALL +- la_abs t1, __arch_cpu_idle ++ la_abs t1, 1b + LONG_L t0, sp, PT_ERA +- /* 32 byte rollback region */ +- ori t0, t0, 0x1f +- xori t0, t0, 0x1f ++ /* 3 instructions idle interrupt region */ ++ ori t0, t0, 0b1100 + bne t0, t1, 1f + LONG_S t0, sp, PT_ERA + 1: move a0, sp +diff --git a/arch/loongarch/kernel/idle.c b/arch/loongarch/kernel/idle.c +index 0b5dd2faeb90b..54b247d8cdb69 100644 +--- a/arch/loongarch/kernel/idle.c ++++ b/arch/loongarch/kernel/idle.c +@@ -11,7 +11,6 @@ + + void __cpuidle arch_cpu_idle(void) + { +- raw_local_irq_enable(); +- __arch_cpu_idle(); /* idle instruction needs irq enabled */ ++ __arch_cpu_idle(); + raw_local_irq_disable(); + } +diff --git a/arch/loongarch/kernel/reset.c b/arch/loongarch/kernel/reset.c +index 1ef8c63835351..de8fa5a8a825c 100644 +--- a/arch/loongarch/kernel/reset.c ++++ b/arch/loongarch/kernel/reset.c +@@ -33,7 +33,7 @@ void machine_halt(void) + console_flush_on_panic(CONSOLE_FLUSH_PENDING); + + while (true) { +- __arch_cpu_idle(); ++ __asm__ __volatile__("idle 0" : : : "memory"); + } + } + +@@ -53,7 +53,7 @@ void machine_power_off(void) + #endif + + while (true) { +- __arch_cpu_idle(); ++ __asm__ __volatile__("idle 0" : : : "memory"); + } + } + +@@ -74,6 +74,6 @@ void machine_restart(char *command) + acpi_reboot(); + + while (true) { +- __arch_cpu_idle(); ++ __asm__ __volatile__("idle 0" : : : "memory"); + } + } +-- +2.39.5 + diff --git a/queue-6.12/loongarch-kvm-fix-typo-issue-about-gcfg-feature-dete.patch b/queue-6.12/loongarch-kvm-fix-typo-issue-about-gcfg-feature-dete.patch new file mode 100644 index 0000000000..fce188e337 --- /dev/null +++ b/queue-6.12/loongarch-kvm-fix-typo-issue-about-gcfg-feature-dete.patch @@ -0,0 +1,40 @@ +From 5b4707704f59e58edd90e59783dd9b9514e55818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 12:02:56 +0800 +Subject: LoongArch: KVM: Fix typo issue about GCFG feature detection + +From: Bibo Mao + +[ Upstream commit bdb13252e5d1518823b81f458d9975c85d5240c2 ] + +This is typo issue and misusage about GCFG feature macro. The code +is wrong, only that it does not cause obvious problem since GCFG is +set again on vCPU context switch. + +Fixes: 0d0df3c99d4f ("LoongArch: KVM: Implement kvm hardware enable, disable interface") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kvm/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/loongarch/kvm/main.c b/arch/loongarch/kvm/main.c +index 27e9b94c0a0b6..7e8f5d6829ef0 100644 +--- a/arch/loongarch/kvm/main.c ++++ b/arch/loongarch/kvm/main.c +@@ -283,9 +283,9 @@ int kvm_arch_enable_virtualization_cpu(void) + * TOE=0: Trap on Exception. + * TIT=0: Trap on Timer. + */ +- if (env & CSR_GCFG_GCIP_ALL) ++ if (env & CSR_GCFG_GCIP_SECURE) + gcfg |= CSR_GCFG_GCI_SECURE; +- if (env & CSR_GCFG_MATC_ROOT) ++ if (env & CSR_GCFG_MATP_ROOT) + gcfg |= CSR_GCFG_MATC_ROOT; + + write_csr_gcfg(gcfg); +-- +2.39.5 + diff --git a/queue-6.12/media-bcm2835-unicam-disable-trigger-mode-operation.patch b/queue-6.12/media-bcm2835-unicam-disable-trigger-mode-operation.patch new file mode 100644 index 0000000000..a64c101e75 --- /dev/null +++ b/queue-6.12/media-bcm2835-unicam-disable-trigger-mode-operation.patch @@ -0,0 +1,57 @@ +From 6162f425245179521d26a40827676b30fed102f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 11:15:14 +0000 +Subject: media: bcm2835-unicam: Disable trigger mode operation + +From: Naushir Patuck + +[ Upstream commit 697a252bb2ea414cc1c0b4cf4e3d94a879eaf162 ] + +The imx219/imx708 sensors frequently generate a single corrupt frame +(image or embedded data) when the sensor first starts. This can either +be a missing line, or invalid samples within the line. This only occurrs +using the upstream Unicam kernel driver. + +Disabling trigger mode elimiates this corruption. Since trigger mode is +a legacy feature copied from the firmware driver and not expected to be +needed, remove it. Tested on the Raspberry Pi cameras and shows no ill +effects. + +Signed-off-by: Naushir Patuck +Reviewed-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/broadcom/bcm2835-unicam.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/media/platform/broadcom/bcm2835-unicam.c b/drivers/media/platform/broadcom/bcm2835-unicam.c +index a1d93c14553d8..9f81e1582a300 100644 +--- a/drivers/media/platform/broadcom/bcm2835-unicam.c ++++ b/drivers/media/platform/broadcom/bcm2835-unicam.c +@@ -816,11 +816,6 @@ static irqreturn_t unicam_isr(int irq, void *dev) + } + } + +- if (unicam_reg_read(unicam, UNICAM_ICTL) & UNICAM_FCM) { +- /* Switch out of trigger mode if selected */ +- unicam_reg_write_field(unicam, UNICAM_ICTL, 1, UNICAM_TFC); +- unicam_reg_write_field(unicam, UNICAM_ICTL, 0, UNICAM_FCM); +- } + return IRQ_HANDLED; + } + +@@ -984,8 +979,7 @@ static void unicam_start_rx(struct unicam_device *unicam, + + unicam_reg_write_field(unicam, UNICAM_ANA, 0, UNICAM_DDL); + +- /* Always start in trigger frame capture mode (UNICAM_FCM set) */ +- val = UNICAM_FSIE | UNICAM_FEIE | UNICAM_FCM | UNICAM_IBOB; ++ val = UNICAM_FSIE | UNICAM_FEIE | UNICAM_IBOB; + line_int_freq = max(fmt->height >> 2, 128); + unicam_set_field(&val, line_int_freq, UNICAM_LCIE_MASK); + unicam_reg_write(unicam, UNICAM_ICTL, val); +-- +2.39.5 + diff --git a/queue-6.12/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch b/queue-6.12/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch new file mode 100644 index 0000000000..abfd914027 --- /dev/null +++ b/queue-6.12/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch @@ -0,0 +1,53 @@ +From 62a6629b3a49a7bccb11cb467aca9dd78b5e8a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 11:41:42 +0100 +Subject: media: cxd2841er: fix 64-bit division on gcc-9 + +From: Arnd Bergmann + +[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] + +It appears that do_div() once more gets confused by a complex +expression that ends up not quite being constant despite +__builtin_constant_p() thinking it is: + +ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! + +Use div_u64() instead, forcing the expression to be evaluated +first, and making it a bit more readable. + +Cc: Dan Carpenter +Reported-by: Naresh Kamboju +Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/ +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[hverkuil: added Closes tags] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c +index d925ca24183b5..415f1f91cc307 100644 +--- a/drivers/media/dvb-frontends/cxd2841er.c ++++ b/drivers/media/dvb-frontends/cxd2841er.c +@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, + + static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) + { +- u64 tmp; +- +- tmp = (u64) ifhz * 16777216; +- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); +- +- return (u32) tmp; ++ return div_u64(ifhz * 16777216ull, ++ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); + } + + static u32 cxd2841er_calc_iffreq(u32 ifhz) +-- +2.39.5 + diff --git a/queue-6.12/media-i2c-ds90ub913-add-error-handling-to-ub913_hw_i.patch b/queue-6.12/media-i2c-ds90ub913-add-error-handling-to-ub913_hw_i.patch new file mode 100644 index 0000000000..782d36aa2f --- /dev/null +++ b/queue-6.12/media-i2c-ds90ub913-add-error-handling-to-ub913_hw_i.patch @@ -0,0 +1,76 @@ +From ad74750ed98327e044bff48e222924a6e6a3c470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 10:26:49 +0200 +Subject: media: i2c: ds90ub913: Add error handling to ub913_hw_init() + +From: Tomi Valkeinen + +[ Upstream commit acd8f58d7a3bce0fbd3263961cd09555c00464ba ] + +Add error handling to ub913_hw_init() using a new helper function, +ub913_update_bits(). + +Reported-by: Sakari Ailus +Closes: https://lore.kernel.org/all/Zv40EQSR__JDN_0M@kekkonen.localdomain/ +Reviewed-by: Jai Luthra +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ds90ub913.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/ds90ub913.c b/drivers/media/i2c/ds90ub913.c +index b5375d7366299..7670d6c82d923 100644 +--- a/drivers/media/i2c/ds90ub913.c ++++ b/drivers/media/i2c/ds90ub913.c +@@ -8,6 +8,7 @@ + * Copyright (c) 2023 Tomi Valkeinen + */ + ++#include + #include + #include + #include +@@ -146,6 +147,19 @@ static int ub913_write(const struct ub913_data *priv, u8 reg, u8 val) + return ret; + } + ++static int ub913_update_bits(const struct ub913_data *priv, u8 reg, u8 mask, ++ u8 val) ++{ ++ int ret; ++ ++ ret = regmap_update_bits(priv->regmap, reg, mask, val); ++ if (ret < 0) ++ dev_err(&priv->client->dev, ++ "Cannot update register 0x%02x %d!\n", reg, ret); ++ ++ return ret; ++} ++ + /* + * GPIO chip + */ +@@ -733,10 +747,13 @@ static int ub913_hw_init(struct ub913_data *priv) + if (ret) + return dev_err_probe(dev, ret, "i2c master init failed\n"); + +- ub913_read(priv, UB913_REG_GENERAL_CFG, &v); +- v &= ~UB913_REG_GENERAL_CFG_PCLK_RISING; +- v |= priv->pclk_polarity_rising ? UB913_REG_GENERAL_CFG_PCLK_RISING : 0; +- ub913_write(priv, UB913_REG_GENERAL_CFG, v); ++ ret = ub913_update_bits(priv, UB913_REG_GENERAL_CFG, ++ UB913_REG_GENERAL_CFG_PCLK_RISING, ++ FIELD_PREP(UB913_REG_GENERAL_CFG_PCLK_RISING, ++ priv->pclk_polarity_rising)); ++ ++ if (ret) ++ return ret; + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/media-i2c-ds90ub953-add-error-handling-for-i2c-reads.patch b/queue-6.12/media-i2c-ds90ub953-add-error-handling-for-i2c-reads.patch new file mode 100644 index 0000000000..718796ca84 --- /dev/null +++ b/queue-6.12/media-i2c-ds90ub953-add-error-handling-for-i2c-reads.patch @@ -0,0 +1,119 @@ +From 12956bdabfa937b4bede5ddf83bdc7c3fc93fa5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 10:26:50 +0200 +Subject: media: i2c: ds90ub953: Add error handling for i2c reads/writes + +From: Tomi Valkeinen + +[ Upstream commit 0794c43ea1e451007e80246e1288ebbf44139397 ] + +Add error handling for i2c reads/writes in various places. + +Reported-by: Sakari Ailus +Closes: https://lore.kernel.org/all/Zv40EQSR__JDN_0M@kekkonen.localdomain/ +Reviewed-by: Jai Luthra +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ds90ub953.c | 46 ++++++++++++++++++++++++----------- + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/i2c/ds90ub953.c b/drivers/media/i2c/ds90ub953.c +index 10daecf6f4579..f0bad3e64f23d 100644 +--- a/drivers/media/i2c/ds90ub953.c ++++ b/drivers/media/i2c/ds90ub953.c +@@ -398,8 +398,13 @@ static int ub953_gpiochip_probe(struct ub953_data *priv) + int ret; + + /* Set all GPIOs to local input mode */ +- ub953_write(priv, UB953_REG_LOCAL_GPIO_DATA, 0); +- ub953_write(priv, UB953_REG_GPIO_INPUT_CTRL, 0xf); ++ ret = ub953_write(priv, UB953_REG_LOCAL_GPIO_DATA, 0); ++ if (ret) ++ return ret; ++ ++ ret = ub953_write(priv, UB953_REG_GPIO_INPUT_CTRL, 0xf); ++ if (ret) ++ return ret; + + gc->label = dev_name(dev); + gc->parent = dev; +@@ -961,10 +966,11 @@ static void ub953_calc_clkout_params(struct ub953_data *priv, + clkout_data->rate = clkout_rate; + } + +-static void ub953_write_clkout_regs(struct ub953_data *priv, +- const struct ub953_clkout_data *clkout_data) ++static int ub953_write_clkout_regs(struct ub953_data *priv, ++ const struct ub953_clkout_data *clkout_data) + { + u8 clkout_ctrl0, clkout_ctrl1; ++ int ret; + + if (priv->hw_data->is_ub971) + clkout_ctrl0 = clkout_data->m; +@@ -974,8 +980,15 @@ static void ub953_write_clkout_regs(struct ub953_data *priv, + + clkout_ctrl1 = clkout_data->n; + +- ub953_write(priv, UB953_REG_CLKOUT_CTRL0, clkout_ctrl0); +- ub953_write(priv, UB953_REG_CLKOUT_CTRL1, clkout_ctrl1); ++ ret = ub953_write(priv, UB953_REG_CLKOUT_CTRL0, clkout_ctrl0); ++ if (ret) ++ return ret; ++ ++ ret = ub953_write(priv, UB953_REG_CLKOUT_CTRL1, clkout_ctrl1); ++ if (ret) ++ return ret; ++ ++ return 0; + } + + static unsigned long ub953_clkout_recalc_rate(struct clk_hw *hw, +@@ -1055,9 +1068,7 @@ static int ub953_clkout_set_rate(struct clk_hw *hw, unsigned long rate, + dev_dbg(&priv->client->dev, "%s %lu (requested %lu)\n", __func__, + clkout_data.rate, rate); + +- ub953_write_clkout_regs(priv, &clkout_data); +- +- return 0; ++ return ub953_write_clkout_regs(priv, &clkout_data); + } + + static const struct clk_ops ub953_clkout_ops = { +@@ -1082,7 +1093,9 @@ static int ub953_register_clkout(struct ub953_data *priv) + + /* Initialize clkout to 25MHz by default */ + ub953_calc_clkout_params(priv, UB953_DEFAULT_CLKOUT_RATE, &clkout_data); +- ub953_write_clkout_regs(priv, &clkout_data); ++ ret = ub953_write_clkout_regs(priv, &clkout_data); ++ if (ret) ++ return ret; + + priv->clkout_clk_hw.init = &init; + +@@ -1229,10 +1242,15 @@ static int ub953_hw_init(struct ub953_data *priv) + if (ret) + return dev_err_probe(dev, ret, "i2c init failed\n"); + +- ub953_write(priv, UB953_REG_GENERAL_CFG, +- (priv->non_continous_clk ? 0 : UB953_REG_GENERAL_CFG_CONT_CLK) | +- ((priv->num_data_lanes - 1) << UB953_REG_GENERAL_CFG_CSI_LANE_SEL_SHIFT) | +- UB953_REG_GENERAL_CFG_CRC_TX_GEN_ENABLE); ++ v = 0; ++ v |= priv->non_continous_clk ? 0 : UB953_REG_GENERAL_CFG_CONT_CLK; ++ v |= (priv->num_data_lanes - 1) << ++ UB953_REG_GENERAL_CFG_CSI_LANE_SEL_SHIFT; ++ v |= UB953_REG_GENERAL_CFG_CRC_TX_GEN_ENABLE; ++ ++ ret = ub953_write(priv, UB953_REG_GENERAL_CFG, v); ++ if (ret) ++ return ret; + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/media-uvcvideo-add-kurokesu-c1-pro-camera.patch b/queue-6.12/media-uvcvideo-add-kurokesu-c1-pro-camera.patch new file mode 100644 index 0000000000..f688cb87d0 --- /dev/null +++ b/queue-6.12/media-uvcvideo-add-kurokesu-c1-pro-camera.patch @@ -0,0 +1,46 @@ +From 558e0d84640421c1ff790ba47f83860e9c035e1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 11:13:51 +0000 +Subject: media: uvcvideo: Add Kurokesu C1 PRO camera + +From: Isaac Scott + +[ Upstream commit 2762eab6d4140781840f253f9a04b8627017248b ] + +Add support for the Kurokesu C1 PRO camera. This camera experiences the +same issues faced by the Sonix Technology Co. 292A IPC AR0330. As such, +enable the UVC_QUIRK_MJPEG_NO_EOF quirk for this device to prevent +frames from being erroneously dropped. + +Signed-off-by: Isaac Scott +Reviewed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 250c118e01bd4..4d8e00b425f44 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2846,6 +2846,15 @@ static const struct usb_device_id uvc_ids[] = { + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax }, ++ /* Kurokesu C1 PRO */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x16d0, ++ .idProduct = 0x0ed1, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_MJPEG_NO_EOF) }, + /* Syntek (HP Spartan) */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +-- +2.39.5 + diff --git a/queue-6.12/media-uvcvideo-add-new-quirk-definition-for-the-soni.patch b/queue-6.12/media-uvcvideo-add-new-quirk-definition-for-the-soni.patch new file mode 100644 index 0000000000..6ce77fefa5 --- /dev/null +++ b/queue-6.12/media-uvcvideo-add-new-quirk-definition-for-the-soni.patch @@ -0,0 +1,49 @@ +From 446fe9a81039e91d5b983b0f6a34ab0e9895b6f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 14:51:44 +0000 +Subject: media: uvcvideo: Add new quirk definition for the Sonix Technology + Co. 292a camera + +From: Isaac Scott + +[ Upstream commit 81f8c0e138c43610cf09b8d2a533068aa58e538e ] + +The Sonix Technology Co. 292A camera (which uses an AR0330 sensor), can +produce MJPEG and H.264 streams concurrently. When doing so, it drops +the last packets of MJPEG frames every time the H.264 stream generates a +key frame. Set the UVC_QUIRK_MJPEG_NO_EOF quirk to work around the +issue. + +Reviewed-by: Laurent Pinchart +Signed-off-by: Isaac Scott +Link: https://lore.kernel.org/r/20241128145144.61475-3-isaac.scott@ideasonboard.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index d832aa55056f3..250c118e01bd4 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2809,6 +2809,15 @@ static const struct usb_device_id uvc_ids[] = { + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax }, ++ /* Sonix Technology Co. Ltd. - 292A IPC AR0330 */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x0c45, ++ .idProduct = 0x6366, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_MJPEG_NO_EOF) }, + /* MT6227 */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +-- +2.39.5 + diff --git a/queue-6.12/media-uvcvideo-implement-dual-stream-quirk-to-fix-lo.patch b/queue-6.12/media-uvcvideo-implement-dual-stream-quirk-to-fix-lo.patch new file mode 100644 index 0000000000..4ab739ffb6 --- /dev/null +++ b/queue-6.12/media-uvcvideo-implement-dual-stream-quirk-to-fix-lo.patch @@ -0,0 +1,106 @@ +From 5bdaab1217679ba9cf3d03a34479e878d9639fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 14:51:43 +0000 +Subject: media: uvcvideo: Implement dual stream quirk to fix loss of usb + packets + +From: Isaac Scott + +[ Upstream commit c2eda35e675b6ea4a0a21a4b1167b121571a9036 ] + +Some cameras, such as the Sonix Technology Co. 292A, exhibit issues when +running two parallel streams, causing USB packets to be dropped when an +H.264 stream posts a keyframe while an MJPEG stream is running +simultaneously. This occasionally causes the driver to erroneously +output two consecutive JPEG images as a single frame. + +To fix this, we inspect the buffer, and trigger a new frame when we +find an SOI. + +Signed-off-by: Isaac Scott +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20241128145144.61475-2-isaac.scott@ideasonboard.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 27 ++++++++++++++++++++++++++- + drivers/media/usb/uvc/uvcvideo.h | 1 + + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index d2fe01bcd209e..eab7b8f557305 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -20,6 +20,7 @@ + #include + #include + ++#include + #include + + #include "uvcvideo.h" +@@ -1137,6 +1138,7 @@ static void uvc_video_stats_stop(struct uvc_streaming *stream) + static int uvc_video_decode_start(struct uvc_streaming *stream, + struct uvc_buffer *buf, const u8 *data, int len) + { ++ u8 header_len; + u8 fid; + + /* +@@ -1150,6 +1152,7 @@ static int uvc_video_decode_start(struct uvc_streaming *stream, + return -EINVAL; + } + ++ header_len = data[0]; + fid = data[1] & UVC_STREAM_FID; + + /* +@@ -1231,9 +1234,31 @@ static int uvc_video_decode_start(struct uvc_streaming *stream, + return -EAGAIN; + } + ++ /* ++ * Some cameras, when running two parallel streams (one MJPEG alongside ++ * another non-MJPEG stream), are known to lose the EOF packet for a frame. ++ * We can detect the end of a frame by checking for a new SOI marker, as ++ * the SOI always lies on the packet boundary between two frames for ++ * these devices. ++ */ ++ if (stream->dev->quirks & UVC_QUIRK_MJPEG_NO_EOF && ++ (stream->cur_format->fcc == V4L2_PIX_FMT_MJPEG || ++ stream->cur_format->fcc == V4L2_PIX_FMT_JPEG)) { ++ const u8 *packet = data + header_len; ++ ++ if (len >= header_len + 2 && ++ packet[0] == 0xff && packet[1] == JPEG_MARKER_SOI && ++ buf->bytesused != 0) { ++ buf->state = UVC_BUF_STATE_READY; ++ buf->error = 1; ++ stream->last_fid ^= UVC_STREAM_FID; ++ return -EAGAIN; ++ } ++ } ++ + stream->last_fid = fid; + +- return data[0]; ++ return header_len; + } + + static inline enum dma_data_direction uvc_stream_dir( +diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h +index 272dc9cf01ee7..74ac2106f08e2 100644 +--- a/drivers/media/usb/uvc/uvcvideo.h ++++ b/drivers/media/usb/uvc/uvcvideo.h +@@ -76,6 +76,7 @@ + #define UVC_QUIRK_NO_RESET_RESUME 0x00004000 + #define UVC_QUIRK_DISABLE_AUTOSUSPEND 0x00008000 + #define UVC_QUIRK_INVALID_DEVICE_SOF 0x00010000 ++#define UVC_QUIRK_MJPEG_NO_EOF 0x00020000 + + /* Format flags */ + #define UVC_FMT_FLAG_COMPRESSED 0x00000001 +-- +2.39.5 + diff --git a/queue-6.12/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch b/queue-6.12/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch new file mode 100644 index 0000000000..d3657a23b9 --- /dev/null +++ b/queue-6.12/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch @@ -0,0 +1,96 @@ +From 8a9dc3c95714ecefe9948535bd3ef394ef73e44a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 18:50:39 +0800 +Subject: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread + +From: Edward Adam Davis + +[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ] + +syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] + +If dvb->mux is not initialized successfully by vidtv_mux_init() in the +vidtv_start_streaming(), it will trigger null pointer dereference about mux +in vidtv_mux_stop_thread(). + +Adjust the timing of streaming initialization and check it before +stopping it. + +[1] +KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] +CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 +Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 +RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 +RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 +RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 +R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 +FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline] + vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 + dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 + dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 + dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 + dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] + dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 + __fput+0x3f8/0xb60 fs/file_table.c:450 + task_work_run+0x14e/0x250 kernel/task_work.c:239 + get_signal+0x1d3/0x2610 kernel/signal.c:2790 + arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop kernel/entry/common.c:111 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 + do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +index 613949df897d3..6d964e392d313 100644 +--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +@@ -191,10 +191,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb) + + mux_args.mux_buf_sz = mux_buf_sz; + +- dvb->streaming = true; + dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args); + if (!dvb->mux) + return -ENOMEM; ++ ++ dvb->streaming = true; + vidtv_mux_start_thread(dvb->mux); + + dev_dbg_ratelimited(dev, "Started streaming\n"); +@@ -205,6 +206,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb) + { + struct device *dev = &dvb->pdev->dev; + ++ if (!dvb->streaming) { ++ dev_warn_ratelimited(dev, "No streaming. Skipping.\n"); ++ return 0; ++ } ++ + dvb->streaming = false; + vidtv_mux_stop_thread(dvb->mux); + vidtv_mux_destroy(dvb->mux); +-- +2.39.5 + diff --git a/queue-6.12/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch b/queue-6.12/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch new file mode 100644 index 0000000000..2a57f108eb --- /dev/null +++ b/queue-6.12/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch @@ -0,0 +1,41 @@ +From ff51bd6fc989b151f0e2669ac994ff8959f78467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:58:33 +0000 +Subject: ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() + +From: Eric Dumazet + +[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ] + +ndisc_send_redirect() is called under RCU protection, not RTNL. + +It must use dev_get_by_index_rcu() instead of __dev_get_by_index() + +Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect") +Signed-off-by: Eric Dumazet +Cc: Stephen Suryaputra +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index d044c67019de6..264b10a947577 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1694,7 +1694,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) + bool ret; + + if (netif_is_l3_master(skb->dev)) { +- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif); ++ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif); + if (!dev) + return; + } +-- +2.39.5 + diff --git a/queue-6.12/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch b/queue-6.12/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch new file mode 100644 index 0000000000..fa53d56620 --- /dev/null +++ b/queue-6.12/net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch @@ -0,0 +1,94 @@ +From ca03c9526ce582513659793a256e477e17e709f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 16:52:15 +0200 +Subject: net: ethernet: ti: am65-cpsw: fix memleak in certain XDP cases + +From: Roger Quadros + +[ Upstream commit 5db843258de1e4e6b1ef1cbd1797923c9e3de548 ] + +If the XDP program doesn't result in XDP_PASS then we leak the +memory allocated by am65_cpsw_build_skb(). + +It is pointless to allocate SKB memory before running the XDP +program as we would be wasting CPU cycles for cases other than XDP_PASS. +Move the SKB allocation after evaluating the XDP program result. + +This fixes the memleak. A performance boost is seen for XDP_DROP test. + +XDP_DROP test: +Before: 460256 rx/s 0 err/s +After: 784130 rx/s 0 err/s + +Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support") +Signed-off-by: Roger Quadros +Link: https://patch.msgid.link/20250210-am65-cpsw-xdp-fixes-v1-1-ec6b1f7f1aca@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 26 ++++++++++++------------ + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 3c0d067c36099..14df3c0141679 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -599,7 +599,8 @@ static void am65_cpsw_nuss_tx_cleanup(void *data, dma_addr_t desc_dma) + + static struct sk_buff *am65_cpsw_build_skb(void *page_addr, + struct net_device *ndev, +- unsigned int len) ++ unsigned int len, ++ unsigned int headroom) + { + struct sk_buff *skb; + +@@ -609,7 +610,7 @@ static struct sk_buff *am65_cpsw_build_skb(void *page_addr, + if (unlikely(!skb)) + return NULL; + +- skb_reserve(skb, AM65_CPSW_HEADROOM); ++ skb_reserve(skb, headroom); + skb->dev = ndev; + + return skb; +@@ -1191,16 +1192,8 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow, + dev_dbg(dev, "%s rx csum_info:%#x\n", __func__, csum_info); + + dma_unmap_single(rx_chn->dma_dev, buf_dma, buf_dma_len, DMA_FROM_DEVICE); +- + k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx); + +- skb = am65_cpsw_build_skb(page_addr, ndev, +- AM65_CPSW_MAX_PACKET_SIZE); +- if (unlikely(!skb)) { +- new_page = page; +- goto requeue; +- } +- + if (port->xdp_prog) { + xdp_init_buff(&xdp, PAGE_SIZE, &port->xdp_rxq[flow->id]); + xdp_prepare_buff(&xdp, page_addr, AM65_CPSW_HEADROOM, +@@ -1210,9 +1203,16 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow, + if (*xdp_state != AM65_CPSW_XDP_PASS) + goto allocate; + +- /* Compute additional headroom to be reserved */ +- headroom = (xdp.data - xdp.data_hard_start) - skb_headroom(skb); +- skb_reserve(skb, headroom); ++ headroom = xdp.data - xdp.data_hard_start; ++ } else { ++ headroom = AM65_CPSW_HEADROOM; ++ } ++ ++ skb = am65_cpsw_build_skb(page_addr, ndev, ++ AM65_CPSW_MAX_PACKET_SIZE, headroom); ++ if (unlikely(!skb)) { ++ new_page = page; ++ goto requeue; + } + + ndev_priv = netdev_priv(ndev); +-- +2.39.5 + diff --git a/queue-6.12/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch b/queue-6.12/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch new file mode 100644 index 0000000000..df292ab77b --- /dev/null +++ b/queue-6.12/net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch @@ -0,0 +1,57 @@ +From 4d639b976f99f9b3891fd022cf2c33d0b4d888a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 16:52:17 +0200 +Subject: net: ethernet: ti: am65_cpsw: fix tx_cleanup for XDP case + +From: Roger Quadros + +[ Upstream commit 4542536f664f752db5feba2c5998b165933c34f2 ] + +For XDP transmit case, swdata doesn't contain SKB but the +XDP Frame. Infer the correct swdata based on buffer type +and return the XDP Frame for XDP transmit case. + +Signed-off-by: Roger Quadros +Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support") +Link: https://patch.msgid.link/20250210-am65-cpsw-xdp-fixes-v1-3-ec6b1f7f1aca@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 14df3c0141679..3e090f87f97eb 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -585,16 +585,24 @@ static void am65_cpsw_nuss_xmit_free(struct am65_cpsw_tx_chn *tx_chn, + static void am65_cpsw_nuss_tx_cleanup(void *data, dma_addr_t desc_dma) + { + struct am65_cpsw_tx_chn *tx_chn = data; ++ enum am65_cpsw_tx_buf_type buf_type; + struct cppi5_host_desc_t *desc_tx; ++ struct xdp_frame *xdpf; + struct sk_buff *skb; + void **swdata; + + desc_tx = k3_cppi_desc_pool_dma2virt(tx_chn->desc_pool, desc_dma); + swdata = cppi5_hdesc_get_swdata(desc_tx); +- skb = *(swdata); +- am65_cpsw_nuss_xmit_free(tx_chn, desc_tx); ++ buf_type = am65_cpsw_nuss_buf_type(tx_chn, desc_dma); ++ if (buf_type == AM65_CPSW_TX_BUF_TYPE_SKB) { ++ skb = *(swdata); ++ dev_kfree_skb_any(skb); ++ } else { ++ xdpf = *(swdata); ++ xdp_return_frame(xdpf); ++ } + +- dev_kfree_skb_any(skb); ++ am65_cpsw_nuss_xmit_free(tx_chn, desc_tx); + } + + static struct sk_buff *am65_cpsw_build_skb(void *page_addr, +-- +2.39.5 + diff --git a/queue-6.12/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch b/queue-6.12/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch new file mode 100644 index 0000000000..debfcb159e --- /dev/null +++ b/queue-6.12/net-fib_rules-annotate-data-races-around-rule-io-ifi.patch @@ -0,0 +1,102 @@ +From 123d246f4eb0a58e88620901dd7a46a6a822b71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 08:30:51 +0000 +Subject: net: fib_rules: annotate data-races around rule->[io]ifindex + +From: Eric Dumazet + +[ Upstream commit cb827db50a88aebec516151681adb6db10b688ee ] + +rule->iifindex and rule->oifindex can be read without holding RTNL. + +Add READ_ONCE()/WRITE_ONCE() annotations where needed. + +Fixes: 32affa5578f0 ("fib: rules: no longer hold RTNL in fib_nl_dumprule()") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250206083051.2494877-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/fib_rules.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index 154a2681f55cc..388ff1d6d86b7 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -37,8 +37,8 @@ static const struct fib_kuid_range fib_kuid_range_unset = { + + bool fib_rule_matchall(const struct fib_rule *rule) + { +- if (rule->iifindex || rule->oifindex || rule->mark || rule->tun_id || +- rule->flags) ++ if (READ_ONCE(rule->iifindex) || READ_ONCE(rule->oifindex) || ++ rule->mark || rule->tun_id || rule->flags) + return false; + if (rule->suppress_ifgroup != -1 || rule->suppress_prefixlen != -1) + return false; +@@ -260,12 +260,14 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops, + struct flowi *fl, int flags, + struct fib_lookup_arg *arg) + { +- int ret = 0; ++ int iifindex, oifindex, ret = 0; + +- if (rule->iifindex && (rule->iifindex != fl->flowi_iif)) ++ iifindex = READ_ONCE(rule->iifindex); ++ if (iifindex && (iifindex != fl->flowi_iif)) + goto out; + +- if (rule->oifindex && (rule->oifindex != fl->flowi_oif)) ++ oifindex = READ_ONCE(rule->oifindex); ++ if (oifindex && (oifindex != fl->flowi_oif)) + goto out; + + if ((rule->mark ^ fl->flowi_mark) & rule->mark_mask) +@@ -1038,14 +1040,14 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule, + if (rule->iifname[0]) { + if (nla_put_string(skb, FRA_IIFNAME, rule->iifname)) + goto nla_put_failure; +- if (rule->iifindex == -1) ++ if (READ_ONCE(rule->iifindex) == -1) + frh->flags |= FIB_RULE_IIF_DETACHED; + } + + if (rule->oifname[0]) { + if (nla_put_string(skb, FRA_OIFNAME, rule->oifname)) + goto nla_put_failure; +- if (rule->oifindex == -1) ++ if (READ_ONCE(rule->oifindex) == -1) + frh->flags |= FIB_RULE_OIF_DETACHED; + } + +@@ -1217,10 +1219,10 @@ static void attach_rules(struct list_head *rules, struct net_device *dev) + list_for_each_entry(rule, rules, list) { + if (rule->iifindex == -1 && + strcmp(dev->name, rule->iifname) == 0) +- rule->iifindex = dev->ifindex; ++ WRITE_ONCE(rule->iifindex, dev->ifindex); + if (rule->oifindex == -1 && + strcmp(dev->name, rule->oifname) == 0) +- rule->oifindex = dev->ifindex; ++ WRITE_ONCE(rule->oifindex, dev->ifindex); + } + } + +@@ -1230,9 +1232,9 @@ static void detach_rules(struct list_head *rules, struct net_device *dev) + + list_for_each_entry(rule, rules, list) { + if (rule->iifindex == dev->ifindex) +- rule->iifindex = -1; ++ WRITE_ONCE(rule->iifindex, -1); + if (rule->oifindex == dev->ifindex) +- rule->oifindex = -1; ++ WRITE_ONCE(rule->oifindex, -1); + } + } + +-- +2.39.5 + diff --git a/queue-6.12/nfs-fix-potential-buffer-overflowin-nfs_sysfs_link_r.patch b/queue-6.12/nfs-fix-potential-buffer-overflowin-nfs_sysfs_link_r.patch new file mode 100644 index 0000000000..06d766736b --- /dev/null +++ b/queue-6.12/nfs-fix-potential-buffer-overflowin-nfs_sysfs_link_r.patch @@ -0,0 +1,42 @@ +From 89a31977b2f35ca494ae471f8b39456fb75e4b11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 00:13:12 +0800 +Subject: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() + +From: Zichen Xie + +[ Upstream commit 49fd4e34751e90e6df009b70cd0659dc839e7ca8 ] + +name is char[64] where the size of clnt->cl_program->name remains +unknown. Invoking strcat() directly will also lead to potential buffer +overflow. Change them to strscpy() and strncat() to fix potential +issues. + +Signed-off-by: Zichen Xie +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/sysfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c +index bf378ecd5d9fd..7b59a40d40c06 100644 +--- a/fs/nfs/sysfs.c ++++ b/fs/nfs/sysfs.c +@@ -280,9 +280,9 @@ void nfs_sysfs_link_rpc_client(struct nfs_server *server, + char name[RPC_CLIENT_NAME_SIZE]; + int ret; + +- strcpy(name, clnt->cl_program->name); +- strcat(name, uniq ? uniq : ""); +- strcat(name, "_client"); ++ strscpy(name, clnt->cl_program->name, sizeof(name)); ++ strncat(name, uniq ? uniq : "", sizeof(name) - strlen(name) - 1); ++ strncat(name, "_client", sizeof(name) - strlen(name) - 1); + + ret = sysfs_create_link_nowarn(&server->kobj, + &clnt->cl_sysfs->kobject, name); +-- +2.39.5 + diff --git a/queue-6.12/orangefs-fix-a-oob-in-orangefs_debug_write.patch b/queue-6.12/orangefs-fix-a-oob-in-orangefs_debug_write.patch new file mode 100644 index 0000000000..0c85de9a2c --- /dev/null +++ b/queue-6.12/orangefs-fix-a-oob-in-orangefs_debug_write.patch @@ -0,0 +1,39 @@ +From 7b4d8ced07a7cbc2a21ec3748c8de25cd4557190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 14:21:08 -0500 +Subject: orangefs: fix a oob in orangefs_debug_write + +From: Mike Marshall + +[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ] + +I got a syzbot report: slab-out-of-bounds Read in +orangefs_debug_write... several people suggested fixes, +I tested Al Viro's suggestion and made this patch. + +Signed-off-by: Mike Marshall +Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 1b508f5433846..fa41db0884880 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file, + * Thwart users who try to jamb a ridiculous number + * of bytes into the debug file... + */ +- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) { ++ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) { + silly = count; +- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1; ++ count = ORANGEFS_MAX_DEBUG_STRING_LEN; + } + + buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.12/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch b/queue-6.12/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch new file mode 100644 index 0000000000..a89f0c171a --- /dev/null +++ b/queue-6.12/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch @@ -0,0 +1,53 @@ +From e75170ff0d5b92258f426a45f4c187beb44c24a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:43:13 +0100 +Subject: PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ] + +Apparently the Raptor Lake-P reference firmware configures the PIO log size +correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC. +Zenbook UX3402VA_UX3402VA, do not. + +Apply the quirk for Raptor Lake-P. This prevents kernel complaints like: + + DPC: RP PIO log size 0 is invalid + +and also enables the DPC driver to dump the RP PIO Log registers when DPC +is triggered. + +Note that the bug report also mentions 8086:a76e, which has been already +added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake +Root Ports"). + +Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de +Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623 +Signed-off-by: Takashi Iwai +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 8103bc24a54ea..11fe6869ec3ab 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -6254,6 +6254,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size); + #endif +-- +2.39.5 + diff --git a/queue-6.12/pci-switchtec-add-microchip-pci100x-device-ids.patch b/queue-6.12/pci-switchtec-add-microchip-pci100x-device-ids.patch new file mode 100644 index 0000000000..0f61bcbd07 --- /dev/null +++ b/queue-6.12/pci-switchtec-add-microchip-pci100x-device-ids.patch @@ -0,0 +1,112 @@ +From 48fdf609557fddadaabd74f9651e0e876e1f4f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 15:25:24 +0530 +Subject: PCI: switchtec: Add Microchip PCI100X device IDs + +From: Rakesh Babu Saladi + +[ Upstream commit a3282f84b2151d254dc4abf24d1255c6382be774 ] + +Add Microchip parts to the Device ID table so the driver supports PCI100x +devices. + +Add a new macro to quirk the Microchip Switchtec PCI100x parts to allow DMA +access via NTB to work when the IOMMU is turned on. + +PCI100x family has 6 variants; each variant is designed for different +application usages, different port counts and lane counts: + + PCI1001 has 1 x4 upstream port and 3 x4 downstream ports + PCI1002 has 1 x4 upstream port and 4 x2 downstream ports + PCI1003 has 2 x4 upstream ports, 2 x2 upstream ports, and 2 x2 + downstream ports + PCI1004 has 4 x4 upstream ports + PCI1005 has 1 x4 upstream port and 6 x2 downstream ports + PCI1006 has 6 x2 upstream ports and 2 x2 downstream ports + +[Historical note: these parts use PCI_VENDOR_ID_EFAR (0x1055), from EFAR +Microsystems, which was acquired in 1996 by Standard Microsystems Corp, +which was acquired by Microchip Technology in 2012. The PCI-SIG confirms +that Vendor ID 0x1055 is assigned to Microchip even though it's not +visible via https://pcisig.com/membership/member-companies] + +Link: https://lore.kernel.org/r/20250120095524.243103-1-Saladi.Rakeshbabu@microchip.com +Signed-off-by: Rakesh Babu Saladi +[bhelgaas: Vendor ID history] +Signed-off-by: Bjorn Helgaas +Acked-By: Logan Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 11 +++++++++++ + drivers/pci/switch/switchtec.c | 26 ++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 11fe6869ec3ab..af6cfd88f4b64 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5985,6 +5985,17 @@ SWITCHTEC_QUIRK(0x5552); /* PAXA 52XG5 */ + SWITCHTEC_QUIRK(0x5536); /* PAXA 36XG5 */ + SWITCHTEC_QUIRK(0x5528); /* PAXA 28XG5 */ + ++#define SWITCHTEC_PCI100X_QUIRK(vid) \ ++ DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_EFAR, vid, \ ++ PCI_CLASS_BRIDGE_OTHER, 8, quirk_switchtec_ntb_dma_alias) ++SWITCHTEC_PCI100X_QUIRK(0x1001); /* PCI1001XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1002); /* PCI1002XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1003); /* PCI1003XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1004); /* PCI1004XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1005); /* PCI1005XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1006); /* PCI1006XG4 */ ++ ++ + /* + * The PLX NTB uses devfn proxy IDs to move TLPs between NT endpoints. + * These IDs are used to forward responses to the originator on the other +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index c7e1089ffdafc..b14dfab04d846 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1739,6 +1739,26 @@ static void switchtec_pci_remove(struct pci_dev *pdev) + .driver_data = gen, \ + } + ++#define SWITCHTEC_PCI100X_DEVICE(device_id, gen) \ ++ { \ ++ .vendor = PCI_VENDOR_ID_EFAR, \ ++ .device = device_id, \ ++ .subvendor = PCI_ANY_ID, \ ++ .subdevice = PCI_ANY_ID, \ ++ .class = (PCI_CLASS_MEMORY_OTHER << 8), \ ++ .class_mask = 0xFFFFFFFF, \ ++ .driver_data = gen, \ ++ }, \ ++ { \ ++ .vendor = PCI_VENDOR_ID_EFAR, \ ++ .device = device_id, \ ++ .subvendor = PCI_ANY_ID, \ ++ .subdevice = PCI_ANY_ID, \ ++ .class = (PCI_CLASS_BRIDGE_OTHER << 8), \ ++ .class_mask = 0xFFFFFFFF, \ ++ .driver_data = gen, \ ++ } ++ + static const struct pci_device_id switchtec_pci_tbl[] = { + SWITCHTEC_PCI_DEVICE(0x8531, SWITCHTEC_GEN3), /* PFX 24xG3 */ + SWITCHTEC_PCI_DEVICE(0x8532, SWITCHTEC_GEN3), /* PFX 32xG3 */ +@@ -1833,6 +1853,12 @@ static const struct pci_device_id switchtec_pci_tbl[] = { + SWITCHTEC_PCI_DEVICE(0x5552, SWITCHTEC_GEN5), /* PAXA 52XG5 */ + SWITCHTEC_PCI_DEVICE(0x5536, SWITCHTEC_GEN5), /* PAXA 36XG5 */ + SWITCHTEC_PCI_DEVICE(0x5528, SWITCHTEC_GEN5), /* PAXA 28XG5 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1001, SWITCHTEC_GEN4), /* PCI1001 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1002, SWITCHTEC_GEN4), /* PCI1002 12XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1003, SWITCHTEC_GEN4), /* PCI1003 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1004, SWITCHTEC_GEN4), /* PCI1004 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1005, SWITCHTEC_GEN4), /* PCI1005 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1006, SWITCHTEC_GEN4), /* PCI1006 16XG4 */ + {0} + }; + MODULE_DEVICE_TABLE(pci, switchtec_pci_tbl); +-- +2.39.5 + diff --git a/queue-6.12/perf-x86-intel-clean-up-pebs-via-pt-on-hybrid.patch b/queue-6.12/perf-x86-intel-clean-up-pebs-via-pt-on-hybrid.patch new file mode 100644 index 0000000000..4f2ac356aa --- /dev/null +++ b/queue-6.12/perf-x86-intel-clean-up-pebs-via-pt-on-hybrid.patch @@ -0,0 +1,104 @@ +From 6a10ae7d24894a1564f61aa4bae361378b8b36a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 07:48:18 -0800 +Subject: perf/x86/intel: Clean up PEBS-via-PT on hybrid + +From: Kan Liang + +[ Upstream commit 0a5561501397e2bbd0fb0e300eb489f72a90597a ] + +The PEBS-via-PT feature is exposed for the e-core of some hybrid +platforms, e.g., ADL and MTL. But it never works. + +$ dmesg | grep PEBS +[ 1.793888] core: cpu_atom PMU driver: PEBS-via-PT + +$ perf record -c 1000 -e '{intel_pt/branch=0/, +cpu_atom/cpu-cycles,aux-output/pp}' -C8 +Error: +The sys_perf_event_open() syscall returned with 22 (Invalid argument) +for event (cpu_atom/cpu-cycles,aux-output/pp). +"dmesg | grep -i perf" may provide additional information. + +The "PEBS-via-PT" is printed if the corresponding bit of per-PMU +capabilities is set. Since the feature is supported by the e-core HW, +perf sets the bit for e-core. However, for Intel PT, if a feature is not +supported on all CPUs, it is not supported at all. The PEBS-via-PT event +cannot be created successfully. + +The PEBS-via-PT is no longer enumerated on the latest hybrid platform. It +will be deprecated on future platforms with Arch PEBS. Let's remove it +from the existing hybrid platforms. + +Fixes: d9977c43bff8 ("perf/x86: Register hybrid PMUs") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250129154820.3755948-2-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 10 ---------- + arch/x86/events/intel/ds.c | 10 +++++++++- + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index f558be868a50b..412b8ecce522f 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -4901,11 +4901,6 @@ static void intel_pmu_check_hybrid_pmus(struct x86_hybrid_pmu *pmu) + else + pmu->intel_ctrl &= ~(1ULL << GLOBAL_CTRL_EN_PERF_METRICS); + +- if (pmu->intel_cap.pebs_output_pt_available) +- pmu->pmu.capabilities |= PERF_PMU_CAP_AUX_OUTPUT; +- else +- pmu->pmu.capabilities &= ~PERF_PMU_CAP_AUX_OUTPUT; +- + intel_pmu_check_event_constraints(pmu->event_constraints, + pmu->cntr_mask64, + pmu->fixed_cntr_mask64, +@@ -4974,9 +4969,6 @@ static bool init_hybrid_pmu(int cpu) + + pr_info("%s PMU driver: ", pmu->name); + +- if (pmu->intel_cap.pebs_output_pt_available) +- pr_cont("PEBS-via-PT "); +- + pr_cont("\n"); + + x86_pmu_show_pmu_cap(&pmu->pmu); +@@ -6284,11 +6276,9 @@ static __always_inline int intel_pmu_init_hybrid(enum hybrid_pmu_type pmus) + pmu->intel_cap.capabilities = x86_pmu.intel_cap.capabilities; + if (pmu->pmu_type & hybrid_small) { + pmu->intel_cap.perf_metrics = 0; +- pmu->intel_cap.pebs_output_pt_available = 1; + pmu->mid_ack = true; + } else if (pmu->pmu_type & hybrid_big) { + pmu->intel_cap.perf_metrics = 1; +- pmu->intel_cap.pebs_output_pt_available = 0; + pmu->late_ack = true; + } + } +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index 19a9fd974e3e1..b6303b0224531 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -2523,7 +2523,15 @@ void __init intel_ds_init(void) + } + pr_cont("PEBS fmt4%c%s, ", pebs_type, pebs_qual); + +- if (!is_hybrid() && x86_pmu.intel_cap.pebs_output_pt_available) { ++ /* ++ * The PEBS-via-PT is not supported on hybrid platforms, ++ * because not all CPUs of a hybrid machine support it. ++ * The global x86_pmu.intel_cap, which only contains the ++ * common capabilities, is used to check the availability ++ * of the feature. The per-PMU pebs_output_pt_available ++ * in a hybrid machine should be ignored. ++ */ ++ if (x86_pmu.intel_cap.pebs_output_pt_available) { + pr_cont("PEBS-via-PT, "); + x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_AUX_OUTPUT; + } +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-cy8c95x0-avoid-accessing-reserved-registers.patch b/queue-6.12/pinctrl-cy8c95x0-avoid-accessing-reserved-registers.patch new file mode 100644 index 0000000000..d31087913a --- /dev/null +++ b/queue-6.12/pinctrl-cy8c95x0-avoid-accessing-reserved-registers.patch @@ -0,0 +1,71 @@ +From a66de532bfbc6deef8f8b4dbb4764ab49573bb3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 15:10:28 +0200 +Subject: pinctrl: cy8c95x0: Avoid accessing reserved registers + +From: Andy Shevchenko + +[ Upstream commit 3fbe3fe28764455e4fc3578afb9765f46f9ce93d ] + +The checks for vrtual registers in the cy8c95x0_readable_register() +and cy8c95x0_writeable_register() are not aligned and broken. + +Fix that by explicitly avoiding reserved registers to be accessed. + +Fixes: 71e4001a0455 ("pinctrl: pinctrl-cy8c95x0: Fix regcache") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/20250203131506.3318201-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-cy8c95x0.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c +index 5096ccdd459ea..05224808d92be 100644 +--- a/drivers/pinctrl/pinctrl-cy8c95x0.c ++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c +@@ -330,14 +330,14 @@ static int cypress_get_pin_mask(struct cy8c95x0_pinctrl *chip, unsigned int pin) + static bool cy8c95x0_readable_register(struct device *dev, unsigned int reg) + { + /* +- * Only 12 registers are present per port (see Table 6 in the +- * datasheet). ++ * Only 12 registers are present per port (see Table 6 in the datasheet). + */ +- if (reg >= CY8C95X0_VIRTUAL && (reg % MUXED_STRIDE) < 12) +- return true; ++ if (reg >= CY8C95X0_VIRTUAL && (reg % MUXED_STRIDE) >= 12) ++ return false; + + switch (reg) { + case 0x24 ... 0x27: ++ case 0x31 ... 0x3f: + return false; + default: + return true; +@@ -346,8 +346,11 @@ static bool cy8c95x0_readable_register(struct device *dev, unsigned int reg) + + static bool cy8c95x0_writeable_register(struct device *dev, unsigned int reg) + { +- if (reg >= CY8C95X0_VIRTUAL) +- return true; ++ /* ++ * Only 12 registers are present per port (see Table 6 in the datasheet). ++ */ ++ if (reg >= CY8C95X0_VIRTUAL && (reg % MUXED_STRIDE) >= 12) ++ return false; + + switch (reg) { + case CY8C95X0_INPUT_(0) ... CY8C95X0_INPUT_(7): +@@ -355,6 +358,7 @@ static bool cy8c95x0_writeable_register(struct device *dev, unsigned int reg) + case CY8C95X0_DEVID: + return false; + case 0x24 ... 0x27: ++ case 0x31 ... 0x3f: + return false; + default: + return true; +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-cy8c95x0-enable-regmap-locking-for-debug.patch b/queue-6.12/pinctrl-cy8c95x0-enable-regmap-locking-for-debug.patch new file mode 100644 index 0000000000..de88d5d400 --- /dev/null +++ b/queue-6.12/pinctrl-cy8c95x0-enable-regmap-locking-for-debug.patch @@ -0,0 +1,40 @@ +From 92ec7914de5ec61711ac015976999b9d0a550898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 15:10:29 +0200 +Subject: pinctrl: cy8c95x0: Enable regmap locking for debug + +From: Andy Shevchenko + +[ Upstream commit aac4470fa6e695e4d6ac94cc77d4690b57f1d2bc ] + +When regmap locking is disabled, debugfs is also disabled. +Enable locking for debug when CONFIG_DEBUG_PINCTRL is set. + +Fixes: f71aba339a66 ("pinctrl: cy8c95x0: Use single I2C lock") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/20250203131506.3318201-4-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-cy8c95x0.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c +index 05224808d92be..c0f094f51da84 100644 +--- a/drivers/pinctrl/pinctrl-cy8c95x0.c ++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c +@@ -472,7 +472,11 @@ static const struct regmap_config cy8c9520_i2c_regmap = { + .max_register = 0, /* Updated at runtime */ + .num_reg_defaults_raw = 0, /* Updated at runtime */ + .use_single_read = true, /* Workaround for regcache bug */ ++#if IS_ENABLED(CONFIG_DEBUG_PINCTRL) ++ .disable_locking = false, ++#else + .disable_locking = true, ++#endif + }; + + static inline int cy8c95x0_regmap_update_bits_base(struct cy8c95x0_pinctrl *chip, +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-cy8c95x0-rename-pwmsel-to-selpwm.patch b/queue-6.12/pinctrl-cy8c95x0-rename-pwmsel-to-selpwm.patch new file mode 100644 index 0000000000..b9a0ff7277 --- /dev/null +++ b/queue-6.12/pinctrl-cy8c95x0-rename-pwmsel-to-selpwm.patch @@ -0,0 +1,95 @@ +From 60a8f78cfef958dccb96f4632be8d3d60ce7ea74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 15:10:30 +0200 +Subject: pinctrl: cy8c95x0: Rename PWMSEL to SELPWM + +From: Andy Shevchenko + +[ Upstream commit 0a7404fc5399e1100b14e7e2a4af2e4fd5e3b602 ] + +There are two registers in the hardware, one, "Select PWM", +is per-port configuration enabling PWM function instead of GPIO. +The other one is "PWM Select" is per-PWM selector to configure +PWM itself. Original code uses abbreviation of the latter +to describe the former. Rename it to follow the datasheet. + +Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/20250203131506.3318201-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-cy8c95x0.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c +index c0f094f51da84..8e65797192abc 100644 +--- a/drivers/pinctrl/pinctrl-cy8c95x0.c ++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c +@@ -42,7 +42,7 @@ + #define CY8C95X0_PORTSEL 0x18 + /* Port settings, write PORTSEL first */ + #define CY8C95X0_INTMASK 0x19 +-#define CY8C95X0_PWMSEL 0x1A ++#define CY8C95X0_SELPWM 0x1A + #define CY8C95X0_INVERT 0x1B + #define CY8C95X0_DIRECTION 0x1C + /* Drive mode register change state on writing '1' */ +@@ -371,8 +371,8 @@ static bool cy8c95x0_volatile_register(struct device *dev, unsigned int reg) + case CY8C95X0_INPUT_(0) ... CY8C95X0_INPUT_(7): + case CY8C95X0_INTSTATUS_(0) ... CY8C95X0_INTSTATUS_(7): + case CY8C95X0_INTMASK: ++ case CY8C95X0_SELPWM: + case CY8C95X0_INVERT: +- case CY8C95X0_PWMSEL: + case CY8C95X0_DIRECTION: + case CY8C95X0_DRV_PU: + case CY8C95X0_DRV_PD: +@@ -401,7 +401,7 @@ static bool cy8c95x0_muxed_register(unsigned int reg) + { + switch (reg) { + case CY8C95X0_INTMASK: +- case CY8C95X0_PWMSEL: ++ case CY8C95X0_SELPWM: + case CY8C95X0_INVERT: + case CY8C95X0_DIRECTION: + case CY8C95X0_DRV_PU: +@@ -807,7 +807,7 @@ static int cy8c95x0_gpio_get_pincfg(struct cy8c95x0_pinctrl *chip, + reg = CY8C95X0_DIRECTION; + break; + case PIN_CONFIG_MODE_PWM: +- reg = CY8C95X0_PWMSEL; ++ reg = CY8C95X0_SELPWM; + break; + case PIN_CONFIG_OUTPUT: + reg = CY8C95X0_OUTPUT; +@@ -889,7 +889,7 @@ static int cy8c95x0_gpio_set_pincfg(struct cy8c95x0_pinctrl *chip, + reg = CY8C95X0_DRV_PP_FAST; + break; + case PIN_CONFIG_MODE_PWM: +- reg = CY8C95X0_PWMSEL; ++ reg = CY8C95X0_SELPWM; + break; + case PIN_CONFIG_OUTPUT_ENABLE: + ret = cy8c95x0_pinmux_direction(chip, off, !arg); +@@ -1179,7 +1179,7 @@ static void cy8c95x0_pin_dbg_show(struct pinctrl_dev *pctldev, struct seq_file * + bitmap_zero(mask, MAX_LINE); + __set_bit(pin, mask); + +- if (cy8c95x0_read_regs_mask(chip, CY8C95X0_PWMSEL, pwm, mask)) { ++ if (cy8c95x0_read_regs_mask(chip, CY8C95X0_SELPWM, pwm, mask)) { + seq_puts(s, "not available"); + return; + } +@@ -1224,7 +1224,7 @@ static int cy8c95x0_set_mode(struct cy8c95x0_pinctrl *chip, unsigned int off, bo + u8 port = cypress_get_port(chip, off); + u8 bit = cypress_get_pin_mask(chip, off); + +- return cy8c95x0_regmap_write_bits(chip, CY8C95X0_PWMSEL, port, bit, mode ? bit : 0); ++ return cy8c95x0_regmap_write_bits(chip, CY8C95X0_SELPWM, port, bit, mode ? bit : 0); + } + + static int cy8c95x0_pinmux_mode(struct cy8c95x0_pinctrl *chip, +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch b/queue-6.12/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch new file mode 100644 index 0000000000..d22d2b5783 --- /dev/null +++ b/queue-6.12/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch @@ -0,0 +1,49 @@ +From 539bd7e726aa125778c3441f4701ead70cc3955a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2025 16:21:45 +0200 +Subject: pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware + +From: Andy Shevchenko + +[ Upstream commit 1ddee69108d305bbc059cbf31c0b47626796be77 ] + +Some of the platforms may connect the INT pin via inversion logic +effectively make the triggering to be active-low. +Remove explicit trigger flag to respect the settings from firmware. + +Without this change even idling chip produces spurious interrupts +and kernel disables the line in the result: + + irq 33: nobody cared (try booting with the "irqpoll" option) + CPU: 0 UID: 0 PID: 125 Comm: irq/33-i2c-INT3 Not tainted 6.12.0-00236-g8b874ed11dae #64 + Hardware name: Intel Corp. QUARK/Galileo, BIOS 0x01000900 01/01/2014 + ... + handlers: + [<86e86bea>] irq_default_primary_handler threaded [] cy8c95x0_irq_handler [pinctrl_cy8c95x0] + Disabling IRQ #33 + +Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/20250117142304.596106-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c +index 8e65797192abc..7a6a1434ae7f4 100644 +--- a/drivers/pinctrl/pinctrl-cy8c95x0.c ++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c +@@ -1373,7 +1373,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq) + + ret = devm_request_threaded_irq(chip->dev, irq, + NULL, cy8c95x0_irq_handler, +- IRQF_ONESHOT | IRQF_SHARED | IRQF_TRIGGER_HIGH, ++ IRQF_ONESHOT | IRQF_SHARED, + dev_name(chip->dev), chip); + if (ret) { + dev_err(chip->dev, "failed to request irq %d\n", irq); +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-pinconf-generic-print-unsigned-value-if-a-fo.patch b/queue-6.12/pinctrl-pinconf-generic-print-unsigned-value-if-a-fo.patch new file mode 100644 index 0000000000..e1484bc392 --- /dev/null +++ b/queue-6.12/pinctrl-pinconf-generic-print-unsigned-value-if-a-fo.patch @@ -0,0 +1,55 @@ +From 42f756ada9d76a0539e9288cd13ded9a79d2f664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 12:10:58 +0200 +Subject: pinctrl: pinconf-generic: Print unsigned value if a format is + registered + +From: Claudiu Beznea + +[ Upstream commit 0af4c120f5e7a1ea70aff7da2dfb65b6148a3e84 ] + +Commit 3ba11e684d16 ("pinctrl: pinconf-generic: print hex value") +unconditionally switched to printing hex values in +pinconf_generic_dump_one(). However, if a dump format is registered for the +dumped pin, the hex value is printed as well. This hex value does not +necessarily correspond 1:1 with the hardware register value (as noted by +commit 3ba11e684d16 ("pinctrl: pinconf-generic: print hex value")). As a +result, user-facing output may include information like: +output drive strength (0x100 uA). + +To address this, check if a dump format is registered for the dumped +property, and print the unsigned value instead when applicable. + +Fixes: 3ba11e684d16 ("pinctrl: pinconf-generic: print hex value") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/20250205101058.2034860-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinconf-generic.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c +index 0b13d7f17b325..42547f64453e8 100644 +--- a/drivers/pinctrl/pinconf-generic.c ++++ b/drivers/pinctrl/pinconf-generic.c +@@ -89,12 +89,12 @@ static void pinconf_generic_dump_one(struct pinctrl_dev *pctldev, + seq_puts(s, items[i].display); + /* Print unit if available */ + if (items[i].has_arg) { +- seq_printf(s, " (0x%x", +- pinconf_to_config_argument(config)); ++ u32 val = pinconf_to_config_argument(config); ++ + if (items[i].format) +- seq_printf(s, " %s)", items[i].format); ++ seq_printf(s, " (%u %s)", val, items[i].format); + else +- seq_puts(s, ")"); ++ seq_printf(s, " (0x%x)", val); + } + } + } +-- +2.39.5 + diff --git a/queue-6.12/rdma-efa-reset-device-on-probe-failure.patch b/queue-6.12/rdma-efa-reset-device-on-probe-failure.patch new file mode 100644 index 0000000000..06ab3e24c5 --- /dev/null +++ b/queue-6.12/rdma-efa-reset-device-on-probe-failure.patch @@ -0,0 +1,73 @@ +From 818521808f87d396d58c4b86354ef88d964c870e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Dec 2024 13:15:48 +0000 +Subject: RDMA/efa: Reset device on probe failure + +From: Michael Margolin + +[ Upstream commit 123c13f10ed3627ba112172d8bd122a72cae226d ] + +Make sure the device is being reset on driver exit whatever the reason +is, to keep the device aligned and allow it to close shared resources +(e.g. admin queue). + +Reviewed-by: Firas Jahjah +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Link: https://patch.msgid.link/20241225131548.15155-1-mrgolin@amazon.com +Reviewed-by: Gal Pressman +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c +index ad225823e6f2f..45a4564c670c0 100644 +--- a/drivers/infiniband/hw/efa/efa_main.c ++++ b/drivers/infiniband/hw/efa/efa_main.c +@@ -470,7 +470,6 @@ static void efa_ib_device_remove(struct efa_dev *dev) + ibdev_info(&dev->ibdev, "Unregister ib device\n"); + ib_unregister_device(&dev->ibdev); + efa_destroy_eqs(dev); +- efa_com_dev_reset(&dev->edev, EFA_REGS_RESET_NORMAL); + efa_release_doorbell_bar(dev); + } + +@@ -643,12 +642,14 @@ static struct efa_dev *efa_probe_device(struct pci_dev *pdev) + return ERR_PTR(err); + } + +-static void efa_remove_device(struct pci_dev *pdev) ++static void efa_remove_device(struct pci_dev *pdev, ++ enum efa_regs_reset_reason_types reset_reason) + { + struct efa_dev *dev = pci_get_drvdata(pdev); + struct efa_com_dev *edev; + + edev = &dev->edev; ++ efa_com_dev_reset(edev, reset_reason); + efa_com_admin_destroy(edev); + efa_free_irq(dev, &dev->admin_irq); + efa_disable_msix(dev); +@@ -676,7 +677,7 @@ static int efa_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + return 0; + + err_remove_device: +- efa_remove_device(pdev); ++ efa_remove_device(pdev, EFA_REGS_RESET_INIT_ERR); + return err; + } + +@@ -685,7 +686,7 @@ static void efa_remove(struct pci_dev *pdev) + struct efa_dev *dev = pci_get_drvdata(pdev); + + efa_ib_device_remove(dev); +- efa_remove_device(pdev); ++ efa_remove_device(pdev, EFA_REGS_RESET_NORMAL); + } + + static void efa_shutdown(struct pci_dev *pdev) +-- +2.39.5 + diff --git a/queue-6.12/rtla-timerlat_hist-abort-event-processing-on-second-.patch b/queue-6.12/rtla-timerlat_hist-abort-event-processing-on-second-.patch new file mode 100644 index 0000000000..11579f0ce2 --- /dev/null +++ b/queue-6.12/rtla-timerlat_hist-abort-event-processing-on-second-.patch @@ -0,0 +1,50 @@ +From 5be07d8a95614a2dc4ff2ca6022f6b45ccf45b99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 15:49:30 +0100 +Subject: rtla/timerlat_hist: Abort event processing on second signal + +From: Tomas Glozar + +[ Upstream commit d6899e560366e10141189697502bc5521940c588 ] + +If either SIGINT is received twice, or after a SIGALRM (that is, after +timerlat was supposed to stop), abort processing events currently left +in the tracefs buffer and exit immediately. + +This allows the user to exit rtla without waiting for processing all +events, should that take longer than wanted, at the cost of not +processing all samples. + +Cc: John Kacur +Cc: Luis Goncalves +Cc: Gabriele Monaco +Link: https://lore.kernel.org/20250116144931.649593-5-tglozar@redhat.com +Signed-off-by: Tomas Glozar +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/src/timerlat_hist.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c +index 4cbd2d8ebb046..397dc962f5e2a 100644 +--- a/tools/tracing/rtla/src/timerlat_hist.c ++++ b/tools/tracing/rtla/src/timerlat_hist.c +@@ -1143,6 +1143,14 @@ static int stop_tracing; + static struct trace_instance *hist_inst = NULL; + static void stop_hist(int sig) + { ++ if (stop_tracing) { ++ /* ++ * Stop requested twice in a row; abort event processing and ++ * exit immediately ++ */ ++ tracefs_iterate_stop(hist_inst->inst); ++ return; ++ } + stop_tracing = 1; + if (hist_inst) + trace_instance_stop(hist_inst); +-- +2.39.5 + diff --git a/queue-6.12/rtla-timerlat_top-abort-event-processing-on-second-s.patch b/queue-6.12/rtla-timerlat_top-abort-event-processing-on-second-s.patch new file mode 100644 index 0000000000..677bb013e6 --- /dev/null +++ b/queue-6.12/rtla-timerlat_top-abort-event-processing-on-second-s.patch @@ -0,0 +1,50 @@ +From f3a92b7d3e69176aa2d7fd5359d058be7e9fb367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 15:49:31 +0100 +Subject: rtla/timerlat_top: Abort event processing on second signal + +From: Tomas Glozar + +[ Upstream commit 80967b354a76b360943af384c10d807d98bea5c4 ] + +If either SIGINT is received twice, or after a SIGALRM (that is, after +timerlat was supposed to stop), abort processing events currently left +in the tracefs buffer and exit immediately. + +This allows the user to exit rtla without waiting for processing all +events, should that take longer than wanted, at the cost of not +processing all samples. + +Cc: John Kacur +Cc: Luis Goncalves +Cc: Gabriele Monaco +Link: https://lore.kernel.org/20250116144931.649593-6-tglozar@redhat.com +Signed-off-by: Tomas Glozar +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/src/timerlat_top.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c +index d13be28dacd59..0def5fec51ed7 100644 +--- a/tools/tracing/rtla/src/timerlat_top.c ++++ b/tools/tracing/rtla/src/timerlat_top.c +@@ -897,6 +897,14 @@ static int stop_tracing; + static struct trace_instance *top_inst = NULL; + static void stop_top(int sig) + { ++ if (stop_tracing) { ++ /* ++ * Stop requested twice in a row; abort event processing and ++ * exit immediately ++ */ ++ tracefs_iterate_stop(top_inst->inst); ++ return; ++ } + stop_tracing = 1; + if (top_inst) + trace_instance_stop(top_inst); +-- +2.39.5 + diff --git a/queue-6.12/sched_ext-fix-lock-imbalance-in-dispatch_to_local_ds.patch b/queue-6.12/sched_ext-fix-lock-imbalance-in-dispatch_to_local_ds.patch new file mode 100644 index 0000000000..bd1edc09ed --- /dev/null +++ b/queue-6.12/sched_ext-fix-lock-imbalance-in-dispatch_to_local_ds.patch @@ -0,0 +1,109 @@ +From 2f88dff9f4ba7d954031137f9881d70ee8c8c666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 23:06:16 +0100 +Subject: sched_ext: Fix lock imbalance in dispatch_to_local_dsq() + +From: Andrea Righi + +[ Upstream commit 1626e5ef0b00386a4fd083fa7c46c8edbd75f9b4 ] + +While performing the rq locking dance in dispatch_to_local_dsq(), we may +trigger the following lock imbalance condition, in particular when +multiple tasks are rapidly changing CPU affinity (i.e., running a +`stress-ng --race-sched 0`): + +[ 13.413579] ===================================== +[ 13.413660] WARNING: bad unlock balance detected! +[ 13.413729] 6.13.0-virtme #15 Not tainted +[ 13.413792] ------------------------------------- +[ 13.413859] kworker/1:1/80 is trying to release lock (&rq->__lock) at: +[ 13.413954] [] dispatch_to_local_dsq+0x108/0x1a0 +[ 13.414111] but there are no more locks to release! +[ 13.414176] +[ 13.414176] other info that might help us debug this: +[ 13.414258] 1 lock held by kworker/1:1/80: +[ 13.414318] #0: ffff8b66feb41698 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x20/0x90 +[ 13.414612] +[ 13.414612] stack backtrace: +[ 13.415255] CPU: 1 UID: 0 PID: 80 Comm: kworker/1:1 Not tainted 6.13.0-virtme #15 +[ 13.415505] Workqueue: 0x0 (events) +[ 13.415567] Sched_ext: dsp_local_on (enabled+all), task: runnable_at=-2ms +[ 13.415570] Call Trace: +[ 13.415700] +[ 13.415744] dump_stack_lvl+0x78/0xe0 +[ 13.415806] ? dispatch_to_local_dsq+0x108/0x1a0 +[ 13.415884] print_unlock_imbalance_bug+0x11b/0x130 +[ 13.415965] ? dispatch_to_local_dsq+0x108/0x1a0 +[ 13.416226] lock_release+0x231/0x2c0 +[ 13.416326] _raw_spin_unlock+0x1b/0x40 +[ 13.416422] dispatch_to_local_dsq+0x108/0x1a0 +[ 13.416554] flush_dispatch_buf+0x199/0x1d0 +[ 13.416652] balance_one+0x194/0x370 +[ 13.416751] balance_scx+0x61/0x1e0 +[ 13.416848] prev_balance+0x43/0xb0 +[ 13.416947] __pick_next_task+0x6b/0x1b0 +[ 13.417052] __schedule+0x20d/0x1740 + +This happens because dispatch_to_local_dsq() is racing with +dispatch_dequeue() and, when the latter wins, we incorrectly assume that +the task has been moved to dst_rq. + +Fix by properly tracking the currently locked rq. + +Fixes: 4d3ca89bdd31 ("sched_ext: Refactor consume_remote_task()") +Signed-off-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 4c4681cb9337b..45e7461fd4c94 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -2458,6 +2458,9 @@ static void dispatch_to_local_dsq(struct rq *rq, struct scx_dispatch_q *dst_dsq, + { + struct rq *src_rq = task_rq(p); + struct rq *dst_rq = container_of(dst_dsq, struct rq, scx.local_dsq); ++#ifdef CONFIG_SMP ++ struct rq *locked_rq = rq; ++#endif + + /* + * We're synchronized against dequeue through DISPATCHING. As @p can't +@@ -2494,8 +2497,9 @@ static void dispatch_to_local_dsq(struct rq *rq, struct scx_dispatch_q *dst_dsq, + atomic_long_set_release(&p->scx.ops_state, SCX_OPSS_NONE); + + /* switch to @src_rq lock */ +- if (rq != src_rq) { +- raw_spin_rq_unlock(rq); ++ if (locked_rq != src_rq) { ++ raw_spin_rq_unlock(locked_rq); ++ locked_rq = src_rq; + raw_spin_rq_lock(src_rq); + } + +@@ -2513,6 +2517,8 @@ static void dispatch_to_local_dsq(struct rq *rq, struct scx_dispatch_q *dst_dsq, + } else { + move_remote_task_to_local_dsq(p, enq_flags, + src_rq, dst_rq); ++ /* task has been moved to dst_rq, which is now locked */ ++ locked_rq = dst_rq; + } + + /* if the destination CPU is idle, wake it up */ +@@ -2521,8 +2527,8 @@ static void dispatch_to_local_dsq(struct rq *rq, struct scx_dispatch_q *dst_dsq, + } + + /* switch back to @rq lock */ +- if (rq != dst_rq) { +- raw_spin_rq_unlock(dst_rq); ++ if (locked_rq != rq) { ++ raw_spin_rq_unlock(locked_rq); + raw_spin_rq_lock(rq); + } + #else /* CONFIG_SMP */ +-- +2.39.5 + diff --git a/queue-6.12/sched_ext-fix-the-incorrect-bpf_list-kfunc-api-in-co.patch b/queue-6.12/sched_ext-fix-the-incorrect-bpf_list-kfunc-api-in-co.patch new file mode 100644 index 0000000000..2671117476 --- /dev/null +++ b/queue-6.12/sched_ext-fix-the-incorrect-bpf_list-kfunc-api-in-co.patch @@ -0,0 +1,56 @@ +From 0a750ec45f7de08aff587a16389e396037459cdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 15:19:36 +0800 +Subject: sched_ext: Fix the incorrect bpf_list kfunc API in common.bpf.h. + +From: Chuyi Zhou + +[ Upstream commit 2e2006c91c842c551521434466f9b4324719c9a7 ] + +Now BPF only supports bpf_list_push_{front,back}_impl kfunc, not bpf_list_ +push_{front,back}. + +This patch fix this issue. Without this patch, if we use bpf_list kfunc +in scx, the BPF verifier would complain: + +libbpf: extern (func ksym) 'bpf_list_push_back': not found in kernel or +module BTFs +libbpf: failed to load object 'scx_foo' +libbpf: failed to load BPF skeleton 'scx_foo': -EINVAL + +With this patch, the bpf list kfunc will work as expected. + +Signed-off-by: Chuyi Zhou +Fixes: 2a52ca7c98960 ("sched_ext: Add scx_simple and scx_example_qmap example schedulers") +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + tools/sched_ext/include/scx/common.bpf.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/tools/sched_ext/include/scx/common.bpf.h b/tools/sched_ext/include/scx/common.bpf.h +index 248ab790d143e..f7206374a73dd 100644 +--- a/tools/sched_ext/include/scx/common.bpf.h ++++ b/tools/sched_ext/include/scx/common.bpf.h +@@ -251,8 +251,16 @@ void bpf_obj_drop_impl(void *kptr, void *meta) __ksym; + #define bpf_obj_new(type) ((type *)bpf_obj_new_impl(bpf_core_type_id_local(type), NULL)) + #define bpf_obj_drop(kptr) bpf_obj_drop_impl(kptr, NULL) + +-void bpf_list_push_front(struct bpf_list_head *head, struct bpf_list_node *node) __ksym; +-void bpf_list_push_back(struct bpf_list_head *head, struct bpf_list_node *node) __ksym; ++int bpf_list_push_front_impl(struct bpf_list_head *head, ++ struct bpf_list_node *node, ++ void *meta, __u64 off) __ksym; ++#define bpf_list_push_front(head, node) bpf_list_push_front_impl(head, node, NULL, 0) ++ ++int bpf_list_push_back_impl(struct bpf_list_head *head, ++ struct bpf_list_node *node, ++ void *meta, __u64 off) __ksym; ++#define bpf_list_push_back(head, node) bpf_list_push_back_impl(head, node, NULL, 0) ++ + struct bpf_list_node *bpf_list_pop_front(struct bpf_list_head *head) __ksym; + struct bpf_list_node *bpf_list_pop_back(struct bpf_list_head *head) __ksym; + struct bpf_rb_node *bpf_rbtree_remove(struct bpf_rb_root *root, +-- +2.39.5 + diff --git a/queue-6.12/sched_ext-use-scx_call_op_task-in-task_tick_scx.patch b/queue-6.12/sched_ext-use-scx_call_op_task-in-task_tick_scx.patch new file mode 100644 index 0000000000..fe83b6cba6 --- /dev/null +++ b/queue-6.12/sched_ext-use-scx_call_op_task-in-task_tick_scx.patch @@ -0,0 +1,70 @@ +From 7e1d991a521798e0e274cb5a8d33ed28d38409ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:09:35 +0800 +Subject: sched_ext: Use SCX_CALL_OP_TASK in task_tick_scx + +From: Chuyi Zhou + +[ Upstream commit f5717c93a1b999970f3a64d771a1a9ee68cc37d0 ] + +Now when we use scx_bpf_task_cgroup() in ops.tick() to get the cgroup of +the current task, the following error will occur: + +scx_foo[3795244] triggered exit kind 1024: + runtime error (called on a task not being operated on) + +The reason is that we are using SCX_CALL_OP() instead of SCX_CALL_OP_TASK() +when calling ops.tick(), which triggers the error during the subsequent +scx_kf_allowed_on_arg_tasks() check. + +SCX_CALL_OP_TASK() was first introduced in commit 36454023f50b ("sched_ext: +Track tasks that are subjects of the in-flight SCX operation") to ensure +task's rq lock is held when accessing task's sched_group. Since ops.tick() +is marked as SCX_KF_TERMINAL and task_tick_scx() is protected by the rq +lock, we can use SCX_CALL_OP_TASK() to avoid the above issue. Similarly, +the same changes should be made for ops.disable() and ops.exit_task(), as +they are also protected by task_rq_lock() and it's safe to access the +task's task_group. + +Fixes: 36454023f50b ("sched_ext: Track tasks that are subjects of the in-flight SCX operation") +Signed-off-by: Chuyi Zhou +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 45e7461fd4c94..b88fa640325e5 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -3447,7 +3447,7 @@ static void task_tick_scx(struct rq *rq, struct task_struct *curr, int queued) + curr->scx.slice = 0; + touch_core_sched(rq, curr); + } else if (SCX_HAS_OP(tick)) { +- SCX_CALL_OP(SCX_KF_REST, tick, curr); ++ SCX_CALL_OP_TASK(SCX_KF_REST, tick, curr); + } + + if (!curr->scx.slice) +@@ -3594,7 +3594,7 @@ static void scx_ops_disable_task(struct task_struct *p) + WARN_ON_ONCE(scx_get_task_state(p) != SCX_TASK_ENABLED); + + if (SCX_HAS_OP(disable)) +- SCX_CALL_OP(SCX_KF_REST, disable, p); ++ SCX_CALL_OP_TASK(SCX_KF_REST, disable, p); + scx_set_task_state(p, SCX_TASK_READY); + } + +@@ -3623,7 +3623,7 @@ static void scx_ops_exit_task(struct task_struct *p) + } + + if (SCX_HAS_OP(exit_task)) +- SCX_CALL_OP(SCX_KF_REST, exit_task, p, &args); ++ SCX_CALL_OP_TASK(SCX_KF_REST, exit_task, p, &args); + scx_set_task_state(p, SCX_TASK_NONE); + } + +-- +2.39.5 + diff --git a/queue-6.12/scripts-makefile.extrawarn-do-not-show-clang-s-non-k.patch b/queue-6.12/scripts-makefile.extrawarn-do-not-show-clang-s-non-k.patch new file mode 100644 index 0000000000..d973e1d3ba --- /dev/null +++ b/queue-6.12/scripts-makefile.extrawarn-do-not-show-clang-s-non-k.patch @@ -0,0 +1,63 @@ +From 0da28ce0c422f572e1120d2f0ed8ffcfa873a8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 15:55:28 -0700 +Subject: scripts/Makefile.extrawarn: Do not show clang's non-kprintf warnings + at W=1 + +From: Nathan Chancellor + +[ Upstream commit 738fc998b639407346a9e026514f0562301462cd ] + +Clang's -Wformat-overflow and -Wformat-truncation have chosen to check +'%p' unlike GCC but it does not know about the kernel's pointer +extensions in lib/vsprintf.c, so the developers split that part of the +warning out for the kernel to disable because there will always be false +positives. + +Commit 908dd508276d ("kbuild: enable -Wformat-truncation on clang") did +disabled these warnings but only in a block that would be called when +W=1 was not passed, so they would appear with W=1. Move the disabling of +the non-kprintf warnings to a block that always runs so that they are +never seen, regardless of warning level. + +Fixes: 908dd508276d ("kbuild: enable -Wformat-truncation on clang") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501291646.VtwF98qd-lkp@intel.com/ +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.extrawarn | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn +index 04faf15ed316a..d75897559d184 100644 +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -31,6 +31,11 @@ KBUILD_CFLAGS-$(CONFIG_CC_NO_ARRAY_BOUNDS) += -Wno-array-bounds + ifdef CONFIG_CC_IS_CLANG + # The kernel builds with '-std=gnu11' so use of GNU extensions is acceptable. + KBUILD_CFLAGS += -Wno-gnu ++ ++# Clang checks for overflow/truncation with '%p', while GCC does not: ++# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111219 ++KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow-non-kprintf) ++KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation-non-kprintf) + else + + # gcc inanely warns about local variables called 'main' +@@ -102,11 +107,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, packed-not-aligned) + KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow) + ifdef CONFIG_CC_IS_GCC + KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation) +-else +-# Clang checks for overflow/truncation with '%p', while GCC does not: +-# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111219 +-KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow-non-kprintf) +-KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation-non-kprintf) + endif + KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation) + +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch b/queue-6.12/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch new file mode 100644 index 0000000000..bc96443a5e --- /dev/null +++ b/queue-6.12/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch @@ -0,0 +1,37 @@ +From 79c325d07469f4b1a7d3e41dcdfdb4b2c99b2217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 09:42:14 +0800 +Subject: scsi: ufs: bsg: Set bsg_queue to NULL after removal + +From: Guixin Liu + +[ Upstream commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f ] + +Currently, this does not cause any issues, but I believe it is necessary to +set bsg_queue to NULL after removing it to prevent potential use-after-free +(UAF) access. + +Signed-off-by: Guixin Liu +Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com +Reviewed-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs_bsg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c +index 58023f735c195..8d4ad0a3f2cf0 100644 +--- a/drivers/ufs/core/ufs_bsg.c ++++ b/drivers/ufs/core/ufs_bsg.c +@@ -216,6 +216,7 @@ void ufs_bsg_remove(struct ufs_hba *hba) + return; + + bsg_remove_queue(hba->bsg_queue); ++ hba->bsg_queue = NULL; + + device_del(bsg_dev); + put_device(bsg_dev); +-- +2.39.5 + diff --git a/queue-6.12/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch b/queue-6.12/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch new file mode 100644 index 0000000000..06c6049d1d --- /dev/null +++ b/queue-6.12/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch @@ -0,0 +1,203 @@ +From 3ff066ba9067670c0e41fb4fd67dec70bf63f02f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 13:33:09 +0900 +Subject: selftests: gpio: gpio-sim: Fix missing chip disablements + +From: Koichiro Den + +[ Upstream commit f8524ac33cd452aef5384504b3264db6039a455e ] + +Since upstream commit 8bd76b3d3f3a ("gpio: sim: lock up configfs that an +instantiated device depends on"), rmdir for an active virtual devices +been prohibited. + +Update gpio-sim selftest to align with the change. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202501221006.a1ca5dfa-lkp@intel.com +Signed-off-by: Koichiro Den +Link: https://lore.kernel.org/r/20250122043309.304621-1-koichiro.den@canonical.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/gpio/gpio-sim.sh | 31 +++++++++++++++++++----- + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/gpio/gpio-sim.sh b/tools/testing/selftests/gpio/gpio-sim.sh +index 6fb66a687f173..bbc29ed9c60a9 100755 +--- a/tools/testing/selftests/gpio/gpio-sim.sh ++++ b/tools/testing/selftests/gpio/gpio-sim.sh +@@ -46,12 +46,6 @@ remove_chip() { + rmdir $CONFIGFS_DIR/$CHIP || fail "Unable to remove the chip" + } + +-configfs_cleanup() { +- for CHIP in `ls $CONFIGFS_DIR/`; do +- remove_chip $CHIP +- done +-} +- + create_chip() { + local CHIP=$1 + +@@ -105,6 +99,13 @@ disable_chip() { + echo 0 > $CONFIGFS_DIR/$CHIP/live || fail "Unable to disable the chip" + } + ++configfs_cleanup() { ++ for CHIP in `ls $CONFIGFS_DIR/`; do ++ disable_chip $CHIP ++ remove_chip $CHIP ++ done ++} ++ + configfs_chip_name() { + local CHIP=$1 + local BANK=$2 +@@ -181,6 +182,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -n `cat $CONFIGFS_DIR/chip/bank/chip_name` || fail "chip_name doesn't work" ++disable_chip chip + remove_chip chip + + echo "1.2. chip_name returns 'none' if the chip is still pending" +@@ -195,6 +197,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -n `cat $CONFIGFS_DIR/chip/dev_name` || fail "dev_name doesn't work" ++disable_chip chip + remove_chip chip + + echo "2. Creating and configuring simulated chips" +@@ -204,6 +207,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test "`get_chip_num_lines chip bank`" = "1" || fail "default number of lines is not 1" ++disable_chip chip + remove_chip chip + + echo "2.2. Number of lines can be specified" +@@ -212,6 +216,7 @@ create_bank chip bank + set_num_lines chip bank 16 + enable_chip chip + test "`get_chip_num_lines chip bank`" = "16" || fail "number of lines is not 16" ++disable_chip chip + remove_chip chip + + echo "2.3. Label can be set" +@@ -220,6 +225,7 @@ create_bank chip bank + set_label chip bank foobar + enable_chip chip + test "`get_chip_label chip bank`" = "foobar" || fail "label is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.4. Label can be left empty" +@@ -227,6 +233,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -z "`cat $CONFIGFS_DIR/chip/bank/label`" || fail "label is not empty" ++disable_chip chip + remove_chip chip + + echo "2.5. Line names can be configured" +@@ -238,6 +245,7 @@ set_line_name chip bank 2 bar + enable_chip chip + test "`get_line_name chip bank 0`" = "foo" || fail "line name is incorrect" + test "`get_line_name chip bank 2`" = "bar" || fail "line name is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.6. Line config can remain unused if offset is greater than number of lines" +@@ -248,6 +256,7 @@ set_line_name chip bank 5 foobar + enable_chip chip + test "`get_line_name chip bank 0`" = "" || fail "line name is incorrect" + test "`get_line_name chip bank 1`" = "" || fail "line name is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.7. Line configfs directory names are sanitized" +@@ -267,6 +276,7 @@ for CHIP in $CHIPS; do + enable_chip $CHIP + done + for CHIP in $CHIPS; do ++ disable_chip $CHIP + remove_chip $CHIP + done + +@@ -278,6 +288,7 @@ echo foobar > $CONFIGFS_DIR/chip/bank/label 2> /dev/null && \ + fail "Setting label of a live chip should fail" + echo 8 > $CONFIGFS_DIR/chip/bank/num_lines 2> /dev/null && \ + fail "Setting number of lines of a live chip should fail" ++disable_chip chip + remove_chip chip + + echo "2.10. Can't create line items when chip is live" +@@ -285,6 +296,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + mkdir $CONFIGFS_DIR/chip/bank/line0 2> /dev/null && fail "Creating line item should fail" ++disable_chip chip + remove_chip chip + + echo "2.11. Probe errors are propagated to user-space" +@@ -316,6 +328,7 @@ mkdir -p $CONFIGFS_DIR/chip/bank/line4/hog + enable_chip chip + $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 4 2> /dev/null && \ + fail "Setting the value of a hogged line shouldn't succeed" ++disable_chip chip + remove_chip chip + + echo "3. Controlling simulated chips" +@@ -331,6 +344,7 @@ test "$?" = "1" || fail "pull set incorrectly" + sysfs_set_pull chip bank 0 pull-down + $BASE_DIR/gpio-mockup-cdev /dev/`configfs_chip_name chip bank` 1 + test "$?" = "0" || fail "pull set incorrectly" ++disable_chip chip + remove_chip chip + + echo "3.2. Pull can be read from sysfs" +@@ -344,6 +358,7 @@ SYSFS_PATH=/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull + test `cat $SYSFS_PATH` = "pull-down" || fail "reading the pull failed" + sysfs_set_pull chip bank 0 pull-up + test `cat $SYSFS_PATH` = "pull-up" || fail "reading the pull failed" ++disable_chip chip + remove_chip chip + + echo "3.3. Incorrect input in sysfs is rejected" +@@ -355,6 +370,7 @@ DEVNAME=`configfs_dev_name chip` + CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull" + echo foobar > $SYSFS_PATH 2> /dev/null && fail "invalid input not detected" ++disable_chip chip + remove_chip chip + + echo "3.4. Can't write to value" +@@ -365,6 +381,7 @@ DEVNAME=`configfs_dev_name chip` + CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value" + echo 1 > $SYSFS_PATH 2> /dev/null && fail "writing to 'value' succeeded unexpectedly" ++disable_chip chip + remove_chip chip + + echo "4. Simulated GPIO chips are functional" +@@ -382,6 +399,7 @@ $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 0 & + sleep 0.1 # FIXME Any better way? + test `cat $SYSFS_PATH` = "1" || fail "incorrect value read from sysfs" + kill $! ++disable_chip chip + remove_chip chip + + echo "4.2. Bias settings work correctly" +@@ -394,6 +412,7 @@ CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value" + $BASE_DIR/gpio-mockup-cdev -b pull-up /dev/`configfs_chip_name chip bank` 0 + test `cat $SYSFS_PATH` = "1" || fail "bias setting does not work" ++disable_chip chip + remove_chip chip + + echo "GPIO $MODULE test PASS" +-- +2.39.5 + diff --git a/queue-6.12/serial-8250_pci-resolve-wch-vendor-id-ambiguity.patch b/queue-6.12/serial-8250_pci-resolve-wch-vendor-id-ambiguity.patch new file mode 100644 index 0000000000..38ada82daa --- /dev/null +++ b/queue-6.12/serial-8250_pci-resolve-wch-vendor-id-ambiguity.patch @@ -0,0 +1,217 @@ +From f3fabdbf5928057760b5a470a046569fa912c8e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 05:09:21 +0200 +Subject: serial: 8250_pci: Resolve WCH vendor ID ambiguity + +From: Andy Shevchenko + +[ Upstream commit 16076ca3a1565491bcb28689e555d569a39391c7 ] + +There are two sites of the same brand: wch.cn and wch-ic.com. +They are property of the same company, but it appears that they +managed to get two different PCI vendor IDs. Rename them accordingly +using standard pattern, i.e. PCI_VENDOR_ID_... + +While at it, move to PCI_VDEVICE() in the ID tables. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20241204031114.1029882-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_pci.c | 82 +++++++++++++++--------------- + 1 file changed, 41 insertions(+), 41 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 6709b6a5f3011..82fba431a95cf 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -64,23 +64,23 @@ + #define PCIE_DEVICE_ID_NEO_2_OX_IBM 0x00F6 + #define PCI_DEVICE_ID_PLX_CRONYX_OMEGA 0xc001 + #define PCI_DEVICE_ID_INTEL_PATSBURG_KT 0x1d3d +-#define PCI_VENDOR_ID_WCH 0x4348 +-#define PCI_DEVICE_ID_WCH_CH352_2S 0x3253 +-#define PCI_DEVICE_ID_WCH_CH353_4S 0x3453 +-#define PCI_DEVICE_ID_WCH_CH353_2S1PF 0x5046 +-#define PCI_DEVICE_ID_WCH_CH353_1S1P 0x5053 +-#define PCI_DEVICE_ID_WCH_CH353_2S1P 0x7053 +-#define PCI_DEVICE_ID_WCH_CH355_4S 0x7173 ++#define PCI_VENDOR_ID_WCHCN 0x4348 ++#define PCI_DEVICE_ID_WCHCN_CH352_2S 0x3253 ++#define PCI_DEVICE_ID_WCHCN_CH353_4S 0x3453 ++#define PCI_DEVICE_ID_WCHCN_CH353_2S1PF 0x5046 ++#define PCI_DEVICE_ID_WCHCN_CH353_1S1P 0x5053 ++#define PCI_DEVICE_ID_WCHCN_CH353_2S1P 0x7053 ++#define PCI_DEVICE_ID_WCHCN_CH355_4S 0x7173 + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e + +-#define PCIE_VENDOR_ID_WCH 0x1c00 +-#define PCIE_DEVICE_ID_WCH_CH382_2S1P 0x3250 +-#define PCIE_DEVICE_ID_WCH_CH384_4S 0x3470 +-#define PCIE_DEVICE_ID_WCH_CH384_8S 0x3853 +-#define PCIE_DEVICE_ID_WCH_CH382_2S 0x3253 ++#define PCI_VENDOR_ID_WCHIC 0x1c00 ++#define PCI_DEVICE_ID_WCHIC_CH382_2S1P 0x3250 ++#define PCI_DEVICE_ID_WCHIC_CH384_4S 0x3470 ++#define PCI_DEVICE_ID_WCHIC_CH384_8S 0x3853 ++#define PCI_DEVICE_ID_WCHIC_CH382_2S 0x3253 + + #define PCI_DEVICE_ID_MOXA_CP102E 0x1024 + #define PCI_DEVICE_ID_MOXA_CP102EL 0x1025 +@@ -2777,80 +2777,80 @@ static struct pci_serial_quirk pci_serial_quirks[] = { + }, + /* WCH CH353 1S1P card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH353_1S1P, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH353_1S1P, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch353_setup, + }, + /* WCH CH353 2S1P card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH353_2S1P, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH353_2S1P, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch353_setup, + }, + /* WCH CH353 4S card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH353_4S, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH353_4S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch353_setup, + }, + /* WCH CH353 2S1PF card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH353_2S1PF, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH353_2S1PF, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch353_setup, + }, + /* WCH CH352 2S card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH352_2S, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH352_2S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch353_setup, + }, + /* WCH CH355 4S card (16550 clone) */ + { +- .vendor = PCI_VENDOR_ID_WCH, +- .device = PCI_DEVICE_ID_WCH_CH355_4S, ++ .vendor = PCI_VENDOR_ID_WCHCN, ++ .device = PCI_DEVICE_ID_WCHCN_CH355_4S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch355_setup, + }, + /* WCH CH382 2S card (16850 clone) */ + { +- .vendor = PCIE_VENDOR_ID_WCH, +- .device = PCIE_DEVICE_ID_WCH_CH382_2S, ++ .vendor = PCI_VENDOR_ID_WCHIC, ++ .device = PCI_DEVICE_ID_WCHIC_CH382_2S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch38x_setup, + }, + /* WCH CH382 2S1P card (16850 clone) */ + { +- .vendor = PCIE_VENDOR_ID_WCH, +- .device = PCIE_DEVICE_ID_WCH_CH382_2S1P, ++ .vendor = PCI_VENDOR_ID_WCHIC, ++ .device = PCI_DEVICE_ID_WCHIC_CH382_2S1P, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch38x_setup, + }, + /* WCH CH384 4S card (16850 clone) */ + { +- .vendor = PCIE_VENDOR_ID_WCH, +- .device = PCIE_DEVICE_ID_WCH_CH384_4S, ++ .vendor = PCI_VENDOR_ID_WCHIC, ++ .device = PCI_DEVICE_ID_WCHIC_CH384_4S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_wch_ch38x_setup, + }, + /* WCH CH384 8S card (16850 clone) */ + { +- .vendor = PCIE_VENDOR_ID_WCH, +- .device = PCIE_DEVICE_ID_WCH_CH384_8S, ++ .vendor = PCI_VENDOR_ID_WCHIC, ++ .device = PCI_DEVICE_ID_WCHIC_CH384_8S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .init = pci_wch_ch38x_init, +@@ -3927,11 +3927,11 @@ static const struct pci_device_id blacklist[] = { + + /* multi-io cards handled by parport_serial */ + /* WCH CH353 2S1P */ +- { PCI_DEVICE(0x4348, 0x7053), 0, 0, REPORT_CONFIG(PARPORT_SERIAL), }, ++ { PCI_VDEVICE(WCHCN, 0x7053), REPORT_CONFIG(PARPORT_SERIAL), }, + /* WCH CH353 1S1P */ +- { PCI_DEVICE(0x4348, 0x5053), 0, 0, REPORT_CONFIG(PARPORT_SERIAL), }, ++ { PCI_VDEVICE(WCHCN, 0x5053), REPORT_CONFIG(PARPORT_SERIAL), }, + /* WCH CH382 2S1P */ +- { PCI_DEVICE(0x1c00, 0x3250), 0, 0, REPORT_CONFIG(PARPORT_SERIAL), }, ++ { PCI_VDEVICE(WCHIC, 0x3250), REPORT_CONFIG(PARPORT_SERIAL), }, + + /* Intel platforms with MID UART */ + { PCI_VDEVICE(INTEL, 0x081b), REPORT_8250_CONFIG(MID), }, +@@ -6004,27 +6004,27 @@ static const struct pci_device_id serial_pci_tbl[] = { + * WCH CH353 series devices: The 2S1P is handled by parport_serial + * so not listed here. + */ +- { PCI_VENDOR_ID_WCH, PCI_DEVICE_ID_WCH_CH353_4S, ++ { PCI_VENDOR_ID_WCHCN, PCI_DEVICE_ID_WCHCN_CH353_4S, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_b0_bt_4_115200 }, + +- { PCI_VENDOR_ID_WCH, PCI_DEVICE_ID_WCH_CH353_2S1PF, ++ { PCI_VENDOR_ID_WCHCN, PCI_DEVICE_ID_WCHCN_CH353_2S1PF, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_b0_bt_2_115200 }, + +- { PCI_VENDOR_ID_WCH, PCI_DEVICE_ID_WCH_CH355_4S, ++ { PCI_VENDOR_ID_WCHCN, PCI_DEVICE_ID_WCHCN_CH355_4S, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_b0_bt_4_115200 }, + +- { PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH382_2S, ++ { PCI_VENDOR_ID_WCHIC, PCI_DEVICE_ID_WCHIC_CH382_2S, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_wch382_2 }, + +- { PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH384_4S, ++ { PCI_VENDOR_ID_WCHIC, PCI_DEVICE_ID_WCHIC_CH384_4S, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_wch384_4 }, + +- { PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH384_8S, ++ { PCI_VENDOR_ID_WCHIC, PCI_DEVICE_ID_WCHIC_CH384_8S, + PCI_ANY_ID, PCI_ANY_ID, + 0, 0, pbn_wch384_8 }, + /* +-- +2.39.5 + diff --git a/queue-6.12/serial-8250_pci-share-wch-ids-with-parport_serial-dr.patch b/queue-6.12/serial-8250_pci-share-wch-ids-with-parport_serial-dr.patch new file mode 100644 index 0000000000..b6a7cd1292 --- /dev/null +++ b/queue-6.12/serial-8250_pci-share-wch-ids-with-parport_serial-dr.patch @@ -0,0 +1,107 @@ +From ce157ba73ac9fa566c3335f7b751c9de9158aab2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 05:09:22 +0200 +Subject: serial: 8250_pci: Share WCH IDs with parport_serial driver + +From: Andy Shevchenko + +[ Upstream commit 535a07698b8b3e6f305673102d297262cae2360a ] + +parport_serial driver uses subset of WCH IDs that are present in 8250_pci. +Share them via pci_ids.h and switch parport_serial to use defined constants. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20241204031114.1029882-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/parport/parport_serial.c | 12 ++++++++---- + drivers/tty/serial/8250/8250_pci.c | 10 ++-------- + include/linux/pci_ids.h | 11 +++++++++++ + 3 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/drivers/parport/parport_serial.c b/drivers/parport/parport_serial.c +index 3644997a83425..24d4f3a3ec3d0 100644 +--- a/drivers/parport/parport_serial.c ++++ b/drivers/parport/parport_serial.c +@@ -266,10 +266,14 @@ static struct pci_device_id parport_serial_pci_tbl[] = { + { 0x1409, 0x7168, 0x1409, 0xd079, 0, 0, timedia_9079c }, + + /* WCH CARDS */ +- { 0x4348, 0x5053, PCI_ANY_ID, PCI_ANY_ID, 0, 0, wch_ch353_1s1p}, +- { 0x4348, 0x7053, 0x4348, 0x3253, 0, 0, wch_ch353_2s1p}, +- { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382_0s1p}, +- { 0x1c00, 0x3250, 0x1c00, 0x3250, 0, 0, wch_ch382_2s1p}, ++ { PCI_VENDOR_ID_WCHCN, PCI_DEVICE_ID_WCHCN_CH353_1S1P, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, wch_ch353_1s1p }, ++ { PCI_VENDOR_ID_WCHCN, PCI_DEVICE_ID_WCHCN_CH353_2S1P, ++ 0x4348, 0x3253, 0, 0, wch_ch353_2s1p }, ++ { PCI_VENDOR_ID_WCHIC, PCI_DEVICE_ID_WCHIC_CH382_0S1P, ++ 0x1c00, 0x3050, 0, 0, wch_ch382_0s1p }, ++ { PCI_VENDOR_ID_WCHIC, PCI_DEVICE_ID_WCHIC_CH382_2S1P, ++ 0x1c00, 0x3250, 0, 0, wch_ch382_2s1p }, + + /* BrainBoxes PX272/PX306 MIO card */ + { PCI_VENDOR_ID_INTASHIELD, 0x4100, +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 82fba431a95cf..de6d90bf0d70a 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -64,23 +64,17 @@ + #define PCIE_DEVICE_ID_NEO_2_OX_IBM 0x00F6 + #define PCI_DEVICE_ID_PLX_CRONYX_OMEGA 0xc001 + #define PCI_DEVICE_ID_INTEL_PATSBURG_KT 0x1d3d +-#define PCI_VENDOR_ID_WCHCN 0x4348 ++ + #define PCI_DEVICE_ID_WCHCN_CH352_2S 0x3253 +-#define PCI_DEVICE_ID_WCHCN_CH353_4S 0x3453 +-#define PCI_DEVICE_ID_WCHCN_CH353_2S1PF 0x5046 +-#define PCI_DEVICE_ID_WCHCN_CH353_1S1P 0x5053 +-#define PCI_DEVICE_ID_WCHCN_CH353_2S1P 0x7053 + #define PCI_DEVICE_ID_WCHCN_CH355_4S 0x7173 ++ + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e + +-#define PCI_VENDOR_ID_WCHIC 0x1c00 +-#define PCI_DEVICE_ID_WCHIC_CH382_2S1P 0x3250 + #define PCI_DEVICE_ID_WCHIC_CH384_4S 0x3470 + #define PCI_DEVICE_ID_WCHIC_CH384_8S 0x3853 +-#define PCI_DEVICE_ID_WCHIC_CH382_2S 0x3253 + + #define PCI_DEVICE_ID_MOXA_CP102E 0x1024 + #define PCI_DEVICE_ID_MOXA_CP102EL 0x1025 +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 4cf6aaed5f35d..22f6b018cff8d 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2589,6 +2589,11 @@ + + #define PCI_VENDOR_ID_REDHAT 0x1b36 + ++#define PCI_VENDOR_ID_WCHIC 0x1c00 ++#define PCI_DEVICE_ID_WCHIC_CH382_0S1P 0x3050 ++#define PCI_DEVICE_ID_WCHIC_CH382_2S1P 0x3250 ++#define PCI_DEVICE_ID_WCHIC_CH382_2S 0x3253 ++ + #define PCI_VENDOR_ID_SILICOM_DENMARK 0x1c2c + + #define PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS 0x1c36 +@@ -2643,6 +2648,12 @@ + #define PCI_VENDOR_ID_AKS 0x416c + #define PCI_DEVICE_ID_AKS_ALADDINCARD 0x0100 + ++#define PCI_VENDOR_ID_WCHCN 0x4348 ++#define PCI_DEVICE_ID_WCHCN_CH353_4S 0x3453 ++#define PCI_DEVICE_ID_WCHCN_CH353_2S1PF 0x5046 ++#define PCI_DEVICE_ID_WCHCN_CH353_1S1P 0x5053 ++#define PCI_DEVICE_ID_WCHCN_CH353_2S1P 0x7053 ++ + #define PCI_VENDOR_ID_ACCESSIO 0x494f + #define PCI_DEVICE_ID_ACCESSIO_WDG_CSM 0x22c0 + +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series index ed3a7aabf5..a470fc6288 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -2,3 +2,92 @@ nfsd-clear-acl_access-acl_default-after-releasing-them.patch nfsd-fix-hang-in-nfsd4_shutdown_callback.patch nfsd-validate-the-nfsd_serv-pointer-before-calling-svc_wake_up.patch x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch +pinctrl-cy8c95x0-avoid-accessing-reserved-registers.patch +pinctrl-cy8c95x0-enable-regmap-locking-for-debug.patch +pinctrl-cy8c95x0-rename-pwmsel-to-selpwm.patch +pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch +hid-winwing-add-null-check-in-winwing_init_led.patch +hid-multitouch-add-null-check-in-mt_input_configured.patch +scripts-makefile.extrawarn-do-not-show-clang-s-non-k.patch +pinctrl-pinconf-generic-print-unsigned-value-if-a-fo.patch +hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch +hid-hid-steam-don-t-use-cancel_delayed_work_sync-in-.patch +spi-sn-f-ospi-fix-division-by-zero.patch +ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch +net-fib_rules-annotate-data-races-around-rule-io-ifi.patch +documentation-networking-fix-basic-node-example-docu.patch +ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch +vrf-use-rcu-protection-in-l3mdev_l3_out.patch +idpf-fix-handling-rsc-packet-with-a-single-segment.patch +idpf-record-rx-queue-in-skb-for-rsc-packets.patch +idpf-call-set_real_num_queues-in-idpf_open.patch +igc-fix-hw-rx-timestamp-when-passed-by-zc-xdp.patch +vxlan-check-vxlan_vnigroup_init-return-value.patch +loongarch-fix-idle-vs-timer-enqueue.patch +loongarch-csum-fix-oob-access-in-ip-checksum-code-fo.patch +loongarch-kvm-fix-typo-issue-about-gcfg-feature-dete.patch +net-ethernet-ti-am65-cpsw-fix-memleak-in-certain-xdp.patch +net-ethernet-ti-am65_cpsw-fix-tx_cleanup-for-xdp-cas.patch +bluetooth-btintel_pcie-fix-a-potential-race-conditio.patch +team-better-team_option_type_string-validation.patch +workqueue-put-the-pwq-after-detaching-the-rescuer-fr.patch +sched_ext-fix-lock-imbalance-in-dispatch_to_local_ds.patch +drm-tests-hdmi-fix-ww_mutex_slowpath-failures.patch +arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch +gpu-host1x-fix-a-use-of-uninitialized-mutex.patch +cgroup-remove-steal-time-from-usage_usec.patch +perf-x86-intel-clean-up-pebs-via-pt-on-hybrid.patch +drm-xe-client-bo-client-does-not-need-bos_lock.patch +drm-i915-selftests-avoid-using-uninitialized-context.patch +gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch +gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch +gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch +io_uring-waitid-don-t-abuse-io_tw_state.patch +io_uring-uring_cmd-remove-dead-req_has_async_data-ch.patch +amdkfd-properly-free-gang_ctx_bo-when-failed-to-init.patch +drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch +drm-fix-dsc-bpp-increment-decoding.patch +xen-swiotlb-relax-alignment-requirements.patch +x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch +block-cleanup-and-fix-batch-completion-adding-condit.patch +sched_ext-fix-the-incorrect-bpf_list-kfunc-api-in-co.patch +sched_ext-use-scx_call_op_task-in-task_tick_scx.patch +gpiolib-fix-crash-on-error-in-gpiochip_get_ngpios.patch +iommu-amd-expicitly-enable-cntrl.ephen-bit-in-resume.patch +tools-fix-annoying-mkdir-p-.-logs-when-building-tool.patch +rdma-efa-reset-device-on-probe-failure.patch +firmware-qcom-scm-smc-handle-missing-scm-device.patch +fbdev-omap-use-threaded-irq-for-lcd-dma.patch +soc-tegra-fuse-update-tegra234-nvmem-keepout-list.patch +i3c-mipi-i3c-hci-add-intel-specific-quirk-to-ring-re.patch +i3c-mipi-i3c-hci-add-support-for-mipi-i3c-hci-on-pci.patch +media-cxd2841er-fix-64-bit-division-on-gcc-9.patch +media-i2c-ds90ub913-add-error-handling-to-ub913_hw_i.patch +media-i2c-ds90ub953-add-error-handling-for-i2c-reads.patch +media-bcm2835-unicam-disable-trigger-mode-operation.patch +media-uvcvideo-implement-dual-stream-quirk-to-fix-lo.patch +media-uvcvideo-add-new-quirk-definition-for-the-soni.patch +media-uvcvideo-add-kurokesu-c1-pro-camera.patch +media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch +pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch +pci-switchtec-add-microchip-pci100x-device-ids.patch +scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch +rtla-timerlat_hist-abort-event-processing-on-second-.patch +rtla-timerlat_top-abort-event-processing-on-second-s.patch +serial-8250_pci-resolve-wch-vendor-id-ambiguity.patch +serial-8250_pci-share-wch-ids-with-parport_serial-dr.patch +8250-microchip-pci1xxxx-add-workaround-for-rts-bit-t.patch +kunit-platform-resolve-struct-completion-warning.patch +vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch +nfs-fix-potential-buffer-overflowin-nfs_sysfs_link_r.patch +vfio-nvgrace-gpu-read-dvsec-register-to-determine-ne.patch +vfio-nvgrace-gpu-expose-the-blackwell-device-pf-bar1.patch +fs-ntfs3-unify-inode-corruption-marking-with-_ntfs_b.patch +grab-mm-lock-before-grabbing-pt-lock.patch +selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch +acpi-x86-add-skip-i2c-clients-quirk-for-vexia-edu-at.patch +x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch +orangefs-fix-a-oob-in-orangefs_debug_write.patch +kbuild-suppress-stdout-from-merge_config-for-silent-.patch +asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch +kbuild-use-fzero-init-padding-bits-all.patch diff --git a/queue-6.12/soc-tegra-fuse-update-tegra234-nvmem-keepout-list.patch b/queue-6.12/soc-tegra-fuse-update-tegra234-nvmem-keepout-list.patch new file mode 100644 index 0000000000..d0c02cd4c2 --- /dev/null +++ b/queue-6.12/soc-tegra-fuse-update-tegra234-nvmem-keepout-list.patch @@ -0,0 +1,81 @@ +From 53aba599ea1a50746f98a233aaa87723ac077f81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 11:40:53 +0530 +Subject: soc/tegra: fuse: Update Tegra234 nvmem keepout list + +From: Kartik Rajput + +[ Upstream commit 836b341cc8dab680acc06a7883bfeea89680b689 ] + +Various Nvidia userspace applications and tests access following fuse +via Fuse nvmem interface: + + * odmid + * odminfo + * boot_security_info + * public_key_hash + * reserved_odm0 + * reserved_odm1 + * reserved_odm2 + * reserved_odm3 + * reserved_odm4 + * reserved_odm5 + * reserved_odm6 + * reserved_odm7 + * odm_lock + * pk_h1 + * pk_h2 + * revoke_pk_h0 + * revoke_pk_h1 + * security_mode + * system_fw_field_ratchet0 + * system_fw_field_ratchet1 + * system_fw_field_ratchet2 + * system_fw_field_ratchet3 + * optin_enable + +Update tegra234_fuse_keepouts list to allow reading these fuse from +nvmem sysfs interface. + +Signed-off-by: Kartik Rajput +Link: https://lore.kernel.org/r/20241127061053.16775-1-kkartik@nvidia.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/fuse-tegra30.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/soc/tegra/fuse/fuse-tegra30.c b/drivers/soc/tegra/fuse/fuse-tegra30.c +index eb14e5ff5a0aa..e24ab5f7d2bf1 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra30.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra30.c +@@ -647,15 +647,20 @@ static const struct nvmem_cell_lookup tegra234_fuse_lookups[] = { + }; + + static const struct nvmem_keepout tegra234_fuse_keepouts[] = { +- { .start = 0x01c, .end = 0x0c8 }, +- { .start = 0x12c, .end = 0x184 }, ++ { .start = 0x01c, .end = 0x064 }, ++ { .start = 0x084, .end = 0x0a0 }, ++ { .start = 0x0a4, .end = 0x0c8 }, ++ { .start = 0x12c, .end = 0x164 }, ++ { .start = 0x16c, .end = 0x184 }, + { .start = 0x190, .end = 0x198 }, + { .start = 0x1a0, .end = 0x204 }, +- { .start = 0x21c, .end = 0x250 }, +- { .start = 0x25c, .end = 0x2f0 }, ++ { .start = 0x21c, .end = 0x2f0 }, + { .start = 0x310, .end = 0x3d8 }, +- { .start = 0x400, .end = 0x4f0 }, +- { .start = 0x4f8, .end = 0x7e8 }, ++ { .start = 0x400, .end = 0x420 }, ++ { .start = 0x444, .end = 0x490 }, ++ { .start = 0x4bc, .end = 0x4f0 }, ++ { .start = 0x4f8, .end = 0x54c }, ++ { .start = 0x57c, .end = 0x7e8 }, + { .start = 0x8d0, .end = 0x8d8 }, + { .start = 0xacc, .end = 0xf00 } + }; +-- +2.39.5 + diff --git a/queue-6.12/spi-sn-f-ospi-fix-division-by-zero.patch b/queue-6.12/spi-sn-f-ospi-fix-division-by-zero.patch new file mode 100644 index 0000000000..c6d6805f76 --- /dev/null +++ b/queue-6.12/spi-sn-f-ospi-fix-division-by-zero.patch @@ -0,0 +1,42 @@ +From 7d3a39898090d263e387db1e34397f2690245f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 17:57:47 +0900 +Subject: spi: sn-f-ospi: Fix division by zero + +From: Kunihiko Hayashi + +[ Upstream commit 3588b1c0fde2f58d166e3f94a5a58d64b893526c ] + +When there is no dummy cycle in the spi-nor commands, both dummy bus cycle +bytes and width are zero. Because of the cpu's warning when divided by +zero, the warning should be avoided. Return just zero to avoid such +calculations. + +Fixes: 1b74dd64c861 ("spi: Add Socionext F_OSPI SPI flash controller driver") +Co-developed-by: Kohei Ito +Signed-off-by: Kohei Ito +Signed-off-by: Kunihiko Hayashi +Link: https://patch.msgid.link/20250206085747.3834148-1-hayashi.kunihiko@socionext.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sn-f-ospi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-sn-f-ospi.c b/drivers/spi/spi-sn-f-ospi.c +index a7c3b3923b4af..fd8c8eb37d01d 100644 +--- a/drivers/spi/spi-sn-f-ospi.c ++++ b/drivers/spi/spi-sn-f-ospi.c +@@ -116,6 +116,9 @@ struct f_ospi { + + static u32 f_ospi_get_dummy_cycle(const struct spi_mem_op *op) + { ++ if (!op->dummy.nbytes) ++ return 0; ++ + return (op->dummy.nbytes * 8) / op->dummy.buswidth; + } + +-- +2.39.5 + diff --git a/queue-6.12/team-better-team_option_type_string-validation.patch b/queue-6.12/team-better-team_option_type_string-validation.patch new file mode 100644 index 0000000000..c269c538fa --- /dev/null +++ b/queue-6.12/team-better-team_option_type_string-validation.patch @@ -0,0 +1,76 @@ +From 702c2df8925401f2a807a7710149430beec659f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 13:49:28 +0000 +Subject: team: better TEAM_OPTION_TYPE_STRING validation + +From: Eric Dumazet + +[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ] + +syzbot reported following splat [1] + +Make sure user-provided data contains one nul byte. + +[1] + BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] + BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 + string_nocheck lib/vsprintf.c:633 [inline] + string+0x3ec/0x5f0 lib/vsprintf.c:714 + vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843 + __request_module+0x252/0x9f0 kernel/module/kmod.c:149 + team_mode_get drivers/net/team/team_core.c:480 [inline] + team_change_mode drivers/net/team/team_core.c:607 [inline] + team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401 + team_option_set drivers/net/team/team_core.c:375 [inline] + team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:718 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:733 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2573 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627 + __sys_sendmsg net/socket.c:2659 [inline] + __do_sys_sendmsg net/socket.c:2664 [inline] + __se_sys_sendmsg net/socket.c:2662 [inline] + __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662 + x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index 7f4ef219eee44..6cfafaac1b4fb 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -2640,7 +2640,9 @@ int team_nl_options_set_doit(struct sk_buff *skb, struct genl_info *info) + ctx.data.u32_val = nla_get_u32(attr_data); + break; + case TEAM_OPTION_TYPE_STRING: +- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) { ++ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN || ++ !memchr(nla_data(attr_data), '\0', ++ nla_len(attr_data))) { + err = -EINVAL; + goto team_put; + } +-- +2.39.5 + diff --git a/queue-6.12/tools-fix-annoying-mkdir-p-.-logs-when-building-tool.patch b/queue-6.12/tools-fix-annoying-mkdir-p-.-logs-when-building-tool.patch new file mode 100644 index 0000000000..12781b0b07 --- /dev/null +++ b/queue-6.12/tools-fix-annoying-mkdir-p-.-logs-when-building-tool.patch @@ -0,0 +1,83 @@ +From 126dfb70383f2086822d11d5df51b022204c3b0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 09:29:06 +0900 +Subject: tools: fix annoying "mkdir -p ..." logs when building tools in + parallel + +From: Masahiro Yamada + +[ Upstream commit d1d0963121769d8d16150b913fe886e48efefa51 ] + +When CONFIG_OBJTOOL=y or CONFIG_DEBUG_INFO_BTF=y, parallel builds +show awkward "mkdir -p ..." logs. + + $ make -j16 + [ snip ] + mkdir -p /home/masahiro/ref/linux/tools/objtool && make O=/home/masahiro/ref/linux subdir=tools/objtool --no-print-directory -C objtool + mkdir -p /home/masahiro/ref/linux/tools/bpf/resolve_btfids && make O=/home/masahiro/ref/linux subdir=tools/bpf/resolve_btfids --no-print-directory -C bpf/resolve_btfids + +Defining MAKEFLAGS= on the command line wipes out command line +switches from the resultant MAKEFLAGS definition, even though the command +line switches are active. [1] + +MAKEFLAGS puts all single-letter options into the first word, and that +word will be empty if no single-letter options were given. [2] +However, this breaks if MAKEFLAGS= is given on the command line. + +The tools/ and tools/% targets set MAKEFLAGS= on the command +line, which breaks the following code in tools/scripts/Makefile.include: + + short-opts := $(firstword -$(MAKEFLAGS)) + +If MAKEFLAGS really needs modification, it should be done through the +environment variable, as follows: + + MAKEFLAGS= $(MAKE) ... + +That said, I question whether modifying MAKEFLAGS is necessary here. +The only flag we might want to exclude is --no-print-directory, as the +tools build system changes the working directory. However, people might +find the "Entering/Leaving directory" logs annoying. + +I simply removed the offending MAKEFLAGS=. + +[1]: https://savannah.gnu.org/bugs/?62469 +[2]: https://www.gnu.org/software/make/manual/make.html#Testing-Flags + +Fixes: ea01fa9f63ae ("tools: Connect to the kernel build system") +Fixes: a50e43332756 ("perf tools: Honor parallel jobs") +Signed-off-by: Masahiro Yamada +Tested-by: Daniel Xu +Signed-off-by: Sasha Levin +--- + Makefile | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/Makefile b/Makefile +index 26a471dbed62a..40c97774c4e4b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1357,18 +1357,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),) + $(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean + endif + +-# Clear a bunch of variables before executing the submake +-ifeq ($(quiet),silent_) +-tools_silent=s +-endif +- + tools/: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ ++ $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ + + tools/%: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* ++ $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* + + # --------------------------------------------------------------------------- + # Kernel selftest +-- +2.39.5 + diff --git a/queue-6.12/vfio-nvgrace-gpu-expose-the-blackwell-device-pf-bar1.patch b/queue-6.12/vfio-nvgrace-gpu-expose-the-blackwell-device-pf-bar1.patch new file mode 100644 index 0000000000..5e6fb74964 --- /dev/null +++ b/queue-6.12/vfio-nvgrace-gpu-expose-the-blackwell-device-pf-bar1.patch @@ -0,0 +1,164 @@ +From d0b643e5d54916fa448019e2952f9721b346ddc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2025 18:31:00 +0000 +Subject: vfio/nvgrace-gpu: Expose the blackwell device PF BAR1 to the VM + +From: Ankit Agrawal + +[ Upstream commit 6a9eb2d125ba90d13b45bcfabcddf9f61268f6a8 ] + +There is a HW defect on Grace Hopper (GH) to support the +Multi-Instance GPU (MIG) feature [1] that necessiated the presence +of a 1G region carved out from the device memory and mapped as +uncached. The 1G region is shown as a fake BAR (comprising region 2 and 3) +to workaround the issue. + +The Grace Blackwell systems (GB) differ from GH systems in the following +aspects: +1. The aforementioned HW defect is fixed on GB systems. +2. There is a usable BAR1 (region 2 and 3) on GB systems for the +GPUdirect RDMA feature [2]. + +This patch accommodate those GB changes by showing the 64b physical +device BAR1 (region2 and 3) to the VM instead of the fake one. This +takes care of both the differences. + +Moreover, the entire device memory is exposed on GB as cacheable to +the VM as there is no carveout required. + +Link: https://www.nvidia.com/en-in/technologies/multi-instance-gpu/ [1] +Link: https://docs.nvidia.com/cuda/gpudirect-rdma/ [2] + +Cc: Kevin Tian +CC: Jason Gunthorpe +Suggested-by: Alex Williamson +Signed-off-by: Ankit Agrawal +Link: https://lore.kernel.org/r/20250124183102.3976-3-ankita@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/nvgrace-gpu/main.c | 67 +++++++++++++++++++---------- + 1 file changed, 45 insertions(+), 22 deletions(-) + +diff --git a/drivers/vfio/pci/nvgrace-gpu/main.c b/drivers/vfio/pci/nvgrace-gpu/main.c +index 178ee4180d5c4..9e1c57baab64a 100644 +--- a/drivers/vfio/pci/nvgrace-gpu/main.c ++++ b/drivers/vfio/pci/nvgrace-gpu/main.c +@@ -17,9 +17,6 @@ + #define RESMEM_REGION_INDEX VFIO_PCI_BAR2_REGION_INDEX + #define USEMEM_REGION_INDEX VFIO_PCI_BAR4_REGION_INDEX + +-/* Memory size expected as non cached and reserved by the VM driver */ +-#define RESMEM_SIZE SZ_1G +- + /* A hardwired and constant ABI value between the GPU FW and VFIO driver. */ + #define MEMBLK_SIZE SZ_512M + +@@ -72,7 +69,7 @@ nvgrace_gpu_memregion(int index, + if (index == USEMEM_REGION_INDEX) + return &nvdev->usemem; + +- if (index == RESMEM_REGION_INDEX) ++ if (nvdev->resmem.memlength && index == RESMEM_REGION_INDEX) + return &nvdev->resmem; + + return NULL; +@@ -757,40 +754,67 @@ nvgrace_gpu_init_nvdev_struct(struct pci_dev *pdev, + u64 memphys, u64 memlength) + { + int ret = 0; ++ u64 resmem_size = 0; + + /* +- * The VM GPU device driver needs a non-cacheable region to support +- * the MIG feature. Since the device memory is mapped as NORMAL cached, +- * carve out a region from the end with a different NORMAL_NC +- * property (called as reserved memory and represented as resmem). This +- * region then is exposed as a 64b BAR (region 2 and 3) to the VM, while +- * exposing the rest (termed as usable memory and represented using usemem) +- * as cacheable 64b BAR (region 4 and 5). ++ * On Grace Hopper systems, the VM GPU device driver needs a non-cacheable ++ * region to support the MIG feature owing to a hardware bug. Since the ++ * device memory is mapped as NORMAL cached, carve out a region from the end ++ * with a different NORMAL_NC property (called as reserved memory and ++ * represented as resmem). This region then is exposed as a 64b BAR ++ * (region 2 and 3) to the VM, while exposing the rest (termed as usable ++ * memory and represented using usemem) as cacheable 64b BAR (region 4 and 5). + * + * devmem (memlength) + * |-------------------------------------------------| + * | | + * usemem.memphys resmem.memphys ++ * ++ * This hardware bug is fixed on the Grace Blackwell platforms and the ++ * presence of the bug can be determined through nvdev->has_mig_hw_bug. ++ * Thus on systems with the hardware fix, there is no need to partition ++ * the GPU device memory and the entire memory is usable and mapped as ++ * NORMAL cached (i.e. resmem size is 0). + */ ++ if (nvdev->has_mig_hw_bug) ++ resmem_size = SZ_1G; ++ + nvdev->usemem.memphys = memphys; + + /* + * The device memory exposed to the VM is added to the kernel by the +- * VM driver module in chunks of memory block size. Only the usable +- * memory (usemem) is added to the kernel for usage by the VM +- * workloads. Make the usable memory size memblock aligned. ++ * VM driver module in chunks of memory block size. Note that only the ++ * usable memory (usemem) is added to the kernel for usage by the VM ++ * workloads. + */ +- if (check_sub_overflow(memlength, RESMEM_SIZE, ++ if (check_sub_overflow(memlength, resmem_size, + &nvdev->usemem.memlength)) { + ret = -EOVERFLOW; + goto done; + } + + /* +- * The USEMEM part of the device memory has to be MEMBLK_SIZE +- * aligned. This is a hardwired ABI value between the GPU FW and +- * VFIO driver. The VM device driver is also aware of it and make +- * use of the value for its calculation to determine USEMEM size. ++ * The usemem region is exposed as a 64B Bar composed of region 4 and 5. ++ * Calculate and save the BAR size for the region. ++ */ ++ nvdev->usemem.bar_size = roundup_pow_of_two(nvdev->usemem.memlength); ++ ++ /* ++ * If the hardware has the fix for MIG, there is no requirement ++ * for splitting the device memory to create RESMEM. The entire ++ * device memory is usable and will be USEMEM. Return here for ++ * such case. ++ */ ++ if (!nvdev->has_mig_hw_bug) ++ goto done; ++ ++ /* ++ * When the device memory is split to workaround the MIG bug on ++ * Grace Hopper, the USEMEM part of the device memory has to be ++ * MEMBLK_SIZE aligned. This is a hardwired ABI value between the ++ * GPU FW and VFIO driver. The VM device driver is also aware of it ++ * and make use of the value for its calculation to determine USEMEM ++ * size. Note that the device memory may not be 512M aligned. + */ + nvdev->usemem.memlength = round_down(nvdev->usemem.memlength, + MEMBLK_SIZE); +@@ -809,10 +833,9 @@ nvgrace_gpu_init_nvdev_struct(struct pci_dev *pdev, + } + + /* +- * The memory regions are exposed as BARs. Calculate and save +- * the BAR size for them. ++ * The resmem region is exposed as a 64b BAR composed of region 2 and 3 ++ * for Grace Hopper. Calculate and save the BAR size for the region. + */ +- nvdev->usemem.bar_size = roundup_pow_of_two(nvdev->usemem.memlength); + nvdev->resmem.bar_size = roundup_pow_of_two(nvdev->resmem.memlength); + done: + return ret; +-- +2.39.5 + diff --git a/queue-6.12/vfio-nvgrace-gpu-read-dvsec-register-to-determine-ne.patch b/queue-6.12/vfio-nvgrace-gpu-read-dvsec-register-to-determine-ne.patch new file mode 100644 index 0000000000..021f74e556 --- /dev/null +++ b/queue-6.12/vfio-nvgrace-gpu-read-dvsec-register-to-determine-ne.patch @@ -0,0 +1,104 @@ +From b1308c0802761796cf54d90451aa658713a4218f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2025 18:30:59 +0000 +Subject: vfio/nvgrace-gpu: Read dvsec register to determine need for uncached + resmem + +From: Ankit Agrawal + +[ Upstream commit bd53764a60ad586ad5b6ed339423ad5e67824464 ] + +NVIDIA's recently introduced Grace Blackwell (GB) Superchip is a +continuation with the Grace Hopper (GH) superchip that provides a +cache coherent access to CPU and GPU to each other's memory with +an internal proprietary chip-to-chip cache coherent interconnect. + +There is a HW defect on GH systems to support the Multi-Instance +GPU (MIG) feature [1] that necessiated the presence of a 1G region +with uncached mapping carved out from the device memory. The 1G +region is shown as a fake BAR (comprising region 2 and 3) to +workaround the issue. This is fixed on the GB systems. + +The presence of the fix for the HW defect is communicated by the +device firmware through the DVSEC PCI config register with ID 3. +The module reads this to take a different codepath on GB vs GH. + +Scan through the DVSEC registers to identify the correct one and use +it to determine the presence of the fix. Save the value in the device's +nvgrace_gpu_pci_core_device structure. + +Link: https://www.nvidia.com/en-in/technologies/multi-instance-gpu/ [1] + +CC: Jason Gunthorpe +CC: Kevin Tian +Signed-off-by: Ankit Agrawal +Link: https://lore.kernel.org/r/20250124183102.3976-2-ankita@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/nvgrace-gpu/main.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/vfio/pci/nvgrace-gpu/main.c b/drivers/vfio/pci/nvgrace-gpu/main.c +index a7fd018aa5483..178ee4180d5c4 100644 +--- a/drivers/vfio/pci/nvgrace-gpu/main.c ++++ b/drivers/vfio/pci/nvgrace-gpu/main.c +@@ -23,6 +23,11 @@ + /* A hardwired and constant ABI value between the GPU FW and VFIO driver. */ + #define MEMBLK_SIZE SZ_512M + ++#define DVSEC_BITMAP_OFFSET 0xA ++#define MIG_SUPPORTED_WITH_CACHED_RESMEM BIT(0) ++ ++#define GPU_CAP_DVSEC_REGISTER 3 ++ + /* + * The state of the two device memory region - resmem and usemem - is + * saved as struct mem_region. +@@ -46,6 +51,7 @@ struct nvgrace_gpu_pci_core_device { + struct mem_region resmem; + /* Lock to control device memory kernel mapping */ + struct mutex remap_lock; ++ bool has_mig_hw_bug; + }; + + static void nvgrace_gpu_init_fake_bar_emu_regs(struct vfio_device *core_vdev) +@@ -812,6 +818,26 @@ nvgrace_gpu_init_nvdev_struct(struct pci_dev *pdev, + return ret; + } + ++static bool nvgrace_gpu_has_mig_hw_bug(struct pci_dev *pdev) ++{ ++ int pcie_dvsec; ++ u16 dvsec_ctrl16; ++ ++ pcie_dvsec = pci_find_dvsec_capability(pdev, PCI_VENDOR_ID_NVIDIA, ++ GPU_CAP_DVSEC_REGISTER); ++ ++ if (pcie_dvsec) { ++ pci_read_config_word(pdev, ++ pcie_dvsec + DVSEC_BITMAP_OFFSET, ++ &dvsec_ctrl16); ++ ++ if (dvsec_ctrl16 & MIG_SUPPORTED_WITH_CACHED_RESMEM) ++ return false; ++ } ++ ++ return true; ++} ++ + static int nvgrace_gpu_probe(struct pci_dev *pdev, + const struct pci_device_id *id) + { +@@ -832,6 +858,8 @@ static int nvgrace_gpu_probe(struct pci_dev *pdev, + dev_set_drvdata(&pdev->dev, &nvdev->core_device); + + if (ops == &nvgrace_gpu_pci_ops) { ++ nvdev->has_mig_hw_bug = nvgrace_gpu_has_mig_hw_bug(pdev); ++ + /* + * Device memory properties are identified in the host ACPI + * table. Set the nvgrace_gpu_pci_core_device structure. +-- +2.39.5 + diff --git a/queue-6.12/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch b/queue-6.12/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch new file mode 100644 index 0000000000..48b3d6aea8 --- /dev/null +++ b/queue-6.12/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch @@ -0,0 +1,49 @@ +From e6f091dbfb8915f6dc58120b5f79b0f0591ca480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 05:19:37 -0800 +Subject: vfio/pci: Enable iowrite64 and ioread64 for vfio pci + +From: Ramesh Thomas + +[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ] + +Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio +pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP. +They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include +linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros +when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to +generic implementation in lib/iomap.c. The generic implementation does +64 bit rw if readq/writeq is defined for the architecture, otherwise it +would do 32 bit back to back rw. + +Note that there are two versions of the generic implementation that +differs in the order the 32 bit words are written if 64 bit support is +not present. This is not the little/big endian ordering, which is +handled separately. This patch uses the lo followed by hi word ordering +which is consistent with current back to back implementation in the +vfio/pci code. + +Signed-off-by: Ramesh Thomas +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_rdwr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 66b72c2892841..a0595c745732a 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include "vfio_pci_priv.h" + +-- +2.39.5 + diff --git a/queue-6.12/vrf-use-rcu-protection-in-l3mdev_l3_out.patch b/queue-6.12/vrf-use-rcu-protection-in-l3mdev_l3_out.patch new file mode 100644 index 0000000000..3b3b6866c0 --- /dev/null +++ b/queue-6.12/vrf-use-rcu-protection-in-l3mdev_l3_out.patch @@ -0,0 +1,52 @@ +From b16ffea55b8b047834fef455171acfd019d7bf79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:58:38 +0000 +Subject: vrf: use RCU protection in l3mdev_l3_out() + +From: Eric Dumazet + +[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ] + +l3mdev_l3_out() can be called without RCU being held: + +raw_sendmsg() + ip_push_pending_frames() + ip_send_skb() + ip_local_out() + __ip_local_out() + l3mdev_ip_out() + +Add rcu_read_lock() / rcu_read_unlock() pair to avoid +a potential UAF. + +Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/l3mdev.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h +index 031c661aa14df..bdfa9d414360c 100644 +--- a/include/net/l3mdev.h ++++ b/include/net/l3mdev.h +@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto) + if (netif_is_l3_slave(dev)) { + struct net_device *master; + ++ rcu_read_lock(); + master = netdev_master_upper_dev_get_rcu(dev); + if (master && master->l3mdev_ops->l3mdev_l3_out) + skb = master->l3mdev_ops->l3mdev_l3_out(master, sk, + skb, proto); ++ rcu_read_unlock(); + } + + return skb; +-- +2.39.5 + diff --git a/queue-6.12/vxlan-check-vxlan_vnigroup_init-return-value.patch b/queue-6.12/vxlan-check-vxlan_vnigroup_init-return-value.patch new file mode 100644 index 0000000000..1ac396debc --- /dev/null +++ b/queue-6.12/vxlan-check-vxlan_vnigroup_init-return-value.patch @@ -0,0 +1,75 @@ +From 0e2f91d27a3718859378800a26d0cce00c7da7b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 10:52:42 +0000 +Subject: vxlan: check vxlan_vnigroup_init() return value + +From: Eric Dumazet + +[ Upstream commit 5805402dcc56241987bca674a1b4da79a249bab7 ] + +vxlan_init() must check vxlan_vnigroup_init() success +otherwise a crash happens later, spotted by syzbot. + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] +CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 + RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 +Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 +RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb +RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 +RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 +R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 +FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 + unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 + unregister_netdevice_many net/core/dev.c:11866 [inline] + unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 + register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 + __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 + vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 + rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + +Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device") +Reported-by: syzbot+6a9624592218c2c5e7aa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67a9d9b4.050a0220.110943.002d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250210105242.883482-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 6e9a3795846aa..5e7cdd1b806fb 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2871,8 +2871,11 @@ static int vxlan_init(struct net_device *dev) + struct vxlan_dev *vxlan = netdev_priv(dev); + int err; + +- if (vxlan->cfg.flags & VXLAN_F_VNIFILTER) +- vxlan_vnigroup_init(vxlan); ++ if (vxlan->cfg.flags & VXLAN_F_VNIFILTER) { ++ err = vxlan_vnigroup_init(vxlan); ++ if (err) ++ return err; ++ } + + err = gro_cells_init(&vxlan->gro_cells, dev); + if (err) +-- +2.39.5 + diff --git a/queue-6.12/workqueue-put-the-pwq-after-detaching-the-rescuer-fr.patch b/queue-6.12/workqueue-put-the-pwq-after-detaching-the-rescuer-fr.patch new file mode 100644 index 0000000000..07426cb42b --- /dev/null +++ b/queue-6.12/workqueue-put-the-pwq-after-detaching-the-rescuer-fr.patch @@ -0,0 +1,66 @@ +From a5d149e42528cc3abe225ac5c27a926e48d4ea32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 16:25:35 +0800 +Subject: workqueue: Put the pwq after detaching the rescuer from the pool +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lai Jiangshan + +[ Upstream commit e76946110137703c16423baf6ee177b751a34b7e ] + +The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and +remove detach_completion") adds code to reap the normal workers but +mistakenly does not handle the rescuer and also removes the code waiting +for the rescuer in put_unbound_pool(), which caused a use-after-free bug +reported by Cheung Wall. + +To avoid the use-after-free bug, the pool’s reference must be held until +the detachment is complete. Therefore, move the code that puts the pwq +after detaching the rescuer from the pool. + +Reported-by: cheung wall +Cc: cheung wall +Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp3_4kxt-RMoA@mail.gmail.com/ +Fixes: 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") +Signed-off-by: Lai Jiangshan +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index cee65cb431081..a9d64e08dffc7 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -3509,12 +3509,6 @@ static int rescuer_thread(void *__rescuer) + } + } + +- /* +- * Put the reference grabbed by send_mayday(). @pool won't +- * go away while we're still attached to it. +- */ +- put_pwq(pwq); +- + /* + * Leave this pool. Notify regular workers; otherwise, we end up + * with 0 concurrency and stalling the execution. +@@ -3525,6 +3519,12 @@ static int rescuer_thread(void *__rescuer) + + worker_detach_from_pool(rescuer); + ++ /* ++ * Put the reference grabbed by send_mayday(). @pool might ++ * go away any time after it. ++ */ ++ put_pwq_unlocked(pwq); ++ + raw_spin_lock_irq(&wq_mayday_lock); + } + +-- +2.39.5 + diff --git a/queue-6.12/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch b/queue-6.12/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch new file mode 100644 index 0000000000..4b07a69808 --- /dev/null +++ b/queue-6.12/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch @@ -0,0 +1,152 @@ +From 2181f3ff0eb00749769436175dfdd6a51bdc1f2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 21:03:16 -0500 +Subject: x86/mm/tlb: Only trim the mm_cpumask once a second + +From: Rik van Riel + +[ Upstream commit 6db2526c1d694c91c6e05e2f186c085e9460f202 ] + +Setting and clearing CPU bits in the mm_cpumask is only ever done +by the CPU itself, from the context switch code or the TLB flush +code. + +Synchronization is handled by switch_mm_irqs_off() blocking interrupts. + +Sending TLB flush IPIs to CPUs that are in the mm_cpumask, but no +longer running the program causes a regression in the will-it-scale +tlbflush2 test. This test is contrived, but a large regression here +might cause a small regression in some real world workload. + +Instead of always sending IPIs to CPUs that are in the mm_cpumask, +but no longer running the program, send these IPIs only once a second. + +The rest of the time we can skip over CPUs where the loaded_mm is +different from the target mm. + +Reported-by: kernel test roboto +Signed-off-by: Rik van Riel +Signed-off-by: Ingo Molnar +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20241204210316.612ee573@fangorn +Closes: https://lore.kernel.org/oe-lkp/202411282207.6bd28eae-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/mmu.h | 2 ++ + arch/x86/include/asm/mmu_context.h | 1 + + arch/x86/include/asm/tlbflush.h | 1 + + arch/x86/mm/tlb.c | 35 +++++++++++++++++++++++++++--- + 4 files changed, 36 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h +index ce4677b8b7356..3b496cdcb74b3 100644 +--- a/arch/x86/include/asm/mmu.h ++++ b/arch/x86/include/asm/mmu.h +@@ -37,6 +37,8 @@ typedef struct { + */ + atomic64_t tlb_gen; + ++ unsigned long next_trim_cpumask; ++ + #ifdef CONFIG_MODIFY_LDT_SYSCALL + struct rw_semaphore ldt_usr_sem; + struct ldt_struct *ldt; +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 2886cb668d7fa..795fdd53bd0a6 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -151,6 +151,7 @@ static inline int init_new_context(struct task_struct *tsk, + + mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id); + atomic64_set(&mm->context.tlb_gen, 0); ++ mm->context.next_trim_cpumask = jiffies + HZ; + + #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS + if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index 69e79fff41b80..02fc2aa06e9e0 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -222,6 +222,7 @@ struct flush_tlb_info { + unsigned int initiating_cpu; + u8 stride_shift; + u8 freed_tables; ++ u8 trim_cpumask; + }; + + void flush_tlb_local(void); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index b0678d59ebdb4..00ffa74d0dd0b 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -893,9 +893,36 @@ static void flush_tlb_func(void *info) + nr_invalidate); + } + +-static bool tlb_is_not_lazy(int cpu, void *data) ++static bool should_flush_tlb(int cpu, void *data) + { +- return !per_cpu(cpu_tlbstate_shared.is_lazy, cpu); ++ struct flush_tlb_info *info = data; ++ ++ /* Lazy TLB will get flushed at the next context switch. */ ++ if (per_cpu(cpu_tlbstate_shared.is_lazy, cpu)) ++ return false; ++ ++ /* No mm means kernel memory flush. */ ++ if (!info->mm) ++ return true; ++ ++ /* The target mm is loaded, and the CPU is not lazy. */ ++ if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == info->mm) ++ return true; ++ ++ /* In cpumask, but not the loaded mm? Periodically remove by flushing. */ ++ if (info->trim_cpumask) ++ return true; ++ ++ return false; ++} ++ ++static bool should_trim_cpumask(struct mm_struct *mm) ++{ ++ if (time_after(jiffies, READ_ONCE(mm->context.next_trim_cpumask))) { ++ WRITE_ONCE(mm->context.next_trim_cpumask, jiffies + HZ); ++ return true; ++ } ++ return false; + } + + DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state_shared, cpu_tlbstate_shared); +@@ -929,7 +956,7 @@ STATIC_NOPV void native_flush_tlb_multi(const struct cpumask *cpumask, + if (info->freed_tables) + on_each_cpu_mask(cpumask, flush_tlb_func, (void *)info, true); + else +- on_each_cpu_cond_mask(tlb_is_not_lazy, flush_tlb_func, ++ on_each_cpu_cond_mask(should_flush_tlb, flush_tlb_func, + (void *)info, 1, cpumask); + } + +@@ -980,6 +1007,7 @@ static struct flush_tlb_info *get_flush_tlb_info(struct mm_struct *mm, + info->freed_tables = freed_tables; + info->new_tlb_gen = new_tlb_gen; + info->initiating_cpu = smp_processor_id(); ++ info->trim_cpumask = 0; + + return info; + } +@@ -1022,6 +1050,7 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + * flush_tlb_func_local() directly in this case. + */ + if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) { ++ info->trim_cpumask = should_trim_cpumask(mm); + flush_tlb_multi(mm_cpumask(mm), info); + } else if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) { + lockdep_assert_irqs_enabled(); +-- +2.39.5 + diff --git a/queue-6.12/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch b/queue-6.12/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch new file mode 100644 index 0000000000..de4251a026 --- /dev/null +++ b/queue-6.12/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch @@ -0,0 +1,171 @@ +From df7c3f433537ab535c9575a380023cd50ef78e0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 11:16:28 +0100 +Subject: x86/xen: allow larger contiguous memory regions in PV guests + +From: Juergen Gross + +[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ] + +Today a PV guest (including dom0) can create 2MB contiguous memory +regions for DMA buffers at max. This has led to problems at least +with the megaraid_sas driver, which wants to allocate a 2.3MB DMA +buffer. + +The limiting factor is the frame array used to do the hypercall for +making the memory contiguous, which has 512 entries and is just a +static array in mmu_pv.c. + +In order to not waste memory for non-PV guests, put the initial +frame array into .init.data section and dynamically allocate an array +from the .init_after_bootmem hook of PV guests. + +In case a contiguous memory area larger than the initially supported +2MB is requested, allocate a larger buffer for the frame list. Note +that such an allocation is tried only after memory management has been +initialized properly, which is tested via a flag being set in the +.init_after_bootmem hook. + +Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers") +Signed-off-by: Juergen Gross +Tested-by: Alan Robinson +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------ + 1 file changed, 62 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 55a4996d0c04f..ffdf0d299c5d7 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -111,6 +111,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss; + */ + static DEFINE_SPINLOCK(xen_reservation_lock); + ++/* Protected by xen_reservation_lock. */ ++#define MIN_CONTIG_ORDER 9 /* 2MB */ ++static unsigned int discontig_frames_order = MIN_CONTIG_ORDER; ++static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata; ++static unsigned long *discontig_frames __refdata = discontig_frames_early; ++static bool discontig_frames_dyn; ++ ++static int alloc_discontig_frames(unsigned int order) ++{ ++ unsigned long *new_array, *old_array; ++ unsigned int old_order; ++ unsigned long flags; ++ ++ BUG_ON(order < MIN_CONTIG_ORDER); ++ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE); ++ ++ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL, ++ order - MIN_CONTIG_ORDER); ++ if (!new_array) ++ return -ENOMEM; ++ ++ spin_lock_irqsave(&xen_reservation_lock, flags); ++ ++ old_order = discontig_frames_order; ++ ++ if (order > discontig_frames_order || !discontig_frames_dyn) { ++ if (!discontig_frames_dyn) ++ old_array = NULL; ++ else ++ old_array = discontig_frames; ++ ++ discontig_frames = new_array; ++ discontig_frames_order = order; ++ discontig_frames_dyn = true; ++ } else { ++ old_array = new_array; ++ } ++ ++ spin_unlock_irqrestore(&xen_reservation_lock, flags); ++ ++ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER); ++ ++ return 0; ++} ++ + /* + * Note about cr3 (pagetable base) values: + * +@@ -812,6 +857,9 @@ static void __init xen_after_bootmem(void) + SetPagePinned(virt_to_page(level3_user_vsyscall)); + #endif + xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP); ++ ++ if (alloc_discontig_frames(MIN_CONTIG_ORDER)) ++ BUG(); + } + + static void xen_unpin_page(struct mm_struct *mm, struct page *page, +@@ -2199,10 +2247,6 @@ void __init xen_init_mmu_ops(void) + memset(dummy_mapping, 0xff, PAGE_SIZE); + } + +-/* Protected by xen_reservation_lock. */ +-#define MAX_CONTIG_ORDER 9 /* 2MB */ +-static unsigned long discontig_frames[1< MAX_CONTIG_ORDER)) +- return -ENOMEM; ++ if (unlikely(order > discontig_frames_order)) { ++ if (!discontig_frames_dyn) ++ return -ENOMEM; ++ ++ if (alloc_discontig_frames(order)) ++ return -ENOMEM; ++ } + + memset((void *) vstart, 0, PAGE_SIZE << order); + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ in_frames = discontig_frames; ++ + /* 1. Zap current PTEs, remembering MFNs. */ + xen_zap_pfn_range(vstart, order, in_frames, NULL); + +@@ -2354,12 +2405,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order, + + void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + { +- unsigned long *out_frames = discontig_frames, in_frame; ++ unsigned long *out_frames, in_frame; + unsigned long flags; + int success; + unsigned long vstart; + +- if (unlikely(order > MAX_CONTIG_ORDER)) ++ if (unlikely(order > discontig_frames_order)) + return; + + vstart = (unsigned long)phys_to_virt(pstart); +@@ -2367,6 +2418,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ out_frames = discontig_frames; ++ + /* 1. Find start MFN of contiguous extent. */ + in_frame = virt_to_mfn((void *)vstart); + +-- +2.39.5 + diff --git a/queue-6.12/xen-swiotlb-relax-alignment-requirements.patch b/queue-6.12/xen-swiotlb-relax-alignment-requirements.patch new file mode 100644 index 0000000000..3758cf8493 --- /dev/null +++ b/queue-6.12/xen-swiotlb-relax-alignment-requirements.patch @@ -0,0 +1,84 @@ +From 1fcdc1ab81cc31180b0c3907188075a31e219878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 08:43:39 +0100 +Subject: xen/swiotlb: relax alignment requirements + +From: Juergen Gross + +[ Upstream commit 85fcb57c983f423180ba6ec5d0034242da05cc54 ] + +When mapping a buffer for DMA via .map_page or .map_sg DMA operations, +there is no need to check the machine frames to be aligned according +to the mapped areas size. All what is needed in these cases is that the +buffer is contiguous at machine level. + +So carve out the alignment check from range_straddles_page_boundary() +and move it to a helper called by xen_swiotlb_alloc_coherent() and +xen_swiotlb_free_coherent() directly. + +Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers") +Reported-by: Jan Vejvalka +Tested-by: Jan Vejvalka +Signed-off-by: Juergen Gross +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/swiotlb-xen.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index a337edcf8faf7..26c62e0d34e98 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -74,19 +74,21 @@ static inline phys_addr_t xen_dma_to_phys(struct device *dev, + return xen_bus_to_phys(dev, dma_to_phys(dev, dma_addr)); + } + ++static inline bool range_requires_alignment(phys_addr_t p, size_t size) ++{ ++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT); ++ phys_addr_t bus_addr = pfn_to_bfn(XEN_PFN_DOWN(p)) << XEN_PAGE_SHIFT; ++ ++ return IS_ALIGNED(p, algn) && !IS_ALIGNED(bus_addr, algn); ++} ++ + static inline int range_straddles_page_boundary(phys_addr_t p, size_t size) + { + unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p); + unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size); +- phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT); + + next_bfn = pfn_to_bfn(xen_pfn); + +- /* If buffer is physically aligned, ensure DMA alignment. */ +- if (IS_ALIGNED(p, algn) && +- !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn)) +- return 1; +- + for (i = 1; i < nr_pages; i++) + if (pfn_to_bfn(++xen_pfn) != ++next_bfn) + return 1; +@@ -156,7 +158,8 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size, + + *dma_handle = xen_phys_to_dma(dev, phys); + if (*dma_handle + size - 1 > dma_mask || +- range_straddles_page_boundary(phys, size)) { ++ range_straddles_page_boundary(phys, size) || ++ range_requires_alignment(phys, size)) { + if (xen_create_contiguous_region(phys, order, fls64(dma_mask), + dma_handle) != 0) + goto out_free_pages; +@@ -182,7 +185,8 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr, + size = ALIGN(size, XEN_PAGE_SIZE); + + if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) || +- WARN_ON_ONCE(range_straddles_page_boundary(phys, size))) ++ WARN_ON_ONCE(range_straddles_page_boundary(phys, size) || ++ range_requires_alignment(phys, size))) + return; + + if (TestClearPageXenRemapped(virt_to_page(vaddr))) +-- +2.39.5 +