From: Sasha Levin Date: Tue, 10 Jun 2025 11:54:35 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.6.94~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09d42ddef6c8ad5fab61952c4a3ec28e74c993a1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch b/queue-6.1/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch new file mode 100644 index 0000000000..77be0d9b62 --- /dev/null +++ b/queue-6.1/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch @@ -0,0 +1,44 @@ +From 2427182abf4d5865a725e47e44667edb49953a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 18:54:54 +0200 +Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" + +From: Armin Wolf + +[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ] + +As specified in section 5.7.2 of the ACPI specification the feature +group string "3.0 _SCP Extensions" implies that the operating system +evaluates the _SCP control method with additional parameters. + +However the ACPI thermal driver evaluates the _SCP control method +without those additional parameters, conflicting with the above +feature group string advertised to the firmware thru _OSI. + +Stop advertising support for this feature string to avoid confusing +the ACPI firmware. + +Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c +index d4405e1ca9b97..ae9620757865b 100644 +--- a/drivers/acpi/osi.c ++++ b/drivers/acpi/osi.c +@@ -42,7 +42,6 @@ static struct acpi_osi_entry + osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = { + {"Module Device", true}, + {"Processor Device", true}, +- {"3.0 _SCP Extensions", true}, + {"Processor Aggregator Device", true}, + }; + +-- +2.39.5 + diff --git a/queue-6.1/arm-aspeed-don-t-select-sram.patch b/queue-6.1/arm-aspeed-don-t-select-sram.patch new file mode 100644 index 0000000000..537914c342 --- /dev/null +++ b/queue-6.1/arm-aspeed-don-t-select-sram.patch @@ -0,0 +1,37 @@ +From fa75ddbfa9dd5d1383ad1fdc000e13f701ce8593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:42 +0930 +Subject: ARM: aspeed: Don't select SRAM + +From: Joel Stanley + +[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ] + +The ASPEED devices have SRAM, but don't require it for basic function +(or any function; there's no known users of the driver). + +Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine") +Signed-off-by: Joel Stanley +Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-aspeed/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig +index 080019aa6fcd8..fcf287edd0e5e 100644 +--- a/arch/arm/mach-aspeed/Kconfig ++++ b/arch/arm/mach-aspeed/Kconfig +@@ -2,7 +2,6 @@ + menuconfig ARCH_ASPEED + bool "Aspeed BMC architectures" + depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7 +- select SRAM + select WATCHDOG + select ASPEED_WATCHDOG + select MFD_SYSCON +-- +2.39.5 + diff --git a/queue-6.1/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch b/queue-6.1/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch new file mode 100644 index 0000000000..fee7ccf57c --- /dev/null +++ b/queue-6.1/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch @@ -0,0 +1,67 @@ +From 6057e0d599efc8cd5c99cc077a9203d8f9e23288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:04:46 +0200 +Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects + +From: Wolfram Sang + +[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ] + +NAND did not work on my USB-A9263. I discovered that the offending +commit converted the PIO bank for chip selects wrongly, so all A9263 +boards need to be fixed. + +Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings") +Signed-off-by: Wolfram Sang +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9263ek.dts | 2 +- + arch/arm/boot/dts/tny_a9263.dts | 2 +- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts +index ce8baff6a9f4e..e42e1a75a715d 100644 +--- a/arch/arm/boot/dts/at91sam9263ek.dts ++++ b/arch/arm/boot/dts/at91sam9263ek.dts +@@ -152,7 +152,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts +index 62b7d9f9a926c..c8b6318aaa838 100644 +--- a/arch/arm/boot/dts/tny_a9263.dts ++++ b/arch/arm/boot/dts/tny_a9263.dts +@@ -64,7 +64,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index c9d0058e90813..83d0b98dd287b 100644 +--- a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -84,7 +84,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +-- +2.39.5 + diff --git a/queue-6.1/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch b/queue-6.1/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch new file mode 100644 index 0000000000..bc4f28a0ea --- /dev/null +++ b/queue-6.1/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch @@ -0,0 +1,39 @@ +From 2e9a7e6afaa7efc8e23f7b0c4ac3553470ed0aa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 13:27:43 +0200 +Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select + +From: Wolfram Sang + +[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ] + +Dataflash did not work on my board. After checking schematics and using +the proper GPIO, it works now. Also, make it active low to avoid: + +flash@0 enforce active low on GPIO handle + +Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index b6cb9cdf81973..c9d0058e90813 100644 +--- a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -58,7 +58,7 @@ + }; + + spi0: spi@fffa4000 { +- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>; + status = "okay"; + flash@0 { + compatible = "atmel,at45", "atmel,dataflash"; +-- +2.39.5 + diff --git a/queue-6.1/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch b/queue-6.1/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch new file mode 100644 index 0000000000..210baf23fd --- /dev/null +++ b/queue-6.1/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch @@ -0,0 +1,58 @@ +From c9efc1d6d71889d72683625f5af79c8a1a59cdb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:22:00 +0200 +Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon + device + +From: Dmitry Baryshkov + +[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ] + +Follow up the expected way of describing the SFPB hwspinlock and merge +hwspinlock node into corresponding syscon node, fixing several dt-schema +warnings. + +Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 2b3927a829b70..da7e780dc3351 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -212,12 +212,6 @@ + }; + }; + +- sfpb_mutex: hwmutex { +- compatible = "qcom,sfpb-mutex"; +- syscon = <&sfpb_wrapper_mutex 0x604 0x4>; +- #hwlock-cells = <1>; +- }; +- + smem { + compatible = "qcom,smem"; + memory-region = <&smem_region>; +@@ -361,9 +355,10 @@ + pinctrl-0 = <&ps_hold>; + }; + +- sfpb_wrapper_mutex: syscon@1200000 { +- compatible = "syscon"; +- reg = <0x01200000 0x8000>; ++ sfpb_mutex: hwmutex@1200600 { ++ compatible = "qcom,sfpb-mutex"; ++ reg = <0x01200600 0x100>; ++ #hwlock-cells = <1>; + }; + + intc: interrupt-controller@2000000 { +-- +2.39.5 + diff --git a/queue-6.1/arm64-defconfig-mediatek-enable-phy-drivers.patch b/queue-6.1/arm64-defconfig-mediatek-enable-phy-drivers.patch new file mode 100644 index 0000000000..d6107a051e --- /dev/null +++ b/queue-6.1/arm64-defconfig-mediatek-enable-phy-drivers.patch @@ -0,0 +1,52 @@ +From e9e76ca3a53a2ab669c7976ee0ee4fb5dc4fdd62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 18:49:24 +0530 +Subject: arm64: defconfig: mediatek: enable PHY drivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vignesh Raman + +[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ] + +The mediatek display driver fails to probe on mt8173-elm-hana and +mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY +configurations. + +Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers") +stopped selecting the MediaTek PHY drivers, requiring them to be +explicitly enabled in defconfig. + +Enable the following PHY drivers for MediaTek platforms: +CONFIG_PHY_MTK_HDMI=m for HDMI display +CONFIG_PHY_MTK_MIPI_DSI=m for DSI display +CONFIG_PHY_MTK_DP=m for DP display + +Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers") +Reviewed-by: Nícolas F. R. A. Prado +Signed-off-by: Vignesh Raman +Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/configs/defconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig +index 623e9f308f38a..4543b292b50b4 100644 +--- a/arch/arm64/configs/defconfig ++++ b/arch/arm64/configs/defconfig +@@ -1230,6 +1230,9 @@ CONFIG_PHY_HISTB_COMBPHY=y + CONFIG_PHY_HISI_INNO_USB2=y + CONFIG_PHY_MVEBU_CP110_COMPHY=y + CONFIG_PHY_MTK_TPHY=y ++CONFIG_PHY_MTK_HDMI=m ++CONFIG_PHY_MTK_MIPI_DSI=m ++CONFIG_PHY_MTK_DP=m + CONFIG_PHY_QCOM_EDP=m + CONFIG_PHY_QCOM_PCIE2=m + CONFIG_PHY_QCOM_QMP=m +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch b/queue-6.1/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..6d5c14e4e4 --- /dev/null +++ b/queue-6.1/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,37 @@ +From cdf52f6429f15c5dbae3584535b5ec01f6c4c564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:27 -0500 +Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit") +Signed-off-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +index cf07987ccc10b..140e251094fa4 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +@@ -231,6 +231,7 @@ + rtc: rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch b/queue-6.1/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..2ec91365da --- /dev/null +++ b/queue-6.1/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,38 @@ +From fa879707910c3d8105c73783ac867adbb70b4baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:28 -0500 +Subject: arm64: dts: imx8mn-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit") +Signed-off-by: Adam Ford +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +index 1133cded9be2f..c4b1c6029c9a9 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +@@ -240,6 +240,7 @@ + rtc: rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch b/queue-6.1/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch new file mode 100644 index 0000000000..216aea390a --- /dev/null +++ b/queue-6.1/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch @@ -0,0 +1,110 @@ +From 89d19e14aa08bec8062d8d810ede640fde8d97a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 11:06:15 +0200 +Subject: arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power + domains + +From: AngeloGioacchino Del Regno + +[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ] + +By hardware, the first and second core of the video decoder IP +need the VDEC_SOC to be powered up in order to be able to be +accessed (both internally, by firmware, and externally, by the +kernel). +Similarly, for the video encoder IP, the second core needs the +first core to be powered up in order to be accessible. + +Fix that by reparenting the VDEC1/2 power domains to be children +of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0. + +Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller") +Reviewed-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++----------- + 1 file changed, 27 insertions(+), 23 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +index 274edce5d5e6e..6f92451671355 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +@@ -461,22 +461,6 @@ + #size-cells = <0>; + #power-domain-cells = <1>; + +- power-domain@MT8195_POWER_DOMAIN_VDEC1 { +- reg = ; +- clocks = <&vdecsys CLK_VDEC_LARB1>; +- clock-names = "vdec1-0"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; +- }; +- +- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 { +- reg = ; +- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>; +- clock-names = "venc1-larb"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; +- }; +- + power-domain@MT8195_POWER_DOMAIN_VDOSYS0 { + reg = ; + clocks = <&topckgen CLK_TOP_CFG_VDO0>, +@@ -522,15 +506,25 @@ + clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>; + clock-names = "vdec0-0"; + mediatek,infracfg = <&infracfg_ao>; ++ #address-cells = <1>; ++ #size-cells = <0>; + #power-domain-cells = <0>; +- }; + +- power-domain@MT8195_POWER_DOMAIN_VDEC2 { +- reg = ; +- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>; +- clock-names = "vdec2-0"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; ++ power-domain@MT8195_POWER_DOMAIN_VDEC1 { ++ reg = ; ++ clocks = <&vdecsys CLK_VDEC_LARB1>; ++ clock-names = "vdec1-0"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; ++ ++ power-domain@MT8195_POWER_DOMAIN_VDEC2 { ++ reg = ; ++ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>; ++ clock-names = "vdec2-0"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; + }; + + power-domain@MT8195_POWER_DOMAIN_VENC { +@@ -538,7 +532,17 @@ + clocks = <&vencsys CLK_VENC_LARB>; + clock-names = "venc0-larb"; + mediatek,infracfg = <&infracfg_ao>; ++ #address-cells = <1>; ++ #size-cells = <0>; + #power-domain-cells = <0>; ++ ++ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 { ++ reg = ; ++ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>; ++ clock-names = "venc1-larb"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; + }; + + power-domain@MT8195_POWER_DOMAIN_VDOSYS1 { +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-mt6359-add-missing-compatible-property-to-.patch b/queue-6.1/arm64-dts-mt6359-add-missing-compatible-property-to-.patch new file mode 100644 index 0000000000..5f91a73d32 --- /dev/null +++ b/queue-6.1/arm64-dts-mt6359-add-missing-compatible-property-to-.patch @@ -0,0 +1,41 @@ +From 858e91d3a6c38a92781ad0ce14fc48d477c912f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 15:23:39 +0200 +Subject: arm64: dts: mt6359: Add missing 'compatible' property to regulators + node + +From: Julien Massot + +[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ] + +The 'compatible' property is required by the +'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following +dtb-check error: +mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators: +'compatible' is a required property + +Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes") +Signed-off-by: Julien Massot +Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +index df3e822232d34..ef6ab90b99f93 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +@@ -13,6 +13,8 @@ + }; + + regulators { ++ compatible = "mediatek,mt6359-regulator"; ++ + mt6359_vs1_buck_reg: buck_vs1 { + regulator-name = "vs1"; + regulator-min-microvolt = <800000>; +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch b/queue-6.1/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch new file mode 100644 index 0000000000..4243262b08 --- /dev/null +++ b/queue-6.1/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch @@ -0,0 +1,42 @@ +From f65262c97838b206c9a5159e744a20574939467a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 10:19:58 +0200 +Subject: arm64: dts: mt6359: Rename RTC node to match binding expectations + +From: Julien Massot + +[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ] + +Rename the node 'mt6359rtc' to 'rtc', as required by the binding. + +Fix the following dtb-check error: + +mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match +any of the regexes: 'pinctrl-[0-9]+' + +Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes") +Signed-off-by: Julien Massot +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +index ef6ab90b99f93..29e784bebb69e 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +@@ -293,7 +293,7 @@ + }; + }; + +- mt6359rtc: mt6359rtc { ++ mt6359rtc: rtc { + compatible = "mediatek,mt6358-rtc"; + }; + }; +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch b/queue-6.1/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch new file mode 100644 index 0000000000..7e95baef49 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch @@ -0,0 +1,47 @@ +From edf85b902e598a5e1f2f33deb4ba4697c7762071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 14:51:20 +0300 +Subject: arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning + +From: Alexey Minnekhanov + +[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ] + +If you remove clocks property, you should remove clock-names, too. +Fixes warning with dtbs check: + + 'clocks' is a dependency of 'clock-names' + +Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts +index 28050bc5f0813..502a3481ba284 100644 +--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts ++++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts +@@ -155,6 +155,7 @@ + * BAM DMA interconnects support is in place. + */ + /delete-property/ clocks; ++ /delete-property/ clock-names; + }; + + &blsp1_uart2 { +@@ -167,6 +168,7 @@ + * BAM DMA interconnects support is in place. + */ + /delete-property/ clocks; ++ /delete-property/ clock-names; + }; + + &blsp2_uart1 { +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch b/queue-6.1/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch new file mode 100644 index 0000000000..5c3b3911f6 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch @@ -0,0 +1,38 @@ +From c0eee5307e41d8aeed65e027f60ace25dce56be8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 14:51:19 +0300 +Subject: arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply + +From: Alexey Minnekhanov + +[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ] + +Fixes the following dtbs check error: + + phy@c012000: 'vdda-pll-supply' is a required property + +Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +index 9612671dc5afa..6166099aa0c32 100644 +--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts ++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +@@ -107,6 +107,7 @@ + status = "okay"; + + vdd-supply = <&vreg_l1b_0p925>; ++ vdda-pll-supply = <&vreg_l10a_1p8>; + vdda-phy-dpdm-supply = <&vreg_l7b_3p125>; + }; + +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch b/queue-6.1/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch new file mode 100644 index 0000000000..d6be91e338 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch @@ -0,0 +1,40 @@ +From b3c792de117865f8ff16247e10c1fe4a73330ffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 16:01:01 +0300 +Subject: arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect + GPIO + +From: Alexey Minnekhanov + +[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ] + +During initial porting these cd-gpios were missed. Having card detect is +beneficial because driver does not need to do polling every second and it +can just use IRQ. SD card detection in U-Boot is also fixed by this. + +Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +index a3559f6e34a5e..9612671dc5afa 100644 +--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts ++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +@@ -402,6 +402,8 @@ + &sdhc_2 { + status = "okay"; + ++ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>; ++ + vmmc-supply = <&vreg_l5b_2p95>; + vqmmc-supply = <&vreg_l2b_2p95>; + }; +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch b/queue-6.1/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch new file mode 100644 index 0000000000..3ece2c8d96 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch @@ -0,0 +1,41 @@ +From 2167c31246d0eb1327c60ca1b5d9bdb54f7dddb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 18:27:51 +0800 +Subject: arm64: dts: qcom: sm8250: Fix CPU7 opp table + +From: Xilin Wu + +[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ] + +There is a typo in cpu7_opp9. Fix it to get rid of the following +errors. + +[ 0.198043] cpu cpu7: Voltage update failed freq=1747200 +[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200 + +Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables") +Signed-off-by: Xilin Wu +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index eb500cb67c86c..72ab4ca129459 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -569,7 +569,7 @@ + }; + + cpu7_opp9: opp-1747200000 { +- opp-hz = /bits/ 64 <1708800000>; ++ opp-hz = /bits/ 64 <1747200000>; + opp-peak-kBps = <5412000 42393600>; + }; + +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch b/queue-6.1/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch new file mode 100644 index 0000000000..b24e6d3582 --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch @@ -0,0 +1,67 @@ +From e0e8c0c86b0b58007a8deb33deedeb8cf36048c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 17:18:10 +0200 +Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on + RK3399 Puma with Haikou + +From: Quentin Schulz + +[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ] + +The u2phy0_host port is the part of the USB PHY0 (namely the +HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST +controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG +controller (dwc3), which we do use. + +The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply +disable the USB2.0 controllers. + +USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a +while, one of the recurring issues being that only USB2 is detected and +not USB3 in host mode. Reading the justification above and seeing that +we are keeping u2phy0_host in the Haikou carrierboard DTS probably may +have bothered you since it should be changed to u2phy0_otg. The issue is +that if it's switched to that, USB OTG on Haikou is entirely broken. I +have checked the routing in the Gerber file, the lanes are going to the +expected ball pins (that is, NOT HOST0_DP/DM). +u2phy0_host is for sure the wrong part of the PHY to use, but it's the +only one that works at the moment for that board so keep it until we +figure out what exactly is broken. + +No intended functional change. + +[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf + Chapter 2 USB2.0 PHY + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +index 115c14c0a3c68..396a6636073b5 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -251,14 +251,6 @@ + status = "okay"; + }; + +-&usb_host0_ehci { +- status = "okay"; +-}; +- +-&usb_host0_ohci { +- status = "okay"; +-}; +- + &vopb { + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-6.1/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch b/queue-6.1/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch new file mode 100644 index 0000000000..9dfa5a67d7 --- /dev/null +++ b/queue-6.1/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch @@ -0,0 +1,101 @@ +From 59022304224e2b36e526c0c6f290fe127fd75c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:02 +0100 +Subject: arm64/fpsimd: Discard stale CPU state when handling SME traps + +From: Mark Brown + +[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ] + +The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state +incorrectly, and a race with preemption can result in a task having +TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state +is stale (e.g. with SME traps enabled). This can result in warnings from +do_sme_acc() where SME traps are not expected while TIF_SME is set: + +| /* With TIF_SME userspace shouldn't generate any traps */ +| if (test_and_set_thread_flag(TIF_SME)) +| WARN_ON(1); + +This is very similar to the SVE issue we fixed in commit: + + 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") + +The race can occur when the SME trap handler is preempted before and +after manipulating the saved FPSIMD/SVE/SME state, starting and ending on +the same CPU, e.g. + +| void do_sme_acc(unsigned long esr, struct pt_regs *regs) +| { +| // Trap on CPU 0 with TIF_SME clear, SME traps enabled +| // task->fpsimd_cpu is 0. +| // per_cpu_ptr(&fpsimd_last_state, 0) is task. +| +| ... +| +| // Preempted; migrated from CPU 0 to CPU 1. +| // TIF_FOREIGN_FPSTATE is set. +| +| get_cpu_fpsimd_context(); +| +| /* With TIF_SME userspace shouldn't generate any traps */ +| if (test_and_set_thread_flag(TIF_SME)) +| WARN_ON(1); +| +| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { +| unsigned long vq_minus_one = +| sve_vq_from_vl(task_get_sme_vl(current)) - 1; +| sme_set_vq(vq_minus_one); +| +| fpsimd_bind_task_to_cpu(); +| } +| +| put_cpu_fpsimd_context(); +| +| // Preempted; migrated from CPU 1 to CPU 0. +| // task->fpsimd_cpu is still 0 +| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: +| // - Stale HW state is reused (with SME traps enabled) +| // - TIF_FOREIGN_FPSTATE is cleared +| // - A return to userspace skips HW state restore +| } + +Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set +by calling fpsimd_flush_task_state() to detach from the saved CPU +state. This ensures that a subsequent context switch will not reuse the +stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the +new state to be reloaded from memory prior to a return to userspace. + +Note: this was originallly posted as [1]. + +Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME") +Reported-by: Mark Rutland +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/ +[ Rutland: rewrite commit message ] +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Will Deacon +Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index b3e101a7d04f8..235131db8b8db 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1504,6 +1504,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs) + sme_set_vq(vq_minus_one); + + fpsimd_bind_task_to_cpu(); ++ } else { ++ fpsimd_flush_task_state(current); + } + + put_cpu_fpsimd_context(); +-- +2.39.5 + diff --git a/queue-6.1/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch b/queue-6.1/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch new file mode 100644 index 0000000000..099bb4097a --- /dev/null +++ b/queue-6.1/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch @@ -0,0 +1,105 @@ +From d5e56fff82e61f16458e43b8ada8ccef1edc5696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:06 +0100 +Subject: arm64/fpsimd: Fix merging of FPSIMD state during signal return + +From: Mark Rutland + +[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ] + +For backwards compatibility reasons, when a signal return occurs which +restores SVE state, the effective lower 128 bits of each of the SVE +vector registers are restored from the corresponding FPSIMD vector +register in the FPSIMD signal frame, overriding the values in the SVE +signal frame. This is intended to be the case regardless of streaming +mode. + +To make this happen, restore_sve_fpsimd_context() uses +fpsimd_update_current_state() to merge the lower 128 bits from the +FPSIMD signal frame into the SVE register state. Unfortunately, +fpsimd_update_current_state() performs this merging dependent upon +TIF_SVE, which is not always correct for streaming SVE register state: + +* When restoring non-streaming SVE register state there is no observable + problem, as the signal return code configures TIF_SVE and the saved + fp_type to match before calling fpsimd_update_current_state(), which + observes either: + + - TIF_SVE set AND fp_type == FP_STATE_SVE + - TIF_SVE clear AND fp_type == FP_STATE_FPSIMD + +* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the + merging will never happen for the streaming SVE register state. + +* On systems which have SVE and SME, TIF_SVE can be set and cleared + independently of PSTATE.SM. Thus the merging may or may not happen for + streaming SVE register state. + + As TIF_SVE can be cleared non-deterministically during syscalls + (including at the start of sigreturn()), the merging may occur + non-deterministically from the perspective of userspace. + +This logic has been broken since its introduction in commit: + + 85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling") + +... at which point both fpsimd_signal_preserve_current_state() and +fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1 +and TIF_SVE was clear, signal delivery would place stale FPSIMD state +into the FPSIMD signal frame, and signal return would not merge this +into the restored register state. + +Subsequently, signal delivery was fixed as part of commit: + + 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state") + +... but signal restore was not given a corresponding fix, and when +TIF_SVE was clear, signal restore would still fail to merge the FPSIMD +state into the restored SVE register state. The 'Fixes' tag did not +indicate that this had been broken since its introduction. + +Fix this by merging the FPSIMD state dependent upon the saved fp_type, +matching what we (currently) do during signal delivery. + +As described above, when backporting this commit, it will also be +necessary to backport commit: + + 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state") + +... and prior to commit: + + baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE") + +... it will be necessary for fpsimd_signal_preserve_current_state() and +fpsimd_update_current_state() to consider both TIF_SVE and +thread_sm_enabled(¤t->thread), in place of the saved fp_type. + +Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling") +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 235131db8b8db..837d1937300a5 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1783,7 +1783,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state) + get_cpu_fpsimd_context(); + + current->thread.uw.fpsimd_state = *state; +- if (test_thread_flag(TIF_SVE)) ++ if (current->thread.fp_type == FP_STATE_SVE) + fpsimd_to_sve(current); + + task_fpsimd_load(); +-- +2.39.5 + diff --git a/queue-6.1/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch b/queue-6.1/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch new file mode 100644 index 0000000000..a47516334c --- /dev/null +++ b/queue-6.1/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch @@ -0,0 +1,56 @@ +From 6452689bd17146154ad6ad3d0ecae343fc7aaabc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:47:54 +0000 +Subject: arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kornel Dulęba + +[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ] + +When the 52-bit virtual addressing was introduced the select like +ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it. +Because of that the rnd max bits knob is set to the default value of 18 +when ARM64_VA_BITS=52. +Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would +be used if 48-bit addressing was used. Higher values can't used here +because 52-bit addressing is used only if the caller provides a hint to +mmap, with a fallback to 48-bit. The knob in question is an upper bound +for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn +is used to determine how many random bits can be inserted into the base +address used for mmap allocations. Since 48-bit allocations are legal +with ARM64_VA_BITS=52, we need to make sure that the base address is +small enough to facilitate this. + +Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs") +Signed-off-by: Kornel Dulęba +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 57b437ed09747..6bb23a041e328 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -280,9 +280,9 @@ config ARCH_MMAP_RND_BITS_MAX + default 24 if ARM64_VA_BITS=39 + default 27 if ARM64_VA_BITS=42 + default 30 if ARM64_VA_BITS=47 +- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES +- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES +- default 33 if ARM64_VA_BITS=48 ++ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES ++ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES ++ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) + default 14 if ARM64_64K_PAGES + default 16 if ARM64_16K_PAGES + default 18 +-- +2.39.5 + diff --git a/queue-6.1/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch b/queue-6.1/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch new file mode 100644 index 0000000000..32b3cc1cc1 --- /dev/null +++ b/queue-6.1/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch @@ -0,0 +1,70 @@ +From be7c0e274f241319128c94c3f8c4d2284cf8e685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 May 2025 20:50:46 +1000 +Subject: ASoC: apple: mca: Constrain channels according to TDM mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ] + +We don't (and can't) configure the hardware correctly if the number of +channels exceeds the weight of the TDM mask. Report that constraint in +startup of FE. + +Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver") +Signed-off-by: Martin PoviÅ¡er +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/apple/mca.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c +index 64750db9b9639..409b3a716ccbc 100644 +--- a/sound/soc/apple/mca.c ++++ b/sound/soc/apple/mca.c +@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit, + return -EINVAL; + } + ++static int mca_fe_startup(struct snd_pcm_substream *substream, ++ struct snd_soc_dai *dai) ++{ ++ struct mca_cluster *cl = mca_dai_to_cluster(dai); ++ unsigned int mask, nchannels; ++ ++ if (cl->tdm_slots) { ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ mask = cl->tdm_tx_mask; ++ else ++ mask = cl->tdm_rx_mask; ++ ++ nchannels = hweight32(mask); ++ } else { ++ nchannels = 2; ++ } ++ ++ return snd_pcm_hw_constraint_minmax(substream->runtime, ++ SNDRV_PCM_HW_PARAM_CHANNELS, ++ 1, nchannels); ++} ++ + static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask, + unsigned int rx_mask, int slots, int slot_width) + { +@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream, + } + + static const struct snd_soc_dai_ops mca_fe_ops = { ++ .startup = mca_fe_startup, + .set_fmt = mca_fe_set_fmt, + .set_bclk_ratio = mca_set_bclk_ratio, + .set_tdm_slot = mca_fe_set_tdm_slot, +-- +2.39.5 + diff --git a/queue-6.1/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch b/queue-6.1/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch new file mode 100644 index 0000000000..8c3d34cc3d --- /dev/null +++ b/queue-6.1/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch @@ -0,0 +1,60 @@ +From a657c7550be559ae49970fbf863ce059f091c1ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:10:17 +0200 +Subject: ASoC: codecs: hda: Fix RPM usage count underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ] + +RPM manipulation in hda_codec_probe_complete()'s error path is +superfluous and leads to RPM usage count underflow if the +build-controls operation fails. + +hda_codec_probe_complete() is called in: + +1) hda_codec_probe() for all non-HDMI codecs +2) in card->late_probe() for HDMI codecs + +Error path for hda_codec_probe() takes care of bus' RPM already. +For 2) if late_probe() fails, ASoC performs card cleanup what +triggers hda_codec_remote() - same treatment is in 1). + +Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver") +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hda.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c +index 61e8e9be6b8d7..bd81572a6775b 100644 +--- a/sound/soc/codecs/hda.c ++++ b/sound/soc/codecs/hda.c +@@ -149,7 +149,7 @@ int hda_codec_probe_complete(struct hda_codec *codec) + ret = snd_hda_codec_build_controls(codec); + if (ret < 0) { + dev_err(&hdev->dev, "unable to create controls %d\n", ret); +- goto out; ++ return ret; + } + + /* Bus suspended codecs as it does not manage their pm */ +@@ -157,7 +157,7 @@ int hda_codec_probe_complete(struct hda_codec *codec) + /* rpm was forbidden in snd_hda_codec_device_new() */ + snd_hda_codec_set_power_save(codec, 2000); + snd_hda_codec_register(codec); +-out: ++ + /* Complement pm_runtime_get_sync(bus) in probe */ + pm_runtime_mark_last_busy(bus->dev); + pm_runtime_put_autosuspend(bus->dev); +-- +2.39.5 + diff --git a/queue-6.1/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch b/queue-6.1/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch new file mode 100644 index 0000000000..22a7f0762c --- /dev/null +++ b/queue-6.1/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch @@ -0,0 +1,45 @@ +From 27c822220bdaebd19874afd1c689733a19fc7d0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:10:18 +0200 +Subject: ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ] + +The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification +shall cancel any D0IX work before proceeding with DSP recovery. If +SET_D0IX called from delayed_work is the failing IPC the procedure will +deadlock. Conditionally skip cancelling the work to fix that. + +Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support") +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/ipc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c +index 306f0dc4eaf58..2e76aba7338e8 100644 +--- a/sound/soc/intel/avs/ipc.c ++++ b/sound/soc/intel/avs/ipc.c +@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg + + dev_crit(adev->dev, "communication severed, rebooting dsp..\n"); + +- cancel_delayed_work_sync(&ipc->d0ix_work); ++ /* Avoid deadlock as the exception may be the response to SET_D0IX. */ ++ if (current_work() != &ipc->d0ix_work.work) ++ cancel_delayed_work_sync(&ipc->d0ix_work); + ipc->in_d0ix = false; + /* Re-enabled on recovery completion. */ + pm_runtime_disable(adev->dev); +-- +2.39.5 + diff --git a/queue-6.1/asoc-tas2764-enable-main-irqs.patch b/queue-6.1/asoc-tas2764-enable-main-irqs.patch new file mode 100644 index 0000000000..b3e27205b1 --- /dev/null +++ b/queue-6.1/asoc-tas2764-enable-main-irqs.patch @@ -0,0 +1,41 @@ +From 1d036d490b5407d26c95eab7976b761f863f5bc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 09:15:08 +1000 +Subject: ASoC: tas2764: Enable main IRQs + +From: Hector Martin + +[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ] + +IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ +handling") however that same commit masks all interrupts coming from +the chip. Unmask the "main" interrupts so that we can see and +deal with a number of errors including clock, voltage, and current. + +Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling") +Reviewed-by: Neal Gompa +Signed-off-by: Hector Martin +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2764.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c +index 10f0f07b90ff2..8baf92abcf000 100644 +--- a/sound/soc/codecs/tas2764.c ++++ b/sound/soc/codecs/tas2764.c +@@ -542,7 +542,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component) + tas2764_reset(tas2764); + + if (tas2764->irq) { +- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff); ++ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00); + if (ret < 0) + return ret; + +-- +2.39.5 + diff --git a/queue-6.1/backlight-pm8941-add-null-check-in-wled_configure.patch b/queue-6.1/backlight-pm8941-add-null-check-in-wled_configure.patch new file mode 100644 index 0000000000..b962516d9a --- /dev/null +++ b/queue-6.1/backlight-pm8941-add-null-check-in-wled_configure.patch @@ -0,0 +1,47 @@ +From 12fbe0a94583e53999d7dce554c7647ab68b3bd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:16:47 +0800 +Subject: backlight: pm8941: Add NULL check in wled_configure() + +From: Henry Martin + +[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +wled_configure() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Henry Martin +Reviewed-by: Dmitry Baryshkov +Reviewed-by: "Daniel Thompson (RISCstar)" +Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 527210e857959..434c6c499fdef 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled) + wled->ctrl_addr = be32_to_cpu(*prop_addr); + + rc = of_property_read_string(dev->of_node, "label", &wled->name); +- if (rc) ++ if (rc) { + wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node); +- ++ if (!wled->name) ++ return -ENOMEM; ++ } + switch (wled->version) { + case 3: + u32_opts = wled3_opts; +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch b/queue-6.1/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch new file mode 100644 index 0000000000..10a5195d74 --- /dev/null +++ b/queue-6.1/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch @@ -0,0 +1,40 @@ +From 3c59dcacd331fa916fd3e360b2f70ba9297806fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 14:53:11 -0400 +Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION + +From: Luiz Augusto von Dentz + +[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ] + +Depending on the security set the response to L2CAP_LE_CONN_REQ shall be +just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM +is selected since that means security mode 2 which doesn't require +authentication which is something that is covered in the qualification +test L2CAP/LE/CFC/BV-25-C. + +Link: https://github.com/bluez/bluez/issues/1270 +Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index cb9b1edfcea2a..550c3da6f3910 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5883,7 +5883,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + + if (!smp_sufficient_security(conn->hcon, pchan->sec_level, + SMP_ALLOW_STK)) { +- result = L2CAP_CR_LE_AUTHENTICATION; ++ result = pchan->sec_level == BT_SECURITY_MEDIUM ? ++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION; + chan = NULL; + goto response_unlock; + } +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch b/queue-6.1/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch new file mode 100644 index 0000000000..2c1deb8148 --- /dev/null +++ b/queue-6.1/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch @@ -0,0 +1,36 @@ +From d6bd6b1809da36f705a67abb5061807d11fe8d0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 11:42:30 +0300 +Subject: Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() + +From: Dmitry Antipov + +[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ] + +In 'mgmt_mesh_foreach()', iterate over mesh commands +rather than generic mgmt ones. Compile tested only. + +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Signed-off-by: Dmitry Antipov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c +index 0115f783bde80..17e32605d9b00 100644 +--- a/net/bluetooth/mgmt_util.c ++++ b/net/bluetooth/mgmt_util.c +@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev, + { + struct mgmt_mesh_tx *mesh_tx, *tmp; + +- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) { ++ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) { + if (!sk || mesh_tx->sk == sk) + cb(mesh_tx, data); + } +-- +2.39.5 + diff --git a/queue-6.1/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch b/queue-6.1/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch new file mode 100644 index 0000000000..0950ca1d85 --- /dev/null +++ b/queue-6.1/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch @@ -0,0 +1,57 @@ +From b7f7cab7e9aa03a34b171eabb4efc2aeeec126af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 21:33:58 +0800 +Subject: bpf: Avoid __bpf_prog_ret0_warn when jit fails + +From: KaFai Wan + +[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 +Modules linked in: +CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 +RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 +Call Trace: + + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105 + ... + +When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. +This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set +and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, +but jit failed due to FAULT_INJECTION. As a result, incorrectly +treats the program as valid, when the program runs it calls +`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1). + +Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com +Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits") +Signed-off-by: KaFai Wan +Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index c281f5b8705e1..2ed1d00bede0b 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2209,7 +2209,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) + /* In case of BPF to BPF calls, verifier did all the prep + * work with regards to JITing, etc. + */ +- bool jit_needed = false; ++ bool jit_needed = fp->jit_requested; + + if (fp->bpf_func) + goto finalize; +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-ktls-panic-with-sockmap.patch b/queue-6.1/bpf-fix-ktls-panic-with-sockmap.patch new file mode 100644 index 0000000000..6e98263458 --- /dev/null +++ b/queue-6.1/bpf-fix-ktls-panic-with-sockmap.patch @@ -0,0 +1,123 @@ +From 9d07e9a4cf14fe7d95270f818f0a60e77ac776df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 13:20:14 +0800 +Subject: bpf: fix ktls panic with sockmap + +From: Jiayuan Chen + +[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ] + +[ 2172.936997] ------------[ cut here ]------------ +[ 2172.936999] kernel BUG at lib/iov_iter.c:629! +...... +[ 2172.944996] PKRU: 55555554 +[ 2172.945155] Call Trace: +[ 2172.945299] +[ 2172.945428] ? die+0x36/0x90 +[ 2172.945601] ? do_trap+0xdd/0x100 +[ 2172.945795] ? iov_iter_revert+0x178/0x180 +[ 2172.946031] ? iov_iter_revert+0x178/0x180 +[ 2172.946267] ? do_error_trap+0x7d/0x110 +[ 2172.946499] ? iov_iter_revert+0x178/0x180 +[ 2172.946736] ? exc_invalid_op+0x50/0x70 +[ 2172.946961] ? iov_iter_revert+0x178/0x180 +[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20 +[ 2172.947446] ? iov_iter_revert+0x178/0x180 +[ 2172.947683] ? iov_iter_revert+0x5c/0x180 +[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840 +[ 2172.948206] tls_sw_sendmsg+0x52/0x80 +[ 2172.948420] ? inet_sendmsg+0x1f/0x70 +[ 2172.948634] __sys_sendto+0x1cd/0x200 +[ 2172.948848] ? find_held_lock+0x2b/0x80 +[ 2172.949072] ? syscall_trace_enter+0x140/0x270 +[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170 +[ 2172.949595] ? find_held_lock+0x2b/0x80 +[ 2172.949817] ? syscall_trace_enter+0x140/0x270 +[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190 +[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0 +[ 2172.951036] __x64_sys_sendto+0x24/0x30 +[ 2172.951382] do_syscall_64+0x90/0x170 +...... + +After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, +e.g., when the BPF program executes bpf_msg_push_data(). + +If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, +it will return -ENOSPC and attempt to roll back to the non-zero copy +logic. However, during rollback, msg->msg_iter is reset, but since +msg_pl->sg.size has been increased, subsequent executions will exceed the +actual size of msg_iter. +''' +iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); +''' + +The changes in this commit are based on the following considerations: + +1. When cork_bytes is set, rolling back to non-zero copy logic is +pointless and can directly go to zero-copy logic. + +2. We can not calculate the correct number of bytes to revert msg_iter. + +Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes +by the BPF program, it becomes 11-byte data: "abc?de?fgh?". +Then, we set cork_bytes to 6, which means the first 6 bytes have been +processed, and the remaining 5 bytes "?fgh?" will be cached until the +length meets the cork_bytes requirement. + +However, some data in "?fgh?" is not within 'sg->msg_iter' +(but in msg_pl instead), especially the data "?" we pushed. + +So it doesn't seem as simple as just reverting through an offset of +msg_iter. + +3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs, +the user-space send() doesn't return an error, and the returned length is +the same as the input length parameter, even if some data is cached. + +Additionally, I saw that the current non-zero-copy logic for handling +corking is written as: +''' +line 1177 +else if (ret != -EAGAIN) { + if (ret == -ENOSPC) + ret = 0; + goto send_end; +''' + +So it's ok to just return 'copied' without error when a "cork" situation +occurs. + +Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF") +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Signed-off-by: Jiayuan Chen +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 5310441240e70..af820ae9b1a52 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1075,9 +1075,13 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + num_async++; + else if (ret == -ENOMEM) + goto wait_for_memory; +- else if (ctx->open_rec && ret == -ENOSPC) ++ else if (ctx->open_rec && ret == -ENOSPC) { ++ if (msg_pl->cork_bytes) { ++ ret = 0; ++ goto send_end; ++ } + goto rollback_iter; +- else if (ret != -EAGAIN) ++ } else if (ret != -EAGAIN) + goto send_end; + } + continue; +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch b/queue-6.1/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch new file mode 100644 index 0000000000..877c42a508 --- /dev/null +++ b/queue-6.1/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch @@ -0,0 +1,58 @@ +From 49ad319bae9bf6630ef97b8ada146119f28fece4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 19:30:31 +0000 +Subject: bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ + +From: Anton Protopopov + +[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ] + +With the latest LLVM bpf selftests build will fail with +the following error message: + + progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe] + 710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val); + | ^ + tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ' + 520 | ___type((src), a, ##__VA_ARGS__) __r; \ + | ^ + +This happens because BPF_CORE_READ (and other macro) declare the +variable __r using the ___type macro which can inherit const modifier +from intermediate types. + +Fix this by using __typeof_unqual__, when supported. (And when it +is not supported, the problem shouldn't appear, as older compilers +haven't complained.) + +Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros") +Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_core_read.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h +index 41740ae8aad73..18c2ab57a9bff 100644 +--- a/tools/lib/bpf/bpf_core_read.h ++++ b/tools/lib/bpf/bpf_core_read.h +@@ -312,7 +312,13 @@ enum bpf_enum_value_kind { + #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j + #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__) + ++#if defined(__clang__) && (__clang_major__ >= 19) ++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__)) ++#elif defined(__GNUC__) && (__GNUC__ >= 14) ++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__)) ++#else + #define ___type(...) typeof(___arrow(__VA_ARGS__)) ++#endif + + #define ___read(read_fn, dst, src_type, src, accessor) \ + read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor) +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch b/queue-6.1/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch new file mode 100644 index 0000000000..44541dc21a --- /dev/null +++ b/queue-6.1/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch @@ -0,0 +1,86 @@ +From 6ad9cfe2dc691bc726a950da36f3a083d2970ffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:27:47 +0800 +Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs + +From: Tao Chen + +[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +Modules linked in: +CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c +RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 +RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 +R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 +R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 +FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] + bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] + bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 + __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47 + __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 + __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 + __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] + mmap_read_trylock include/linux/mmap_lock.h:204 [inline] + stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 + __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 + ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline] + bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] + bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + +Tracepoint like trace_mmap_lock_acquire_returned may cause nested call +as the corner case show above, which will be resolved with more general +method in the future. As a result, WARN_ON_ONCE will be triggered. As +Alexei suggested, remove the WARN_ON_ONCE first. + +Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data") +Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com +Suggested-by: Alexei Starovoitov +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev + +Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 7254c808b27c1..243122ca56793 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1797,7 +1797,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void) + struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs); + int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level); + +- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) { ++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) { + this_cpu_dec(bpf_raw_tp_nest_level); + return ERR_PTR(-EBUSY); + } +-- +2.39.5 + diff --git a/queue-6.1/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch b/queue-6.1/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch new file mode 100644 index 0000000000..b6e0819726 --- /dev/null +++ b/queue-6.1/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch @@ -0,0 +1,125 @@ +From 18594c69c73441af90e7fffb2020c9efb1cbd65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 22:17:12 +0800 +Subject: bpf, sockmap: Avoid using sk_socket after free when sending + +From: Jiayuan Chen + +[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ] + +The sk->sk_socket is not locked or referenced in backlog thread, and +during the call to skb_send_sock(), there is a race condition with +the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) +will be affected. + +Race conditions: +''' +CPU0 CPU1 + +backlog::skb_send_sock + sendmsg_unlocked + sock_sendmsg + sock_sendmsg_nosec + close(fd): + ... + ops->release() -> sock_map_close() + sk_socket->ops = NULL + free(socket) + sock->ops->sendmsg + ^ + panic here +''' + +The ref of psock become 0 after sock_map_close() executed. +''' +void sock_map_close() +{ + ... + if (likely(psock)) { + ... + // !! here we remove psock and the ref of psock become 0 + sock_map_remove_links(sk, psock) + psock = sk_psock_get(sk); + if (unlikely(!psock)) + goto no_psock; <=== Control jumps here via goto + ... + cancel_delayed_work_sync(&psock->work); <=== not executed + sk_psock_put(sk, psock); + ... +} +''' + +Based on the fact that we already wait for the workqueue to finish in +sock_map_close() if psock is held, we simply increase the psock +reference count to avoid race conditions. + +With this patch, if the backlog thread is running, sock_map_close() will +wait for the backlog thread to complete and cancel all pending work. + +If no backlog running, any pending work that hasn't started by then will +fail when invoked by sk_psock_get(), as the psock reference count have +been zeroed, and sk_psock_drop() will cancel all jobs via +cancel_delayed_work_sync(). + +In summary, we require synchronization to coordinate the backlog thread +and close() thread. + +The panic I catched: +''' +Workqueue: events sk_psock_backlog +RIP: 0010:sock_sendmsg+0x21d/0x440 +RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 +... +Call Trace: + + ? die_addr+0x40/0xa0 + ? exc_general_protection+0x14c/0x230 + ? asm_exc_general_protection+0x26/0x30 + ? sock_sendmsg+0x21d/0x440 + ? sock_sendmsg+0x3e0/0x440 + ? __pfx_sock_sendmsg+0x10/0x10 + __skb_send_sock+0x543/0xb70 + sk_psock_backlog+0x247/0xb80 +... +''' + +Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put") +Reported-by: Michal Luczaj +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 0613f9a2543bb..e5ba57a5db126 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -654,6 +654,13 @@ static void sk_psock_backlog(struct work_struct *work) + bool ingress; + int ret; + ++ /* Increment the psock refcnt to synchronize with close(fd) path in ++ * sock_map_close(), ensuring we wait for backlog thread completion ++ * before sk_socket freed. If refcnt increment fails, it indicates ++ * sock_map_close() completed with sk_socket potentially already freed. ++ */ ++ if (!sk_psock_get(psock->sk)) ++ return; + mutex_lock(&psock->work_mutex); + while ((skb = skb_peek(&psock->ingress_skb))) { + len = skb->len; +@@ -705,6 +712,7 @@ static void sk_psock_backlog(struct work_struct *work) + } + end: + mutex_unlock(&psock->work_mutex); ++ sk_psock_put(psock->sk, psock); + } + + struct sk_psock *sk_psock_init(struct sock *sk, int node) +-- +2.39.5 + diff --git a/queue-6.1/bpf-sockmap-fix-duplicated-data-transmission.patch b/queue-6.1/bpf-sockmap-fix-duplicated-data-transmission.patch new file mode 100644 index 0000000000..f877f04f79 --- /dev/null +++ b/queue-6.1/bpf-sockmap-fix-duplicated-data-transmission.patch @@ -0,0 +1,68 @@ +From bb1589f3f285f78ff099dea188ba964cb604f153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:21 +0800 +Subject: bpf, sockmap: fix duplicated data transmission + +From: Jiayuan Chen + +[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ] + +In the !ingress path under sk_psock_handle_skb(), when sending data to the +remote under snd_buf limitations, partial skb data might be transmitted. + +Although we preserved the partial transmission state (offset/length), the +state wasn't properly consumed during retries. This caused the retry path +to resend the entire skb data instead of continuing from the previous +offset, resulting in data overlap at the receiver side. + +Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue") +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 5a790cd1121b1..72f4949cbb70f 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -654,11 +654,6 @@ static void sk_psock_backlog(struct work_struct *work) + int ret; + + mutex_lock(&psock->work_mutex); +- if (unlikely(state->len)) { +- len = state->len; +- off = state->off; +- } +- + while ((skb = skb_peek(&psock->ingress_skb))) { + len = skb->len; + off = 0; +@@ -668,6 +663,13 @@ static void sk_psock_backlog(struct work_struct *work) + off = stm->offset; + len = stm->full_len; + } ++ ++ /* Resume processing from previous partial state */ ++ if (unlikely(state->len)) { ++ len = state->len; ++ off = state->off; ++ } ++ + ingress = skb_bpf_ingress(skb); + skb_bpf_redirect_clear(skb); + do { +@@ -695,6 +697,8 @@ static void sk_psock_backlog(struct work_struct *work) + len -= ret; + } while (len); + ++ /* The entire skb sent, clear state */ ++ sk_psock_skb_state(psock, state, 0, 0); + skb = skb_dequeue(&psock->ingress_skb); + kfree_skb(skb); + } +-- +2.39.5 + diff --git a/queue-6.1/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch b/queue-6.1/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch new file mode 100644 index 0000000000..be4ef8f0d3 --- /dev/null +++ b/queue-6.1/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch @@ -0,0 +1,198 @@ +From 5e808cc8ab1d3e2c76b98739a99718d3391d0902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:22 +0800 +Subject: bpf, sockmap: Fix panic when calling skb_linearize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiayuan Chen + +[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ] + +The panic can be reproduced by executing the command: +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000 + +Then a kernel panic was captured: +''' +[ 657.460555] kernel BUG at net/core/skbuff.c:2178! +[ 657.462680] Tainted: [W]=WARN +[ 657.463287] Workqueue: events sk_psock_backlog +... +[ 657.469610] +[ 657.469738] ? die+0x36/0x90 +[ 657.469916] ? do_trap+0x1d0/0x270 +[ 657.470118] ? pskb_expand_head+0x612/0xf40 +[ 657.470376] ? pskb_expand_head+0x612/0xf40 +[ 657.470620] ? do_error_trap+0xa3/0x170 +[ 657.470846] ? pskb_expand_head+0x612/0xf40 +[ 657.471092] ? handle_invalid_op+0x2c/0x40 +[ 657.471335] ? pskb_expand_head+0x612/0xf40 +[ 657.471579] ? exc_invalid_op+0x2d/0x40 +[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20 +[ 657.472052] ? pskb_expand_head+0xd1/0xf40 +[ 657.472292] ? pskb_expand_head+0x612/0xf40 +[ 657.472540] ? lock_acquire+0x18f/0x4e0 +[ 657.472766] ? find_held_lock+0x2d/0x110 +[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10 +[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470 +[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10 +[ 657.473826] __pskb_pull_tail+0xfd/0x1d20 +[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90 +[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510 +[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0 +[ 657.476010] sk_psock_backlog+0x5cf/0xd70 +[ 657.476637] process_one_work+0x858/0x1a20 +''' + +The panic originates from the assertion BUG_ON(skb_shared(skb)) in +skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() +to avoid race conditions between skb operations in the backlog and skb +release in the recvmsg path. However, this caused the panic to always +occur when skb_linearize is executed. + +The "--rx-strp 100000" parameter forces the RX path to use the strparser +module which aggregates data until it reaches 100KB before calling sockmap +logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize. + +To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue. + +''' +sk_psock_backlog: + sk_psock_handle_skb + skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue' + sk_psock_skb_ingress____________ + ↓ + | + | → sk_psock_skb_ingress_self + | sk_psock_skb_ingress_enqueue +sk_psock_verdict_apply_________________↑ skb_linearize +''' + +Note that for verdict_apply path, the skb_get operation is unnecessary so +we add 'take_ref' param to control it's behavior. + +Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes") +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 72f4949cbb70f..0613f9a2543bb 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -528,16 +528,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + u32 off, u32 len, + struct sk_psock *psock, + struct sock *sk, +- struct sk_msg *msg) ++ struct sk_msg *msg, ++ bool take_ref) + { + int num_sge, copied; + ++ /* skb_to_sgvec will fail when the total number of fragments in ++ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the ++ * caller may aggregate multiple skbs. ++ */ + num_sge = skb_to_sgvec(skb, msg->sg.data, off, len); + if (num_sge < 0) { + /* skb linearize may fail with ENOMEM, but lets simply try again + * later if this happens. Under memory pressure we don't want to + * drop the skb. We need to linearize the skb so that the mapping + * in skb_to_sgvec can not error. ++ * Note that skb_linearize requires the skb not to be shared. + */ + if (skb_linearize(skb)) + return -EAGAIN; +@@ -554,7 +560,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + msg->sg.start = 0; + msg->sg.size = copied; + msg->sg.end = num_sge; +- msg->skb = skb; ++ msg->skb = take_ref ? skb_get(skb) : skb; + + sk_psock_queue_msg(psock, msg); + sk_psock_data_ready(sk, psock); +@@ -562,7 +568,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + } + + static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, +- u32 off, u32 len); ++ u32 off, u32 len, bool take_ref); + + static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + u32 off, u32 len) +@@ -576,7 +582,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * correctly. + */ + if (unlikely(skb->sk == sk)) +- return sk_psock_skb_ingress_self(psock, skb, off, len); ++ return sk_psock_skb_ingress_self(psock, skb, off, len, true); + msg = sk_psock_create_ingress_msg(sk, skb); + if (!msg) + return -EAGAIN; +@@ -588,7 +594,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * into user buffers. + */ + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true); + if (err < 0) + kfree(msg); + return err; +@@ -599,7 +605,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * because the skb is already accounted for here. + */ + static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, +- u32 off, u32 len) ++ u32 off, u32 len, bool take_ref) + { + struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC); + struct sock *sk = psock->sk; +@@ -608,7 +614,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + if (unlikely(!msg)) + return -EAGAIN; + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref); + if (err < 0) + kfree(msg); + return err; +@@ -617,18 +623,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, + u32 off, u32 len, bool ingress) + { +- int err = 0; +- + if (!ingress) { + if (!sock_writeable(psock->sk)) + return -EAGAIN; + return skb_send_sock(psock->sk, skb, off, len); + } +- skb_get(skb); +- err = sk_psock_skb_ingress(psock, skb, off, len); +- if (err < 0) +- kfree_skb(skb); +- return err; ++ ++ return sk_psock_skb_ingress(psock, skb, off, len); + } + + static void sk_psock_skb_state(struct sk_psock *psock, +@@ -1016,7 +1017,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + off = stm->offset; + len = stm->full_len; + } +- err = sk_psock_skb_ingress_self(psock, skb, off, len); ++ err = sk_psock_skb_ingress_self(psock, skb, off, len, false); + } + if (err < 0) { + spin_lock_bh(&psock->ingress_lock); +-- +2.39.5 + diff --git a/queue-6.1/bus-fsl-mc-fix-double-free-on-mc_dev.patch b/queue-6.1/bus-fsl-mc-fix-double-free-on-mc_dev.patch new file mode 100644 index 0000000000..87dfcf6b65 --- /dev/null +++ b/queue-6.1/bus-fsl-mc-fix-double-free-on-mc_dev.patch @@ -0,0 +1,52 @@ +From 5ded99dc49b086207281276886a3eac804ba71e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:09 +0300 +Subject: bus: fsl-mc: fix double-free on mc_dev + +From: Ioana Ciornei + +[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ] + +The blamed commit tried to simplify how the deallocations are done but, +in the process, introduced a double-free on the mc_dev variable. + +In case the MC device is a DPRC, a new mc_bus is allocated and the +mc_dev variable is just a reference to one of its fields. In this +circumstance, on the error path only the mc_bus should be freed. + +This commit introduces back the following checkpatch warning which is a +false-positive. + +WARNING: kfree(NULL) is safe and this check is probably not required ++ if (mc_bus) ++ kfree(mc_bus); + +Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations") +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c +index 6143dbf31f311..6e4556530df58 100644 +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -910,8 +910,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, + + error_cleanup_dev: + kfree(mc_dev->regions); +- kfree(mc_bus); +- kfree(mc_dev); ++ if (mc_bus) ++ kfree(mc_bus); ++ else ++ kfree(mc_dev); + + return error; + } +-- +2.39.5 + diff --git a/queue-6.1/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch b/queue-6.1/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch new file mode 100644 index 0000000000..3b0bd4901b --- /dev/null +++ b/queue-6.1/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch @@ -0,0 +1,108 @@ +From 0ed2fcb77a5272b90423b42b1a1747fe26d8c286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:18:56 -0700 +Subject: calipso: Don't call calipso functions for AF_INET sk. + +From: Kuniyuki Iwashima + +[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ] + +syzkaller reported a null-ptr-deref in txopt_get(). [0] + +The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, +so struct ipv6_pinfo was NULL there. + +However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 +is always set in inet6_create(), meaning the socket was not IPv6 one. + +The root cause is missing validation in netlbl_conn_setattr(). + +netlbl_conn_setattr() switches branches based on struct +sockaddr.sa_family, which is passed from userspace. However, +netlbl_conn_setattr() does not check if the address family matches +the socket. + +The syzkaller must have called connect() for an IPv6 address on +an IPv4 socket. + +We have a proper validation in tcp_v[46]_connect(), but +security_socket_connect() is called in the earlier stage. + +Let's copy the validation to netlbl_conn_setattr(). + +[0]: +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] +RIP: 0010: +Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 +RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 +RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c +RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 +RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e +R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 +R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 +FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 +PKRU: 80000000 +Call Trace: + + calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 + netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 + selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 + selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] + selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 + selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 + security_socket_connect+0x50/0xa0 security/security.c:4598 + __sys_connect_file+0xa4/0x190 net/socket.c:2067 + __sys_connect+0x12c/0x170 net/socket.c:2088 + __do_sys_connect net/socket.c:2098 [inline] + __se_sys_connect net/socket.c:2095 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:2095 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f901b61a12d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d +RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 +RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 + +Modules linked in: + +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Reported-by: syzkaller +Reported-by: John Cheung +Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_kapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c +index 27511c90a26f4..75b645c1928db 100644 +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk, + break; + #if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: ++ if (sk->sk_family != AF_INET6) ++ return -EAFNOSUPPORT; ++ + addr6 = (struct sockaddr_in6 *)addr; + entry = netlbl_domhsh_getentry_af6(secattr->domain, + &addr6->sin6_addr); +-- +2.39.5 + diff --git a/queue-6.1/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch b/queue-6.1/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch new file mode 100644 index 0000000000..7f073f17ff --- /dev/null +++ b/queue-6.1/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch @@ -0,0 +1,42 @@ +From c4562cb57d92ad4124817b8b84f023e8690c01c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:05:13 +0800 +Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() + +From: Henry Martin + +[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +raspberrypi_clk_register() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks") +Signed-off-by: Henry Martin +Reviewed-by: Dave Stevenson +Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com +Reviewed-by: Stefan Wahren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-raspberrypi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c +index 278f845572813..a7e18789839fe 100644 +--- a/drivers/clk/bcm/clk-raspberrypi.c ++++ b/drivers/clk/bcm/clk-raspberrypi.c +@@ -290,6 +290,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi, + init.name = devm_kasprintf(rpi->dev, GFP_KERNEL, + "fw-clk-%s", + rpi_firmware_clk_names[id]); ++ if (!init.name) ++ return ERR_PTR(-ENOMEM); + init.ops = &raspberrypi_firmware_clk_ops; + init.flags = CLK_GET_RATE_NOCACHE; + +-- +2.39.5 + diff --git a/queue-6.1/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch b/queue-6.1/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch new file mode 100644 index 0000000000..d9dd0f1e87 --- /dev/null +++ b/queue-6.1/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch @@ -0,0 +1,45 @@ +From 8a0278dee8d1f8369947e79f2620fff288d1f26a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:56 +0200 +Subject: clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used. + +Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm6350.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c +index ddacb4f76eca5..ea98a63746f0f 100644 +--- a/drivers/clk/qcom/dispcc-sm6350.c ++++ b/drivers/clk/qcom/dispcc-sm6350.c +@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = { + + static struct gdsc mdss_gdsc = { + .gdscr = 0x1004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "mdss_gdsc", + }, +-- +2.39.5 + diff --git a/queue-6.1/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch b/queue-6.1/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch new file mode 100644 index 0000000000..b767b0ced3 --- /dev/null +++ b/queue-6.1/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch @@ -0,0 +1,49 @@ +From ec8292632b4046cd403d0e7aee282b62b235e365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:45:12 +0200 +Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz + +From: Vincent Knecht + +[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ] + +Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and +freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz. + +Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") +Suggested-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vincent Knecht +Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8939.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c +index af608f1658967..ecf1c29a1f0e1 100644 +--- a/drivers/clk/qcom/gcc-msm8939.c ++++ b/drivers/clk/qcom/gcc-msm8939.c +@@ -433,7 +433,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = { + { P_XO, 0 }, + { P_GPLL0, 1 }, + { P_GPLL1_AUX, 2 }, +- { P_GPLL6, 2 }, ++ { P_GPLL6, 3 }, + { P_SLEEP_CLK, 6 }, + }; + +@@ -1088,7 +1088,7 @@ static struct clk_rcg2 jpeg0_clk_src = { + }; + + static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = { +- F(24000000, P_GPLL0, 1, 1, 45), ++ F(24000000, P_GPLL6, 1, 1, 45), + F(66670000, P_GPLL0, 12, 0, 0), + { } + }; +-- +2.39.5 + diff --git a/queue-6.1/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch b/queue-6.1/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch new file mode 100644 index 0000000000..14663d68ff --- /dev/null +++ b/queue-6.1/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch @@ -0,0 +1,55 @@ +From 3178bcd98ee45bf7b3286c7a592a7a7dce2c8a43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:57 +0200 +Subject: clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used. + +Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm6350.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c +index 428cd99dcdcbe..4031613c6236f 100644 +--- a/drivers/clk/qcom/gcc-sm6350.c ++++ b/drivers/clk/qcom/gcc-sm6350.c +@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = { + + static struct gdsc usb30_prim_gdsc = { + .gdscr = 0x1a004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "usb30_prim_gdsc", + }, +@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = { + + static struct gdsc ufs_phy_gdsc = { + .gdscr = 0x3a004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ufs_phy_gdsc", + }, +-- +2.39.5 + diff --git a/queue-6.1/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch b/queue-6.1/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch new file mode 100644 index 0000000000..2f4c5b4381 --- /dev/null +++ b/queue-6.1/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch @@ -0,0 +1,56 @@ +From c5d21de8e387d76dcb4df8f050e022c4b6ef99d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:58 +0200 +Subject: clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used, with the exception of +gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>). + +Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c +index 0bcbba2a29436..86c8ad5b55bac 100644 +--- a/drivers/clk/qcom/gpucc-sm6350.c ++++ b/drivers/clk/qcom/gpucc-sm6350.c +@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = { + static struct gdsc gpu_cx_gdsc = { + .gdscr = 0x106c, + .gds_hw_ctrl = 0x1540, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0x8, + .pd = { + .name = "gpu_cx_gdsc", + }, +@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = { + static struct gdsc gpu_gx_gdsc = { + .gdscr = 0x100c, + .clamp_io_ctrl = 0x1508, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0x2, + .pd = { + .name = "gpu_gx_gdsc", + .power_on = gdsc_gx_do_nothing_enable, +-- +2.39.5 + diff --git a/queue-6.1/coresight-prevent-deactivate-active-config-while-ena.patch b/queue-6.1/coresight-prevent-deactivate-active-config-while-ena.patch new file mode 100644 index 0000000000..911cd718e5 --- /dev/null +++ b/queue-6.1/coresight-prevent-deactivate-active-config-while-ena.patch @@ -0,0 +1,179 @@ +From c5511a208c24a9fe68dbed861a024a42135bb385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 17:19:51 +0100 +Subject: coresight: prevent deactivate active config while enabling the config + +From: Yeoreum Yun + +[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ] + +While enable active config via cscfg_csdev_enable_active_config(), +active config could be deactivated via configfs' sysfs interface. +This could make UAF issue in below scenario: + +CPU0 CPU1 +(sysfs enable) load module + cscfg_load_config_sets() + activate config. // sysfs + (sys_active_cnt == 1) +... +cscfg_csdev_enable_active_config() +lock(csdev->cscfg_csdev_lock) +// here load config activate by CPU1 +unlock(csdev->cscfg_csdev_lock) + + deactivate config // sysfs + (sys_activec_cnt == 0) + cscfg_unload_config_sets() + unload module + +// access to config_desc which freed +// while unloading module. +cscfg_csdev_enable_config + +To address this, use cscfg_config_desc's active_cnt as a reference count + which will be holded when + - activate the config. + - enable the activated config. +and put the module reference when config_active_cnt == 0. + +Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations") +Suggested-by: Suzuki K Poulose +Signed-off-by: Yeoreum Yun +Reviewed-by: Leo Yan +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com +Signed-off-by: Sasha Levin +--- + .../hwtracing/coresight/coresight-config.h | 2 +- + .../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------ + 2 files changed, 35 insertions(+), 16 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h +index 6ba0139757418..84cdde6f0e4db 100644 +--- a/drivers/hwtracing/coresight/coresight-config.h ++++ b/drivers/hwtracing/coresight/coresight-config.h +@@ -228,7 +228,7 @@ struct cscfg_feature_csdev { + * @feats_csdev:references to the device features to enable. + */ + struct cscfg_config_csdev { +- const struct cscfg_config_desc *config_desc; ++ struct cscfg_config_desc *config_desc; + struct coresight_device *csdev; + bool enabled; + struct list_head node; +diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c +index 11138a9762b01..30a561d874819 100644 +--- a/drivers/hwtracing/coresight/coresight-syscfg.c ++++ b/drivers/hwtracing/coresight/coresight-syscfg.c +@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev) + } + EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats); + ++static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc) ++{ ++ if (!atomic_fetch_inc(&config_desc->active_cnt)) { ++ /* must ensure that config cannot be unloaded in use */ ++ if (unlikely(cscfg_owner_get(config_desc->load_owner))) { ++ atomic_dec(&config_desc->active_cnt); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ ++static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc) ++{ ++ if (!atomic_dec_return(&config_desc->active_cnt)) ++ cscfg_owner_put(config_desc->load_owner); ++} ++ + /* + * This activate configuration for either perf or sysfs. Perf can have multiple + * active configs, selected per event, sysfs is limited to one. +@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash) + if (config_desc->available == false) + return -EBUSY; + +- /* must ensure that config cannot be unloaded in use */ +- err = cscfg_owner_get(config_desc->load_owner); +- if (err) ++ if (!cscfg_config_desc_get(config_desc)) { ++ err = -EINVAL; + break; ++ } ++ + /* + * increment the global active count - control changes to + * active configurations + */ + atomic_inc(&cscfg_mgr->sys_active_cnt); + +- /* +- * mark the descriptor as active so enable config on a +- * device instance will use it +- */ +- atomic_inc(&config_desc->active_cnt); +- + err = 0; + dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name); + break; +@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash) + + list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) { + if ((unsigned long)config_desc->event_ea->var == cfg_hash) { +- atomic_dec(&config_desc->active_cnt); + atomic_dec(&cscfg_mgr->sys_active_cnt); +- cscfg_owner_put(config_desc->load_owner); ++ cscfg_config_desc_put(config_desc); + dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name); + break; + } +@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + unsigned long cfg_hash, int preset) + { + struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item; +- const struct cscfg_config_desc *config_desc; ++ struct cscfg_config_desc *config_desc; + unsigned long flags; + int err = 0; + +@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags); + list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) { + config_desc = config_csdev_item->config_desc; +- if ((atomic_read(&config_desc->active_cnt)) && +- ((unsigned long)config_desc->event_ea->var == cfg_hash)) { ++ if (((unsigned long)config_desc->event_ea->var == cfg_hash) && ++ cscfg_config_desc_get(config_desc)) { + config_csdev_active = config_csdev_item; + csdev->active_cscfg_ctxt = (void *)config_csdev_active; + break; +@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + err = -EBUSY; + spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags); + } ++ ++ if (err) ++ cscfg_config_desc_put(config_desc); + } ++ + return err; + } + EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config); +@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev) + spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags); + + /* true if there was an enabled active config */ +- if (config_csdev) ++ if (config_csdev) { + cscfg_csdev_disable_config(config_csdev); ++ cscfg_config_desc_put(config_csdev->config_desc); ++ } + } + EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config); + +-- +2.39.5 + diff --git a/queue-6.1/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch b/queue-6.1/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch new file mode 100644 index 0000000000..25e2d1bb03 --- /dev/null +++ b/queue-6.1/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch @@ -0,0 +1,109 @@ +From 15a5dcbb703f3a0fd90a7d09a9eb764fec587972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:36:40 +0200 +Subject: counter: interrupt-cnt: Protect enable/disable OPs with mutex + +From: Alexander Sverdlin + +[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ] + +Enable/disable seems to be racy on SMP, consider the following scenario: + +CPU0 CPU1 + +interrupt_cnt_enable_write(true) +{ + if (priv->enabled == enable) + return 0; + + if (enable) { + priv->enabled = true; + interrupt_cnt_enable_write(false) + { + if (priv->enabled == enable) + return 0; + + if (enable) { + priv->enabled = true; + enable_irq(priv->irq); + } else { + disable_irq(priv->irq) + priv->enabled = false; + } + enable_irq(priv->irq); + } else { + disable_irq(priv->irq); + priv->enabled = false; + } + +The above would result in priv->enabled == false, but IRQ left enabled. +Protect both write (above race) and read (to propagate the value on SMP) +callbacks with a mutex. + +Signed-off-by: Alexander Sverdlin +Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter") +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com +Signed-off-by: William Breathitt Gray +Signed-off-by: Sasha Levin +--- + drivers/counter/interrupt-cnt.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c +index 229473855c5b3..bc762ba87a19b 100644 +--- a/drivers/counter/interrupt-cnt.c ++++ b/drivers/counter/interrupt-cnt.c +@@ -3,12 +3,14 @@ + * Copyright (c) 2021 Pengutronix, Oleksij Rempel + */ + ++#include + #include + #include + #include + #include + #include + #include ++#include + #include + #include + +@@ -19,6 +21,7 @@ struct interrupt_cnt_priv { + struct gpio_desc *gpio; + int irq; + bool enabled; ++ struct mutex lock; + struct counter_signal signals; + struct counter_synapse synapses; + struct counter_count cnts; +@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter, + { + struct interrupt_cnt_priv *priv = counter_priv(counter); + ++ guard(mutex)(&priv->lock); ++ + *enable = priv->enabled; + + return 0; +@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter, + { + struct interrupt_cnt_priv *priv = counter_priv(counter); + ++ guard(mutex)(&priv->lock); ++ + if (priv->enabled == enable) + return 0; + +@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ mutex_init(&priv->lock); ++ + ret = devm_counter_add(dev, counter); + if (ret < 0) + return dev_err_probe(dev, ret, "Failed to add counter\n"); +-- +2.39.5 + diff --git a/queue-6.1/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch b/queue-6.1/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..3dcfca1d13 --- /dev/null +++ b/queue-6.1/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,48 @@ +From 00a7f048f677765ee662e8250e8e1d62bc63923e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:28:08 +0800 +Subject: crypto: lrw - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/lrw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/lrw.c b/crypto/lrw.c +index fb8892ed179f5..99d9eb67e1827 100644 +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); +-- +2.39.5 + diff --git a/queue-6.1/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch b/queue-6.1/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch new file mode 100644 index 0000000000..6a06d30a6c --- /dev/null +++ b/queue-6.1/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch @@ -0,0 +1,36 @@ +From f9346a4c7cf783c4699477fc4a39007bc3f6385d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:43:33 +0800 +Subject: crypto: marvell/cesa - Avoid empty transfer descriptor + +From: Herbert Xu + +[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ] + +The user may set req->src even if req->nbytes == 0. If there +is no data to hash from req->src, do not generate an empty TDMA +descriptor. + +Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index 84c1065092796..72b0f863dee07 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req) + if (ret) + goto err_free_tdma; + +- if (iter.src.sg) { ++ if (iter.base.len > iter.src.op_offset) { + /* + * Add all the new data, inserting an operation block and + * launch command between each full SRAM block-worth of +-- +2.39.5 + diff --git a/queue-6.1/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch b/queue-6.1/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch new file mode 100644 index 0000000000..19fd252e11 --- /dev/null +++ b/queue-6.1/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch @@ -0,0 +1,36 @@ +From 67bb926259e965dd859afcd5ae7f15fdd852fb22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:41:31 +0800 +Subject: crypto: marvell/cesa - Handle zero-length skcipher requests + +From: Herbert Xu + +[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ] + +Do not access random memory for zero-length skcipher requests. +Just return 0. + +Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/cipher.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c +index 0f37dfd42d850..3876e3ce822f4 100644 +--- a/drivers/crypto/marvell/cesa/cipher.c ++++ b/drivers/crypto/marvell/cesa/cipher.c +@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req, + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); + struct mv_cesa_engine *engine; + ++ if (!req->cryptlen) ++ return 0; ++ + ret = mv_cesa_skcipher_req_init(req, tmpl); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.1/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch b/queue-6.1/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch new file mode 100644 index 0000000000..635390daf3 --- /dev/null +++ b/queue-6.1/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch @@ -0,0 +1,77 @@ +From b691b4579b4c1dab0e7c181f0ba4b981d00ddfd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 15:45:14 +0300 +Subject: crypto: sun8i-ce-cipher - fix error handling in + sun8i_ce_cipher_prepare() + +From: Ovidiu Panait + +[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ] + +Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): + +1] If dma_map_sg() fails for areq->dst, the device driver would try to free + DMA memory it has not allocated in the first place. To fix this, on the + "theend_sgs" error path, call dma unmap only if the corresponding dma + map was successful. + +2] If the dma_map_single() call for the IV fails, the device driver would + try to free an invalid DMA memory address on the "theend_iv" path: + ------------[ cut here ]------------ + DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address + WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90 + Modules linked in: skcipher_example(O+) + CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT + Tainted: [O]=OOT_MODULE + Hardware name: OrangePi Zero2 (DT) + pc : check_unmap+0x123c/0x1b90 + lr : check_unmap+0x123c/0x1b90 + ... + Call trace: + check_unmap+0x123c/0x1b90 (P) + debug_dma_unmap_page+0xac/0xc0 + dma_unmap_page_attrs+0x1f4/0x5fc + sun8i_ce_cipher_do_one+0x1bd4/0x1f40 + crypto_pump_work+0x334/0x6e0 + kthread_worker_fn+0x21c/0x438 + kthread+0x374/0x664 + ret_from_fork+0x10/0x20 + ---[ end trace 0000000000000000 ]--- + +To fix this, check for !dma_mapping_error() before calling +dma_unmap_single() on the "theend_iv" path. + +Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +index 74b4e910a38d7..4c6afc7367235 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +@@ -270,13 +270,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req + } else { + if (nr_sgs > 0) + dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE); +- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE); ++ ++ if (nr_sgd > 0) ++ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE); + } + + theend_iv: + if (areq->iv && ivsize > 0) { +- if (rctx->addr_iv) ++ if (!dma_mapping_error(ce->dev, rctx->addr_iv)) + dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE); ++ + offset = areq->cryptlen - ivsize; + if (rctx->op_dir & CE_DECRYPTION) { + memcpy(areq->iv, chan->backup_iv, ivsize); +-- +2.39.5 + diff --git a/queue-6.1/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch b/queue-6.1/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch new file mode 100644 index 0000000000..37dcd11f83 --- /dev/null +++ b/queue-6.1/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch @@ -0,0 +1,41 @@ +From ade5461d4f39b74160c23f11a28dcc20957ddea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:06:56 +0300 +Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the + struct + +From: Ovidiu Panait + +[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ] + +'struct ahash_request' has a flexible array at the end, so it must be the +last member in a struct, to avoid overwriting other struct members. + +Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx' +struct. + +Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +index 8177aaba44349..a1658722d886d 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +@@ -297,8 +297,8 @@ struct sun8i_ce_hash_tfm_ctx { + * @flow: the flow to use for this request + */ + struct sun8i_ce_hash_reqctx { +- struct ahash_request fallback_req; + int flow; ++ struct ahash_request fallback_req; // keep at the end + }; + + /* +-- +2.39.5 + diff --git a/queue-6.1/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch b/queue-6.1/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch new file mode 100644 index 0000000000..c8942b2461 --- /dev/null +++ b/queue-6.1/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch @@ -0,0 +1,39 @@ +From 5bd0735cf24806903abae77bab65678d80f775ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 13:12:36 +0200 +Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions + +From: Corentin Labbe + +[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ] + +When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto +selftests. +This is strange since on sunxi_defconfig, everything was ok. +The problem was in the IV setup loop which never run because sg_dma_len +was 0. + +Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +index e97fb203690ae..5a864a71efa11 100644 +--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +@@ -136,7 +136,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq) + + /* we need to copy all IVs from source in case DMA is bi-directionnal */ + while (sg && len) { +- if (sg_dma_len(sg) == 0) { ++ if (sg->length == 0) { + sg = sg_next(sg); + continue; + } +-- +2.39.5 + diff --git a/queue-6.1/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch b/queue-6.1/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..5b676de34a --- /dev/null +++ b/queue-6.1/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,46 @@ +From 8238a306da49167e9453f2259d2e3e7371bfd93d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:34:04 +0800 +Subject: crypto: xts - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/xts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/xts.c b/crypto/xts.c +index b05020657cdc8..1972f40333f04 100644 +--- a/crypto/xts.c ++++ b/crypto/xts.c +@@ -361,7 +361,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -395,7 +395,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name)); +-- +2.39.5 + diff --git a/queue-6.1/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch b/queue-6.1/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch new file mode 100644 index 0000000000..ff317e8dc3 --- /dev/null +++ b/queue-6.1/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch @@ -0,0 +1,81 @@ +From 00607c37e4feb0c273be694ea39832197fc7fde0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:49:38 -0400 +Subject: dm: don't change md if dm_table_set_restrictions() fails + +From: Benjamin Marzinski + +[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ] + +__bind was changing the disk capacity, geometry and mempools of the +mapped device before calling dm_table_set_restrictions() which could +fail, forcing dm to drop the new table. Failing here would leave the +device using the old table but with the wrong capacity and mempools. + +Move dm_table_set_restrictions() earlier in __bind(). Since it needs the +capacity to be set, save the old version and restore it on failure. + +Fixes: bb37d77239af2 ("dm: introduce zone append emulation") +Reviewed-by: Damien Le Moal +Tested-by: Damien Le Moal +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 4767265793de7..2b8fe98c515ed 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2165,21 +2165,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + struct queue_limits *limits) + { + struct dm_table *old_map; +- sector_t size; ++ sector_t size, old_size; + int ret; + + lockdep_assert_held(&md->suspend_lock); + + size = dm_table_get_size(t); + ++ old_size = dm_get_size(md); ++ set_capacity(md->disk, size); ++ ++ ret = dm_table_set_restrictions(t, md->queue, limits); ++ if (ret) { ++ set_capacity(md->disk, old_size); ++ old_map = ERR_PTR(ret); ++ goto out; ++ } ++ + /* + * Wipe any geometry if the size of the table changed. + */ +- if (size != dm_get_size(md)) ++ if (size != old_size) + memset(&md->geometry, 0, sizeof(md->geometry)); + +- set_capacity(md->disk, size); +- + dm_table_event_callback(t, event_callback, md); + + if (dm_table_request_based(t)) { +@@ -2212,12 +2220,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + t->mempools = NULL; + } + +- ret = dm_table_set_restrictions(t, md->queue, limits); +- if (ret) { +- old_map = ERR_PTR(ret); +- goto out; +- } +- + old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + rcu_assign_pointer(md->map, (void *)t); + md->immutable_target_type = dm_table_get_immutable_target_type(t); +-- +2.39.5 + diff --git a/queue-6.1/dm-free-table-mempools-if-not-used-in-__bind.patch b/queue-6.1/dm-free-table-mempools-if-not-used-in-__bind.patch new file mode 100644 index 0000000000..364d1089c3 --- /dev/null +++ b/queue-6.1/dm-free-table-mempools-if-not-used-in-__bind.patch @@ -0,0 +1,54 @@ +From 6f4ee438ba31634a0a07b79b52be9f8dde6f9180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:49:39 -0400 +Subject: dm: free table mempools if not used in __bind + +From: Benjamin Marzinski + +[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ] + +With request-based dm, the mempools don't need reloading when switching +tables, but the unused table mempools are not freed until the active +table is finally freed. Free them immediately if they are not needed. + +Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation") +Reviewed-by: Damien Le Moal +Tested-by: Damien Le Moal +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 2b8fe98c515ed..cf7520551b63b 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2205,10 +2205,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + * requests in the queue may refer to bio from the old bioset, + * so you must walk through the queue to unprep. + */ +- if (!md->mempools) { ++ if (!md->mempools) + md->mempools = t->mempools; +- t->mempools = NULL; +- } ++ else ++ dm_free_md_mempools(t->mempools); + } else { + /* + * The md may already have mempools that need changing. +@@ -2217,8 +2217,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + */ + dm_free_md_mempools(md->mempools); + md->mempools = t->mempools; +- t->mempools = NULL; + } ++ t->mempools = NULL; + + old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + rcu_assign_pointer(md->map, (void *)t); +-- +2.39.5 + diff --git a/queue-6.1/dmaengine-ti-add-null-check-in-udma_probe.patch b/queue-6.1/dmaengine-ti-add-null-check-in-udma_probe.patch new file mode 100644 index 0000000000..1f0e00d6a2 --- /dev/null +++ b/queue-6.1/dmaengine-ti-add-null-check-in-udma_probe.patch @@ -0,0 +1,43 @@ +From 06cdf8861cc6b2a2700e6e9a2c818fdf6bdae81e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:39:00 +0800 +Subject: dmaengine: ti: Add NULL check in udma_probe() + +From: Henry Martin + +[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +udma_probe() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") +Signed-off-by: Henry Martin +Reviewed-by: Nathan Lynch +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c +index edad538928dd7..1d12dc141070a 100644 +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -5490,7 +5490,8 @@ static int udma_probe(struct platform_device *pdev) + uc->config.dir = DMA_MEM_TO_MEM; + uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d", + dev_name(dev), i); +- ++ if (!uc->name) ++ return -ENOMEM; + vchan_init(&uc->vc, &ud->ddev); + /* Use custom vchan completion handling */ + tasklet_setup(&uc->vc.task, udma_vchan_complete); +-- +2.39.5 + diff --git a/queue-6.1/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch b/queue-6.1/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch new file mode 100644 index 0000000000..1c701b7382 --- /dev/null +++ b/queue-6.1/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch @@ -0,0 +1,40 @@ +From 0f51684694d37ba03ea09665d44787057ae3e861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 12:27:08 -0400 +Subject: do_change_type(): refuse to operate on unmounted/not ours mounts + +From: Al Viro + +[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ] + +Ensure that propagation settings can only be changed for mounts located +in the caller's mount namespace. This change aligns permission checking +with the rest of mount(2). + +Reviewed-by: Christian Brauner +Fixes: 07b20889e305 ("beginning of the shared-subtree proper") +Reported-by: "Orlando, Noah" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 65aa3495db6a1..aae1a77ac2d3f 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2371,6 +2371,10 @@ static int do_change_type(struct path *path, int ms_flags) + return -EINVAL; + + namespace_lock(); ++ if (!check_mnt(mnt)) { ++ err = -EINVAL; ++ goto out_unlock; ++ } + if (type == MS_SHARED) { + err = invent_group_ids(mnt, recurse); + if (err) +-- +2.39.5 + diff --git a/queue-6.1/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch b/queue-6.1/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch new file mode 100644 index 0000000000..6aa27e63bc --- /dev/null +++ b/queue-6.1/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch @@ -0,0 +1,53 @@ +From 163b7425e39e6e0f42c31a3871efc2a0dc555aa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 15:53:51 +0800 +Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue + +From: Yanqing Wang + +[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ] + +Identify the cause of the suspend/resume hang: netif_carrier_off() +is called during link state changes and becomes stuck while +executing linkwatch_work(). + +To resolve this issue, call netif_device_detach() during the Ethernet +suspend process to temporarily detach the network device from the +kernel and prevent the suspend/resume hang. + +Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") +Signed-off-by: Yanqing Wang +Signed-off-by: Macpaul Lin +Signed-off-by: Biao Huang +Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c +index c42e9f741f959..a631491a19da1 100644 +--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c ++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c +@@ -1475,6 +1475,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev) + if (netif_running(ndev)) + mtk_star_disable(ndev); + ++ netif_device_detach(ndev); ++ + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + + return 0; +@@ -1499,6 +1501,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev) + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + } + ++ netif_device_attach(ndev); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.1/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch b/queue-6.1/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch new file mode 100644 index 0000000000..216bac856e --- /dev/null +++ b/queue-6.1/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch @@ -0,0 +1,54 @@ +From 865aafe682fe208b8de671a7c195ed6c6155a2ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 12:04:35 +0800 +Subject: drm/amd/pp: Fix potential NULL pointer dereference in + atomctrl_initialize_mc_reg_table + +From: Charles Han + +[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ] + +The function atomctrl_initialize_mc_reg_table() and +atomctrl_initialize_mc_reg_table_v2_2() does not check the return +value of smu_atom_get_data_table(). If smu_atom_get_data_table() +fails to retrieve vram_info, it returns NULL which is later +dereferenced. + +Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)") +Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization") +Signed-off-by: Charles Han +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +index 1fbd23922082a..7e37354a03411 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table( + vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *) + smu_atom_get_data_table(hwmgr->adev, + GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev); ++ if (!vram_info) { ++ pr_err("Could not retrieve the VramInfo table!"); ++ return -EINVAL; ++ } + + if (module_index >= vram_info->ucNumOfVRAMModule) { + pr_err("Invalid VramInfo table."); +@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2( + vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *) + smu_atom_get_data_table(hwmgr->adev, + GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev); ++ if (!vram_info) { ++ pr_err("Could not retrieve the VramInfo table!"); ++ return -EINVAL; ++ } + + if (module_index >= vram_info->ucNumOfVRAMModule) { + pr_err("Invalid VramInfo table."); +-- +2.39.5 + diff --git a/queue-6.1/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch b/queue-6.1/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch new file mode 100644 index 0000000000..c21b191364 --- /dev/null +++ b/queue-6.1/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch @@ -0,0 +1,45 @@ +From 256cd40e8a0eea682b75223a5cf53129bebef3d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 08:48:16 +0200 +Subject: drm/bridge: lt9611uxc: Fix an error handling path in + lt9611uxc_probe() + +From: Christophe JAILLET + +[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ] + +If lt9611uxc_audio_init() fails, some resources still need to be released +before returning the error code. + +Use the existing error handling path. + +Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +index cb75da940b890..e9162125382f5 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +@@ -961,7 +961,11 @@ static int lt9611uxc_probe(struct i2c_client *client, + } + } + +- return lt9611uxc_audio_init(dev, lt9611uxc); ++ ret = lt9611uxc_audio_init(dev, lt9611uxc); ++ if (ret) ++ goto err_remove_bridge; ++ ++ return 0; + + err_remove_bridge: + free_irq(client->irq, lt9611uxc); +-- +2.39.5 + diff --git a/queue-6.1/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch b/queue-6.1/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch new file mode 100644 index 0000000000..71e7239ec7 --- /dev/null +++ b/queue-6.1/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch @@ -0,0 +1,61 @@ +From dcfce079b17685ee19fac5915c672d6283c196db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 12:24:24 +0000 +Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init() + +From: Biju Das + +[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ] + +The rcar_du_vsps_init() doesn't free the np allocated by +of_parse_phandle_with_fixed_args() for the non-error case. + +Fix memory leak for the non-error case. + +While at it, replace the label 'error'->'done' as it applies to non-error +case as well and update the error check condition for rcar_du_vsp_init() +to avoid breakage in future, if it returns positive value. + +Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +index 8c2719efda2a2..b64f62ad8dbd7 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -673,7 +673,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name, + cells, i, &args); + if (ret < 0) +- goto error; ++ goto done; + + /* + * Add the VSP to the list or update the corresponding existing +@@ -711,13 +711,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + vsp->dev = rcdu; + + ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask); +- if (ret < 0) +- goto error; ++ if (ret) ++ goto done; + } + +- return 0; +- +-error: ++done: + for (i = 0; i < ARRAY_SIZE(vsps); ++i) + of_node_put(vsps[i].np); + +-- +2.39.5 + diff --git a/queue-6.1/drm-tegra-rgb-fix-the-unbound-reference-count.patch b/queue-6.1/drm-tegra-rgb-fix-the-unbound-reference-count.patch new file mode 100644 index 0000000000..c13b0db46a --- /dev/null +++ b/queue-6.1/drm-tegra-rgb-fix-the-unbound-reference-count.patch @@ -0,0 +1,57 @@ +From 276083d8091b049f27bbce3e81b6f8f0e61eb7fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:21:35 +0000 +Subject: drm/tegra: rgb: Fix the unbound reference count + +From: Biju Das + +[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ] + +The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe, +but the driver does not decrement the refcount during unbind. Fix the +unbound reference count using devm_add_action_or_reset() helper. + +Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support") +Signed-off-by: Biju Das +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c +index 86e55e5d12b39..20ac30673ed53 100644 +--- a/drivers/gpu/drm/tegra/rgb.c ++++ b/drivers/gpu/drm/tegra/rgb.c +@@ -189,6 +189,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = { + .atomic_check = tegra_rgb_encoder_atomic_check, + }; + ++static void tegra_dc_of_node_put(void *data) ++{ ++ of_node_put(data); ++} ++ + int tegra_dc_rgb_probe(struct tegra_dc *dc) + { + struct device_node *np; +@@ -196,7 +201,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc) + int err; + + np = of_get_child_by_name(dc->dev->of_node, "rgb"); +- if (!np || !of_device_is_available(np)) ++ if (!np) ++ return -ENODEV; ++ ++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np); ++ if (err < 0) ++ return err; ++ ++ if (!of_device_is_available(np)) + return -ENODEV; + + rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.1/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch b/queue-6.1/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch new file mode 100644 index 0000000000..cf12bdeae0 --- /dev/null +++ b/queue-6.1/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch @@ -0,0 +1,44 @@ +From b6429dbd9cb2ef449ebdcdf3b8115becc3c5e798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:14:32 -0700 +Subject: drm/vkms: Adjust vkms_state->active_planes allocation type + +From: Kees Cook + +[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ] + +In preparation for making the kmalloc family of allocators type aware, +we need to make sure that the returned type from the allocation matches +the type of the variable being assigned. (Before, the allocator would +always return "void *", which can be implicitly cast to any pointer type.) + +The assigned type is "struct vkms_plane_state **", but the returned type +will be "struct drm_plane **". These are the same size (pointer size), but +the types don't match. Adjust the allocation type to match the assignment. + +Signed-off-by: Kees Cook +Reviewed-by: Louis Chauvet +Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking") +Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 57bbd32e9bebb..de8c2d5cc89c0 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -202,7 +202,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc, + i++; + } + +- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL); ++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL); + if (!vkms_state->active_planes) + return -ENOMEM; + vkms_state->num_active_planes = i; +-- +2.39.5 + diff --git a/queue-6.1/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch b/queue-6.1/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch new file mode 100644 index 0000000000..f6435a90d2 --- /dev/null +++ b/queue-6.1/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch @@ -0,0 +1,89 @@ +From 0ea4cfda0bcf7584f6cde304b764981e4f05986b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:06:33 -0600 +Subject: drm/vmwgfx: Add seqno waiter for sync_files + +From: Ian Forbes + +[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ] + +Because sync_files are passive waiters they do not participate in +the processing of fences like the traditional vmw_fence_wait IOCTL. +If userspace exclusively uses sync_files for synchronization then +nothing in the kernel actually processes fence updates as interrupts +for fences are masked and ignored if the kernel does not indicate to the +SVGA device that there are active waiters. + +This oversight results in a bug where the entire GUI can freeze waiting +on a sync_file that will never be signalled as we've masked the interrupts +to signal its completion. This bug is incredibly racy as any process which +interacts with the fencing code via the 3D stack can process the stuck +fences on behalf of the stuck process causing it to run again. Even a +simple app like eglinfo is enough to resume the stuck process. Usually +this bug is seen at a login screen like GDM because there are no other +3D apps running. + +By adding a seqno waiter we re-enable interrupt based processing of the +dma_fences associated with the sync_file which is signalled as part of a +dma_fence_callback. + +This has likely been broken since it was initially added to the kernel in +2017 but has gone unnoticed until mutter recently started using sync_files +heavily over the course of 2024 as part of their explicit sync support. + +Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 2f7ac91149fc0..0d12d6af67c09 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -4077,6 +4077,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv, + return 0; + } + ++/* ++ * DMA fence callback to remove a seqno_waiter ++ */ ++struct seqno_waiter_rm_context { ++ struct dma_fence_cb base; ++ struct vmw_private *dev_priv; ++}; ++ ++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb) ++{ ++ struct seqno_waiter_rm_context *ctx = ++ container_of(cb, struct seqno_waiter_rm_context, base); ++ ++ vmw_seqno_waiter_remove(ctx->dev_priv); ++ kfree(ctx); ++} ++ + int vmw_execbuf_process(struct drm_file *file_priv, + struct vmw_private *dev_priv, + void __user *user_commands, void *kernel_commands, +@@ -4257,6 +4274,15 @@ int vmw_execbuf_process(struct drm_file *file_priv, + } else { + /* Link the fence with the FD created earlier */ + fd_install(out_fence_fd, sync_file->file); ++ struct seqno_waiter_rm_context *ctx = ++ kmalloc(sizeof(*ctx), GFP_KERNEL); ++ ctx->dev_priv = dev_priv; ++ vmw_seqno_waiter_add(dev_priv); ++ if (dma_fence_add_callback(&fence->base, &ctx->base, ++ seqno_waiter_rm_cb) < 0) { ++ vmw_seqno_waiter_remove(dev_priv); ++ kfree(ctx); ++ } + } + } + +-- +2.39.5 + diff --git a/queue-6.1/dt-bindings-vendor-prefixes-add-liontron-name.patch b/queue-6.1/dt-bindings-vendor-prefixes-add-liontron-name.patch new file mode 100644 index 0000000000..0bb4f54e85 --- /dev/null +++ b/queue-6.1/dt-bindings-vendor-prefixes-add-liontron-name.patch @@ -0,0 +1,40 @@ +From d849bba706f4aba1ad3c2acc67b35c6bb9f0743e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:47:27 +0100 +Subject: dt-bindings: vendor-prefixes: Add Liontron name + +From: Andre Przywara + +[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ] + +Liontron is a company based in Shenzen, China, making industrial +development boards and embedded computers, mostly using Rockchip and +Allwinner SoCs. + +Add their name to the list of vendors. + +Signed-off-by: Andre Przywara +Acked-by: Rob Herring (Arm) +Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml +index 77e9413cdee07..f955db429f55a 100644 +--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml ++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml +@@ -725,6 +725,8 @@ patternProperties: + description: Linux-specific binding + "^linx,.*": + description: Linx Technologies ++ "^liontron,.*": ++ description: Shenzhen Liontron Technology Co., Ltd + "^liteon,.*": + description: LITE-ON Technology Corp. + "^litex,.*": +-- +2.39.5 + diff --git a/queue-6.1/edac-skx_common-fix-general-protection-fault.patch b/queue-6.1/edac-skx_common-fix-general-protection-fault.patch new file mode 100644 index 0000000000..89928ca069 --- /dev/null +++ b/queue-6.1/edac-skx_common-fix-general-protection-fault.patch @@ -0,0 +1,68 @@ +From d1db366b7a118b9817c1be28d9b2666ae2947036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 23:07:18 +0800 +Subject: EDAC/skx_common: Fix general protection fault + +From: Qiuxu Zhuo + +[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ] + +After loading i10nm_edac (which automatically loads skx_edac_common), if +unload only i10nm_edac, then reload it and perform error injection testing, +a general protection fault may occur: + + mce: [Hardware Error]: Machine check events logged + Oops: general protection fault ... + ... + Workqueue: events mce_gen_pool_process + RIP: 0010:string+0x53/0xe0 + ... + Call Trace: + + ? die_addr+0x37/0x90 + ? exc_general_protection+0x1e7/0x3f0 + ? asm_exc_general_protection+0x26/0x30 + ? string+0x53/0xe0 + vsnprintf+0x23e/0x4c0 + snprintf+0x4d/0x70 + skx_adxl_decode+0x16a/0x330 [skx_edac_common] + skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] + skx_mce_check_error+0x17/0x20 [skx_edac_common] + ... + +The issue arose was because the variable 'adxl_component_count' (inside +skx_edac_common), which counts the ADXL components, was not reset. During +the reloading of i10nm_edac, the count was incremented by the actual number +of ADXL components again, resulting in a count that was double the real +number of ADXL components. This led to an out-of-bounds reference to the +ADXL component array, causing the general protection fault above. + +Fix this issue by resetting the 'adxl_component_count' in adxl_put(), +which is called during the unloading of {skx,i10nm}_edac. + +Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") +Reported-by: Feng Xu +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Feng Xu +Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/skx_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index e218909f9f9e8..c11870ac1b3c7 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); + + void skx_adxl_put(void) + { ++ adxl_component_count = 0; + kfree(adxl_values); + kfree(adxl_msg); + } +-- +2.39.5 + diff --git a/queue-6.1/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch b/queue-6.1/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch new file mode 100644 index 0000000000..1960b26841 --- /dev/null +++ b/queue-6.1/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch @@ -0,0 +1,40 @@ +From f828d41ebabf578d52cfb9026e83918af0ac19ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 00:31:11 +0800 +Subject: efi/libstub: Describe missing 'out' parameter in efi_load_initrd + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ] + +The function efi_load_initrd() had a documentation warning due to +the missing description for the 'out' parameter. Add the parameter +description to the kernel-doc comment to resolve the warning and +improve API documentation. + +Fixes the following compiler warning: +drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd' + +Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/efi-stub-helper.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c +index 97744822dd951..587ba946ba9d8 100644 +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -697,6 +697,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image, + * @image: EFI loaded image protocol + * @soft_limit: preferred address for loading the initrd + * @hard_limit: upper limit address for loading the initrd ++ * @out: pointer to store the address of the initrd table + * + * Return: status code + */ +-- +2.39.5 + diff --git a/queue-6.1/f2fs-clean-up-w-fscrypt_is_bounce_page.patch b/queue-6.1/f2fs-clean-up-w-fscrypt_is_bounce_page.patch new file mode 100644 index 0000000000..5e596762ca --- /dev/null +++ b/queue-6.1/f2fs-clean-up-w-fscrypt_is_bounce_page.patch @@ -0,0 +1,34 @@ +From b68a2e34876597e12f15426a5cd8fc7bf256ddef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:36 +0800 +Subject: f2fs: clean up w/ fscrypt_is_bounce_page() + +From: Chao Yu + +[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ] + +Just cleanup, no logic changes. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 0b0e3d44e158e..2ae682f8d0c8e 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -56,7 +56,7 @@ bool f2fs_is_cp_guaranteed(struct page *page) + struct inode *inode; + struct f2fs_sb_info *sbi; + +- if (!mapping) ++ if (fscrypt_is_bounce_page(page)) + return false; + + inode = mapping->host; +-- +2.39.5 + diff --git a/queue-6.1/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch b/queue-6.1/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch new file mode 100644 index 0000000000..56391a3e88 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch @@ -0,0 +1,36 @@ +From e441f0e094c81ce8a651c6ebe5b29df46616802b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:49 +0800 +Subject: f2fs: fix to correct check conditions in f2fs_cross_rename + +From: Zhiguo Niu + +[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ] + +Should be "old_dir" here. + +Fixes: 5c57132eaf52 ("f2fs: support project quota") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 77fa3c639ba38..7bfa3249d9cc1 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1086,7 +1086,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, + F2FS_I(old_inode)->i_projid)) || +- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && ++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, + F2FS_I(new_inode)->i_projid))) + return -EXDEV; +-- +2.39.5 + diff --git a/queue-6.1/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch b/queue-6.1/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch new file mode 100644 index 0000000000..6fc8211af0 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch @@ -0,0 +1,91 @@ +From 0591197ec0465bf6f81a8f570b028c5497166058 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:37 +0800 +Subject: f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() + +From: Chao Yu + +[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ] + +Jan Prusakowski reported a f2fs bug as below: + +f2fs/007 will hang kernel during testing w/ below configs: + +kernel 6.12.18 (from pixel-kernel/android16-6.12) +export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota" +export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc" + +cat /proc//stack +f2fs_wait_on_all_pages+0xa3/0x130 +do_checkpoint+0x40c/0x5d0 +f2fs_write_checkpoint+0x258/0x550 +kill_f2fs_super+0x14f/0x190 +deactivate_locked_super+0x30/0xb0 +cleanup_mnt+0xba/0x150 +task_work_run+0x59/0xa0 +syscall_exit_to_user_mode+0x12d/0x130 +do_syscall_64+0x57/0x110 +entry_SYSCALL_64_after_hwframe+0x76/0x7e + +cat /sys/kernel/debug/f2fs/status + + - IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0 + +CP IOs reference count becomes negative. + +The root cause is: + +After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block +migration"), we will tag page w/ gcing flag for raw page of cluster +during its migration. + +However, if the inode is both encrypted and compressed, during +ioc_decompress(), it will tag page w/ gcing flag, and it increase +F2FS_WB_DATA reference count: +- f2fs_write_multi_page + - f2fs_write_raw_page + - f2fs_write_single_page + - do_write_page + - f2fs_submit_page_write + - WB_DATA_TYPE(bio_page, fio->compressed_page) + : bio_page is encrypted, so mapping is NULL, and fio->compressed_page + is NULL, it returns F2FS_WB_DATA + - inc_page_count(.., F2FS_WB_DATA) + +Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count: +- f2fs_write_end_io + - f2fs_compress_write_end_io + - fscrypt_pagecache_folio + : get raw page from encrypted page + - WB_DATA_TYPE(&folio->page, false) + : raw page has gcing flag, it returns F2FS_WB_CP_DATA + - dec_page_count(.., F2FS_WB_CP_DATA) + +In order to fix this issue, we need to detect gcing flag in raw page +in f2fs_is_cp_guaranteed(). + +Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration") +Reported-by: Jan Prusakowski +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 2ae682f8d0c8e..7b65766d365f1 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -57,7 +57,7 @@ bool f2fs_is_cp_guaranteed(struct page *page) + struct f2fs_sb_info *sbi; + + if (fscrypt_is_bounce_page(page)) +- return false; ++ return page_private_gcing(fscrypt_pagecache_page(page)); + + inode = mapping->host; + sbi = F2FS_I_SB(inode); +-- +2.39.5 + diff --git a/queue-6.1/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch b/queue-6.1/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch new file mode 100644 index 0000000000..1a484e2f29 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch @@ -0,0 +1,76 @@ +From cf6186b70c2234f1776a7c7403fe4cbc52009a43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 20:22:08 +0800 +Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count + +From: Chao Yu + +[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ] + +syzbot reported a f2fs bug as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/f2fs.h:2521! +RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 +Call Trace: + f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 + truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 + truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 + f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 + f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 + f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 + f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 + f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 + notify_change+0xbca/0xe90 fs/attr.c:552 + do_truncate+0x222/0x310 fs/open.c:65 + handle_truncate fs/namei.c:3466 [inline] + do_open fs/namei.c:3849 [inline] + path_openat+0x2e4f/0x35d0 fs/namei.c:4004 + do_filp_open+0x284/0x4e0 fs/namei.c:4031 + do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 + do_sys_open fs/open.c:1444 [inline] + __do_sys_creat fs/open.c:1522 [inline] + __se_sys_creat fs/open.c:1516 [inline] + __x64_sys_creat+0x124/0x170 fs/open.c:1516 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 + +The reason is: in fuzzed image, sbi->total_valid_block_count is +inconsistent w/ mapped blocks indexed by inode, so, we should +not trigger panic for such case, instead, let's print log and +set fsck flag. + +Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure") +Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 840a458554517..ef9149bd398ae 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2387,8 +2387,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi, + blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK; + + spin_lock(&sbi->stat_lock); +- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count); +- sbi->total_valid_block_count -= (block_t)count; ++ if (unlikely(sbi->total_valid_block_count < count)) { ++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u", ++ sbi->total_valid_block_count, inode->i_ino, count); ++ sbi->total_valid_block_count = 0; ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } else { ++ sbi->total_valid_block_count -= count; ++ } + if (sbi->reserved_blocks && + sbi->current_reserved_blocks < sbi->reserved_blocks) + sbi->current_reserved_blocks = min(sbi->reserved_blocks, +-- +2.39.5 + diff --git a/queue-6.1/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch b/queue-6.1/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch new file mode 100644 index 0000000000..1ba9e6c500 --- /dev/null +++ b/queue-6.1/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch @@ -0,0 +1,74 @@ +From c3606485970d50cc71acb6c355431d107f29e491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:48 +0800 +Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode + +From: Zhiguo Niu + +[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ] + +no logic changes. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 8 ++++---- + fs/f2fs/super.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 9da104c0743c4..77fa3c639ba38 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -401,7 +401,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, + + if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(inode)->i_projid))) + return -EXDEV; + + err = f2fs_dquot_initialize(dir); +@@ -896,7 +896,7 @@ static int f2fs_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + + if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(old_inode)->i_projid))) + return -EXDEV; + + /* +@@ -1085,10 +1085,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid)) || ++ F2FS_I(old_inode)->i_projid)) || + (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, +- F2FS_I(new_dentry->d_inode)->i_projid))) ++ F2FS_I(new_inode)->i_projid))) + return -EXDEV; + + err = f2fs_dquot_initialize(old_dir); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 72160b906f4b3..c1738820a8f0d 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1830,9 +1830,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf) + buf->f_fsid = u64_to_fsid(id); + + #ifdef CONFIG_QUOTA +- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) && ++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) && + sb_has_quota_limits_enabled(sb, PRJQUOTA)) { +- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf); ++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf); + } + #endif + return 0; +-- +2.39.5 + diff --git a/queue-6.1/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch b/queue-6.1/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch new file mode 100644 index 0000000000..0f8508e394 --- /dev/null +++ b/queue-6.1/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch @@ -0,0 +1,42 @@ +From 11d64cb37ba823a846ce2f664bca4bb21c9f113c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 23:35:58 +0300 +Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() + +From: Sergey Shtylyov + +[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ] + +In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, +cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's +then passed to fb_cvt_hperiod(), where it's used as a divider -- division +by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to +avoid such overflow... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcvt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c +index 64843464c6613..cd3821bd82e56 100644 +--- a/drivers/video/fbdev/core/fbcvt.c ++++ b/drivers/video/fbdev/core/fbcvt.c +@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) + cvt.f_refresh = cvt.refresh; + cvt.interlace = 1; + +- if (!cvt.xres || !cvt.yres || !cvt.refresh) { ++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { + printk(KERN_INFO "fbcvt: Invalid input parameters\n"); + return 1; + } +-- +2.39.5 + diff --git a/queue-6.1/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch b/queue-6.1/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch new file mode 100644 index 0000000000..c2bc6e6e68 --- /dev/null +++ b/queue-6.1/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch @@ -0,0 +1,42 @@ +From f0a5d76f59ada74f8f455079c6e5262890082449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 23:17:12 +0800 +Subject: firmware: psci: Fix refcount leak in psci_dt_init + +From: Miaoqian Lin + +[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ] + +Fix a reference counter leak in psci_dt_init() where of_node_put(np) was +missing after of_find_matching_node_and_match() when np is unavailable. + +Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled") +Signed-off-by: Miaoqian Lin +Reviewed-by: Gavin Shan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci/psci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c +index a44ba09e49d9c..7eddf0912f96c 100644 +--- a/drivers/firmware/psci/psci.c ++++ b/drivers/firmware/psci/psci.c +@@ -747,8 +747,10 @@ int __init psci_dt_init(void) + + np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np); + +- if (!np || !of_device_is_available(np)) ++ if (!np || !of_device_is_available(np)) { ++ of_node_put(np); + return -ENODEV; ++ } + + init_fn = (psci_initcall_t)matched_np->data; + ret = init_fn(np); +-- +2.39.5 + diff --git a/queue-6.1/firmware-sdei-allow-sdei-initialization-without-acpi.patch b/queue-6.1/firmware-sdei-allow-sdei-initialization-without-acpi.patch new file mode 100644 index 0000000000..185aa28697 --- /dev/null +++ b/queue-6.1/firmware-sdei-allow-sdei-initialization-without-acpi.patch @@ -0,0 +1,136 @@ +From e8d5044c65037f4454317726cd241cea6dcb3d43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 12:57:57 +0800 +Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES + +From: Huang Yiwei + +[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ] + +SDEI usually initialize with the ACPI table, but on platforms where +ACPI is not used, the SDEI feature can still be used to handle +specific firmware calls or other customized purposes. Therefore, it +is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES. + +In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES +in acpi_init()"), to make APEI ready earlier, sdei_init was moved +into acpi_ghes_init instead of being a standalone initcall, adding +ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the +flexibility and usability of SDEI. + +This patch corrects the dependency in Kconfig and splits sdei_init() +into two separate functions: sdei_init() and acpi_sdei_init(). +sdei_init() will be called by arch_initcall and will only initialize +the platform driver, while acpi_sdei_init() will initialize the +device from acpi_ghes_init() when ACPI is ready. This allows the +initialization of SDEI without ACPI_APEI_GHES enabled. + +Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()") +Cc: Shuai Xue +Signed-off-by: Huang Yiwei +Reviewed-by: Shuai Xue +Reviewed-by: Gavin Shan +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/Kconfig | 1 + + drivers/acpi/apei/ghes.c | 2 +- + drivers/firmware/Kconfig | 1 - + drivers/firmware/arm_sdei.c | 11 ++++++++--- + include/linux/arm_sdei.h | 4 ++-- + 5 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig +index 6b18f8bc7be35..71e0d64a7792e 100644 +--- a/drivers/acpi/apei/Kconfig ++++ b/drivers/acpi/apei/Kconfig +@@ -23,6 +23,7 @@ config ACPI_APEI_GHES + select ACPI_HED + select IRQ_WORK + select GENERIC_ALLOCATOR ++ select ARM_SDE_INTERFACE if ARM64 + help + Generic Hardware Error Source provides a way to report + platform hardware errors (such as that from chipset). It +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 83a4b417b27b9..1f327ec4c30b3 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -1478,7 +1478,7 @@ void __init acpi_ghes_init(void) + { + int rc; + +- sdei_init(); ++ acpi_sdei_init(); + + if (acpi_disabled) + return; +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 5583ae61f214b..bffdf735ef781 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN + config ARM_SDE_INTERFACE + bool "ARM Software Delegated Exception Interface (SDEI)" + depends on ARM64 +- depends on ACPI_APEI_GHES + help + The Software Delegated Exception Interface (SDEI) is an ARM + standard for registering callbacks from the platform firmware +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index 3e8051fe82965..71e2a9a89f6ad 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void) + return true; + } + +-void __init sdei_init(void) ++void __init acpi_sdei_init(void) + { + struct platform_device *pdev; + int ret; + +- ret = platform_driver_register(&sdei_driver); +- if (ret || !sdei_present_acpi()) ++ if (!sdei_present_acpi()) + return; + + pdev = platform_device_register_simple(sdei_driver.driver.name, +@@ -1081,6 +1080,12 @@ void __init sdei_init(void) + } + } + ++static int __init sdei_init(void) ++{ ++ return platform_driver_register(&sdei_driver); ++} ++arch_initcall(sdei_init); ++ + int sdei_event_handler(struct pt_regs *regs, + struct sdei_registered_event *arg) + { +diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h +index 255701e1251b4..f652a5028b590 100644 +--- a/include/linux/arm_sdei.h ++++ b/include/linux/arm_sdei.h +@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes); + /* For use by arch code when CPU hotplug notifiers are not appropriate. */ + int sdei_mask_local_cpu(void); + int sdei_unmask_local_cpu(void); +-void __init sdei_init(void); ++void __init acpi_sdei_init(void); + void sdei_handler_abort(void); + #else + static inline int sdei_mask_local_cpu(void) { return 0; } + static inline int sdei_unmask_local_cpu(void) { return 0; } +-static inline void sdei_init(void) { } ++static inline void acpi_sdei_init(void) { } + static inline void sdei_handler_abort(void) { } + #endif /* CONFIG_ARM_SDE_INTERFACE */ + +-- +2.39.5 + diff --git a/queue-6.1/fix-propagation-graph-breakage-by-move_mount_set_gro.patch b/queue-6.1/fix-propagation-graph-breakage-by-move_mount_set_gro.patch new file mode 100644 index 0000000000..1ccbbbb4e8 --- /dev/null +++ b/queue-6.1/fix-propagation-graph-breakage-by-move_mount_set_gro.patch @@ -0,0 +1,60 @@ +From f68719f7645c09659e32dca10f4d5e90a966ca48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 17:57:27 -0400 +Subject: fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) + +From: Al Viro + +[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ] + +9ffb14ef61ba "move_mount: allow to add a mount into an existing group" +breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures +in question are actually documented. + +Documentation/filesystem/sharedsubtree.rst: + All vfsmounts in a peer group have the same ->mnt_master. If it is + non-NULL, they form a contiguous (ordered) segment of slave list. + +do_set_group() puts a mount into the same place in propagation graph +as the old one. As the result, if old mount gets events from somewhere +and is not a pure event sink, new one needs to be placed next to the +old one in the slave list the old one's on. If it is a pure event +sink, we only need to make sure the new one doesn't end up in the +middle of some peer group. + +"move_mount: allow to add a mount into an existing group" ends up putting +the new one in the beginning of list; that's definitely not going to be +in the middle of anything, so that's fine for case when old is not marked +shared. In case when old one _is_ marked shared (i.e. is not a pure event +sink), that breaks the assumptions of propagation graph iterators. + +Put the new mount next to the old one on the list - that does the right thing +in "old is marked shared" case and is just as correct as the current behaviour +if old is not marked shared (kudos to Pavel for pointing that out - my original +suggested fix changed behaviour in the "nor marked" case, which complicated +things for no good reason). + +Reviewed-by: Christian Brauner +Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group") +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 211a81240680d..65aa3495db6a1 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2809,7 +2809,7 @@ static int do_set_group(struct path *from_path, struct path *to_path) + if (IS_MNT_SLAVE(from)) { + struct mount *m = from->mnt_master; + +- list_add(&to->mnt_slave, &m->mnt_slave_list); ++ list_add(&to->mnt_slave, &from->mnt_slave); + to->mnt_master = m; + } + +-- +2.39.5 + diff --git a/queue-6.1/fs-ntfs3-handle-hdr_first_de-return-value.patch b/queue-6.1/fs-ntfs3-handle-hdr_first_de-return-value.patch new file mode 100644 index 0000000000..7445eb1b10 --- /dev/null +++ b/queue-6.1/fs-ntfs3-handle-hdr_first_de-return-value.patch @@ -0,0 +1,56 @@ +From b32f452568b16a5fd1bb54cd1081d242826f5015 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 13:42:18 +0000 +Subject: fs/ntfs3: handle hdr_first_de() return value + +From: Andrey Vatoropin + +[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ] + +The hdr_first_de() function returns a pointer to a struct NTFS_DE. This +pointer may be NULL. To handle the NULL error effectively, it is important +to implement an error handler. This will help manage potential errors +consistently. + +Additionally, error handling for the return value already exists at other +points where this function is called. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Signed-off-by: Andrey Vatoropin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 139bdaececd72..ee6de53d2ad12 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -2166,6 +2166,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx, + + e = hdr_first_de(&n->index->ihdr); + fnd_push(fnd, n, e); ++ if (!e) { ++ err = -EINVAL; ++ goto out; ++ } + + if (!de_is_last(e)) { + /* +@@ -2187,6 +2191,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx, + + n = fnd->nodes[level]; + te = hdr_first_de(&n->index->ihdr); ++ if (!te) { ++ err = -EINVAL; ++ goto out; ++ } + /* Copy the candidate entry into the replacement entry buffer. */ + re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS); + if (!re) { +-- +2.39.5 + diff --git a/queue-6.1/gfs2-gfs2_create_inode-error-handling-fix.patch b/queue-6.1/gfs2-gfs2_create_inode-error-handling-fix.patch new file mode 100644 index 0000000000..7162dedc0b --- /dev/null +++ b/queue-6.1/gfs2-gfs2_create_inode-error-handling-fix.patch @@ -0,0 +1,35 @@ +From 47a2f972bb03e73ffa65879ec8e87ba400d1af93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:40:58 +0200 +Subject: gfs2: gfs2_create_inode error handling fix + +From: Andreas Gruenbacher + +[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ] + +When gfs2_create_inode() finds a directory, make sure to return -EISDIR. + +Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 04fc3e72a96e4..06629aeefbe6f 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -631,7 +631,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + if (!IS_ERR(inode)) { + if (S_ISDIR(inode->i_mode)) { + iput(inode); +- inode = ERR_PTR(-EISDIR); ++ inode = NULL; ++ error = -EISDIR; + goto fail_gunlock; + } + d_instantiate(dentry, inode); +-- +2.39.5 + diff --git a/queue-6.1/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch b/queue-6.1/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch new file mode 100644 index 0000000000..e3a2e7e6b1 --- /dev/null +++ b/queue-6.1/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch @@ -0,0 +1,44 @@ +From eec3ed64e819bc442c3233c2f07c71447b97f58e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 03:34:29 -0700 +Subject: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO + +From: Alok Tiwari + +[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ] + +gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() +did not check for this case before dereferencing the returned pointer. + +Add a missing NULL check to prevent a potential NULL pointer +dereference when allocation fails. + +This improves robustness in low-memory scenarios. + +Fixes: a57e5de476be ("gve: DQO: Add TX path") +Signed-off-by: Alok Tiwari +Reviewed-by: Mina Almasry +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +index eabed3deca763..e32d9967966bc 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -452,6 +452,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + int i; + + pkt = gve_alloc_pending_packet(tx); ++ if (!pkt) ++ return -ENOMEM; ++ + pkt->skb = skb; + pkt->num_bufs = 0; + completion_tag = pkt - tx->dqo.pending_packets; +-- +2.39.5 + diff --git a/queue-6.1/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch b/queue-6.1/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch new file mode 100644 index 0000000000..29f9f9eb08 --- /dev/null +++ b/queue-6.1/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch @@ -0,0 +1,39 @@ +From 589cdbae6c9a34280ea0c7ca80f7ca06c61a5bf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 06:08:16 -0700 +Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt + +From: Alok Tiwari + +[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ] + +Previously, the RX_BUFFERS_POSTED stat incorrectly reported the +fill_cnt from RX queue 0 for all queues, resulting in inaccurate +per-queue statistics. +Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue. + +Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 8771ccfc69b42..7e7890334ff60 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1312,7 +1312,7 @@ void gve_handle_report_stats(struct gve_priv *priv) + }; + stats[stats_idx++] = (struct stats) { + .stat_name = cpu_to_be32(RX_BUFFERS_POSTED), +- .value = cpu_to_be64(priv->rx[0].fill_cnt), ++ .value = cpu_to_be64(priv->rx[idx].fill_cnt), + .queue_id = cpu_to_be32(idx), + }; + } +-- +2.39.5 + diff --git a/queue-6.1/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch b/queue-6.1/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch new file mode 100644 index 0000000000..e5caf160f5 --- /dev/null +++ b/queue-6.1/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch @@ -0,0 +1,65 @@ +From 86089891b298cb5f5f419cca30e385079b2778df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 16:11:51 +0800 +Subject: hisi_acc_vfio_pci: add eq and aeq interruption restore + +From: Longfang Liu + +[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ] + +In order to ensure that the task packets of the accelerator +device are not lost during the migration process, it is necessary +to send an EQ and AEQ command to the device after the live migration +is completed and to update the completion position of the task queue. + +Let the device recheck the completed tasks data and if there are +uncollected packets, device resend a task completion interrupt +to the software. + +Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration") +Signed-off-by: Longfang Liu +Reviewed-by: Shameer Kolothum +Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index b5efb37712d5e..de3e1a148ddab 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -469,6 +469,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + return 0; + } + ++static void vf_qm_xeqc_save(struct hisi_qm *qm, ++ struct hisi_acc_vf_migration_file *migf) ++{ ++ struct acc_vf_data *vf_data = &migf->vf_data; ++ u16 eq_head, aeq_head; ++ ++ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF; ++ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0); ++ ++ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF; ++ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0); ++} ++ + static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + struct hisi_acc_vf_migration_file *migf) + { +@@ -569,6 +582,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev, + } + + migf->total_length = sizeof(struct acc_vf_data); ++ /* Save eqc and aeqc interrupt information */ ++ vf_qm_xeqc_save(vf_qm, migf); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch b/queue-6.1/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch new file mode 100644 index 0000000000..559ee64fa1 --- /dev/null +++ b/queue-6.1/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch @@ -0,0 +1,155 @@ +From b32f0c6c7ee4ac0f6c5aa018aea0418bcccc79b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 16:11:50 +0800 +Subject: hisi_acc_vfio_pci: fix XQE dma address error + +From: Longfang Liu + +[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ] + +The dma addresses of EQE and AEQE are wrong after migration and +results in guest kernel-mode encryption services failure. +Comparing the definition of hardware registers, we found that +there was an error when the data read from the register was +combined into an address. Therefore, the address combination +sequence needs to be corrected. + +Even after fixing the above problem, we still have an issue +where the Guest from an old kernel can get migrated to +new kernel and may result in wrong data. + +In order to ensure that the address is correct after migration, +if an old magic number is detected, the dma address needs to be +updated. + +Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration") +Signed-off-by: Longfang Liu +Reviewed-by: Shameer Kolothum +Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++--- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++- + 2 files changed, 47 insertions(+), 8 deletions(-) + +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index 39eeca18a0f7c..b5efb37712d5e 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm) + return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0); + } + ++static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev) ++{ ++ switch (vf_data->acc_magic) { ++ case ACC_DEV_MAGIC_V2: ++ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) { ++ dev_info(dev, "migration driver version<%u.%u> not match!\n", ++ vf_data->major_ver, vf_data->minor_ver); ++ return -EINVAL; ++ } ++ break; ++ case ACC_DEV_MAGIC_V1: ++ /* Correct dma address */ ++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH]; ++ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET; ++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW]; ++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH]; ++ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET; ++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW]; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev, + struct hisi_acc_vf_migration_file *migf) + { +@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev, + if (migf->total_length < QM_MATCH_SIZE) + return -EINVAL; + +- if (vf_data->acc_magic != ACC_DEV_MAGIC) { ++ ret = vf_qm_version_check(vf_data, dev); ++ if (ret) { + dev_err(dev, "failed to match ACC_DEV_MAGIC\n"); + return -EINVAL; + } +@@ -417,7 +444,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + int vf_id = hisi_acc_vdev->vf_id; + int ret; + +- vf_data->acc_magic = ACC_DEV_MAGIC; ++ vf_data->acc_magic = ACC_DEV_MAGIC_V2; ++ vf_data->major_ver = ACC_DRV_MAJOR_VER; ++ vf_data->minor_ver = ACC_DRV_MINOR_VER; + /* Save device id */ + vf_data->dev_id = hisi_acc_vdev->vf_dev->device; + +@@ -519,12 +548,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev, + return -EINVAL; + + /* Every reg is 32 bit, the dma address is 64 bit. */ +- vf_data->eqe_dma = vf_data->qm_eqc_dw[1]; ++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH]; + vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET; +- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0]; +- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1]; ++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW]; ++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH]; + vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET; +- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0]; ++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW]; + + /* Through SQC_BT/CQC_BT to get sqc and cqc address */ + ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma); +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h +index 67343325b3201..f62247d0adf9a 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h +@@ -38,6 +38,9 @@ + #define QM_REG_ADDR_OFFSET 0x0004 + + #define QM_XQC_ADDR_OFFSET 32U ++#define QM_XQC_ADDR_LOW 0x1 ++#define QM_XQC_ADDR_HIGH 0x2 ++ + #define QM_VF_AEQ_INT_MASK 0x0004 + #define QM_VF_EQ_INT_MASK 0x000c + #define QM_IFC_INT_SOURCE_V 0x0020 +@@ -49,10 +52,15 @@ + #define QM_EQC_DW0 0X8000 + #define QM_AEQC_DW0 0X8020 + ++#define ACC_DRV_MAJOR_VER 1 ++#define ACC_DRV_MINOR_VER 0 ++ ++#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC ++#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE ++ + struct acc_vf_data { + #define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state) + /* QM match information */ +-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC + u64 acc_magic; + u32 qp_num; + u32 dev_id; +@@ -60,7 +68,9 @@ struct acc_vf_data { + u32 qp_base; + u32 vf_qm_state; + /* QM reserved match information */ +- u32 qm_rsv_state[3]; ++ u16 major_ver; ++ u16 minor_ver; ++ u32 qm_rsv_state[2]; + + /* QM RW regs */ + u32 aeq_int_mask; +-- +2.39.5 + diff --git a/queue-6.1/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch b/queue-6.1/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch new file mode 100644 index 0000000000..9219c35aeb --- /dev/null +++ b/queue-6.1/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch @@ -0,0 +1,48 @@ +From e74026e7fcd42e4c82b3b292cee2b76ab272fc69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 23:26:54 +0300 +Subject: hwmon: (asus-ec-sensors) check sensor index in read_string() + +From: Alexei Safin + +[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ] + +Prevent a potential invalid memory access when the requested sensor +is not found. + +find_ec_sensor_index() may return a negative value (e.g. -ENOENT), +but its result was used without checking, which could lead to +undefined behavior when passed to get_sensor_info(). + +Add a proper check to return -EINVAL if sensor_index is negative. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC") +Signed-off-by: Alexei Safin +Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru +[groeck: Return error code returned from find_ec_sensor_index] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/asus-ec-sensors.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c +index d893cfd1cb829..6f20b55f41f2e 100644 +--- a/drivers/hwmon/asus-ec-sensors.c ++++ b/drivers/hwmon/asus-ec-sensors.c +@@ -839,6 +839,10 @@ static int asus_ec_hwmon_read_string(struct device *dev, + { + struct ec_sensors_data *state = dev_get_drvdata(dev); + int sensor_index = find_ec_sensor_index(state, type, channel); ++ ++ if (sensor_index < 0) ++ return sensor_index; ++ + *str = get_sensor_info(state, sensor_index)->label; + + return 0; +-- +2.39.5 + diff --git a/queue-6.1/ib-cm-use-rwlock-for-mad-agent-lock.patch b/queue-6.1/ib-cm-use-rwlock-for-mad-agent-lock.patch new file mode 100644 index 0000000000..0cf9194d8a --- /dev/null +++ b/queue-6.1/ib-cm-use-rwlock-for-mad-agent-lock.patch @@ -0,0 +1,117 @@ +From 1e9e059dd081c73d2119e3026a0600064afd5cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 17:56:12 +0000 +Subject: IB/cm: use rwlock for MAD agent lock + +From: Jacob Moroni + +[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ] + +In workloads where there are many processes establishing connections using +RDMA CM in parallel (large scale MPI), there can be heavy contention for +mad_agent_lock in cm_alloc_msg. + +This contention can occur while inside of a spin_lock_irq region, leading +to interrupts being disabled for extended durations on many +cores. Furthermore, it leads to the serialization of rdma_create_ah calls, +which has negative performance impacts for NICs which are capable of +processing multiple address handle creations in parallel. + +The end result is the machine becoming unresponsive, hung task warnings, +netdev TX timeouts, etc. + +Since the lock appears to be only for protection from cm_remove_one, it +can be changed to a rwlock to resolve these issues. + +Reproducer: + +Server: + for i in $(seq 1 512); do + ucmatose -c 32 -p $((i + 5000)) & + done + +Client: + for i in $(seq 1 512); do + ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 & + done + +Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock") +Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com +Signed-off-by: Jacob Moroni +Acked-by: Eric Dumazet +Reviewed-by: Zhu Yanjun +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 950fe205995b7..0a113d0d6b08f 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -166,7 +166,7 @@ struct cm_port { + struct cm_device { + struct kref kref; + struct list_head list; +- spinlock_t mad_agent_lock; ++ rwlock_t mad_agent_lock; + struct ib_device *ib_device; + u8 ack_delay; + int going_down; +@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv) + if (!cm_id_priv->av.port) + return ERR_PTR(-EINVAL); + +- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + mad_agent = cm_id_priv->av.port->mad_agent; + if (!mad_agent) { + m = ERR_PTR(-EINVAL); +@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv) + m->context[0] = cm_id_priv; + + out: +- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + return m; + } + +@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv) + if (!cm_id_priv->av.port) + return cpu_to_be64(low_tid); + +- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + if (cm_id_priv->av.port->mad_agent) + hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32; +- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + return cpu_to_be64(hi_tid | low_tid); + } + +@@ -4365,7 +4365,7 @@ static int cm_add_one(struct ib_device *ib_device) + return -ENOMEM; + + kref_init(&cm_dev->kref); +- spin_lock_init(&cm_dev->mad_agent_lock); ++ rwlock_init(&cm_dev->mad_agent_lock); + cm_dev->ib_device = ib_device; + cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay; + cm_dev->going_down = 0; +@@ -4481,9 +4481,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data) + * The above ensures no call paths from the work are running, + * the remaining paths all take the mad_agent_lock. + */ +- spin_lock(&cm_dev->mad_agent_lock); ++ write_lock(&cm_dev->mad_agent_lock); + port->mad_agent = NULL; +- spin_unlock(&cm_dev->mad_agent_lock); ++ write_unlock(&cm_dev->mad_agent_lock); + ib_unregister_mad_agent(mad_agent); + ib_port_unregister_client_groups(ib_device, i, + cm_counter_groups); +-- +2.39.5 + diff --git a/queue-6.1/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch b/queue-6.1/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch new file mode 100644 index 0000000000..e3245ae161 --- /dev/null +++ b/queue-6.1/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch @@ -0,0 +1,72 @@ +From ea0e9c5d1f4a39729d50510928409d3d8e34720b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:28 +0200 +Subject: ice: create new Tx scheduler nodes for new queues only + +From: Michal Kubiak + +[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ] + +The current implementation of the Tx scheduler tree attempts +to create nodes for all Tx queues, ignoring the fact that some +queues may already exist in the tree. For example, if the VSI +already has 128 Tx queues and the user requests for 16 new queues, +the Tx scheduler will compute the tree for 272 queues (128 existing +queues + 144 new queues), instead of 144 queues (128 existing queues +and 16 new queues). +Fix that by modifying the node count calculation algorithm to skip +the queues that already exist in the tree. + +Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Jacob Keller +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index b07bd0c059f75..3baa9d161a0bf 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -1591,16 +1591,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node, + /** + * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes + * @hw: pointer to the HW struct +- * @num_qs: number of queues ++ * @num_new_qs: number of new queues that will be added to the tree + * @num_nodes: num nodes array + * + * This function calculates the number of VSI child nodes based on the + * number of queues. + */ + static void +-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes) ++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes) + { +- u16 num = num_qs; ++ u16 num = num_new_qs; + u8 i, qgl, vsil; + + qgl = ice_sched_get_qgrp_layer(hw); +@@ -1848,8 +1848,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + return status; + } + +- if (new_numqs) +- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes); ++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, ++ new_num_nodes); ++ + /* Keep the max number of queue configuration all the time. Update the + * tree only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous +-- +2.39.5 + diff --git a/queue-6.1/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch b/queue-6.1/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch new file mode 100644 index 0000000000..7c7c6f0cf4 --- /dev/null +++ b/queue-6.1/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch @@ -0,0 +1,313 @@ +From 48bea9dd5347e540f3e822fc91ce5f9bd222b90c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:29 +0200 +Subject: ice: fix rebuilding the Tx scheduler tree for large queue counts + +From: Michal Kubiak + +[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ] + +The current implementation of the Tx scheduler allows the tree to be +rebuilt as the user adds more Tx queues to the VSI. In such a case, +additional child nodes are added to the tree to support the new number +of queues. +Unfortunately, this algorithm does not take into account that the limit +of the VSI support node may be exceeded, so an additional node in the +VSI layer may be required to handle all the requested queues. + +Such a scenario occurs when adding XDP Tx queues on machines with many +CPUs. Although the driver still respects the queue limit returned by +the FW, the Tx scheduler was unable to add those queues to its tree +and returned one of the errors below. + +Such a scenario occurs when adding XDP Tx queues on machines with many +CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs). +Although the driver still respects the queue limit returned by the FW, +the Tx scheduler was unable to add those queues to its tree and returned +the following errors: + + Failed VSI LAN queue config for XDP, error: -5 +or: + Failed to set LAN Tx queue context, error: -22 + +Fix this problem by extending the tree rebuild algorithm to check if the +current VSI node can support the requested number of queues. If it +cannot, create as many additional VSI support nodes as necessary to +handle all the required Tx queues. Symmetrically, adjust the VSI node +removal algorithm to remove all nodes associated with the given VSI. +Also, make the search for the next free VSI node more restrictive. That is, +add queue group nodes only to the VSI support nodes that have a matching +VSI handle. +Finally, fix the comment describing the tree update algorithm to better +reflect the current scenario. + +Fixes: b0153fdd7e8a ("ice: update VSI config dynamically") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++---- + 1 file changed, 142 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index 3baa9d161a0bf..f8f2f657bf9b6 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid) + return NULL; + } + ++/** ++ * ice_sched_find_next_vsi_node - find the next node for a given VSI ++ * @vsi_node: VSI support node to start search with ++ * ++ * Return: Next VSI support node, or NULL. ++ * ++ * The function returns a pointer to the next node from the VSI layer ++ * assigned to the given VSI, or NULL if there is no such a node. ++ */ ++static struct ice_sched_node * ++ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node) ++{ ++ unsigned int vsi_handle = vsi_node->vsi_handle; ++ ++ while ((vsi_node = vsi_node->sibling) != NULL) ++ if (vsi_node->vsi_handle == vsi_handle) ++ break; ++ ++ return vsi_node; ++} ++ + /** + * ice_aqc_send_sched_elem_cmd - send scheduling elements cmd + * @hw: pointer to the HW struct +@@ -1073,8 +1094,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi, + if (parent->num_children < max_child_nodes) { + new_num_nodes = max_child_nodes - parent->num_children; + } else { +- /* This parent is full, try the next sibling */ +- parent = parent->sibling; ++ /* This parent is full, ++ * try the next available sibling. ++ */ ++ parent = ice_sched_find_next_vsi_node(parent); + /* Don't modify the first node TEID memory if the + * first node was added already in the above call. + * Instead send some temp memory for all other +@@ -1515,12 +1538,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc, + /* get the first queue group node from VSI sub-tree */ + qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer); + while (qgrp_node) { ++ struct ice_sched_node *next_vsi_node; ++ + /* make sure the qgroup node is part of the VSI subtree */ + if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node)) + if (qgrp_node->num_children < max_children && + qgrp_node->owner == owner) + break; + qgrp_node = qgrp_node->sibling; ++ if (qgrp_node) ++ continue; ++ ++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node); ++ if (!next_vsi_node) ++ break; ++ ++ vsi_node = next_vsi_node; ++ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer); + } + + /* Select the best queue group */ +@@ -1764,7 +1798,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle, + if (!parent) + return -EIO; + +- if (i == vsil) ++ /* Do not modify the VSI handle for already existing VSI nodes, ++ * (if no new VSI node was added to the tree). ++ * Assign the VSI handle only to newly added VSI nodes. ++ */ ++ if (i == vsil && num_added) + parent->vsi_handle = vsi_handle; + } + +@@ -1797,6 +1835,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc) + num_nodes); + } + ++/** ++ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count ++ * @hw: pointer to the HW struct ++ * @vsi_node: pointer to the leftmost VSI node that needs to be extended ++ * @new_numqs: new number of queues that has to be handled by the VSI ++ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry ++ * ++ * This function recalculates the number of supported nodes that need to ++ * be added after adding more Tx queues for a given VSI. ++ * The number of new VSI support nodes that shall be added will be saved ++ * to the @new_num_nodes table for the VSI layer. ++ */ ++static void ++ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw, ++ struct ice_sched_node *vsi_node, ++ unsigned int new_numqs, u16 *new_num_nodes) ++{ ++ u32 vsi_nodes_cnt = 1; ++ u32 max_queue_cnt = 1; ++ u32 qgl, vsil; ++ ++ qgl = ice_sched_get_qgrp_layer(hw); ++ vsil = ice_sched_get_vsi_layer(hw); ++ ++ for (u32 i = vsil; i <= qgl; i++) ++ max_queue_cnt *= hw->max_children[i]; ++ ++ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL) ++ vsi_nodes_cnt++; ++ ++ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt)) ++ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) - ++ vsi_nodes_cnt; ++} ++ + /** + * ice_sched_update_vsi_child_nodes - update VSI child nodes + * @pi: port information structure +@@ -1848,16 +1921,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + return status; + } + ++ ice_sched_recalc_vsi_support_nodes(hw, vsi_node, ++ new_numqs, new_num_nodes); + ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, + new_num_nodes); + +- /* Keep the max number of queue configuration all the time. Update the +- * tree only if number of queues > previous number of queues. This may ++ /* Never decrease the number of queues in the tree. Update the tree ++ * only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous + * number but that wouldn't harm anything. Removing those extra nodes + * may complicate the code if those nodes are part of SRL or + * individually rate limited. ++ * Also, add the required VSI support nodes if the existing ones cannot ++ * handle the requested new number of queues. + */ ++ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node, ++ new_num_nodes); ++ if (status) ++ return status; ++ + status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node, + new_num_nodes, owner); + if (status) +@@ -1998,6 +2080,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node) + return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF); + } + ++/** ++ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI ++ * @pi: port information structure ++ * @vsi_node: pointer to the leftmost node of the VSI to be removed ++ * @owner: LAN or RDMA ++ * @tc: TC number ++ * ++ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC. ++ * ++ * This function removes all the VSI support nodes associated with a given VSI ++ * and its LAN or RDMA children nodes from the scheduler tree. ++ */ ++static int ++ice_sched_rm_vsi_subtree(struct ice_port_info *pi, ++ struct ice_sched_node *vsi_node, u8 owner, u8 tc) ++{ ++ u16 vsi_handle = vsi_node->vsi_handle; ++ bool all_vsi_nodes_removed = true; ++ int j = 0; ++ ++ while (vsi_node) { ++ struct ice_sched_node *next_vsi_node; ++ ++ if (ice_sched_is_leaf_node_present(vsi_node)) { ++ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc); ++ return -EBUSY; ++ } ++ while (j < vsi_node->num_children) { ++ if (vsi_node->children[j]->owner == owner) ++ ice_free_sched_node(pi, vsi_node->children[j]); ++ else ++ j++; ++ } ++ ++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node); ++ ++ /* remove the VSI if it has no children */ ++ if (!vsi_node->num_children) ++ ice_free_sched_node(pi, vsi_node); ++ else ++ all_vsi_nodes_removed = false; ++ ++ vsi_node = next_vsi_node; ++ } ++ ++ /* clean up aggregator related VSI info if any */ ++ if (all_vsi_nodes_removed) ++ ice_sched_rm_agg_vsi_info(pi, vsi_handle); ++ ++ return 0; ++} ++ + /** + * ice_sched_rm_vsi_cfg - remove the VSI and its children nodes + * @pi: port information structure +@@ -2024,7 +2158,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner) + + ice_for_each_traffic_class(i) { + struct ice_sched_node *vsi_node, *tc_node; +- u8 j = 0; + + tc_node = ice_sched_get_tc_node(pi, i); + if (!tc_node) +@@ -2034,31 +2167,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner) + if (!vsi_node) + continue; + +- if (ice_sched_is_leaf_node_present(vsi_node)) { +- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i); +- status = -EBUSY; ++ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i); ++ if (status) + goto exit_sched_rm_vsi_cfg; +- } +- while (j < vsi_node->num_children) { +- if (vsi_node->children[j]->owner == owner) { +- ice_free_sched_node(pi, vsi_node->children[j]); + +- /* reset the counter again since the num +- * children will be updated after node removal +- */ +- j = 0; +- } else { +- j++; +- } +- } +- /* remove the VSI if it has no children */ +- if (!vsi_node->num_children) { +- ice_free_sched_node(pi, vsi_node); +- vsi_ctx->sched.vsi_node[i] = NULL; ++ vsi_ctx->sched.vsi_node[i] = NULL; + +- /* clean up aggregator related VSI info if any */ +- ice_sched_rm_agg_vsi_info(pi, vsi_handle); +- } + if (owner == ICE_SCHED_NODE_OWNER_LAN) + vsi_ctx->sched.max_lanq[i] = 0; + else +-- +2.39.5 + diff --git a/queue-6.1/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch b/queue-6.1/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch new file mode 100644 index 0000000000..02c8189bca --- /dev/null +++ b/queue-6.1/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch @@ -0,0 +1,45 @@ +From 69768313091bccf473bcc3eeb39c89d1234e538c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 12:52:47 +0100 +Subject: iio: adc: ad7124: Fix 3dB filter frequency reading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ] + +The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB} +and for sinc3 the factor is 0.272 according to the data sheets for +ad7124-4 (Rev. E.) and ad7124-8 (Rev. F). + +Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Marcelo Schmitt +Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index 307a607bf56c7..1e0af424f34f6 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -299,9 +299,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st, + + switch (st->channels[channel].cfg.filter_type) { + case AD7124_SINC3_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 230, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 272, 1000); + case AD7124_SINC4_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 262, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 230, 1000); + default: + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.1/iio-filter-admv8818-fix-band-4-state-15.patch b/queue-6.1/iio-filter-admv8818-fix-band-4-state-15.patch new file mode 100644 index 0000000000..e27e616805 --- /dev/null +++ b/queue-6.1/iio-filter-admv8818-fix-band-4-state-15.patch @@ -0,0 +1,37 @@ +From 8aed13500c5ef1963913bd07233538dade380de5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:27 -0400 +Subject: iio: filter: admv8818: fix band 4, state 15 + +From: Sam Winchenbach + +[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ] + +Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per +the ADMV8818 datasheet + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index c7f5911f9040d..a50a8ea2f8dda 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -102,7 +102,7 @@ static const unsigned long long freq_range_lpf[4][2] = { + {2050000000ULL, 3850000000ULL}, + {3350000000ULL, 7250000000ULL}, + {7000000000, 13000000000}, +- {12550000000, 18500000000} ++ {12550000000, 18850000000} + }; + + static const struct regmap_config admv8818_regmap_config = { +-- +2.39.5 + diff --git a/queue-6.1/iio-filter-admv8818-fix-integer-overflow.patch b/queue-6.1/iio-filter-admv8818-fix-integer-overflow.patch new file mode 100644 index 0000000000..459642de08 --- /dev/null +++ b/queue-6.1/iio-filter-admv8818-fix-integer-overflow.patch @@ -0,0 +1,37 @@ +From 931d8bef48b46185529fb2d93feef85c8f1f27dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:28 -0400 +Subject: iio: filter: admv8818: fix integer overflow + +From: Sam Winchenbach + +[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ] + +HZ_PER_MHZ is only unsigned long. This math overflows, leading to +incorrect results. + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index a50a8ea2f8dda..831427aa89d83 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -152,7 +152,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + } + + /* Close HPF frequency gap between 12 and 12.5 GHz */ +- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) { ++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { + hpf_band = 3; + hpf_step = 15; + } +-- +2.39.5 + diff --git a/queue-6.1/iio-filter-admv8818-fix-range-calculation.patch b/queue-6.1/iio-filter-admv8818-fix-range-calculation.patch new file mode 100644 index 0000000000..2ed5c5f859 --- /dev/null +++ b/queue-6.1/iio-filter-admv8818-fix-range-calculation.patch @@ -0,0 +1,550 @@ +From 7086109620c4afb4fcddc9e7438ce60391fcd2fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:29 -0400 +Subject: iio: filter: admv8818: fix range calculation + +From: Sam Winchenbach + +[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ] + +Search for the minimum error while ensuring that the LPF corner +frequency is greater than the target, and the HPF corner frequency +is lower than the target + +This fixes issues where the range calculations were suboptimal. + +Add two new DTS properties to set the margin between the input frequency +and the calculated corner frequency + +Below is a generated table of the differences between the old algorithm +and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps. +=== HPF === +freq = 1750 MHz, 3db: bypass => 1750 MHz +freq = 3400 MHz, 3db: 3310 => 3400 MHz +freq = 3410 MHz, 3db: 3310 => 3400 MHz +freq = 3420 MHz, 3db: 3310 => 3400 MHz +freq = 3660 MHz, 3db: 3550 => 3656 MHz +freq = 6600 MHz, 3db: 6479 => 6600 MHz +freq = 6610 MHz, 3db: 6479 => 6600 MHz +freq = 6620 MHz, 3db: 6479 => 6600 MHz +freq = 6630 MHz, 3db: 6479 => 6600 MHz +freq = 6640 MHz, 3db: 6479 => 6600 MHz +freq = 6650 MHz, 3db: 6479 => 6600 MHz +freq = 6660 MHz, 3db: 6479 => 6600 MHz +freq = 6670 MHz, 3db: 6479 => 6600 MHz +freq = 6680 MHz, 3db: 6479 => 6600 MHz +freq = 6690 MHz, 3db: 6479 => 6600 MHz +freq = 6700 MHz, 3db: 6479 => 6600 MHz +freq = 6710 MHz, 3db: 6479 => 6600 MHz +freq = 6720 MHz, 3db: 6479 => 6600 MHz +freq = 6730 MHz, 3db: 6479 => 6600 MHz +freq = 6960 MHz, 3db: 6736 => 6960 MHz +freq = 6970 MHz, 3db: 6736 => 6960 MHz +freq = 6980 MHz, 3db: 6736 => 6960 MHz +freq = 6990 MHz, 3db: 6736 => 6960 MHz +freq = 7320 MHz, 3db: 7249 => 7320 MHz +freq = 7330 MHz, 3db: 7249 => 7320 MHz +freq = 7340 MHz, 3db: 7249 => 7320 MHz +freq = 7350 MHz, 3db: 7249 => 7320 MHz +freq = 7360 MHz, 3db: 7249 => 7320 MHz +freq = 7370 MHz, 3db: 7249 => 7320 MHz +freq = 7380 MHz, 3db: 7249 => 7320 MHz +freq = 7390 MHz, 3db: 7249 => 7320 MHz +freq = 7400 MHz, 3db: 7249 => 7320 MHz +freq = 7410 MHz, 3db: 7249 => 7320 MHz +freq = 7420 MHz, 3db: 7249 => 7320 MHz +freq = 7430 MHz, 3db: 7249 => 7320 MHz +freq = 7440 MHz, 3db: 7249 => 7320 MHz +freq = 7450 MHz, 3db: 7249 => 7320 MHz +freq = 7460 MHz, 3db: 7249 => 7320 MHz +freq = 7470 MHz, 3db: 7249 => 7320 MHz +freq = 7480 MHz, 3db: 7249 => 7320 MHz +freq = 7490 MHz, 3db: 7249 => 7320 MHz +freq = 7500 MHz, 3db: 7249 => 7320 MHz +freq = 12500 MHz, 3db: 12000 => 12500 MHz + +=== LPF === +freq = 2050 MHz, 3db: bypass => 2050 MHz +freq = 2170 MHz, 3db: 2290 => 2170 MHz +freq = 2290 MHz, 3db: 2410 => 2290 MHz +freq = 2410 MHz, 3db: 2530 => 2410 MHz +freq = 2530 MHz, 3db: 2650 => 2530 MHz +freq = 2650 MHz, 3db: 2770 => 2650 MHz +freq = 2770 MHz, 3db: 2890 => 2770 MHz +freq = 2890 MHz, 3db: 3010 => 2890 MHz +freq = 3010 MHz, 3db: 3130 => 3010 MHz +freq = 3130 MHz, 3db: 3250 => 3130 MHz +freq = 3250 MHz, 3db: 3370 => 3250 MHz +freq = 3260 MHz, 3db: 3370 => 3350 MHz +freq = 3270 MHz, 3db: 3370 => 3350 MHz +freq = 3280 MHz, 3db: 3370 => 3350 MHz +freq = 3290 MHz, 3db: 3370 => 3350 MHz +freq = 3300 MHz, 3db: 3370 => 3350 MHz +freq = 3310 MHz, 3db: 3370 => 3350 MHz +freq = 3320 MHz, 3db: 3370 => 3350 MHz +freq = 3330 MHz, 3db: 3370 => 3350 MHz +freq = 3340 MHz, 3db: 3370 => 3350 MHz +freq = 3350 MHz, 3db: 3370 => 3350 MHz +freq = 3370 MHz, 3db: 3490 => 3370 MHz +freq = 3490 MHz, 3db: 3610 => 3490 MHz +freq = 3610 MHz, 3db: 3730 => 3610 MHz +freq = 3730 MHz, 3db: 3850 => 3730 MHz +freq = 3850 MHz, 3db: 3870 => 3850 MHz +freq = 3870 MHz, 3db: 4130 => 3870 MHz +freq = 4130 MHz, 3db: 4390 => 4130 MHz +freq = 4390 MHz, 3db: 4650 => 4390 MHz +freq = 4650 MHz, 3db: 4910 => 4650 MHz +freq = 4910 MHz, 3db: 5170 => 4910 MHz +freq = 5170 MHz, 3db: 5430 => 5170 MHz +freq = 5430 MHz, 3db: 5690 => 5430 MHz +freq = 5690 MHz, 3db: 5950 => 5690 MHz +freq = 5950 MHz, 3db: 6210 => 5950 MHz +freq = 6210 MHz, 3db: 6470 => 6210 MHz +freq = 6470 MHz, 3db: 6730 => 6470 MHz +freq = 6730 MHz, 3db: 6990 => 6730 MHz +freq = 6990 MHz, 3db: 7250 => 6990 MHz +freq = 7000 MHz, 3db: 7250 => 7000 MHz +freq = 7250 MHz, 3db: 7400 => 7250 MHz +freq = 7400 MHz, 3db: 7800 => 7400 MHz +freq = 7800 MHz, 3db: 8200 => 7800 MHz +freq = 8200 MHz, 3db: 8600 => 8200 MHz +freq = 8600 MHz, 3db: 9000 => 8600 MHz +freq = 9000 MHz, 3db: 9400 => 9000 MHz +freq = 9400 MHz, 3db: 9800 => 9400 MHz +freq = 9800 MHz, 3db: 10200 => 9800 MHz +freq = 10200 MHz, 3db: 10600 => 10200 MHz +freq = 10600 MHz, 3db: 11000 => 10600 MHz +freq = 11000 MHz, 3db: 11400 => 11000 MHz +freq = 11400 MHz, 3db: 11800 => 11400 MHz +freq = 11800 MHz, 3db: 12200 => 11800 MHz +freq = 12200 MHz, 3db: 12600 => 12200 MHz +freq = 12210 MHz, 3db: 12600 => 12550 MHz +freq = 12220 MHz, 3db: 12600 => 12550 MHz +freq = 12230 MHz, 3db: 12600 => 12550 MHz +freq = 12240 MHz, 3db: 12600 => 12550 MHz +freq = 12250 MHz, 3db: 12600 => 12550 MHz +freq = 12260 MHz, 3db: 12600 => 12550 MHz +freq = 12270 MHz, 3db: 12600 => 12550 MHz +freq = 12280 MHz, 3db: 12600 => 12550 MHz +freq = 12290 MHz, 3db: 12600 => 12550 MHz +freq = 12300 MHz, 3db: 12600 => 12550 MHz +freq = 12310 MHz, 3db: 12600 => 12550 MHz +freq = 12320 MHz, 3db: 12600 => 12550 MHz +freq = 12330 MHz, 3db: 12600 => 12550 MHz +freq = 12340 MHz, 3db: 12600 => 12550 MHz +freq = 12350 MHz, 3db: 12600 => 12550 MHz +freq = 12360 MHz, 3db: 12600 => 12550 MHz +freq = 12370 MHz, 3db: 12600 => 12550 MHz +freq = 12380 MHz, 3db: 12600 => 12550 MHz +freq = 12390 MHz, 3db: 12600 => 12550 MHz +freq = 12400 MHz, 3db: 12600 => 12550 MHz +freq = 12410 MHz, 3db: 12600 => 12550 MHz +freq = 12420 MHz, 3db: 12600 => 12550 MHz +freq = 12430 MHz, 3db: 12600 => 12550 MHz +freq = 12440 MHz, 3db: 12600 => 12550 MHz +freq = 12450 MHz, 3db: 12600 => 12550 MHz +freq = 12460 MHz, 3db: 12600 => 12550 MHz +freq = 12470 MHz, 3db: 12600 => 12550 MHz +freq = 12480 MHz, 3db: 12600 => 12550 MHz +freq = 12490 MHz, 3db: 12600 => 12550 MHz +freq = 12500 MHz, 3db: 12600 => 12550 MHz +freq = 12510 MHz, 3db: 12600 => 12550 MHz +freq = 12520 MHz, 3db: 12600 => 12550 MHz +freq = 12530 MHz, 3db: 12600 => 12550 MHz +freq = 12540 MHz, 3db: 12600 => 12550 MHz +freq = 12550 MHz, 3db: 12600 => 12550 MHz +freq = 12600 MHz, 3db: 13000 => 12600 MHz +freq = 12610 MHz, 3db: 13000 => 12970 MHz +freq = 12620 MHz, 3db: 13000 => 12970 MHz +freq = 12630 MHz, 3db: 13000 => 12970 MHz +freq = 12640 MHz, 3db: 13000 => 12970 MHz +freq = 12650 MHz, 3db: 13000 => 12970 MHz +freq = 12660 MHz, 3db: 13000 => 12970 MHz +freq = 12670 MHz, 3db: 13000 => 12970 MHz +freq = 12680 MHz, 3db: 13000 => 12970 MHz +freq = 12690 MHz, 3db: 13000 => 12970 MHz +freq = 12700 MHz, 3db: 13000 => 12970 MHz +freq = 12710 MHz, 3db: 13000 => 12970 MHz +freq = 12720 MHz, 3db: 13000 => 12970 MHz +freq = 12730 MHz, 3db: 13000 => 12970 MHz +freq = 12740 MHz, 3db: 13000 => 12970 MHz +freq = 12750 MHz, 3db: 13000 => 12970 MHz +freq = 12760 MHz, 3db: 13000 => 12970 MHz +freq = 12770 MHz, 3db: 13000 => 12970 MHz +freq = 12780 MHz, 3db: 13000 => 12970 MHz +freq = 12790 MHz, 3db: 13000 => 12970 MHz +freq = 12800 MHz, 3db: 13000 => 12970 MHz +freq = 12810 MHz, 3db: 13000 => 12970 MHz +freq = 12820 MHz, 3db: 13000 => 12970 MHz +freq = 12830 MHz, 3db: 13000 => 12970 MHz +freq = 12840 MHz, 3db: 13000 => 12970 MHz +freq = 12850 MHz, 3db: 13000 => 12970 MHz +freq = 12860 MHz, 3db: 13000 => 12970 MHz +freq = 12870 MHz, 3db: 13000 => 12970 MHz +freq = 12880 MHz, 3db: 13000 => 12970 MHz +freq = 12890 MHz, 3db: 13000 => 12970 MHz +freq = 12900 MHz, 3db: 13000 => 12970 MHz +freq = 12910 MHz, 3db: 13000 => 12970 MHz +freq = 12920 MHz, 3db: 13000 => 12970 MHz +freq = 12930 MHz, 3db: 13000 => 12970 MHz +freq = 12940 MHz, 3db: 13000 => 12970 MHz +freq = 12950 MHz, 3db: 13000 => 12970 MHz +freq = 12960 MHz, 3db: 13000 => 12970 MHz +freq = 12970 MHz, 3db: 13000 => 12970 MHz +freq = 13000 MHz, 3db: 13390 => 13000 MHz +freq = 13390 MHz, 3db: 13810 => 13390 MHz +freq = 13810 MHz, 3db: 14230 => 13810 MHz +freq = 14230 MHz, 3db: 14650 => 14230 MHz +freq = 14650 MHz, 3db: 15070 => 14650 MHz +freq = 15070 MHz, 3db: 15490 => 15070 MHz +freq = 15490 MHz, 3db: 15910 => 15490 MHz +freq = 15910 MHz, 3db: 16330 => 15910 MHz +freq = 16330 MHz, 3db: 16750 => 16330 MHz +freq = 16750 MHz, 3db: 17170 => 16750 MHz +freq = 17170 MHz, 3db: 17590 => 17170 MHz +freq = 17590 MHz, 3db: 18010 => 17590 MHz +freq = 18010 MHz, 3db: 18430 => 18010 MHz +freq = 18430 MHz, 3db: 18850 => 18430 MHz +freq = 18850 MHz, 3db: bypass => 18850 MHz + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++--------- + 1 file changed, 152 insertions(+), 53 deletions(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index 831427aa89d83..2dfa92e052af8 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -70,6 +71,16 @@ + #define ADMV8818_HPF_WR0_MSK GENMASK(7, 4) + #define ADMV8818_LPF_WR0_MSK GENMASK(3, 0) + ++#define ADMV8818_BAND_BYPASS 0 ++#define ADMV8818_BAND_MIN 1 ++#define ADMV8818_BAND_MAX 4 ++#define ADMV8818_BAND_CORNER_LOW 0 ++#define ADMV8818_BAND_CORNER_HIGH 1 ++ ++#define ADMV8818_STATE_MIN 0 ++#define ADMV8818_STATE_MAX 15 ++#define ADMV8818_NUM_STATES 16 ++ + enum { + ADMV8818_BW_FREQ, + ADMV8818_CENTER_FREQ +@@ -89,16 +100,20 @@ struct admv8818_state { + struct mutex lock; + unsigned int filter_mode; + u64 cf_hz; ++ u64 lpf_margin_hz; ++ u64 hpf_margin_hz; + }; + +-static const unsigned long long freq_range_hpf[4][2] = { ++static const unsigned long long freq_range_hpf[5][2] = { ++ {0ULL, 0ULL}, /* bypass */ + {1750000000ULL, 3550000000ULL}, + {3400000000ULL, 7250000000ULL}, + {6600000000, 12000000000}, + {12500000000, 19900000000} + }; + +-static const unsigned long long freq_range_lpf[4][2] = { ++static const unsigned long long freq_range_lpf[5][2] = { ++ {U64_MAX, U64_MAX}, /* bypass */ + {2050000000ULL, 3850000000ULL}, + {3350000000ULL, 7250000000ULL}, + {7000000000, 13000000000}, +@@ -119,44 +134,59 @@ static const char * const admv8818_modes[] = { + + static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + { +- unsigned int hpf_step = 0, hpf_band = 0, i, j; +- u64 freq_step; +- int ret; ++ int band, state, ret; ++ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS; ++ u64 freq_error, min_freq_error, freq_corner, freq_step; + +- if (freq < freq_range_hpf[0][0]) ++ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) + goto hpf_write; + +- if (freq > freq_range_hpf[3][1]) { +- hpf_step = 15; +- hpf_band = 4; +- ++ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) { ++ hpf_state = ADMV8818_STATE_MAX; ++ hpf_band = ADMV8818_BAND_MAX; + goto hpf_write; + } + +- for (i = 0; i < 4; i++) { +- freq_step = div_u64((freq_range_hpf[i][1] - +- freq_range_hpf[i][0]), 15); ++ /* Close HPF frequency gap between 12 and 12.5 GHz */ ++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { ++ hpf_state = ADMV8818_STATE_MAX; ++ hpf_band = 3; ++ goto hpf_write; ++ } + +- if (freq > freq_range_hpf[i][0] && +- (freq < freq_range_hpf[i][1] + freq_step)) { +- hpf_band = i + 1; ++ min_freq_error = U64_MAX; ++ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) { ++ /* ++ * This (and therefore all other ranges) have a corner ++ * frequency higher than the target frequency. ++ */ ++ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq) ++ break; + +- for (j = 1; j <= 16; j++) { +- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) { +- hpf_step = j - 1; +- break; +- } ++ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW]; ++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1); ++ ++ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) { ++ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] + ++ freq_step * state; ++ ++ /* ++ * This (and therefore all other states) have a corner ++ * frequency higher than the target frequency. ++ */ ++ if (freq_corner > freq) ++ break; ++ ++ freq_error = freq - freq_corner; ++ if (freq_error < min_freq_error) { ++ min_freq_error = freq_error; ++ hpf_state = state; ++ hpf_band = band; + } +- break; + } + } + +- /* Close HPF frequency gap between 12 and 12.5 GHz */ +- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { +- hpf_band = 3; +- hpf_step = 15; +- } +- + hpf_write: + ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW, + ADMV8818_SW_IN_SET_WR0_MSK | +@@ -168,7 +198,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + + return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER, + ADMV8818_HPF_WR0_MSK, +- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step)); ++ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state)); + } + + static int admv8818_hpf_select(struct admv8818_state *st, u64 freq) +@@ -184,31 +214,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq) + + static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq) + { +- unsigned int lpf_step = 0, lpf_band = 0, i, j; +- u64 freq_step; +- int ret; ++ int band, state, ret; ++ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS; ++ u64 freq_error, min_freq_error, freq_corner, freq_step; + +- if (freq > freq_range_lpf[3][1]) ++ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) + goto lpf_write; + +- if (freq < freq_range_lpf[0][0]) { +- lpf_band = 1; +- ++ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) { ++ lpf_state = ADMV8818_STATE_MIN; ++ lpf_band = ADMV8818_BAND_MIN; + goto lpf_write; + } + +- for (i = 0; i < 4; i++) { +- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) { +- lpf_band = i + 1; +- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15); ++ min_freq_error = U64_MAX; ++ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) { ++ /* ++ * At this point the highest corner frequency of ++ * all remaining ranges is below the target. ++ * LPF corner should be >= the target. ++ */ ++ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH]) ++ break; ++ ++ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW]; ++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1); ++ ++ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) { + +- for (j = 0; j <= 15; j++) { +- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) { +- lpf_step = j; +- break; +- } ++ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] + ++ state * freq_step; ++ ++ /* ++ * At this point all other states in range will ++ * place the corner frequency below the target ++ * LPF corner should >= the target. ++ */ ++ if (freq > freq_corner) ++ break; ++ ++ freq_error = freq_corner - freq; ++ if (freq_error < min_freq_error) { ++ min_freq_error = freq_error; ++ lpf_state = state; ++ lpf_band = band; + } +- break; + } + } + +@@ -223,7 +274,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq) + + return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER, + ADMV8818_LPF_WR0_MSK, +- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step)); ++ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state)); + } + + static int admv8818_lpf_select(struct admv8818_state *st, u64 freq) +@@ -240,16 +291,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq) + static int admv8818_rfin_band_select(struct admv8818_state *st) + { + int ret; ++ u64 hpf_corner_target, lpf_corner_target; + + st->cf_hz = clk_get_rate(st->clkin); + ++ /* Check for underflow */ ++ if (st->cf_hz > st->hpf_margin_hz) ++ hpf_corner_target = st->cf_hz - st->hpf_margin_hz; ++ else ++ hpf_corner_target = 0; ++ ++ /* Check for overflow */ ++ lpf_corner_target = st->cf_hz + st->lpf_margin_hz; ++ if (lpf_corner_target < st->cf_hz) ++ lpf_corner_target = U64_MAX; ++ + mutex_lock(&st->lock); + +- ret = __admv8818_hpf_select(st, st->cf_hz); ++ ret = __admv8818_hpf_select(st, hpf_corner_target); + if (ret) + goto exit; + +- ret = __admv8818_lpf_select(st, st->cf_hz); ++ ret = __admv8818_lpf_select(st, lpf_corner_target); + exit: + mutex_unlock(&st->lock); + return ret; +@@ -276,8 +339,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq) + + hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data); + +- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15); +- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state); ++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW]; ++ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1); ++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] + ++ (*hpf_freq * hpf_state); + + return ret; + } +@@ -314,8 +380,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq) + + lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data); + +- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15); +- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state); ++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW]; ++ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1); ++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] + ++ (*lpf_freq * lpf_state); + + return ret; + } +@@ -594,6 +663,32 @@ static int admv8818_clk_setup(struct admv8818_state *st) + return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st); + } + ++static int admv8818_read_properties(struct admv8818_state *st) ++{ ++ struct spi_device *spi = st->spi; ++ u32 mhz; ++ int ret; ++ ++ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz); ++ if (ret == 0) ++ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ; ++ else if (ret == -EINVAL) ++ st->lpf_margin_hz = 0; ++ else ++ return ret; ++ ++ ++ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz); ++ if (ret == 0) ++ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ; ++ else if (ret == -EINVAL) ++ st->hpf_margin_hz = 0; ++ else if (ret < 0) ++ return ret; ++ ++ return 0; ++} ++ + static int admv8818_probe(struct spi_device *spi) + { + struct iio_dev *indio_dev; +@@ -625,6 +720,10 @@ static int admv8818_probe(struct spi_device *spi) + + mutex_init(&st->lock); + ++ ret = admv8818_read_properties(st); ++ if (ret) ++ return ret; ++ + ret = admv8818_init(st); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.1/iio-filter-admv8818-support-frequencies-2-32.patch b/queue-6.1/iio-filter-admv8818-support-frequencies-2-32.patch new file mode 100644 index 0000000000..15d9ab56f6 --- /dev/null +++ b/queue-6.1/iio-filter-admv8818-support-frequencies-2-32.patch @@ -0,0 +1,71 @@ +From 8cc88e732571fbb8e1561c96fe127721a4867e35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:31 -0400 +Subject: iio: filter: admv8818: Support frequencies >= 2^32 + +From: Brian Pellegrino + +[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ] + +This patch allows writing u64 values to the ADMV8818's high and low-pass +filter frequencies. It includes the following changes: + +- Rejects negative frequencies in admv8818_write_raw. +- Adds a write_raw_get_fmt function to admv8818's iio_info, returning + IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels. + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Brian Pellegrino +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index 2dfa92e052af8..b83d655274325 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -400,6 +400,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq) + return ret; + } + ++static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev, ++ struct iio_chan_spec const *chan, ++ long mask) ++{ ++ switch (mask) { ++ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: ++ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY: ++ return IIO_VAL_INT_64; ++ default: ++ return -EINVAL; ++ } ++} ++ + static int admv8818_write_raw(struct iio_dev *indio_dev, + struct iio_chan_spec const *chan, + int val, int val2, long info) +@@ -408,6 +421,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev, + + u64 freq = ((u64)val2 << 32 | (u32)val); + ++ if ((s64)freq < 0) ++ return -EINVAL; ++ + switch (info) { + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return admv8818_lpf_select(st, freq); +@@ -524,6 +540,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev, + + static const struct iio_info admv8818_info = { + .write_raw = admv8818_write_raw, ++ .write_raw_get_fmt = admv8818_write_raw_get_fmt, + .read_raw = admv8818_read_raw, + .debugfs_reg_access = &admv8818_reg_access, + }; +-- +2.39.5 + diff --git a/queue-6.1/iommu-protect-against-overflow-in-iommu_pgsize.patch b/queue-6.1/iommu-protect-against-overflow-in-iommu_pgsize.patch new file mode 100644 index 0000000000..8e0f46bb63 --- /dev/null +++ b/queue-6.1/iommu-protect-against-overflow-in-iommu_pgsize.patch @@ -0,0 +1,56 @@ +From 599c28ce4d80968e61b931734c5609a87e3a6b8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 10:08:37 -0300 +Subject: iommu: Protect against overflow in iommu_pgsize() + +From: Jason Gunthorpe + +[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ] + +On a 32 bit system calling: + iommu_map(0, 0x40000000) + +When using the AMD V1 page table type with a domain->pgsize of 0xfffff000 +causes iommu_pgsize() to miscalculate a result of: + size=0x40000000 count=2 + +count should be 1. This completely corrupts the mapping process. + +This is because the final test to adjust the pagesize malfunctions when +the addition overflows. Use check_add_overflow() to prevent this. + +Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 83736824f17d1..ae9ca0700ad22 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -2202,6 +2202,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova, + unsigned int pgsize_idx, pgsize_idx_next; + unsigned long pgsizes; + size_t offset, pgsize, pgsize_next; ++ size_t offset_end; + unsigned long addr_merge = paddr | iova; + + /* Page sizes supported by the hardware and small enough for @size */ +@@ -2242,7 +2243,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova, + * If size is big enough to accommodate the larger page, reduce + * the number of smaller pages. + */ +- if (offset + pgsize_next <= size) ++ if (!check_add_overflow(offset, pgsize_next, &offset_end) && ++ offset_end <= size) + size = offset; + + out_set_count: +-- +2.39.5 + diff --git a/queue-6.1/iommu-remove-duplicate-selection-of-dmar_table.patch b/queue-6.1/iommu-remove-duplicate-selection-of-dmar_table.patch new file mode 100644 index 0000000000..cedc34d666 --- /dev/null +++ b/queue-6.1/iommu-remove-duplicate-selection-of-dmar_table.patch @@ -0,0 +1,36 @@ +From 484a356efb39b2013c78b8aa502bb63e9cac0cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 15:10:44 +0200 +Subject: iommu: remove duplicate selection of DMAR_TABLE + +From: Rolf Eike Beer + +[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ] + +This is already done in intel/Kconfig. + +Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL") +Signed-off-by: Rolf Eike Beer +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig +index dc19e7fb07cfe..fad36f0a4d14b 100644 +--- a/drivers/iommu/Kconfig ++++ b/drivers/iommu/Kconfig +@@ -192,7 +192,6 @@ source "drivers/iommu/intel/Kconfig" + config IRQ_REMAP + bool "Support for Interrupt Remapping" + depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI +- select DMAR_TABLE if INTEL_IOMMU + help + Supports Interrupt remapping for IO-APIC and MSI devices. + To use x2apic mode in the CPU's which support x2APIC enhancements or +-- +2.39.5 + diff --git a/queue-6.1/kernfs-relax-constraint-in-draining-guard.patch b/queue-6.1/kernfs-relax-constraint-in-draining-guard.patch new file mode 100644 index 0000000000..54d145d390 --- /dev/null +++ b/queue-6.1/kernfs-relax-constraint-in-draining-guard.patch @@ -0,0 +1,88 @@ +From 803fa1577ff9d51a02e335d409c62b571867b2c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 14:12:00 +0200 +Subject: kernfs: Relax constraint in draining guard +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ] + +The active reference lifecycle provides the break/unbreak mechanism but +the active reference is not truly active after unbreak -- callers don't +use it afterwards but it's important for proper pairing of kn->active +counting. Assuming this mechanism is in place, the WARN check in +kernfs_should_drain_open_files() is too sensitive -- it may transiently +catch those (rightful) callers between +kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen +Ridong: + + kernfs_remove_by_name_ns kernfs_get_active // active=1 + __kernfs_remove // active=0x80000002 + kernfs_drain ... + wait_event + //waiting (active == 0x80000001) + kernfs_break_active_protection + // active = 0x80000001 + // continue + kernfs_unbreak_active_protection + // active = 0x80000002 + ... + kernfs_should_drain_open_files + // warning occurs + kernfs_put_active + +To avoid the false positives (mind panic_on_warn) remove the check altogether. +(This is meant as quick fix, I think active reference break/unbreak may be +simplified with larger rework.) + +Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively") +Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/ + +Cc: Chen Ridong +Signed-off-by: Michal Koutný +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/kernfs/dir.c | 5 +++-- + fs/kernfs/file.c | 3 ++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c +index 2c74b24fc22aa..a259fe3471a98 100644 +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -1532,8 +1532,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn) + * invoked before finishing the kernfs operation. Note that while this + * function restores the active reference, it doesn't and can't actually + * restore the active protection - @kn may already or be in the process of +- * being removed. Once kernfs_break_active_protection() is invoked, that +- * protection is irreversibly gone for the kernfs operation instance. ++ * being drained and removed. Once kernfs_break_active_protection() is ++ * invoked, that protection is irreversibly gone for the kernfs operation ++ * instance. + * + * While this function may be called at any point after + * kernfs_break_active_protection() is invoked, its most useful location +diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c +index adf3536cfec81..cf57b7cc3a430 100644 +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -820,8 +820,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn) + /* + * @kn being deactivated guarantees that @kn->attr.open can't change + * beneath us making the lockless test below safe. ++ * Callers post kernfs_unbreak_active_protection may be counted in ++ * kn->active by now, do not WARN_ON because of them. + */ +- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS); + + rcu_read_lock(); + on = rcu_dereference(kn->attr.open); +-- +2.39.5 + diff --git a/queue-6.1/ktls-sockmap-fix-missing-uncharge-operation.patch b/queue-6.1/ktls-sockmap-fix-missing-uncharge-operation.patch new file mode 100644 index 0000000000..283f607d64 --- /dev/null +++ b/queue-6.1/ktls-sockmap-fix-missing-uncharge-operation.patch @@ -0,0 +1,59 @@ +From 6bc5b4acf1a14236085b9d4e5ca3bb9944244e18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 13:59:57 +0800 +Subject: ktls, sockmap: Fix missing uncharge operation + +From: Jiayuan Chen + +[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ] + +When we specify apply_bytes, we divide the msg into multiple segments, +each with a length of 'send', and every time we send this part of the data +using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the +memory of the specified 'send' size. + +However, if the first segment of data fails to send, for example, the +peer's buffer is full, we need to release all of the msg. When releasing +the msg, we haven't uncharged the memory of the subsequent segments. + +This modification does not make significant logical changes, but only +fills in the missing uncharge places. + +This issue has existed all along, until it was exposed after we added the +apply test in test_sockmap: +commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap") + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Acked-by: John Fastabend +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index af820ae9b1a52..5f95f837dfc7f 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -904,6 +904,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + &msg_redir, send, flags); + lock_sock(sk); + if (err < 0) { ++ /* Regardless of whether the data represented by ++ * msg_redir is sent successfully, we have already ++ * uncharged it via sk_msg_return_zero(). The ++ * msg->sg.size represents the remaining unprocessed ++ * data, which needs to be uncharged here. ++ */ ++ sk_mem_uncharge(sk, msg->sg.size); + *copied -= sk_msg_free_nocharge(sk, &msg_redir); + msg->sg.size = 0; + } +-- +2.39.5 + diff --git a/queue-6.1/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch b/queue-6.1/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch new file mode 100644 index 0000000000..32b07dec2c --- /dev/null +++ b/queue-6.1/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch @@ -0,0 +1,106 @@ +From 313ffe397745e6132e9c88e05f1f07c3e6cf6d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 17:50:14 +0200 +Subject: libbpf: Fix buffer overflow in bpf_object__init_prog + +From: Viktor Malik + +[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ] + +As shown in [1], it is possible to corrupt a BPF ELF file such that +arbitrary BPF instructions are loaded by libbpf. This can be done by +setting a symbol (BPF program) section offset to a large (unsigned) +number such that
overflows and points +before the section data in the memory. + +Consider the situation below where: +- prog_start = sec_start + symbol_offset <-- size_t overflow here +- prog_end = prog_start + prog_size + + prog_start sec_start prog_end sec_end + | | | | + v v v v + .....................|################################|............ + +The report in [1] also provides a corrupted BPF ELF which can be used as +a reproducer: + + $ readelf -S crash + Section Headers: + [Nr] Name Type Address Offset + Size EntSize Flags Link Info Align + ... + [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040 + 0000000000000068 0000000000000000 AX 0 0 8 + + $ readelf -s crash + Symbol table '.symtab' contains 8 entries: + Num: Value Size Type Bind Vis Ndx Name + ... + 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp + +Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will +point before the actual memory where section 2 is allocated. + +This is also reported by AddressSanitizer: + + ================================================================= + ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490 + READ of size 104 at 0x7c7302fe0000 thread T0 + #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76) + #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856 + #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928 + #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930 + #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067 + #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090 + #6 0x000000400c16 in main /poc/poc.c:8 + #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) + #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) + #9 0x000000400b34 in _start (/poc/poc+0x400b34) + + 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8) + allocated by thread T0 here: + #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b) + #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600) + #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018) + #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740 + +The problem here is that currently, libbpf only checks that the program +end is within the section bounds. There used to be a check +`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was +removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program +sections to support overriden weak functions"). + +Add a check for detecting the overflow of `sec_off + prog_sz` to +bpf_object__init_prog to fix this issue. + +[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md + +Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") +Reported-by: lmarch2 <2524158037@qq.com> +Signed-off-by: Viktor Malik +Signed-off-by: Andrii Nakryiko +Reviewed-by: Shung-Hsi Yu +Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md +Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 98d5e566e0582..2fb66ca0f50a5 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -818,7 +818,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data, + return -LIBBPF_ERRNO__FORMAT; + } + +- if (sec_off + prog_sz > sec_sz) { ++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) { + pr_warn("sec '%s': program at offset %zu crosses section boundary\n", + sec_name, sec_off); + return -LIBBPF_ERRNO__FORMAT; +-- +2.39.5 + diff --git a/queue-6.1/libbpf-use-proper-errno-value-in-linker.patch b/queue-6.1/libbpf-use-proper-errno-value-in-linker.patch new file mode 100644 index 0000000000..2bdf6d1b06 --- /dev/null +++ b/queue-6.1/libbpf-use-proper-errno-value-in-linker.patch @@ -0,0 +1,49 @@ +From e08672e88a999a48f2545313ec7b096a5b30d9b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 12:08:20 +0000 +Subject: libbpf: Use proper errno value in linker + +From: Anton Protopopov + +[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ] + +Return values of the linker_append_sec_data() and the +linker_append_elf_relos() functions are propagated all the +way up to users of libbpf API. In some error cases these +functions return -1 which will be seen as -EPERM from user's +point of view. Instead, return a more reasonable -EINVAL. + +Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/linker.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c +index 752ef88c9fd97..0bee018a6a6c0 100644 +--- a/tools/lib/bpf/linker.c ++++ b/tools/lib/bpf/linker.c +@@ -1175,7 +1175,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj + } else { + if (!secs_match(dst_sec, src_sec)) { + pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name); +- return -1; ++ return -EINVAL; + } + + /* "license" and "version" sections are deduped */ +@@ -2023,7 +2023,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob + } + } else if (!secs_match(dst_sec, src_sec)) { + pr_warn("sections %s are not compatible\n", src_sec->sec_name); +- return -1; ++ return -EINVAL; + } + + /* add_dst_sec() above could have invalidated linker->secs */ +-- +2.39.5 + diff --git a/queue-6.1/libbpf-use-proper-errno-value-in-nlattr.patch b/queue-6.1/libbpf-use-proper-errno-value-in-nlattr.patch new file mode 100644 index 0000000000..cc8b18a267 --- /dev/null +++ b/queue-6.1/libbpf-use-proper-errno-value-in-nlattr.patch @@ -0,0 +1,75 @@ +From 7e1a6c7a4dc05b1794fa86ad35ace9fb2e58f999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:20:11 +0000 +Subject: libbpf: Use proper errno value in nlattr + +From: Anton Protopopov + +[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ] + +Return value of the validate_nla() function can be propagated all the +way up to users of libbpf API. In case of error this libbpf version +of validate_nla returns -1 which will be seen as -EPERM from user's +point of view. Instead, return a more reasonable -EINVAL. + +Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP") +Suggested-by: Andrii Nakryiko +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 975e265eab3bf..06663f9ea581f 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype, + minlen = nla_attr_minlen[pt->type]; + + if (libbpf_nla_len(nla) < minlen) +- return -1; ++ return -EINVAL; + + if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen) +- return -1; ++ return -EINVAL; + + if (pt->type == LIBBPF_NLA_STRING) { + char *data = libbpf_nla_data(nla); + + if (data[libbpf_nla_len(nla) - 1] != '\0') +- return -1; ++ return -EINVAL; + } + + return 0; +@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head, + if (policy) { + err = validate_nla(nla, maxtype, policy); + if (err < 0) +- goto errout; ++ return err; + } + +- if (tb[type]) ++ if (tb[type]) { + pr_warn("Attribute of type %#x found multiple times in message, " + "previous attribute is being ignored.\n", type); ++ } + + tb[type] = nla; + } + +- err = 0; +-errout: +- return err; ++ return 0; + } + + /** +-- +2.39.5 + diff --git a/queue-6.1/m68k-mac-fix-macintosh_config-for-mac-ii.patch b/queue-6.1/m68k-mac-fix-macintosh_config-for-mac-ii.patch new file mode 100644 index 0000000000..015a6ac2e9 --- /dev/null +++ b/queue-6.1/m68k-mac-fix-macintosh_config-for-mac-ii.patch @@ -0,0 +1,46 @@ +From c6cf4613a96bda43b678619a3cbc2353680c5ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 10:07:26 +1000 +Subject: m68k: mac: Fix macintosh_config for Mac II + +From: Finn Thain + +[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ] + +When booted on my Mac II, the kernel prints this: + + Detected Macintosh model: 6 + Apple Macintosh Unknown + +The catch-all entry ("Unknown") is mac_data_table[0] which is only needed +in the unlikely event that the bootinfo model ID can't be matched. +When model ID is 6, the search should begin and end at mac_data_table[1]. +Fix the off-by-one error that causes this problem. + +Cc: Joshua Thompson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index 382f656c29eae..9f5603e01a688 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -801,7 +801,7 @@ static void __init mac_identify(void) + } + + macintosh_config = mac_data_table; +- for (m = macintosh_config; m->ident != -1; m++) { ++ for (m = &mac_data_table[1]; m->ident != -1; m++) { + if (m->ident == model) { + macintosh_config = m; + break; +-- +2.39.5 + diff --git a/queue-6.1/media-rkvdec-fix-frame-size-enumeration.patch b/queue-6.1/media-rkvdec-fix-frame-size-enumeration.patch new file mode 100644 index 0000000000..660a81eabb --- /dev/null +++ b/queue-6.1/media-rkvdec-fix-frame-size-enumeration.patch @@ -0,0 +1,56 @@ +From dba8e0698db0b777377765be1d3104096e5fdb37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 10:40:33 +0100 +Subject: media: rkvdec: Fix frame size enumeration + +From: Jonas Karlman + +[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ] + +The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e. +width and height in pixels) that the device supports for the given pixel +format. + +It doesn't make a lot of sense to return the frame-sizes in a stepwise +manner, which is used to enforce hardware alignments requirements for +CAPTURE buffers, for coded formats. + +Instead, applications should receive an indication, about the maximum +supported frame size for that hardware decoder, via a continuous +frame-size enumeration. + +Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") +Suggested-by: Alex Bee +Signed-off-by: Jonas Karlman +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c +index d16cf4115d03a..b5847259f4541 100644 +--- a/drivers/staging/media/rkvdec/rkvdec.c ++++ b/drivers/staging/media/rkvdec/rkvdec.c +@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv, + if (!fmt) + return -EINVAL; + +- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE; +- fsize->stepwise = fmt->frmsize; ++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS; ++ fsize->stepwise.min_width = 1; ++ fsize->stepwise.max_width = fmt->frmsize.max_width; ++ fsize->stepwise.step_width = 1; ++ fsize->stepwise.min_height = 1; ++ fsize->stepwise.max_height = fmt->frmsize.max_height; ++ fsize->stepwise.step_height = 1; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch b/queue-6.1/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch new file mode 100644 index 0000000000..43196f0a05 --- /dev/null +++ b/queue-6.1/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch @@ -0,0 +1,38 @@ +From a2211a14aa833342de9800c7de2df79796aef285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 17:00:34 +0200 +Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in + exynos_lpass_remove() + +From: Christophe JAILLET + +[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ] + +exynos_lpass_disable() is called twice in the remove function. Remove +one of these calls. + +Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/exynos-lpass.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c +index 166cd21088cdd..5ee00f86e39c7 100644 +--- a/drivers/mfd/exynos-lpass.c ++++ b/drivers/mfd/exynos-lpass.c +@@ -143,7 +143,6 @@ static int exynos_lpass_remove(struct platform_device *pdev) + { + struct exynos_lpass *lpass = platform_get_drvdata(pdev); + +- exynos_lpass_disable(lpass); + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + exynos_lpass_disable(lpass); +-- +2.39.5 + diff --git a/queue-6.1/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch b/queue-6.1/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch new file mode 100644 index 0000000000..6c221c996c --- /dev/null +++ b/queue-6.1/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch @@ -0,0 +1,40 @@ +From 90b18a1ed623c641a770d18bb992b8e4c3cc7bf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 18:16:32 +0200 +Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE + +From: Alexey Gladkov + +[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ] + +The name used in the macro does not exist. + +drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id' + 132 | MODULE_DEVICE_TABLE(spi, stmpe_id); + +Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface") +Signed-off-by: Alexey Gladkov +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/stmpe-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c +index ad8055a0e2869..6791a53689777 100644 +--- a/drivers/mfd/stmpe-spi.c ++++ b/drivers/mfd/stmpe-spi.c +@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = { + { "stmpe2403", STMPE2403 }, + { } + }; +-MODULE_DEVICE_TABLE(spi, stmpe_id); ++MODULE_DEVICE_TABLE(spi, stmpe_spi_id); + + static struct spi_driver stmpe_spi_driver = { + .driver = { +-- +2.39.5 + diff --git a/queue-6.1/mips-loongson64-add-missing-interrupt-cells-for-loon.patch b/queue-6.1/mips-loongson64-add-missing-interrupt-cells-for-loon.patch new file mode 100644 index 0000000000..8a4882ce03 --- /dev/null +++ b/queue-6.1/mips-loongson64-add-missing-interrupt-cells-for-loon.patch @@ -0,0 +1,43 @@ +From bde34f05a3339dfc234ae23ce40ec0f9412aa66b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:45:48 +0800 +Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ] + +Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a"). + +Fix follow warnings: + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' + +Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH") +Tested-by: WangYuli +Signed-off-by: WangYuli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +index c7ea4f1c0bb21..6c277ab83d4b9 100644 +--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts ++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +@@ -29,6 +29,7 @@ + compatible = "loongson,pch-msi-1.0"; + reg = <0 0x2ff00000 0 0x8>; + interrupt-controller; ++ #interrupt-cells = <1>; + msi-controller; + loongson,msi-base-vec = <64>; + loongson,msi-num-vecs = <64>; +-- +2.39.5 + diff --git a/queue-6.1/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch b/queue-6.1/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch new file mode 100644 index 0000000000..b9a972a8fc --- /dev/null +++ b/queue-6.1/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch @@ -0,0 +1,47 @@ +From 4cb81dc276b39745fd3865955d141870b6faade2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 00:39:06 +0300 +Subject: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret + +From: Mikhail Arkhipov + +[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ] + +If ctx->steps is zero, the loop processing ECC steps is skipped, +and the variable ret remains uninitialized. It is later checked +and returned, which leads to undefined behavior and may cause +unpredictable results in user space or kernel crashes. + +This scenario can be triggered in edge cases such as misconfigured +geometry, ECC engine misuse, or if ctx->steps is not validated +after initialization. + +Initialize ret to zero before the loop to ensure correct and safe +behavior regardless of the ctx->steps value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support") +Signed-off-by: Mikhail Arkhipov +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/ecc-mxic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c +index 6b487ffe2f2dc..e8bbe009c04e8 100644 +--- a/drivers/mtd/nand/ecc-mxic.c ++++ b/drivers/mtd/nand/ecc-mxic.c +@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand, + { + struct mxic_ecc_engine *mxic = nand_to_mxic(nand); + struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand); +- int nents, step, ret; ++ int nents, step, ret = 0; + + if (req->mode == MTD_OPS_RAW) + return 0; +-- +2.39.5 + diff --git a/queue-6.1/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch b/queue-6.1/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch new file mode 100644 index 0000000000..80725d6465 --- /dev/null +++ b/queue-6.1/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch @@ -0,0 +1,41 @@ +From c3877156c696623b1cb7fec4aedec25ee6f09c20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 14:44:06 +0200 +Subject: net: dsa: tag_brcm: legacy: fix pskb_may_pull length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ] + +BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length. +The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index a65d62fb90094..04b57534fe4de 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -253,7 +253,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + int source_port; + u8 *brcm_tag; + +- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID))) ++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); +-- +2.39.5 + diff --git a/queue-6.1/net-fix-checksum-update-for-ila-adj-transport.patch b/queue-6.1/net-fix-checksum-update-for-ila-adj-transport.patch new file mode 100644 index 0000000000..95270413e0 --- /dev/null +++ b/queue-6.1/net-fix-checksum-update-for-ila-adj-transport.patch @@ -0,0 +1,167 @@ +From 67586a97ed89a18cf0032c2ea9fa094760422662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 12:28:05 +0200 +Subject: net: Fix checksum update for ILA adj-transport + +From: Paul Chaignon + +[ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ] + +During ILA address translations, the L4 checksums can be handled in +different ways. One of them, adj-transport, consist in parsing the +transport layer and updating any found checksum. This logic relies on +inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when +in state CHECKSUM_COMPLETE. + +This bug can be reproduced with a simple ILA to SIR mapping, assuming +packets are received with CHECKSUM_COMPLETE: + + $ ip a show dev eth0 + 14: eth0@if15: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet6 3333:0:0:1::c078/64 scope global + valid_lft forever preferred_lft forever + inet6 fd00:10:244:1::c078/128 scope global nodad + valid_lft forever preferred_lft forever + inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll + valid_lft forever preferred_lft forever + $ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \ + csum-mode adj-transport ident-type luid dev eth0 + +Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on +[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with +SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed +skb->csum. The translation and drop are visible on pwru [1] traces: + + IFACE TUPLE FUNC + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM) + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem + +This is happening because inet_proto_csum_replace_by_diff is updating +skb->csum when it shouldn't. The L4 checksum is updated such that it +"cancels" the IPv6 address change in terms of checksum computation, so +the impact on skb->csum is null. + +Note this would be different for an IPv4 packet since three fields +would be updated: the IPv4 address, the IP checksum, and the L4 +checksum. Two would cancel each other and skb->csum would still need +to be updated to take the L4 checksum change into account. + +This patch fixes it by passing an ipv6 flag to +inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're +in the IPv6 case. Note the behavior of the only other user of +inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in +this patch and fixed in the subsequent patch. + +With the fix, using the reproduction from above, I can confirm +skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP +SYN proceeds to the application after the ILA translation. + +Link: https://github.com/cilium/pwru [1] +Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module") +Signed-off-by: Paul Chaignon +Acked-by: Daniel Borkmann +Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/checksum.h | 2 +- + net/core/filter.c | 2 +- + net/core/utils.c | 4 ++-- + net/ipv6/ila/ila_common.c | 6 +++--- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/include/net/checksum.h b/include/net/checksum.h +index 6bc783b7a06c2..a3d1bde322c98 100644 +--- a/include/net/checksum.h ++++ b/include/net/checksum.h +@@ -156,7 +156,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb, + const __be32 *from, const __be32 *to, + bool pseudohdr); + void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb, +- __wsum diff, bool pseudohdr); ++ __wsum diff, bool pseudohdr, bool ipv6); + + static __always_inline + void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb, +diff --git a/net/core/filter.c b/net/core/filter.c +index 497b41ac399da..e58cd1dfa6b19 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1977,7 +1977,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset, + if (unlikely(from != 0)) + return -EINVAL; + +- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo); ++ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false); + break; + case 2: + inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo); +diff --git a/net/core/utils.c b/net/core/utils.c +index 938495bc1d348..1eeb9131e2cf7 100644 +--- a/net/core/utils.c ++++ b/net/core/utils.c +@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb, + EXPORT_SYMBOL(inet_proto_csum_replace16); + + void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb, +- __wsum diff, bool pseudohdr) ++ __wsum diff, bool pseudohdr, bool ipv6) + { + if (skb->ip_summed != CHECKSUM_PARTIAL) { + csum_replace_by_diff(sum, diff); +- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr) ++ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6) + skb->csum = ~csum_sub(diff, skb->csum); + } else if (pseudohdr) { + *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum))); +diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c +index 95e9146918cc6..b8d43ed4689db 100644 +--- a/net/ipv6/ila/ila_common.c ++++ b/net/ipv6/ila/ila_common.c +@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&th->check, skb, +- diff, true); ++ diff, true, true); + } + break; + case NEXTHDR_UDP: +@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) { + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&uh->check, skb, +- diff, true); ++ diff, true, true); + if (!uh->check) + uh->check = CSUM_MANGLED_0; + } +@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb, +- diff, true); ++ diff, true, true); + } + break; + } +-- +2.39.5 + diff --git a/queue-6.1/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch b/queue-6.1/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch new file mode 100644 index 0000000000..cf0d5209b2 --- /dev/null +++ b/queue-6.1/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch @@ -0,0 +1,107 @@ +From 87254b44bfab1f3b06717110207ad6bae0284566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 09:26:08 +0800 +Subject: net: fix udp gso skb_segment after pull from frag_list + +From: Shiming Cheng + +[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ] + +Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after +pull from frag_list") detected invalid geometry in frag_list skbs and +redirects them from skb_segment_list to more robust skb_segment. But some +packets with modified geometry can also hit bugs in that code. We don't +know how many such cases exist. Addressing each one by one also requires +touching the complex skb_segment code, which risks introducing bugs for +other types of skbs. Instead, linearize all these packets that fail the +basic invariants on gso fraglist skbs. That is more robust. + +If only part of the fraglist payload is pulled into head_skb, it will +always cause exception when splitting skbs by skb_segment. For detailed +call stack information, see below. + +Valid SKB_GSO_FRAGLIST skbs +- consist of two or more segments +- the head_skb holds the protocol headers plus first gso_size +- one or more frag_list skbs hold exactly one segment +- all but the last must be gso_size + +Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can +modify fraglist skbs, breaking these invariants. + +In extreme cases they pull one part of data into skb linear. For UDP, +this causes three payloads with lengths of (11,11,10) bytes were +pulled tail to become (12,10,10) bytes. + +The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because +payload was pulled into head_skb, it needs to be linearized before pass +to regular skb_segment. + + skb_segment+0xcd0/0xd14 + __udp_gso_segment+0x334/0x5f4 + udp4_ufo_fragment+0x118/0x15c + inet_gso_segment+0x164/0x338 + skb_mac_gso_segment+0xc4/0x13c + __skb_gso_segment+0xc4/0x124 + validate_xmit_skb+0x9c/0x2c0 + validate_xmit_skb_list+0x4c/0x80 + sch_direct_xmit+0x70/0x404 + __dev_queue_xmit+0x64c/0xe5c + neigh_resolve_output+0x178/0x1c4 + ip_finish_output2+0x37c/0x47c + __ip_finish_output+0x194/0x240 + ip_finish_output+0x20/0xf4 + ip_output+0x100/0x1a0 + NF_HOOK+0xc4/0x16c + ip_forward+0x314/0x32c + ip_rcv+0x90/0x118 + __netif_receive_skb+0x74/0x124 + process_backlog+0xe8/0x1a4 + __napi_poll+0x5c/0x1f8 + net_rx_action+0x154/0x314 + handle_softirqs+0x154/0x4b8 + + [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! + [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP + [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 + [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 + [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) + [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 + [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 + [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770 + +Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list") +Signed-off-by: Shiming Cheng +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_offload.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c +index d415b4fb2f1f4..1a51c4b44c006 100644 +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -331,6 +331,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, + bool copy_dtor; + __sum16 check; + __be16 newlen; ++ int ret = 0; + + mss = skb_shinfo(gso_skb)->gso_size; + if (gso_skb->len <= sizeof(*uh) + mss) +@@ -353,6 +354,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, + if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + ++ ret = __skb_linearize(gso_skb); ++ if (ret) ++ return ERR_PTR(ret); ++ + /* Setup csum, as fraglist skips this in udp4_gro_receive. */ + gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head; + gso_skb->csum_offset = offsetof(struct udphdr, check); +-- +2.39.5 + diff --git a/queue-6.1/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch b/queue-6.1/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch new file mode 100644 index 0000000000..3d1da88857 --- /dev/null +++ b/queue-6.1/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch @@ -0,0 +1,47 @@ +From cb8f197a349ef98574c65e75af39ad6daa7d640a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 11:00:47 +0530 +Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy + +From: Thangaraj Samynathan + +[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ] + +rename the function to lan743x_hw_reset_phy to better describe it +operation. + +Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Thangaraj Samynathan +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index fd35554191793..0f456d389e53a 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1389,7 +1389,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu) + } + + /* PHY */ +-static int lan743x_phy_reset(struct lan743x_adapter *adapter) ++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter) + { + u32 data; + +@@ -1423,7 +1423,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter, + + static int lan743x_phy_init(struct lan743x_adapter *adapter) + { +- return lan743x_phy_reset(adapter); ++ return lan743x_hw_reset_phy(adapter); + } + + static void lan743x_phy_link_status_change(struct net_device *netdev) +-- +2.39.5 + diff --git a/queue-6.1/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch b/queue-6.1/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch new file mode 100644 index 0000000000..6db0a3fe78 --- /dev/null +++ b/queue-6.1/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch @@ -0,0 +1,112 @@ +From 90cb02311a07f81c79417f813221f59004369d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:36:19 +0200 +Subject: net: lan966x: Make sure to insert the vlan tags also in host mode + +From: Horatiu Vultur + +[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ] + +When running these commands on DUT (and similar at the other end) +ip link set dev eth0 up +ip link add link eth0 name eth0.10 type vlan id 10 +ip addr add 10.0.0.1/24 dev eth0.10 +ip link set dev eth0.10 up +ping 10.0.0.2 + +The ping will fail. + +The reason why is failing is because, the network interfaces for lan966x +have a flag saying that the HW can insert the vlan tags into the +frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are +transmitted don't have the vlan tag inside the skb data, but they have +it inside the skb. We already get that vlan tag and put it in the IFH +but the problem is that we don't configure the HW to rewrite the frame +when the interface is in host mode. +The fix consists in actually configuring the HW to insert the vlan tag +if it is different than 0. + +Reviewed-by: Maxime Chevallier +Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/microchip/lan966x/lan966x_main.c | 1 + + .../ethernet/microchip/lan966x/lan966x_main.h | 1 + + .../microchip/lan966x/lan966x_switchdev.c | 1 + + .../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index 9ce46588aaf03..8c048ffde23d6 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -811,6 +811,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p, + lan966x_vlan_port_set_vlan_aware(port, 0); + lan966x_vlan_port_set_vid(port, HOST_PVID, false, false); + lan966x_vlan_port_apply(port); ++ lan966x_vlan_port_rew_host(port); + + return 0; + } +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index 4ec33999e4df6..ff5736d2c7a6b 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -388,6 +388,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port); + bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid); + void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port, + bool vlan_aware); ++void lan966x_vlan_port_rew_host(struct lan966x_port *port); + int lan966x_vlan_port_set_vid(struct lan966x_port *port, + u16 vid, + bool pvid, +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +index 1c88120eb291a..bcb4db76b75cd 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port, + lan966x_vlan_port_set_vlan_aware(port, false); + lan966x_vlan_port_set_vid(port, HOST_PVID, false, false); + lan966x_vlan_port_apply(port); ++ lan966x_vlan_port_rew_host(port); + } + + int lan966x_port_changeupper(struct net_device *dev, +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c +index 3c44660128dae..ffb245fb7d678 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c +@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port, + port->vlan_aware = vlan_aware; + } + ++/* When the interface is in host mode, the interface should not be vlan aware ++ * but it should insert all the tags that it gets from the network stack. ++ * The tags are not in the data of the frame but actually in the skb and the ifh ++ * is configured already to get this tag. So what we need to do is to update the ++ * rewriter to insert the vlan tag for all frames which have a vlan tag ++ * different than 0. ++ */ ++void lan966x_vlan_port_rew_host(struct lan966x_port *port) ++{ ++ struct lan966x *lan966x = port->lan966x; ++ u32 val; ++ ++ /* Tag all frames except when VID=0*/ ++ val = REW_TAG_CFG_TAG_CFG_SET(2); ++ ++ /* Update only some bits in the register */ ++ lan_rmw(val, ++ REW_TAG_CFG_TAG_CFG, ++ lan966x, REW_TAG_CFG(port->chip_port)); ++} ++ + void lan966x_vlan_port_apply(struct lan966x_port *port) + { + struct lan966x *lan966x = port->lan966x; +-- +2.39.5 + diff --git a/queue-6.1/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch b/queue-6.1/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch new file mode 100644 index 0000000000..13029bb930 --- /dev/null +++ b/queue-6.1/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch @@ -0,0 +1,41 @@ +From 9623be6343ff2b89eb69f1b72ee7ec1602a56992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:11:09 +0300 +Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz + +From: Dan Carpenter + +[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ] + +The "freq" variable is in terms of MHz and "max_val_cycles" is in terms +of Hz. The fact that "max_val_cycles" is a u64 suggests that support +for high frequency is intended but the "freq_khz * 1000" would overflow +the u32 type if we went above 4GHz. Use unsigned long long type for the +mutliplication to prevent that. + +Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +index 024788549c256..060698b0c65cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = { + static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; +- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; ++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC; + u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1); + /* calculate max possible multiplier in order to fit in 64bit */ + u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded); +-- +2.39.5 + diff --git a/queue-6.1/net-ncsi-fix-gcps-64-bit-member-variables.patch b/queue-6.1/net-ncsi-fix-gcps-64-bit-member-variables.patch new file mode 100644 index 0000000000..c4bf75e4c4 --- /dev/null +++ b/queue-6.1/net-ncsi-fix-gcps-64-bit-member-variables.patch @@ -0,0 +1,161 @@ +From 096555c48de38fe978b8ac030fc4309a6eb6bfc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 18:23:08 -0700 +Subject: net: ncsi: Fix GCPS 64-bit member variables + +From: Hari Kalavakunta + +[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ] + +Correct Get Controller Packet Statistics (GCPS) 64-bit wide member +variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently +collects these stats, but they are yet to be exposed to the user. +Therefore, no user impact. + +Statistics fixes: +Total Bytes Received (byte range 28..35) +Total Bytes Transmitted (byte range 36..43) +Total Unicast Packets Received (byte range 44..51) +Total Multicast Packets Received (byte range 52..59) +Total Broadcast Packets Received (byte range 60..67) +Total Unicast Packets Transmitted (byte range 68..75) +Total Multicast Packets Transmitted (byte range 76..83) +Total Broadcast Packets Transmitted (byte range 84..91) +Valid Bytes Received (byte range 204..11) + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 21 ++++++++++----------- + net/ncsi/ncsi-pkt.h | 23 +++++++++++------------ + net/ncsi/ncsi-rsp.c | 21 ++++++++++----------- + 3 files changed, 31 insertions(+), 34 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 4e0842df5234e..2c260f33b55cc 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter { + }; + + struct ncsi_channel_stats { +- u32 hnc_cnt_hi; /* Counter cleared */ +- u32 hnc_cnt_lo; /* Counter cleared */ +- u32 hnc_rx_bytes; /* Rx bytes */ +- u32 hnc_tx_bytes; /* Tx bytes */ +- u32 hnc_rx_uc_pkts; /* Rx UC packets */ +- u32 hnc_rx_mc_pkts; /* Rx MC packets */ +- u32 hnc_rx_bc_pkts; /* Rx BC packets */ +- u32 hnc_tx_uc_pkts; /* Tx UC packets */ +- u32 hnc_tx_mc_pkts; /* Tx MC packets */ +- u32 hnc_tx_bc_pkts; /* Tx BC packets */ ++ u64 hnc_cnt; /* Counter cleared */ ++ u64 hnc_rx_bytes; /* Rx bytes */ ++ u64 hnc_tx_bytes; /* Tx bytes */ ++ u64 hnc_rx_uc_pkts; /* Rx UC packets */ ++ u64 hnc_rx_mc_pkts; /* Rx MC packets */ ++ u64 hnc_rx_bc_pkts; /* Rx BC packets */ ++ u64 hnc_tx_uc_pkts; /* Tx UC packets */ ++ u64 hnc_tx_mc_pkts; /* Tx MC packets */ ++ u64 hnc_tx_bc_pkts; /* Tx BC packets */ + u32 hnc_fcs_err; /* FCS errors */ + u32 hnc_align_err; /* Alignment errors */ + u32 hnc_false_carrier; /* False carrier detection */ +@@ -181,7 +180,7 @@ struct ncsi_channel_stats { + u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */ + u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */ + u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- u32 hnc_rx_valid_bytes; /* Rx valid bytes */ ++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */ + u32 hnc_rx_runt_pkts; /* Rx error runt packets */ + u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */ + u32 ncsi_rx_cmds; /* Rx NCSI commands */ +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index f2f3b5c1b9412..24edb27379724 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt { + /* Get Controller Packet Statistics */ + struct ncsi_rsp_gcps_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 cnt_hi; /* Counter cleared */ +- __be32 cnt_lo; /* Counter cleared */ +- __be32 rx_bytes; /* Rx bytes */ +- __be32 tx_bytes; /* Tx bytes */ +- __be32 rx_uc_pkts; /* Rx UC packets */ +- __be32 rx_mc_pkts; /* Rx MC packets */ +- __be32 rx_bc_pkts; /* Rx BC packets */ +- __be32 tx_uc_pkts; /* Tx UC packets */ +- __be32 tx_mc_pkts; /* Tx MC packets */ +- __be32 tx_bc_pkts; /* Tx BC packets */ ++ __be64 cnt; /* Counter cleared */ ++ __be64 rx_bytes; /* Rx bytes */ ++ __be64 tx_bytes; /* Tx bytes */ ++ __be64 rx_uc_pkts; /* Rx UC packets */ ++ __be64 rx_mc_pkts; /* Rx MC packets */ ++ __be64 rx_bc_pkts; /* Rx BC packets */ ++ __be64 tx_uc_pkts; /* Tx UC packets */ ++ __be64 tx_mc_pkts; /* Tx MC packets */ ++ __be64 tx_bc_pkts; /* Tx BC packets */ + __be32 fcs_err; /* FCS errors */ + __be32 align_err; /* Alignment errors */ + __be32 false_carrier; /* False carrier detection */ +@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt { + __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */ + __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */ + __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- __be32 rx_valid_bytes; /* Rx valid bytes */ ++ __be64 rx_valid_bytes; /* Rx valid bytes */ + __be32 rx_runt_pkts; /* Rx error runt packets */ + __be32 rx_jabber_pkts; /* Rx error jabber packets */ + __be32 checksum; /* Checksum */ +-}; ++} __packed __aligned(4); + + /* Get NCSI Statistics */ + struct ncsi_rsp_gns_pkt { +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 4a8ce2949faea..8668888c5a2f9 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + + /* Update HNC's statistics */ + ncs = &nc->stats; +- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi); +- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo); +- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes); +- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes); +- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts); +- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts); +- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts); +- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts); +- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts); +- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts); ++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt); ++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes); ++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes); ++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts); ++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts); ++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts); ++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts); ++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts); ++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts); + ncs->hnc_fcs_err = ntohl(rsp->fcs_err); + ncs->hnc_align_err = ntohl(rsp->align_err); + ncs->hnc_false_carrier = ntohl(rsp->false_carrier); +@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames); + ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames); + ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames); +- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes); ++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes); + ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts); + ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts); + +-- +2.39.5 + diff --git a/queue-6.1/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch b/queue-6.1/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch new file mode 100644 index 0000000000..58c032a39b --- /dev/null +++ b/queue-6.1/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch @@ -0,0 +1,75 @@ +From a45568cafdd14618a36fb359fe2c7de4660d3587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 03:41:43 +0000 +Subject: net: openvswitch: Fix the dead loop of MPLS parse + +From: Faicker Mo + +[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ] + +The unexpected MPLS packet may not end with the bottom label stack. +When there are many stacks, The label count value has wrapped around. +A dead loop occurs, soft lockup/CPU stuck finally. + +stack backtrace: +UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 +index -1 is out of range for type '__be32 [3]' +CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu +Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 +Call Trace: + + show_stack+0x52/0x5c + dump_stack_lvl+0x4a/0x63 + dump_stack+0x10/0x16 + ubsan_epilogue+0x9/0x36 + __ubsan_handle_out_of_bounds.cold+0x44/0x49 + key_extract_l3l4+0x82a/0x840 [openvswitch] + ? kfree_skbmem+0x52/0xa0 + key_extract+0x9c/0x2b0 [openvswitch] + ovs_flow_key_extract+0x124/0x350 [openvswitch] + ovs_vport_receive+0x61/0xd0 [openvswitch] + ? kernel_init_free_pages.part.0+0x4a/0x70 + ? get_page_from_freelist+0x353/0x540 + netdev_port_receive+0xc4/0x180 [openvswitch] + ? netdev_port_receive+0x180/0x180 [openvswitch] + netdev_frame_hook+0x1f/0x40 [openvswitch] + __netif_receive_skb_core.constprop.0+0x23a/0xf00 + __netif_receive_skb_list_core+0xfa/0x240 + netif_receive_skb_list_internal+0x18e/0x2a0 + napi_complete_done+0x7a/0x1c0 + bnxt_poll+0x155/0x1c0 [bnxt_en] + __napi_poll+0x30/0x180 + net_rx_action+0x126/0x280 + ? bnxt_msix+0x67/0x80 [bnxt_en] + handle_softirqs+0xda/0x2d0 + irq_exit_rcu+0x96/0xc0 + common_interrupt+0x8e/0xa0 + + +Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction") +Signed-off-by: Faicker Mo +Acked-by: Ilya Maximets +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index 78960a8a38925..60ebc42a20e7e 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -785,7 +785,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key) + memset(&key->ipv4, 0, sizeof(key->ipv4)); + } + } else if (eth_p_mpls(key->eth.type)) { +- u8 label_count = 1; ++ size_t label_count = 1; + + memset(&key->mpls, 0, sizeof(key->mpls)); + skb_set_inner_network_header(skb, skb->mac_len); +-- +2.39.5 + diff --git a/queue-6.1/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch b/queue-6.1/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch new file mode 100644 index 0000000000..1651de005d --- /dev/null +++ b/queue-6.1/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch @@ -0,0 +1,62 @@ +From 1f885134454d6a5462eee080d23642c0335f0574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 13:57:22 +0200 +Subject: net: phy: mscc: Fix memory leak when using one step timestamping + +From: Horatiu Vultur + +[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ] + +Fix memory leak when running one-step timestamping. When running +one-step sync timestamping, the HW is configured to insert the TX time +into the frame, so there is no reason to keep the skb anymore. As in +this case the HW will never generate an interrupt to say that the frame +was timestamped, then the frame will never released. +Fix this by freeing the frame in case of one-step timestamping. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index cf728bfd83e22..af44b01f3d383 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -1165,18 +1165,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + container_of(mii_ts, struct vsc8531_private, mii_ts); + + if (!vsc8531->ptp->configured) +- return; ++ goto out; + +- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) { +- kfree_skb(skb); +- return; +- } ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) ++ goto out; ++ ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC) ++ if (ptp_msg_is_sync(skb, type)) ++ goto out; + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + + mutex_lock(&vsc8531->ts_lock); + __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + mutex_unlock(&vsc8531->ts_lock); ++ return; ++ ++out: ++ kfree_skb(skb); + } + + static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts, +-- +2.39.5 + diff --git a/queue-6.1/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch b/queue-6.1/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch new file mode 100644 index 0000000000..24234bd8d9 --- /dev/null +++ b/queue-6.1/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch @@ -0,0 +1,47 @@ +From 0a996ea25114008869b6e4b67881631a2cb94843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 10:27:16 +0200 +Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames + +From: Horatiu Vultur + +[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ] + +We have noticed that when PHY timestamping is enabled, L2 frames seems +to be modified by changing two 2 bytes with a value of 0. The place were +these 2 bytes seems to be random(or I couldn't find a pattern). In most +of the cases the userspace can ignore these frames but if for example +those 2 bytes are in the correction field there is nothing to do. This +seems to happen when configuring the HW for IPv4 even that the flow is +not enabled. +These 2 bytes correspond to the UDPv4 checksum and once we don't enable +clearing the checksum when using L2 frames then the frame doesn't seem +to be changed anymore. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index af44b01f3d383..7e7ce79eadffb 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk, + /* UDP checksum offset in IPv4 packet + * according to: https://tools.ietf.org/html/rfc768 + */ +- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR; ++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26); ++ if (enable) ++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR; + vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM, + val); + +-- +2.39.5 + diff --git a/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch b/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch new file mode 100644 index 0000000000..b5aca8e280 --- /dev/null +++ b/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch @@ -0,0 +1,88 @@ +From 3b4346047e1f2f7e3d7a5f16cd548bbfc303f9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:07:23 +0200 +Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring + timestamping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexis Lothoré + +[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ] + +The stmmac platform drivers that do not open-code the clk_ptp_rate value +after having retrieved the default one from the device-tree can end up +with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will +eventually propagate up to PTP initialization when bringing up the +interface, leading to a divide by 0: + + Division by zero in kernel. + CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 + Hardware name: STM32 (Device Tree Support) + Call trace: + unwind_backtrace from show_stack+0x18/0x1c + show_stack from dump_stack_lvl+0x6c/0x8c + dump_stack_lvl from Ldiv0_64+0x8/0x18 + Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 + stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c + stmmac_hw_setup from __stmmac_open+0x18c/0x434 + __stmmac_open from stmmac_open+0x3c/0xbc + stmmac_open from __dev_open+0xf4/0x1ac + __dev_open from __dev_change_flags+0x1cc/0x224 + __dev_change_flags from dev_change_flags+0x24/0x60 + dev_change_flags from ip_auto_config+0x2e8/0x11a0 + ip_auto_config from do_one_initcall+0x84/0x33c + do_one_initcall from kernel_init_freeable+0x1b8/0x214 + kernel_init_freeable from kernel_init+0x24/0x140 + kernel_init from ret_from_fork+0x14/0x28 + Exception stack(0xe0815fb0 to 0xe0815ff8) + +Prevent this division by 0 by adding an explicit check and error log +about the actual issue. While at it, remove the same check from +stmmac_ptp_register, which then becomes duplicate + +Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") +Signed-off-by: Alexis Lothoré +Reviewed-by: Yanteng Si +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 14e5b94b0b5ab..948e35c405a84 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -841,6 +841,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) + if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) + return -EOPNOTSUPP; + ++ if (!priv->plat->clk_ptp_rate) { ++ netdev_err(priv->dev, "Invalid PTP clock rate"); ++ return -EINVAL; ++ } ++ + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); + priv->systime_flags = systime_flags; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +index 9c91a3dc8e385..cc223fe086484 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -301,7 +301,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv) + + /* Calculate the clock domain crossing (CDC) error if necessary */ + priv->plat->cdc_error_adj = 0; +- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) ++ if (priv->plat->has_gmac4) + priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate; + + stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num; +-- +2.39.5 + diff --git a/queue-6.1/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch b/queue-6.1/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch new file mode 100644 index 0000000000..7c94a83a12 --- /dev/null +++ b/queue-6.1/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch @@ -0,0 +1,68 @@ +From bd60175b341ba01fabd25e4455ed21ea4f0175c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 13:56:23 +0200 +Subject: net: stmmac: platform: guarantee uniqueness of bus_id + +From: Quentin Schulz + +[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ] + +bus_id is currently derived from the ethernetX alias. If one is missing +for the device, 0 is used. If ethernet0 points to another stmmac device +or if there are 2+ stmmac devices without an ethernet alias, then bus_id +will be 0 for all of those. + +This is an issue because the bus_id is used to generate the mdio bus id +(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +stmmac_mdio_register) and this needs to be unique. + +This allows to avoid needing to define ethernet aliases for devices with +multiple stmmac controllers (such as the Rockchip RK3588) for multiple +stmmac devices to probe properly. + +Obviously, the bus_id isn't guaranteed to be stable across reboots if no +alias is set for the device but that is easily fixed by simply adding an +alias if this is desired. + +Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710") +Signed-off-by: Quentin Schulz +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index c368ef3cd9cb4..e81f54a4ac9b1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -417,6 +417,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat; + struct stmmac_dma_cfg *dma_cfg; ++ static int bus_id = -ENODEV; + int phy_mode; + void *ret; + int rc; +@@ -453,8 +454,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + of_property_read_u32(np, "max-speed", &plat->max_speed); + + plat->bus_id = of_alias_get_id(np, "ethernet"); +- if (plat->bus_id < 0) +- plat->bus_id = 0; ++ if (plat->bus_id < 0) { ++ if (bus_id < 0) ++ bus_id = of_alias_get_highest_id("ethernet"); ++ /* No ethernet alias found, init at -1 so first bus_id is 0 */ ++ if (bus_id < 0) ++ bus_id = -1; ++ plat->bus_id = ++bus_id; ++ } + + /* Default to phy auto-detection */ + plat->phy_addr = -1; +-- +2.39.5 + diff --git a/queue-6.1/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch b/queue-6.1/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch new file mode 100644 index 0000000000..bdd5b37e61 --- /dev/null +++ b/queue-6.1/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch @@ -0,0 +1,57 @@ +From 144d058b6895fc438d441dfead275da6d76e44ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 16:35:44 +0000 +Subject: net: tipc: fix refcount warning in tipc_aead_encrypt + +From: Charalampos Mitrodimas + +[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ] + +syzbot reported a refcount warning [1] caused by calling get_net() on +a network namespace that is being destroyed (refcount=0). This happens +when a TIPC discovery timer fires during network namespace cleanup. + +The recently added get_net() call in commit e279024617134 ("net/tipc: +fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to +hold a reference to the network namespace. However, if the namespace +is already being destroyed, its refcount might be zero, leading to the +use-after-free warning. + +Replace get_net() with maybe_get_net(), which safely checks if the +refcount is non-zero before incrementing it. If the namespace is being +destroyed, return -ENODEV early, after releasing the bearer reference. + +[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 + +Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 +Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") +Signed-off-by: Charalampos Mitrodimas +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index a9c02fac039b5..17e2b09002853 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb, + } + + /* Get net to avoid freed tipc_crypto when delete namespace */ +- get_net(aead->crypto->net); ++ if (!maybe_get_net(aead->crypto->net)) { ++ tipc_bearer_put(b); ++ rc = -ENODEV; ++ goto exit; ++ } + + /* Now, do encrypt */ + rc = crypto_aead_encrypt(req); +-- +2.39.5 + diff --git a/queue-6.1/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch b/queue-6.1/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch new file mode 100644 index 0000000000..97036ee103 --- /dev/null +++ b/queue-6.1/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch @@ -0,0 +1,106 @@ +From 87afcd63895e6bd84e76fc8eaa1231eb8c0bec50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 14:32:39 +0300 +Subject: net: usb: aqc111: fix error handling of usbnet read calls + +From: Nikita Zhandarovich + +[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ] + +Syzkaller, courtesy of syzbot, identified an error (see report [1]) in +aqc111 driver, caused by incomplete sanitation of usb read calls' +results. This problem is quite similar to the one fixed in commit +920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). + +For instance, usbnet_read_cmd() may read fewer than 'size' bytes, +even if the caller expected the full amount, and aqc111_read_cmd() +will not check its result properly. As [1] shows, this may lead +to MAC address in aqc111_bind() being only partly initialized, +triggering KMSAN warnings. + +Fix the issue by verifying that the number of bytes read is +as expected and not less. + +[1] Partial syzbot report: +BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] +BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + is_valid_ether_addr include/linux/etherdevice.h:208 [inline] + usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] + really_probe+0x4d1/0xd90 drivers/base/dd.c:658 + __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 +... + +Uninit was stored to memory at: + dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 + __dev_addr_set include/linux/netdevice.h:4874 [inline] + eth_hw_addr_set include/linux/etherdevice.h:325 [inline] + aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 +... + +Uninit was stored to memory at: + ether_addr_copy include/linux/etherdevice.h:305 [inline] + aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] + aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] +... + +Local variable buf.i created at: + aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] + aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + +Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b +Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address") +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 284375f662f1e..04d5573123bec 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.1/netfilter-bridge-move-specific-fragmented-packet-to-.patch b/queue-6.1/netfilter-bridge-move-specific-fragmented-packet-to-.patch new file mode 100644 index 0000000000..f4f13bd29d --- /dev/null +++ b/queue-6.1/netfilter-bridge-move-specific-fragmented-packet-to-.patch @@ -0,0 +1,96 @@ +From 30ec1477e36b3b66b3f9ddd9573c946ebff4221b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 17:29:53 +0800 +Subject: netfilter: bridge: Move specific fragmented packet to slow_path + instead of dropping it + +From: Huajian Yang + +[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ] + +The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for +fragmented packets. + +The original bridge does not know that it is a fragmented packet and +forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function +nf_br_ip_fragment and br_ip6_fragment will check the headroom. + +In original br_forward, insufficient headroom of skb may indeed exist, +but there's still a way to save the skb in the device driver after +dev_queue_xmit.So droping the skb will change the original bridge +forwarding in some cases. + +Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") +Signed-off-by: Huajian Yang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------ + net/ipv6/netfilter.c | 12 ++++++------ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index e60c38670f220..e7df2911d2be7 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk, + struct ip_fraglist_iter iter; + struct sk_buff *frag; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < ll_rs) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < ll_rs) + goto slow_path; + + skb_walk_frags(skb, frag) { +- if (frag->len > mtu || +- skb_headroom(frag) < hlen + ll_rs) ++ if (frag->len > mtu) + goto blackhole; + +- if (skb_shared(frag)) ++ if (skb_shared(frag) || ++ skb_headroom(frag) < hlen + ll_rs) + goto slow_path; + } + +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index 857713d7a38a5..d873658fc821f 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + struct ip6_fraglist_iter iter; + struct sk_buff *frag2; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) + goto slow_path; + + skb_walk_frags(skb, frag2) { +- if (frag2->len > mtu || +- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) ++ if (frag2->len > mtu) + goto blackhole; + + /* Partially cloned skb? */ +- if (skb_shared(frag2)) ++ if (skb_shared(frag2) || ++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) + goto slow_path; + } + +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch b/queue-6.1/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch new file mode 100644 index 0000000000..cd8f6a4846 --- /dev/null +++ b/queue-6.1/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch @@ -0,0 +1,68 @@ +From 5a3fe89278140952d35f068dd2148877a336ba78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 14:20:44 +0200 +Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill + +From: Florian Westphal + +[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ] + +If the first field doesn't cover the entire start map, then we must zero +out the remainder, else we leak those bits into the next match round map. + +The early fix was incomplete and did only fix up the generic C +implementation. + +A followup patch adds a test case to nft_concat_range.sh. + +Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill") +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index c15db28c5ebc4..be7c16c79f711 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features, + return true; + } + ++/** ++ * pipapo_resmap_init_avx2() - Initialise result map before first use ++ * @m: Matching data, including mapping table ++ * @res_map: Result map ++ * ++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field. ++ */ ++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map) ++{ ++ const struct nft_pipapo_field *f = m->f; ++ int i; ++ ++ /* Starting map doesn't need to be set to all-ones for this implementation, ++ * but we do need to zero the remaining bits, if any. ++ */ ++ for (i = f->bsize; i < m->bsize_max; i++) ++ res_map[i] = 0ul; ++} ++ + /** + * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation + * @net: Network namespace +@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + res = scratch->map + (map_index ? m->bsize_max : 0); + fill = scratch->map + (map_index ? 0 : m->bsize_max); + +- /* Starting map doesn't need to be set for this implementation */ ++ pipapo_resmap_init_avx2(m, res); + + nft_pipapo_avx2_prepare(); + +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch b/queue-6.1/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch new file mode 100644 index 0000000000..4a30088f86 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch @@ -0,0 +1,80 @@ +From 92c641d2b8f03eea29f947e60e37d68f8ca0ee9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:47 +0200 +Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result + discrepancy + +From: Florian Westphal + +[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ] + +With a VRF, ipv4 and ipv6 FIB expression behave differently. + + fib daddr . iif oif + +Will return the input interface name for ipv4, but the real device +for ipv6. Example: + +If VRF device name is tvrf and real (incoming) device is veth0. +First round is ok, both ipv4 and ipv6 will yield 'veth0'. + +But in the second round (incoming device will be set to "tvrf"), ipv4 +will yield "tvrf" whereas ipv6 returns "veth0" for the second round too. + +This makes ipv6 behave like ipv4. + +A followup patch will add a test case for this, without this change +it will fail with: + get element inet t fibif6iif { tvrf . dead:1::99 . tvrf } + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif + +Alternatively we could either not do anything at all or change +ipv4 to also return the lower/real device, however, nft (userspace) +doc says "iif: if fib lookup provides a route then check its output +interface is identical to the packets input interface." which is what +the nft fib ipv4 behaviour is. + +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index c9f1634b3838a..a89ce0fbfe4b1 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + { + const struct nft_fib *priv = nft_expr_priv(expr); + int noff = skb_network_offset(pkt->skb); ++ const struct net_device *found = NULL; + const struct net_device *oif = NULL; + u32 *dest = ®s->data[priv->dreg]; + struct ipv6hdr *iph, _iph; +@@ -202,11 +203,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev && +- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) +- goto put_rt_err; ++ if (!oif) { ++ found = rt->rt6i_idev->dev; ++ } else { ++ if (oif == rt->rt6i_idev->dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex) ++ found = oif; ++ } + +- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); ++ nft_fib_store_result(dest, priv, found); + put_rt_err: + ip6_rt_put(rt); + } +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nft_quota-match-correctly-when-the-quota-j.patch b/queue-6.1/netfilter-nft_quota-match-correctly-when-the-quota-j.patch new file mode 100644 index 0000000000..f786093764 --- /dev/null +++ b/queue-6.1/netfilter-nft_quota-match-correctly-when-the-quota-j.patch @@ -0,0 +1,78 @@ +From 8a419237c16aab7057a215b7c3e3a3f94c3621d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:49:30 +0000 +Subject: netfilter: nft_quota: match correctly when the quota just depleted + +From: Zhongqiu Duan + +[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ] + +The xt_quota compares skb length with remaining quota, but the nft_quota +compares it with consumed bytes. + +The xt_quota can match consumed bytes up to quota at maximum. But the +nft_quota break match when consumed bytes equal to quota. + +i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota]. + +Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota") +Signed-off-by: Zhongqiu Duan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_quota.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c +index ef8e7cdbd0e6a..60e6d0c5f04ec 100644 +--- a/net/netfilter/nft_quota.c ++++ b/net/netfilter/nft_quota.c +@@ -19,10 +19,16 @@ struct nft_quota { + }; + + static inline bool nft_overquota(struct nft_quota *priv, +- const struct sk_buff *skb) ++ const struct sk_buff *skb, ++ bool *report) + { +- return atomic64_add_return(skb->len, priv->consumed) >= +- atomic64_read(&priv->quota); ++ u64 consumed = atomic64_add_return(skb->len, priv->consumed); ++ u64 quota = atomic64_read(&priv->quota); ++ ++ if (report) ++ *report = consumed >= quota; ++ ++ return consumed > quota; + } + + static inline bool nft_quota_invert(struct nft_quota *priv) +@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) + { +- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv)) ++ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv)) + regs->verdict.code = NFT_BREAK; + } + +@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj, + const struct nft_pktinfo *pkt) + { + struct nft_quota *priv = nft_obj_data(obj); +- bool overquota; ++ bool overquota, report; + +- overquota = nft_overquota(priv, pkt->skb); ++ overquota = nft_overquota(priv, pkt->skb, &report); + if (overquota ^ nft_quota_invert(priv)) + regs->verdict.code = NFT_BREAK; + +- if (overquota && ++ if (report && + !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags)) + nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0, + NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC); +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nft_tunnel-fix-geneve_opt-dump.patch b/queue-6.1/netfilter-nft_tunnel-fix-geneve_opt-dump.patch new file mode 100644 index 0000000000..b26526544c --- /dev/null +++ b/queue-6.1/netfilter-nft_tunnel-fix-geneve_opt-dump.patch @@ -0,0 +1,71 @@ +From a887de237e05f947d65dece2e1b09cb4f87e106a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:41:08 +0200 +Subject: netfilter: nft_tunnel: fix geneve_opt dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ] + +When dumping a nft_tunnel with more than one geneve_opt configured the +netlink attribute hierarchy should be as follow: + + NFTA_TUNNEL_KEY_OPTS + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + ... + +Otherwise, userspace tools won't be able to fetch the geneve options +configured correctly. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index d026982a00fc4..be741db50ffae 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -617,10 +617,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + struct geneve_opt *opt; + int offset = 0; + +- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); +- if (!inner) +- goto failure; + while (opts->len > offset) { ++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); ++ if (!inner) ++ goto failure; + opt = (struct geneve_opt *)(opts->u.data + offset); + if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, + opt->opt_class) || +@@ -630,8 +630,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + opt->length * 4, opt->opt_data)) + goto inner_failure; + offset += sizeof(*opt) + opt->length * 4; ++ nla_nest_end(skb, inner); + } +- nla_nest_end(skb, inner); + } + nla_nest_end(skb, nest); + return 0; +-- +2.39.5 + diff --git a/queue-6.1/nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.1/nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..c944c8407d --- /dev/null +++ b/queue-6.1/nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,68 @@ +From b1bd8b0ad821d0987d27e8f1470f4e408e6eabc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:32 +0800 +Subject: nfs: clear SB_RDONLY before getting superblock + +From: Li Lingfeng + +[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ] + +As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when +mounting nfs") removed the check for the ro flag when determining whether +to share the superblock, which caused issues when mounting different +subdirectories under the same export directory via NFSv3. However, this +change did not affect NFSv4. + +For NFSv3: +1) A single superblock is created for the initial mount. +2) When mounted read-only, this superblock carries the SB_RDONLY flag. +3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"): +Subsequent rw mounts would not share the existing ro superblock due to +flag mismatch, creating a new superblock without SB_RDONLY. +After the commit: + The SB_RDONLY flag is ignored during superblock comparison, and this leads + to sharing the existing superblock even for rw mounts. + Ultimately results in write operations being rejected at the VFS layer. + +For NFSv4: +1) Multiple superblocks are created and the last one will be kept. +2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag. +Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts. + +Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not +set to fix it. + +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 3dffeb1d17b9c..a4679cd75f70a 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1273,8 +1273,17 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + ++ /* ++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a ++ * superblock among each filesystem that mounts sub-directories ++ * belonging to a single exported root path. ++ * To prevent interference between different filesystems, the ++ * SB_RDONLY flag should be removed from the superblock. ++ */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; ++ else ++ fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.39.5 + diff --git a/queue-6.1/nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.1/nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..855d8ec725 --- /dev/null +++ b/queue-6.1/nfs-ignore-sb_rdonly-when-remounting-nfs.patch @@ -0,0 +1,72 @@ +From 59c25e20012be97e2e2b2a18fd76a628b78e316b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:33 +0800 +Subject: nfs: ignore SB_RDONLY when remounting nfs + +From: Li Lingfeng + +[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ] + +In some scenarios, when mounting NFS, more than one superblock may be +created. The final superblock used is the last one created, but only the +first superblock carries the ro flag passed from user space. If a ro flag +is added to the superblock via remount, it will trigger the issue +described in Link[1]. + +Link[2] attempted to address this by marking the superblock as ro during +the initial mount. However, this introduced a new problem in scenarios +where multiple mount points share the same superblock: +[root@a ~]# mount /dev/sdb /mnt/sdb +[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports +[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports +[root@a ~]# systemctl restart nfs-server +[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,... +[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,... +127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,... +[root@a ~]# + +When mounting the second NFS, the shared superblock is marked as ro, +causing the previous NFS mount to become read-only. + +To resolve both issues, the ro flag is no longer applied to the superblock +during remount. Instead, the ro flag on the mount is used to control +whether the mount point is read-only. + +Fixes: 281cad46b34d ("NFS: Create a submount rpc_op") +Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index a4679cd75f70a..2dca011da034e 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1017,6 +1017,16 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + ++ /* ++ * The SB_RDONLY flag has been removed from the superblock during ++ * mounts to prevent interference between different filesystems. ++ * Similarly, it is also necessary to ignore the SB_RDONLY flag ++ * during reconfiguration; otherwise, it may also result in the ++ * creation of redundant superblocks when mounting a directory with ++ * different rw and ro flags multiple times. ++ */ ++ fc->sb_flags_mask &= ~SB_RDONLY; ++ + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.39.5 + diff --git a/queue-6.1/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch b/queue-6.1/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch new file mode 100644 index 0000000000..289c9db683 --- /dev/null +++ b/queue-6.1/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch @@ -0,0 +1,56 @@ +From e814aec211a7d87059b669138962f6dde17c9dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:07 +0900 +Subject: nilfs2: add pointer check for nilfs_direct_propagate() + +From: Wentao Liang + +[ Upstream commit f43f02429295486059605997bc43803527d69791 ] + +Patch series "nilfs2: improve sanity checks in dirty state propagation". + +This fixes one missed check for block mapping anomalies and one improper +return of an error code during a preparation step for log writing, thereby +improving checking for filesystem corruption on writeback. + +This patch (of 2): + +In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr() +need to be checked to ensure it is not an invalid pointer. + +If the pointer value obtained by nilfs_direct_get_ptr() is +NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in +the nilfs_inode_info struct) that should point to the data block at the +buffer head of the argument is corrupted and the data block is orphaned, +meaning that the file system has lost consistency. + +Add a value check and return -EINVAL when it is an invalid pointer. + +Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com +Fixes: 36a580eb489f ("nilfs2: direct block mapping") +Signed-off-by: Wentao Liang +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/direct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c +index 893ab36824cc2..2d8dc6b35b547 100644 +--- a/fs/nilfs2/direct.c ++++ b/fs/nilfs2/direct.c +@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap, + dat = nilfs_bmap_get_dat(bmap); + key = nilfs_bmap_data_get_key(bmap, bh); + ptr = nilfs_direct_get_ptr(bmap, key); ++ if (ptr == NILFS_BMAP_INVALID_PTR) ++ return -EINVAL; ++ + if (!buffer_nilfs_volatile(bh)) { + oldreq.pr_entry_nr = ptr; + newreq.pr_entry_nr = ptr; +-- +2.39.5 + diff --git a/queue-6.1/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch b/queue-6.1/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch new file mode 100644 index 0000000000..a0715130fc --- /dev/null +++ b/queue-6.1/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch @@ -0,0 +1,55 @@ +From 048b83ff9a143781eebb0bd2a7c78c58c9e0f588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:08 +0900 +Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() + +From: Ryusuke Konishi + +[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ] + +In preparation for writing logs, in nilfs_btree_propagate(), which makes +parent and ancestor node blocks dirty starting from a modified data block +or b-tree node block, if the starting block does not belong to the b-tree, +i.e. is isolated, nilfs_btree_do_lookup() called within the function +fails with -ENOENT. + +In this case, even though -ENOENT is an internal code, it is propagated to +the log writer via nilfs_bmap_propagate() and may be erroneously returned +to system calls such as fsync(). + +Fix this issue by changing the error code to -EINVAL in this case, and +having the bmap layer detect metadata corruption and convert the error +code appropriately. + +Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com +Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl") +Signed-off-by: Ryusuke Konishi +Cc: Wentao Liang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index 3139a1863751b..29cb1236e1a9b 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -2094,11 +2094,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree, + + ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0); + if (ret < 0) { +- if (unlikely(ret == -ENOENT)) ++ if (unlikely(ret == -ENOENT)) { + nilfs_crit(btree->b_inode->i_sb, + "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d", + btree->b_inode->i_ino, + (unsigned long long)key, level); ++ ret = -EINVAL; ++ } + goto out; + } + +-- +2.39.5 + diff --git a/queue-6.1/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch b/queue-6.1/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch new file mode 100644 index 0000000000..e3467337e8 --- /dev/null +++ b/queue-6.1/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch @@ -0,0 +1,50 @@ +From 10003f872f26d8b55226a7a9f5b4d4b7aa6321ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 09:56:27 +0300 +Subject: ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery + +From: Murad Masimov + +[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ] + +If ocfs2_finish_quota_recovery() exits due to an error before passing all +rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a +memory leak as rc_list may still contain elements that have to be freed. + +Release all memory allocated by ocfs2_add_recovery_chunk() using +ocfs2_free_quota_recovery() instead of kfree(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru +Fixes: 2205363dce74 ("ocfs2: Implement quota recovery") +Signed-off-by: Murad Masimov +Reviewed-by: Jan Kara +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/quota_local.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c +index 0ca8975a1df47..c7bda48b5fb21 100644 +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb, + break; + } + out: +- kfree(rec); ++ ocfs2_free_quota_recovery(rec); + return status; + } + +-- +2.39.5 + diff --git a/queue-6.1/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch b/queue-6.1/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch new file mode 100644 index 0000000000..7f75cc2e00 --- /dev/null +++ b/queue-6.1/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch @@ -0,0 +1,52 @@ +From 7649c4c3b3327888b99a6d27ec0080c8753a2d81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 10:17:11 +0100 +Subject: PCI: apple: Use gpiod_set_value_cansleep in probe flow + +From: Hector Martin + +[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ] + +We're allowed to sleep here, so tell the GPIO core by using +gpiod_set_value_cansleep instead of gpiod_set_value. + +Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up") +Signed-off-by: Hector Martin +Signed-off-by: Alyssa Rosenzweig +Signed-off-by: Marc Zyngier +Signed-off-by: Manivannan Sadhasivam +Tested-by: Janne Grunau +Reviewed-by: Rob Herring (Arm) +Reviewed-by: Manivannan Sadhasivam +Acked-by: Alyssa Rosenzweig +Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-apple.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c +index 2340dab6cd5bd..487d01f6b4f56 100644 +--- a/drivers/pci/controller/pcie-apple.c ++++ b/drivers/pci/controller/pcie-apple.c +@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie, + rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK); + + /* Assert PERST# before setting up the clock */ +- gpiod_set_value(reset, 1); ++ gpiod_set_value_cansleep(reset, 1); + + ret = apple_pcie_setup_refclk(pcie, port); + if (ret < 0) +@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie, + + /* Deassert PERST# */ + rmw_set(PORT_PERST_OFF, port->base + PORT_PERST); +- gpiod_set_value(reset, 0); ++ gpiod_set_value_cansleep(reset, 0); + + /* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */ + msleep(100); +-- +2.39.5 + diff --git a/queue-6.1/pci-cadence-fix-runtime-atomic-count-underflow.patch b/queue-6.1/pci-cadence-fix-runtime-atomic-count-underflow.patch new file mode 100644 index 0000000000..11b87554e3 --- /dev/null +++ b/queue-6.1/pci-cadence-fix-runtime-atomic-count-underflow.patch @@ -0,0 +1,53 @@ +From 2280f7335557662cca769904089b770b20fd797c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 21:30:58 +0800 +Subject: PCI: cadence: Fix runtime atomic count underflow + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ] + +If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM +runtime count is decremented in the error path using pm_runtime_put_sync(). +But the runtime count is not incremented by this driver, but only by the +callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also +decrement the runtime PM count in their error path. So this leads to the +below warning from the PM core: + + "runtime PM usage count underflow!" + +So fix it by getting rid of pm_runtime_put_sync() in the error path and +directly return the errno. + +Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c +index 5b14f7ee3c798..0a1b11d41a38a 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-host.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c +@@ -558,14 +558,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc) + if (!bridge->ops) + bridge->ops = &cdns_pcie_host_ops; + +- ret = pci_host_probe(bridge); +- if (ret < 0) +- goto err_init; +- +- return 0; +- +- err_init: +- pm_runtime_put_sync(dev); +- +- return ret; ++ return pci_host_probe(bridge); + } +-- +2.39.5 + diff --git a/queue-6.1/pci-dpc-initialize-aer_err_info-before-using-it.patch b/queue-6.1/pci-dpc-initialize-aer_err_info-before-using-it.patch new file mode 100644 index 0000000000..5f755ad1fb --- /dev/null +++ b/queue-6.1/pci-dpc-initialize-aer_err_info-before-using-it.patch @@ -0,0 +1,46 @@ +From bf7c216639230adab93b0d2237de2a150fd239cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 18:21:07 -0500 +Subject: PCI/DPC: Initialize aer_err_info before using it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjorn Helgaas + +[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ] + +Previously the struct aer_err_info "info" was allocated on the stack +without being initialized, so it contained junk except for the fields we +explicitly set later. + +Initialize "info" at declaration so it starts as all zeros. + +Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling") +Signed-off-by: Bjorn Helgaas +Tested-by: Krzysztof Wilczyński +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Ilpo Järvinen +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/dpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c +index a5cec2a4e057d..3c3ecb9cf57af 100644 +--- a/drivers/pci/pcie/dpc.c ++++ b/drivers/pci/pcie/dpc.c +@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev, + void dpc_process_error(struct pci_dev *pdev) + { + u16 cap = pdev->dpc_cap, status, source, reason, ext_reason; +- struct aer_err_info info; ++ struct aer_err_info info = {}; + + pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status); + pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source); +-- +2.39.5 + diff --git a/queue-6.1/pci-explicitly-put-devices-into-d0-when-initializing.patch b/queue-6.1/pci-explicitly-put-devices-into-d0-when-initializing.patch new file mode 100644 index 0000000000..28ce03e38a --- /dev/null +++ b/queue-6.1/pci-explicitly-put-devices-into-d0-when-initializing.patch @@ -0,0 +1,108 @@ +From ba579d1bb72e6271cf354970db53b9f20d2f1ae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 23:31:32 -0500 +Subject: PCI: Explicitly put devices into D0 when initializing + +From: Mario Limonciello + +[ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ] + +AMD BIOS team has root caused an issue that NVMe storage failed to come +back from suspend to a lack of a call to _REG when NVMe device was probed. + +112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added +support for calling _REG when transitioning D-states, but this only works +if the device actually "transitions" D-states. + +967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices") +added support for runtime PM on PCI devices, but never actually +'explicitly' sets the device to D0. + +To make sure that devices are in D0 and that platform methods such as +_REG are called, explicitly set all devices into D0 during initialization. + +Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices") +Signed-off-by: Mario Limonciello +Signed-off-by: Bjorn Helgaas +Tested-by: Denis Benato +Tested-By: Yijun Shen +Tested-By: David Perry +Reviewed-by: Rafael J. Wysocki +Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-driver.c | 6 ------ + drivers/pci/pci.c | 13 ++++++++++--- + drivers/pci/pci.h | 1 + + 3 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index 18e973a91a979..2b04d2d6c116a 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -564,12 +564,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev) + pci_enable_wake(pci_dev, PCI_D0, false); + } + +-static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev) +-{ +- pci_power_up(pci_dev); +- pci_update_current_state(pci_dev, PCI_D0); +-} +- + static void pci_pm_default_resume_early(struct pci_dev *pci_dev) + { + pci_pm_power_up_and_verify_state(pci_dev); +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 10436a193b3b6..19c9214acfb81 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3181,6 +3181,12 @@ void pci_d3cold_disable(struct pci_dev *dev) + } + EXPORT_SYMBOL_GPL(pci_d3cold_disable); + ++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev) ++{ ++ pci_power_up(pci_dev); ++ pci_update_current_state(pci_dev, PCI_D0); ++} ++ + /** + * pci_pm_init - Initialize PM functions of given PCI device + * @dev: PCI device to handle. +@@ -3191,9 +3197,6 @@ void pci_pm_init(struct pci_dev *dev) + u16 status; + u16 pmc; + +- pm_runtime_forbid(&dev->dev); +- pm_runtime_set_active(&dev->dev); +- pm_runtime_enable(&dev->dev); + device_enable_async_suspend(&dev->dev); + dev->wakeup_prepared = false; + +@@ -3255,6 +3258,10 @@ void pci_pm_init(struct pci_dev *dev) + pci_read_config_word(dev, PCI_STATUS, &status); + if (status & PCI_STATUS_IMM_READY) + dev->imm_ready = 1; ++ pci_pm_power_up_and_verify_state(dev); ++ pm_runtime_forbid(&dev->dev); ++ pm_runtime_set_active(&dev->dev); ++ pm_runtime_enable(&dev->dev); + } + + static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop) +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 38ad75ce52c32..70b7fd7a0fc7c 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -87,6 +87,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev); + void pci_dev_complete_resume(struct pci_dev *pci_dev); + void pci_config_pm_runtime_get(struct pci_dev *dev); + void pci_config_pm_runtime_put(struct pci_dev *dev); ++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev); + void pci_pm_init(struct pci_dev *dev); + void pci_ea_init(struct pci_dev *dev); + void pci_msi_init(struct pci_dev *dev); +-- +2.39.5 + diff --git a/queue-6.1/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch b/queue-6.1/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch new file mode 100644 index 0000000000..69e79d0b87 --- /dev/null +++ b/queue-6.1/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch @@ -0,0 +1,111 @@ +From 49b378c0fdfb416eacbac1025bb5b02d5e97d424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:37:20 -0300 +Subject: perf build: Warn when libdebuginfod devel files are not available + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ] + +While working on 'perf version --build-options' I noticed that: + + $ perf version --build-options + perf version 6.15.rc1.g312a07a00d31 + aio: [ on ] # HAVE_AIO_SUPPORT + bpf: [ on ] # HAVE_LIBBPF_SUPPORT + bpf_skeletons: [ on ] # HAVE_BPF_SKEL + debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT + + +And looking at tools/perf/Makefile.config I also noticed that it is not +opt-in, meaning we will attempt to build with it in all normal cases. + +So add the usual warning at build time to let the user know that +something recommended is missing, now we see: + + Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent + +And after following the recommendation: + + $ perf check feature debuginfod + debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT + $ ldd ~/bin/perf | grep debuginfo + libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000) + $ + +With this feature on several perf tools will fetch what is needed and +not require all the contents of the debuginfo packages, for instance: + + # rpm -qa | grep kernel-debuginfo + # pahole --running_kernel_vmlinux + pahole: couldn't find a vmlinux that matches the running kernel + HINT: Maybe you're inside a container or missing a debuginfo package? + # + # perf trace -e open* perf probe --vars icmp_rcv + 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3 + 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3 + + 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3 + + Available variables at icmp_rcv + @ + struct sk_buff* skb + + # + # pahole --running_kernel_vmlinux + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped + # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # + +Then, cached: + + # perf stat --null perf probe --vars icmp_rcv + Available variables at icmp_rcv + @ + struct sk_buff* skb + + Performance counter stats for 'perf probe --vars icmp_rcv': + + 0.671389041 seconds time elapsed + + 0.519176000 seconds user + 0.150860000 seconds sys + +Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found") +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Dmitriy Vyukov +Cc: Howard Chu +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Frank Ch. Eigler +Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com +[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index fac6ba07eacdb..249f3d8415634 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -545,6 +545,8 @@ ifndef NO_LIBELF + ifeq ($(feature-libdebuginfod), 1) + CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT + EXTLIBS += -ldebuginfod ++ else ++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent) + endif + endif + +-- +2.39.5 + diff --git a/queue-6.1/perf-core-fix-broken-throttling-when-max_samples_per.patch b/queue-6.1/perf-core-fix-broken-throttling-when-max_samples_per.patch new file mode 100644 index 0000000000..7f8a671c9e --- /dev/null +++ b/queue-6.1/perf-core-fix-broken-throttling-when-max_samples_per.patch @@ -0,0 +1,64 @@ +From e198704d2b433465662705f45ac3c7c759873da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Apr 2025 22:16:35 +0800 +Subject: perf/core: Fix broken throttling when max_samples_per_tick=1 + +From: Qing Wang + +[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ] + +According to the throttling mechanism, the pmu interrupts number can not +exceed the max_samples_per_tick in one tick. But this mechanism is +ineffective when max_samples_per_tick=1, because the throttling check is +skipped during the first interrupt and only performed when the second +interrupt arrives. + +Perhaps this bug may cause little influence in one tick, but if in a +larger time scale, the problem can not be underestimated. + +When max_samples_per_tick = 1: +Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH +200 100 100 X86 +500 250 250 ARM64 +... +Obviously, the pmu interrupt number far exceed the user's expect. + +Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling") +Signed-off-by: Qing Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 552bb00bfceb0..3544f26b58060 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9359,14 +9359,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle) + hwc->interrupts = 1; + } else { + hwc->interrupts++; +- if (unlikely(throttle && +- hwc->interrupts > max_samples_per_tick)) { +- __this_cpu_inc(perf_throttled_count); +- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); +- hwc->interrupts = MAX_INTERRUPTS; +- perf_log_throttle(event, 0); +- ret = 1; +- } ++ } ++ ++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) { ++ __this_cpu_inc(perf_throttled_count); ++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); ++ hwc->interrupts = MAX_INTERRUPTS; ++ perf_log_throttle(event, 0); ++ ret = 1; + } + + if (event->attr.freq) { +-- +2.39.5 + diff --git a/queue-6.1/perf-intel-pt-fix-pebs-via-pt-data_src.patch b/queue-6.1/perf-intel-pt-fix-pebs-via-pt-data_src.patch new file mode 100644 index 0000000000..dc00b73edf --- /dev/null +++ b/queue-6.1/perf-intel-pt-fix-pebs-via-pt-data_src.patch @@ -0,0 +1,334 @@ +From 5741a39aa45a67661f2f49bccc921cf4afde4b0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:30 +0300 +Subject: perf intel-pt: Fix PEBS-via-PT data_src + +From: Adrian Hunter + +[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ] + +The Fixes commit did not add support for decoding PEBS-via-PT data_src. +Fix by adding support. + +PEBS-via-PT is a feature of some E-core processors, starting with +processors based on Tremont microarchitecture. Because the kernel only +supports Intel PT features that are on all processors, there is no support +for PEBS-via-PT on hybrids. + +Currently that leaves processors based on Tremont, Gracemont and Crestmont, +however there are no events on Tremont that produce data_src information, +and for Gracemont and Crestmont there are only: + + mem-loads event=0xd0,umask=0x5,ldlat=3 + mem-stores event=0xd0,umask=0x6 + +Affected processors include Alder Lake N (Gracemont), Sierra Forest +(Crestmont) and Grand Ridge (Crestmont). + +Example: + + # perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname + + Before: + + # perf.before script --itrace=o -Fdata_src + 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A + 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A + + After: + + # perf script --itrace=o -Fdata_src + 10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A + 10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A + +Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample") +Reviewed-by: Kan Liang +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 202 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index bd09af447eb0d..018eaddd4e6af 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -122,6 +122,7 @@ struct intel_pt { + + bool single_pebs; + bool sample_pebs; ++ int pebs_data_src_fmt; + struct evsel *pebs_evsel; + + u64 evt_sample_type; +@@ -170,6 +171,7 @@ enum switch_state { + struct intel_pt_pebs_event { + struct evsel *evsel; + u64 id; ++ int data_src_fmt; + }; + + struct intel_pt_queue { +@@ -2176,7 +2178,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack, + } + } + +-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id) ++#define P(a, b) PERF_MEM_S(a, b) ++#define OP_LH (P(OP, LOAD) | P(LVL, HIT)) ++#define LEVEL(x) P(LVLNUM, x) ++#define REM P(REMOTE, REMOTE) ++#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS)) ++ ++#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10 ++#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1) ++ ++/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */ ++static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = { ++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */ ++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */ ++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */ ++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */ ++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */ ++ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */ ++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */ ++}; ++ ++/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */ ++static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = { ++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */ ++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */ ++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */ ++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */ ++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */ ++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */ ++}; ++ ++/* Based on kernel pebs_set_tlb_lock() */ ++static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock) ++{ ++ /* ++ * TLB access ++ * 0 = did not miss 2nd level TLB ++ * 1 = missed 2nd level TLB ++ */ ++ if (tlb) ++ *val |= P(TLB, MISS) | P(TLB, L2); ++ else ++ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2); ++ ++ /* locked prefix */ ++ if (lock) ++ *val |= P(LOCK, LOCKED); ++} ++ ++/* Based on kernel __grt_latency_data() */ ++static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk, ++ const u64 *pebs_data_source) ++{ ++ u64 val; ++ ++ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK; ++ val = pebs_data_source[dse]; ++ ++ pebs_set_tlb_lock(&val, tlb, lock); ++ ++ if (blk) ++ val |= P(BLK, DATA); ++ else ++ val |= P(BLK, NA); ++ ++ return val; ++} ++ ++/* Default value for data source */ ++#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\ ++ PERF_MEM_S(LVL, NA) |\ ++ PERF_MEM_S(SNOOP, NA) |\ ++ PERF_MEM_S(LOCK, NA) |\ ++ PERF_MEM_S(TLB, NA) |\ ++ PERF_MEM_S(LVLNUM, NA)) ++ ++enum DATA_SRC_FORMAT { ++ DATA_SRC_FORMAT_ERR = -1, ++ DATA_SRC_FORMAT_NA = 0, ++ DATA_SRC_FORMAT_GRT = 1, ++ DATA_SRC_FORMAT_CMT = 2, ++}; ++ ++/* Based on kernel grt_latency_data() and cmt_latency_data */ ++static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt) ++{ ++ switch (data_src_fmt) { ++ case DATA_SRC_FORMAT_GRT: { ++ union { ++ u64 val; ++ struct { ++ unsigned int dse:4; ++ unsigned int locked:1; ++ unsigned int stlb_miss:1; ++ unsigned int fwd_blk:1; ++ unsigned int reserved:25; ++ }; ++ } x = {.val = mem_aux_info}; ++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk, ++ pebs_data_source_grt); ++ } ++ case DATA_SRC_FORMAT_CMT: { ++ union { ++ u64 val; ++ struct { ++ unsigned int dse:5; ++ unsigned int locked:1; ++ unsigned int stlb_miss:1; ++ unsigned int fwd_blk:1; ++ unsigned int reserved:24; ++ }; ++ } x = {.val = mem_aux_info}; ++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk, ++ pebs_data_source_cmt); ++ } ++ default: ++ return PERF_MEM_NA; ++ } ++} ++ ++static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, ++ u64 id, int data_src_fmt) + { + const struct intel_pt_blk_items *items = &ptq->state->items; + struct perf_sample sample = { .ip = 0, }; +@@ -2294,6 +2435,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse + } + } + ++ if (sample_type & PERF_SAMPLE_DATA_SRC) { ++ if (items->has_mem_aux_info && data_src_fmt) { ++ if (data_src_fmt < 0) { ++ pr_err("Intel PT missing data_src info\n"); ++ return -1; ++ } ++ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt); ++ } else { ++ sample.data_src = PERF_MEM_NA; ++ } ++ } ++ + if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) { + u64 ax = items->has_rax ? items->rax : 0; + /* Refer kernel's intel_hsw_transaction() */ +@@ -2312,9 +2465,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq) + { + struct intel_pt *pt = ptq->pt; + struct evsel *evsel = pt->pebs_evsel; ++ int data_src_fmt = pt->pebs_data_src_fmt; + u64 id = evsel->core.id[0]; + +- return intel_pt_do_synth_pebs_sample(ptq, evsel, id); ++ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt); + } + + static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) +@@ -2339,7 +2493,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + hw_id); + return intel_pt_synth_single_pebs_sample(ptq); + } +- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id); ++ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt); + if (err) + return err; + } +@@ -3290,6 +3444,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt, + event->itrace_start.tid); + } + ++/* ++ * Events with data_src are identified by L1_Hit_Indication ++ * refer https://github.com/intel/perfmon ++ */ ++static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel) ++{ ++ struct perf_env *env = pt->machine->env; ++ int fmt = DATA_SRC_FORMAT_NA; ++ ++ if (!env->cpuid) ++ return DATA_SRC_FORMAT_ERR; ++ ++ /* ++ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only ++ * Gracemont and Crestmont have data_src. Check for: ++ * Alderlake N (Gracemont) ++ * Sierra Forest (Crestmont) ++ * Grand Ridge (Crestmont) ++ */ ++ ++ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19)) ++ fmt = DATA_SRC_FORMAT_GRT; ++ ++ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) || ++ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19)) ++ fmt = DATA_SRC_FORMAT_CMT; ++ ++ if (fmt == DATA_SRC_FORMAT_NA) ++ return fmt; ++ ++ /* ++ * Only data_src events are: ++ * mem-loads event=0xd0,umask=0x5 ++ * mem-stores event=0xd0,umask=0x6 ++ */ ++ if (evsel->core.attr.type == PERF_TYPE_RAW && ++ ((evsel->core.attr.config & 0xffff) == 0x5d0 || ++ (evsel->core.attr.config & 0xffff) == 0x6d0)) ++ return fmt; ++ ++ return DATA_SRC_FORMAT_NA; ++} ++ + static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt, + union perf_event *event, + struct perf_sample *sample) +@@ -3310,6 +3507,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt, + + ptq->pebs[hw_id].evsel = evsel; + ptq->pebs[hw_id].id = sample->id; ++ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel); + + return 0; + } +@@ -3855,6 +4053,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt) + } + pt->single_pebs = true; + pt->sample_pebs = true; ++ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel); + pt->pebs_evsel = evsel; + } + } +-- +2.39.5 + diff --git a/queue-6.1/perf-record-fix-incorrect-user-regs-comments.patch b/queue-6.1/perf-record-fix-incorrect-user-regs-comments.patch new file mode 100644 index 0000000000..4be1352f1d --- /dev/null +++ b/queue-6.1/perf-record-fix-incorrect-user-regs-comments.patch @@ -0,0 +1,46 @@ +From 78fb0050d76ba9ccb3ae5524dfc0e585201627b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 06:08:10 +0000 +Subject: perf record: Fix incorrect --user-regs comments + +From: Dapeng Mi + +[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ] + +The comment of "--user-regs" option is not correct, fix it. + +"on interrupt," -> "in user space," + +Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments") +Reviewed-by: Ian Rogers +Signed-off-by: Dapeng Mi +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index ee3a5c4b8251e..a257a30a42efd 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -3438,7 +3438,7 @@ static struct option __record_options[] = { + "sample selected machine registers on interrupt," + " use '-I?' to list register names", parse_intr_regs), + OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register", +- "sample selected machine registers on interrupt," ++ "sample selected machine registers in user space," + " use '--user-regs=?' to list register names", parse_user_regs), + OPT_BOOLEAN(0, "running-time", &record.opts.running_time, + "Record running/enabled time of read (:S) events"), +-- +2.39.5 + diff --git a/queue-6.1/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch b/queue-6.1/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch new file mode 100644 index 0000000000..7de3b4000c --- /dev/null +++ b/queue-6.1/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch @@ -0,0 +1,53 @@ +From 1b1554bb33211f9c729f5b4ddb2a300318866026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:32 +0300 +Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching + with Python 3 + +From: Adrian Hunter + +[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ] + +The script allows the user to enter patterns to find symbols. + +The pattern matching characters are converted for use in SQL. + +For PostgreSQL the conversion involves using the Python maketrans() +method which is slightly different in Python 3 compared with Python 2. + +Fix to work in Python 3. + +Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py") +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Tony Jones +Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py +index 13f2d8a816109..99742013676b3 100755 +--- a/tools/perf/scripts/python/exported-sql-viewer.py ++++ b/tools/perf/scripts/python/exported-sql-viewer.py +@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel): + s = value.replace("%", "\%") + s = s.replace("_", "\_") + # Translate * and ? into SQL LIKE pattern characters % and _ +- trans = string.maketrans("*?", "%_") ++ if sys.version_info[0] == 3: ++ trans = str.maketrans("*?", "%_") ++ else: ++ trans = string.maketrans("*?", "%_") + match = " LIKE '" + str(s).translate(trans) + "'" + else: + match = " GLOB '" + str(value) + "'" +-- +2.39.5 + diff --git a/queue-6.1/perf-tests-switch-tracking-fix-timestamp-comparison.patch b/queue-6.1/perf-tests-switch-tracking-fix-timestamp-comparison.patch new file mode 100644 index 0000000000..79cb798cd7 --- /dev/null +++ b/queue-6.1/perf-tests-switch-tracking-fix-timestamp-comparison.patch @@ -0,0 +1,102 @@ +From aada34959608d9493d54ab15296eacf00a8b782f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:27:59 +0100 +Subject: perf tests switch-tracking: Fix timestamp comparison + +From: Leo Yan + +[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ] + +The test might fail on the Arm64 platform with the error: + + # perf test -vvv "Track with sched_switch" + Missing sched_switch events + # + +The issue is caused by incorrect handling of timestamp comparisons. The +comparison result, a signed 64-bit value, was being directly cast to an +int, leading to incorrect sorting for sched events. + +The case does not fail everytime, usually I can trigger the failure +after run 20 ~ 30 times: + + # while true; do perf test "Track with sched_switch"; done + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + +I used cross compiler to build Perf tool on my host machine and tested on +Debian / Juno board. Generally, I think this issue is not very specific +to GCC versions. As both internal CI and my local env can reproduce the +issue. + +My Host Build compiler: + + # aarch64-linux-gnu-gcc --version + aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 + +Juno Board: + + # lsb_release -a + No LSB modules are available. + Distributor ID: Debian + Description: Debian GNU/Linux 12 (bookworm) + Release: 12 + Codename: bookworm + +Fix this by explicitly returning 0, 1, or -1 based on whether the result +is zero, positive, or negative. + +Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch") +Reviewed-by: Ian Rogers +Signed-off-by: Leo Yan +Cc: Adrian Hunter +Cc: James Clark +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/switch-tracking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c +index 87f565c7f650d..db6c61424badf 100644 +--- a/tools/perf/tests/switch-tracking.c ++++ b/tools/perf/tests/switch-tracking.c +@@ -257,7 +257,7 @@ static int compar(const void *a, const void *b) + const struct event_node *nodeb = b; + s64 cmp = nodea->event_time - nodeb->event_time; + +- return cmp; ++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0); + } + + static int process_events(struct evlist *evlist, +-- +2.39.5 + diff --git a/queue-6.1/perf-ui-browser-hists-set-actions-thread-before-call.patch b/queue-6.1/perf-ui-browser-hists-set-actions-thread-before-call.patch new file mode 100644 index 0000000000..c2af7385bd --- /dev/null +++ b/queue-6.1/perf-ui-browser-hists-set-actions-thread-before-call.patch @@ -0,0 +1,62 @@ +From 08bb21bfd931b13b377cbb2d5fde18c7d69bf0a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 21:58:19 -0300 +Subject: perf ui browser hists: Set actions->thread before calling + do_zoom_thread() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ] + +In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct +perf_hpp_list") it assumes that act->thread is set prior to calling +do_zoom_thread(). + +This doesn't happen when we use ESC or the Left arrow key to Zoom out of +a specific thread, making this operation not to work and we get stuck +into the thread zoom. + +In 6422184b087ff435 ("perf hists browser: Simplify zooming code using +pstack_peek()") it says no need to set actions->thread, and at that +point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL +check was added before the zoom out of thread could kick in. + +We can zoom out using the alternative 't' thread zoom toggle hotkey to +finally set actions->thread before calling do_zoom_thread() and zoom +out, but lets also fix the ESC/Zoom out of thread case. + +Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list") +Reported-by: Ingo Molnar +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index fd3e67d2c6bdd..a68d3ee1769d6 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -3238,10 +3238,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h + /* + * No need to set actions->dso here since + * it's just to remove the current filter. +- * Ditto for thread below. + */ + do_zoom_dso(browser, actions); + } else if (top == &browser->hists->thread_filter) { ++ actions->thread = thread; + do_zoom_thread(browser, actions); + } else if (top == &browser->hists->socket_filter) { + do_zoom_socket(browser, actions); +-- +2.39.5 + diff --git a/queue-6.1/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch b/queue-6.1/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch new file mode 100644 index 0000000000..638677c366 --- /dev/null +++ b/queue-6.1/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch @@ -0,0 +1,56 @@ +From 264435c1ed9375b812224150b618149f2b178ae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 07:50:50 -0500 +Subject: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug + +From: Chenyuan Yang + +[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ] + +The qmp_usb_iomap() helper function currently returns the raw result of +devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return +a NULL pointer and the caller only checks error pointers with IS_ERR(), +NULL could bypass the check and lead to an invalid dereference. + +Fix the issue by checking if devm_ioremap() returns NULL. When it does, +qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), +ensuring safe and consistent error handling. + +Signed-off-by: Chenyuan Yang +Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral") +CC: Johan Hovold +CC: Krzysztof Kozlowski +Reviewed-by: Johan Hovold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +index 605591314f256..a85bb0e1cd8c8 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +@@ -2428,12 +2428,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np, + int index, bool exclusive) + { + struct resource res; ++ void __iomem *mem; + + if (!exclusive) { + if (of_address_to_resource(np, index, &res)) + return IOMEM_ERR_PTR(-EINVAL); + +- return devm_ioremap(dev, res.start, resource_size(&res)); ++ mem = devm_ioremap(dev, res.start, resource_size(&res)); ++ if (!mem) ++ return IOMEM_ERR_PTR(-ENOMEM); ++ return mem; + } + + return devm_of_iomap(dev, np, index, NULL); +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-at91-fix-possible-out-of-boundary-access.patch b/queue-6.1/pinctrl-at91-fix-possible-out-of-boundary-access.patch new file mode 100644 index 0000000000..af46f5c06c --- /dev/null +++ b/queue-6.1/pinctrl-at91-fix-possible-out-of-boundary-access.patch @@ -0,0 +1,50 @@ +From 5cdc5d434aebcbb69fe07bdccc24ea833c8fd95a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:08:07 +0300 +Subject: pinctrl: at91: Fix possible out-of-boundary access + +From: Andy Shevchenko + +[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ] + +at91_gpio_probe() doesn't check that given OF alias is not available or +something went wrong when trying to get it. This might have consequences +when accessing gpio_chips array with that value as an index. Note, that +BUG() can be compiled out and hence won't actually perform the required +checks. + +Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support") +Signed-off-by: Andy Shevchenko +Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/ +Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index 333f9d70c7f48..b82368ec59f4c 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1812,12 +1812,16 @@ static int at91_gpio_probe(struct platform_device *pdev) + struct at91_gpio_chip *at91_chip = NULL; + struct gpio_chip *chip; + struct pinctrl_gpio_range *range; ++ int alias_idx; + int ret = 0; + int irq, i; +- int alias_idx = of_alias_get_id(np, "gpio"); + uint32_t ngpio; + char **names; + ++ alias_idx = of_alias_get_id(np, "gpio"); ++ if (alias_idx < 0) ++ return alias_idx; ++ + BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips)); + if (gpio_chips[alias_idx]) { + ret = -EBUSY; +-- +2.39.5 + diff --git a/queue-6.1/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch b/queue-6.1/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch new file mode 100644 index 0000000000..39bf5338d7 --- /dev/null +++ b/queue-6.1/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch @@ -0,0 +1,60 @@ +From ab9669a23472145a621bb6bacfbe47a0ab0762fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 18:19:27 +0200 +Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices + +From: Rafael J. Wysocki + +[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ] + +Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete +set on errors") caused power.is_suspended to be set for devices with +power.direct_complete set, but it forgot to ensure the clearing of that +flag for them in device_resume(), so power.is_suspended is still set for +them during the next system suspend-resume cycle. + +If that cycle is aborted in dpm_suspend(), the subsequent invocation of +dpm_resume() will trigger a device_resume() call for every device and +because power.is_suspended is set for the devices in question, they will +not be skipped by device_resume() as expected which causes scary error +messages to be logged (as appropriate). + +To address this issue, move the clearing of power.is_suspended in +device_resume() immediately after the power.is_suspended check so it +will be always cleared for all devices processed by that function. + +Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280 +Reported-and-tested-by: Chris Bainbridge +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 343d3c966e7a7..baa31194cf20d 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -897,6 +897,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + if (!dev->power.is_suspended) + goto Complete; + ++ dev->power.is_suspended = false; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -952,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + + End: + error = dpm_run_callback(callback, dev, state, info); +- dev->power.is_suspended = false; + + device_unlock(dev); + dpm_watchdog_clear(&wd); +-- +2.39.5 + diff --git a/queue-6.1/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch b/queue-6.1/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch new file mode 100644 index 0000000000..6409f5243a --- /dev/null +++ b/queue-6.1/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch @@ -0,0 +1,45 @@ +From b45d7d0873f8ae9fd61ebb8f04cf23fad3b062e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:26:51 +0800 +Subject: PM: wakeup: Delete space in the end of string shown by + pm_show_wakelocks() + +From: Zijun Hu + +[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ] + +pm_show_wakelocks() is called to generate a string when showing +attributes /sys/power/wake_(lock|unlock), but the string ends +with an unwanted space that was added back by mistake by commit +c9d967b2ce40 ("PM: wakeup: simplify the output logic of +pm_show_wakelocks()"). + +Remove the unwanted space. + +Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()") +Signed-off-by: Zijun Hu +Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/wakelock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c +index 52571dcad768b..4e941999a53ba 100644 +--- a/kernel/power/wakelock.c ++++ b/kernel/power/wakelock.c +@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) + len += sysfs_emit_at(buf, len, "%s ", wl->name); + } + ++ if (len > 0) ++ --len; ++ + len += sysfs_emit_at(buf, len, "\n"); + + mutex_unlock(&wakelocks_lock); +-- +2.39.5 + diff --git a/queue-6.1/power-reset-at91-reset-optimize-at91_reset.patch b/queue-6.1/power-reset-at91-reset-optimize-at91_reset.patch new file mode 100644 index 0000000000..cdf6a173c0 --- /dev/null +++ b/queue-6.1/power-reset-at91-reset-optimize-at91_reset.patch @@ -0,0 +1,56 @@ +From 8d13e4ae4adeb6aefa19111e28b44c8b12b08111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 08:38:09 +0300 +Subject: power: reset: at91-reset: Optimize at91_reset() + +From: Alexander Shiyan + +[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ] + +This patch adds a small optimization to the low-level at91_reset() +function, which includes: +- Removes the extra branch, since the following store operations + already have proper condition checks. +- Removes the definition of the clobber register r4, since it is + no longer used in the code. + +Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic") +Signed-off-by: Alexander Shiyan +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-reset.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c +index 741e44a017c3f..f47346a0f099f 100644 +--- a/drivers/power/reset/at91-reset.c ++++ b/drivers/power/reset/at91-reset.c +@@ -128,12 +128,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + " str %4, [%0, %6]\n\t" + /* Disable SDRAM1 accesses */ + "1: tst %1, #0\n\t" +- " beq 2f\n\t" + " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t" + /* Power down SDRAM1 */ + " strne %4, [%1, %6]\n\t" + /* Reset CPU */ +- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" ++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" + + " b .\n\t" + : +@@ -144,7 +143,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN), + "r" (reset->data->reset_args), + "r" (reset->ramc_lpr) +- : "r4"); ++ ); + + return NOTIFY_DONE; + } +-- +2.39.5 + diff --git a/queue-6.1/powerpc-crash-fix-non-smp-kexec-preparation.patch b/queue-6.1/powerpc-crash-fix-non-smp-kexec-preparation.patch new file mode 100644 index 0000000000..86124095f9 --- /dev/null +++ b/queue-6.1/powerpc-crash-fix-non-smp-kexec-preparation.patch @@ -0,0 +1,43 @@ +From a64b900de15ea2a0746a95875b18366c9c471fb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 10:20:54 -0600 +Subject: powerpc/crash: Fix non-smp kexec preparation + +From: Eddie James + +[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ] + +In non-smp configurations, crash_kexec_prepare is never called in +the crash shutdown path. One result of this is that the crashing_cpu +variable is never set, preventing crash_save_cpu from storing the +NT_PRSTATUS elf note in the core dump. + +Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()") +Signed-off-by: Eddie James +Reviewed-by: Hari Bathini +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kexec/crash.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c +index 252724ed666a3..14abe7046cd74 100644 +--- a/arch/powerpc/kexec/crash.c ++++ b/arch/powerpc/kexec/crash.c +@@ -356,7 +356,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs) + if (TRAP(regs) == INTERRUPT_SYSTEM_RESET) + is_via_system_reset = 1; + +- crash_smp_send_stop(); ++ if (IS_ENABLED(CONFIG_SMP)) ++ crash_smp_send_stop(); ++ else ++ crash_kexec_prepare(); + + crash_save_cpu(regs, crashing_cpu); + +-- +2.39.5 + diff --git a/queue-6.1/randstruct-gcc-plugin-fix-attribute-addition.patch b/queue-6.1/randstruct-gcc-plugin-fix-attribute-addition.patch new file mode 100644 index 0000000000..1ad31fbdba --- /dev/null +++ b/queue-6.1/randstruct-gcc-plugin-fix-attribute-addition.patch @@ -0,0 +1,134 @@ +From 29feced5e1e91c349718f36fe610142522263b61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:18:28 -0700 +Subject: randstruct: gcc-plugin: Fix attribute addition + +From: Kees Cook + +[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ] + +Based on changes in the 2021 public version of the randstruct +out-of-tree GCC plugin[1], more carefully update the attributes on +resulting decls, to avoid tripping checks in GCC 15's +comptypes_check_enum_int() when it has been configured with +"--enable-checking=misc": + +arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519 + 132 | const struct kexec_file_ops kexec_image_ops = { + | ^~~~~~~~~~~~~~ + internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517 + fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803 + comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519 + ... + +Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1] +Reported-by: Thiago Jung Bauermann +Closes: https://github.com/KSPP/linux/issues/367 +Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/ +Reported-by: Ingo Saitz +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745 +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Tested-by: Thiago Jung Bauermann +Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++ + scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++------- + 2 files changed, 43 insertions(+), 11 deletions(-) + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 1ae39b9f4a95e..90e83d62adb54 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -128,6 +128,38 @@ static inline tree build_const_char_string(int len, const char *str) + return cstr; + } + ++static inline void __add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree oldattr; ++ ++ if (type == NULL_TREE) ++ return; ++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type)); ++ if (oldattr != NULL_TREE) { ++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args)); ++ return; ++ } ++ ++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); ++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type)); ++} ++ ++static inline void add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree main_variant = TYPE_MAIN_VARIANT(type); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args); ++ __add_type_attr(main_variant, attr, args); ++ ++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) { ++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type))) ++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ } ++} ++ + #define PASS_INFO(NAME, REF, ID, POS) \ + struct register_pass_info NAME##_pass_info = { \ + .pass = make_##NAME##_pass(), \ +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index 2b93dd14bd7b6..b00681ad3e383 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -77,6 +77,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f + + if (TYPE_P(*node)) { + type = *node; ++ } else if (TREE_CODE(*node) == FIELD_DECL) { ++ *no_add_attrs = false; ++ return NULL_TREE; + } else { + gcc_assert(TREE_CODE(*node) == TYPE_DECL); + type = TREE_TYPE(*node); +@@ -363,15 +366,14 @@ static int relayout_struct(tree type) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + ++ add_type_attr(type, "randomize_performed", NULL_TREE); ++ add_type_attr(type, "designated_init", NULL_TREE); ++ if (has_flexarray) ++ add_type_attr(type, "has_flexarray", NULL_TREE); ++ + main_variant = TYPE_MAIN_VARIANT(type); +- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { ++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) + TYPE_FIELDS(variant) = newtree[0]; +- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- if (has_flexarray) +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } + + /* + * force a re-layout of the main variant +@@ -439,10 +441,8 @@ static void randomize_type(tree type) + if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type)) + relayout_struct(type); + +- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ add_type_attr(type, "randomize_considered", NULL_TREE); ++ + #ifdef __DEBUG_PLUGIN + fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type)); + #ifdef __DEBUG_VERBOSE +-- +2.39.5 + diff --git a/queue-6.1/randstruct-gcc-plugin-remove-bogus-void-member.patch b/queue-6.1/randstruct-gcc-plugin-remove-bogus-void-member.patch new file mode 100644 index 0000000000..620367441d --- /dev/null +++ b/queue-6.1/randstruct-gcc-plugin-remove-bogus-void-member.patch @@ -0,0 +1,119 @@ +From eb4c767332af414238f66120f0e46db0568e6de5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 00:37:52 -0700 +Subject: randstruct: gcc-plugin: Remove bogus void member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ] + +When building the randomized replacement tree of struct members, the +randstruct GCC plugin would insert, as the first member, a 0-sized void +member. This appears as though it was done to catch non-designated +("unnamed") static initializers, which wouldn't be stable since they +depend on the original struct layout order. + +This was accomplished by having the side-effect of the "void member" +tripping an assert in GCC internals (count_type_elements) if the member +list ever needed to be counted (e.g. for figuring out the order of members +during a non-designated initialization), which would catch impossible type +(void) in the struct: + +security/landlock/fs.c: In function ‘hook_file_ioctl_common’: +security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075 + 1745 | .u.op = &(struct lsm_ioctlop_audit) { + | ^ + +static HOST_WIDE_INT +count_type_elements (const_tree type, bool for_ctor_p) +{ + switch (TREE_CODE (type)) +... + case VOID_TYPE: + default: + gcc_unreachable (); + } +} + +However this is a redundant safety measure since randstruct uses the +__designated_initializer attribute both internally and within the +__randomized_layout attribute macro so that this would be enforced +by the compiler directly even when randstruct was not enabled (via +-Wdesignated-init). + +A recent change in Landlock ended up tripping the same member counting +routine when using a full-struct copy initializer as part of an anonymous +initializer. This, however, is a false positive as the initializer is +copying between identical structs (and hence identical layouts). The +"path" member is "struct path", a randomized struct, and is being copied +to from another "struct path", the "f_path" member: + + landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_IOCTL_OP, + .u.op = &(struct lsm_ioctlop_audit) { + .path = file->f_path, + .cmd = cmd, + }, + }, + ... + +As can be seen with the coming randstruct KUnit test, there appears to +be no behavioral problems with this kind of initialization when the void +member is removed from the randstruct GCC plugin, so remove it. + +Reported-by: "Dr. David Alan Gilbert" +Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/ +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ +Reported-by: WangYuli +Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/ +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index 366395cab490d..2b93dd14bd7b6 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -359,29 +359,13 @@ static int relayout_struct(tree type) + + shuffle(type, (tree *)newtree, shuffle_length); + +- /* +- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers +- * as gcc provides no other way to detect such code +- */ +- list = make_node(FIELD_DECL); +- TREE_CHAIN(list) = newtree[0]; +- TREE_TYPE(list) = void_type_node; +- DECL_SIZE(list) = bitsize_zero_node; +- DECL_NONADDRESSABLE_P(list) = 1; +- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node; +- DECL_SIZE_UNIT(list) = size_zero_node; +- DECL_FIELD_OFFSET(list) = size_zero_node; +- DECL_CONTEXT(list) = type; +- // to satisfy the constify plugin +- TREE_READONLY(list) = 1; +- + for (i = 0; i < num_fields - 1; i++) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + + main_variant = TYPE_MAIN_VARIANT(type); + for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_FIELDS(variant) = list; ++ TYPE_FIELDS(variant) = newtree[0]; + TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +-- +2.39.5 + diff --git a/queue-6.1/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch b/queue-6.1/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch new file mode 100644 index 0000000000..2b6d20e597 --- /dev/null +++ b/queue-6.1/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch @@ -0,0 +1,52 @@ +From 16d7b39b4d0860621c68c1f45821deaae3d9a416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 14:36:02 +0300 +Subject: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work + +From: Jack Morgenstein + +[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ] + +The cited commit fixed a crash when cma_netevent_callback was called for +a cma_id while work on that id from a previous call had not yet started. +The work item was re-initialized in the second call, which corrupted the +work item currently in the work queue. + +However, it left a problem when queue_work fails (because the item is +still pending in the work queue from a previous call). In this case, +cma_id_put (which is called in the work handler) is therefore not +called. This results in a userspace process hang (zombie process). + +Fix this by calling cma_id_put() if queue_work fails. + +Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler") +Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Feng Liu +Reviewed-by: Vlad Dumitrescu +Signed-off-by: Leon Romanovsky +Reviewed-by: Sharath Srinivasan +Reviewed-by: Kalesh AP +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index bb3c361bd8d45..0b2cb31d0f999 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -5190,7 +5190,8 @@ static int cma_netevent_callback(struct notifier_block *self, + neigh->ha, ETH_ALEN)) + continue; + cma_id_get(current_id); +- queue_work(cma_wq, ¤t_id->id.net_work); ++ if (!queue_work(cma_wq, ¤t_id->id.net_work)) ++ cma_id_put(current_id); + } + out: + spin_unlock_irqrestore(&id_table_lock, flags); +-- +2.39.5 + diff --git a/queue-6.1/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch b/queue-6.1/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch new file mode 100644 index 0000000000..e1d1e32c93 --- /dev/null +++ b/queue-6.1/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch @@ -0,0 +1,93 @@ +From b0b02c74eebb1e49e9d9670b184b26adbf4c569a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 21:27:49 +0800 +Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h + +From: Junxian Huang + +[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ] + +hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the +inline function hns_roce_write64(), but it doesn't include this +header currently. This leads to that files including +hns_roce_hw_v2.h must also include hnae3.h to avoid compilation +errors, even if they themselves don't really rely on hnae3.h. +This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h +directly. + +Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_ah.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + + drivers/infiniband/hw/hns/hns_roce_main.c | 1 - + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - + 5 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c +index 103a7787b3712..3a6a1f2430571 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_ah.c ++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index ab0dca9d199ab..be5d7a8ab4d43 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -42,7 +42,6 @@ + #include + #include + +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index a9eff72f10c62..e032db5e3dbf3 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -34,6 +34,7 @@ + #define _HNS_ROCE_HW_V2_H + + #include ++#include "hnae3.h" + + #define HNS_ROCE_V2_MAX_QP_NUM 0x1000 + #define HNS_ROCE_V2_MAX_WQE_NUM 0x8000 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index eae22ac42e05d..3a35f1fb84db9 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -37,7 +37,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hem.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c +index 989a2af2e9382..6ba064899bf14 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c ++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" +-- +2.39.5 + diff --git a/queue-6.1/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch b/queue-6.1/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch new file mode 100644 index 0000000000..003a7510b6 --- /dev/null +++ b/queue-6.1/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch @@ -0,0 +1,140 @@ +From 77343cf97e915a58ce9a7cb75c9faed83dd08ba8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 14:34:07 +0300 +Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction + +From: Patrisious Haddad + +[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ] + +Upon RQ destruction if the firmware command fails which is the +last resource to be destroyed some SW resources were already cleaned +regardless of the failure. + +Now properly rollback the object to its original state upon such failure. + +In order to avoid a use-after free in case someone tries to destroy the +object again, which results in the following kernel trace: +refcount_t: underflow; use-after-free. +WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 +Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) +CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : refcount_warn_saturate+0xf4/0x148 +lr : refcount_warn_saturate+0xf4/0x148 +sp : ffff80008b81b7e0 +x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 +x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 +x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 +x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 +x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f +x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 +x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 +x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff +x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 +Call trace: + refcount_warn_saturate+0xf4/0x148 + mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] + mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] + mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] + ib_destroy_wq_user+0x30/0xc0 [ib_core] + uverbs_free_wq+0x28/0x58 [ib_uverbs] + destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] + uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] + __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] + uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] + ib_uverbs_close+0x2c/0x100 [ib_uverbs] + __fput+0xd8/0x2f0 + __fput_sync+0x50/0x70 + __arm64_sys_close+0x40/0x90 + invoke_syscall.constprop.0+0x74/0xd0 + do_el0_svc+0x48/0xe8 + el0_svc+0x44/0x1d0 + el0t_64_sync_handler+0x120/0x130 + el0t_64_sync+0x1a4/0x1a8 + +Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling") +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++-- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c +index d4e7864c56f18..d75ec5e57c5fd 100644 +--- a/drivers/infiniband/hw/mlx5/qpc.c ++++ b/drivers/infiniband/hw/mlx5/qpc.c +@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn) + spin_lock_irqsave(&table->lock, flags); + + common = radix_tree_lookup(&table->tree, rsn); +- if (common) ++ if (common && !common->invalid) + refcount_inc(&common->refcount); ++ else ++ common = NULL; + + spin_unlock_irqrestore(&table->lock, flags); + +@@ -172,6 +174,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev, + return 0; + } + ++static void modify_resource_common_state(struct mlx5_ib_dev *dev, ++ struct mlx5_core_qp *qp, ++ bool invalid) ++{ ++ struct mlx5_qp_table *table = &dev->qp_table; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&table->lock, flags); ++ qp->common.invalid = invalid; ++ spin_unlock_irqrestore(&table->lock, flags); ++} ++ + static void destroy_resource_common(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *qp) + { +@@ -584,8 +598,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen, + int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *rq) + { ++ int ret; ++ ++ /* The rq destruction can be called again in case it fails, hence we ++ * mark the common resource as invalid and only once FW destruction ++ * is completed successfully we actually destroy the resources. ++ */ ++ modify_resource_common_state(dev, rq, true); ++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ if (ret) { ++ modify_resource_common_state(dev, rq, false); ++ return ret; ++ } + destroy_resource_common(dev, rq); +- return destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ return 0; + } + + static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid) +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 3c3e0f26c2446..b05f69a8306c9 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -385,6 +385,7 @@ struct mlx5_core_rsc_common { + enum mlx5_res_type res; + refcount_t refcount; + struct completion free; ++ bool invalid; + }; + + struct mlx5_uars_page { +-- +2.39.5 + diff --git a/queue-6.1/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch b/queue-6.1/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch new file mode 100644 index 0000000000..2d980dbfab --- /dev/null +++ b/queue-6.1/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch @@ -0,0 +1,64 @@ +From ea913e1f35f6d4d08b00e06f1bf27cb63e0d7103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 11:14:35 +0530 +Subject: remoteproc: k3-r5: Drop check performed in + k3_r5_rproc_{mbox_callback/kick} + +From: Siddharth Vadapalli + +[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ] + +Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during +probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()" +and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote +core's state is "RPROC_DETACHED". However, the "__rproc_attach()" +function that is responsible for attaching to a remote core, updates +the state of the remote core to "RPROC_ATTACHED" only after invoking +"rproc_start_subdevices()". + +The "rproc_start_subdevices()" function triggers the probe of the Virtio +RPMsg devices associated with the remote core, which require that the +"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are +functional. Hence, drop the check in the callbacks. + +Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine") +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Beleswar Padhi +Tested-by: Judith Mendez +Reviewed-by: Andrew Davis +Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c +index 580f86de654f2..75f0b8c99e0b1 100644 +--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c ++++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c +@@ -189,10 +189,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data) + const char *name = kproc->rproc->name; + u32 msg = omap_mbox_message(data); + +- /* Do not forward message from a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + dev_dbg(dev, "mbox msg: 0x%x\n", msg); + + switch (msg) { +@@ -228,10 +224,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid) + mbox_msg_t msg = (mbox_msg_t)vqid; + int ret; + +- /* Do not forward message to a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + /* send the index of the triggered virtqueue in the mailbox payload */ + ret = mbox_send_message(kproc->mbox, (void *)msg); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-6.1/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch b/queue-6.1/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch new file mode 100644 index 0000000000..c623ffb84f --- /dev/null +++ b/queue-6.1/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch @@ -0,0 +1,44 @@ +From 4f0008e6081b0e0a2c2c1c5267fdc59a8ea5bda3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:59:51 +0300 +Subject: remoteproc: qcom_wcnss_iris: Add missing put_device() on error in + probe + +From: Dan Carpenter + +[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ] + +The device_del() call matches with the device_add() but we also need +to call put_device() to trigger the qcom_iris_release(). + +Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_wcnss_iris.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c +index 09720ddddc857..7c7b688eda1d9 100644 +--- a/drivers/remoteproc/qcom_wcnss_iris.c ++++ b/drivers/remoteproc/qcom_wcnss_iris.c +@@ -196,6 +196,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo) + + err_device_del: + device_del(&iris->dev); ++ put_device(&iris->dev); + + return ERR_PTR(ret); + } +@@ -203,4 +204,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo) + void qcom_iris_remove(struct qcom_iris *iris) + { + device_del(&iris->dev); ++ put_device(&iris->dev); + } +-- +2.39.5 + diff --git a/queue-6.1/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch b/queue-6.1/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch new file mode 100644 index 0000000000..5f801c953d --- /dev/null +++ b/queue-6.1/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch @@ -0,0 +1,38 @@ +From ca6ce682e90f4e779b239720b352baa7c62867cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 20:22:05 +0300 +Subject: rpmsg: qcom_smd: Fix uninitialized return variable in + __qcom_smd_send() + +From: Dan Carpenter + +[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ] + +The "ret" variable isn't initialized if we don't enter the loop. For +example, if "channel->state" is not SMD_CHANNEL_OPENED. + +Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index 1044cf03c5422..eb2e66f5ca7b5 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data, + __le32 hdr[5] = { cpu_to_le32(len), }; + int tlen = sizeof(hdr) + len; + unsigned long flags; +- int ret; ++ int ret = 0; + + /* Word aligned channels only accept word size aligned data */ + if (channel->info_word && len % 4) +-- +2.39.5 + diff --git a/queue-6.1/rtc-sh-assign-correct-interrupts-with-dt.patch b/queue-6.1/rtc-sh-assign-correct-interrupts-with-dt.patch new file mode 100644 index 0000000000..2127f61ec6 --- /dev/null +++ b/queue-6.1/rtc-sh-assign-correct-interrupts-with-dt.patch @@ -0,0 +1,51 @@ +From 99b11bb7cd73be467b9137b22d87deaf86718556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 14:42:56 +0100 +Subject: rtc: sh: assign correct interrupts with DT + +From: Wolfram Sang + +[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ] + +The DT bindings for this driver define the interrupts in the order as +they are numbered in the interrupt controller. The old platform_data, +however, listed them in a different order. So, for DT based platforms, +they are mixed up. Assign them specifically for DT, so we can keep the +bindings stable. After the fix, 'rtctest' passes again on the Renesas +Genmai board (RZ-A1 / R7S72100). + +Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sh.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index cd146b5741431..341b1b776e1a3 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev) + return -ENOENT; + } + +- rtc->periodic_irq = ret; +- rtc->carry_irq = platform_get_irq(pdev, 1); +- rtc->alarm_irq = platform_get_irq(pdev, 2); ++ if (!pdev->dev.of_node) { ++ rtc->periodic_irq = ret; ++ rtc->carry_irq = platform_get_irq(pdev, 1); ++ rtc->alarm_irq = platform_get_irq(pdev, 2); ++ } else { ++ rtc->alarm_irq = ret; ++ rtc->periodic_irq = platform_get_irq(pdev, 1); ++ rtc->carry_irq = platform_get_irq(pdev, 2); ++ } + + res = platform_get_resource(pdev, IORESOURCE_IO, 0); + if (!res) +-- +2.39.5 + diff --git a/queue-6.1/s390-bpf-store-backchain-even-for-leaf-progs.patch b/queue-6.1/s390-bpf-store-backchain-even-for-leaf-progs.patch new file mode 100644 index 0000000000..68c1f0701e --- /dev/null +++ b/queue-6.1/s390-bpf-store-backchain-even-for-leaf-progs.patch @@ -0,0 +1,68 @@ +From c0735192d208aeffa31f84090ff39a7c9a016b99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 14:26:15 +0200 +Subject: s390/bpf: Store backchain even for leaf progs + +From: Ilya Leoshkevich + +[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ] + +Currently a crash in a leaf prog (caused by a bug) produces the +following call trace: + + [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78 + [<0000000000000000>] 0x0 + +This is because leaf progs do not store backchain. Fix by making all +progs do it. This is what GCC and Clang-generated code does as well. +Now the call trace looks like this: + + [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80 + [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4 + [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0 + [<000003ffe0aef070>] bpf_test_run+0x210/0x390 + [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668 + [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0 + [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50 + [<000003ffe0defea8>] __do_syscall+0x150/0x280 + [<000003ffe0e01d5c>] system_call+0x74/0x98 + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 8623863935576..a9dbf74752586 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -543,17 +543,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth) + } + /* Setup stack and backchain */ + if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) { +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* lgr %w1,%r15 (backchain) */ +- EMIT4(0xb9040000, REG_W1, REG_15); ++ /* lgr %w1,%r15 (backchain) */ ++ EMIT4(0xb9040000, REG_W1, REG_15); + /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */ + EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED); + /* aghi %r15,-STK_OFF */ + EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth)); +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* stg %w1,152(%r15) (backchain) */ +- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, +- REG_15, 152); ++ /* stg %w1,152(%r15) (backchain) */ ++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, ++ REG_15, 152); + } + } + +-- +2.39.5 + diff --git a/queue-6.1/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch b/queue-6.1/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch new file mode 100644 index 0000000000..f4d88f5bf8 --- /dev/null +++ b/queue-6.1/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch @@ -0,0 +1,79 @@ +From c92625ca5f05da7e6227ac33b64ab78702bf4725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 16:08:44 +0800 +Subject: scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk + +From: Yihang Li + +[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ] + +In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe +I_T nexus reset failure"), if the softreset fails upon certain +conditions, the PHY connected to the disk is disabled directly. Manual +recovery is required, which is inconvenient for users in actual use. + +In addition, SATA disks do not support simultaneous connection of multiple +hosts. Therefore, when multiple controllers are connected to a SATA disk +at the same time, the controller which is connected later failed to issue +an ATA softreset to the SATA disk. As a result, the PHY associated with +the disk is disabled and cannot be automatically recovered. + +Now that, we will not focus on the execution result of softreset. No +matter whether the execution is successful or not, we will directly carry +out I_T_nexus_reset. + +Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure") +Signed-off-by: Yihang Li +Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++---------------------- + 1 file changed, 5 insertions(+), 24 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 02855164bf28d..360f2799f2a13 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1758,33 +1758,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device) + } + hisi_sas_dereg_device(hisi_hba, device); + +- rc = hisi_sas_debug_I_T_nexus_reset(device); +- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) { +- struct sas_phy *local_phy; +- ++ if (dev_is_sata(device)) { + rc = hisi_sas_softreset_ata_disk(device); +- switch (rc) { +- case -ECOMM: +- rc = -ENODEV; +- break; +- case TMF_RESP_FUNC_FAILED: +- case -EMSGSIZE: +- case -EIO: +- local_phy = sas_get_local_phy(device); +- rc = sas_phy_enable(local_phy, 0); +- if (!rc) { +- local_phy->enabled = 0; +- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n", +- SAS_ADDR(device->sas_addr), rc); +- rc = -ENODEV; +- } +- sas_put_local_phy(local_phy); +- break; +- default: +- break; +- } ++ if (rc == TMF_RESP_FUNC_FAILED) ++ dev_err(dev, "ata disk %016llx reset (%d)\n", ++ SAS_ADDR(device->sas_addr), rc); + } + ++ rc = hisi_sas_debug_I_T_nexus_reset(device); + if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV)) + hisi_sas_release_task(hisi_hba, device); + +-- +2.39.5 + diff --git a/queue-6.1/scsi-qedf-use-designated-initializer-for-struct-qed_.patch b/queue-6.1/scsi-qedf-use-designated-initializer-for-struct-qed_.patch new file mode 100644 index 0000000000..3b235e3671 --- /dev/null +++ b/queue-6.1/scsi-qedf-use-designated-initializer-for-struct-qed_.patch @@ -0,0 +1,43 @@ +From ffdc6c9dd7b47a87dd665082e4e932a388ea63c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 15:41:57 -0700 +Subject: scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops + +From: Kees Cook + +[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ] + +Recent fixes to the randstruct GCC plugin allowed it to notice +that this structure is entirely function pointers and is therefore +subject to randomization, but doing so requires that it always use +designated initializers. Explicitly specify the "common" member as being +initialized. Silences: + +drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init] + 702 | { + | ^ + +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 288c96e7bc39f..a6f53cfff9383 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie) + } + + static struct qed_fcoe_cb_ops qedf_cb_ops = { +- { ++ .common = { + .link_update = qedf_link_update, + .bw_update = qedf_bw_update, + .schedule_recovery_handler = qedf_schedule_recovery_handler, +-- +2.39.5 + diff --git a/queue-6.1/seg6-fix-validation-of-nexthop-addresses.patch b/queue-6.1/seg6-fix-validation-of-nexthop-addresses.patch new file mode 100644 index 0000000000..d3bb546d65 --- /dev/null +++ b/queue-6.1/seg6-fix-validation-of-nexthop-addresses.patch @@ -0,0 +1,48 @@ +From 818c39ec5b2f799a29b27ba031215eb20c697409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:32:52 +0300 +Subject: seg6: Fix validation of nexthop addresses + +From: Ido Schimmel + +[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ] + +The kernel currently validates that the length of the provided nexthop +address does not exceed the specified length. This can lead to the +kernel reading uninitialized memory if user space provided a shorter +length than the specified one. + +Fix by validating that the provided length exactly matches the specified +one. + +Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_local.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c +index 33cb0381b5749..b7d9a68a265d7 100644 +--- a/net/ipv6/seg6_local.c ++++ b/net/ipv6/seg6_local.c +@@ -1250,10 +1250,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = { + [SEG6_LOCAL_SRH] = { .type = NLA_BINARY }, + [SEG6_LOCAL_TABLE] = { .type = NLA_U32 }, + [SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 }, +- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY, +- .len = sizeof(struct in_addr) }, +- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY, +- .len = sizeof(struct in6_addr) }, ++ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)), ++ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)), + [SEG6_LOCAL_IIF] = { .type = NLA_U32 }, + [SEG6_LOCAL_OIF] = { .type = NLA_U32 }, + [SEG6_LOCAL_BPF] = { .type = NLA_NESTED }, +-- +2.39.5 + diff --git a/queue-6.1/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch b/queue-6.1/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch new file mode 100644 index 0000000000..16a88595c3 --- /dev/null +++ b/queue-6.1/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch @@ -0,0 +1,53 @@ +From dd0a267e20664ecfad75ada336a5def11cd02636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 09:40:58 +0000 +Subject: selftests/seccomp: fix syscall_restart test for arm compat + +From: Neill Kapron + +[ Upstream commit 797002deed03491215a352ace891749b39741b69 ] + +The inconsistencies in the systcall ABI between arm and arm-compat can +can cause a failure in the syscall_restart test due to the logic +attempting to work around the differences. The 'machine' field for an +ARM64 device running in compat mode can report 'armv8l' or 'armv8b' +which matches with the string 'arm' when only examining the first three +characters of the string. + +This change adds additional validation to the workaround logic to make +sure we only take the arm path when running natively, not in arm-compat. + +Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64") +Signed-off-by: Neill Kapron +Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 4ae6c89913074..b300e87404d8e 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -3136,12 +3136,15 @@ TEST(syscall_restart) + ret = get_syscall(_metadata, child_pid); + #if defined(__arm__) + /* +- * FIXME: + * - native ARM registers do NOT expose true syscall. + * - compat ARM registers on ARM64 DO expose true syscall. ++ * - values of utsbuf.machine include 'armv8l' or 'armb8b' ++ * for ARM64 running in compat mode. + */ + ASSERT_EQ(0, uname(&utsbuf)); +- if (strncmp(utsbuf.machine, "arm", 3) == 0) { ++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) && ++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) && ++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) { + EXPECT_EQ(__NR_nanosleep, ret); + } else + #endif +-- +2.39.5 + diff --git a/queue-6.1/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch b/queue-6.1/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch new file mode 100644 index 0000000000..a8ecfd54d8 --- /dev/null +++ b/queue-6.1/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch @@ -0,0 +1,43 @@ +From 26db8566908fdb673c967114290b3ba06b86e135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:03:39 +0800 +Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe() + +From: Henry Martin + +[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ] + +devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() +does not check for this case, which could result in a NULL pointer +dereference. + +Add NULL check after devm_ioremap() to prevent this issue. + +Fixes: ba44dc043004 ("serial: Add Milbeaut serial control") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/milbeaut_usio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c +index c15e0d84dc7e3..c604c21e7fa33 100644 +--- a/drivers/tty/serial/milbeaut_usio.c ++++ b/drivers/tty/serial/milbeaut_usio.c +@@ -524,7 +524,10 @@ static int mlb_usio_probe(struct platform_device *pdev) + } + port->membase = devm_ioremap(&pdev->dev, res->start, + resource_size(res)); +- ++ if (!port->membase) { ++ ret = -ENOMEM; ++ goto failed; ++ } + ret = platform_get_irq_byname(pdev, "rx"); + mlb_usio_irq[index][RX] = ret; + +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index b7f71f965a..89fbee2166 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -11,3 +11,184 @@ usb-serial-pl2303-add-new-chip-pl2303gc-q20-and-pl2303gt-2ab.patch bluetooth-hci_qca-move-the-soc-type-check-to-the-right-place.patch usb-usbtmc-fix-timeout-value-in-get_stb.patch thunderbolt-do-not-double-dequeue-a-configuration-request.patch +gfs2-gfs2_create_inode-error-handling-fix.patch +perf-core-fix-broken-throttling-when-max_samples_per.patch +crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch +crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch +powerpc-crash-fix-non-smp-kexec-preparation.patch +x86-cpu-sanitize-cpuid-0x80000000-output.patch +crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch +crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch +crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch +crypto-xts-only-add-ecb-if-it-is-not-already-there.patch +crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch +tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch +asoc-tas2764-enable-main-irqs.patch +edac-skx_common-fix-general-protection-fault.patch +tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch +spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch +spi-tegra210-quad-remove-redundant-error-handling-co.patch +spi-tegra210-quad-modify-chip-select-cs-deactivation.patch +power-reset-at91-reset-optimize-at91_reset.patch +pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch +x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch +acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch +spi-sh-msiof-fix-maximum-dma-transfer-size.patch +asoc-apple-mca-constrain-channels-according-to-tdm-m.patch +drm-vmwgfx-add-seqno-waiter-for-sync_files.patch +drm-amd-pp-fix-potential-null-pointer-dereference-in.patch +media-rkvdec-fix-frame-size-enumeration.patch +arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch +arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch +drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch +fs-ntfs3-handle-hdr_first_de-return-value.patch +watchdog-exar-shorten-identity-name-to-fit-correctly.patch +m68k-mac-fix-macintosh_config-for-mac-ii.patch +firmware-psci-fix-refcount-leak-in-psci_dt_init.patch +arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch +selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch +drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch +drm-vkms-adjust-vkms_state-active_planes-allocation-.patch +drm-tegra-rgb-fix-the-unbound-reference-count.patch +firmware-sdei-allow-sdei-initialization-without-acpi.patch +scsi-qedf-use-designated-initializer-for-struct-qed_.patch +wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch +ib-cm-use-rwlock-for-mad-agent-lock.patch +bpf-fix-ktls-panic-with-sockmap.patch +bpf-sockmap-fix-duplicated-data-transmission.patch +bpf-sockmap-fix-panic-when-calling-skb_linearize.patch +f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch +net-ncsi-fix-gcps-64-bit-member-variables.patch +libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch +wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch +rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch +scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch +iommu-protect-against-overflow-in-iommu_pgsize.patch +f2fs-clean-up-w-fscrypt_is_bounce_page.patch +f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch +libbpf-use-proper-errno-value-in-linker.patch +netfilter-bridge-move-specific-fragmented-packet-to-.patch +netfilter-nft_quota-match-correctly-when-the-quota-j.patch +rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch +bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch +clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch +clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch +clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch +clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch +efi-libstub-describe-missing-out-parameter-in-efi_lo.patch +tracing-rename-event_trigger_alloc-to-trigger_data_a.patch +tracing-fix-error-handling-in-event_trigger_parse.patch +ktls-sockmap-fix-missing-uncharge-operation.patch +libbpf-use-proper-errno-value-in-nlattr.patch +pinctrl-at91-fix-possible-out-of-boundary-access.patch +bpf-fix-warn-in-get_bpf_raw_tp_regs.patch +clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch +s390-bpf-store-backchain-even-for-leaf-progs.patch +wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch +iommu-remove-duplicate-selection-of-dmar_table.patch +hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch +hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch +wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch +kernfs-relax-constraint-in-draining-guard.patch +netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch +vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch +bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch +bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch +netfilter-nft_tunnel-fix-geneve_opt-dump.patch +net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch +rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch +bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch +net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch +net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch +calipso-don-t-call-calipso-functions-for-af_inet-sk.patch +net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch +net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch +f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch +f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch +arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch +arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch +arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch +arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch +arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch +arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch +arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch +arm64-dts-mt6359-add-missing-compatible-property-to-.patch +arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch +arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch +squashfs-check-return-result-of-sb_min_blocksize.patch +ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch +nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch +nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch +bus-fsl-mc-fix-double-free-on-mc_dev.patch +dt-bindings-vendor-prefixes-add-liontron-name.patch +arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch +arm64-defconfig-mediatek-enable-phy-drivers.patch +arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch +arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch +arm-aspeed-don-t-select-sram.patch +soc-aspeed-lpc-fix-impossible-judgment-condition.patch +soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch +fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch +randstruct-gcc-plugin-remove-bogus-void-member.patch +randstruct-gcc-plugin-fix-attribute-addition.patch +perf-build-warn-when-libdebuginfod-devel-files-are-n.patch +perf-ui-browser-hists-set-actions-thread-before-call.patch +dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch +dm-free-table-mempools-if-not-used-in-__bind.patch +backlight-pm8941-add-null-check-in-wled_configure.patch +mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch +hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch +perf-intel-pt-fix-pebs-via-pt-data_src.patch +perf-scripts-python-exported-sql-viewer.py-fix-patte.patch +remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch +remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch +rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch +mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch +mfd-stmpe-spi-correct-the-name-used-in-module_device.patch +perf-tests-switch-tracking-fix-timestamp-comparison.patch +perf-record-fix-incorrect-user-regs-comments.patch +nfs-clear-sb_rdonly-before-getting-superblock.patch +nfs-ignore-sb_rdonly-when-remounting-nfs.patch +rtc-sh-assign-correct-interrupts-with-dt.patch +pci-cadence-fix-runtime-atomic-count-underflow.patch +pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch +pci-explicitly-put-devices-into-d0-when-initializing.patch +phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch +dmaengine-ti-add-null-check-in-udma_probe.patch +pci-dpc-initialize-aer_err_info-before-using-it.patch +usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch +serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch +iio-filter-admv8818-fix-band-4-state-15.patch +iio-filter-admv8818-fix-integer-overflow.patch +iio-filter-admv8818-fix-range-calculation.patch +iio-filter-admv8818-support-frequencies-2-32.patch +iio-adc-ad7124-fix-3db-filter-frequency-reading.patch +mips-loongson64-add-missing-interrupt-cells-for-loon.patch +counter-interrupt-cnt-protect-enable-disable-ops-wit.patch +coresight-prevent-deactivate-active-config-while-ena.patch +vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch +net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch +gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch +net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch +driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch +net-mlx4_en-prevent-potential-integer-overflow-calcu.patch +net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch +spi-bcm63xx-spi-fix-shared-reset.patch +spi-bcm63xx-hsspi-fix-shared-reset.patch +bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch +ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch +ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch +net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch +net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch +net-fix-checksum-update-for-ila-adj-transport.patch +net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch +vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch +pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch +gve-add-missing-null-check-for-gve_alloc_pending_pac.patch +netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch +wireguard-device-enable-threaded-napi.patch +seg6-fix-validation-of-nexthop-addresses.patch +asoc-codecs-hda-fix-rpm-usage-count-underflow.patch +asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch +fix-propagation-graph-breakage-by-move_mount_set_gro.patch +do_change_type-refuse-to-operate-on-unmounted-not-ou.patch diff --git a/queue-6.1/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch b/queue-6.1/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch new file mode 100644 index 0000000000..24c8bf51e1 --- /dev/null +++ b/queue-6.1/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch @@ -0,0 +1,73 @@ +From 254c575986f27ac5e25fbbeab00511aada06b57d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:44 +0930 +Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() + +From: Henry Martin + +[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +aspeed_lpc_enable_snoop() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com +[arj: Fix Fixes: tag to use subject from 3772e5da4454] +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index d9bdc2e084086..22619b853f449 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -201,11 +201,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR; + lpc_snoop->chan[channel].miscdev.name = + devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel); ++ if (!lpc_snoop->chan[channel].miscdev.name) { ++ rc = -ENOMEM; ++ goto err_free_fifo; ++ } + lpc_snoop->chan[channel].miscdev.fops = &snoop_fops; + lpc_snoop->chan[channel].miscdev.parent = dev; + rc = misc_register(&lpc_snoop->chan[channel].miscdev); + if (rc) +- return rc; ++ goto err_free_fifo; + + /* Enable LPC snoop channel at requested port */ + switch (channel) { +@@ -222,7 +226,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + hicrb_en = HICRB_ENSNP1D; + break; + default: +- return -EINVAL; ++ rc = -EINVAL; ++ goto err_misc_deregister; + } + + regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en); +@@ -232,6 +237,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ return 0; ++ ++err_misc_deregister: ++ misc_deregister(&lpc_snoop->chan[channel].miscdev); ++err_free_fifo: ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + return rc; + } + +-- +2.39.5 + diff --git a/queue-6.1/soc-aspeed-lpc-fix-impossible-judgment-condition.patch b/queue-6.1/soc-aspeed-lpc-fix-impossible-judgment-condition.patch new file mode 100644 index 0000000000..1596d5292f --- /dev/null +++ b/queue-6.1/soc-aspeed-lpc-fix-impossible-judgment-condition.patch @@ -0,0 +1,46 @@ +From 072b30af5835a85a645c18d77e11cb121f60efda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:43 +0930 +Subject: soc: aspeed: lpc: Fix impossible judgment condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ] + +smatch error: +drivers/soc/aspeed/aspeed-lpc-snoop.c:169 +aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero + +platform_get_irq() return non-zero IRQ number or negative error code, +change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this. + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Signed-off-by: Su Hui +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index eceeaf8dfbeba..d9bdc2e084086 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -167,7 +167,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop, + int rc; + + lpc_snoop->irq = platform_get_irq(pdev, 0); +- if (!lpc_snoop->irq) ++ if (lpc_snoop->irq < 0) + return -ENODEV; + + rc = devm_request_irq(dev, lpc_snoop->irq, +-- +2.39.5 + diff --git a/queue-6.1/spi-bcm63xx-hsspi-fix-shared-reset.patch b/queue-6.1/spi-bcm63xx-hsspi-fix-shared-reset.patch new file mode 100644 index 0000000000..2052dd9b86 --- /dev/null +++ b/queue-6.1/spi-bcm63xx-hsspi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From 0a426938f3d19932eb3f5732a70d1b8c231c2892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:15 +0200 +Subject: spi: bcm63xx-hsspi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 02f56fc001b47..7d8e5c66f6d17 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -357,7 +357,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-6.1/spi-bcm63xx-spi-fix-shared-reset.patch b/queue-6.1/spi-bcm63xx-spi-fix-shared-reset.patch new file mode 100644 index 0000000000..7ac9bb36ac --- /dev/null +++ b/queue-6.1/spi-bcm63xx-spi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From ac2ae8f581858361d3027d6e49712f0b552867e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:14 +0200 +Subject: spi: bcm63xx-spi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index 695ac74571286..2f2a130464651 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -533,7 +533,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev) + return PTR_ERR(clk); + } + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-6.1/spi-sh-msiof-fix-maximum-dma-transfer-size.patch b/queue-6.1/spi-sh-msiof-fix-maximum-dma-transfer-size.patch new file mode 100644 index 0000000000..dff78e9b73 --- /dev/null +++ b/queue-6.1/spi-sh-msiof-fix-maximum-dma-transfer-size.patch @@ -0,0 +1,71 @@ +From a7e5996353c3ce56f5d9f2351dbeee0940364cda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:32:06 +0200 +Subject: spi: sh-msiof: Fix maximum DMA transfer size + +From: Geert Uytterhoeven + +[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ] + +The maximum amount of data to transfer in a single DMA request is +calculated from the FIFO sizes (which is technically not 100% correct, +but a simplification, as it is limited by the maximum word count values +in the Transmit and Control Data Registers). However, in case there is +both data to transmit and to receive, the transmit limit is overwritten +by the receive limit. + +Fix this by using the minimum applicable FIFO size instead. Move the +calculation outside the loop, so it is not repeated for each individual +DMA transfer. + +As currently tx_fifo_size is always equal to rx_fifo_size, this bug had +no real impact. + +Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index ec3a4939ee984..374697b2d6061 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -919,6 +919,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + void *rx_buf = t->rx_buf; + unsigned int len = t->len; + unsigned int bits = t->bits_per_word; ++ unsigned int max_wdlen = 256; + unsigned int bytes_per_word; + unsigned int words; + int n; +@@ -932,17 +933,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + if (!spi_controller_is_slave(p->ctlr)) + sh_msiof_spi_set_clk_regs(p, t); + ++ if (tx_buf) ++ max_wdlen = min(max_wdlen, p->tx_fifo_size); ++ if (rx_buf) ++ max_wdlen = min(max_wdlen, p->rx_fifo_size); ++ + while (ctlr->dma_tx && len > 15) { + /* + * DMA supports 32-bit words only, hence pack 8-bit and 16-bit + * words, with byte resp. word swapping. + */ +- unsigned int l = 0; +- +- if (tx_buf) +- l = min(round_down(len, 4), p->tx_fifo_size * 4); +- if (rx_buf) +- l = min(round_down(len, 4), p->rx_fifo_size * 4); ++ unsigned int l = min(round_down(len, 4), max_wdlen * 4); + + if (bits <= 8) { + copy32 = copy_bswap32; +-- +2.39.5 + diff --git a/queue-6.1/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch b/queue-6.1/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch new file mode 100644 index 0000000000..e1313cd091 --- /dev/null +++ b/queue-6.1/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch @@ -0,0 +1,85 @@ +From 8b80135d2804e5a0680dae0e9cd781cf78401e0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:01 +0000 +Subject: spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers + +From: Vishwaroop A + +[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ] + +This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4 +macros to properly encode the bus width for x1, x2, and x4 transfers. +Although these macros were previously incorrect, they were not being +used in the driver, so no functionality was affected. + +The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config() +function calls to use the actual bus width from the transfer, instead of +hardcoding it to 0 (which implied x1 mode). This change enables proper +support for x1, x2, and x4 data transfers by correctly configuring the +interface width for commands and addresses. + +These modifications improve the QSPI driver's flexibility and prepare it +for future use cases that may require different bus widths for commands +and addresses. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 442d42130ec87..b84dc830c4333 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -135,7 +135,7 @@ + #define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0) + + #define QSPI_CMB_SEQ_CMD_CFG 0x1a0 +-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13) ++#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13) + #define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13) + #define QSPI_COMMAND_SDR_DDR BIT(12) + #define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0) +@@ -147,7 +147,7 @@ + #define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0) + + #define QSPI_CMB_SEQ_ADDR_CFG 0x1ac +-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13) ++#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13) + #define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13) + #define QSPI_ADDRESS_SDR_DDR BIT(12) + #define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0) +@@ -1035,10 +1035,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len) + { + u32 addr_config = 0; + +- /* Extract Address configuration and value */ +- is_ddr = 0; //Only SDR mode supported +- bus_width = 0; //X1 mode +- + if (is_ddr) + addr_config |= QSPI_ADDRESS_SDR_DDR; + else +@@ -1072,13 +1068,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + switch (transfer_phase) { + case CMD_TRANSFER: + /* X1 SDR mode */ +- cmd_config = tegra_qspi_cmd_config(false, 0, ++ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits, + xfer->len); + cmd_value = *((const u8 *)(xfer->tx_buf)); + break; + case ADDR_TRANSFER: + /* X1 SDR mode */ +- addr_config = tegra_qspi_addr_config(false, 0, ++ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits, + xfer->len); + address_value = *((const u32 *)(xfer->tx_buf)); + break; +-- +2.39.5 + diff --git a/queue-6.1/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch b/queue-6.1/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch new file mode 100644 index 0000000000..dfb7c3ac75 --- /dev/null +++ b/queue-6.1/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch @@ -0,0 +1,51 @@ +From bea255193e6e93cf7e7162fc9aa191c5740250d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:03 +0000 +Subject: spi: tegra210-quad: modify chip select (CS) deactivation + +From: Vishwaroop A + +[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ] + +Modify the chip select (CS) deactivation and inter-transfer delay +execution only during the DATA_TRANSFER phase when the cs_change +flag is not set. This ensures proper CS handling and timing between +transfers while eliminating redundant operations. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index d09e0b9ac18c4..f2a4743efcb47 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1152,16 +1152,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + ret = -EIO; + goto exit; + } +- if (!xfer->cs_change) { +- tegra_qspi_transfer_end(spi); +- spi_transfer_delay_exec(xfer); +- } + break; + default: + ret = -EINVAL; + goto exit; + } + msg->actual_length += xfer->len; ++ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) { ++ tegra_qspi_transfer_end(spi); ++ spi_transfer_delay_exec(xfer); ++ } + transfer_phase++; + } + ret = 0; +-- +2.39.5 + diff --git a/queue-6.1/spi-tegra210-quad-remove-redundant-error-handling-co.patch b/queue-6.1/spi-tegra210-quad-remove-redundant-error-handling-co.patch new file mode 100644 index 0000000000..ce2bcc65c6 --- /dev/null +++ b/queue-6.1/spi-tegra210-quad-remove-redundant-error-handling-co.patch @@ -0,0 +1,40 @@ +From 025d70ae3f8f78a5d2813e6dcefd964b1a0c8c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:02 +0000 +Subject: spi: tegra210-quad: remove redundant error handling code + +From: Vishwaroop A + +[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ] + +Remove unnecessary error handling code that terminated transfers and +executed delay on errors. This code was redundant as error handling is +already done at a higher level in the SPI core. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index b84dc830c4333..d09e0b9ac18c4 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1168,10 +1168,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + + exit: + msg->status = ret; +- if (ret < 0) { +- tegra_qspi_transfer_end(spi); +- spi_transfer_delay_exec(xfer); +- } + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.1/squashfs-check-return-result-of-sb_min_blocksize.patch b/queue-6.1/squashfs-check-return-result-of-sb_min_blocksize.patch new file mode 100644 index 0000000000..8cf2f8010b --- /dev/null +++ b/queue-6.1/squashfs-check-return-result-of-sb_min_blocksize.patch @@ -0,0 +1,66 @@ +From 86b67752a4a4b742e6fbaf1a76e667abd8059d6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 03:47:47 +0100 +Subject: Squashfs: check return result of sb_min_blocksize + +From: Phillip Lougher + +[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ] + +Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. + +Syzkaller forks multiple processes which after mounting the Squashfs +filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). +Now if this ioctl occurs at the same time another process is in the +process of mounting a Squashfs filesystem on /dev/loop0, the failure +occurs. When this happens the following code in squashfs_fill_super() +fails. + +---- +msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); +msblk->devblksize_log2 = ffz(~msblk->devblksize); +---- + +sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. + +As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 +is set to 64. + +This subsequently causes the + +UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 +shift exponent 64 is too large for 64-bit type 'u64' (aka +'unsigned long long') + +This commit adds a check for a 0 return by sb_min_blocksize(). + +Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk +Fixes: 0aa666190509 ("Squashfs: super block operations") +Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/ +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c +index 32565dafa7f3b..37579c07f6fde 100644 +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -137,6 +137,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) + msblk->panic_on_errors = (opts->errors == Opt_errors_panic); + + msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); ++ if (!msblk->devblksize) { ++ errorf(fc, "squashfs: unable to set blocksize\n"); ++ return -EINVAL; ++ } ++ + msblk->devblksize_log2 = ffz(~msblk->devblksize); + + mutex_init(&msblk->meta_index_mutex); +-- +2.39.5 + diff --git a/queue-6.1/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch b/queue-6.1/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch new file mode 100644 index 0000000000..452b6de739 --- /dev/null +++ b/queue-6.1/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch @@ -0,0 +1,49 @@ +From 5ad3e4c516aec9ef9a33a5d9ef804102a667a473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 12:46:22 +0200 +Subject: tools/nolibc: fix integer overflow in i{64,}toa_r() and +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 4d231a7df1a85c7572b67a4666cb73adb977fbf6 ] + +In twos complement the most negative number can not be negated. + +Fixes: b1c21e7d99cd ("tools/nolibc/stdlib: add i64toa() and u64toa()") +Fixes: 66c397c4d2e1 ("tools/nolibc/stdlib: replace the ltoa() function with more efficient ones") +Signed-off-by: Thomas Weißschuh +Acked-by: Willy Tarreau +Link: https://lore.kernel.org/r/20250419-nolibc-ubsan-v2-5-060b8a016917@weissschuh.net +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/stdlib.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h +index c0c3854b3f35b..cbed8a12d99e9 100644 +--- a/tools/include/nolibc/stdlib.h ++++ b/tools/include/nolibc/stdlib.h +@@ -255,7 +255,7 @@ int itoa_r(long in, char *buffer) + int len = 0; + + if (in < 0) { +- in = -in; ++ in = -(unsigned long)in; + *(ptr++) = '-'; + len++; + } +@@ -391,7 +391,7 @@ int i64toa_r(int64_t in, char *buffer) + int len = 0; + + if (in < 0) { +- in = -in; ++ in = -(uint64_t)in; + *(ptr++) = '-'; + len++; + } +-- +2.39.5 + diff --git a/queue-6.1/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch b/queue-6.1/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch new file mode 100644 index 0000000000..9d3eb48d77 --- /dev/null +++ b/queue-6.1/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch @@ -0,0 +1,40 @@ +From cc506448cb52cfc994a0a184b6540a4890b06ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 15:36:24 +0800 +Subject: tools/nolibc/types.h: fix mismatched parenthesis in minor() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jemmy Wong + +[ Upstream commit 9c138ac9392228835b520fd4dbb07e636b34a867 ] + +Fix an imbalance where opening parentheses exceed closing ones. + +Fixes: eba6d00d38e7c ("tools/nolibc/types: move makedev to types.h and make it a macro") +Signed-off-by: Jemmy Wong +Acked-by: Willy Tarreau +Link: https://lore.kernel.org/r/20250411073624.22153-1-jemmywong512@gmail.com +Signed-off-by: Thomas Weißschuh +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/include/nolibc/types.h b/tools/include/nolibc/types.h +index fbbc0e68c001b..598d1ef811859 100644 +--- a/tools/include/nolibc/types.h ++++ b/tools/include/nolibc/types.h +@@ -196,7 +196,7 @@ struct stat { + /* WARNING, it only deals with the 4096 first majors and 256 first minors */ + #define makedev(major, minor) ((dev_t)((((major) & 0xfff) << 8) | ((minor) & 0xff))) + #define major(dev) ((unsigned int)(((dev) >> 8) & 0xfff)) +-#define minor(dev) ((unsigned int)(((dev) & 0xff)) ++#define minor(dev) ((unsigned int)((dev) & 0xff)) + + #ifndef offsetof + #define offsetof(TYPE, FIELD) ((size_t) &((TYPE *)0)->FIELD) +-- +2.39.5 + diff --git a/queue-6.1/tracing-fix-error-handling-in-event_trigger_parse.patch b/queue-6.1/tracing-fix-error-handling-in-event_trigger_parse.patch new file mode 100644 index 0000000000..3081b9a2bb --- /dev/null +++ b/queue-6.1/tracing-fix-error-handling-in-event_trigger_parse.patch @@ -0,0 +1,55 @@ +From 9c464a08281caabc410174ef9ca3cc762ba0a133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:53:07 -0400 +Subject: tracing: Fix error handling in event_trigger_parse() + +From: Miaoqian Lin + +[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ] + +According to trigger_data_alloc() doc, trigger_data_free() should be +used to free an event_trigger_data object. This fixes a mismatch introduced +when kzalloc was replaced with trigger_data_alloc without updating +the corresponding deallocation calls. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Andrew Morton +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org +Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com +Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers") +Signed-off-by: Miaoqian Lin +[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ] +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_trigger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index 22bee3eae7cc3..782ccb2433bb4 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -998,7 +998,7 @@ event_trigger_parse(struct event_command *cmd_ops, + + if (remove) { + event_trigger_unregister(cmd_ops, file, glob+1, trigger_data); +- kfree(trigger_data); ++ trigger_data_free(trigger_data); + ret = 0; + goto out; + } +@@ -1025,7 +1025,7 @@ event_trigger_parse(struct event_command *cmd_ops, + + out_free: + event_trigger_reset_filter(cmd_ops, trigger_data); +- kfree(trigger_data); ++ trigger_data_free(trigger_data); + goto out; + } + +-- +2.39.5 + diff --git a/queue-6.1/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch b/queue-6.1/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch new file mode 100644 index 0000000000..632c45a112 --- /dev/null +++ b/queue-6.1/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch @@ -0,0 +1,126 @@ +From 35748b49c05bf05bdcaf31a8f8cc1525978a03fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:53:06 -0400 +Subject: tracing: Rename event_trigger_alloc() to trigger_data_alloc() + +From: Steven Rostedt + +[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ] + +The function event_trigger_alloc() creates an event_trigger_data +descriptor and states that it needs to be freed via event_trigger_free(). +This is incorrect, it needs to be freed by trigger_data_free() as +event_trigger_free() adds ref counting. + +Rename event_trigger_alloc() to trigger_data_alloc() and state that it +needs to be freed via trigger_data_free(). This naming convention +was introducing bugs. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Tom Zanussi +Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org +Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.h | 8 +++----- + kernel/trace/trace_events_hist.c | 2 +- + kernel/trace/trace_events_trigger.c | 16 ++++++++-------- + 3 files changed, 12 insertions(+), 14 deletions(-) + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index 49b297ca7fc72..950782b0ab1cb 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -1586,6 +1586,9 @@ extern int event_enable_register_trigger(char *glob, + extern void event_enable_unregister_trigger(char *glob, + struct event_trigger_data *test, + struct trace_event_file *file); ++extern struct event_trigger_data * ++trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param, ++ void *private_data); + extern void trigger_data_free(struct event_trigger_data *data); + extern int event_trigger_init(struct event_trigger_data *data); + extern int trace_event_trigger_enable_disable(struct trace_event_file *file, +@@ -1612,11 +1615,6 @@ extern bool event_trigger_check_remove(const char *glob); + extern bool event_trigger_empty_param(const char *param); + extern int event_trigger_separate_filter(char *param_and_filter, char **param, + char **filter, bool param_required); +-extern struct event_trigger_data * +-event_trigger_alloc(struct event_command *cmd_ops, +- char *cmd, +- char *param, +- void *private_data); + extern int event_trigger_parse_num(char *trigger, + struct event_trigger_data *trigger_data); + extern int event_trigger_set_filter(struct event_command *cmd_ops, +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index a11392596a365..c53be68bcd111 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -6520,7 +6520,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops, + return PTR_ERR(hist_data); + } + +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data); + if (!trigger_data) { + ret = -ENOMEM; + goto out_free; +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index afdbad16d00a6..22bee3eae7cc3 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -807,7 +807,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param, + } + + /** +- * event_trigger_alloc - allocate and init event_trigger_data for a trigger ++ * trigger_data_alloc - allocate and init event_trigger_data for a trigger + * @cmd_ops: The event_command operations for the trigger + * @cmd: The cmd string + * @param: The param string +@@ -818,14 +818,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param, + * trigger_ops to assign to the event_trigger_data. @private_data can + * also be passed in and associated with the event_trigger_data. + * +- * Use event_trigger_free() to free an event_trigger_data object. ++ * Use trigger_data_free() to free an event_trigger_data object. + * + * Return: The trigger_data object success, NULL otherwise + */ +-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops, +- char *cmd, +- char *param, +- void *private_data) ++struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops, ++ char *cmd, ++ char *param, ++ void *private_data) + { + struct event_trigger_data *trigger_data; + struct event_trigger_ops *trigger_ops; +@@ -992,7 +992,7 @@ event_trigger_parse(struct event_command *cmd_ops, + return ret; + + ret = -ENOMEM; +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file); + if (!trigger_data) + goto out; + +@@ -1772,7 +1772,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops, + enable_data->enable = enable; + enable_data->file = event_enable_file; + +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data); + if (!trigger_data) { + kfree(enable_data); + goto out; +-- +2.39.5 + diff --git a/queue-6.1/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch b/queue-6.1/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch new file mode 100644 index 0000000000..bad83b5647 --- /dev/null +++ b/queue-6.1/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch @@ -0,0 +1,192 @@ +From 05f19bb4cf6873679ba8ad635cf8b371b23f821d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:50:02 +0100 +Subject: usb: renesas_usbhs: Reorder clock handling and power management in + probe + +From: Lad Prabhakar + +[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ] + +Reorder the initialization sequence in `usbhs_probe()` to enable runtime +PM before accessing registers, preventing potential crashes due to +uninitialized clocks. + +Currently, in the probe path, registers are accessed before enabling the +clocks, leading to a synchronous external abort on the RZ/V2H SoC. +The problematic call flow is as follows: + + usbhs_probe() + usbhs_sys_clock_ctrl() + usbhs_bset() + usbhs_write() + iowrite16() <-- Register access before enabling clocks + +Since `iowrite16()` is performed without ensuring the required clocks are +enabled, this can lead to access errors. To fix this, enable PM runtime +early in the probe function and ensure clocks are acquired before register +access, preventing crashes like the following on RZ/V2H: + +[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP +[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 +[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 +[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) +[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] +[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] +[13.321138] sp : ffff8000827e3850 +[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 +[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 +[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 +[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff +[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce +[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 +[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 +[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c +[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 +[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 +[13.395574] Call trace: +[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) +[13.403076] platform_probe+0x68/0xdc +[13.406738] really_probe+0xbc/0x2c0 +[13.410306] __driver_probe_device+0x78/0x120 +[13.414653] driver_probe_device+0x3c/0x154 +[13.418825] __driver_attach+0x90/0x1a0 +[13.422647] bus_for_each_dev+0x7c/0xe0 +[13.426470] driver_attach+0x24/0x30 +[13.430032] bus_add_driver+0xe4/0x208 +[13.433766] driver_register+0x68/0x130 +[13.437587] __platform_driver_register+0x24/0x30 +[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] +[13.448450] do_one_initcall+0x60/0x1d4 +[13.452276] do_init_module+0x54/0x1f8 +[13.456014] load_module+0x1754/0x1c98 +[13.459750] init_module_from_file+0x88/0xcc +[13.464004] __arm64_sys_finit_module+0x1c4/0x328 +[13.468689] invoke_syscall+0x48/0x104 +[13.472426] el0_svc_common.constprop.0+0xc0/0xe0 +[13.477113] do_el0_svc+0x1c/0x28 +[13.480415] el0_svc+0x30/0xcc +[13.483460] el0t_64_sync_handler+0x10c/0x138 +[13.487800] el0t_64_sync+0x198/0x19c +[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) +[13.497522] ---[ end trace 0000000000000000 ]--- + +Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Lad Prabhakar +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++------- + 1 file changed, 38 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c +index 9af61f17dfc75..6343ef4e184b5 100644 +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -674,10 +674,29 @@ static int usbhs_probe(struct platform_device *pdev) + INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug); + spin_lock_init(usbhs_priv_to_lock(priv)); + ++ /* ++ * Acquire clocks and enable power management (PM) early in the ++ * probe process, as the driver accesses registers during ++ * initialization. Ensure the device is active before proceeding. ++ */ ++ pm_runtime_enable(dev); ++ ++ ret = usbhsc_clk_get(dev, priv); ++ if (ret) ++ goto probe_pm_disable; ++ ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret) ++ goto probe_clk_put; ++ ++ ret = usbhsc_clk_prepare_enable(priv); ++ if (ret) ++ goto probe_pm_put; ++ + /* call pipe and module init */ + ret = usbhs_pipe_probe(priv); + if (ret < 0) +- return ret; ++ goto probe_clk_dis_unprepare; + + ret = usbhs_fifo_probe(priv); + if (ret < 0) +@@ -694,10 +713,6 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) + goto probe_fail_rst; + +- ret = usbhsc_clk_get(dev, priv); +- if (ret) +- goto probe_fail_clks; +- + /* + * deviece reset here because + * USB device might be used in boot loader. +@@ -710,7 +725,7 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) { + dev_warn(dev, "USB function not selected (GPIO)\n"); + ret = -ENOTSUPP; +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + } + +@@ -724,14 +739,19 @@ static int usbhs_probe(struct platform_device *pdev) + ret = usbhs_platform_call(priv, hardware_init, pdev); + if (ret < 0) { + dev_err(dev, "platform init failed.\n"); +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + + /* reset phy for connection */ + usbhs_platform_call(priv, phy_reset, pdev); + +- /* power control */ +- pm_runtime_enable(dev); ++ /* ++ * Disable the clocks that were enabled earlier in the probe path, ++ * and let the driver handle the clocks beyond this point. ++ */ ++ usbhsc_clk_disable_unprepare(priv); ++ pm_runtime_put(dev); ++ + if (!usbhs_get_dparam(priv, runtime_pwctrl)) { + usbhsc_power_ctrl(priv, 1); + usbhs_mod_autonomy_mode(priv); +@@ -748,9 +768,7 @@ static int usbhs_probe(struct platform_device *pdev) + + return ret; + +-probe_end_mod_exit: +- usbhsc_clk_put(priv); +-probe_fail_clks: ++probe_assert_rest: + reset_control_assert(priv->rsts); + probe_fail_rst: + usbhs_mod_remove(priv); +@@ -758,6 +776,14 @@ static int usbhs_probe(struct platform_device *pdev) + usbhs_fifo_remove(priv); + probe_end_pipe_exit: + usbhs_pipe_remove(priv); ++probe_clk_dis_unprepare: ++ usbhsc_clk_disable_unprepare(priv); ++probe_pm_put: ++ pm_runtime_put(dev); ++probe_clk_put: ++ usbhsc_clk_put(priv); ++probe_pm_disable: ++ pm_runtime_disable(dev); + + dev_info(dev, "probe failed (%d)\n", ret); + +-- +2.39.5 + diff --git a/queue-6.1/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch b/queue-6.1/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch new file mode 100644 index 0000000000..34cb17dc4b --- /dev/null +++ b/queue-6.1/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch @@ -0,0 +1,45 @@ +From a40ed3185e4ba59bc6e22c91ffe8791652d9c0d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:46:47 +0800 +Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation + +From: Li RongQing + +[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ] + +When setting up dirty page tracking at the vfio IOMMU backend for +device migration, if an error is encountered allocating a tracking +bitmap, the unwind loop fails to free previously allocated tracking +bitmaps. This occurs because the wrong loop index is used to +generate the tracking object. This results in unintended memory +usage for the life of the current DMA mappings where bitmaps were +successfully allocated. + +Use the correct loop index to derive the tracking object for +freeing during unwind. + +Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking") +Signed-off-by: Li RongQing +Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 18a2dbbc77799..26fac124231f5 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -299,7 +299,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize) + struct rb_node *p; + + for (p = rb_prev(n); p; p = rb_prev(p)) { +- struct vfio_dma *dma = rb_entry(n, ++ struct vfio_dma *dma = rb_entry(p, + struct vfio_dma, node); + + vfio_dma_bitmap_free(dma); +-- +2.39.5 + diff --git a/queue-6.1/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch b/queue-6.1/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch new file mode 100644 index 0000000000..2752b465f5 --- /dev/null +++ b/queue-6.1/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch @@ -0,0 +1,82 @@ +From 9f6c6532d34c84ffd098f2de80d572b976a0c2b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:27:00 +0000 +Subject: vmxnet3: correctly report gso type for UDP tunnels + +From: Ronak Doshi + +[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ] + +Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing +in a tunnel") added checks in linux stack to not accept non-tunnel +GRO packets landing in a tunnel. This exposed an issue in vmxnet3 +which was not correctly reporting GRO packets for tunnel packets. + +This patch fixes this issue by setting correct GSO type for the +tunnel packets. + +Currently, vmxnet3 does not support reporting inner fields for LRO +tunnel packets. The issue is not seen for egress drivers that do not +use skb inner fields. The workaround is to enable tnl-segmentation +offload on the egress interfaces if the driver supports it. This +problem pre-exists this patch fix and can be addressed as a separate +future patch. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com +[pabeni@redhat.com: dropped the changelog] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index da488cbb05428..8714e49004842 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1407,6 +1407,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb, + return (hlen + (hdr.tcp->doff << 2)); + } + ++static void ++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto) ++{ ++ struct udphdr *uh = NULL; ++ ++ if (ip_proto == htons(ETH_P_IP)) { ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ if (iph->protocol == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } else { ++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data; ++ ++ if (iph->nexthdr == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } ++ if (uh) { ++ if (uh->check) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM; ++ else ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL; ++ } ++} ++ + static int + vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + struct vmxnet3_adapter *adapter, int quota) +@@ -1663,6 +1687,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + if (segCnt != 0 && mss != 0) { + skb_shinfo(skb)->gso_type = rcd->v4 ? + SKB_GSO_TCPV4 : SKB_GSO_TCPV6; ++ if (encap_lro) ++ vmxnet3_lro_tunnel(skb, skb->protocol); + skb_shinfo(skb)->gso_size = mss; + skb_shinfo(skb)->gso_segs = segCnt; + } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) { +-- +2.39.5 + diff --git a/queue-6.1/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch b/queue-6.1/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch new file mode 100644 index 0000000000..df72bbbd15 --- /dev/null +++ b/queue-6.1/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch @@ -0,0 +1,39 @@ +From aaa09baec9d38eb599cff5704c947d10cd9314b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:30:52 -0400 +Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() + +From: Nicolas Pitre + +[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ] + +They are listed amon those cmd values that "treat 'arg' as an integer" +which is wrong. They should instead fall into the default case. Probably +nobody ever relied on that code since 2009 but still. + +Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver") +Signed-off-by: Nicolas Pitre +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index 8c685b5014044..5b21b60547da1 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -1105,8 +1105,6 @@ long vt_compat_ioctl(struct tty_struct *tty, + case VT_WAITACTIVE: + case VT_RELDISP: + case VT_DISALLOCATE: +- case VT_RESIZE: +- case VT_RESIZEX: + return vt_ioctl(tty, cmd, arg); + + /* +-- +2.39.5 + diff --git a/queue-6.1/watchdog-exar-shorten-identity-name-to-fit-correctly.patch b/queue-6.1/watchdog-exar-shorten-identity-name-to-fit-correctly.patch new file mode 100644 index 0000000000..ca88fa9adf --- /dev/null +++ b/queue-6.1/watchdog-exar-shorten-identity-name-to-fit-correctly.patch @@ -0,0 +1,44 @@ +From cf371abc33e8ca9ccaf755ba2cd1c42e7c44b7c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:52:49 -0700 +Subject: watchdog: exar: Shorten identity name to fit correctly + +From: Kees Cook + +[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ] + +The static initializer for struct watchdog_info::identity is too long +and gets initialized without a trailing NUL byte. Since the length +of "identity" is part of UAPI and tied to ioctls, just shorten +the name of the device. Avoids the warning seen with GCC 15's +-Wunterminated-string-initialization option: + +drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization] + 224 | .identity = "Exar/MaxLinear XR28V38x Watchdog", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver") +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/watchdog/exar_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c +index 7c61ff3432711..c2e3bb08df899 100644 +--- a/drivers/watchdog/exar_wdt.c ++++ b/drivers/watchdog/exar_wdt.c +@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = { + .options = WDIOF_KEEPALIVEPING | + WDIOF_SETTIMEOUT | + WDIOF_MAGICCLOSE, +- .identity = "Exar/MaxLinear XR28V38x Watchdog", ++ .identity = "Exar XR28V38x Watchdog", + }; + + static const struct watchdog_ops exar_wdt_ops = { +-- +2.39.5 + diff --git a/queue-6.1/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch b/queue-6.1/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch new file mode 100644 index 0000000000..02a803a9f2 --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch @@ -0,0 +1,83 @@ +From 9acd9dd04df1eea60306352d32e544b34dce5e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 13:31:45 +0800 +Subject: wifi: ath11k: fix node corruption in ar->arvifs list + +From: Stone Zhang + +[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ] + +In current WLAN recovery code flow, ath11k_core_halt() only +reinitializes the "arvifs" list head. This will cause the +list node immediately following the list head to become an +invalid list node. Because the prev of that node still points +to the list head "arvifs", but the next of the list head "arvifs" +no longer points to that list node. + +When a WLAN recovery occurs during the execution of a vif +removal, and it happens before the spin_lock_bh(&ar->data_lock) +in ath11k_mac_op_remove_interface(), list_del() will detect the +previously mentioned situation, thereby triggering a kernel panic. + +The fix is to remove and reinitialize all vif list nodes from the +list head "arvifs" during WLAN halt. The reinitialization is to make +the list nodes valid, ensuring that the list_del() in +ath11k_mac_op_remove_interface() can execute normally. + +Call trace: +__list_del_entry_valid_or_report+0xb8/0xd0 +ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] +drv_remove_interface+0x48/0x194 [mac80211] +ieee80211_do_stop+0x6e0/0x844 [mac80211] +ieee80211_stop+0x44/0x17c [mac80211] +__dev_close_many+0xac/0x150 +__dev_change_flags+0x194/0x234 +dev_change_flags+0x24/0x6c +devinet_ioctl+0x3a0/0x670 +inet_ioctl+0x200/0x248 +sock_do_ioctl+0x60/0x118 +sock_ioctl+0x274/0x35c +__arm64_sys_ioctl+0xac/0xf0 +invoke_syscall+0x48/0x114 +... + +Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Stone Zhang +Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 893fefadbba96..ef269244fe495 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -1621,6 +1621,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) + void ath11k_core_halt(struct ath11k *ar) + { + struct ath11k_base *ab = ar->ab; ++ struct list_head *pos, *n; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -1635,7 +1636,12 @@ void ath11k_core_halt(struct ath11k *ar) + + rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL); + synchronize_rcu(); +- INIT_LIST_HEAD(&ar->arvifs); ++ ++ spin_lock_bh(&ar->data_lock); ++ list_for_each_safe(pos, n, &ar->arvifs) ++ list_del_init(pos); ++ spin_unlock_bh(&ar->data_lock); ++ + idr_init(&ar->txmgmt_idr); + } + +-- +2.39.5 + diff --git a/queue-6.1/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch b/queue-6.1/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch new file mode 100644 index 0000000000..8248e9c89f --- /dev/null +++ b/queue-6.1/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch @@ -0,0 +1,48 @@ +From b1fcdd2a0a014d1eb3e379dfb8be85647dc0f7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:22:16 +0200 +Subject: wifi: ath9k_htc: Abort software beacon handling if disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ] + +A malicious USB device can send a WMI_SWBA_EVENTID event from an +ath9k_htc-managed device before beaconing has been enabled. This causes +a device-by-zero error in the driver, leading to either a crash or an +out of bounds read. + +Prevent this by aborting the handling in ath9k_htc_swba() if beacons are +not enabled. + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/r/88967.1743099372@localhost +Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +index 533471e694007..18c7654bc539d 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, + struct ath_common *common = ath9k_hw_common(priv->ah); + int slot; + ++ if (!priv->cur_beacon_conf.enable_beacon) ++ return; ++ + if (swba->beacon_pending != 0) { + priv->beacon.bmisscnt++; + if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) { +-- +2.39.5 + diff --git a/queue-6.1/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch b/queue-6.1/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch new file mode 100644 index 0000000000..b899aab70c --- /dev/null +++ b/queue-6.1/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch @@ -0,0 +1,42 @@ +From db0c31649c0386d82e53ec570c6879e47a980f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 12:07:20 +0300 +Subject: wifi: rtw88: do not ignore hardware read error during DPK + +From: Dmitry Antipov + +[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ] + +In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned +by 'check_hw_ready()' but issue a warning to denote possible +DPK issue. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support") +Suggested-by: Ping-Ke Shih +Signed-off-by: Dmitry Antipov +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index c6dacfde92005..d1b9031536496 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -3973,7 +3973,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev) + rtw_write32(rtwdev, REG_NCTL0, 0x00001148); + rtw_write32(rtwdev, REG_NCTL0, 0x00001149); + +- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55); ++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55)) ++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal"); + + rtw_write8(rtwdev, 0x1b10, 0x0); + rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c); +-- +2.39.5 + diff --git a/queue-6.1/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch b/queue-6.1/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch new file mode 100644 index 0000000000..55bfd05cb8 --- /dev/null +++ b/queue-6.1/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch @@ -0,0 +1,48 @@ +From 83903ae59986a9b094b5d2f05aecd3dd022debb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:13:04 +0000 +Subject: wifi: rtw88: fix the 'para' buffer size to avoid reading out of + bounds + +From: Alexey Kodanev + +[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ] + +Set the size to 6 instead of 2, since 'para' array is passed to +'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads +5 bytes: + +void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) +{ + ... + SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); + SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); + ... + SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); + +Detected using the static analysis tool - Svace. +Fixes: 4136214f7c46 ("rtw88: add BT co-existence support") +Signed-off-by: Alexey Kodanev +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/coex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c +index 8627ab0ce3bdf..1a9336c595c12 100644 +--- a/drivers/net/wireless/realtek/rtw88/coex.c ++++ b/drivers/net/wireless/realtek/rtw88/coex.c +@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type) + { + struct rtw_coex *coex = &rtwdev->coex; + struct rtw_coex_stat *coex_stat = &coex->stat; +- u8 para[2] = {0}; ++ u8 para[6] = {}; + u8 times; + u16 tbtt_interval = coex_stat->wl_beacon_interval; + +-- +2.39.5 + diff --git a/queue-6.1/wireguard-device-enable-threaded-napi.patch b/queue-6.1/wireguard-device-enable-threaded-napi.patch new file mode 100644 index 0000000000..4a8a8a30ea --- /dev/null +++ b/queue-6.1/wireguard-device-enable-threaded-napi.patch @@ -0,0 +1,79 @@ +From cde9c494aae2de55cf49268984c56bd62fe81a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 14:06:16 +0200 +Subject: wireguard: device: enable threaded NAPI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirco Barone + +[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ] + +Enable threaded NAPI by default for WireGuard devices in response to low +performance behavior that we observed when multiple tunnels (and thus +multiple wg devices) are deployed on a single host. This affects any +kind of multi-tunnel deployment, regardless of whether the tunnels share +the same endpoints or not (i.e., a VPN concentrator type of gateway +would also be affected). + +The problem is caused by the fact that, in case of a traffic surge that +involves multiple tunnels at the same time, the polling of the NAPI +instance of all these wg devices tends to converge onto the same core, +causing underutilization of the CPU and bottlenecking performance. + +This happens because NAPI polling is hosted by default in softirq +context, but the WireGuard driver only raises this softirq after the rx +peer queue has been drained, which doesn't happen during high traffic. +In this case, the softirq already active on a core is reused instead of +raising a new one. + +As a result, once two or more tunnel softirqs have been scheduled on +the same core, they remain pinned there until the surge ends. + +In our experiments, this almost always leads to all tunnel NAPIs being +handled on a single core shortly after a surge begins, limiting +scalability to less than 3× the performance of a single tunnel, despite +plenty of unused CPU cores being available. + +The proposed mitigation is to enable threaded NAPI for all WireGuard +devices. This moves the NAPI polling context to a dedicated per-device +kernel thread, allowing the scheduler to balance the load across all +available cores. + +On our 32-core gateways, enabling threaded NAPI yields a ~4× performance +improvement with 16 tunnels, increasing throughput from ~13 Gbps to +~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck) +jumps from 20% to 100%. + +We have found no performance regressions in any scenario we tested. +Single-tunnel throughput remains unchanged. + +More details are available in our Netdev paper. + +Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf +Signed-off-by: Mirco Barone +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireguard/device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c +index 895a621c9e267..531332e169df8 100644 +--- a/drivers/net/wireguard/device.c ++++ b/drivers/net/wireguard/device.c +@@ -368,6 +368,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev, + if (ret < 0) + goto err_free_handshake_queue; + ++ dev_set_threaded(dev, true); + ret = register_netdevice(dev); + if (ret < 0) + goto err_uninit_ratelimiter; +-- +2.39.5 + diff --git a/queue-6.1/x86-cpu-sanitize-cpuid-0x80000000-output.patch b/queue-6.1/x86-cpu-sanitize-cpuid-0x80000000-output.patch new file mode 100644 index 0000000000..4c442172dd --- /dev/null +++ b/queue-6.1/x86-cpu-sanitize-cpuid-0x80000000-output.patch @@ -0,0 +1,92 @@ +From edeab20c4cf1ab27b25a930e1908f55a0a78cffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 07:04:13 +0200 +Subject: x86/cpu: Sanitize CPUID(0x80000000) output + +From: Ahmed S. Darwish + +[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ] + +CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On +x86-32 machines without an extended CPUID range, a CPUID(0x80000000) +query will just repeat the output of the last valid standard CPUID leaf +on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against +this by doing: + + eax = cpuid_eax(0x80000000); + c->extended_cpuid_level = eax; + + if ((eax & 0xffff0000) == 0x80000000) { + // CPU has an extended CPUID range. Check for 0x80000001 + if (eax >= 0x80000001) { + cpuid(0x80000001, ...); + } + } + +This is correct so far. Afterwards though, the same possibly broken EAX +value is used to check the availability of other extended CPUID leaves: + + if (c->extended_cpuid_level >= 0x80000007) + ... + if (c->extended_cpuid_level >= 0x80000008) + ... + if (c->extended_cpuid_level >= 0x8000000a) + ... + if (c->extended_cpuid_level >= 0x8000001f) + ... + +which is invalid. Fix this by immediately setting the CPU's max extended +CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid +CPUID extended range. + +While at it, add a comment, similar to kernel/head_32.S, clarifying the +CPUID(0x80000000) sanity check. + +References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX") +Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: Andrew Cooper +Cc: H. Peter Anvin +Cc: John Ogness +Cc: x86-cpuid@lists.linux.dev +Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/common.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 48cc1612df49f..722eac51beae6 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1045,17 +1045,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_D_1_EAX] = eax; + } + +- /* AMD-defined flags: level 0x80000001 */ ++ /* ++ * Check if extended CPUID leaves are implemented: Max extended ++ * CPUID leaf must be in the 0x80000001-0x8000ffff range. ++ */ + eax = cpuid_eax(0x80000000); +- c->extended_cpuid_level = eax; ++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0; + +- if ((eax & 0xffff0000) == 0x80000000) { +- if (eax >= 0x80000001) { +- cpuid(0x80000001, &eax, &ebx, &ecx, &edx); ++ if (c->extended_cpuid_level >= 0x80000001) { ++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx); + +- c->x86_capability[CPUID_8000_0001_ECX] = ecx; +- c->x86_capability[CPUID_8000_0001_EDX] = edx; +- } ++ c->x86_capability[CPUID_8000_0001_ECX] = ecx; ++ c->x86_capability[CPUID_8000_0001_EDX] = edx; + } + + if (c->extended_cpuid_level >= 0x80000007) { +-- +2.39.5 + diff --git a/queue-6.1/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch b/queue-6.1/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch new file mode 100644 index 0000000000..55ac79c165 --- /dev/null +++ b/queue-6.1/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch @@ -0,0 +1,47 @@ +From f7ecb9d2b22dd56d878043f4b455015bdb576286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 17:06:33 +0000 +Subject: x86/mtrr: Check if fixed-range MTRRs exist in + mtrr_save_fixed_ranges() + +From: Jiaqing Zhao + +[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ] + +When suspending, save_processor_state() calls mtrr_save_fixed_ranges() +to save fixed-range MTRRs. + +On platforms without fixed-range MTRRs like the ACRN hypervisor which +has removed fixed-range MTRR emulation, accessing these MSRs will +trigger an unchecked MSR access error. Make sure fixed-range MTRRs are +supported before access to prevent such error. + +Since mtrr_state.have_fixed is only set when MTRRs are present and +enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is +unnecessary. + +Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending") +Signed-off-by: Jiaqing Zhao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index 558108296f3cf..31549e7f6b7c6 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs) + + void mtrr_save_fixed_ranges(void *info) + { +- if (boot_cpu_has(X86_FEATURE_MTRR)) ++ if (mtrr_state.have_fixed) + get_fixed_ranges(mtrr_state.fixed_ranges); + } + +-- +2.39.5 +