From: Greg Kroah-Hartman
Date: Fri, 20 Jun 2025 09:21:18 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.295~150
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09e6e7c3f01178cb881e1879f85c807b1609590c;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
    dm-mirror-fix-a-tiny-race-condition.patch
    ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch
    mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch
    mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch
    mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch
    net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch
    pci-add-acs-quirk-for-loongson-pcie.patch
    pci-cadence-ep-correct-pba-offset-in-.set_msix-callback.patch
    pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch
    pci-fix-lock-symmetry-in-pci_slot_unlock.patch
    regulator-max14577-add-error-check-for-max14577_read_reg.patch
    remoteproc-core-cleanup-acquired-resources-when-rproc_handle_resources-fails-in-rproc_attach.patch
    remoteproc-core-release-rproc-clean_table-after-rproc_attach-fails.patch
    staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch
    uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch
---
diff --git a/queue-5.15/dm-mirror-fix-a-tiny-race-condition.patch b/queue-5.15/dm-mirror-fix-a-tiny-race-condition.patch new file mode 100644 index 0000000000..e843e8bc46 --- /dev/null +++ b/queue-5.15/dm-mirror-fix-a-tiny-race-condition.patch 
@@ -0,0 +1,53 @@ +From 829451beaed6165eb11d7a9fb4e28eb17f489980 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 3 Jun 2025 18:53:17 +0200 +Subject: dm-mirror: fix a tiny race condition + +From: Mikulas Patocka + +commit 829451beaed6165eb11d7a9fb4e28eb17f489980 upstream. + +There's a tiny race condition in dm-mirror. The functions queue_bio and +write_callback grab a spinlock, add a bio to the list, drop the spinlock +and wake up the mirrord thread that processes bios in the list. + +It may be possible that the mirrord thread processes the bio just after +spin_unlock_irqrestore is called, before wakeup_mirrord. This spurious +wake-up is normally harmless, however if the device mapper device is +unloaded just after the bio was processed, it may be possible that +wakeup_mirrord(ms) uses invalid "ms" pointer. + +Fix this bug by moving wakeup_mirrord inside the spinlock. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid1.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -128,10 +128,9 @@ static void queue_bio(struct mirror_set + spin_lock_irqsave(&ms->lock, flags); + should_wake = !(bl->head); + bio_list_add(bl, bio); +- spin_unlock_irqrestore(&ms->lock, flags); +- + if (should_wake) + wakeup_mirrord(ms); ++ spin_unlock_irqrestore(&ms->lock, flags); + } + + static void dispatch_bios(void *context, struct bio_list *bio_list) +@@ -638,9 +637,9 @@ static void write_callback(unsigned long + if (!ms->failures.head) + should_wake = 1; + bio_list_add(&ms->failures, bio); +- spin_unlock_irqrestore(&ms->lock, flags); + if (should_wake) + wakeup_mirrord(ms); ++ spin_unlock_irqrestore(&ms->lock, flags); + } + + static void do_write(struct mirror_set *ms, struct bio *bio) 
diff --git a/queue-5.15/ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch b/queue-5.15/ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch new file mode 100644 index 0000000000..633192f378 --- /dev/null +++ b/queue-5.15/ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch 
@@ -0,0 +1,112 @@ +From f914b52c379c12288b7623bb814d0508dbe7481d Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 29 May 2025 19:19:54 +0800 +Subject: ftrace: Fix UAF when lookup kallsym after ftrace disabled + +From: Ye Bin + +commit f914b52c379c12288b7623bb814d0508dbe7481d upstream. + +The following issue happens with a buggy module: + +BUG: unable to handle page fault for address: ffffffffc05d0218 +PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0 +Oops: Oops: 0000 [#1] SMP KASAN PTI +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +RIP: 0010:sized_strscpy+0x81/0x2f0 +RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000 +RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d +RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68 +R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038 +R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff +FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ftrace_mod_get_kallsym+0x1ac/0x590 + update_iter_mod+0x239/0x5b0 + s_next+0x5b/0xa0 + seq_read_iter+0x8c9/0x1070 + seq_read+0x249/0x3b0 + proc_reg_read+0x1b0/0x280 + vfs_read+0x17f/0x920 + ksys_read+0xf3/0x1c0 + do_syscall_64+0x5f/0x2e0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The above issue may happen as follows: +(1) Add kprobe tracepoint; +(2) insmod test.ko; +(3) Module triggers ftrace disabled; +(4) rmmod test.ko; +(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed; +ftrace_mod_get_kallsym() +... +strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); +... 
+ +The problem is when a module triggers an issue with ftrace and +sets ftrace_disable. The ftrace_disable is set when an anomaly is +discovered and to prevent any more damage, ftrace stops all text +modification. The issue that happened was that the ftrace_disable stops +more than just the text modification. + +When a module is loaded, its init functions can also be traced. Because +kallsyms deletes the init functions after a module has loaded, ftrace +saves them when the module is loaded and function tracing is enabled. This +allows the output of the function trace to show the init function names +instead of just their raw memory addresses. + +When a module is removed, ftrace_release_mod() is called, and if +ftrace_disable is set, it just returns without doing anything more. The +problem here is that it leaves the mod_list still around and if kallsyms +is called, it will call into this code and access the module memory that +has already been freed as it will return: + + strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); + +Where the "mod" no longer exists and triggers a UAF bug. + +Link: https://lore.kernel.org/all/20250523135452.626d8dcd@gandalf.local.home/ + +Cc: stable@vger.kernel.org +Fixes: aba4b5c22cba ("ftrace: Save module init functions kallsyms symbols for tracing") +Link: https://lore.kernel.org/20250529111955.2349189-2-yebin@huaweicloud.com +Signed-off-by: Ye Bin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6468,9 +6468,10 @@ void ftrace_release_mod(struct module *m + + mutex_lock(&ftrace_lock); + +- if (ftrace_disabled) +- goto out_unlock; +- ++ /* ++ * To avoid the UAF problem after the module is unloaded, the ++ * 'mod_map' resource needs to be released unconditionally. 
++ */ + list_for_each_entry_safe(mod_map, n, &ftrace_mod_maps, list) { + if (mod_map->mod == mod) { + list_del_rcu(&mod_map->list); +@@ -6479,6 +6480,9 @@ void ftrace_release_mod(struct module *m + } + } + ++ if (ftrace_disabled) ++ goto out_unlock; ++ + /* + * Each module has its own ftrace_pages, remove + * them from the list. diff --git a/queue-5.15/mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch b/queue-5.15/mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch new file mode 100644 index 0000000000..078fd6e3a1 --- /dev/null +++ b/queue-5.15/mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch 
@@ -0,0 +1,47 @@ +From 0f4ae7c6ecb89bfda026d210dcf8216fb67d2333 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Sat, 29 Mar 2025 08:39:03 -0700 +Subject: mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS + +From: Khem Raj + +commit 0f4ae7c6ecb89bfda026d210dcf8216fb67d2333 upstream. + +GCC 15 changed the default C standard dialect from gnu17 to gnu23, +which should not have impacted the kernel because it explicitly requests +the gnu11 standard in the main Makefile. However, mips/vdso code uses +its own CFLAGS without a '-std=' value, which break with this dialect +change because of the kernel's own definitions of bool, false, and true +conflicting with the C23 reserved keywords. + + include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant + 11 | false = 0, + | ^~~~~ + include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards + include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' + 35 | typedef _Bool bool; + | ^~~~ + include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards + +Add -std as specified in KBUILD_CFLAGS to the decompressor and purgatory +CFLAGS to eliminate these errors and make the C standard version of these +areas match the rest of the kernel. + +Signed-off-by: Khem Raj +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/vdso/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -29,6 +29,7 @@ endif + # offsets. + cflags-vdso := $(ccflags-vdso) \ + $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \ ++ $(filter -std=%,$(KBUILD_CFLAGS)) \ + -O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \ + -mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \ + -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \ 
diff --git a/queue-5.15/mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch b/queue-5.15/mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch new file mode 100644 index 0000000000..f8d63827ce --- /dev/null +++ b/queue-5.15/mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch @@ -0,0 +1,34 @@ +From 4a5a99bc79cdc4be63933653682b0261a67a0c9f Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Mon, 19 May 2025 23:42:24 +0800 +Subject: mtd: nand: sunxi: Add randomizer configuration before randomizer enable + +From: Wentao Liang + +commit 4a5a99bc79cdc4be63933653682b0261a67a0c9f upstream. + +In sunxi_nfc_hw_ecc_read_chunk(), the sunxi_nfc_randomizer_enable() is +called without the config of randomizer. A proper implementation can be +found in sunxi_nfc_hw_ecc_read_chunks_dma(). + +Add sunxi_nfc_randomizer_config() before the start of randomization. + +Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support") +Cc: stable@vger.kernel.org # v4.6 +Signed-off-by: Wentao Liang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/sunxi_nand.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/raw/sunxi_nand.c ++++ b/drivers/mtd/nand/raw/sunxi_nand.c +@@ -829,6 +829,7 @@ static int sunxi_nfc_hw_ecc_read_chunk(s + if (ret) + return ret; + ++ sunxi_nfc_randomizer_config(nand, page, false); + sunxi_nfc_randomizer_enable(nand); + writel(NFC_DATA_TRANS | NFC_DATA_SWAP_METHOD | NFC_ECC_OP, + nfc->regs + NFC_REG_CMD); diff --git a/queue-5.15/mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch b/queue-5.15/mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch new file mode 100644 index 0000000000..afcf1c597f --- /dev/null +++ b/queue-5.15/mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch 
@@ -0,0 +1,36 @@ +From 44ed1f5ff73e9e115b6f5411744d5a22ea1c855b Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Mon, 26 May 2025 11:43:44 +0800 +Subject: mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk + +From: Wentao Liang + +commit 44ed1f5ff73e9e115b6f5411744d5a22ea1c855b upstream. + +The function sunxi_nfc_hw_ecc_write_chunk() calls the +sunxi_nfc_hw_ecc_write_chunk(), but does not call the configuration +function sunxi_nfc_randomizer_config(). Consequently, the randomization +might not conduct correctly, which will affect the lifespan of NAND flash. +A proper implementation can be found in sunxi_nfc_hw_ecc_write_page_dma(). + +Add the sunxi_nfc_randomizer_config() to config randomizer. + +Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support") +Cc: stable@vger.kernel.org # v4.6 +Signed-off-by: Wentao Liang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/sunxi_nand.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/raw/sunxi_nand.c ++++ b/drivers/mtd/nand/raw/sunxi_nand.c +@@ -1061,6 +1061,7 @@ static int sunxi_nfc_hw_ecc_write_chunk( + if (ret) + return ret; + ++ sunxi_nfc_randomizer_config(nand, page, false); + sunxi_nfc_randomizer_enable(nand); + sunxi_nfc_hw_ecc_set_prot_oob_bytes(nand, oob, 0, bbm, page); + diff --git a/queue-5.15/net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch b/queue-5.15/net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch new file mode 100644 index 0000000000..9e90f4ca4e --- /dev/null +++ b/queue-5.15/net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch 
@@ -0,0 +1,69 @@ +From 9ad0452c0277b816a435433cca601304cfac7c21 Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz +Date: Mon, 26 May 2025 19:36:07 +0100 +Subject: net: ch9200: fix uninitialised access during mii_nway_restart + +From: Qasim Ijaz + +commit 9ad0452c0277b816a435433cca601304cfac7c21 upstream. + +In mii_nway_restart() the code attempts to call +mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() +utilises a local buffer called "buff", which is initialised +with control_read(). However "buff" is conditionally +initialised inside control_read(): + + if (err == size) { + memcpy(data, buf, size); + } + +If the condition of "err == size" is not met, then +"buff" remains uninitialised. Once this happens the +uninitialised "buff" is accessed and returned during +ch9200_mdio_read(): + + return (buff[0] | buff[1] << 8); + +The problem stems from the fact that ch9200_mdio_read() +ignores the return value of control_read(), leading to +uinit-access of "buff". + +To fix this we should check the return value of +control_read() and return early on error. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9 +Tested-by: syzbot +Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices") +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz +Link: https://patch.msgid.link/20250526183607.66527-1-qasdev00@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ch9200.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/ch9200.c ++++ b/drivers/net/usb/ch9200.c +@@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_d + { + struct usbnet *dev = netdev_priv(netdev); + unsigned char buff[2]; ++ int ret; + + netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n", + __func__, phy_id, loc); +@@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_d + if (phy_id != 0) + return -ENODEV; + +- control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, +- CONTROL_TIMEOUT_MS); ++ ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, ++ CONTROL_TIMEOUT_MS); ++ if (ret < 0) ++ return ret; + + return (buff[0] | buff[1] << 8); + } diff --git a/queue-5.15/pci-add-acs-quirk-for-loongson-pcie.patch b/queue-5.15/pci-add-acs-quirk-for-loongson-pcie.patch new file mode 100644 index 0000000000..6d7d9f10d6 --- /dev/null +++ b/queue-5.15/pci-add-acs-quirk-for-loongson-pcie.patch 
@@ -0,0 +1,62 @@ +From 1f3303aa92e15fa273779acac2d0023609de30f1 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 3 Apr 2025 12:07:56 +0800 +Subject: PCI: Add ACS quirk for Loongson PCIe + +From: Huacai Chen + +commit 1f3303aa92e15fa273779acac2d0023609de30f1 upstream. + +Loongson PCIe Root Ports don't advertise an ACS capability, but they do not +allow peer-to-peer transactions between Root Ports. Add an ACS quirk so +each Root Port can be in a separate IOMMU group. + +Signed-off-by: Xianglai Li +Signed-off-by: Huacai Chen +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250403040756.720409-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4854,6 +4854,18 @@ static int pci_quirk_brcm_acs(struct pci + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); + } + ++static int pci_quirk_loongson_acs(struct pci_dev *dev, u16 acs_flags) ++{ ++ /* ++ * Loongson PCIe Root Ports don't advertise an ACS capability, but ++ * they do not allow peer-to-peer transactions between Root Ports. ++ * Allow each Root Port to be in a separate IOMMU group by masking ++ * SV/RR/CR/UF bits. 
++ */ ++ return pci_acs_ctrl_enabled(acs_flags, ++ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); ++} ++ + /* + * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on + * multi-function devices, the hardware isolates the functions by +@@ -4987,6 +4999,17 @@ static const struct pci_dev_acs_enabled + { PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, ++ /* Loongson PCIe Root Ports */ ++ { PCI_VENDOR_ID_LOONGSON, 0x3C09, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x3C19, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x3C29, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A09, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A19, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A29, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A39, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A49, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A59, pci_quirk_loongson_acs }, ++ { PCI_VENDOR_ID_LOONGSON, 0x7A69, pci_quirk_loongson_acs }, + /* Amazon Annapurna Labs */ + { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, + /* Zhaoxin multi-function devices */ diff --git a/queue-5.15/pci-cadence-ep-correct-pba-offset-in-.set_msix-callback.patch b/queue-5.15/pci-cadence-ep-correct-pba-offset-in-.set_msix-callback.patch new file mode 100644 index 0000000000..484b402f83 --- /dev/null +++ b/queue-5.15/pci-cadence-ep-correct-pba-offset-in-.set_msix-callback.patch 
@@ -0,0 +1,62 @@ +From c8bcb01352a86bc5592403904109c22b66bd916e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Wed, 14 May 2025 09:43:15 +0200 +Subject: PCI: cadence-ep: Correct PBA offset in .set_msix() callback + +From: Niklas Cassel + +commit c8bcb01352a86bc5592403904109c22b66bd916e upstream. + +While cdns_pcie_ep_set_msix() writes the Table Size field correctly (N-1), +the calculation of the PBA offset is wrong because it calculates space for +(N-1) entries instead of N. + +This results in the following QEMU error when using PCI passthrough on a +device which relies on the PCI endpoint subsystem: + + failed to add PCI capability 0x11[0x50]@0xb0: table & pba overlap, or they don't fit in BARs, or don't align + +Fix the calculation of PBA offset in the MSI-X capability. + +[bhelgaas: more specific subject and commit log] + +Fixes: 3ef5d16f50f8 ("PCI: cadence: Add MSI-X support to Endpoint driver") +Signed-off-by: Niklas Cassel +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Reviewed-by: Wilfred Mallawa +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250514074313.283156-10-cassel@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c +@@ -294,13 +294,14 @@ static int cdns_pcie_ep_set_msix(struct + struct cdns_pcie *pcie = &ep->pcie; + u32 cap = CDNS_PCIE_EP_FUNC_MSIX_CAP_OFFSET; + u32 val, reg; ++ u16 actual_interrupts = interrupts + 1; + + fn = cdns_pcie_get_fn_from_vfn(pcie, fn, vfn); + + reg = cap + PCI_MSIX_FLAGS; + val = cdns_pcie_ep_fn_readw(pcie, fn, reg); + val &= ~PCI_MSIX_FLAGS_QSIZE; +- val |= interrupts; ++ val |= interrupts; /* 0's based value */ + cdns_pcie_ep_fn_writew(pcie, fn, reg, val); + + /* Set MSIX BAR and offset */ +@@ -310,7 +311,7 @@ static int 
cdns_pcie_ep_set_msix(struct + + /* Set PBA BAR and offset. BAR must match MSIX BAR */ + reg = cap + PCI_MSIX_PBA; +- val = (offset + (interrupts * PCI_MSIX_ENTRY_SIZE)) | bir; ++ val = (offset + (actual_interrupts * PCI_MSIX_ENTRY_SIZE)) | bir; + cdns_pcie_ep_fn_writel(pcie, fn, reg, val); + + return 0; diff --git a/queue-5.15/pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch b/queue-5.15/pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch new file mode 100644 index 0000000000..d09d942d36 --- /dev/null +++ b/queue-5.15/pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch 
@@ -0,0 +1,40 @@ +From 286ed198b899739862456f451eda884558526a9d Mon Sep 17 00:00:00 2001 +From: Diederik de Haas +Date: Thu, 17 Apr 2025 16:21:18 +0200 +Subject: PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() + +From: Diederik de Haas + +commit 286ed198b899739862456f451eda884558526a9d upstream. + +The documentation for the phy_power_off() function explicitly says that it +must be called before phy_exit(). + +Hence, follow the same rule in rockchip_pcie_phy_deinit(). + +Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver") +Signed-off-by: Diederik de Haas +[mani: commit message change] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Reviewed-by: Dragan Simic +Acked-by: Shawn Lin +Cc: stable@vger.kernel.org # v5.15+ +Link: https://patch.msgid.link/20250417142138.1377451-1-didi.debian@cknow.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-dw-rockchip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c ++++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c +@@ -178,8 +178,8 @@ static int rockchip_pcie_phy_init(struct + + static void rockchip_pcie_phy_deinit(struct rockchip_pcie *rockchip) + { +- phy_exit(rockchip->phy); + phy_power_off(rockchip->phy); ++ phy_exit(rockchip->phy); + } + + static int rockchip_pcie_reset_control_release(struct rockchip_pcie *rockchip) diff --git a/queue-5.15/pci-fix-lock-symmetry-in-pci_slot_unlock.patch b/queue-5.15/pci-fix-lock-symmetry-in-pci_slot_unlock.patch new file mode 100644 index 0000000000..58166097a2 --- /dev/null +++ b/queue-5.15/pci-fix-lock-symmetry-in-pci_slot_unlock.patch 
@@ -0,0 +1,48 @@ +From f3efb9569b4a21354ef2caf7ab0608a3e14cc6e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Mon, 5 May 2025 14:54:12 +0300 +Subject: PCI: Fix lock symmetry in pci_slot_unlock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit f3efb9569b4a21354ef2caf7ab0608a3e14cc6e4 upstream. + +The commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") +made the lock function to call depend on dev->subordinate but left +pci_slot_unlock() unmodified creating locking asymmetry compared with +pci_slot_lock(). + +Because of the asymmetric lock handling, the same bridge device is unlocked +twice. First pci_bus_unlock() unlocks bus->self and then pci_slot_unlock() +will unconditionally unlock the same bridge device. + +Move pci_dev_unlock() inside an else branch to match the logic in +pci_slot_lock(). + +Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Reviewed-by: Dave Jiang +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250505115412.37628-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5593,7 +5593,8 @@ static void pci_slot_unlock(struct pci_s + continue; + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } + } + diff --git a/queue-5.15/regulator-max14577-add-error-check-for-max14577_read_reg.patch b/queue-5.15/regulator-max14577-add-error-check-for-max14577_read_reg.patch new file mode 100644 index 0000000000..9f497e0f34 --- /dev/null +++ b/queue-5.15/regulator-max14577-add-error-check-for-max14577_read_reg.patch 
@@ -0,0 +1,44 @@ +From 65271f868cb1dca709ff69e45939bbef8d6d0b70 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Mon, 26 May 2025 10:56:27 +0800 +Subject: regulator: max14577: Add error check for max14577_read_reg() + +From: Wentao Liang + +commit 65271f868cb1dca709ff69e45939bbef8d6d0b70 upstream. + +The function max14577_reg_get_current_limit() calls the function +max14577_read_reg(), but does not check its return value. A proper +implementation can be found in max14577_get_online(). + +Add a error check for the max14577_read_reg() and return error code +if the function fails. + +Fixes: b0902bbeb768 ("regulator: max14577: Add regulator driver for Maxim 14577") +Cc: stable@vger.kernel.org # v3.14 +Signed-off-by: Wentao Liang +Link: https://patch.msgid.link/20250526025627.407-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/max14577-regulator.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/regulator/max14577-regulator.c ++++ b/drivers/regulator/max14577-regulator.c +@@ -40,11 +40,14 @@ static int max14577_reg_get_current_limi + struct max14577 *max14577 = rdev_get_drvdata(rdev); + const struct maxim_charger_current *limits = + &maxim_charger_currents[max14577->dev_type]; ++ int ret; + + if (rdev_get_id(rdev) != MAX14577_CHARGER) + return -EINVAL; + +- max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data); ++ ret = max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data); ++ if (ret < 0) ++ return ret; + + if ((reg_data & CHGCTRL4_MBCICHWRCL_MASK) == 0) + return limits->min; diff --git a/queue-5.15/remoteproc-core-cleanup-acquired-resources-when-rproc_handle_resources-fails-in-rproc_attach.patch b/queue-5.15/remoteproc-core-cleanup-acquired-resources-when-rproc_handle_resources-fails-in-rproc_attach.patch new file mode 100644 index 0000000000..993b4c4ef3 --- /dev/null 
+++ b/queue-5.15/remoteproc-core-cleanup-acquired-resources-when-rproc_handle_resources-fails-in-rproc_attach.patch 
@@ -0,0 +1,83 @@ +From 7692c9fbedd9087dc9050903f58095915458d9b1 Mon Sep 17 00:00:00 2001 +From: Xiaolei Wang +Date: Wed, 30 Apr 2025 17:20:42 +0800 +Subject: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() + +From: Xiaolei Wang + +commit 7692c9fbedd9087dc9050903f58095915458d9b1 upstream. + +When rproc->state = RPROC_DETACHED and rproc_attach() is used +to attach to the remote processor, if rproc_handle_resources() +returns a failure, the resources allocated by imx_rproc_prepare() +should be released, otherwise the following memory leak will occur. + +Since almost the same thing is done in imx_rproc_prepare() and +rproc_resource_cleanup(), Function rproc_resource_cleanup() is able +to deal with empty lists so it is better to fix the "goto" statements +in rproc_attach(). replace the "unprepare_device" goto statement with +"clean_up_resources" and get rid of the "unprepare_device" label. + +unreferenced object 0xffff0000861c5d00 (size 128): +comm "kworker/u12:3", pid 59, jiffies 4294893509 (age 149.220s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............ 
+backtrace: + [<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c + [<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0 + [<00000000521c0345>] kmalloc_trace+0x40/0x158 + [<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8 + [<000000002815755e>] imx_rproc_prepare+0xe0/0x180 + [<0000000003f61b4e>] rproc_boot+0x2ec/0x528 + [<00000000e7e994ac>] rproc_add+0x124/0x17c + [<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4 + [<00000000efc298a1>] platform_probe+0x68/0xd8 + [<00000000110be6fe>] really_probe+0x110/0x27c + [<00000000e245c0ae>] __driver_probe_device+0x78/0x12c + [<00000000f61f6f5e>] driver_probe_device+0x3c/0x118 + [<00000000a7874938>] __device_attach_driver+0xb8/0xf8 + [<0000000065319e69>] bus_for_each_drv+0x84/0xe4 + [<00000000db3eb243>] __device_attach+0xfc/0x18c + [<0000000072e4e1a4>] device_initial_probe+0x14/0x20 + +Fixes: 10a3d4079eae ("remoteproc: imx_rproc: move memory parsing to rproc_ops") +Suggested-by: Mathieu Poirier +Signed-off-by: Xiaolei Wang +Reviewed-by: Peng Fan +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250430092043.1819308-2-xiaolei.wang@windriver.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/remoteproc_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1726,7 +1726,7 @@ static int rproc_attach(struct rproc *rp + ret = rproc_set_rsc_table(rproc); + if (ret) { + dev_err(dev, "can't load resource table: %d\n", ret); +- goto unprepare_device; ++ goto clean_up_resources; + } + + /* reset max_notifyid */ +@@ -1743,7 +1743,7 @@ static int rproc_attach(struct rproc *rp + ret = rproc_handle_resources(rproc, rproc_loading_handlers); + if (ret) { + dev_err(dev, "Failed to process resources: %d\n", ret); +- goto unprepare_device; ++ goto clean_up_resources; + } + + /* Allocate carveout resources associated to rproc */ +@@ -1762,7 +1762,6 @@ static int 
rproc_attach(struct rproc *rp + + clean_up_resources: + rproc_resource_cleanup(rproc); +-unprepare_device: + /* release HW resources if needed */ + rproc_unprepare_device(rproc); + disable_iommu: diff --git a/queue-5.15/remoteproc-core-release-rproc-clean_table-after-rproc_attach-fails.patch b/queue-5.15/remoteproc-core-release-rproc-clean_table-after-rproc_attach-fails.patch new file mode 100644 index 0000000000..2bb76f9248 --- /dev/null +++ b/queue-5.15/remoteproc-core-release-rproc-clean_table-after-rproc_attach-fails.patch 
@@ -0,0 +1,59 @@ +From bcd241230fdbc6005230f80a4f8646ff5a84f15b Mon Sep 17 00:00:00 2001 +From: Xiaolei Wang +Date: Wed, 30 Apr 2025 17:20:43 +0800 +Subject: remoteproc: core: Release rproc->clean_table after rproc_attach() fails + +From: Xiaolei Wang + +commit bcd241230fdbc6005230f80a4f8646ff5a84f15b upstream. + +When rproc->state = RPROC_DETACHED is attached to remote processor +through rproc_attach(), if rproc_handle_resources() returns failure, +then the clean table should be released, otherwise the following +memory leak will occur. + +unreferenced object 0xffff000086a99800 (size 1024): +comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s) +hex dump (first 32 bytes): +00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............ +00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............ +backtrace: + [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc + [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230 + [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260 + [<0000000037818dae>] kmemdup+0x34/0x60 + [<00000000610f7f57>] rproc_boot+0x35c/0x56c + [<0000000065f8871a>] rproc_add+0x124/0x17c + [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4 + [<000000003bcaa37d>] platform_probe+0x68/0xd8 + [<00000000771577f9>] really_probe+0x110/0x27c + [<00000000531fea59>] __driver_probe_device+0x78/0x12c + [<0000000080036a04>] driver_probe_device+0x3c/0x118 + [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8 + [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4 + [<000000001a53b53e>] __device_attach+0xfc/0x18c + [<00000000d1a2a32c>] device_initial_probe+0x14/0x20 + [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4 + unreferenced object 0xffff0000864c9690 (size 16): + +Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching") +Signed-off-by: Xiaolei Wang +Reviewed-by: Peng Fan +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250430092043.1819308-3-xiaolei.wang@windriver.com +Signed-off-by: Mathieu Poirier 
+Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/remoteproc_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1764,6 +1764,7 @@ clean_up_resources: + rproc_resource_cleanup(rproc); + /* release HW resources if needed */ + rproc_unprepare_device(rproc); ++ kfree(rproc->clean_table); + disable_iommu: + rproc_disable_iommu(rproc); + return ret; diff --git a/queue-5.15/series b/queue-5.15/series index b76e8dbe30..f2ed5c7e64 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -240,3 +240,18 @@ clk-meson-g12a-add-missing-fclk_div2-to-spicc.patch ipc-fix-to-protect-ipcs-lookups-using-rcu.patch rdma-iwcm-fix-use-after-free-of-work-objects-after-cm_id-destruction.patch mm-fix-ratelimit_pages-update-error-in-dirty_ratio_handler.patch +mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch +mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch +dm-mirror-fix-a-tiny-race-condition.patch +ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch +net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch +staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch +mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch +regulator-max14577-add-error-check-for-max14577_read_reg.patch +remoteproc-core-cleanup-acquired-resources-when-rproc_handle_resources-fails-in-rproc_attach.patch +remoteproc-core-release-rproc-clean_table-after-rproc_attach-fails.patch +uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch +pci-cadence-ep-correct-pba-offset-in-.set_msix-callback.patch +pci-add-acs-quirk-for-loongson-pcie.patch +pci-fix-lock-symmetry-in-pci_slot_unlock.patch +pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch 
diff --git a/queue-5.15/staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch b/queue-5.15/staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch new file mode 100644 index 0000000000..bf3d1685ea --- /dev/null +++ b/queue-5.15/staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch @@ -0,0 +1,36 @@ +From 60638e2a2d4bc03798f00d5ab65ce9b83cb8b03b Mon Sep 17 00:00:00 2001 +From: Gabriel Shahrouzi +Date: Sat, 19 Apr 2025 21:30:09 -0400 +Subject: staging: iio: ad5933: Correct settling cycles encoding per datasheet + +From: Gabriel Shahrouzi + +commit 60638e2a2d4bc03798f00d5ab65ce9b83cb8b03b upstream. + +The AD5933 datasheet (Table 13) lists the maximum cycles to be 0x7FC +(2044). + +Clamp the user input to the maximum effective value of 0x7FC cycles. + +Fixes: f94aa354d676 ("iio: impedance-analyzer: New driver for AD5933/4 Impedance Converter, Network Analyzer") +Cc: stable@vger.kernel.org +Signed-off-by: Gabriel Shahrouzi +Reviewed-by: Marcelo Schmitt +Link: https://patch.msgid.link/20250420013009.847851-1-gshahrouzi@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c +@@ -412,7 +412,7 @@ static ssize_t ad5933_store(struct devic + ret = ad5933_cmd(st, 0); + break; + case AD5933_OUT_SETTLING_CYCLES: +- val = clamp(val, (u16)0, (u16)0x7FF); ++ val = clamp(val, (u16)0, (u16)0x7FC); + st->settling_cycles = val; + + /* 2x, 4x handling, see datasheet */ diff --git a/queue-5.15/uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch b/queue-5.15/uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch new file mode 100644 index 0000000000..f164f37fa2 --- /dev/null +++ b/queue-5.15/uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch 
@@ -0,0 +1,46 @@ +From c951ab8fd3589cf6991ed4111d2130816f2e3ac2 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Mon, 5 May 2025 17:56:34 -0700 +Subject: uio_hv_generic: Use correct size for interrupt and monitor pages + +From: Long Li + +commit c951ab8fd3589cf6991ed4111d2130816f2e3ac2 upstream. + +Interrupt and monitor pages should be in Hyper-V page size (4k bytes). +This can be different from the system page size. + +This size is read and used by the user-mode program to determine the +mapped data region. An example of such user-mode program is the VMBus +driver in DPDK. + +Cc: stable@vger.kernel.org +Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/1746492997-4599-3-git-send-email-longli@linuxonhyperv.com +Signed-off-by: Wei Liu +Message-ID: <1746492997-4599-3-git-send-email-longli@linuxonhyperv.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio_hv_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -288,13 +288,13 @@ hv_uio_probe(struct hv_device *dev, + pdata->info.mem[INT_PAGE_MAP].name = "int_page"; + pdata->info.mem[INT_PAGE_MAP].addr + = (uintptr_t)vmbus_connection.int_page; +- pdata->info.mem[INT_PAGE_MAP].size = PAGE_SIZE; ++ pdata->info.mem[INT_PAGE_MAP].size = HV_HYP_PAGE_SIZE; + pdata->info.mem[INT_PAGE_MAP].memtype = UIO_MEM_LOGICAL; + + pdata->info.mem[MON_PAGE_MAP].name = "monitor_page"; + pdata->info.mem[MON_PAGE_MAP].addr + = (uintptr_t)vmbus_connection.monitor_pages[1]; +- pdata->info.mem[MON_PAGE_MAP].size = PAGE_SIZE; ++ pdata->info.mem[MON_PAGE_MAP].size = HV_HYP_PAGE_SIZE; + pdata->info.mem[MON_PAGE_MAP].memtype = UIO_MEM_LOGICAL; + + pdata->recv_buf = vzalloc(RECV_BUFFER_SIZE);
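Review bot: in drivers/remoteproc/remoteproc_core.c, under clean_up_resources, the added kfree(rproc->clean_table) leaves rproc->clean_table pointing at freed memory. Nothing in the visible lines resets the pointer, so any later path that frees or reads clean_table after a failed rproc_attach() would be a double free or use-after-free. Suggest following the kfree() with rproc->clean_table = NULL; or stating in the commit message that every later user reassigns the pointer before touching it. Separately, the hunk context has no unprepare_device: label between rproc_resource_cleanup() and rproc_unprepare_device(), so it applies only on top of the preceding remoteproc cleanup patch that removes that label; the series file does list the two in that order.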
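Review bot: in ad5933_store(), case AD5933_OUT_SETTLING_CYCLES, the new upper bound (u16)0x7FC is a bare magic number whose only explanation is the "see datasheet" comment two lines further down. Suggest a named driver-local constant with a comment citing Table 13 and the value 2044, so the bound can be read together with the 2x/4x handling that follows. Note also that clamp() lowers out-of-range input silently, so a write above 2044 still succeeds with a value other than the one requested; if that is the intended behaviour rather than returning an error, it is worth saying so in the comment.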
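Review bot: in hv_uio_probe(), for both INT_PAGE_MAP and MON_PAGE_MAP, only the reported .size changes to HV_HYP_PAGE_SIZE, and nothing in the visible lines shows how vmbus_connection.int_page and vmbus_connection.monitor_pages[1] are allocated. Where the system page size is larger than 4k, mmap still works in whole system pages, so a user-mode mapping of these regions covers the full system page that contains the 4k buffer. Please confirm that the buffers are aligned to and fill a system page in this tree, so that no unrelated kernel memory shares the page handed to user space, and mention that dependency in the commit message if it is satisfied by a separate patch.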