From: Greg Kroah-Hartman Date: Mon, 19 May 2025 16:01:03 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.15.184~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16e8f447b86b47726628a3e95b226e53fb6acb39;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: alsa-es1968-add-error-handling-for-snd_pcm_hw_constraint_pow2.patch alsa-usb-audio-add-sample-rate-quirk-for-audioengine-d1.patch alsa-usb-audio-add-sample-rate-quirk-for-microdia-jp001-usb-camera.patch arm64-dts-amlogic-dreambox-fix-missing-clkc_audio-node.patch arm64-dts-rockchip-remove-overdrive-mode-opps-from-rk3588j-soc-dtsi.patch dma-buf-insert-memory-barrier-before-updating-num_fences.patch dmaengine-idxd-add-missing-cleanup-for-early-error-out-in-idxd_setup_internals.patch dmaengine-idxd-add-missing-cleanups-in-cleanup-internals.patch dmaengine-idxd-add-missing-idxd-cleanup-to-fix-memory-leak-in-remove-call.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_engines.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_groups.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_wqs.patch dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch dmaengine-ti-k3-udma-add-missing-locking.patch dmaengine-ti-k3-udma-use-cap_mask-directly-from-dma_device-structure-instead-of-a-local-copy.patch drivers-hv-allow-vmbus_sendpacket_mpb_desc-to-create-multiple-ranges.patch drivers-hv-vmbus-remove-vmbus_sendpacket_pagebuffer.patch ftrace-fix-preemption-accounting-for-stacktrace-filter-command.patch ftrace-fix-preemption-accounting-for-stacktrace-trigger-command.patch hv_netvsc-preserve-contiguous-pfn-grouping-in-the-page-buffer-array.patch hv_netvsc-remove-rmsg_pgcnt.patch hv_netvsc-use-vmbus_sendpacket_mpb_desc-to-send-vmbus-messages.patch kbuild-disable-wdefault-const-init-unsafe.patch mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch net-qede-initialize-qede_ll_ops-with-designated-initializer.patch phy-fix-error-handling-in-tegra_xusb_port_init.patch phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unbind-bind.patch phy-renesas-rcar-gen3-usb2-set-timing-registers-only-once.patch phy-tegra-xusb-use-a-bitmask-for-utmi-pad-power-state-tracking.patch ring-buffer-fix-persistent-buffer-when-commit-page-is-the-reader-page.patch scsi-sd_zbc-block-respect-bio-vector-limits-for-report-zones-buffer.patch smb-client-fix-memory-leak-during-error-handling-for-posix-mkdir.patch spi-tegra114-use-value-to-check-for-invalid-delays.patch tpm-mask-tpm-rc-in-tpm2_start_auth_session.patch tracing-samples-initialize-trace_array_printk-with-the-correct-function.patch wifi-mt76-disable-napi-on-driver-removal.patch --- diff --git a/queue-6.12/alsa-es1968-add-error-handling-for-snd_pcm_hw_constraint_pow2.patch b/queue-6.12/alsa-es1968-add-error-handling-for-snd_pcm_hw_constraint_pow2.patch new file mode 100644 index 0000000000..4b315ca8d5 --- /dev/null +++ b/queue-6.12/alsa-es1968-add-error-handling-for-snd_pcm_hw_constraint_pow2.patch @@ -0,0 +1,48 @@ +From 9e000f1b7f31684cc5927e034360b87ac7919593 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Wed, 14 May 2025 17:24:44 +0800 +Subject: ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() + +From: Wentao Liang + +commit 9e000f1b7f31684cc5927e034360b87ac7919593 upstream. + +The function snd_es1968_capture_open() calls the function +snd_pcm_hw_constraint_pow2(), but does not check its return +value. A proper implementation can be found in snd_cx25821_pcm_open(). + +Add error handling for snd_pcm_hw_constraint_pow2() and propagate its +error code. + +Fixes: b942cf815b57 ("[ALSA] es1968 - Fix stuttering capture") +Cc: stable@vger.kernel.org # v2.6.22 +Signed-off-by: Wentao Liang +Link: https://patch.msgid.link/20250514092444.331-1-vulab@iscas.ac.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/es1968.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/pci/es1968.c ++++ b/sound/pci/es1968.c +@@ -1561,7 +1561,7 @@ static int snd_es1968_capture_open(struc + struct snd_pcm_runtime *runtime = substream->runtime; + struct es1968 *chip = snd_pcm_substream_chip(substream); + struct esschan *es; +- int apu1, apu2; ++ int err, apu1, apu2; + + apu1 = snd_es1968_alloc_apu_pair(chip, ESM_APU_PCM_CAPTURE); + if (apu1 < 0) +@@ -1605,7 +1605,9 @@ static int snd_es1968_capture_open(struc + runtime->hw = snd_es1968_capture; + runtime->hw.buffer_bytes_max = runtime->hw.period_bytes_max = + calc_available_memory_size(chip) - 1024; /* keep MIXBUF size */ +- snd_pcm_hw_constraint_pow2(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES); ++ err = snd_pcm_hw_constraint_pow2(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES); ++ if (err < 0) ++ return err; + + spin_lock_irq(&chip->substream_lock); + list_add(&es->list, &chip->substream_list); diff --git a/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-audioengine-d1.patch b/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-audioengine-d1.patch new file mode 100644 index 0000000000..2a6db2f2b8 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-audioengine-d1.patch @@ -0,0 +1,43 @@ +From 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 Mon Sep 17 00:00:00 2001 +From: Christian Heusel +Date: Mon, 12 May 2025 22:23:37 +0200 +Subject: ALSA: usb-audio: Add sample rate quirk for Audioengine D1 + +From: Christian Heusel + +commit 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 upstream. + +A user reported on the Arch Linux Forums that their device is emitting +the following message in the kernel journal, which is fixed by adding +the quirk as submitted in this patch: + + > kernel: usb 1-2: current rate 8436480 is different from the runtime rate 48000 + +There also is an entry for this product line added long time ago. +Their specific device has the following ID: + + $ lsusb | grep Audio + Bus 001 Device 002: ID 1101:0003 EasyPass Industrial Co., Ltd Audioengine D1 + +Link: https://bbs.archlinux.org/viewtopic.php?id=305494 +Fixes: 93f9d1a4ac593 ("ALSA: usb-audio: Apply sample rate quirk for Audioengine D1") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Heusel +Link: https://patch.msgid.link/20250512-audioengine-quirk-addition-v1-1-4c370af6eff7@heusel.eu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2248,6 +2248,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_FIXED_RATE), + DEVICE_FLG(0x0fd9, 0x0008, /* Hauppauge HVR-950Q */ + QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER), ++ DEVICE_FLG(0x1101, 0x0003, /* Audioengine D1 */ ++ QUIRK_FLAG_GET_SAMPLE_RATE), + DEVICE_FLG(0x1224, 0x2a25, /* Jieli Technology USB PHY 2.0 */ + QUIRK_FLAG_GET_SAMPLE_RATE | QUIRK_FLAG_MIC_RES_16), + DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */ diff --git a/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-microdia-jp001-usb-camera.patch b/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-microdia-jp001-usb-camera.patch new file mode 100644 index 0000000000..29eafbae6c --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-sample-rate-quirk-for-microdia-jp001-usb-camera.patch @@ -0,0 +1,40 @@ +From 7b9938a14460e8ec7649ca2e80ac0aae9815bf02 Mon Sep 17 00:00:00 2001 +From: Nicolas Chauvet +Date: Thu, 15 May 2025 12:21:32 +0200 +Subject: ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera + +From: Nicolas Chauvet + +commit 7b9938a14460e8ec7649ca2e80ac0aae9815bf02 upstream. + +Microdia JP001 does not support reading the sample rate which leads to +many lines of "cannot get freq at ep 0x84". +This patch adds the USB ID to quirks.c and avoids those error messages. + +usb 7-4: New USB device found, idVendor=0c45, idProduct=636b, bcdDevice= 1.00 +usb 7-4: New USB device strings: Mfr=2, Product=1, SerialNumber=3 +usb 7-4: Product: JP001 +usb 7-4: Manufacturer: JP001 +usb 7-4: SerialNumber: JP001 +usb 7-4: 3:1: cannot get freq at ep 0x84 + +Cc: +Signed-off-by: Nicolas Chauvet +Link: https://patch.msgid.link/20250515102132.73062-1-kwizart@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2240,6 +2240,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_CTL_MSG_DELAY_1M), + DEVICE_FLG(0x0c45, 0x6340, /* Sonix HD USB Camera */ + QUIRK_FLAG_GET_SAMPLE_RATE), ++ DEVICE_FLG(0x0c45, 0x636b, /* Microdia JP001 USB Camera */ ++ QUIRK_FLAG_GET_SAMPLE_RATE), + DEVICE_FLG(0x0d8c, 0x0014, /* USB Audio Device */ + QUIRK_FLAG_CTL_MSG_DELAY_1M), + DEVICE_FLG(0x0ecb, 0x205c, /* JBL Quantum610 Wireless */ diff --git a/queue-6.12/arm64-dts-amlogic-dreambox-fix-missing-clkc_audio-node.patch b/queue-6.12/arm64-dts-amlogic-dreambox-fix-missing-clkc_audio-node.patch new file mode 100644 index 0000000000..b9511f453a --- /dev/null +++ b/queue-6.12/arm64-dts-amlogic-dreambox-fix-missing-clkc_audio-node.patch @@ -0,0 +1,36 @@ +From 0f67578587bb9e5a8eecfcdf6b8a501b5bd90526 Mon Sep 17 00:00:00 2001 +From: Christian Hewitt +Date: Sat, 3 May 2025 08:44:43 +0000 +Subject: arm64: dts: amlogic: dreambox: fix missing clkc_audio node + +From: Christian Hewitt + +commit 0f67578587bb9e5a8eecfcdf6b8a501b5bd90526 upstream. + +Add the clkc_audio node to fix audio support on Dreambox One/Two. + +Fixes: 83a6f4c62cb1 ("arm64: dts: meson: add initial support for Dreambox One/Two") +CC: stable@vger.kernel.org +Suggested-by: Emanuel Strobel +Signed-off-by: Christian Hewitt +Reviewed-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20250503084443.3704866-1-christianshewitt@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-g12b-dreambox.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-g12b-dreambox.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-dreambox.dtsi +@@ -116,6 +116,10 @@ + status = "okay"; + }; + ++&clkc_audio { ++ status = "okay"; ++}; ++ + &frddr_a { + status = "okay"; + }; diff --git a/queue-6.12/arm64-dts-rockchip-remove-overdrive-mode-opps-from-rk3588j-soc-dtsi.patch b/queue-6.12/arm64-dts-rockchip-remove-overdrive-mode-opps-from-rk3588j-soc-dtsi.patch new file mode 100644 index 0000000000..c604e5270b --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-remove-overdrive-mode-opps-from-rk3588j-soc-dtsi.patch @@ -0,0 +1,204 @@ +From e0bd7ecf6b2dc71215af699dffbf14bf0bc3d978 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 24 Mar 2025 12:00:43 +0100 +Subject: arm64: dts: rockchip: Remove overdrive-mode OPPs from RK3588J SoC dtsi + +From: Dragan Simic + +commit e0bd7ecf6b2dc71215af699dffbf14bf0bc3d978 upstream. + +The differences in the vendor-approved CPU and GPU OPPs for the standard +Rockchip RK3588 variant [1] and the industrial Rockchip RK3588J variant [2] +come from the latter, presumably, supporting an extended temperature range +that's usually associated with industrial applications, despite the two SoC +variant datasheets specifying the same upper limit for the allowed ambient +temperature for both variants. However, the lower temperature limit is +specified much lower for the RK3588J variant. [1][2] + +To be on the safe side and to ensure maximum longevity of the RK3588J SoCs, +only the CPU and GPU OPPs that are declared by the vendor to be always safe +for this SoC variant may be provided. As explained by the vendor [3] and +according to the RK3588J datasheet, [2] higher-frequency/higher-voltage +CPU and GPU OPPs can be used as well, but at the risk of reducing the SoC +lifetime expectancy. Presumably, using the higher OPPs may be safe only +when not enjoying the assumed extended temperature range that the RK3588J, +as an SoC variant targeted specifically at higher-temperature, industrial +applications, is made (or binned) for. + +Anyone able to keep their RK3588J-based board outside the above-presumed +extended temperature range at all times, and willing to take the associated +risk of possibly reducing the SoC lifetime expectancy, is free to apply +a DT overlay that adds the higher CPU and GPU OPPs. + +With all this and the downstream RK3588(J) DT definitions [4][5] in mind, +let's delete the RK3588J CPU and GPU OPPs that are not considered belonging +to the normal operation mode for this SoC variant. To quote the RK3588J +datasheet [2], "normal mode means the chipset works under safety voltage +and frequency; for the industrial environment, highly recommend to keep in +normal mode, the lifetime is reasonably guaranteed", while "overdrive mode +brings higher frequency, and the voltage will increase accordingly; under +the overdrive mode for a long time, the chipset may shorten the lifetime, +especially in high-temperature condition". + +To sum the RK3588J datasheet [2] and the vendor-provided DTs up, [4][5] +the maximum allowed CPU core, GPU and NPU frequencies are as follows: + + IP core | Normal mode | Overdrive mode + ------------+-------------+---------------- + Cortex-A55 | 1,296 MHz | 1,704 MHz + Cortex-A76 | 1,608 MHz | 2,016 MHz + GPU | 700 MHz | 850 MHz + NPU | 800 MHz | 950 MHz + +Unfortunately, when it comes to the actual voltages for the RK3588J CPU and +GPU OPPs, there's a discrepancy between the RK3588J datasheet [2] and the +downstream kernel code. [4][5] The RK3588J datasheet states that "the max. +working voltage of CPU/GPU/NPU is 0.75 V under the normal mode", while the +downstream kernel code actually allows voltage ranges that go up to 0.95 V, +which is still within the voltage range allowed by the datasheet. However, +the RK3588J datasheet also tells us to "strictly refer to the software +configuration of SDK and the hardware reference design", so let's embrace +the voltage ranges provided by the downstream kernel code, which also +prevents the undesirable theoretical outcome of ending up with no usable +OPPs on a particular board, as a result of the board's voltage regulator(s) +being unable to deliver the exact voltages, for whatever reason. + +The above-described voltage ranges for the RK3588J CPU OPPs remain taken +from the downstream kernel code [4][5] by picking the highest, worst-bin +values, which ensure that all RK3588J bins will work reliably. Yes, with +some power inevitably wasted as unnecessarily generated heat, but the +reliability is paramount, together with the longevity. This deficiency +may be revisited separately at some point in the future. + +The provided RK3588J CPU OPPs follow the slightly debatable "provide only +the highest-frequency OPP from the same-voltage group" approach that's been +established earlier, [6] as a result of the "same-voltage, lower-frequency" +OPPs being considered inefficient from the IPA governor's standpoint, which +may also be revisited separately at some point in the future. + +[1] https://wiki.friendlyelec.com/wiki/images/e/ee/Rockchip_RK3588_Datasheet_V1.6-20231016.pdf +[2] https://wmsc.lcsc.com/wmsc/upload/file/pdf/v2/lcsc/2403201054_Rockchip-RK3588J_C22364189.pdf +[3] https://lore.kernel.org/linux-rockchip/e55125ed-64fb-455e-b1e4-cebe2cf006e4@cherry.de/T/#u +[4] https://raw.githubusercontent.com/rockchip-linux/kernel/604cec4004abe5a96c734f2fab7b74809d2d742f/arch/arm64/boot/dts/rockchip/rk3588s.dtsi +[5] https://raw.githubusercontent.com/rockchip-linux/kernel/604cec4004abe5a96c734f2fab7b74809d2d742f/arch/arm64/boot/dts/rockchip/rk3588j.dtsi +[6] https://lore.kernel.org/all/20240229-rk-dts-additions-v3-5-6afe8473a631@gmail.com/ + +Fixes: 667885a68658 ("arm64: dts: rockchip: Add OPP data for CPU cores on RK3588j") +Fixes: a7b2070505a2 ("arm64: dts: rockchip: Split GPU OPPs of RK3588 and RK3588j") +Cc: stable@vger.kernel.org +Cc: Heiko Stuebner +Cc: Alexey Charkov +Helped-by: Quentin Schulz +Reviewed-by: Quentin Schulz +Signed-off-by: Dragan Simic +Link: https://lore.kernel.org/r/eeec0d30d79b019d111b3f0aa2456e69896b2caa.1742813866.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 53 +++++++++--------------------- + 1 file changed, 17 insertions(+), 36 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3588j.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3588j.dtsi +@@ -11,20 +11,15 @@ + compatible = "operating-points-v2"; + opp-shared; + +- opp-1416000000 { +- opp-hz = /bits/ 64 <1416000000>; ++ opp-1200000000 { ++ opp-hz = /bits/ 64 <1200000000>; + opp-microvolt = <750000 750000 950000>; + clock-latency-ns = <40000>; + opp-suspend; + }; +- opp-1608000000 { +- opp-hz = /bits/ 64 <1608000000>; +- opp-microvolt = <887500 887500 950000>; +- clock-latency-ns = <40000>; +- }; +- opp-1704000000 { +- opp-hz = /bits/ 64 <1704000000>; +- opp-microvolt = <937500 937500 950000>; ++ opp-1296000000 { ++ opp-hz = /bits/ 64 <1296000000>; ++ opp-microvolt = <775000 775000 950000>; + clock-latency-ns = <40000>; + }; + }; +@@ -33,9 +28,14 @@ + compatible = "operating-points-v2"; + opp-shared; + ++ opp-1200000000{ ++ opp-hz = /bits/ 64 <1200000000>; ++ opp-microvolt = <750000 750000 950000>; ++ clock-latency-ns = <40000>; ++ }; + opp-1416000000 { + opp-hz = /bits/ 64 <1416000000>; +- opp-microvolt = <750000 750000 950000>; ++ opp-microvolt = <762500 762500 950000>; + clock-latency-ns = <40000>; + }; + opp-1608000000 { +@@ -43,25 +43,20 @@ + opp-microvolt = <787500 787500 950000>; + clock-latency-ns = <40000>; + }; +- opp-1800000000 { +- opp-hz = /bits/ 64 <1800000000>; +- opp-microvolt = <875000 875000 950000>; +- clock-latency-ns = <40000>; +- }; +- opp-2016000000 { +- opp-hz = /bits/ 64 <2016000000>; +- opp-microvolt = <950000 950000 950000>; +- clock-latency-ns = <40000>; +- }; + }; + + cluster2_opp_table: opp-table-cluster2 { + compatible = "operating-points-v2"; + opp-shared; + ++ opp-1200000000{ ++ opp-hz = /bits/ 64 <1200000000>; ++ opp-microvolt = <750000 750000 950000>; ++ clock-latency-ns = <40000>; ++ }; + opp-1416000000 { + opp-hz = /bits/ 64 <1416000000>; +- opp-microvolt = <750000 750000 950000>; ++ opp-microvolt = <762500 762500 950000>; + clock-latency-ns = <40000>; + }; + opp-1608000000 { +@@ -69,16 +64,6 @@ + opp-microvolt = <787500 787500 950000>; + clock-latency-ns = <40000>; + }; +- opp-1800000000 { +- opp-hz = /bits/ 64 <1800000000>; +- opp-microvolt = <875000 875000 950000>; +- clock-latency-ns = <40000>; +- }; +- opp-2016000000 { +- opp-hz = /bits/ 64 <2016000000>; +- opp-microvolt = <950000 950000 950000>; +- clock-latency-ns = <40000>; +- }; + }; + + gpu_opp_table: opp-table { +@@ -104,10 +89,6 @@ + opp-hz = /bits/ 64 <700000000>; + opp-microvolt = <750000 750000 850000>; + }; +- opp-850000000 { +- opp-hz = /bits/ 64 <800000000>; +- opp-microvolt = <787500 787500 850000>; +- }; + }; + }; + diff --git a/queue-6.12/dma-buf-insert-memory-barrier-before-updating-num_fences.patch b/queue-6.12/dma-buf-insert-memory-barrier-before-updating-num_fences.patch new file mode 100644 index 0000000000..ffc5ea2405 --- /dev/null +++ b/queue-6.12/dma-buf-insert-memory-barrier-before-updating-num_fences.patch @@ -0,0 +1,41 @@ +From 72c7d62583ebce7baeb61acce6057c361f73be4a Mon Sep 17 00:00:00 2001 +From: Hyejeong Choi +Date: Mon, 12 May 2025 21:06:38 -0500 +Subject: dma-buf: insert memory barrier before updating num_fences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hyejeong Choi + +commit 72c7d62583ebce7baeb61acce6057c361f73be4a upstream. + +smp_store_mb() inserts memory barrier after storing operation. +It is different with what the comment is originally aiming so Null +pointer dereference can be happened if memory update is reordered. + +Signed-off-by: Hyejeong Choi +Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence") +CC: stable@vger.kernel.org +Reviewed-by: Christian König +Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.samsung.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-resv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -320,8 +320,9 @@ void dma_resv_add_fence(struct dma_resv + count++; + + dma_resv_list_set(fobj, i, fence, usage); +- /* pointer update must be visible before we extend the num_fences */ +- smp_store_mb(fobj->num_fences, count); ++ /* fence update must be visible before we extend the num_fences */ ++ smp_wmb(); ++ fobj->num_fences = count; + } + EXPORT_SYMBOL(dma_resv_add_fence); + diff --git a/queue-6.12/dmaengine-idxd-add-missing-cleanup-for-early-error-out-in-idxd_setup_internals.patch b/queue-6.12/dmaengine-idxd-add-missing-cleanup-for-early-error-out-in-idxd_setup_internals.patch new file mode 100644 index 0000000000..8097ce8137 --- /dev/null +++ b/queue-6.12/dmaengine-idxd-add-missing-cleanup-for-early-error-out-in-idxd_setup_internals.patch @@ -0,0 +1,130 @@ +From 61259fb96e023f7299c442c48b13e72c441fc0f2 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:12 +0800 +Subject: dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals + +From: Shuai Xue + +commit 61259fb96e023f7299c442c48b13e72c441fc0f2 upstream. + +The idxd_setup_internals() is missing some cleanup when things fail in +the middle. + +Add the appropriate cleanup routines: + +- cleanup groups +- cleanup enginces +- cleanup wqs + +to make sure it exits gracefully. + +Fixes: defe49f96012 ("dmaengine: idxd: fix group conf_dev lifetime") +Cc: stable@vger.kernel.org +Suggested-by: Fenghua Yu +Signed-off-by: Shuai Xue +Reviewed-by: Fenghua Yu +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250404120217.48772-5-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 58 ++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 51 insertions(+), 7 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -153,6 +153,25 @@ static void idxd_cleanup_interrupts(stru + pci_free_irq_vectors(pdev); + } + ++static void idxd_clean_wqs(struct idxd_device *idxd) ++{ ++ struct idxd_wq *wq; ++ struct device *conf_dev; ++ int i; ++ ++ for (i = 0; i < idxd->max_wqs; i++) { ++ wq = idxd->wqs[i]; ++ if (idxd->hw.wq_cap.op_config) ++ bitmap_free(wq->opcap_bmap); ++ kfree(wq->wqcfg); ++ conf_dev = wq_confdev(wq); ++ put_device(conf_dev); ++ kfree(wq); ++ } ++ bitmap_free(idxd->wq_enable_map); ++ kfree(idxd->wqs); ++} ++ + static int idxd_setup_wqs(struct idxd_device *idxd) + { + struct device *dev = &idxd->pdev->dev; +@@ -243,6 +262,21 @@ err_bitmap: + return rc; + } + ++static void idxd_clean_engines(struct idxd_device *idxd) ++{ ++ struct idxd_engine *engine; ++ struct device *conf_dev; ++ int i; ++ ++ for (i = 0; i < idxd->max_engines; i++) { ++ engine = idxd->engines[i]; ++ conf_dev = engine_confdev(engine); ++ put_device(conf_dev); ++ kfree(engine); ++ } ++ kfree(idxd->engines); ++} ++ + static int idxd_setup_engines(struct idxd_device *idxd) + { + struct idxd_engine *engine; +@@ -294,6 +328,19 @@ static int idxd_setup_engines(struct idx + return rc; + } + ++static void idxd_clean_groups(struct idxd_device *idxd) ++{ ++ struct idxd_group *group; ++ int i; ++ ++ for (i = 0; i < idxd->max_groups; i++) { ++ group = idxd->groups[i]; ++ put_device(group_confdev(group)); ++ kfree(group); ++ } ++ kfree(idxd->groups); ++} ++ + static int idxd_setup_groups(struct idxd_device *idxd) + { + struct device *dev = &idxd->pdev->dev; +@@ -408,7 +455,7 @@ static int idxd_init_evl(struct idxd_dev + static int idxd_setup_internals(struct idxd_device *idxd) + { + struct device *dev = &idxd->pdev->dev; +- int rc, i; ++ int rc; + + init_waitqueue_head(&idxd->cmd_waitq); + +@@ -439,14 +486,11 @@ static int idxd_setup_internals(struct i + err_evl: + destroy_workqueue(idxd->wq); + err_wkq_create: +- for (i = 0; i < idxd->max_groups; i++) +- put_device(group_confdev(idxd->groups[i])); ++ idxd_clean_groups(idxd); + err_group: +- for (i = 0; i < idxd->max_engines; i++) +- put_device(engine_confdev(idxd->engines[i])); ++ idxd_clean_engines(idxd); + err_engine: +- for (i = 0; i < idxd->max_wqs; i++) +- put_device(wq_confdev(idxd->wqs[i])); ++ idxd_clean_wqs(idxd); + err_wqs: + return rc; + } diff --git a/queue-6.12/dmaengine-idxd-add-missing-cleanups-in-cleanup-internals.patch b/queue-6.12/dmaengine-idxd-add-missing-cleanups-in-cleanup-internals.patch new file mode 100644 index 0000000000..43d906aec1 --- /dev/null +++ b/queue-6.12/dmaengine-idxd-add-missing-cleanups-in-cleanup-internals.patch @@ -0,0 +1,48 @@ +From 61d651572b6c4fe50c7b39a390760f3a910c7ccf Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:13 +0800 +Subject: dmaengine: idxd: Add missing cleanups in cleanup internals + +From: Shuai Xue + +commit 61d651572b6c4fe50c7b39a390760f3a910c7ccf upstream. + +The idxd_cleanup_internals() function only decreases the reference count +of groups, engines, and wqs but is missing the step to release memory +resources. + +To fix this, use the cleanup helper to properly release the memory +resources. + +Fixes: ddf742d4f3f1 ("dmaengine: idxd: Add missing cleanup for early error out in probe call") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Fenghua Yu +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250404120217.48772-6-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -405,14 +405,9 @@ static int idxd_setup_groups(struct idxd + + static void idxd_cleanup_internals(struct idxd_device *idxd) + { +- int i; +- +- for (i = 0; i < idxd->max_groups; i++) +- put_device(group_confdev(idxd->groups[i])); +- for (i = 0; i < idxd->max_engines; i++) +- put_device(engine_confdev(idxd->engines[i])); +- for (i = 0; i < idxd->max_wqs; i++) +- put_device(wq_confdev(idxd->wqs[i])); ++ idxd_clean_groups(idxd); ++ idxd_clean_engines(idxd); ++ idxd_clean_wqs(idxd); + destroy_workqueue(idxd->wq); + } + diff --git a/queue-6.12/dmaengine-idxd-add-missing-idxd-cleanup-to-fix-memory-leak-in-remove-call.patch b/queue-6.12/dmaengine-idxd-add-missing-idxd-cleanup-to-fix-memory-leak-in-remove-call.patch new file mode 100644 index 0000000000..b9f112e03d --- /dev/null +++ b/queue-6.12/dmaengine-idxd-add-missing-idxd-cleanup-to-fix-memory-leak-in-remove-call.patch @@ -0,0 +1,36 @@ +From d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:16 +0800 +Subject: dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call + +From: Shuai Xue + +commit d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 upstream. + +The remove call stack is missing idxd cleanup to free bitmap, ida and +the idxd_device. Call idxd_free() helper routines to make sure we exit +gracefully. + +Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") +Cc: stable@vger.kernel.org +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Shuai Xue +Reviewed-by: Fenghua Yu +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250404120217.48772-9-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -915,6 +915,7 @@ static void idxd_remove(struct pci_dev * + destroy_workqueue(idxd->wq); + perfmon_pmu_remove(idxd); + put_device(idxd_confdev(idxd)); ++ idxd_free(idxd); + } + + static struct pci_driver idxd_pci_driver = { diff --git a/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch new file mode 100644 index 0000000000..7a2aa22ab7 --- /dev/null +++ b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch @@ -0,0 +1,71 @@ +From 46a5cca76c76c86063000a12936f8e7875295838 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:14 +0800 +Subject: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc + +From: Shuai Xue + +commit 46a5cca76c76c86063000a12936f8e7875295838 upstream. + +Memory allocated for idxd is not freed if an error occurs during +idxd_alloc(). To fix it, free the allocated memory in the reverse order +of allocation before exiting the function in case of an error. + +Fixes: a8563a33a5e2 ("dmanegine: idxd: reformat opcap output to match bitmap_parse() input") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20250404120217.48772-7-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -602,28 +602,34 @@ static struct idxd_device *idxd_alloc(st + idxd_dev_set_type(&idxd->idxd_dev, idxd->data->type); + idxd->id = ida_alloc(&idxd_ida, GFP_KERNEL); + if (idxd->id < 0) +- return NULL; ++ goto err_ida; + + idxd->opcap_bmap = bitmap_zalloc_node(IDXD_MAX_OPCAP_BITS, GFP_KERNEL, dev_to_node(dev)); +- if (!idxd->opcap_bmap) { +- ida_free(&idxd_ida, idxd->id); +- return NULL; +- } ++ if (!idxd->opcap_bmap) ++ goto err_opcap; + + device_initialize(conf_dev); + conf_dev->parent = dev; + conf_dev->bus = &dsa_bus_type; + conf_dev->type = idxd->data->dev_type; + rc = dev_set_name(conf_dev, "%s%d", idxd->data->name_prefix, idxd->id); +- if (rc < 0) { +- put_device(conf_dev); +- return NULL; +- } ++ if (rc < 0) ++ goto err_name; + + spin_lock_init(&idxd->dev_lock); + spin_lock_init(&idxd->cmd_lock); + + return idxd; ++ ++err_name: ++ put_device(conf_dev); ++ bitmap_free(idxd->opcap_bmap); ++err_opcap: ++ ida_free(&idxd_ida, idxd->id); ++err_ida: ++ kfree(idxd); ++ ++ return NULL; + } + + static int idxd_enable_system_pasid(struct idxd_device *idxd) diff --git a/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch new file mode 100644 index 0000000000..b0976c79e2 --- /dev/null +++ b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch @@ -0,0 +1,54 @@ +From 90022b3a6981ec234902be5dbf0f983a12c759fc Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:15 +0800 +Subject: dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe + +From: Shuai Xue + +commit 90022b3a6981ec234902be5dbf0f983a12c759fc upstream. + +Memory allocated for idxd is not freed if an error occurs during +idxd_pci_probe(). To fix it, free the allocated memory in the reverse +order of allocation before exiting the function in case of an error. + +Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20250404120217.48772-8-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -585,6 +585,17 @@ static void idxd_read_caps(struct idxd_d + idxd->hw.iaa_cap.bits = ioread64(idxd->reg_base + IDXD_IAACAP_OFFSET); + } + ++static void idxd_free(struct idxd_device *idxd) ++{ ++ if (!idxd) ++ return; ++ ++ put_device(idxd_confdev(idxd)); ++ bitmap_free(idxd->opcap_bmap); ++ ida_free(&idxd_ida, idxd->id); ++ kfree(idxd); ++} ++ + static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) + { + struct device *dev = &pdev->dev; +@@ -857,7 +868,7 @@ static int idxd_pci_probe(struct pci_dev + err: + pci_iounmap(pdev, idxd->reg_base); + err_iomap: +- put_device(idxd_confdev(idxd)); ++ idxd_free(idxd); + err_idxd_alloc: + pci_disable_device(pdev); + return rc; diff --git a/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_engines.patch b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_engines.patch new file mode 100644 index 0000000000..43647ea5ce --- /dev/null +++ b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_engines.patch @@ -0,0 +1,47 @@ +From 817bced19d1dbdd0b473580d026dc0983e30e17b Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:10 +0800 +Subject: dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines + +From: Shuai Xue + +commit 817bced19d1dbdd0b473580d026dc0983e30e17b upstream. + +Memory allocated for engines is not freed if an error occurs during +idxd_setup_engines(). To fix it, free the allocated memory in the +reverse order of allocation before exiting the function in case of an +error. + +Fixes: 75b911309060 ("dmaengine: idxd: fix engine conf_dev lifetime") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20250404120217.48772-3-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -273,6 +273,7 @@ static int idxd_setup_engines(struct idx + rc = dev_set_name(conf_dev, "engine%d.%d", idxd->id, engine->id); + if (rc < 0) { + put_device(conf_dev); ++ kfree(engine); + goto err; + } + +@@ -286,7 +287,10 @@ static int idxd_setup_engines(struct idx + engine = idxd->engines[i]; + conf_dev = engine_confdev(engine); + put_device(conf_dev); ++ kfree(engine); + } ++ kfree(idxd->engines); ++ + return rc; + } + diff --git a/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_groups.patch b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_groups.patch new file mode 100644 index 0000000000..60d060448f --- /dev/null +++ b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_groups.patch @@ -0,0 +1,46 @@ +From aa6f4f945b10eac57aed46154ae7d6fada7fccc7 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:11 +0800 +Subject: dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups + +From: Shuai Xue + +commit aa6f4f945b10eac57aed46154ae7d6fada7fccc7 upstream. + +Memory allocated for groups is not freed if an error occurs during +idxd_setup_groups(). To fix it, free the allocated memory in the reverse +order of allocation before exiting the function in case of an error. + +Fixes: defe49f96012 ("dmaengine: idxd: fix group conf_dev lifetime") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20250404120217.48772-4-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -324,6 +324,7 @@ static int idxd_setup_groups(struct idxd + rc = dev_set_name(conf_dev, "group%d.%d", idxd->id, group->id); + if (rc < 0) { + put_device(conf_dev); ++ kfree(group); + goto err; + } + +@@ -348,7 +349,10 @@ static int idxd_setup_groups(struct idxd + while (--i >= 0) { + group = idxd->groups[i]; + put_device(group_confdev(group)); ++ kfree(group); + } ++ kfree(idxd->groups); ++ + return rc; + } + diff --git a/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_wqs.patch b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_wqs.patch new file mode 100644 index 0000000000..83297c08bc --- /dev/null +++ b/queue-6.12/dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_wqs.patch @@ -0,0 +1,102 @@ +From 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:09 +0800 +Subject: dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs + +From: Shuai Xue + +commit 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 upstream. + +Memory allocated for wqs is not freed if an error occurs during +idxd_setup_wqs(). To fix it, free the allocated memory in the reverse +order of allocation before exiting the function in case of an error. + +Fixes: 7c5dd23e57c1 ("dmaengine: idxd: fix wq conf_dev 'struct device' lifetime") +Fixes: 700af3a0a26c ("dmaengine: idxd: add 'struct idxd_dev' as wrapper for conf_dev") +Fixes: de5819b99489 ("dmaengine: idxd: track enabled workqueues in bitmap") +Fixes: b0325aefd398 ("dmaengine: idxd: add WQ operation cap restriction support") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Xue +Reviewed-by: Dave Jiang +Reviewed-by: Fenghua Yu +Link: https://lore.kernel.org/r/20250404120217.48772-2-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -167,8 +167,8 @@ static int idxd_setup_wqs(struct idxd_de + + idxd->wq_enable_map = bitmap_zalloc_node(idxd->max_wqs, GFP_KERNEL, dev_to_node(dev)); + if (!idxd->wq_enable_map) { +- kfree(idxd->wqs); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto err_bitmap; + } + + for (i = 0; i < idxd->max_wqs; i++) { +@@ -187,10 +187,8 @@ static int idxd_setup_wqs(struct idxd_de + conf_dev->bus = &dsa_bus_type; + conf_dev->type = &idxd_wq_device_type; + rc = dev_set_name(conf_dev, "wq%d.%d", idxd->id, wq->id); +- if (rc < 0) { +- put_device(conf_dev); ++ if (rc < 0) + goto err; +- } + + mutex_init(&wq->wq_lock); + init_waitqueue_head(&wq->err_queue); +@@ -201,7 +199,6 @@ static int idxd_setup_wqs(struct idxd_de + wq->enqcmds_retries = IDXD_ENQCMDS_RETRIES; + wq->wqcfg = kzalloc_node(idxd->wqcfg_size, GFP_KERNEL, dev_to_node(dev)); + if (!wq->wqcfg) { +- put_device(conf_dev); + rc = -ENOMEM; + goto err; + } +@@ -209,9 +206,8 @@ static int idxd_setup_wqs(struct idxd_de + if (idxd->hw.wq_cap.op_config) { + wq->opcap_bmap = bitmap_zalloc(IDXD_MAX_OPCAP_BITS, GFP_KERNEL); + if (!wq->opcap_bmap) { +- put_device(conf_dev); + rc = -ENOMEM; +- goto err; ++ goto err_opcap_bmap; + } + bitmap_copy(wq->opcap_bmap, idxd->opcap_bmap, IDXD_MAX_OPCAP_BITS); + } +@@ -222,12 +218,28 @@ static int idxd_setup_wqs(struct idxd_de + + return 0; + +- err: ++err_opcap_bmap: ++ kfree(wq->wqcfg); ++ ++err: ++ put_device(conf_dev); ++ kfree(wq); ++ + while (--i >= 0) { + wq = idxd->wqs[i]; ++ if (idxd->hw.wq_cap.op_config) ++ bitmap_free(wq->opcap_bmap); ++ kfree(wq->wqcfg); + conf_dev = wq_confdev(wq); + put_device(conf_dev); ++ kfree(wq); ++ + } ++ bitmap_free(idxd->wq_enable_map); ++ ++err_bitmap: ++ kfree(idxd->wqs); ++ + return rc; + } + diff --git a/queue-6.12/dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch b/queue-6.12/dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch new file mode 100644 index 0000000000..a5cbb2885c --- /dev/null +++ b/queue-6.12/dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch @@ -0,0 +1,61 @@ +From a409e919ca321cc0e28f8abf96fde299f0072a81 Mon Sep 17 00:00:00 2001 +From: Shuai Xue +Date: Fri, 4 Apr 2025 20:02:17 +0800 +Subject: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper + +From: Shuai Xue + +commit a409e919ca321cc0e28f8abf96fde299f0072a81 upstream. + +The idxd_cleanup() helper cleans up perfmon, interrupts, internals and +so on. Refactor remove call with the idxd_cleanup() helper to avoid code +duplication. Note, this also fixes the missing put_device() for idxd +groups, enginces and wqs. + +Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") +Cc: stable@vger.kernel.org +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Shuai Xue +Reviewed-by: Fenghua Yu +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250404120217.48772-10-xueshuai@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/init.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -905,7 +905,6 @@ static void idxd_shutdown(struct pci_dev + static void idxd_remove(struct pci_dev *pdev) + { + struct idxd_device *idxd = pci_get_drvdata(pdev); +- struct idxd_irq_entry *irq_entry; + + idxd_unregister_devices(idxd); + /* +@@ -918,21 +917,12 @@ static void idxd_remove(struct pci_dev * + get_device(idxd_confdev(idxd)); + device_unregister(idxd_confdev(idxd)); + idxd_shutdown(pdev); +- if (device_pasid_enabled(idxd)) +- idxd_disable_system_pasid(idxd); + idxd_device_remove_debugfs(idxd); +- +- irq_entry = idxd_get_ie(idxd, 0); +- free_irq(irq_entry->vector, irq_entry); +- pci_free_irq_vectors(pdev); ++ idxd_cleanup(idxd); + pci_iounmap(pdev, idxd->reg_base); +- if (device_user_pasid_enabled(idxd)) +- idxd_disable_sva(pdev); +- pci_disable_device(pdev); +- destroy_workqueue(idxd->wq); +- perfmon_pmu_remove(idxd); + put_device(idxd_confdev(idxd)); + idxd_free(idxd); ++ pci_disable_device(pdev); + } + + static struct pci_driver idxd_pci_driver = { diff --git a/queue-6.12/dmaengine-ti-k3-udma-add-missing-locking.patch b/queue-6.12/dmaengine-ti-k3-udma-add-missing-locking.patch new file mode 100644 index 0000000000..e9f4b75ebd --- /dev/null +++ b/queue-6.12/dmaengine-ti-k3-udma-add-missing-locking.patch @@ -0,0 +1,94 @@ +From fca280992af8c2fbd511bc43f65abb4a17363f2f Mon Sep 17 00:00:00 2001 +From: Ronald Wahl +Date: Mon, 14 Apr 2025 19:31:13 +0200 +Subject: dmaengine: ti: k3-udma: Add missing locking + +From: Ronald Wahl + +commit fca280992af8c2fbd511bc43f65abb4a17363f2f upstream. + +Recent kernels complain about a missing lock in k3-udma.c when the lock +validator is enabled: + +[ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 +[ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 +[ 4.144867] Hardware name: pp-v12 (DT) +[ 4.148648] Workqueue: events udma_check_tx_completion +[ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 4.160834] pc : udma_start.isra.0+0x34/0x238 +[ 4.165227] lr : udma_start.isra.0+0x30/0x238 +[ 4.169618] sp : ffffffc083cabcf0 +[ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 +[ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 +[ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 +[ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 +[ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 +[ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 +[ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 +[ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 +[ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 +[ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 +[ 4.244986] Call trace: +[ 4.247463] udma_start.isra.0+0x34/0x238 +[ 4.251509] udma_check_tx_completion+0xd0/0xdc +[ 4.256076] process_one_work+0x244/0x3fc +[ 4.260129] process_scheduled_works+0x6c/0x74 +[ 4.264610] worker_thread+0x150/0x1dc +[ 4.268398] kthread+0xd8/0xe8 +[ 4.271492] ret_from_fork+0x10/0x20 +[ 4.275107] irq event stamp: 220 +[ 4.278363] hardirqs last enabled at (219): [] _raw_spin_unlock_irq+0x38/0x50 +[ 4.287183] hardirqs last disabled at (220): [] el1_dbg+0x24/0x50 +[ 4.294879] softirqs last enabled at (182): [] handle_softirqs+0x1c0/0x3cc +[ 4.303437] softirqs last disabled at (177): [] __do_softirq+0x1c/0x28 +[ 4.311559] ---[ end trace 0000000000000000 ]--- + +This commit adds the missing locking. + +Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") +Cc: Peter Ujfalusi +Cc: Vignesh Raghavendra +Cc: Vinod Koul +Cc: dmaengine@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Ronald Wahl +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20250414173113.80677-1-rwahl@gmx.de +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/ti/k3-udma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -1091,8 +1091,11 @@ static void udma_check_tx_completion(str + u32 residue_diff; + ktime_t time_diff; + unsigned long delay; ++ unsigned long flags; + + while (1) { ++ spin_lock_irqsave(&uc->vc.lock, flags); ++ + if (uc->desc) { + /* Get previous residue and time stamp */ + residue_diff = uc->tx_drain.residue; +@@ -1127,6 +1130,8 @@ static void udma_check_tx_completion(str + break; + } + ++ spin_unlock_irqrestore(&uc->vc.lock, flags); ++ + usleep_range(ktime_to_us(delay), + ktime_to_us(delay) + 10); + continue; +@@ -1143,6 +1148,8 @@ static void udma_check_tx_completion(str + + break; + } ++ ++ spin_unlock_irqrestore(&uc->vc.lock, flags); + } + + static irqreturn_t udma_ring_irq_handler(int irq, void *data) diff --git a/queue-6.12/dmaengine-ti-k3-udma-use-cap_mask-directly-from-dma_device-structure-instead-of-a-local-copy.patch b/queue-6.12/dmaengine-ti-k3-udma-use-cap_mask-directly-from-dma_device-structure-instead-of-a-local-copy.patch new file mode 100644 index 0000000000..5728c56461 --- /dev/null +++ b/queue-6.12/dmaengine-ti-k3-udma-use-cap_mask-directly-from-dma_device-structure-instead-of-a-local-copy.patch @@ -0,0 +1,49 @@ +From 8ca9590c39b69b55a8de63d2b21b0d44f523b43a Mon Sep 17 00:00:00 2001 +From: Yemike Abhilash Chandra +Date: Thu, 17 Apr 2025 13:25:21 +0530 +Subject: dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy + +From: Yemike Abhilash Chandra + +commit 8ca9590c39b69b55a8de63d2b21b0d44f523b43a upstream. + +Currently, a local dma_cap_mask_t variable is used to store device +cap_mask within udma_of_xlate(). However, the DMA_PRIVATE flag in +the device cap_mask can get cleared when the last channel is released. +This can happen right after storing the cap_mask locally in +udma_of_xlate(), and subsequent dma_request_channel() can fail due to +mismatch in the cap_mask. Fix this by removing the local dma_cap_mask_t +variable and directly using the one from the dma_device structure. + +Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") +Cc: stable@vger.kernel.org +Signed-off-by: Vaishnav Achath +Acked-by: Peter Ujfalusi +Reviewed-by: Udit Kumar +Signed-off-by: Yemike Abhilash Chandra +Link: https://lore.kernel.org/r/20250417075521.623651-1-y-abhilashchandra@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/ti/k3-udma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -4253,7 +4253,6 @@ static struct dma_chan *udma_of_xlate(st + struct of_dma *ofdma) + { + struct udma_dev *ud = ofdma->of_dma_data; +- dma_cap_mask_t mask = ud->ddev.cap_mask; + struct udma_filter_param filter_param; + struct dma_chan *chan; + +@@ -4285,7 +4284,7 @@ static struct dma_chan *udma_of_xlate(st + } + } + +- chan = __dma_request_channel(&mask, udma_dma_filter_fn, &filter_param, ++ chan = __dma_request_channel(&ud->ddev.cap_mask, udma_dma_filter_fn, &filter_param, + ofdma->of_node); + if (!chan) { + dev_err(ud->dev, "get channel fail in %s.\n", __func__); diff --git a/queue-6.12/drivers-hv-allow-vmbus_sendpacket_mpb_desc-to-create-multiple-ranges.patch b/queue-6.12/drivers-hv-allow-vmbus_sendpacket_mpb_desc-to-create-multiple-ranges.patch new file mode 100644 index 0000000000..3ebef47871 --- /dev/null +++ b/queue-6.12/drivers-hv-allow-vmbus_sendpacket_mpb_desc-to-create-multiple-ranges.patch @@ -0,0 +1,60 @@ +From 380b75d3078626aadd0817de61f3143f5db6e393 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 12 May 2025 17:06:00 -0700 +Subject: Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges + +From: Michael Kelley + +commit 380b75d3078626aadd0817de61f3143f5db6e393 upstream. + +vmbus_sendpacket_mpb_desc() is currently used only by the storvsc driver +and is hardcoded to create a single GPA range. To allow it to also be +used by the netvsc driver to create multiple GPA ranges, no longer +hardcode as having a single GPA range. Allow the calling driver to +specify the rangecount in the supplied descriptor. + +Update the storvsc driver to reflect this new approach. + +Cc: # 6.1.x +Signed-off-by: Michael Kelley +Link: https://patch.msgid.link/20250513000604.1396-2-mhklinux@outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/channel.c | 6 +++--- + drivers/scsi/storvsc_drv.c | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -1136,9 +1136,10 @@ int vmbus_sendpacket_pagebuffer(struct v + EXPORT_SYMBOL_GPL(vmbus_sendpacket_pagebuffer); + + /* +- * vmbus_sendpacket_multipagebuffer - Send a multi-page buffer packet ++ * vmbus_sendpacket_mpb_desc - Send one or more multi-page buffer packets + * using a GPADL Direct packet type. +- * The buffer includes the vmbus descriptor. ++ * The desc argument must include space for the VMBus descriptor. The ++ * rangecount field must already be set. + */ + int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel, + struct vmbus_packet_mpb_array *desc, +@@ -1160,7 +1161,6 @@ int vmbus_sendpacket_mpb_desc(struct vmb + desc->length8 = (u16)(packetlen_aligned >> 3); + desc->transactionid = VMBUS_RQST_ERROR; /* will be updated in hv_ringbuffer_write() */ + desc->reserved = 0; +- desc->rangecount = 1; + + bufferlist[0].iov_base = desc; + bufferlist[0].iov_len = desc_size; +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1819,6 +1819,7 @@ static int storvsc_queuecommand(struct S + return SCSI_MLQUEUE_DEVICE_BUSY; + } + ++ payload->rangecount = 1; + payload->range.len = length; + payload->range.offset = offset_in_hvpg; + diff --git a/queue-6.12/drivers-hv-vmbus-remove-vmbus_sendpacket_pagebuffer.patch b/queue-6.12/drivers-hv-vmbus-remove-vmbus_sendpacket_pagebuffer.patch new file mode 100644 index 0000000000..982b0ce3a0 --- /dev/null +++ b/queue-6.12/drivers-hv-vmbus-remove-vmbus_sendpacket_pagebuffer.patch @@ -0,0 +1,107 @@ +From 45a442fe369e6c4e0b4aa9f63b31c3f2f9e2090e Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 12 May 2025 17:06:04 -0700 +Subject: Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer() + +From: Michael Kelley + +commit 45a442fe369e6c4e0b4aa9f63b31c3f2f9e2090e upstream. + +With the netvsc driver changed to use vmbus_sendpacket_mpb_desc() +instead of vmbus_sendpacket_pagebuffer(), the latter has no remaining +callers. Remove it. + +Cc: # 6.1.x +Signed-off-by: Michael Kelley +Link: https://patch.msgid.link/20250513000604.1396-6-mhklinux@outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/channel.c | 59 ------------------------------------------------- + include/linux/hyperv.h | 7 ----- + 2 files changed, 66 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -1077,65 +1077,6 @@ int vmbus_sendpacket(struct vmbus_channe + EXPORT_SYMBOL(vmbus_sendpacket); + + /* +- * vmbus_sendpacket_pagebuffer - Send a range of single-page buffer +- * packets using a GPADL Direct packet type. This interface allows you +- * to control notifying the host. This will be useful for sending +- * batched data. Also the sender can control the send flags +- * explicitly. +- */ +-int vmbus_sendpacket_pagebuffer(struct vmbus_channel *channel, +- struct hv_page_buffer pagebuffers[], +- u32 pagecount, void *buffer, u32 bufferlen, +- u64 requestid) +-{ +- int i; +- struct vmbus_channel_packet_page_buffer desc; +- u32 descsize; +- u32 packetlen; +- u32 packetlen_aligned; +- struct kvec bufferlist[3]; +- u64 aligned_data = 0; +- +- if (pagecount > MAX_PAGE_BUFFER_COUNT) +- return -EINVAL; +- +- /* +- * Adjust the size down since vmbus_channel_packet_page_buffer is the +- * largest size we support +- */ +- descsize = sizeof(struct vmbus_channel_packet_page_buffer) - +- ((MAX_PAGE_BUFFER_COUNT - pagecount) * +- sizeof(struct hv_page_buffer)); +- packetlen = descsize + bufferlen; +- packetlen_aligned = ALIGN(packetlen, sizeof(u64)); +- +- /* Setup the descriptor */ +- desc.type = VM_PKT_DATA_USING_GPA_DIRECT; +- desc.flags = VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED; +- desc.dataoffset8 = descsize >> 3; /* in 8-bytes granularity */ +- desc.length8 = (u16)(packetlen_aligned >> 3); +- desc.transactionid = VMBUS_RQST_ERROR; /* will be updated in hv_ringbuffer_write() */ +- desc.reserved = 0; +- desc.rangecount = pagecount; +- +- for (i = 0; i < pagecount; i++) { +- desc.range[i].len = pagebuffers[i].len; +- desc.range[i].offset = pagebuffers[i].offset; +- desc.range[i].pfn = pagebuffers[i].pfn; +- } +- +- bufferlist[0].iov_base = &desc; +- bufferlist[0].iov_len = descsize; +- bufferlist[1].iov_base = buffer; +- bufferlist[1].iov_len = bufferlen; +- bufferlist[2].iov_base = &aligned_data; +- bufferlist[2].iov_len = (packetlen_aligned - packetlen); +- +- return hv_ringbuffer_write(channel, bufferlist, 3, requestid, NULL); +-} +-EXPORT_SYMBOL_GPL(vmbus_sendpacket_pagebuffer); +- +-/* + * vmbus_sendpacket_mpb_desc - Send one or more multi-page buffer packets + * using a GPADL Direct packet type. + * The desc argument must include space for the VMBus descriptor. The +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1232,13 +1232,6 @@ extern int vmbus_sendpacket(struct vmbus + enum vmbus_packet_type type, + u32 flags); + +-extern int vmbus_sendpacket_pagebuffer(struct vmbus_channel *channel, +- struct hv_page_buffer pagebuffers[], +- u32 pagecount, +- void *buffer, +- u32 bufferlen, +- u64 requestid); +- + extern int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel, + struct vmbus_packet_mpb_array *mpb, + u32 desc_size, diff --git a/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-filter-command.patch b/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-filter-command.patch new file mode 100644 index 0000000000..e141702561 --- /dev/null +++ b/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-filter-command.patch @@ -0,0 +1,61 @@ +From 11aff32439df6ca5b3b891b43032faf88f4a6a29 Mon Sep 17 00:00:00 2001 +From: pengdonglin +Date: Mon, 12 May 2025 17:42:46 +0800 +Subject: ftrace: Fix preemption accounting for stacktrace filter command + +From: pengdonglin + +commit 11aff32439df6ca5b3b891b43032faf88f4a6a29 upstream. + +The preemption count of the stacktrace filter command to trace ksys_read +is consistently incorrect: + +$ echo ksys_read:stacktrace > set_ftrace_filter + + <...>-453 [004] ...1. 38.308956: +=> ksys_read +=> do_syscall_64 +=> entry_SYSCALL_64_after_hwframe + +The root cause is that the trace framework disables preemption when +invoking the filter command callback in function_trace_probe_call: + + preempt_disable_notrace(); + probe_ops->func(ip, parent_ip, probe_opsbe->tr, probe_ops, probe->data); + preempt_enable_notrace(); + +Use tracing_gen_ctx_dec() to account for the preempt_disable_notrace(), +which will output the correct preemption count: + +$ echo ksys_read:stacktrace > set_ftrace_filter + + <...>-410 [006] ..... 31.420396: +=> ksys_read +=> do_syscall_64 +=> entry_SYSCALL_64_after_hwframe + +Cc: stable@vger.kernel.org +Fixes: 36590c50b2d07 ("tracing: Merge irqflags + preempt counter.") +Link: https://lore.kernel.org/20250512094246.1167956-2-dolinux.peng@gmail.com +Signed-off-by: pengdonglin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_functions.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/kernel/trace/trace_functions.c ++++ b/kernel/trace/trace_functions.c +@@ -574,11 +574,7 @@ ftrace_traceoff(unsigned long ip, unsign + + static __always_inline void trace_stack(struct trace_array *tr) + { +- unsigned int trace_ctx; +- +- trace_ctx = tracing_gen_ctx(); +- +- __trace_stack(tr, trace_ctx, FTRACE_STACK_SKIP); ++ __trace_stack(tr, tracing_gen_ctx_dec(), FTRACE_STACK_SKIP); + } + + static void diff --git a/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-trigger-command.patch b/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-trigger-command.patch new file mode 100644 index 0000000000..09928252b9 --- /dev/null +++ b/queue-6.12/ftrace-fix-preemption-accounting-for-stacktrace-trigger-command.patch @@ -0,0 +1,61 @@ +From e333332657f615ac2b55aa35565c4a882018bbe9 Mon Sep 17 00:00:00 2001 +From: pengdonglin +Date: Mon, 12 May 2025 17:42:45 +0800 +Subject: ftrace: Fix preemption accounting for stacktrace trigger command + +From: pengdonglin + +commit e333332657f615ac2b55aa35565c4a882018bbe9 upstream. + +When using the stacktrace trigger command to trace syscalls, the +preemption count was consistently reported as 1 when the system call +event itself had 0 ("."). + +For example: + +root@ubuntu22-vm:/sys/kernel/tracing/events/syscalls/sys_enter_read +$ echo stacktrace > trigger +$ echo 1 > enable + + sshd-416 [002] ..... 232.864910: sys_read(fd: a, buf: 556b1f3221d0, count: 8000) + sshd-416 [002] ...1. 232.864913: + => ftrace_syscall_enter + => syscall_trace_enter + => do_syscall_64 + => entry_SYSCALL_64_after_hwframe + +The root cause is that the trace framework disables preemption in __DO_TRACE before +invoking the trigger callback. + +Use the tracing_gen_ctx_dec() that will accommodate for the increase of +the preemption count in __DO_TRACE when calling the callback. The result +is the accurate reporting of: + + sshd-410 [004] ..... 210.117660: sys_read(fd: 4, buf: 559b725ba130, count: 40000) + sshd-410 [004] ..... 210.117662: + => ftrace_syscall_enter + => syscall_trace_enter + => do_syscall_64 + => entry_SYSCALL_64_after_hwframe + +Cc: stable@vger.kernel.org +Fixes: ce33c845b030c ("tracing: Dump stacktrace trigger to the corresponding instance") +Link: https://lore.kernel.org/20250512094246.1167956-1-dolinux.peng@gmail.com +Signed-off-by: pengdonglin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_trigger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -1581,7 +1581,7 @@ stacktrace_trigger(struct event_trigger_ + struct trace_event_file *file = data->private_data; + + if (file) +- __trace_stack(file->tr, tracing_gen_ctx(), STACK_SKIP); ++ __trace_stack(file->tr, tracing_gen_ctx_dec(), STACK_SKIP); + else + trace_dump_stack(STACK_SKIP); + } diff --git a/queue-6.12/hv_netvsc-preserve-contiguous-pfn-grouping-in-the-page-buffer-array.patch b/queue-6.12/hv_netvsc-preserve-contiguous-pfn-grouping-in-the-page-buffer-array.patch new file mode 100644 index 0000000000..bc4e6d5eac --- /dev/null +++ b/queue-6.12/hv_netvsc-preserve-contiguous-pfn-grouping-in-the-page-buffer-array.patch @@ -0,0 +1,253 @@ +From 41a6328b2c55276f89ea3812069fd7521e348bbf Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 12 May 2025 17:06:02 -0700 +Subject: hv_netvsc: Preserve contiguous PFN grouping in the page buffer array + +From: Michael Kelley + +commit 41a6328b2c55276f89ea3812069fd7521e348bbf upstream. + +Starting with commit dca5161f9bd0 ("hv_netvsc: Check status in +SEND_RNDIS_PKT completion message") in the 6.3 kernel, the Linux +driver for Hyper-V synthetic networking (netvsc) occasionally reports +"nvsp_rndis_pkt_complete error status: 2".[1] This error indicates +that Hyper-V has rejected a network packet transmit request from the +guest, and the outgoing network packet is dropped. Higher level +network protocols presumably recover and resend the packet so there is +no functional error, but performance is slightly impacted. Commit +dca5161f9bd0 is not the cause of the error -- it only added reporting +of an error that was already happening without any notice. The error +has presumably been present since the netvsc driver was originally +introduced into Linux. + +The root cause of the problem is that the netvsc driver in Linux may +send an incorrectly formatted VMBus message to Hyper-V when +transmitting the network packet. The incorrect formatting occurs when +the rndis header of the VMBus message crosses a page boundary due to +how the Linux skb head memory is aligned. In such a case, two PFNs are +required to describe the location of the rndis header, even though +they are contiguous in guest physical address (GPA) space. Hyper-V +requires that two rndis header PFNs be in a single "GPA range" data +struture, but current netvsc code puts each PFN in its own GPA range, +which Hyper-V rejects as an error. + +The incorrect formatting occurs only for larger packets that netvsc +must transmit via a VMBus "GPA Direct" message. There's no problem +when netvsc transmits a smaller packet by copying it into a pre- +allocated send buffer slot because the pre-allocated slots don't have +page crossing issues. + +After commit 14ad6ed30a10 ("net: allow small head cache usage with +large MAX_SKB_FRAGS values") in the 6.14-rc4 kernel, the error occurs +much more frequently in VMs with 16 or more vCPUs. It may occur every +few seconds, or even more frequently, in an ssh session that outputs a +lot of text. Commit 14ad6ed30a10 subtly changes how skb head memory is +allocated, making it much more likely that the rndis header will cross +a page boundary when the vCPU count is 16 or more. The changes in +commit 14ad6ed30a10 are perfectly valid -- they just had the side +effect of making the netvsc bug more prominent. + +Current code in init_page_array() creates a separate page buffer array +entry for each PFN required to identify the data to be transmitted. +Contiguous PFNs get separate entries in the page buffer array, and any +information about contiguity is lost. + +Fix the core issue by having init_page_array() construct the page +buffer array to represent contiguous ranges rather than individual +pages. When these ranges are subsequently passed to +netvsc_build_mpb_array(), it can build GPA ranges that contain +multiple PFNs, as required to avoid the error "nvsp_rndis_pkt_complete +error status: 2". If instead the network packet is sent by copying +into a pre-allocated send buffer slot, the copy proceeds using the +contiguous ranges rather than individual pages, but the result of the +copying is the same. Also fix rndis_filter_send_request() to construct +a contiguous range, since it has its own page buffer array. + +This change has a side benefit in CoCo VMs in that netvsc_dma_map() +calls dma_map_single() on each contiguous range instead of on each +page. This results in fewer calls to dma_map_single() but on larger +chunks of memory, which should reduce contention on the swiotlb. + +Since the page buffer array now contains one entry for each contiguous +range instead of for each individual page, the number of entries in +the array can be reduced, saving 208 bytes of stack space in +netvsc_xmit() when MAX_SKG_FRAGS has the default value of 17. + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=217503 + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217503 +Cc: # 6.1.x +Signed-off-by: Michael Kelley +Link: https://patch.msgid.link/20250513000604.1396-4-mhklinux@outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 12 +++++++ + drivers/net/hyperv/netvsc_drv.c | 65 +++++++++----------------------------- + drivers/net/hyperv/rndis_filter.c | 24 ++------------ + 3 files changed, 33 insertions(+), 68 deletions(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -893,6 +893,18 @@ struct nvsp_message { + sizeof(struct nvsp_message)) + #define NETVSC_MIN_IN_MSG_SIZE sizeof(struct vmpacket_descriptor) + ++/* Maximum # of contiguous data ranges that can make up a trasmitted packet. ++ * Typically it's the max SKB fragments plus 2 for the rndis packet and the ++ * linear portion of the SKB. But if MAX_SKB_FRAGS is large, the value may ++ * need to be limited to MAX_PAGE_BUFFER_COUNT, which is the max # of entries ++ * in a GPA direct packet sent to netvsp over VMBus. ++ */ ++#if MAX_SKB_FRAGS + 2 < MAX_PAGE_BUFFER_COUNT ++#define MAX_DATA_RANGES (MAX_SKB_FRAGS + 2) ++#else ++#define MAX_DATA_RANGES MAX_PAGE_BUFFER_COUNT ++#endif ++ + /* Estimated requestor size: + * out_ring_size/min_out_msg_size + in_ring_size/min_in_msg_size + */ +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -325,43 +325,10 @@ static u16 netvsc_select_queue(struct ne + return txq; + } + +-static u32 fill_pg_buf(unsigned long hvpfn, u32 offset, u32 len, +- struct hv_page_buffer *pb) +-{ +- int j = 0; +- +- hvpfn += offset >> HV_HYP_PAGE_SHIFT; +- offset = offset & ~HV_HYP_PAGE_MASK; +- +- while (len > 0) { +- unsigned long bytes; +- +- bytes = HV_HYP_PAGE_SIZE - offset; +- if (bytes > len) +- bytes = len; +- pb[j].pfn = hvpfn; +- pb[j].offset = offset; +- pb[j].len = bytes; +- +- offset += bytes; +- len -= bytes; +- +- if (offset == HV_HYP_PAGE_SIZE && len) { +- hvpfn++; +- offset = 0; +- j++; +- } +- } +- +- return j + 1; +-} +- + static u32 init_page_array(void *hdr, u32 len, struct sk_buff *skb, + struct hv_netvsc_packet *packet, + struct hv_page_buffer *pb) + { +- u32 slots_used = 0; +- char *data = skb->data; + int frags = skb_shinfo(skb)->nr_frags; + int i; + +@@ -370,28 +337,28 @@ static u32 init_page_array(void *hdr, u3 + * 2. skb linear data + * 3. skb fragment data + */ +- slots_used += fill_pg_buf(virt_to_hvpfn(hdr), +- offset_in_hvpage(hdr), +- len, +- &pb[slots_used]); + ++ pb[0].offset = offset_in_hvpage(hdr); ++ pb[0].len = len; ++ pb[0].pfn = virt_to_hvpfn(hdr); + packet->rmsg_size = len; +- packet->rmsg_pgcnt = slots_used; ++ packet->rmsg_pgcnt = 1; + +- slots_used += fill_pg_buf(virt_to_hvpfn(data), +- offset_in_hvpage(data), +- skb_headlen(skb), +- &pb[slots_used]); ++ pb[1].offset = offset_in_hvpage(skb->data); ++ pb[1].len = skb_headlen(skb); ++ pb[1].pfn = virt_to_hvpfn(skb->data); + + for (i = 0; i < frags; i++) { + skb_frag_t *frag = skb_shinfo(skb)->frags + i; +- +- slots_used += fill_pg_buf(page_to_hvpfn(skb_frag_page(frag)), +- skb_frag_off(frag), +- skb_frag_size(frag), +- &pb[slots_used]); ++ struct hv_page_buffer *cur_pb = &pb[i + 2]; ++ u64 pfn = page_to_hvpfn(skb_frag_page(frag)); ++ u32 offset = skb_frag_off(frag); ++ ++ cur_pb->offset = offset_in_hvpage(offset); ++ cur_pb->len = skb_frag_size(frag); ++ cur_pb->pfn = pfn + (offset >> HV_HYP_PAGE_SHIFT); + } +- return slots_used; ++ return frags + 2; + } + + static int count_skb_frag_slots(struct sk_buff *skb) +@@ -482,7 +449,7 @@ static int netvsc_xmit(struct sk_buff *s + struct net_device *vf_netdev; + u32 rndis_msg_size; + u32 hash; +- struct hv_page_buffer pb[MAX_PAGE_BUFFER_COUNT]; ++ struct hv_page_buffer pb[MAX_DATA_RANGES]; + + /* If VF is present and up then redirect packets to it. + * Skip the VF if it is marked down or has no carrier. +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -225,8 +225,7 @@ static int rndis_filter_send_request(str + struct rndis_request *req) + { + struct hv_netvsc_packet *packet; +- struct hv_page_buffer page_buf[2]; +- struct hv_page_buffer *pb = page_buf; ++ struct hv_page_buffer pb; + int ret; + + /* Setup the packet to send it */ +@@ -235,27 +234,14 @@ static int rndis_filter_send_request(str + packet->total_data_buflen = req->request_msg.msg_len; + packet->page_buf_cnt = 1; + +- pb[0].pfn = virt_to_phys(&req->request_msg) >> +- HV_HYP_PAGE_SHIFT; +- pb[0].len = req->request_msg.msg_len; +- pb[0].offset = offset_in_hvpage(&req->request_msg); +- +- /* Add one page_buf when request_msg crossing page boundary */ +- if (pb[0].offset + pb[0].len > HV_HYP_PAGE_SIZE) { +- packet->page_buf_cnt++; +- pb[0].len = HV_HYP_PAGE_SIZE - +- pb[0].offset; +- pb[1].pfn = virt_to_phys((void *)&req->request_msg +- + pb[0].len) >> HV_HYP_PAGE_SHIFT; +- pb[1].offset = 0; +- pb[1].len = req->request_msg.msg_len - +- pb[0].len; +- } ++ pb.pfn = virt_to_phys(&req->request_msg) >> HV_HYP_PAGE_SHIFT; ++ pb.len = req->request_msg.msg_len; ++ pb.offset = offset_in_hvpage(&req->request_msg); + + trace_rndis_send(dev->ndev, 0, &req->request_msg); + + rcu_read_lock_bh(); +- ret = netvsc_send(dev->ndev, packet, NULL, pb, NULL, false); ++ ret = netvsc_send(dev->ndev, packet, NULL, &pb, NULL, false); + rcu_read_unlock_bh(); + + return ret; diff --git a/queue-6.12/hv_netvsc-remove-rmsg_pgcnt.patch b/queue-6.12/hv_netvsc-remove-rmsg_pgcnt.patch new file mode 100644 index 0000000000..47c439afcd --- /dev/null +++ b/queue-6.12/hv_netvsc-remove-rmsg_pgcnt.patch @@ -0,0 +1,76 @@ +From 5bbc644bbf4e97a05bc0cb052189004588ff8a09 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 12 May 2025 17:06:03 -0700 +Subject: hv_netvsc: Remove rmsg_pgcnt + +From: Michael Kelley + +commit 5bbc644bbf4e97a05bc0cb052189004588ff8a09 upstream. + +init_page_array() now always creates a single page buffer array entry +for the rndis message, even if the rndis message crosses a page +boundary. As such, the number of page buffer array entries used for +the rndis message must no longer be tracked -- it is always just 1. +Remove the rmsg_pgcnt field and use "1" where the value is needed. + +Cc: # 6.1.x +Signed-off-by: Michael Kelley +Link: https://patch.msgid.link/20250513000604.1396-5-mhklinux@outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 1 - + drivers/net/hyperv/netvsc.c | 7 +++---- + drivers/net/hyperv/netvsc_drv.c | 1 - + 3 files changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -158,7 +158,6 @@ struct hv_netvsc_packet { + u8 cp_partial; /* partial copy into send buffer */ + + u8 rmsg_size; /* RNDIS header and PPI size */ +- u8 rmsg_pgcnt; /* page count of RNDIS header and PPI */ + u8 page_buf_cnt; + + u16 q_idx; +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -947,8 +947,7 @@ static void netvsc_copy_to_send_buf(stru + + pend_size; + int i; + u32 padding = 0; +- u32 page_count = packet->cp_partial ? packet->rmsg_pgcnt : +- packet->page_buf_cnt; ++ u32 page_count = packet->cp_partial ? 1 : packet->page_buf_cnt; + u32 remain; + + /* Add padding */ +@@ -1131,7 +1130,7 @@ static inline int netvsc_send_pkt( + u32 desc_size; + + if (packet->cp_partial) +- pb += packet->rmsg_pgcnt; ++ pb++; + + ret = netvsc_dma_map(ndev_ctx->device_ctx, packet, pb); + if (ret) { +@@ -1293,7 +1292,7 @@ int netvsc_send(struct net_device *ndev, + packet->send_buf_index = section_index; + + if (packet->cp_partial) { +- packet->page_buf_cnt -= packet->rmsg_pgcnt; ++ packet->page_buf_cnt--; + packet->total_data_buflen = msd_len + packet->rmsg_size; + } else { + packet->page_buf_cnt = 0; +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -342,7 +342,6 @@ static u32 init_page_array(void *hdr, u3 + pb[0].len = len; + pb[0].pfn = virt_to_hvpfn(hdr); + packet->rmsg_size = len; +- packet->rmsg_pgcnt = 1; + + pb[1].offset = offset_in_hvpage(skb->data); + pb[1].len = skb_headlen(skb); diff --git a/queue-6.12/hv_netvsc-use-vmbus_sendpacket_mpb_desc-to-send-vmbus-messages.patch b/queue-6.12/hv_netvsc-use-vmbus_sendpacket_mpb_desc-to-send-vmbus-messages.patch new file mode 100644 index 0000000000..516de63b24 --- /dev/null +++ b/queue-6.12/hv_netvsc-use-vmbus_sendpacket_mpb_desc-to-send-vmbus-messages.patch @@ -0,0 +1,109 @@ +From 4f98616b855cb0e3b5917918bb07b44728eb96ea Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 12 May 2025 17:06:01 -0700 +Subject: hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages + +From: Michael Kelley + +commit 4f98616b855cb0e3b5917918bb07b44728eb96ea upstream. + +netvsc currently uses vmbus_sendpacket_pagebuffer() to send VMBus +messages. This function creates a series of GPA ranges, each of which +contains a single PFN. However, if the rndis header in the VMBus +message crosses a page boundary, the netvsc protocol with the host +requires that both PFNs for the rndis header must be in a single "GPA +range" data structure, which isn't possible with +vmbus_sendpacket_pagebuffer(). As the first step in fixing this, add a +new function netvsc_build_mpb_array() to build a VMBus message with +multiple GPA ranges, each of which may contain multiple PFNs. Use +vmbus_sendpacket_mpb_desc() to send this VMBus message to the host. + +There's no functional change since higher levels of netvsc don't +maintain or propagate knowledge of contiguous PFNs. Based on its +input, netvsc_build_mpb_array() still produces a separate GPA range +for each PFN and the behavior is the same as with +vmbus_sendpacket_pagebuffer(). But the groundwork is laid for a +subsequent patch to provide the necessary grouping. + +Cc: # 6.1.x +Signed-off-by: Michael Kelley +Link: https://patch.msgid.link/20250513000604.1396-3-mhklinux@outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 50 +++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 45 insertions(+), 5 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1049,6 +1049,42 @@ static int netvsc_dma_map(struct hv_devi + return 0; + } + ++/* Build an "array" of mpb entries describing the data to be transferred ++ * over VMBus. After the desc header fields, each "array" entry is variable ++ * size, and each entry starts after the end of the previous entry. The ++ * "offset" and "len" fields for each entry imply the size of the entry. ++ * ++ * The pfns are in HV_HYP_PAGE_SIZE, because all communication with Hyper-V ++ * uses that granularity, even if the system page size of the guest is larger. ++ * Each entry in the input "pb" array must describe a contiguous range of ++ * guest physical memory so that the pfns are sequential if the range crosses ++ * a page boundary. The offset field must be < HV_HYP_PAGE_SIZE. ++ */ ++static inline void netvsc_build_mpb_array(struct hv_page_buffer *pb, ++ u32 page_buffer_count, ++ struct vmbus_packet_mpb_array *desc, ++ u32 *desc_size) ++{ ++ struct hv_mpb_array *mpb_entry = &desc->range; ++ int i, j; ++ ++ for (i = 0; i < page_buffer_count; i++) { ++ u32 offset = pb[i].offset; ++ u32 len = pb[i].len; ++ ++ mpb_entry->offset = offset; ++ mpb_entry->len = len; ++ ++ for (j = 0; j < HVPFN_UP(offset + len); j++) ++ mpb_entry->pfn_array[j] = pb[i].pfn + j; ++ ++ mpb_entry = (struct hv_mpb_array *)&mpb_entry->pfn_array[j]; ++ } ++ ++ desc->rangecount = page_buffer_count; ++ *desc_size = (char *)mpb_entry - (char *)desc; ++} ++ + static inline int netvsc_send_pkt( + struct hv_device *device, + struct hv_netvsc_packet *packet, +@@ -1091,6 +1127,9 @@ static inline int netvsc_send_pkt( + + packet->dma_range = NULL; + if (packet->page_buf_cnt) { ++ struct vmbus_channel_packet_page_buffer desc; ++ u32 desc_size; ++ + if (packet->cp_partial) + pb += packet->rmsg_pgcnt; + +@@ -1100,11 +1139,12 @@ static inline int netvsc_send_pkt( + goto exit; + } + +- ret = vmbus_sendpacket_pagebuffer(out_channel, +- pb, packet->page_buf_cnt, +- &nvmsg, sizeof(nvmsg), +- req_id); +- ++ netvsc_build_mpb_array(pb, packet->page_buf_cnt, ++ (struct vmbus_packet_mpb_array *)&desc, ++ &desc_size); ++ ret = vmbus_sendpacket_mpb_desc(out_channel, ++ (struct vmbus_packet_mpb_array *)&desc, ++ desc_size, &nvmsg, sizeof(nvmsg), req_id); + if (ret) + netvsc_dma_unmap(ndev_ctx->device_ctx, packet); + } else { diff --git a/queue-6.12/kbuild-disable-wdefault-const-init-unsafe.patch b/queue-6.12/kbuild-disable-wdefault-const-init-unsafe.patch new file mode 100644 index 0000000000..de9b5695ec --- /dev/null +++ b/queue-6.12/kbuild-disable-wdefault-const-init-unsafe.patch @@ -0,0 +1,109 @@ +From d0afcfeb9e3810ec89d1ffde1a0e36621bb75dca Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 6 May 2025 14:02:01 -0700 +Subject: kbuild: Disable -Wdefault-const-init-unsafe + +From: Nathan Chancellor + +commit d0afcfeb9e3810ec89d1ffde1a0e36621bb75dca upstream. + +A new on by default warning in clang [1] aims to flags instances where +const variables without static or thread local storage or const members +in aggregate types are not initialized because it can lead to an +indeterminate value. This is quite noisy for the kernel due to +instances originating from header files such as: + + drivers/gpu/drm/i915/gt/intel_ring.h:62:2: error: default initialization of an object of type 'typeof (ring->size)' (aka 'const unsigned int') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] + 62 | typecheck(typeof(ring->size), next); + | ^ + include/linux/typecheck.h:10:9: note: expanded from macro 'typecheck' + 10 | ({ type __dummy; \ + | ^ + + include/net/ip.h:478:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] + 478 | if (mtu && time_before(jiffies, rt->dst.expires)) + | ^ + include/linux/jiffies.h:138:26: note: expanded from macro 'time_before' + 138 | #define time_before(a,b) time_after(b,a) + | ^ + include/linux/jiffies.h:128:3: note: expanded from macro 'time_after' + 128 | (typecheck(unsigned long, a) && \ + | ^ + include/linux/typecheck.h:11:12: note: expanded from macro 'typecheck' + 11 | typeof(x) __dummy2; \ + | ^ + + include/linux/list.h:409:27: warning: default initialization of an object of type 'union (unnamed union at include/linux/list.h:409:27)' with const member leaves the object uninitialized [-Wdefault-const-init-field-unsafe] + 409 | struct list_head *next = smp_load_acquire(&head->next); + | ^ + include/asm-generic/barrier.h:176:29: note: expanded from macro 'smp_load_acquire' + 176 | #define smp_load_acquire(p) __smp_load_acquire(p) + | ^ + arch/arm64/include/asm/barrier.h:164:59: note: expanded from macro '__smp_load_acquire' + 164 | union { __unqual_scalar_typeof(*p) __val; char __c[1]; } __u; \ + | ^ + include/linux/list.h:409:27: note: member '__val' declared 'const' here + + crypto/scatterwalk.c:66:22: error: default initialization of an object of type 'struct scatter_walk' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] + 66 | struct scatter_walk walk; + | ^ + include/crypto/algapi.h:112:15: note: member 'addr' declared 'const' here + 112 | void *const addr; + | ^ + + fs/hugetlbfs/inode.c:733:24: error: default initialization of an object of type 'struct vm_area_struct' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] + 733 | struct vm_area_struct pseudo_vma; + | ^ + include/linux/mm_types.h:803:20: note: member 'vm_flags' declared 'const' here + 803 | const vm_flags_t vm_flags; + | ^ + +Silencing the instances from typecheck.h is difficult because '= {}' is +not available in older but supported compilers and '= {0}' would cause +warnings about a literal 0 being treated as NULL. While it might be +possible to come up with a local hack to silence the warning for +clang-21+, it may not be worth it since -Wuninitialized will still +trigger if an uninitialized const variable is actually used. + +In all audited cases of the "field" variant of the warning, the members +are either not used in the particular call path, modified through other +means such as memset() / memcpy() because the containing object is not +const, or are within a union with other non-const members. + +Since this warning does not appear to have a high signal to noise ratio, +just disable it. + +Cc: stable@vger.kernel.org +Link: https://github.com/llvm/llvm-project/commit/576161cb6069e2c7656a8ef530727a0f4aefff30 [1] +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/CA+G9fYuNjKcxFKS_MKPRuga32XbndkLGcY-PVuoSwzv6VWbY=w@mail.gmail.com/ +Reported-by: Marcus Seyfarth +Closes: https://github.com/ClangBuiltLinux/linux/issues/2088 +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.extrawarn | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -36,6 +36,18 @@ KBUILD_CFLAGS += -Wno-gnu + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111219 + KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow-non-kprintf) + KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation-non-kprintf) ++ ++# Clang may emit a warning when a const variable, such as the dummy variables ++# in typecheck(), or const member of an aggregate type are not initialized, ++# which can result in unexpected behavior. However, in many audited cases of ++# the "field" variant of the warning, this is intentional because the field is ++# never used within a particular call path, the field is within a union with ++# other non-const members, or the containing object is not const so the field ++# can be modified via memcpy() / memset(). While the variable warning also gets ++# disabled with this same switch, there should not be too much coverage lost ++# because -Wuninitialized will still flag when an uninitialized const variable ++# is used. ++KBUILD_CFLAGS += $(call cc-disable-warning, default-const-init-unsafe) + else + + # gcc inanely warns about local variables called 'main' diff --git a/queue-6.12/mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch b/queue-6.12/mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch new file mode 100644 index 0000000000..c46c6b9b5c --- /dev/null +++ b/queue-6.12/mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch @@ -0,0 +1,65 @@ +From 75cb1cca2c880179a11c7dd9380b6f14e41a06a4 Mon Sep 17 00:00:00 2001 +From: Barry Song +Date: Fri, 9 May 2025 10:09:12 +1200 +Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barry Song + +commit 75cb1cca2c880179a11c7dd9380b6f14e41a06a4 upstream. + +As David pointed out, what truly matters for mremap and userfaultfd move +operations is the soft dirty bit. The current comment and +implementation—which always sets the dirty bit for present PTEs and +fails to set the soft dirty bit for swap PTEs—are incorrect. This could +break features like Checkpoint-Restore in Userspace (CRIU). + +This patch updates the behavior to correctly set the soft dirty bit for +both present and swap PTEs in accordance with mremap. + +Link: https://lkml.kernel.org/r/20250508220912.7275-1-21cnbao@gmail.com +Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") +Signed-off-by: Barry Song +Reported-by: David Hildenbrand +Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redhat.com/ +Acked-by: Peter Xu +Reviewed-by: Suren Baghdasaryan +Cc: Lokesh Gidra +Cc: Andrea Arcangeli +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -1059,8 +1059,13 @@ static int move_present_pte(struct mm_st + src_folio->index = linear_page_index(dst_vma, dst_addr); + + orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot); +- /* Follow mremap() behavior and treat the entry dirty after the move */ +- orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); ++ /* Set soft dirty bit so userspace can notice the pte was moved */ ++#ifdef CONFIG_MEM_SOFT_DIRTY ++ orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); ++#endif ++ if (pte_dirty(orig_src_pte)) ++ orig_dst_pte = pte_mkdirty(orig_dst_pte); ++ orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); + + set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); + out: +@@ -1094,6 +1099,9 @@ static int move_swap_pte(struct mm_struc + } + + orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); ++#ifdef CONFIG_MEM_SOFT_DIRTY ++ orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); ++#endif + set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); + double_pt_unlock(dst_ptl, src_ptl); + diff --git a/queue-6.12/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch b/queue-6.12/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch new file mode 100644 index 0000000000..871458ae90 --- /dev/null +++ b/queue-6.12/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch @@ -0,0 +1,43 @@ +From 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 7 May 2025 21:47:45 +0100 +Subject: net: qede: Initialize qede_ll_ops with designated initializer + +From: Nathan Chancellor + +commit 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 upstream. + +After a recent change [1] in clang's randstruct implementation to +randomize structures that only contain function pointers, there is an +error because qede_ll_ops get randomized but does not use a designated +initializer for the first member: + + drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer + 206 | { + | ^ + +Explicitly initialize the common member using a designated initializer +to fix the build. + +Cc: stable@vger.kernel.org +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b200bcb082 [1] +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20250507-qede-fix-clang-randstruct-v1-1-5ccc15626fba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -203,7 +203,7 @@ static struct pci_driver qede_pci_driver + }; + + static struct qed_eth_cb_ops qede_ll_ops = { +- { ++ .common = { + #ifdef CONFIG_RFS_ACCEL + .arfs_filter_op = qede_arfs_filter_op, + #endif diff --git a/queue-6.12/phy-fix-error-handling-in-tegra_xusb_port_init.patch b/queue-6.12/phy-fix-error-handling-in-tegra_xusb_port_init.patch new file mode 100644 index 0000000000..3bd08aaa64 --- /dev/null +++ b/queue-6.12/phy-fix-error-handling-in-tegra_xusb_port_init.patch @@ -0,0 +1,56 @@ +From b2ea5f49580c0762d17d80d8083cb89bc3acf74f Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Mon, 3 Mar 2025 15:27:39 +0800 +Subject: phy: Fix error handling in tegra_xusb_port_init + +From: Ma Ke + +commit b2ea5f49580c0762d17d80d8083cb89bc3acf74f upstream. + +If device_add() fails, do not use device_unregister() for error +handling. device_unregister() consists two functions: device_del() and +put_device(). device_unregister() should only be called after +device_add() succeeded because device_del() undoes what device_add() +does if successful. Change device_unregister() to put_device() call +before returning from the function. + +As comment of device_add() says, 'if device_add() succeeds, you should +call device_del() when you want to get rid of it. If device_add() has +not succeeded, use only put_device() to drop the reference count'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support") +Signed-off-by: Ma Ke +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20250303072739.3874987-1-make24@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -548,16 +548,16 @@ static int tegra_xusb_port_init(struct t + + err = dev_set_name(&port->dev, "%s-%u", name, index); + if (err < 0) +- goto unregister; ++ goto put_device; + + err = device_add(&port->dev); + if (err < 0) +- goto unregister; ++ goto put_device; + + return 0; + +-unregister: +- device_unregister(&port->dev); ++put_device: ++ put_device(&port->dev); + return err; + } + diff --git a/queue-6.12/phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unbind-bind.patch b/queue-6.12/phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unbind-bind.patch new file mode 100644 index 0000000000..12ce11943a --- /dev/null +++ b/queue-6.12/phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unbind-bind.patch @@ -0,0 +1,122 @@ +From 54c4c58713aaff76c2422ff5750e557ab3b100d7 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 7 May 2025 15:50:28 +0300 +Subject: phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind + +From: Claudiu Beznea + +commit 54c4c58713aaff76c2422ff5750e557ab3b100d7 upstream. + +It has been observed on the Renesas RZ/G3S SoC that unbinding and binding +the PHY driver leads to role autodetection failures. This issue occurs when +PHY 3 is the first initialized PHY. PHY 3 does not have an interrupt +associated with the USB2_INT_ENABLE register (as +rcar_gen3_int_enable[3] = 0). As a result, rcar_gen3_init_otg() is called +to initialize OTG without enabling PHY interrupts. + +To resolve this, add rcar_gen3_is_any_otg_rphy_initialized() and call it in +role_store(), role_show(), and rcar_gen3_init_otg(). At the same time, +rcar_gen3_init_otg() is only called when initialization for a PHY with +interrupt bits is in progress. As a result, the +struct rcar_gen3_phy::otg_initialized is no longer needed. + +Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") +Cc: stable@vger.kernel.org +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Reviewed-by: Lad Prabhakar +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20250507125032.565017-2-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 33 +++++++++++++------------------ + 1 file changed, 14 insertions(+), 19 deletions(-) + +--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c ++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +@@ -107,7 +107,6 @@ struct rcar_gen3_phy { + struct rcar_gen3_chan *ch; + u32 int_enable_bits; + bool initialized; +- bool otg_initialized; + bool powered; + }; + +@@ -320,16 +319,15 @@ static bool rcar_gen3_is_any_rphy_initia + return false; + } + +-static bool rcar_gen3_needs_init_otg(struct rcar_gen3_chan *ch) ++static bool rcar_gen3_is_any_otg_rphy_initialized(struct rcar_gen3_chan *ch) + { +- int i; +- +- for (i = 0; i < NUM_OF_PHYS; i++) { +- if (ch->rphys[i].otg_initialized) +- return false; ++ for (enum rcar_gen3_phy_index i = PHY_INDEX_BOTH_HC; i <= PHY_INDEX_EHCI; ++ i++) { ++ if (ch->rphys[i].initialized) ++ return true; + } + +- return true; ++ return false; + } + + static bool rcar_gen3_are_all_rphys_power_off(struct rcar_gen3_chan *ch) +@@ -351,7 +349,7 @@ static ssize_t role_store(struct device + bool is_b_device; + enum phy_mode cur_mode, new_mode; + +- if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) ++ if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) + return -EIO; + + if (sysfs_streq(buf, "host")) +@@ -389,7 +387,7 @@ static ssize_t role_show(struct device * + { + struct rcar_gen3_chan *ch = dev_get_drvdata(dev); + +- if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) ++ if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) + return -EIO; + + return sprintf(buf, "%s\n", rcar_gen3_is_host(ch) ? "host" : +@@ -402,6 +400,9 @@ static void rcar_gen3_init_otg(struct rc + void __iomem *usb2_base = ch->base; + u32 val; + ++ if (!ch->is_otg_channel || rcar_gen3_is_any_otg_rphy_initialized(ch)) ++ return; ++ + /* Should not use functions of read-modify-write a register */ + val = readl(usb2_base + USB2_LINECTRL1); + val = (val & ~USB2_LINECTRL1_DP_RPD) | USB2_LINECTRL1_DPRPD_EN | +@@ -465,12 +466,9 @@ static int rcar_gen3_phy_usb2_init(struc + writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); + writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); + +- /* Initialize otg part */ +- if (channel->is_otg_channel) { +- if (rcar_gen3_needs_init_otg(channel)) +- rcar_gen3_init_otg(channel); +- rphy->otg_initialized = true; +- } ++ /* Initialize otg part (only if we initialize a PHY with IRQs). */ ++ if (rphy->int_enable_bits) ++ rcar_gen3_init_otg(channel); + + rphy->initialized = true; + +@@ -486,9 +484,6 @@ static int rcar_gen3_phy_usb2_exit(struc + + rphy->initialized = false; + +- if (channel->is_otg_channel) +- rphy->otg_initialized = false; +- + val = readl(usb2_base + USB2_INT_ENABLE); + val &= ~rphy->int_enable_bits; + if (!rcar_gen3_is_any_rphy_initialized(channel)) diff --git a/queue-6.12/phy-renesas-rcar-gen3-usb2-set-timing-registers-only-once.patch b/queue-6.12/phy-renesas-rcar-gen3-usb2-set-timing-registers-only-once.patch new file mode 100644 index 0000000000..c65dd5d327 --- /dev/null +++ b/queue-6.12/phy-renesas-rcar-gen3-usb2-set-timing-registers-only-once.patch @@ -0,0 +1,42 @@ +From 86e70849f4b2b4597ac9f7c7931f2a363774be25 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 7 May 2025 15:50:32 +0300 +Subject: phy: renesas: rcar-gen3-usb2: Set timing registers only once + +From: Claudiu Beznea + +commit 86e70849f4b2b4597ac9f7c7931f2a363774be25 upstream. + +phy-rcar-gen3-usb2 driver exports 4 PHYs. The timing registers are common +to all PHYs. There is no need to set them every time a PHY is initialized. +Set timing register only when the 1st PHY is initialized. + +Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") +Cc: stable@vger.kernel.org +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Reviewed-by: Lad Prabhakar +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20250507125032.565017-6-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c ++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +@@ -463,8 +463,11 @@ static int rcar_gen3_phy_usb2_init(struc + val = readl(usb2_base + USB2_INT_ENABLE); + val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; + writel(val, usb2_base + USB2_INT_ENABLE); +- writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); +- writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); ++ ++ if (!rcar_gen3_is_any_rphy_initialized(channel)) { ++ writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); ++ writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); ++ } + + /* Initialize otg part (only if we initialize a PHY with IRQs). */ + if (rphy->int_enable_bits) diff --git a/queue-6.12/phy-tegra-xusb-use-a-bitmask-for-utmi-pad-power-state-tracking.patch b/queue-6.12/phy-tegra-xusb-use-a-bitmask-for-utmi-pad-power-state-tracking.patch new file mode 100644 index 0000000000..e305c1e393 --- /dev/null +++ b/queue-6.12/phy-tegra-xusb-use-a-bitmask-for-utmi-pad-power-state-tracking.patch @@ -0,0 +1,191 @@ +From b47158fb42959c417ff2662075c0d46fb783d5d1 Mon Sep 17 00:00:00 2001 +From: Wayne Chang +Date: Tue, 8 Apr 2025 11:09:05 +0800 +Subject: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking + +From: Wayne Chang + +commit b47158fb42959c417ff2662075c0d46fb783d5d1 upstream. + +The current implementation uses bias_pad_enable as a reference count to +manage the shared bias pad for all UTMI PHYs. However, during system +suspension with connected USB devices, multiple power-down requests for +the UTMI pad result in a mismatch in the reference count, which in turn +produces warnings such as: + +[ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 +[ 237.763103] Call trace: +[ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 +[ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 +[ 237.763110] phy_power_off+0x48/0x100 +[ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 +[ 237.763119] tegra_xusb_suspend+0x48/0x140 +[ 237.763122] platform_pm_suspend+0x2c/0xb0 +[ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 +[ 237.763127] __device_suspend+0x118/0x330 +[ 237.763129] dpm_suspend+0x10c/0x1f0 +[ 237.763130] dpm_suspend_start+0x88/0xb0 +[ 237.763132] suspend_devices_and_enter+0x120/0x500 +[ 237.763135] pm_suspend+0x1ec/0x270 + +The root cause was traced back to the dynamic power-down changes +introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), +where the UTMI pad was being powered down without verifying its current +state. This unbalanced behavior led to discrepancies in the reference +count. + +To rectify this issue, this patch replaces the single reference counter +with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask +corresponds to one of the four USB2 PHYs, allowing us to track each pad's +enablement status individually. + +With this change: + - The bias pad is powered on only when the mask is clear. + - Each UTMI pad is powered on or down based on its corresponding bit + in the mask, preventing redundant operations. + - The overall power state of the shared bias pad is maintained + correctly during suspend/resume cycles. + +The mutex used to prevent race conditions during UTMI pad enable/disable +operations has been moved from the tegra186_utmi_bias_pad_power_on/off +functions to the parent functions tegra186_utmi_pad_power_on/down. This +change ensures that there are no race conditions when updating the bitmask. + +Cc: stable@vger.kernel.org +Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") +Signed-off-by: Wayne Chang +Reviewed-by: Jon Hunter +Tested-by: Jon Hunter +Link: https://lore.kernel.org/r/20250408030905.990474-1-waynec@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb-tegra186.c | 44 +++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 17 deletions(-) + +--- a/drivers/phy/tegra/xusb-tegra186.c ++++ b/drivers/phy/tegra/xusb-tegra186.c +@@ -237,6 +237,8 @@ + #define DATA0_VAL_PD BIT(1) + #define USE_XUSB_AO BIT(4) + ++#define TEGRA_UTMI_PAD_MAX 4 ++ + #define TEGRA186_LANE(_name, _offset, _shift, _mask, _type) \ + { \ + .name = _name, \ +@@ -269,7 +271,7 @@ struct tegra186_xusb_padctl { + + /* UTMI bias and tracking */ + struct clk *usb2_trk_clk; +- unsigned int bias_pad_enable; ++ DECLARE_BITMAP(utmi_pad_enabled, TEGRA_UTMI_PAD_MAX); + + /* padctl context */ + struct tegra186_xusb_padctl_context context; +@@ -603,12 +605,8 @@ static void tegra186_utmi_bias_pad_power + u32 value; + int err; + +- mutex_lock(&padctl->lock); +- +- if (priv->bias_pad_enable++ > 0) { +- mutex_unlock(&padctl->lock); ++ if (!bitmap_empty(priv->utmi_pad_enabled, TEGRA_UTMI_PAD_MAX)) + return; +- } + + err = clk_prepare_enable(priv->usb2_trk_clk); + if (err < 0) +@@ -667,17 +665,8 @@ static void tegra186_utmi_bias_pad_power + struct tegra186_xusb_padctl *priv = to_tegra186_xusb_padctl(padctl); + u32 value; + +- mutex_lock(&padctl->lock); +- +- if (WARN_ON(priv->bias_pad_enable == 0)) { +- mutex_unlock(&padctl->lock); +- return; +- } +- +- if (--priv->bias_pad_enable > 0) { +- mutex_unlock(&padctl->lock); ++ if (!bitmap_empty(priv->utmi_pad_enabled, TEGRA_UTMI_PAD_MAX)) + return; +- } + + value = padctl_readl(padctl, XUSB_PADCTL_USB2_BIAS_PAD_CTL1); + value |= USB2_PD_TRK; +@@ -690,13 +679,13 @@ static void tegra186_utmi_bias_pad_power + clk_disable_unprepare(priv->usb2_trk_clk); + } + +- mutex_unlock(&padctl->lock); + } + + static void tegra186_utmi_pad_power_on(struct phy *phy) + { + struct tegra_xusb_lane *lane = phy_get_drvdata(phy); + struct tegra_xusb_padctl *padctl = lane->pad->padctl; ++ struct tegra186_xusb_padctl *priv = to_tegra186_xusb_padctl(padctl); + struct tegra_xusb_usb2_port *port; + struct device *dev = padctl->dev; + unsigned int index = lane->index; +@@ -705,9 +694,16 @@ static void tegra186_utmi_pad_power_on(s + if (!phy) + return; + ++ mutex_lock(&padctl->lock); ++ if (test_bit(index, priv->utmi_pad_enabled)) { ++ mutex_unlock(&padctl->lock); ++ return; ++ } ++ + port = tegra_xusb_find_usb2_port(padctl, index); + if (!port) { + dev_err(dev, "no port found for USB2 lane %u\n", index); ++ mutex_unlock(&padctl->lock); + return; + } + +@@ -724,18 +720,28 @@ static void tegra186_utmi_pad_power_on(s + value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index)); + value &= ~USB2_OTG_PD_DR; + padctl_writel(padctl, value, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index)); ++ ++ set_bit(index, priv->utmi_pad_enabled); ++ mutex_unlock(&padctl->lock); + } + + static void tegra186_utmi_pad_power_down(struct phy *phy) + { + struct tegra_xusb_lane *lane = phy_get_drvdata(phy); + struct tegra_xusb_padctl *padctl = lane->pad->padctl; ++ struct tegra186_xusb_padctl *priv = to_tegra186_xusb_padctl(padctl); + unsigned int index = lane->index; + u32 value; + + if (!phy) + return; + ++ mutex_lock(&padctl->lock); ++ if (!test_bit(index, priv->utmi_pad_enabled)) { ++ mutex_unlock(&padctl->lock); ++ return; ++ } ++ + dev_dbg(padctl->dev, "power down UTMI pad %u\n", index); + + value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL0(index)); +@@ -748,7 +754,11 @@ static void tegra186_utmi_pad_power_down + + udelay(2); + ++ clear_bit(index, priv->utmi_pad_enabled); ++ + tegra186_utmi_bias_pad_power_off(padctl); ++ ++ mutex_unlock(&padctl->lock); + } + + static int tegra186_xusb_padctl_vbus_override(struct tegra_xusb_padctl *padctl, diff --git a/queue-6.12/ring-buffer-fix-persistent-buffer-when-commit-page-is-the-reader-page.patch b/queue-6.12/ring-buffer-fix-persistent-buffer-when-commit-page-is-the-reader-page.patch new file mode 100644 index 0000000000..bec69bdc20 --- /dev/null +++ b/queue-6.12/ring-buffer-fix-persistent-buffer-when-commit-page-is-the-reader-page.patch @@ -0,0 +1,91 @@ +From 1d6c39c89f617c9fec6bbae166e25b16a014f7c8 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 13 May 2025 11:50:32 -0400 +Subject: ring-buffer: Fix persistent buffer when commit page is the reader page + +From: Steven Rostedt + +commit 1d6c39c89f617c9fec6bbae166e25b16a014f7c8 upstream. + +The ring buffer is made up of sub buffers (sometimes called pages as they +are by default PAGE_SIZE). It has the following "pages": + + "tail page" - this is the page that the next write will write to + "head page" - this is the page that the reader will swap the reader page with. + "reader page" - This belongs to the reader, where it will swap the head + page from the ring buffer so that the reader does not + race with the writer. + +The writer may end up on the "reader page" if the ring buffer hasn't +written more than one page, where the "tail page" and the "head page" are +the same. + +The persistent ring buffer has meta data that points to where these pages +exist so on reboot it can re-create the pointers to the cpu_buffer +descriptor. But when the commit page is on the reader page, the logic is +incorrect. + +The check to see if the commit page is on the reader page checked if the +head page was the reader page, which would never happen, as the head page +is always in the ring buffer. The correct check would be to test if the +commit page is on the reader page. If that's the case, then it can exit +out early as the commit page is only on the reader page when there's only +one page of data in the buffer. There's no reason to iterate the ring +buffer pages to find the "commit page" as it is already found. + +To trigger this bug: + + # echo 1 > /sys/kernel/tracing/instances/boot_mapped/events/syscalls/sys_enter_fchownat/enable + # touch /tmp/x + # chown sshd /tmp/x + # reboot + +On boot up, the dmesg will have: + Ring buffer meta [0] is from previous boot! + Ring buffer meta [1] is from previous boot! + Ring buffer meta [2] is from previous boot! + Ring buffer meta [3] is from previous boot! + Ring buffer meta [4] commit page not found + Ring buffer meta [5] is from previous boot! + Ring buffer meta [6] is from previous boot! + Ring buffer meta [7] is from previous boot! + +Where the buffer on CPU 4 had a "commit page not found" error and that +buffer is cleared and reset causing the output to be empty and the data lost. + +When it works correctly, it has: + + # cat /sys/kernel/tracing/instances/boot_mapped/trace_pipe + <...>-1137 [004] ..... 998.205323: sys_enter_fchownat: __syscall_nr=0x104 (260) dfd=0xffffff9c (4294967196) filename=(0xffffc90000a0002c) user=0x3e8 (1000) group=0xffffffff (4294967295) flag=0x0 (0 + +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20250513115032.3e0b97f7@gandalf.local.home +Fixes: 5f3b6e839f3ce ("ring-buffer: Validate boot range memory events") +Reported-by: Tasos Sahanidis +Tested-by: Tasos Sahanidis +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1832,10 +1832,12 @@ static void rb_meta_validate_events(stru + + head_page = cpu_buffer->head_page; + +- /* If both the head and commit are on the reader_page then we are done. */ +- if (head_page == cpu_buffer->reader_page && +- head_page == cpu_buffer->commit_page) ++ /* If the commit_buffer is the reader page, update the commit page */ ++ if (meta->commit_buffer == (unsigned long)cpu_buffer->reader_page->page) { ++ cpu_buffer->commit_page = cpu_buffer->reader_page; ++ /* Nothing more to do, the only page is the reader page */ + goto done; ++ } + + /* Iterate until finding the commit page */ + for (i = 0; i < meta->nr_subbufs + 1; i++, rb_inc_page(&head_page)) { diff --git a/queue-6.12/scsi-sd_zbc-block-respect-bio-vector-limits-for-report-zones-buffer.patch b/queue-6.12/scsi-sd_zbc-block-respect-bio-vector-limits-for-report-zones-buffer.patch new file mode 100644 index 0000000000..c4f640c74b --- /dev/null +++ b/queue-6.12/scsi-sd_zbc-block-respect-bio-vector-limits-for-report-zones-buffer.patch @@ -0,0 +1,81 @@ +From e8007fad5457ea547ca63bb011fdb03213571c7e Mon Sep 17 00:00:00 2001 +From: Steve Siwinski +Date: Thu, 8 May 2025 16:01:22 -0400 +Subject: scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer + +From: Steve Siwinski + +commit e8007fad5457ea547ca63bb011fdb03213571c7e upstream. + +The REPORT ZONES buffer size is currently limited by the HBA's maximum +segment count to ensure the buffer can be mapped. However, the block +layer further limits the number of iovec entries to 1024 when allocating +a bio. + +To avoid allocation of buffers too large to be mapped, further restrict +the maximum buffer size to BIO_MAX_INLINE_VECS. + +Replace the UIO_MAXIOV symbolic name with the more contextually +appropriate BIO_MAX_INLINE_VECS. + +Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") +Cc: stable@vger.kernel.org +Signed-off-by: Steve Siwinski +Link: https://lore.kernel.org/r/20250508200122.243129-1-ssiwinski@atto.com +Reviewed-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 2 +- + drivers/scsi/sd_zbc.c | 6 +++++- + include/linux/bio.h | 1 + + 3 files changed, 7 insertions(+), 2 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short n + { + struct bio *bio; + +- if (nr_vecs > UIO_MAXIOV) ++ if (nr_vecs > BIO_MAX_INLINE_VECS) + return NULL; + return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); + } +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer( + unsigned int nr_zones, size_t *buflen) + { + struct request_queue *q = sdkp->disk->queue; ++ unsigned int max_segments; + size_t bufsize; + void *buf; + +@@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer( + * Furthermore, since the report zone command cannot be split, make + * sure that the allocated buffer can always be mapped by limiting the + * number of pages allocated to the HBA max segments limit. ++ * Since max segments can be larger than the max inline bio vectors, ++ * further limit the allocated buffer to BIO_MAX_INLINE_VECS. + */ + nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); + bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); + bufsize = min_t(size_t, bufsize, + queue_max_hw_sectors(q) << SECTOR_SHIFT); +- bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); ++ max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); ++ bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); + + while (bufsize >= SECTOR_SIZE) { + buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); +--- a/include/linux/bio.h ++++ b/include/linux/bio.h +@@ -11,6 +11,7 @@ + #include + + #define BIO_MAX_VECS 256U ++#define BIO_MAX_INLINE_VECS UIO_MAXIOV + + struct queue_limits; + diff --git a/queue-6.12/series b/queue-6.12/series index 864aff2144..3428c6af64 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -95,3 +95,41 @@ drm-amd-display-avoid-flooding-unnecessary-info-messages.patch maintainers-update-alexey-makhalov-s-email-address.patch gpio-pca953x-fix-irq-storm-on-system-wake-up.patch acpi-pptt-fix-processor-subtable-walk.patch +alsa-es1968-add-error-handling-for-snd_pcm_hw_constraint_pow2.patch +alsa-usb-audio-add-sample-rate-quirk-for-audioengine-d1.patch +alsa-usb-audio-add-sample-rate-quirk-for-microdia-jp001-usb-camera.patch +dma-buf-insert-memory-barrier-before-updating-num_fences.patch +hv_netvsc-use-vmbus_sendpacket_mpb_desc-to-send-vmbus-messages.patch +hv_netvsc-preserve-contiguous-pfn-grouping-in-the-page-buffer-array.patch +hv_netvsc-remove-rmsg_pgcnt.patch +arm64-dts-amlogic-dreambox-fix-missing-clkc_audio-node.patch +arm64-dts-rockchip-remove-overdrive-mode-opps-from-rk3588j-soc-dtsi.patch +drivers-hv-allow-vmbus_sendpacket_mpb_desc-to-create-multiple-ranges.patch +drivers-hv-vmbus-remove-vmbus_sendpacket_pagebuffer.patch +kbuild-disable-wdefault-const-init-unsafe.patch +ftrace-fix-preemption-accounting-for-stacktrace-trigger-command.patch +ftrace-fix-preemption-accounting-for-stacktrace-filter-command.patch +tracing-samples-initialize-trace_array_printk-with-the-correct-function.patch +phy-tegra-xusb-use-a-bitmask-for-utmi-pad-power-state-tracking.patch +phy-fix-error-handling-in-tegra_xusb_port_init.patch +phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unbind-bind.patch +phy-renesas-rcar-gen3-usb2-set-timing-registers-only-once.patch +scsi-sd_zbc-block-respect-bio-vector-limits-for-report-zones-buffer.patch +smb-client-fix-memory-leak-during-error-handling-for-posix-mkdir.patch +spi-tegra114-use-value-to-check-for-invalid-delays.patch +tpm-mask-tpm-rc-in-tpm2_start_auth_session.patch +wifi-mt76-disable-napi-on-driver-removal.patch +ring-buffer-fix-persistent-buffer-when-commit-page-is-the-reader-page.patch +net-qede-initialize-qede_ll_ops-with-designated-initializer.patch +mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch +dmaengine-ti-k3-udma-add-missing-locking.patch +dmaengine-ti-k3-udma-use-cap_mask-directly-from-dma_device-structure-instead-of-a-local-copy.patch +dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_wqs.patch +dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_engines.patch +dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_setup_groups.patch +dmaengine-idxd-add-missing-cleanup-for-early-error-out-in-idxd_setup_internals.patch +dmaengine-idxd-add-missing-cleanups-in-cleanup-internals.patch +dmaengine-idxd-add-missing-idxd-cleanup-to-fix-memory-leak-in-remove-call.patch +dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch +dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch +dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch diff --git a/queue-6.12/smb-client-fix-memory-leak-during-error-handling-for-posix-mkdir.patch b/queue-6.12/smb-client-fix-memory-leak-during-error-handling-for-posix-mkdir.patch new file mode 100644 index 0000000000..6e169fa7b7 --- /dev/null +++ b/queue-6.12/smb-client-fix-memory-leak-during-error-handling-for-posix-mkdir.patch @@ -0,0 +1,40 @@ +From 1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7 Mon Sep 17 00:00:00 2001 +From: Jethro Donaldson +Date: Thu, 15 May 2025 01:23:23 +1200 +Subject: smb: client: fix memory leak during error handling for POSIX mkdir + +From: Jethro Donaldson + +commit 1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7 upstream. + +The response buffer for the CREATE request handled by smb311_posix_mkdir() +is leaked on the error path (goto err_free_rsp_buf) because the structure +pointer *rsp passed to free_rsp_buf() is not assigned until *after* the +error condition is checked. + +As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak +is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of +cifs.ko if (and only if) the error path has been hit. + +Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in +other functions in smb2pdu.c for which *rsp is assigned late. + +Cc: stable@vger.kernel.org +Signed-off-by: Jethro Donaldson +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -2985,7 +2985,7 @@ replay_again: + /* Eventually save off posix specific response info and timestamps */ + + err_free_rsp_buf: +- free_rsp_buf(resp_buftype, rsp); ++ free_rsp_buf(resp_buftype, rsp_iov.iov_base); + kfree(pc_buf); + err_free_req: + cifs_small_buf_release(req); diff --git a/queue-6.12/spi-tegra114-use-value-to-check-for-invalid-delays.patch b/queue-6.12/spi-tegra114-use-value-to-check-for-invalid-delays.patch new file mode 100644 index 0000000000..f3b5cbbfb1 --- /dev/null +++ b/queue-6.12/spi-tegra114-use-value-to-check-for-invalid-delays.patch @@ -0,0 +1,39 @@ +From e979a7c79fbc706f6dac913af379ef4caa04d3d5 Mon Sep 17 00:00:00 2001 +From: Aaron Kling +Date: Tue, 6 May 2025 13:36:59 -0500 +Subject: spi: tegra114: Use value to check for invalid delays + +From: Aaron Kling + +commit e979a7c79fbc706f6dac913af379ef4caa04d3d5 upstream. + +A delay unit of 0 is a valid entry, thus it is not valid to check for +unused delays. Instead, check the value field; if that is zero, the +given delay is unset. + +Fixes: 4426e6b4ecf6 ("spi: tegra114: Don't fail set_cs_timing when delays are zero") +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Kling +Reviewed-by: Jon Hunter +Link: https://patch.msgid.link/20250506-spi-tegra114-fixup-v1-1-136dc2f732f3@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-tegra114.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -728,9 +728,9 @@ static int tegra_spi_set_hw_cs_timing(st + u32 inactive_cycles; + u8 cs_state; + +- if ((setup->unit && setup->unit != SPI_DELAY_UNIT_SCK) || +- (hold->unit && hold->unit != SPI_DELAY_UNIT_SCK) || +- (inactive->unit && inactive->unit != SPI_DELAY_UNIT_SCK)) { ++ if ((setup->value && setup->unit != SPI_DELAY_UNIT_SCK) || ++ (hold->value && hold->unit != SPI_DELAY_UNIT_SCK) || ++ (inactive->value && inactive->unit != SPI_DELAY_UNIT_SCK)) { + dev_err(&spi->dev, + "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", + SPI_DELAY_UNIT_SCK); diff --git a/queue-6.12/tpm-mask-tpm-rc-in-tpm2_start_auth_session.patch b/queue-6.12/tpm-mask-tpm-rc-in-tpm2_start_auth_session.patch new file mode 100644 index 0000000000..3d2d508eda --- /dev/null +++ b/queue-6.12/tpm-mask-tpm-rc-in-tpm2_start_auth_session.patch @@ -0,0 +1,115 @@ +From 539fbab37881e32ba6a708a100de6db19e1e7e7d Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 7 Apr 2025 15:28:05 +0300 +Subject: tpm: Mask TPM RC in tpm2_start_auth_session() + +From: Jarkko Sakkinen + +commit 539fbab37881e32ba6a708a100de6db19e1e7e7d upstream. + +tpm2_start_auth_session() does not mask TPM RC correctly from the callers: + +[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session + +Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX +error codes. + +Cc: stable@vger.kernel.org # v6.10+ +Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") +Reported-by: Herbert Xu +Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au/ +Reviewed-by: Stefano Garzarella +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- + include/linux/tpm.h | 19 +++++++++++++++++++ + 2 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c +index 3f89635ba5e8..7b5049b3d476 100644 +--- a/drivers/char/tpm/tpm2-sessions.c ++++ b/drivers/char/tpm/tpm2-sessions.c +@@ -40,11 +40,6 @@ + * + * These are the usage functions: + * +- * tpm2_start_auth_session() which allocates the opaque auth structure +- * and gets a session from the TPM. This must be called before +- * any of the following functions. The session is protected by a +- * session_key which is derived from a random salt value +- * encrypted to the NULL seed. + * tpm2_end_auth_session() kills the session and frees the resources. + * Under normal operation this function is done by + * tpm_buf_check_hmac_response(), so this is only to be used on +@@ -963,16 +958,13 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) + } + + /** +- * tpm2_start_auth_session() - create a HMAC authentication session with the TPM +- * @chip: the TPM chip structure to create the session with ++ * tpm2_start_auth_session() - Create an a HMAC authentication session ++ * @chip: A TPM chip + * +- * This function loads the NULL seed from its saved context and starts +- * an authentication session on the null seed, fills in the +- * @chip->auth structure to contain all the session details necessary +- * for performing the HMAC, encrypt and decrypt operations and +- * returns. The NULL seed is flushed before this function returns. ++ * Loads the ephemeral key (null seed), and starts an HMAC authenticated ++ * session. The null seed is flushed before the return. + * +- * Return: zero on success or actual error encountered. ++ * Returns zero on success, or a POSIX error code. + */ + int tpm2_start_auth_session(struct tpm_chip *chip) + { +@@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) + /* hash algorithm for session */ + tpm_buf_append_u16(&buf, TPM_ALG_SHA256); + +- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); ++ rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); + tpm2_flush_context(chip, null_key); + + if (rc == TPM2_RC_SUCCESS) +diff --git a/include/linux/tpm.h b/include/linux/tpm.h +index 6c3125300c00..9ac9768cc8f7 100644 +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -257,6 +257,7 @@ enum tpm2_return_codes { + TPM2_RC_TESTING = 0x090A, /* RC_WARN */ + TPM2_RC_REFERENCE_H0 = 0x0910, + TPM2_RC_RETRY = 0x0922, ++ TPM2_RC_SESSION_MEMORY = 0x0903, + }; + + enum tpm2_command_codes { +@@ -437,6 +438,24 @@ static inline u32 tpm2_rc_value(u32 rc) + return (rc & BIT(7)) ? rc & 0xbf : rc; + } + ++/* ++ * Convert a return value from tpm_transmit_cmd() to POSIX error code. ++ */ ++static inline ssize_t tpm_ret_to_err(ssize_t ret) ++{ ++ if (ret < 0) ++ return ret; ++ ++ switch (tpm2_rc_value(ret)) { ++ case TPM2_RC_SUCCESS: ++ return 0; ++ case TPM2_RC_SESSION_MEMORY: ++ return -ENOMEM; ++ default: ++ return -EFAULT; ++ } ++} ++ + #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) + + extern int tpm_is_tpm2(struct tpm_chip *chip); +-- +2.49.0 + diff --git a/queue-6.12/tracing-samples-initialize-trace_array_printk-with-the-correct-function.patch b/queue-6.12/tracing-samples-initialize-trace_array_printk-with-the-correct-function.patch new file mode 100644 index 0000000000..d882b53d1b --- /dev/null +++ b/queue-6.12/tracing-samples-initialize-trace_array_printk-with-the-correct-function.patch @@ -0,0 +1,45 @@ +From 1b0c192c92ea1fe2dcb178f84adf15fe37c3e7c8 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 9 May 2025 15:26:57 -0400 +Subject: tracing: samples: Initialize trace_array_printk() with the correct function + +From: Steven Rostedt + +commit 1b0c192c92ea1fe2dcb178f84adf15fe37c3e7c8 upstream. + +When using trace_array_printk() on a created instance, the correct +function to use to initialize it is: + + trace_array_init_printk() + +Not + + trace_printk_init_buffer() + +The former is a proper function to use, the latter is for initializing +trace_printk() and causes the NOTICE banner to be displayed. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Divya Indi +Link: https://lore.kernel.org/20250509152657.0f6744d9@gandalf.local.home +Fixes: 89ed42495ef4a ("tracing: Sample module to demonstrate kernel access to Ftrace instances.") +Fixes: 38ce2a9e33db6 ("tracing: Add trace_array_init_printk() to initialize instance trace_printk() buffers") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + samples/ftrace/sample-trace-array.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/samples/ftrace/sample-trace-array.c ++++ b/samples/ftrace/sample-trace-array.c +@@ -112,7 +112,7 @@ static int __init sample_trace_array_ini + /* + * If context specific per-cpu buffers havent already been allocated. + */ +- trace_printk_init_buffers(); ++ trace_array_init_printk(tr); + + simple_tsk = kthread_run(simple_thread, NULL, "sample-instance"); + if (IS_ERR(simple_tsk)) { diff --git a/queue-6.12/wifi-mt76-disable-napi-on-driver-removal.patch b/queue-6.12/wifi-mt76-disable-napi-on-driver-removal.patch new file mode 100644 index 0000000000..ddd55b8ede --- /dev/null +++ b/queue-6.12/wifi-mt76-disable-napi-on-driver-removal.patch @@ -0,0 +1,59 @@ +From 78ab4be549533432d97ea8989d2f00b508fa68d8 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Tue, 6 May 2025 14:55:39 +0300 +Subject: wifi: mt76: disable napi on driver removal + +From: Fedor Pchelkin + +commit 78ab4be549533432d97ea8989d2f00b508fa68d8 upstream. + +A warning on driver removal started occurring after commit 9dd05df8403b +("net: warn if NAPI instance wasn't shut down"). Disable tx napi before +deleting it in mt76_dma_cleanup(). + + WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 + CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) + Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 + RIP: 0010:__netif_napi_del_locked+0xf0/0x100 + Call Trace: + + mt76_dma_cleanup+0x54/0x2f0 [mt76] + mt7921_pci_remove+0xd5/0x190 [mt7921e] + pci_device_remove+0x47/0xc0 + device_release_driver_internal+0x19e/0x200 + driver_detach+0x48/0x90 + bus_remove_driver+0x6d/0xf0 + pci_unregister_driver+0x2e/0xb0 + __do_sys_delete_module.isra.0+0x197/0x2e0 + do_syscall_64+0x7b/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Tested with mt7921e but the same pattern can be actually applied to other +mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled +in their *_dma_init() functions and only toggled off and on again inside +their suspend/resume/reset paths. So it should be okay to disable tx +napi in such a generic way. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 2ac515a5d74f ("mt76: mt76x02: use napi polling for tx cleanup") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Tested-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250506115540.19045-1-pchelkin@ispras.ru +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/dma.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -999,6 +999,7 @@ void mt76_dma_cleanup(struct mt76_dev *d + int i; + + mt76_worker_disable(&dev->tx_worker); ++ napi_disable(&dev->tx_napi); + netif_napi_del(&dev->tx_napi); + + for (i = 0; i < ARRAY_SIZE(dev->phys); i++) {